Add more Nix Apps

Rewrite of some of the Apps to Nix. Tried to convert ApplicationSets to simple Applications with an ${env} modifier.
fix: fix amqp password
2025-02-21 17:47:45 +00:00 · 2025-02-04 17:02:42 +01:00 · 2025-02-04 15:43:37 +01:00 · 2025-02-04 15:43:24 +01:00 · 2025-01-31 13:25:45 +01:00 · 2025-01-31 13:22:27 +01:00
423 changed files with 70556 additions and 1399 deletions
@@ -0,0 +1 @@
+use nix
@@ -1,2 +1,6 @@
+*.tgz
+_*/
+.direnv/
+.pre-commit-config.yaml
 _manifest.yaml
 _resources.yaml
@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: atlantis-host-cluster-resources
-  namespace: argocd
-spec:
-  project: aux
-  destination:
-    server: https://kubernetes.default.svc
-  syncPolicy:
-    automated:
-      prune: false
-      selfHeal: false
-  sources:
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: resources/atlantis/host-manifests
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: 'resources/atlantis/manifests/prod'
-
@@ -1,46 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: redis
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: redis.srv.oceanbox.io
-      - cluster: https://kubernetes.default.svc
-        env: staging
-        hostname: redis.beta.oceanbox.io
-  template:
-    metadata:
-      name: '{{ env }}-redis'
-    spec:
-      project: aux
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: redis
-      sources:
-        # - repoURL: https://charts.bitnami.com/bitnami
-        #   targetRevision: 18.9.1
-        #   chart: redis
-        #   helm:
-        #     valueFiles:
-        #       - $values/redis/values.yaml
-        # - repoURL: https://gitlab.com/oceanbox/manifests.git
-        #   targetRevision: HEAD
-        #   path: manifests/redis/{{ env }}
-        #   ref: values
-        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: main
-          path: manifests/redis
-          plugin:
-            name: kustomize-helm-with-rewrite
-            parameters:
-            - name: env
-              string: '{{ env }}'
-            - name: hostname
-              string: '{{ hostname }}'
-            - name: chart
-              string: bitnami/redis
@@ -13,11 +13,11 @@ spec:
        hostname: archmeister.srv.oceanbox.io
        autoSync: false
        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: archmeister.beta.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   hostname: archmeister.beta.oceanbox.io
+      #   autoSync: true
+      #   prune: true
  template:
    metadata:
      name: "{{ .env }}-archmeister"
@@ -29,7 +29,7 @@ spec:
      sources:
      - repoURL: https://gitlab.com/oceanbox/manifests.git
        targetRevision: main
-        path: manifests/archmeister
+        path: values/archmeister
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: atlantis-cluster-resources
+  namespace: argocd
+  # annotations: # close, but no cigar
+  #   argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
+spec:
+  project: atlantis
+  destination:
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: false
+      selfHeal: false
+  # ignoreDifferences:
+  #   - kind: Secret
+  #     name: prod-rabbitmq
+  #     jqPathExpressions:
+  #       - '.data'
+  #       - '.metadata.annotations.clone'
+  #       - '.metadata.labels'
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: resources/atlantis
+
@@ -1,3 +1,4 @@
+# Currently not in use. Configured via the create-vcluster script.
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
@@ -14,6 +15,8 @@ spec:
        prune: false
      # - cluster: https://staging-vcluster.staging-vcluster
      #   env: staging
+      #   autoSync: false
+      #   prune: false
  template:
    metadata:
      name: "{{ .env }}-atlantis-resources"
@@ -0,0 +1,51 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.atlantis;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/atlantis;
+    extraValues = {};
+  };
+
+  kustomize = r:
+    if r.kind == "Deployment" then
+      lib.attrsets.recursiveUpdate r {
+        spec.template.spec.containers =
+        builtins.map (x:
+        x // {
+            livenessProbe.httpGet.path = "/healthz";
+            readinessProble.httpGet.path = "/healthz";
+            env = x.env ++ [ { name = "INERNAL_PORT"; value = 8000; } ];
+        }) r.spec.template.spec.containers;
+      }
+      else if r.kind == "Service" then
+      {}
+    else r;
+in
+{
+  options.apps.atlantis = lib.apps.appOptions {
+      revision = lib.mkOption {
+        type = lib.types.str;
+        default = "main";
+        description = "Revision";
+      };
+
+      hostname = lib.mkOption {
+        type = lib.types.str;
+        default = if env == "prod"
+          then "maps.oceanbox.io"
+          else "atlantis.beta.oceanbox.io";
+        description = "Revision";
+      };
+  };
+
+  config = lib.apps.appConfig cfg "${env}-atlantis" {
+    helm.releases."${env}-atlantis" = {
+      inherit values;
+      chart = ../charts/atlantis;
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}
@@ -13,11 +13,11 @@ spec:
        hostname: atlantis.srv.oceanbox.io
        autoSync: false
        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: atlantis.beta.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   hostname: atlantis.beta.oceanbox.io
+      #   autoSync: true
+      #   prune: true
  template:
    metadata:
      name: '{{ .env }}-atlantis'
@@ -29,7 +29,7 @@ spec:
      sources:
      - repoURL: https://gitlab.com/oceanbox/manifests.git
        targetRevision: main
-        path: manifests/atlantis
+        path: values/atlantis
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -7,9 +7,9 @@ spec:
  generators:
  - list:
      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: busynix.srv.oceanbox.io
+      # - cluster: https://kubernetes.default.svc
+      #   env: prod
+      #   hostname: busynix.srv.oceanbox.io
      - cluster: https://staging-vcluster.staging-vcluster
        env: staging
        hostname: busynix.beta.oceanbox.io
@@ -24,7 +24,7 @@ spec:
      source:
        repoURL: https://gitlab.com/oceanbox/manifests.git
        targetRevision: main
-        path: manifests/busynix
+        path: values/busynix
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -25,8 +25,8 @@ spec:
          chart: cerbos
          helm:
            valueFiles:
-              - $values/manifests/cerbos/values.yaml
-              - $values/manifests/cerbos/values-{{ env }}.yaml
+              - $values/values/cerbos/values.yaml
+              - $values/values/cerbos/values-{{ env }}.yaml
        - repoURL: https://gitlab.com/oceanbox/manifests.git
          targetRevision: main
          ref: values
@@ -0,0 +1,46 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.dapr;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    extraValues = {
+      global.ha.enabled = true;
+    };
+  };
+
+in
+{
+  options.apps.dapr = lib.apps.appOptions {
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "1.14.4";
+      description = "Dapr chart version";
+    };
+  };
+
+  config = lib.apps.appConfig cfg "dapr" {
+    namespace = "argocd";
+    helm.releases.dapr = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://dapr.github.io/helm-charts/";
+        chart = "dapr";
+        version = cfg.revision;
+      };
+    };
+    annotations = {
+      "argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
+    };
+    resources = {
+      "argoproj.io".v1alpha1.Application.dapr.spec = {
+        destination = {
+          namespace = "dapr-system";
+          server = "https://kubernetes.default.svc";
+        };
+        project = "default";
+      };
+    };
+  };
+}
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dapr
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: dapr-system
+    server: https://kubernetes.default.svc
+  project: default
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL:  https://dapr.github.io/helm-charts/
+    targetRevision: 1.14.4
+    chart: dapr
+    helm:
+      values: |
+        global:
+          ha:
+            enabled: true
@@ -0,0 +1,16 @@
+{ ... }:
+{
+  imports = [
+    ./atlantis.nix
+    ./dapr.nix
+    ./dex.nix
+    ./keycloak.nix
+    ./loki.nix
+    ./openfga.nix
+    ./opentelemetry-collector.nix
+    ./rabbitmq.nix
+    ./redis.nix
+    ./tempo.nix
+    ./wordpress.nix
+  ];
+}
@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.dex;
+  env = config.apps.env;
+  
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/dex;
+    extraValues = {};
+  };
+in
+{
+  options.apps.dex = lib.apps.appOptions { 
+    enable = lib.mkEnableOption "Dex";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "0.16.0";
+      description = "Dex chart version";
+    };
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      description = "Dex hostname";
+      default = "idp.${env}.oceanbox.io";
+    };
+  };
+  config = lib.apps.appConfig cfg "${env}-dex" {
+    namespace = "idp";
+    helm.releases.dex = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.dexidp.io";
+        chart = "dex";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}
@@ -10,6 +10,6 @@ spec:
    namespace: idp
  source:
    repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: manifests/dex/manifests
+    targetRevision: nixidy
+    path: values/dex/manifests

@@ -24,7 +24,7 @@ spec:
      sources:
      - repoURL: https://gitlab.com/oceanbox/manifests.git
        targetRevision: main
-        path: manifests/geoserver
+        path: values/geoserver
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -13,11 +13,11 @@ spec:
        hostname: hipster.srv.oceanbox.io
        autoSync: false
        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: hipster.beta.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   hostname: hipster.beta.oceanbox.io
+      #   autoSync: true
+      #   prune: true
  template:
    metadata:
      name: '{{ .env }}-hipster'
@@ -29,7 +29,7 @@ spec:
      sources:
      - repoURL: https://gitlab.com/oceanbox/manifests.git
        targetRevision: main
-        path: manifests/hipster
+        path: values/hipster
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -14,9 +14,9 @@ spec:
    chart: jaeger-operator
    helm:
      valueFiles:
-        - $values/manifests/jaeger/values.yaml
+        - $values/values/jaeger/values.yaml
  - repoURL: https://gitlab.com/oceanbox/manifests.git
    targetRevision: main
-    # path: manifests/jaeger/manifests
+    # path: values/jaeger/manifests
    ref: values

