feat: total revamp of homelab configuration

fix: Postgres | finally get backups and restores properly up and running
feat: Minecraft | add ATM10 and enable backups
2025-11-15 13:22:49 +05:00 · 2025-11-15 13:22:37 +05:00 · 2025-11-15 13:22:23 +05:00 · 2025-11-15 13:22:02 +05:00 · 2025-11-15 13:21:44 +05:00 · 2025-11-15 13:21:18 +05:00
27 changed files with 856 additions and 502 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -18,49 +18,13 @@
        "type": "github"
      }
    },
-    "flake-utils_2": {
-      "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "krew2nix": {
-      "inputs": {
-        "flake-utils": "flake-utils_2",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1716272275,
-        "narHash": "sha256-JWDyPhAJp263EVVsGrKwrJU+xdDReHsDmSe7A190/Cg=",
-        "owner": "eigengrau",
-        "repo": "krew2nix",
-        "rev": "0c1fecaab044dba1249c5d09366891ec467b4ad2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "eigengrau",
-        "repo": "krew2nix",
-        "type": "github"
-      }
-    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1761236834,
-        "narHash": "sha256-+pthv6hrL5VLW2UqPdISGuLiUZ6SnAXdd2DdUE+fV2Q=",
+        "lastModified": 1762943920,
+        "narHash": "sha256-ITeH8GBpQTw9457ICZBddQEBjlXMmilML067q0e6vqY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d5faa84122bc0a1fd5d378492efce4e289f8eac1",
+        "rev": "91c9a64ce2a84e648d0cf9671274bb9c2fb9ba60",
        "type": "github"
      },
      "original": {
@@ -73,7 +37,6 @@
    "root": {
      "inputs": {
        "flake-utils": "flake-utils",
-        "krew2nix": "krew2nix",
        "nixpkgs": "nixpkgs"
      }
    },
--- a/flake.nix
+++ b/flake.nix
@@ -4,14 +4,9 @@
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    flake-utils.url = "github:numtide/flake-utils";
-
-    krew2nix = {
-      url = "github:eigengrau/krew2nix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
  };

-  outputs = { nixpkgs, flake-utils, krew2nix, ... }: flake-utils.lib.eachDefaultSystem (system:
+  outputs = { nixpkgs, flake-utils, ... }: flake-utils.lib.eachDefaultSystem (system:
    let
      lib = nixpkgs.lib;