@@ -0,0 +1,34 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.keycloak;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/keycloak;
+    extraValues = {};
+  };
+in
+{
+  options.apps.keycloak = lib.apps.appOptions {
+    enable = lib.mkEnableOption "Keycloak";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "24.0.2";
+      description = "Keycloak chart version";
+    };
+  };
+  config = lib.apps.appConfig cfg "keycloak" {
+    namespace = "idp";
+    helm.releases.keycloak = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.bitnami.com/bitnami";
+        chart = "keycloak";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}
@@ -10,12 +10,12 @@ spec:
    namespace: idp
  sources:
  - repoURL: https://charts.bitnami.com/bitnami
-    targetRevision: 18.3.4
+    targetRevision: 24.0.2
    chart: keycloak
    helm:
      valueFiles:
-        - $values/manifests/keycloak/values.yaml
+        - $values/values/keycloak/values.yaml
  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
+    targetRevision: nixidy
    ref: values

@@ -0,0 +1,249 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.loki;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    extraValues = {
+      loki = {
+        auth_enabled = false;
+        storage = {
+          bucketNames = {
+            chunks = cfg.buckets.chunks;
+            ruler = cfg.buckets.ruler;
+            admin = cfg.buckets.admin;
+          };
+          s3 =
+            {
+              endpoint = cfg.s3.endpoint;
+              region = cfg.s3.region;
+              secretAccessKey = "\${S3SECRET}";
+              accessKeyId = "\${S3KEY}";
+              s3ForcePathStyle = true;
+            }
+            // lib.optionalAttrs cfg.s3.insecureSkipVerify {
+              http_config.insecure_skip_verify = true;
+            };
+        };
+        schemaConfig.configs = [
+          {
+            from = "2024-04-01";
+            index.period = "24h";
+            index.prefix = "loki_index_";
+            object_store = "s3";
+            schema = "v13";
+            store = "tsdb";
+          }
+        ];
+        compactor = {
+          compaction_interval = "10m";
+          working_directory = "/tmp/loki/compactor";
+          retention_enabled = true;
+          retention_delete_delay = "2h";
+          retention_delete_worker_count = 150;
+          delete_request_store = "s3";
+        };
+        limits_config.retention_period = "744h";
+      };
+
+      write = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+        tolerations = [
+          {
+            effect = "NoSchedule";
+            operator = "Equal";
+            key = "unschedulable";
+            value = "true";
+          }
+        ];
+      };
+
+      read = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+        tolerations = [
+          {
+            effect = "NoSchedule";
+            operator = "Equal";
+            key = "unschedulable";
+            value = "true";
+          }
+        ];
+      };
+
+      ingress = {
+        enabled = true;
+        ingressClassName = "nginx";
+        annotations = {
+          "cert-manager.io/cluster-issuer" = "letsencrypt-staging";
+          "nginx.ingress.kubernetes.io/ssl-redirect" = "true";
+          "atlantis.oceanbox.io/expose" = "internal";
+        };
+        hosts = [ "loki.adm.oceanbox.io" ];
+        tls = [{
+          hosts = [ "loki.adm.oceanbox.io" ];
+          secretName = "loki-distributed-tls";
+        }];
+      };
+
+      compactor = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+      };
+
+      backend = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+      };
+    };
+  };
+
+in
+{
+  options.apps.loki = lib.apps.appOptions {
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "6.12.0";
+      description = "Loki chart version";
+    };
+    buckets = {
+      chunks = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-chunks";
+        description = "S3 bucket for chunks";
+      };
+      ruler = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-chunks";
+        description = "S3 bucket for ruler";
+      };
+      admin = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-chunks";
+        description = "S3 bucket for admin";
+      };
+    };
+    s3 = {
+      endpoint = lib.mkOption {
+        type = lib.types.str;
+        default = "http://10.255.241.30:30080";
+        description = "S3 endpoint";
+      };
+      region = lib.mkOption {
+        type = lib.types.str;
+        default = "tos";
+        description = "S3 region";
+      };
+      insecureSkipVerify = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Skip TLS verification";
+      };
+    };
+    secret = {
+      name = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-s3";
+        description = "Name of the S3 credentials secret";
+      };
+      accessKey = lib.mkOption {
+        type = lib.types.str;
+        default = "AWS_ACCESS_KEY_ID";
+        description = "Access key field in secret";
+      };
+      secretKey = lib.mkOption {
+        type = lib.types.str;
+        default = "AWS_ACCESS_KEY_SECRET";
+        description = "Secret key field in secret";
+      };
+    };
+  };
+
+  config = lib.apps.appConfig cfg "loki" {
+    namespace = "argocd";
+    helm.releases.loki = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://grafana.github.io/helm-charts";
+        chart = "loki";
+        version = cfg.revision;
+        chartHash = "sha256-YUtEIUiQWRzlttfOOgDk1xfTaiAZ12tIgpGr1QcMpro=";
+      };
+    };
+    annotations = {
+      "argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
+    };
+    # TODO: Add network policies as a second source or integrate them into `resources`.
+    resources = {
+      "argoproj.io".v1alpha1.Application.loki.spec.ignoreDifferences = [
+        {
+          group = "apps";
+          kind = "StatefulSet";
+          jsonPointers = [ "/spec/persistentVolumeClaimRetentionPolicy" ];
+        }
+      ];
+    };
+  };
+}
@@ -0,0 +1,150 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: loki
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: loki
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://gitlab.com/serit/k8s/serit-platform-manifests.git
+    path: network-policies/netpol-loki
+    targetRevision: HEAD
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: 6.12.0
+    chart: loki
+    helm:
+      values: |
+        loki:
+          auth_enabled: false
+          storage:
+            bucketNames:
+              chunks: loki-chunks
+              ruler: loki-chunks
+              admin: loki-chunks
+            s3:
+              endpoint: http://10.255.241.30:30080
+              region: tos
+              accessKeyId: ${S3KEY}
+              secretAccessKey: ${S3SECRET}
+              s3ForcePathStyle: true
+              http_config:
+                insecure_skip_verify: true
+          schemaConfig:
+            configs:
+            - from: "2024-04-01"
+              index:
+                period: 24h
+                prefix: loki_index_
+              object_store: s3
+              schema: v13
+              store: tsdb
+          compactor:
+            compaction_interval: 10m
+            working_directory: /tmp/loki/compactor
+            retention_enabled: true
+            retention_delete_delay: 2h
+            retention_delete_worker_count: 150
+            delete_request_store: s3
+          limits_config:
+            retention_period: 744h
+        write:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+          tolerations:
+          - effect: "NoSchedule"
+            operator: "Equal"
+            key: "unschedulable"
+            value: "true"
+        read:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+          tolerations:
+          - effect: "NoSchedule"
+            operator: "Equal"
+            key: "unschedulable"
+            value: "true"
+        ingress:
+          enabled: true
+          ingressClassName: nginx
+          annotations:
+            cert-manager.io/cluster-issuer: letsencrypt-staging
+            nginx.ingress.kubernetes.io/ssl-redirect: "true"
+            atlantis.oceanbox.io/expose: internal
+          hosts:
+            - loki.adm.oceanbox.io
+          tls:
+            - hosts:
+               - loki.adm.oceanbox.io
+              secretName: loki-distributed-tls
+        compactor:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+        backend:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.openfga;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/openfga;
+    extraValues = {};
+  };
+
+  kustomize = r:
+    if r.kind == "Job" then
+      lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; }
+    else r;
+
+in
+  {
+    options.apps.openfga = lib.apps.appOptions {};
+
+    config = lib.apps.appConfig cfg "${env}-openfga" {
+        helm.releases."${env}-openfga" = {
+          inherit values;
+          chart = lib.helm.downloadHelmChart {
+            repo = "https://openfga.github.io/helm-charts";
+            chart = "openfga";
+            version = "0.2.12";
+            chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU=";
+          };
+          transformer = rs: builtins.map (x: kustomize x) rs;
+        };
+
+        annotations = {};
+        resources = {
+          services.poop.spec = {
+          };
+        };
+      };
+  }
@@ -0,0 +1,117 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.opentelemetry-collector;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    extraValues = {
+      mode = "deployment";
+      image = {
+        repository = "otel/opentelemetry-collector-k8s";
+      };
+      service = {
+        type = "LoadBalancer";
+        loadBalancerIP = "10.255.241.12";
+      };
+      config = {
+        receivers = {
+          "prometheus/collector" = {
+            config.scrape_configs = [{
+              job_name = "opentelemetry-collector";
+              static_configs = [{
+                targets = [ "\${env:MY_POD_IP}:8888" ];
+              }];
+            }];
+          };
+          zipkin.endpoint = "\${env:MY_POD_IP}:9411";
+        };
+        exporters = {
+          otlp = {
+            endpoint = "tempo.tempo.svc:4317";
+            tls.insecure = true;
+          };
+          "otlphttp/metrics" = {
+            endpoint = "http://prom-prometheus.prometheus:9090/api/v1/otlp";
+            tls.insecure = true;
+          };
+          "otlphttp/logs" = {
+            endpoint = "http://loki-write-headless.loki:3100/otlp";
+            tls.insecure = true;
+          };
+          "debug/metrics".verbosity = "detailed";
+          "debug/traces".verbosity = "detailed";
+          "debug/logs".verbosity = "detailed";
+        };
+        service = {
+          telemetry.logs.level = "info";
+          pipelines = {
+            traces = {
+              receivers = [ "otlp" "zipkin" ];
+              processors = [ "batch" ];
+              exporters = [ "otlp" ];
+            };
+            metrics = {
+              receivers = [ "otlp" "prometheus/collector" ];
+              processors = [ "batch" ];
+              exporters = [ "otlphttp/metrics" ];
+            };
+            logs = {
+              receivers = [ "otlp" ];
+              processors = [ "batch" ];
+              exporters = [ "otlphttp/logs" ];
+            };
+          };
+        };
+      };
+      ports.metrics.enabled = true;
+      ingress = {
+        enabled = false;
+        annotations = {
+          "cert-manager.io/cluster-issuer" = "letsencrypt-production";
+          "nginx.ingress.kubernetes.io/ssl-redirect" = "true";
+          "atlantis.oceanbox.io/expose" = "internal";
+        };
+        ingressClassName = "nginx";
+        hosts = [{
+          host = "opentelemetry-collector.adm.oceanbox.io";
+          paths = [{
+            path = "/";
+            pathType = "Prefix";
+            port = 4318;
+          }];
+        }];
+        tls = [{
+          secretName = "collector-tls";
+          hosts = [ "opentelemetry-collector.adm.oceanbox.io" ];
+        }];
+      };
+    };
+  };
+
+in
+{
+  options.apps.opentelemetry-collector = lib.apps.appOptions {
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "0.107.0";
+      description = "OpenTelemetry Collector chart version";
+    };
+  };
+
+  config = lib.apps.appConfig cfg "opentelemetry-collector" {
+    namespace = "argocd";
+    helm.releases.opentelemetry-collector = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://open-telemetry.github.io/opentelemetry-helm-charts";
+        chart = "opentelemetry-collector";
+        version = cfg.revision;
+        chartHash = "sha256-0000000000000000000000000000000000000000000000"; # TODO: Add correct hash
+      };
+    };
+    annotations = {
+      "argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
+    };
+  };
+}
@@ -0,0 +1,109 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: opentelemetry-collector
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: otel
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: 'https://open-telemetry.github.io/opentelemetry-helm-charts'
+    targetRevision: 0.107.0
+    chart: opentelemetry-collector
+    helm:
+      values: |
+        mode: deployment
+        image:
+          repository: otel/opentelemetry-collector-k8s
+        service:
+          type: LoadBalancer
+          loadBalancerIP: 10.255.241.12
+        config:
+          receivers:
+            prometheus/collector:
+              config:
+                scrape_configs:
+                  - job_name: 'opentelemetry-collector'
+                    static_configs:
+                      - targets:
+                         - ${env:MY_POD_IP}:8888
+            zipkin:
+              endpoint: ${env:MY_POD_IP}:9411
+          exporters:
+            otlp:
+              endpoint: "tempo.tempo.svc:4317"
+              tls:
+                insecure: true
+            otlphttp/metrics:
+              endpoint: http://prom-prometheus.prometheus:9090/api/v1/otlp
+              tls:
+                insecure: true
+            otlphttp/logs:
+              endpoint: http://loki-write-headless.loki:3100/otlp
+              tls:
+                insecure: true
+            debug/metrics:
+              verbosity: detailed
+            debug/traces:
+              verbosity: detailed
+            debug/logs:
+              verbosity: detailed
+          service:
+            telemetry:
+              logs:
+                level: "info"
+            pipelines:
+              traces:
+                receivers: [otlp,zipkin]
+                processors: [batch]
+                exporters: [otlp]
+                # exporters: [otlphttp/traces,debug/traces]
+              metrics:
+                receivers: [otlp,prometheus/collector]
+                processors: [batch]
+                exporters: [otlphttp/metrics]
+                # exporters: [otlphttp/metrics,debug/metrics]
+              logs:
+                receivers: [otlp]
+                processors: [batch]
+                exporters: [otlphttp/logs]
+                # exporters: [otlphttp/logs,debug/logs]
+        ports:
+          metrics:
+            enabled: true
+        # presets:
+        #   logsCollection:
+        #     enabled: true
+        ingress:
+          enabled: false
+          annotations:
+              cert-manager.io/cluster-issuer: letsencrypt-production
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              atlantis.oceanbox.io/expose: internal
+          ingressClassName: nginx
+          hosts:
+            - host: opentelemetry-collector.adm.oceanbox.io
+              paths:
+                - path: /
+                  pathType: Prefix
+                  port: 4318
+          tls:
+            - secretName: collector-tls
+              hosts:
+                - opentelemetry-collector.adm.oceanbox.io
@@ -22,9 +22,9 @@ spec:
        namespace: oceanbox
        server: '{{ cluster }}'
      source:
-        repoURL: https://gitlab.com/oceanbox/charts.git
+        repoURL: https://gitlab.com/oceanbox/manifests.git
        targetRevision: HEAD
-        path: manifests/osm-tile-server
+        path: values/osm-tile-server
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -13,11 +13,11 @@ spec:
        hostname: petimeter.srv.oceanbox.io
        autoSync: false
        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: petimeter.beta.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   hostname: petimeter.beta.oceanbox.io
+      #   autoSync: true
+      #   prune: true
  template:
    metadata:
      name: '{{ .env }}-petimeter'
@@ -29,7 +29,7 @@ spec:
      sources:
      - repoURL: https://gitlab.com/oceanbox/manifests.git
        targetRevision: main
-        path: manifests/petimeter
+        path: values/petimeter
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -39,7 +39,7 @@ spec:
            string: '{{ .hostname }}'
      - repoURL: https://gitlab.com/oceanbox/manifests.git
        targetRevision: main
-        path: manifests/petimeter/manifests
+        path: values/petimeter/manifests
  templatePatch: |
    {{- if .autoSync }}
    spec:
@@ -0,0 +1,66 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-atlantis
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: prod-atlantis
+    server: https://kubernetes.default.svc
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/atlantis
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: prod
+      - name: hostname
+        string: maps.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/atlantis/prod/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-replication
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-ca
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false
@@ -0,0 +1,38 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-keycloak
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: aux
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: keycloak
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/keycloak/prod
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 24.0.2
+    chart: keycloak
+    helm:
+      valueFiles:
+        - $values/values/keycloak/values-prod.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+
@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-openfga
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: openfga
+    server: https://kubernetes.default.svc
+  project: aux
+  # ignoreDifferences:
+  # - group: apps
+  #   kind: StatefulSet
+  #   jsonPointers:
+  #   - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://openfga.github.io/helm-charts
+    targetRevision: 0.2.19
+    chart: openfga
+    helm:
+      valueFiles:
+      - $values/values/openfga/values-prod.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
@@ -0,0 +1,54 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-sorcerer
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: prod-sorcerer
+    server: https://10.255.241.99:4443
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/sorcerer
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: prod
+      - name: hostname
+        string: sorcerer.data.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/sorcerer/prod/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false
@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.rabbitmq;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/rabbitmq;
+    extraValues = {};
+  };
+in
+{
+  options.apps.rabbitmq = lib.apps.appOptions {
+    enable = lib.mkEnableOption "RabbitMQ";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "12.9.0";
+      description = "RabbitMQ chart version";
+    };
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      description = "RabbitMQ hostname";
+      default = "rabbitmq.${env}.oceanbox.io";
+    };
+  };
+  config = lib.apps.appConfig cfg "${env}-rabbitmq" {
+    namespace = "rabbitmq";
+    helm.releases.rabbitmq = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.bitnami.com/bitnami";
+        chart = "rabbitmq";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}
@@ -27,8 +27,8 @@ spec:
          chart: rabbitmq
          helm:
            valueFiles:
-              - $values/manifests/rabbitmq/values-{{ env }}.yaml
+              - $values/values/rabbitmq/values-{{ env }}.yaml
        - repoURL: https://gitlab.com/oceanbox/manifests.git
          targetRevision: main
-          path: manifests/rabbitmq/{{ env }}
+          path: values/rabbitmq/{{ env }}
          ref: values
@@ -0,0 +1,34 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.redis;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/redis;
+    extraValues = {};
+  };
+in
+{
+  options.apps.redis = lib.apps.appOptions {
+    enable = lib.mkEnableOption "Redis";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "19.5.2";
+      description = "Redis chart version";
+    };
+  };
+  config = lib.apps.appConfig cfg "${env}-redis" {
+    namespace = "redis";
+    helm.releases.redis = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.bitnami.com/bitnami";
+        chart = "redis";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}
@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: redis