@@ -24,16 +19,12 @@
          ];
        };
      };
-
-      kubectl = krew2nix.packages.${system}.kubectl;
    in {
      # Define the devShell for the current system
      devShell = pkgs.mkShell {
        buildInputs = with pkgs; [
          kubernetes-helm
-          (kubectl.withKrewPlugins (plugins: with plugins; [
-            cnpg
-          ]))
+          kubectl-cnpg
          nil
          terraform
          tflint
--- a/helm/values/gitea.values.yaml
+++ b/helm/values/gitea.values.yaml
@@ -1,5 +1,5 @@
 global:
-  storageClass: longhorn-crypto
+  storageClass: longhorn
 image:
  rootless: false
 service:
--- a/helm/values/longhorn.values.yaml
+++ b/helm/values/longhorn.values.yaml
@@ -1,13 +1,20 @@
+global:
+  nodeSelector:
+    nodepool: worker
 defaultSettings:
-  defaultReplicaCount: 3
-  storageOverProvisioningPercentage: 100
+  defaultReplicaCount: "3"
+  storageOverProvisioningPercentage: "100"
  backupCompressionMethod: "gzip"
+  replicaSoftAntiAffinity: "true"
+  concurrentReplicaRebuildPerNodeLimit: "1"
+  replicaReplenishmentWaitInterval: "600"
+  disableSchdedulingOnCordonedNode: "true"
 defaultBackupStore:
-  backupTarget: "s3://homelab@auto/longhorn"
+  backupTarget: "s3://longhorn-backups@auto"
  backupTargetCredentialSecret: cloudflare-token
 metrics:
  serviceMonitor:
-    enabled: true
+    enabled: false
 ingress:
  enabled: true
  ingressClassName: nginx-internal
--- a/helm/values/nginx-internal.values.yaml
+++ b/helm/values/nginx-internal.values.yaml
@@ -1,4 +1,7 @@
 controller:
+  replicaCount: 3
+  nodeSelector:
+    nodepool: worker
  ingressClassResource:
    name: nginx-internal
    enabled: true
@@ -9,8 +12,31 @@ controller:
  service:
    annotations:
      external-dns.alpha.kubernetes.io/hostname: "dogar.dev"
+  extraVolumes:
+    - name: nix-cache
+      persistentVolumeClaim:
+        claimName: nix-cache
+  extraVolumeMounts:
+    - name: nix-cache
+      mountPath: /var/cache/nginx/nix
+  podSecurityContext:
+    fsGroup: 101
+  config:
+    proxy-buffering: "on"
+    proxy-ssl-server-name: "true"
+    http-snippet: |
+      # Persistent on-disk cache; lives on the PVC
+      proxy_cache_path /var/cache/nginx/nix levels=1:2 keys_zone=cachecache:32m max_size=120g inactive=365d use_temp_path=off;
+
+      # Only advertise cacheability for 200/302
+      map $status $cache_header {
+        200     "public";
+        302     "public";
+        default "no-cache";
+      }
 tcp:
  22:       "homelab/gitea-ssh:22"
  25565:    "minecraft/monifactory-server:25565"
  25566:    "minecraft/gtnh-server:25565"
  25567:    "minecraft/tfg-server:25565"
+  25568:    "minecraft/atm10-server:25565"
--- a/kustomize/kustomization.yaml
+++ b/kustomize/kustomization.yaml
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-commonLabels:
-  app.kubernetes.io/managed-by: Kustomize
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: Kustomize
 resources:
  - ./metallb/pool.yaml
--- a/kustomize/metallb/pool.yaml
+++ b/kustomize/metallb/pool.yaml
@@ -3,7 +3,7 @@ apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
  name: pool
-  namespace: homelab
+  namespace: metallb-system
 spec:
  addresses:
    - 192.168.18.192/26
@@ -12,7 +12,7 @@ apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
 metadata:
  name: pool
-  namespace: homelab
+  namespace: metallb-system
 spec:
  ipAddressPools:
    - pool
--- a/longhorn/index.ts
+++ b/longhorn/index.ts
@@ -11,7 +11,6 @@ type LonghornOptions = {
    helm: HelmProvider;
  };
  name: string;
-  namespace: string;
 };

 export class Longhorn extends Construct {
@@ -19,15 +18,15 @@ export class Longhorn extends Construct {
    super(scope, id);

    const { helm, kubernetes } = options.providers;
+    const namespace = "longhorn-system";

    new Release(this, id, {
      name: options.name,
-      namespace: options.namespace,
+      namespace,
      provider: helm,
      repository: "https://charts.longhorn.io",
      chart: "longhorn",
      createNamespace: true,
-      upgradeInstall: true,
      values: [
        fs.readFileSync("helm/values/longhorn.values.yaml", {
          encoding: "utf8",
@@ -38,44 +37,19 @@ export class Longhorn extends Construct {
    new Manifest(this, "recurring-backup-job", {
      provider: kubernetes,
      manifest: {
-        apiVersion: "longhorn.io/v1beta1",
+        apiVersion: "longhorn.io/v1beta2",
        kind: "RecurringJob",
        metadata: {
          name: "daily-backup",
-          namespace: options.namespace,
+          namespace,
        },
        spec: {
          cron: "0 0 * * *",
          task: "backup",
-          retain: 30,
-          groups: ["default"],
+          retain: 7,
          concurrency: 3,
        },
      },
    });
-
-    new Manifest(this, "longhorn-crypto-storage-class", {
-      provider: kubernetes,
-      manifest: {
-        kind: "StorageClass",
-        apiVersion: "storage.k8s.io/v1",
-        metadata: {
-          name: "longhorn-crypto",
-        },
-        provisioner: "driver.longhorn.io",
-        allowVolumeExpansion: true,
-        parameters: {
-          numberOfReplicas: "3",
-          staleReplicaTimeout: "2880", // 48 hours in minutes
-          encrypted: "true",
-          "csi.storage.k8s.io/provisioner-secret-name": "longhorn-encryption",
-          "csi.storage.k8s.io/provisioner-secret-namespace": options.namespace,
-          "csi.storage.k8s.io/node-publish-secret-name": "longhorn-encryption",
-          "csi.storage.k8s.io/node-publish-secret-namespace": options.namespace,
-          "csi.storage.k8s.io/node-stage-secret-name": "longhorn-encryption",
-          "csi.storage.k8s.io/node-stage-secret-namespace": options.namespace,
-        },
-      },
-    });
  }
 }
--- a/main.ts
+++ b/main.ts
@@ -1,9 +1,10 @@
 import * as dotenv from "dotenv";
 import { cleanEnv, str } from "envalid";
 import { Construct } from "constructs";
-import { App, TerraformStack, S3Backend } from "cdktf";
+import { App, TerraformStack, LocalBackend } from "cdktf";
 import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
 import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";