+  namespace: argocd
+spec:
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+        env: prod
+      - cluster: https://kubernetes.default.svc
+        env: staging
+  template:
+    metadata:
+      name: '{{ env }}-redis'
+    spec:
+      project: aux
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: redis
+      sources:
+        - repoURL: https://charts.bitnami.com/bitnami
+          targetRevision: 19.5.2
+          chart: redis
+          helm:
+            valueFiles:
+              - $values/values/redis/values-{{ env }}.yaml
+        - repoURL: https://gitlab.com/oceanbox/manifests.git
+          targetRevision: HEAD
+          ref: values
+        - repoURL: https://gitlab.com/oceanbox/manifests.git
+          targetRevision: main
+          path: values/redis/{{ env }}
+      ignoreDifferences:
+        - group: apps
+          kind: StatefulSet
+          jqPathExpressions:
+            - '.spec.template.spec.containers[].resources.limits.cpu'
@@ -14,7 +14,7 @@ spec:
    chart: seq
    helm:
      valueFiles:
-        - $values/manifests/seq/values.yaml
+        - $values/values/seq/values.yaml
  - repoURL: https://gitlab.com/oceanbox/manifests.git
    targetRevision: main
    ref: values
@@ -13,11 +13,11 @@ spec:
        hostname: sorcerer.data.oceanbox.io
        autoSync: false
        prune: true
-      - cluster: https://10.255.241.99:4443
-        env: staging
-        hostname: sorcerer.ekman.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://10.255.241.99:4443
+      #   env: staging
+      #   hostname: sorcerer.ekman.oceanbox.io
+      #   autoSync: true
+      #   prune: true
  template:
    metadata:
      name: '{{ .env }}-sorcerer'
@@ -29,7 +29,7 @@ spec:
      sources:
      - repoURL: https://gitlab.com/oceanbox/manifests.git
        targetRevision: main
-        path: manifests/sorcerer
+        path: values/sorcerer
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -0,0 +1,66 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: staging-atlantis
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: staging-atlantis
+    server: https://kubernetes.default.svc
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/atlantis
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: staging
+      - name: hostname
+        string: atlantis.beta.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/atlantis/staging/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: staging-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-replication
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-ca
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: false
@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: staging-openfga
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: openfga
+    server: https://kubernetes.default.svc
+  project: aux
+  # ignoreDifferences:
+  # - group: apps
+  #   kind: StatefulSet
+  #   jsonPointers:
+  #   - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://openfga.github.io/helm-charts
+    targetRevision: 0.2.19
+    chart: openfga
+    helm:
+      valueFiles:
+      - $values/values/openfga/values-staging.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
@@ -0,0 +1,54 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: staging-sorcerer
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: staging-sorcerer
+    server: https://10.255.241.99:4443
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/sorcerer
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: staging
+      - name: hostname
+        string: sorcerer.ekman.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/sorcerer/staging/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false
@@ -0,0 +1,124 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.tempo;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    extraValues = {
+      tempo = {
+        storage = {
+          trace = {
+            backend = "s3";
+            s3 = {
+              bucket = cfg.s3.bucket;
+              endpoint = cfg.s3.endpoint;
+              access_key = "\${S3SECRET}";
+              secret_key = "\${S3KEY}";
+              insecure = true;
+            };
+            local = {
+              path = "/var/tempo/traces";
+            };
+            wal = {
+              path = "/var/tempo/wal";
+            };
+          };
+        };
+        metricsGenerator = {
+          enabled = true;
+          remoteWriteUrl = "http://prom-prometheus.prometheus:9090/api/v1/write";
+        };
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+      };
+
+      tempoQuery = {
+        ingress = {
+          enabled = true;
+          ingressClassName = "nginx";
+          annotations = {
+            "cert-manager.io/cluster-issuer" = "letsencrypt-staging";
+            "nginx.ingress.kubernetes.io/ssl-redirect" = "true";
+            "atlantis.oceanbox.io/expose" = "internal";
+          };
+          path = "/";
+          pathType = "Prefix";
+          hosts = [ "query.tempo.adm.oceanbox.io" ];
+          tls = [{
+            secretName = "tempo-query-tls";
+            hosts = [ "query.tempo.adm.oceanbox.io" ];
+          }];
+        };
+      };
+    };
+  };
+
+in
+{
+  options.apps.tempo = lib.apps.appOptions {
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "1.10.3";
+      description = "Tempo chart version";
+    };
+    s3 = {
+      bucket = lib.mkOption {
+        type = lib.types.str;
+        default = "tempo-traces";
+        description = "S3 bucket for traces";
+      };
+      endpoint = lib.mkOption {
+        type = lib.types.str;
+        default = "http://10.255.241.30:30080";
+        description = "S3 endpoint";
+      };
+    };
+    secret = {
+      name = lib.mkOption {
+        type = lib.types.str;
+        default = "tempo-s3";
+        description = "Name of the S3 credentials secret";
+      };
+      accessKey = lib.mkOption {
+        type = lib.types.str;
+        default = "AWS_ACCESS_KEY_ID";
+        description = "Access key field in secret";
+      };
+      secretKey = lib.mkOption {
+        type = lib.types.str;
+        default = "AWS_ACCESS_KEY_SECRET";
+        description = "Secret key field in secret";
+      };
+    };
+  };
+
+  config = lib.apps.appConfig cfg "tempo" {
+    namespace = "argocd";
+    helm.releases.tempo = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://grafana.github.io/helm-charts";
+        chart = "tempo";
+        version = cfg.revision;
+      };
+    };
+    annotations = {
+      "argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
+    };
+  };
+}
@@ -0,0 +1,76 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tempo
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: tempo
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: 1.10.3
+    chart: tempo
+    helm:
+      values: |
+        tempo:
+          storage:
+            trace:
+              backend: s3
+              s3:
+                bucket: tempo-traces
+                endpoint: 10.255.241.30:30080
+                access_key: ${S3KEY}
+                secret_key: ${S3SECRET}
+                forcepathstyle: true
+                insecure: true
+              local:
+                path: /var/tempo/traces
+              wal:
+                path: /var/tempo/wal
+          metricsGenerator:
+            enabled: true
+            remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
+          extraArgs: { config.expand-env=true }
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: tempo-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: tempo-s3
+                key: AWS_ACCESS_KEY_SECRET
+        tempoQuery:
+          ingress:
+            enabled: true
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: letsencrypt-staging
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              atlantis.oceanbox.io/expose: internal
+            path: /
+            pathType: Prefix
+            hosts:
+              - query.tempo.adm.oceanbox.io
+            tls:
+             - secretName: tempo-query-tls
+               hosts:
+                 - query.tempo.adm.oceanbox.io
@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.wordpress;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/wordpress;
+    extraValues = {};
+  };
+in
+{
+  options.apps.wordpress = lib.apps.appOptions {
+    enable = lib.mkEnableOption "WordPress";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "19.2.2";
+      description = "WordPress chart version";
+    };
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      description = "WordPress hostname";
+      default = "www.${env}.oceanbox.io";
+    };
+  };
+  config = lib.apps.appConfig cfg "www-oceanbox" {
+    namespace = "www-oceanbox";
+    helm.releases.wordpress = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.bitnami.com/bitnami";
+        chart = "wordpress";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}
@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: yolo-dl
+  namespace: argocd
+spec:
+  project: aux
+  destination:
+    server: https://10.255.241.99:4443
+    namespace: oceanbox
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: charts/yolo-dl
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    managed-by: argocd.argoproj.io
-  labels:
-    argocd.argoproj.io/secret-type: cluster
-  name: cluster-staging-vcluster
-  namespace: argocd
-stringData:
-  config: |
-    {"bearerToken":"eyJhbGciOiJSUzI1NiIsImtpZCI6InhKNmNNemw4V01jR0cxUHJ4ajE3bTdQRDlKd1ZyQUQ0cDFPcXRuVDBFbWsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImUyNjQ2MDgzLTNjMDMtNDc0Ni1iMGIxLWViOGRmMzY3NTNiMiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.hXQzh4mus2yPwXz-EyowgSpOKgOk7uDU8z-dH-sZJ-UgzxQFOxABfkjD4Kb4JYlXrr_zkMO7n_zkaDOl3iFDCDS2Pury7hsIlJNKETYk-_llH0RYI9DYzAB5PkeOyuKhmRq8eklynq5ObPtk7WVuj3Bp-64uSqfX-WvxqoE0dfh0erSVcU7BwwjRdeDnO01xzv5zXXAYkOmk6e5DGOLBdUMD8kDZE0_NEa-MKCVkl78sc2mCsOMOUhzXoCduvc92hfnoFEfoTKe7xHwLeUim4HvVfD9czXOpRtHKXgEsk0UGtj0xg7D70uftUIxpr4a8rbWceM4eyGtXpjPUm1mh1Q","tlsClientConfig":{"insecure":true}}
-  name: staging-vcluster
-  server: https://staging-vcluster.staging-vcluster
-type: Opaque
-
@@ -0,0 +1,14 @@
+apiVersion: v1
+stringData:
+  config: |
+    {"bearerToken":"","tlsClientConfig":{"insecure":true}}
+  name: ekman
+  server: https://10.255.241.99:4443
+kind: Secret
+metadata:
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+  name: cluster-10.255.241.99-4046803085
+  namespace: argocd
+type: Opaque
+
@@ -4,4 +4,4 @@ RUN mkdir -p /home/argocd/cmp-server/config/
 COPY plugin.yaml /home/argocd/cmp-server/config/

 WORKDIR /plugin
-COPY init.sh get-values.sh generate.sh ./
+COPY init-helm-repos.sh init.sh get-values.sh generate.sh ./
@@ -1,23 +1,24 @@
 #!/bin/sh

-export HOME=/tmp
+export HOME=/helm-working-dir

 env > /tmp/$ARGOCD_APP_NAME.env

 echo "$ARGOCD_APP_PARAMETERS" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
 cp parameters.yaml /tmp/$ARGOCD_APP_NAME-parameters.yaml

-if [ -d chart ]; then
-    CHART=chart
-elif [ -f chart -a "$PARAM_CHART" = "." ]; then
-    CHART=$(cat chart)
-elif [ -n "$PARAM_CHART" ]; then
+if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
    CHART=$PARAM_CHART
+elif [ -d chart ]; then
+    CHART=chart
+elif [ -f chart ]; then
+    CHART=$(cat chart)
 else
    CHART="."
 fi

 [ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
+[ -f values-chart.yaml ] && VALUES="$VALUES -f values-chart.yaml"
 [ -f values.yaml ] && VALUES="$VALUES -f values.yaml"
 [ -f values-$PARAM_ENV.yaml ] && VALUES="$VALUES -f values-$PARAM_ENV.yaml"
 VALUES="$VALUES -f parameters.yaml"
@@ -2,6 +2,8 @@

 if [ -f values.yaml ]; then
    VALUES="values.yaml"
+elif [ -f values-chart.yaml ]; then
+    VALUES="values-chart.yaml"
 elif [ -f chart/values.yaml ]; then
    VALUES="chart/values.yaml"
 else
@@ -1,12 +1,15 @@
 #!/bin/sh

-export HOME=/tmp
+export HOME=/helm-working-dir
+
+helm repo add --username argocd-helm --password "$OCEANBOX_HELM_ACCESS_TOKEN" oceanbox \
+    https://gitlab.com/api/v4/projects/54396343/packages/helm/stable

 helm repo add bitnami https://charts.bitnami.com/bitnami
 helm repo add cerbos https://download.cerbos.dev/helm-charts
 helm repo add dapr https://dapr.github.io/helm-charts/
 helm repo add ncsa https://opensource.ncsa.illinois.edu/charts
 helm repo add dex https://charts.dexidp.io
+helm repo add openfga https://openfga.github.io/helm-charts

 helm repo update
-
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+export HOME=/helm-working-dir
+
+helm repo update oceanbox
+
+if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
+    helm show values $PARAM_CHART > values-chart.yaml
+elif [ -f chart ]; then
+    CHART=$(cat chart)
+    helm show values $CHART > values-chart.yaml
+fi
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    managed-by: argocd.argoproj.io
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+  name: cluster-staging-vcluster
+  namespace: argocd
+stringData:
+  config: |
+    {"bearerToken":"","tlsClientConfig":{"insecure":true}}
+  name: staging-vcluster
+  server: https://staging-vcluster.staging-vcluster
+type: Opaque
+
@@ -12,8 +12,7 @@ description: Archive management for Atlantis
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v6.19.5
+version: v6.20.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v6.19.5
-
+appVersion: v6.20.0
@@ -84,8 +84,8 @@ spec:
        emptyDir: {}
      {{- end }}
      - name: appsettings
-        secret:
-          secretName: {{ template "Archmeister.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Archmeister.fullname" . }}-appsettings
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
@@ -5,12 +5,23 @@
 replicaCount: 1
 image:
  repository: registry.gitlab.com/oceanbox/oceanbox.dataagent
-  tag: v6.19.5
+  tag: v6.20.0
  pullPolicy: IfNotPresent
 init:
  enabled: false
  image: ubuntu:rolling
  command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
  - name: gitlab-pull-secret
 nameOverride: ""
@@ -1,18 +1,6 @@
 apiVersion: v2
 name: atlantis
 description: Atlantis map and simulation service
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-version: v2.78.15
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application.
-appVersion: v2.78.15
+version: v2.87.1
+appVersion: v2.87.1
@@ -2,14 +2,15 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: {{ include "Atlantis.fullname" . }}
+  name: {{ include "Atlantis.fullname" . }}-db
+  namespace: {{ .Release.Namespace }}
  annotations:
    linkerd.io/inject: disabled
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
-  instances: {{ .Values.cluster.instances | default "2" }}
-
+  instances: {{ .Values.cluster.instances | default "1" }}
+  imageName: ghcr.io/cloudnative-pg/postgis:15-3.3
  # Example of rolling update strategy:
  # - unsupervised: automated update of the primary once all
  #                 replicas have been upgraded (default)
@@ -18,9 +19,36 @@ spec:
  primaryUpdateStrategy: unsupervised
  backup:
    retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
-
  storage:
    size: {{ .Values.cluster.size | default "5Gi" }}
+{{- with .Values.cluster.bootstrap }}
+  bootstrap:
+{{- if .enabled }}
+    pg_basebackup:
+      source: archmaester
+  externalClusters:
+  - name: archmaester
+    connectionParameters:
+      host: {{ .source.db }}-rw.{{ .source.namespace }}
+      user: streaming_replica
+      sslmode: verify-full
+    sslKey:
+      name: {{ .source.db }}-replication
+      key: tls.key
+    sslCert:
+      name: {{ .source.db }}-replication
+      key: tls.crt
+    sslRootCert:
+      name: {{ .source.db }}-ca
+      key: ca.crt
+{{- else }}
+    initdb:
+      postInitTemplateSQL:
+        - CREATE EXTENSION postgis;
+        - CREATE EXTENSION postgis_topology;
+        - CREATE EXTENSION fuzzystrmatch;
+        - CREATE EXTENSION postgis_tiger_geocoder;
+        - ALTER USER app WITH SUPERUSER;
+{{- end }}
+{{- end }}
 {{- end }}
-
-
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
@@ -83,8 +84,8 @@ spec:
        emptyDir: {}
      {{- end }}
      - name: appsettings
-        secret:
-          secretName: {{ template "Atlantis.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Atlantis.fullname" . }}-appsettings
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
@@ -16,6 +16,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
  {{- with .Values.ingress.annotations }}
@@ -53,8 +54,8 @@ spec:
                port:
                  number: {{ $svcPort }}
              {{- else }}
-              serviceName: {{ $fullName }}
-              servicePort: {{ $svcPort }}
+              serviceName: {{ .serviceName | default $fullName }}
+              servicePort: {{ .servicePort | default $svcPort }}
              {{- end }}
          {{- end }}
    {{- end }}
@@ -0,0 +1,62 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "Atlantis.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-internal
+  labels:
+    {{- include "Atlantis.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    atlantis.oceanbox.io/expose: internal
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .internal }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}
@@ -3,6 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: {{ template "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 {{- with .Values.persistence.annotations  }}
  annotations:
 {{ toYaml . | indent 4 }}
@@ -0,0 +1,38 @@
+{{- if not .Values.cluster.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ include "Atlantis.fullname" . }}-db-superuser
+  namespace: {{ .Release.Namespace }}
+type: kubernetes.io/basic-auth
+data:
+  username:
+  password:
+{{- else }}
+{{- if .Values.cluster.bootstrap.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-replication
+type: kubernetes.io/tls
+data:
+  tls.crt: ""
+  tls.key: ""
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-ca
+  namespace: {{ .Release.Namespace }}
+data:
+  ca.crt: ""
+  ca.key: ""
+{{- end }}
+{{- end }}
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "Atlantis.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
@@ -0,0 +1,20 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpoints:
+  - honorLabels: false
+    path: /metrics
+    port: http
+  jobLabel: {{ .Values.serviceMonitor.label | default (include "Atlantis.fullname" .) }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ include "Atlantis.fullname" . }}
+      app.kubernetes.io/name: atlantis
+{{- end }}
@@ -3,21 +3,36 @@
 # Declare variables to be passed into your templates.