 import { GiteaServer } from "./gitea";
 import { OnePassword } from "./1password";
@@ -12,7 +13,6 @@ import { Longhorn } from "./longhorn";
 import { AuthentikServer } from "./authentik";
 import { ValkeyCluster } from "./valkey";
 import { CertManager } from "./cert-manager";
-import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
 import { Nginx } from "./nginx";
 import { Prometheus } from "./prometheus";
 import { MetalLB } from "./metallb";
@@ -45,15 +45,10 @@ class Homelab extends TerraformStack {

    const namespace = "homelab";

-    const ns = new Manifest(this, "namespace", {
+    new NamespaceV1(this, "namespace", {
      provider: kubernetes,
-      manifest: {
-        kind: "Namespace",
-        apiVersion: "v1",
-        metadata: {
-          name: namespace,
-        },
-        spec: {},
+      metadata: {
+        name: namespace,
      },
    });

@@ -65,12 +60,10 @@ class Homelab extends TerraformStack {
      },
    });

-    longhorn.node.addDependency(ns);
-
    new MetalLB(this, "metallb", {
      provider: helm,
      name: "metallb",
-      namespace,
+      namespace: "metallb-system",
    });

    new OnePassword(this, "one-password", {
@@ -121,7 +114,6 @@ class Homelab extends TerraformStack {
        kubernetes,
        helm,
      },
-      storageClass: "longhorn-crypto",
      users: ["shahab", "budget-tracker", "authentik", "gitea"],
      primaryUser: "shahab",
      initSecretName: "postgres-password",
@@ -156,21 +148,9 @@ class Homelab extends TerraformStack {
 const app = new App();
 const stack = new Homelab(app, "homelab");

-new S3Backend(stack, {
-  encrypt: true,
-  bucket: env.BUCKET,
-  key: "terraform.tfstate",
-  region: "auto",
-  skipCredentialsValidation: true,
-  skipMetadataApiCheck: true,
-  skipRegionValidation: true,
-  skipRequestingAccountId: true,
-  skipS3Checksum: true,
-  accessKey: env.R2_ACCESS_KEY_ID,
-  secretKey: env.R2_SECRET_ACCESS_KEY,
-  endpoints: {
-    s3: `${r2Endpoint}/${env.BUCKET}`,
-  },
+new LocalBackend(stack, {
+  path: "terraform.tfstate",
+  workspaceDir: ".",
 });

 app.synth();
--- a/media/deployment.yaml
+++ b/media/deployment.yaml
@@ -0,0 +1,231 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: server
+  namespace: media
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: server
+  template:
+    metadata:
+      labels:
+        app: server
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: aamil-3
+      containers:
+        - name: server
+          image: jellyfin/jellyfin:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8096
+              name: http
+          env:
+            - name: TZ
+              value: "Asia/Karachi"
+          volumeMounts:
+            - name: config
+              mountPath: /config
+            - name: cache
+              mountPath: /cache
+            - name: media
+              mountPath: /media
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: jellyfin-config
+        - name: cache
+          emptyDir: {}
+        - name: media
+          persistentVolumeClaim:
+            claimName: media
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sonarr
+  namespace: media
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sonarr
+  template:
+    metadata:
+      labels:
+        app: sonarr
+    spec: 
+      nodeSelector:
+        kubernetes.io/hostname: aamil-3
+      containers:
+        - name: sonarr
+          image: lscr.io/linuxserver/sonarr:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8989
+              name: http
+          env:
+            - name: TZ
+              value: "Asia/Karachi"
+            - name: PUID
+              value: "1000"
+            - name: PGID
+              value: "1000"
+          volumeMounts:
+            - name: config
+              mountPath: /config
+            - name: media
+              mountPath: /media
+            - name: downloads
+              mountPath: /downloads       
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: sonarr-config
+        - name: media
+          persistentVolumeClaim:
+            claimName: media
+        - name: downloads
+          persistentVolumeClaim:
+            claimName: downloads
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: qbittorrent
+  namespace: media
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: qbittorrent
+  template:
+    metadata:
+      labels:
+        app: qbittorrent
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: aamil-3
+      containers:
+        - name: qbittorrent
+          image: lscr.io/linuxserver/qbittorrent:latest
+          ports:
+            - containerPort: 8080   # web UI
+              name: http
+            - containerPort: 6881
+              name: bt
+            - containerPort: 6881
+              protocol: UDP
+              name: bt-udp
+          env:
+            - name: TZ
+              value: "Asia/Karachi"
+            - name: PUID
+              value: "1000"
+            - name: PGID
+              value: "1000"
+            - name: WEBUI_PORT
+              value: "8080"
+          volumeMounts:
+            - name: config
+              mountPath: /config
+            - name: downloads
+              mountPath: /downloads
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: qbittorrent-config
+        - name: downloads
+          persistentVolumeClaim:
+            claimName: downloads
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: prowlarr
+  namespace: media
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: prowlarr
+  template:
+    metadata:
+      labels:
+        app: prowlarr
+    spec:
+      nodeSelector:
+        nodepool: worker
+      containers:
+        - name: prowlarr
+          image: lscr.io/linuxserver/prowlarr:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 9696
+              name: http
+          env:
+            - name: TZ
+              value: "Asia/Karachi"
+            - name: PUID
+              value: "1000"
+            - name: PGID
+              value: "1000"
+          volumeMounts:
+            - name: config
+              mountPath: /config
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: prowlarr-config
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: radarr
+  namespace: media
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: radarr
+  template:
+    metadata:
+      labels:
+        app: radarr
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: aamil-3
+      containers:
+        - name: radarr
+          image: lscr.io/linuxserver/radarr:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 7878
+              name: http
+          env:
+            - name: TZ
+              value: "Asia/Karachi"
+            - name: PUID
+              value: "1000"
+            - name: PGID
+              value: "1000"
+          volumeMounts:
+            - name: config
+              mountPath: /config
+            - name: media
+              mountPath: /media
+            - name: downloads
+              mountPath: /downloads
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: radarr-config
+        - name: media
+          persistentVolumeClaim:
+            claimName: media
+        - name: downloads
+          persistentVolumeClaim:
+            claimName: downloads
--- a/media/ingress.yaml
+++ b/media/ingress.yaml
@@ -0,0 +1,76 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: server
+  namespace: media
+  annotations:
+    # cert-manager (Cloudflare DNS-01)
+    cert-manager.io/cluster-issuer: cloudflare-issuer
+    cert-manager.io/acme-challenge-type: dns01
+    cert-manager.io/private-key-size: "4096"
+
+    # Jellyfin / streaming friendly nginx settings
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    nginx.ingress.kubernetes.io/proxy-buffering: "off"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
+    nginx.ingress.kubernetes.io/use-proxy-protocol: "false"
+    nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
+spec:
+  ingressClassName: nginx-internal
+  tls:
+    - hosts:
+        - media.dogar.dev
+      secretName: media-tls
+    - hosts:
+        - sonarr.dogar.dev
+      secretName: sonarr-tls
+    - hosts:
+        - radarr.dogar.dev
+      secretName: radarr-tls
+    - hosts:
+        - torrent.dogar.dev
+      secretName: torrent-tls
+  rules:
+    - host: media.dogar.dev
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: server
+                port:
+                  number: 80
+    - host: sonarr.dogar.dev
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: sonarr
+                port:
+                  number: 80
+    - host: radarr.dogar.dev
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: radarr
+                port:
+                  number: 80
+    - host: torrent.dogar.dev
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: qbittorrent
+                port:
+                  number: 80
--- a/media/namespace.yaml
+++ b/media/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: media
--- a/media/pvc.yaml
+++ b/media/pvc.yaml
@@ -0,0 +1,106 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-config
+  namespace: media
+  labels:
+    recurring-job.longhorn.io/source: "enabled"
+    recurring-job.longhorn.io/backup: "enabled"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: media
+  namespace: media
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 512Gi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: sonarr-config
+  namespace: media
+  labels:
+    recurring-job.longhorn.io/source: "enabled"
+    recurring-job.longhorn.io/backup: "enabled"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 512Mi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: qbittorrent-config
+  namespace: media
+  labels:
+    recurring-job.longhorn.io/source: "enabled"
+    recurring-job.longhorn.io/backup: "enabled"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 512Mi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: downloads
+  namespace: media
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 450Gi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: prowlarr-config
+  namespace: media
+  labels:
+    recurring-job.longhorn.io/source: "enabled"
+    recurring-job.longhorn.io/backup: "enabled"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 512Mi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: radarr-config
+  namespace: media
+  labels:
+    recurring-job.longhorn.io/source: "enabled"
+    recurring-job.longhorn.io/backup: "enabled"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 512Mi
+  storageClassName: longhorn
--- a/media/service.yaml
+++ b/media/service.yaml
@@ -0,0 +1,69 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: server
+  namespace: media
+spec:
+  selector:
+    app: server
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8096
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: sonarr
+  namespace: media
+spec:
+  selector:
+    app: sonarr
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8989
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: qbittorrent
+  namespace: media
+spec:
+  selector:
+    app: qbittorrent
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: prowlarr
+  namespace: media
+spec:
+  selector:
+    app: prowlarr
+  ports:
+    - name: http
+      port: 80
+      targetPort: 9696
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: radarr
+  namespace: media
+spec:
+  selector:
+    app: radarr
+  ports:
+    - name: http
+      port: 80
+      targetPort: 7878
--- a/minecraft/pvc.yaml
+++ b/minecraft/pvc.yaml
@@ -5,7 +5,6 @@ metadata:
  name: monifactory-data
  namespace: minecraft
 spec:
-  storageClassName: longhorn-crypto
  accessModes:
    - ReadWriteMany
  resources:
@@ -18,7 +17,6 @@ metadata:
  name: gtnh-data
  namespace: minecraft
 spec:
-  storageClassName: longhorn-crypto
  accessModes:
    - ReadWriteMany
  resources:
@@ -31,7 +29,21 @@ metadata:
  name: tfg-data
  namespace: minecraft
 spec:
-  storageClassName: longhorn-crypto
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: atm10-data
+  namespace: minecraft
+  labels:
+    recurring-job.longhorn.io/source: "enabled"
+    recurring-job.longhorn.io/backup: "enabled"
+spec:
  accessModes:
    - ReadWriteMany
  resources:
--- a/minecraft/service.yaml
+++ b/minecraft/service.yaml
@@ -43,3 +43,18 @@ spec:
      port: 25565
  selector:
    app: tfg-server