 replicaCount: 1
+
 image:
  repository: registry.gitlab.com/oceanbox/atlantis
-  tag: v2.78.15
+  tag: v2.87.1
  pullPolicy: IfNotPresent
+
 init:
  enabled: false
  image: ubuntu:rolling
  command: ["/bin/sh", "-c", "true"]
+
 env:
  - name: LOG_LEVEL
    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
+
 imagePullSecrets:
  - name: gitlab-pull-secret
+
 nameOverride: ""
+
 fullnameOverride: ""
+
 serviceAccount:
  create: true
  # Annotations to add to the service account
@@ -25,9 +40,12 @@ serviceAccount:
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
+
 podAnnotations: {}
+
 podSecurityContext:
  fsGroup: 2000
+
 securityContext:
  capabilities:
    drop:
@@ -35,11 +53,13 @@ securityContext:
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 1000
+
 service:
  type: ClusterIP
  port: 8085
+
 ingress:
-  enabled: true
+  enabled: false
  className: "nginx"
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
@@ -49,21 +69,36 @@ ingress:
      paths:
        - path: /
          pathType: ImplementationSpecific
+        - path: /events
+          pathType: ImplementationSpecific
+          serviceName: main-ingress-nginx-defaultbackend.ingress-nginx
+          servicePort: 80
+      internal:
+        - path: /internal
+          pathType: ImplementationSpecific
  tls:
    - hosts:
        - atlantis.srv.oceanbox.io
      secretName: atlantis-tls
+
 persistence:
  enabled: false
  size: 1G
  storageClass: ""
  accessMode: ReadWriteOnce
+
 cluster:
-  enabled: false
-  instances: 2
+  enabled: true
+  instances: 1
  backupEnabled: true
  backupRetention: 60d
  size: 5Gi
+  bootstrap:
+    enabled: true
+    source:
+      db: prod-archmeister
+      namespace: atlantis
+
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -82,6 +117,10 @@ autoscaling:
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80
+
+serviceMonitor:
+  enabled: true
+
 nodeSelector: {}
 tolerations: []
 affinity: {}
@@ -12,7 +12,7 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v2.6.4
+version: v2.7.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v2.6.4
+appVersion: v2.7.0
@@ -81,8 +81,8 @@ spec:
        emptyDir: {}
      {{- end }}
      - name: appsettings
-        secret:
-          secretName: {{ template "Hipster.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Hipster.fullname" . }}-appsettings
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
@@ -5,12 +5,23 @@
 replicaCount: 1
 image:
  repository: registry.gitlab.com/oceanbox/hipster
-  tag: v2.6.4
+  tag: v2.7.0
  pullPolicy: IfNotPresent
 init:
  enabled: false
  image: ubuntu:rolling
  command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
  - name: gitlab-pull-secret
 nameOverride: ""
@@ -12,7 +12,7 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.9.8
+version: v1.9.9
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.9.8
+appVersion: v1.9.9
@@ -1,19 +0,0 @@
- op: replace
-  path: /spec/template/spec/containers/0/livenessProbe/httpGet/path
-  value: /healthz
- op: replace
-  path: /spec/template/spec/containers/0/readinessProbe/httpGet/path
-  value: /healthz
- op: add
-  path: /spec/template/spec/containers/0/volumeMounts/-
-  value:
-    name: acl
-    mountPath: /app/acl.json
-    subPath: acl.json
-    readOnly: true
- op: add
-  path: /spec/template/spec/volumes/-
-  value:
-    name: acl
-    configMap:
-      name: petimeter-acl
@@ -1,16 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: oceanbox
-patches:
-  - target:
-      version: v1
-      group: apps
-      kind: Deployment
-      name: petimeter
-    path: deployment_patch.yaml
-# configMapGenerator:
-#   - name: petimeter-acl
-#     files:
-#       - acl.json
-resources:
-  - _manifest.yaml
@@ -84,8 +84,8 @@ spec:
        emptyDir: {}
      {{- end }}
      - name: appsettings
-        secret:
-          secretName: {{ template "Petimeter.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Petimeter.fullname" . }}-appsettings
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
@@ -5,12 +5,23 @@
 replicaCount: 1
 image:
  repository: registry.gitlab.com/oceanbox/petimeter
-  tag: v1.9.8
+  tag: v1.9.9
  pullPolicy: IfNotPresent
 init:
  enabled: false
  image: ubuntu:rolling
  command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
  - name: gitlab-pull-secret
 nameOverride: ""
@@ -1,18 +1,6 @@
 apiVersion: v2
 name: sorcerer
 description: A Helm chart for Kubernetes
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-version: v4.7.7
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application.
-appVersion: v4.7.7
+version: v4.9.0
+appVersion: v4.9.0
@@ -38,8 +38,7 @@ spec:
              containerPort: {{ .Values.service.port }}
              protocol: TCP
          env:
-            - name: LOG_LEVEL
-              value: "3"
+            {{- toYaml .Values.env | nindent 12 }}
          livenessProbe:
            httpGet:
              path: /
@@ -84,8 +83,8 @@ spec:
        emptyDir: {}
      {{- end }}
      - name: appsettings
-        secret:
-          secretName: {{ template "Sorcerer.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Sorcerer.fullname" . }}-appsettings
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
@@ -0,0 +1,62 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "Sorcerer.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-internal
+  labels:
+    {{- include "Sorcerer.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    atlantis.oceanbox.io/expose: internal
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .internal }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}
@@ -3,18 +3,36 @@
 # Declare variables to be passed into your templates.

 replicaCount: 1
+
 image:
  repository: registry.gitlab.com/oceanbox/sorcerer
-  tag: v4.7.7
+  tag: v4.9.0
  pullPolicy: IfNotPresent
+
 init:
  enabled: false
  image: ubuntu:rolling
  command: ["/bin/sh", "-c", "true"]
+
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
+
 imagePullSecrets:
  - name: gitlab-pull-secret
+
 nameOverride: ""
+
 fullnameOverride: ""
+
 serviceAccount:
  create: true
  # Annotations to add to the service account
@@ -22,9 +40,12 @@ serviceAccount:
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
+
 podAnnotations: {}
+
 podSecurityContext:
  fsGroup: 2000
+
 securityContext:
  capabilities:
    drop:
@@ -32,9 +53,11 @@ securityContext:
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 1000
+
 service:
  type: ClusterIP
  port: 8085
+
 ingress:
  enabled: true
  className: "nginx"
@@ -46,6 +69,9 @@ ingress:
      paths:
        - path: /
          pathType: ImplementationSpecific
+      internal:
+        - path: /internal
+          pathType: ImplementationSpecific
  tls:
    - hosts:
        - sorcerer.srv.oceanbox.io
@@ -62,6 +88,7 @@ cluster:
  backupEnabled: true
  backupRetention: 60d
  size: 5Gi
+
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -80,6 +107,10 @@ autoscaling:
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80
+
+serviceMonitor:
+  enabled: true
+
 nodeSelector: {}
 tolerations: []
 affinity: {}
@@ -6,9 +6,9 @@ metadata:
 spec:
  egress:
  - toFQDNs:
-    - matchName: api.github.com
    - matchName: dapr.github.io
-    - matchName: gitlab.com
    - matchName: analytics.loft.rocks
+    # - matchName: gitlab.com
+    # - matchName: api.github.com
  endpointSelector:
    matchLabels: {}
@@ -24,7 +24,7 @@ spec:
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: staging-archmeister
+  name: {{ $name }}-archmaester
  namespace: {{ .Release.Namespace }}
  annotations:
    linkerd.io/inject: disabled
@@ -54,7 +54,7 @@ spec:
  externalClusters:
  - name: prod-archmeister
    connectionParameters:
-      host: prod-archmeister-rw.atlantis.svc
+      host: prod-archmeister-rw.atlantis
      user: streaming_replica
      sslmode: verify-full
    sslKey:
@@ -1,14 +0,0 @@
-apiVersion: jaegertracing.io/v1
-kind: Jaeger
-metadata:
-  name: jaeger
-  namespace: {{ .Release.Namespace }}
-spec:
-  strategy: allInOne
-  ingress:
-    enabled: false
-  allInOne:
-    image: jaegertracing/all-in-one:1.22
-    options:
-      query:
-        base-path: /jaeger
@@ -1,49 +0,0 @@
-{{- $fullname := include "vCluster.fullname" . -}}
-{{- $name := include "vCluster.releaseName" . -}}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  annotations:
-    kyverno.io/kyverno-version: 1.7.0
-    policies.kyverno.io/description:  Allow egress to vcluster kube-apiserver
-    policies.kyverno.io/minversion: 1.7.0
-    policies.kyverno.io/subject: Namespace, NetworkPolicy
-    policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
-  name: allow-{{ $name }}-vcluster-apiserver
-  namespace: {{ .Release.Namespace }}
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: allow-{{ $name }}-vcluster-apiserver
-    generate:
-      apiVersion: cilium.io/v2
-      kind: CiliumNetworkPolicy
-      name: allow-{{ $name }}-vcluster-apiserver-access
-      namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
-      synchronize: true
-      data:
-        spec:
-          description: Allow egress to vcluster kube-apiserver
-          egress:
-          - toEndpoints:
-            - matchLabels:
-               app: vcluster
-            toPorts:
-            - ports:
-              - port: "443"
-                protocol: TCP
-          endpointSelector: {}
-    match:
-      any:
-      - resources:
-          kinds:
-          - Namespace
-          names:
-          - {{ $fullname }}
-      - resources:
-          kinds:
-          - Namespace
-          selector:
-            matchLabels:
-              vcluster.loft.sh/vcluster-name: {{ $fullname }}
@@ -1,66 +0,0 @@
-{{- $name := include "vCluster.releaseName" . -}}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: "sync-{{ $name }}-vcluster-secrets"
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: sync-rabbitmq-secrets
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: staging-rabbitmq
-      namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
-      synchronize: false
-      clone:
-        namespace: rabbitmq
-        name: staging-rabbitmq
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-          - "vcluster-009dba7e-*"
-        selector:
-          matchLabels:
-            vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
-  - name: sync-redis-secrets
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: staging-redis
-      namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
-      synchronize: false
-      clone:
-        namespace: redis
-        name: staging-redis
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-          - "vcluster-009dba7e-*"
-        selector:
-          matchLabels:
-            vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
-  - name: sync-archmeister-app-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: staging-archmeister-app
-      namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
-      synchronize: false
-      clone:
-        namespace: '{{ .Release.Namespace }}'
-        name: staging-archmeister-superuser
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-          - "vcluster-009dba7e-*"
-        selector:
-          matchLabels:
-            vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
@@ -11,16 +11,3 @@ subjects:
 - kind: ServiceAccount
  namespace: {{ $fullname }}
  name: {{ $fullname }}
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: vcluster-jaegers
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: vcluster-jaegers
-subjects:
- kind: ServiceAccount
-  namespace: {{ $fullname }}
-  name: {{ $fullname }}
@@ -16,7 +16,7 @@ spec:
    namespace: {{ .Release.Namespace }}
  source:
    repoURL: https://charts.loft.sh
-    targetRevision: 0.19.5
+    targetRevision: 0.20.1
    chart: vcluster
    helm:
      values: |-
@@ -63,14 +63,14 @@ spec:

          mapServices:
            fromHost:
-            - from: "redis/{{ .Values.environment }}-redis-master"
-              to: "redis/{{ .Values.environment }}-redis-master"
            - from: "rabbitmq/{{ .Values.environment }}-rabbitmq"
              to: "rabbitmq/{{ .Values.environment }}-rabbitmq"
-            - from: "{{ .Release.Namespace }}/staging-archmeister-rw"
-              to: "atlantis/staging-archmeister-rw"
-            - from: "{{ .Release.Namespace }}/jaeger-collector"
-              to: "atlantis/jaeger-collector"
+            - from: "{{ .Release.Namespace }}/{{ $name  }}-archmaester-rw"
+              to: "atlantis/{{ $name }}-archmaester-rw"
+            - from: "idp/{{ .Values.environment }}-openfga"
+              to: "idp/{{ .Values.environment }}-openfga"
+            - from: "otel/opentelemetry-collector"
+              to: "otel/opentelemetry-collector"
            - from: "idp/{{ .Values.environment }}-cerbos"
              to: "idp/{{ .Values.environment }}-cerbos"
          sync:
@@ -94,31 +94,14 @@ spec:
                  - apiGroups: [ "cilium.io" ]
                    resources: [ "ciliumnetworkpolicies" ]
                    verbs: [ "get", "list", "watch", "create", "patch" ]
-                  # - apiGroups: [ "jaegertracing.io" ]
-                  #   resources: [ "jaegers" ]
-                  #   verbs: [ "get", "list", "watch", "create", "patch" ]
              config: |-
                version: v1beta1
                import:
-                - kind: Cluster
-                  apiVersion: postgresql.cnpg.io/v1
                - kind: Secret
                  apiVersion: v1
-                # - kind: Component
-                #   apiVersion: dapr.io/v1alpha1
-                # - kind: Configuration
-                #   apiVersion: dapr.io/v1alpha1
-                # - kind: Subscription
-                #   apiVersion: dapr.io/v1alpha1
-                # - kind: Jaeger
-                #   apiVersion: jaegertracing.io/v1
-                # - kind: CiliumNetworkPolicy
-                #   apiVersion: cilium.io/v2
                export:
-                - kind: CiliumNetworkPolicy
-                  apiVersion: cilium.io/v2
-                # - kind: Jaeger
-                #   apiVersion: jaegertracing.io/v1
+                - kind: Cluster
+                  apiVersion: postgresql.cnpg.io/v1
          init:
            manifests: |-
              ---
@@ -161,6 +144,13 @@ spec:
                annotations:
                  kubernetes.io/service-account.name: admin
              type: kubernetes.io/service-account-token
+              ---
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                labels:
+                  kubernetes.io/metadata.name: atlantis
+                name: atlantis