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: atm10-server
+  namespace: minecraft
+  labels:
+    app: atm10-server
+spec:
+  type: ClusterIP
+  ports:
+    - name: atm10
+      port: 25565
+  selector:
+    app: atm10-server
--- a/minecraft/statefulset.yaml
+++ b/minecraft/statefulset.yaml
@@ -5,6 +5,7 @@ metadata:
  name: monifactory-server
  namespace: minecraft
 spec:
+  serviceName: monifactory-server
  selector:
    matchLabels:
      app: monifactory-server
@@ -13,6 +14,8 @@ spec:
      labels:
        app: monifactory-server
    spec:
+      nodeSelector:
+        nodepool: worker
      containers:
        - name: monifactory-server
          image: itzg/minecraft-server:java17
@@ -37,7 +40,7 @@ spec:
            - name: INIT_MEMORY
              value: 4G
            - name: MAX_MEMORY
-              value: 8G
+              value: 12G
            - name: ALLOW_FLIGHT
              value: "TRUE"
            - name: ENABLE_ROLLING_LOGS
@@ -53,7 +56,7 @@ spec:
              memory: "4Gi"
            limits:
              cpu: 8
-              memory: "8Gi"
+              memory: "12Gi"
          volumeMounts:
          - name: monifactory-data
            mountPath: /data
@@ -68,6 +71,7 @@ metadata:
  name: gtnh-server
  namespace: minecraft
 spec:
+  serviceName: gtnh-server
  selector:
    matchLabels:
      app: gtnh-server
@@ -76,6 +80,8 @@ spec:
      labels:
        app: gtnh-server
    spec:
+      nodeSelector:
+        nodepool: worker
      containers:
        - name: gtnh-server
          image: itzg/minecraft-server:java25
@@ -97,7 +103,7 @@ spec:
            - name: SKIP_GENERIC_PACK_UPDATE_CHECK
              value: "true"
            - name: MEMORY
-              value: 6G
+              value: 12G
            - name: JVM_OPTS
              value: "-Dfml.readTimeout=180 -Dfml.queryResult=confirm @java9args.txt"
            - name: CUSTOM_JAR_EXEC
@@ -112,7 +118,7 @@ spec:
          resources:
            limits:
              cpu: 8
-              memory: "8Gi"
+              memory: "12Gi"
          volumeMounts:
          - name: gtnh-data
            mountPath: /data
@@ -127,6 +133,7 @@ metadata:
  name: tfg-server
  namespace: minecraft
 spec:
+  serviceName: tfg-server
  selector:
    matchLabels:
      app: tfg-server
@@ -135,6 +142,8 @@ spec:
      labels:
        app: tfg-server
    spec:
+      nodeSelector:
+        nodepool: worker
      containers:
        - name: tfg-server
          image: itzg/minecraft-server:java17
@@ -159,7 +168,7 @@ spec:
            - name: INIT_MEMORY
              value: 2G
            - name: MAX_MEMORY
-              value: 8G
+              value: 12G
            - name: ALLOW_FLIGHT
              value: "TRUE"
            - name: ENABLE_ROLLING_LOGS
@@ -175,7 +184,7 @@ spec:
              memory: "2Gi"
            limits:
              cpu: 6
-              memory: "9Gi"
+              memory: "12Gi"
          volumeMounts:
          - name: tfg-data
            mountPath: /data
@@ -183,3 +192,71 @@ spec:
        - name: tfg-data
          persistentVolumeClaim:
            claimName: tfg-data
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: atm10-server
+  namespace: minecraft
+spec:
+  serviceName: atm10-server
+  selector:
+    matchLabels:
+      app: atm10-server
+  template:
+    metadata:
+      labels:
+        app: atm10-server
+    spec:
+      nodeSelector:
+        nodepool: worker
+      containers:
+        - name: atm10-server
+          image: itzg/minecraft-server:java21
+          env:
+            - name: EULA
+              value: "TRUE"
+            - name: MODE
+              value: "survival"
+            - name: MODPACK_PLATFORM
+              value: "AUTO_CURSEFORGE"
+            - name: CF_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: curseforge
+                  key: credential
+            - name: CF_PAGE_URL
+              value: "https://www.curseforge.com/minecraft/modpacks/all-the-mods-10/files/7121777"
+            - name: VERSION
+              value: "1.21.1"
+            - name: INIT_MEMORY
+              value: 2G
+            - name: MAX_MEMORY
+              value: 15G
+            - name: ALLOW_FLIGHT
+              value: "TRUE"
+            - name: ENABLE_ROLLING_LOGS
+              value: "TRUE"
+            - name: USE_MEOWICE_FLAGS
+              value: "TRUE"
+            - name: CF_OVERRIDES_EXCLUSIONS
+              value: |
+                # Not applicable for server side
+                shaderpacks/**
+          ports:
+            - name: minecraft
+              containerPort: 25565
+          resources:
+            requests:
+              cpu: 2
+              memory: "2Gi"
+            limits:
+              cpu: 6
+              memory: "16Gi"
+          volumeMounts:
+          - name: atm10-data
+            mountPath: /data
+      volumes:
+        - name: atm10-data
+          persistentVolumeClaim:
+            claimName: atm10-data
--- a/nginx/index.ts
+++ b/nginx/index.ts
@@ -3,6 +3,8 @@ import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
 import { Release } from "@cdktf/provider-helm/lib/release";
 import { Construct } from "constructs";

+import { NixCache } from "./nix-cache";
+
 type NginxOptions = {
  provider: HelmProvider;
  name: string;
@@ -24,5 +26,11 @@ export class Nginx extends Construct {
        }),
      ],
    });
+
+    new NixCache(this, "nix-cache", {
+      namespace: options.namespace,
+      host: "nix.dogar.dev",
+      ingressClassName: "nginx-internal",
+    });
  }
 }
--- a/nginx/nix-cache.ts
+++ b/nginx/nix-cache.ts
@@ -0,0 +1,105 @@
+import { Construct } from "constructs";
+import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
+import { IngressV1 } from "@cdktf/provider-kubernetes/lib/ingress-v1";
+import { PersistentVolumeClaimV1 } from "@cdktf/provider-kubernetes/lib/persistent-volume-claim-v1";
+
+export interface NixCacheProps {
+  namespace: string;
+  host: string;
+  ingressClassName?: string;
+  externalName?: string;
+}
+
+export class NixCache extends Construct {
+  constructor(scope: Construct, id: string, props: NixCacheProps) {
+    super(scope, id);
+
+    const {
+      namespace,
+      host,
+      ingressClassName: ingressClass = "nginx-internal",
+      externalName: upstreamHost = "cache.nixos.org",
+    } = props;
+
+    // 1) ExternalName Service -> cache.nixos.org
+    new ServiceV1(this, "nixcache-upstream-svc", {
+      metadata: {
+        name: "nixcache-upstream",
+        namespace,
+      },
+      spec: {
+        type: "ExternalName",
+        externalName: upstreamHost,
+      },
+    });
+
+    // 2) Ingress that targets the ExternalName Service over HTTPS:443
+    new IngressV1(this, "nixcache-ingress", {
+      metadata: {
+        name: "nix-cache",
+        namespace,
+        annotations: {
+          // Use the cache zone defined in controller.config.http-snippet
+          "nginx.ingress.kubernetes.io/proxy-cache": "cachecache",
+          "nginx.ingress.kubernetes.io/proxy-cache-valid": "200 302 60d",
+          "nginx.ingress.kubernetes.io/proxy-cache-lock": "true",
+          "nginx.ingress.kubernetes.io/proxy-buffering": "on",
+
+          // Upstream is HTTPS with SNI and a fixed Host header
+          "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
+          "nginx.ingress.kubernetes.io/proxy-ssl-server-name": "true",
+          "nginx.ingress.kubernetes.io/upstream-vhost": upstreamHost,
+
+          // Use cert-manager to provision TLS certs via Cloudflare
+          "cert-manager.io/cluster-issuer": "cloudflare-issuer",
+          "cert-manager.io/acme-challenge-type": "dns01",
+          "cert-manager.io/private-key-size": "4096",
+        },
+      },
+      spec: {
+        ingressClassName: ingressClass,
+        rule: [
+          {
+            host,
+            http: {
+              path: [
+                {
+                  path: "/",
+                  pathType: "Prefix",
+                  backend: {
+                    service: {
+                      name: "nixcache-upstream",
+                      port: { number: 443 },
+                    },
+                  },
+                },
+              ],
+            },
+          },
+        ],
+        tls: [
+          {
+            hosts: [host],
+            secretName: "nix-cache-tls",
+          },
+        ],
+      },
+    });
+
+    // 3) PersistentVolumeClaim for caching
+    new PersistentVolumeClaimV1(this, "nix-cache-pvc", {
+      metadata: {
+        name: "nix-cache",
+        namespace,
+      },
+      spec: {
+        accessModes: ["ReadWriteMany"],
+        resources: {
+          requests: {
+            storage: "128Gi",
+          },
+        },
+      },
+    });
+  }
+}
--- a/nixos/master/configuration.nix
+++ b/nixos/master/configuration.nix
@@ -1,145 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
-{ pkgs, meta, ... }:
-
-{
-  imports = [ ./hardware-configuration.nix ];
-
-  nix = {
-    settings = {
-      require-sigs = false;
-      experimental-features = [ "nix-command" "flakes" ];
-    };
-  };
-
-  # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = meta.hostname; # Define your hostname.
-  # Pick only one of the below networking options.
-  networking.networkmanager.enable = true;
-  networking.interfaces.enp1s0.ipv4.addresses = [
-    {
-      address = (
-        if meta.hostname == "homelab-0" then "192.168.18.10"
-        else if meta.hostname == "homelab-1" then "192.168.18.11"
-        else if meta.hostname == "homelab-2" then "192.168.18.12"
-        else throw "Unknown hostname"
-      );
-      prefixLength = 24;
-    }
-  ];
-  networking.defaultGateway = "192.168.18.1";
-  networking.nameservers = [