            # The contents of manifests-template will be templated using helm
            # this allows you to use helm values inside, e.g.: {{ .Release.Name }}
@@ -172,7 +162,7 @@ spec:
            helm:
              - chart:
                  name: dapr
-                  version: 1.13.3
+                  version: 1.14.0
                  repo: https://dapr.github.io/helm-charts/
                release:
                  name: dapr
@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: yolo-dl
+  name: yolo-dl
+  namespace: oceanbox
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: yolo-dl
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: yolo-dl
+    spec:
+      containers:
+      - command:
+        - /bin/sh
+        - -c
+        - httpd -p 8000 -f
+        image: busybox:latest
+        imagePullPolicy: IfNotPresent
+        name: yolo-dl
+        ports:
+        - containerPort: 8000
+          protocol: TCP
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /data
+          name: data
+        workingDir: /data
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: yolo-dl-data
+
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: pv-prod-ceph-archives
+  name: pv-yolo-dl
 spec:
  accessModes:
  - ReadWriteMany
@@ -16,22 +16,7 @@ spec:
      fsName: data
      clusterID: rook-ceph
      staticVolume: "true"
-      rootPath: /archives
-    volumeHandle: pv-prod-ceph-archives
+      rootPath: /ssd/dl
+    volumeHandle: pv-yolo-dl
  persistentVolumeReclaimPolicy: Retain
  volumeMode: Filesystem
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: prod-ceph-archives
-  namespace: sorcerer
-spec:
-  accessModes:
-  - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-  storageClassName: ""
-  volumeMode: Filesystem
-  volumeName: pv-prod-ceph-archives
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: yolo-dl-data
+  namespace: oceanbox
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: ""
+  volumeMode: Filesystem
+  volumeName: pv-yolo-dl
@@ -0,0 +1,33 @@
+let
+  sources = import ./nix;
+  system = builtins.currentSystem;
+  pkgs = import sources.nixpkgs {
+    inherit system;
+    config = { };
+    overlays = [ ];
+  };
+  nixpkgs = sources.nixpkgs;
+  nixhelm = sources.nixhelm;
+  nixidy = import sources.nixidy { inherit nixpkgs; };
+  kube = pkgs.callPackage "${sources.nix-kube-gen}/lib/default.nix" { inherit pkgs; };
+in
+nixidy.lib.mkEnvs {
+  libOverlay = self: super: {
+    apps = import ./modules/lib.nix { inherit pkgs kube; };
+  };
+  modules = [
+    (
+      { lib, ... }:
+      {
+        nixidy.charts = lib.helm.mkChartAttrs "${nixhelm}/charts";
+      }
+    )
+    ./modules
+    ./apps
+    ./policies
+  ];
+  envs = {
+    prod.modules = [ ./envs/prod.nix ];
+    staging.modules = [ ./envs/staging.nix ];
+  };
+}
@@ -0,0 +1,13 @@
+_:
+{
+  config = {
+    apps = {
+      env = "prod";
+      autoSync = false;
+      prune = false;
+
+      atlantis.enable = true;
+      openfga.enable = true;
+    };
+  };
+}
@@ -0,0 +1,17 @@
+_:
+{
+  config = {
+    apps = {
+      env = "staging";
+      autoSync = true;
+      prune = true;
+
+      atlantis = {
+        enable = true;
+        autoSync = true;
+        prune = false;
+      };
+      openfga.enable = true;
+    };
+  };
+}
@@ -0,0 +1,666 @@
+{
+  "nodes": {
+    "cargo2nix": {
+      "inputs": {
+        "flake-compat": "flake-compat_3",
+        "flake-utils": "flake-utils_5",
+        "nixpkgs": "nixpkgs_3",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1699033427,
+        "narHash": "sha256-OVtd5IPbb4NvHibN+QvMrMxq7aZN5GFoINZSAXKjUdA=",
+        "owner": "cargo2nix",
+        "repo": "cargo2nix",
+        "rev": "c6f33051f412352f293e738cc8da6fd4c457080f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cargo2nix",
+        "ref": "release-0.11.0",
+        "repo": "cargo2nix",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_3": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "id": "flake-utils",
+        "type": "indirect"
+      }
+    },
+    "flake-utils_3": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_5": {
+      "inputs": {
+        "systems": "systems_7"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "pre-commit-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "haumea": {
+      "inputs": {
+        "nixpkgs": [
+          "nixhelm",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1685133229,
+        "narHash": "sha256-FePm/Gi9PBSNwiDFq3N+DWdfxFq0UKsVVTJS3cQPn94=",
+        "owner": "nix-community",
+        "repo": "haumea",
+        "rev": "34dd58385092a23018748b50f9b23de6266dffc2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v0.2.2",
+        "repo": "haumea",
+        "type": "github"
+      }
+    },
+    "kubenix": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixidy",
+          "nixpkgs"
+        ],
+        "systems": "systems_6",
+        "treefmt": "treefmt"
+      },
+      "locked": {
+        "lastModified": 1718110643,
+        "narHash": "sha256-KrEOCx/bpN++sySOEL5EO5AhYsqRZZk+CXacueUeSl4=",
+        "owner": "hall",
+        "repo": "kubenix",
+        "rev": "a04066c45526c6d8410ba998134f692ff991b4f3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hall",
+        "repo": "kubenix",
+        "type": "github"
+      }
+    },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "nixhelm",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703863825,
+        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
+    "nix-kube-generators": {
+      "locked": {
+        "lastModified": 1708155396,
+        "narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
+        "owner": "farcaller",
+        "repo": "nix-kube-generators",
+        "rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
+        "type": "github"
+      },
+      "original": {
+        "owner": "farcaller",
+        "repo": "nix-kube-generators",
+        "type": "github"
+      }
+    },
+    "nix-kube-generators_2": {
+      "locked": {
+        "lastModified": 1708155396,
+        "narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
+        "owner": "farcaller",
+        "repo": "nix-kube-generators",
+        "rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
+        "type": "github"
+      },
+      "original": {
+        "owner": "farcaller",
+        "repo": "nix-kube-generators",
+        "type": "github"
+      }
+    },
+    "nix-kube-generators_3": {
+      "locked": {
+        "lastModified": 1708155396,
+        "narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
+        "owner": "farcaller",
+        "repo": "nix-kube-generators",
+        "rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
+        "type": "github"
+      },
+      "original": {
+        "owner": "farcaller",
+        "repo": "nix-kube-generators",
+        "type": "github"
+      }
+    },
+    "nixhelm": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "haumea": "haumea",
+        "nix-kube-generators": "nix-kube-generators_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "poetry2nix": "poetry2nix"
+      },
+      "locked": {
+        "lastModified": 1728868745,
+        "narHash": "sha256-ZuaxkAtUL1visOmVMxgHk3j+H8/bMmm82tJfE1s35VY=",
+        "owner": "farcaller",
+        "repo": "nixhelm",
+        "rev": "f901d2ba3ce1bd0086d50efdcce3cc76bce04d80",
+        "type": "github"
+      },
+      "original": {
+        "owner": "farcaller",
+        "repo": "nixhelm",
+        "type": "github"
+      }
+    },
+    "nixidy": {
+      "inputs": {
+        "flake-utils": "flake-utils_4",
+        "kubenix": "kubenix",
+        "nix-kube-generators": "nix-kube-generators_3",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1728815994,
+        "narHash": "sha256-uF6HAoDMAX0cZbKH27k/0UpIteQMhyLkP1rYKUfj5ys=",
+        "owner": "arnarg",
+        "repo": "nixidy",
+        "rev": "6e20193c95a0aaca444289d7c69f4eb329d25234",
+        "type": "github"
+      },
+      "original": {
+        "owner": "arnarg",
+        "ref": "HEAD",
+        "repo": "nixidy",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1702151865,
+        "narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1720386169,
+        "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1728492678,
+        "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1697382362,
+        "narHash": "sha256-PvFjWFmSYOF6TjNZ/WjOeqa+sgaWm+83Fz37vEuATHA=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "ad9a253a0d34f313707f9c25fb8c95c65b1c8882",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "release-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "poetry2nix": {
+      "inputs": {
+        "flake-utils": "flake-utils_3",
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "nixhelm",
+          "nixpkgs"
+        ],
+        "systems": "systems_4",
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1718285706,
+        "narHash": "sha256-DScsBM+kZvxOva7QegfdtleebMXh30XPxDQr/1IGKYo=",
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "rev": "a5be1bbbe0af0266147a88e0ec43b18c722f2bb9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1728778939,
+        "narHash": "sha256-WybK5E3hpGxtCYtBwpRj1E9JoiVxe+8kX83snTNaFHE=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "ff68f91754be6f3427e4986d7949e6273659be1d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nix-kube-generators": "nix-kube-generators",
+        "nixhelm": "nixhelm",
+        "nixidy": "nixidy",
+        "nixpkgs": "nixpkgs_2",
+        "pre-commit-hooks": "pre-commit-hooks",
+        "yaml2nix": "yaml2nix"
+      }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "flake-utils": [
+          "yaml2nix",
+          "cargo2nix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "yaml2nix",
+          "cargo2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1697336027,
+        "narHash": "sha256-ctmmw7j4liyfSh63v9rdFZeIoNYCkCvgqvtEOB7KhX8=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "e494404d36a41247987eeb1bfc2f1ca903e97764",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "id": "systems",
+        "type": "indirect"
+      }
+    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_6": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "id": "systems",
+        "type": "indirect"
+      }
+    },
+    "systems_7": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "treefmt": {
+      "inputs": {
+        "nixpkgs": [
+          "nixidy",
+          "kubenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1688026376,
+        "narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixhelm",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717850719,
+        "narHash": "sha256-npYqVg+Wk4oxnWrnVG7416fpfrlRhp/lQ6wQ4DHI8YE=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "4fc1c45a5f50169f9f29f6a98a438fb910b834ed",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "yaml2nix": {
+      "inputs": {
+        "cargo2nix": "cargo2nix",
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1726132715,
+        "narHash": "sha256-DkHWWpvBco2yodyOk40LjTNcoaJ1bFKf0JY9OwWgy5M=",
+        "owner": "euank",
+        "repo": "yaml2nix",
+        "rev": "3a6df359da40ee49cb9ed597c2400342b76f2083",
+        "type": "github"
+      },
+      "original": {
+        "owner": "euank",
+        "repo": "yaml2nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
@@ -0,0 +1,148 @@
+{
+  description = "My ArgoCD configuration with nixidy.";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+
+    nixidy = {
+      url = "github:juselius/nixidy?ref=HEAD";
+      # url = "github:juselius/nixidy?ref=special-args";
+      # url = "/home/jonas/src/OceanBox/nixidy";
+      # inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nixhelm = {
+      url = "github:farcaller/nixhelm";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    pre-commit-hooks = {
+      url = "github:cachix/pre-commit-hooks.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nix-kube-generators.url = "github:farcaller/nix-kube-generators";
+
+    yaml2nix = {
+      url = "github:euank/yaml2nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-utils.follows = "flake-utils";
+    };
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      flake-utils,
+      nixidy,
+      nixhelm,
+      yaml2nix,
+      pre-commit-hooks,
+      nix-kube-generators,
+    }:
+    (flake-utils.lib.eachDefaultSystem (
+      system:
+      let
+        pkgs = import nixpkgs { inherit system; };
+        kube = nix-kube-generators.lib { inherit pkgs; };
+        lib = {
+          apps = import ./modules/lib.nix { inherit pkgs kube;};
+        };
+      in
+      {
+        nixidyEnvs = nixidy.lib.mkEnvs {
+            inherit pkgs;
+            extraSpecialArgs = { inherit lib; };
+            charts = nixhelm.chartsDerivations.${system};
+            modules = [
+              ./modules
+              ./apps
+              ./policies
+            ];
+            envs = {
+              prod.modules = [ ./envs/prod.nix ];
+              staging.modules = [ ./envs/staging.nix ];
+            };
+          };
+
+        checks = {
+          pre-commit-check = pre-commit-hooks.lib.${system}.run {
+            src = ./.;
+            hooks = {
+              nixfmt-rfc-style.enable = false;
+              deadnix.enable = false;
+              statix.enable = false;
+            };
+          };
+        };
+
+        packages = {
+          nixidy = nixidy.packages.${system}.default;
+          generators = {
+            cilium = nixidy.packages.${system}.generators.fromCRD {
+              name = "cilium";
+              src = pkgs.fetchFromGitHub {
+                owner = "cilium";
+                repo = "cilium";
+                rev = "v1.16.0";
+                hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
+              };
+              crds = [
+                "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
+                "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
+              ];
+            };
+
+            kyverno = nixidy.packages.${system}.generators.fromCRD {
+              name = "kyverno";
+              src = pkgs.fetchFromGitHub {
+                owner = "kyverno";
+                repo = "kyverno";
+                rev = "v1.12.6";
+                hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
+              };
+              crds = [
+                "config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
+                "config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
+                "config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
+                "config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
+                "config/crds/kyverno/kyverno.io_policies.yaml"
+                "config/crds/kyverno/kyverno.io_policyexceptions.yaml"
+                "config/crds/kyverno/kyverno.io_updaterequests.yaml"
+              ];
+            };
+          };
+        };
+
+        apps = {
+          gen-crd = {
+            type = "app";
+            program =
+              (pkgs.writeShellScript "generate-modules" ''
+                set -eo pipefail
+                echo "generate cilium"
+                cat ${self.packages.${system}.generators.cilium} > modules/cilium-crd.nix
+                echo "generate kyverno"
+                cat ${self.packages.${system}.generators.kyverno} > modules/kyverno-crd.nix
+              '').outPath;
+          };
+        };
+
+        devShells.default = pkgs.mkShellNoCC {
+          inherit (self.checks.${system}.pre-commit-check) shellHook;
+          nativeBuildInputs = with pkgs; [
+            self.checks.${system}.pre-commit-check.enabledPackages
+            nixidy.packages.${system}.default
+            yaml2nix.packages.${system}.default
+            nixd
+            nixfmt-rfc-style
+            just
+            fzf
+          ];
+          NIXD_FLAGS = "--inlay-hints";
+        };
+      }
+    ));
+}
@@ -0,0 +1,44 @@
+let
+  sources = import ./nix;
+  system = builtins.currentSystem;
+  pkgs = import sources.nixpkgs {
+    inherit system;
+    config = { };
+    overlays = [ ];
+  };
+  nixpkgs = sources.nixpkgs;
+  nixidy = import sources.nixidy { inherit nixpkgs; };
+in
+{
+  cilium = nixidy.generators.fromCRD {
+    name = "cilium";
+    src = pkgs.fetchFromGitHub {
+      owner = "cilium";
+      repo = "cilium";
+      rev = "v1.16.0";
+      hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
+    };
+    crds = [
+      "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
+      "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
+    ];
+  };
+  kyverno = nixidy.generators.fromCRD {
+    name = "kyverno";
+    src = pkgs.fetchFromGitHub {
+      owner = "kyverno";
+      repo = "kyverno";
+      rev = "v1.12.6";
+      hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
+    };
+    crds = [
+      "config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
+      "config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
+      "config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
+      "config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
+      "config/crds/kyverno/kyverno.io_policies.yaml"
+      "config/crds/kyverno/kyverno.io_policyexceptions.yaml"
+      "config/crds/kyverno/kyverno.io_updaterequests.yaml"
+    ];
+  };
+}
--- a/Show More
+++ b/Show More