-    "192.168.18.250"
-    "1.1.1.1"
-  ];
-
-  # Set your time zone.
-  time.timeZone = "Asia/Karachi";
-
-  # Select internationalisation properties.
-  i18n.defaultLocale = "en_US.UTF-8";
-  console = {
-    font = "Lat2-Terminus16";
-    keyMap = "us";
-  };
-
-  # Fixes for longhorn
-  systemd.tmpfiles.rules = [
-    "L+ /usr/local/bin - - - - /run/current-system/sw/bin/"
-  ];
-  virtualisation.docker.logDriver = "json-file";
-
-  services.k3s = {
-    enable = true;
-    role = "server";
-    tokenFile = /var/lib/rancher/k3s/server/token;
-    extraFlags = toString ([
-	    "--write-kubeconfig-mode \"0644\""
-	    "--cluster-init"
-	    "--disable servicelb"
-	    "--disable traefik"
-	    "--disable local-storage"
-    ] ++ (if meta.hostname == "homelab-0" then [] else [
-	      "--server https://192.168.18.10:6443"
-    ]));
-    clusterInit = (meta.hostname == "homelab-0");
-  };
-
-  services.openiscsi = {
-    enable = true;
-    name = "iqn.2016-04.com.open-iscsi:${meta.hostname}";
-  };
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.shahab = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-    packages = with pkgs; [
-      tree
-      cloudflared
-    ];
-    # Created using mkpasswd
-    hashedPassword = "$6$.ZlYnf2cZph4tCbM$E/JJUDirRV8MZrgX4Rh.Pi1q95tev1ZxcKjPA1I.uURv56qoWcC39MJWO9S2T5MlkPVbSLGiM8Ihfz9mERImo/";
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGD/V4jLpuk7uAovkbHFr6uulfBKZmsH+BqmXIR2aYD0"
-    ];
-  };
-
-  security.sudo.extraRules = [
-    {
-      users = ["shahab"];
-      commands = [
-        { command = "ALL"; options = ["NOPASSWD"]; }
-      ];
-    }
-  ];
-
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
-  environment.systemPackages = with pkgs; [
-     neovim
-     k3s
-     cifs-utils
-     nfs-utils
-     git
-  ];
-
-  # List services that you want to enable:
-
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ 80 ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  networking.firewall.enable = false;
-
-  # Copy the NixOS configuration file and link it from the resulting system
-  # (/run/current-system/configuration.nix). This is useful in case you
-  # accidentally delete configuration.nix.
-  # system.copySystemConfiguration = true;
-
-  # This option defines the first version of NixOS you have installed on this particular machine,
-  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
-  #
-  # Most users should NEVER change this value after the initial install, for any reason,
-  # even if you've upgraded your system to a new NixOS release.
-  #
-  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
-  # so changing it will NOT upgrade your system.
-  #
-  # This value being lower than the current NixOS release does NOT mean your system is
-  # out of date, out of support, or vulnerable.
-  #
-  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
-  # and migrated your data accordingly.
-  #
-  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
-  system.stateVersion = "24.05"; # Did you read the comment?
-}
--- a/nixos/master/disko-config.nix
+++ b/nixos/master/disko-config.nix
@@ -1,45 +0,0 @@
-{
-  disko.devices = {
-    disk = {
-      vdb = {
-        type = "disk";
-        device = "/dev/nvme0n1";
-        content = {
-          type = "gpt";
-          partitions = {
-            ESP = {
-              priority = 1;
-              name = "ESP";
-              start = "1M";
-              end = "128M";
-              type = "EF00";
-              content = {
-                type = "filesystem";
-                format = "vfat";
-                mountpoint = "/boot";
-              };
-            };
-            luks = {
-              size = "100%";
-              content = {
-                name = "crypted";
-                type = "luks";
-                passwordFile = "/tmp/secret.key";
-                settings = {
-                  allowDiscards = true;
-                  crypttabExtraOpts =
-                    [ "fido2-device=auto" "token-timeout=10" ];
-                };
-                content = {
-                  type = "filesystem";
-                  format = "ext4";
-                  mountpoint = "/";
-                };
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}
--- a/nixos/master/flake.lock
+++ b/nixos/master/flake.lock
@@ -1,48 +0,0 @@
-{
-  "nodes": {
-    "disko": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1758287904,
-        "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=",
-        "owner": "nix-community",
-        "repo": "disko",
-        "rev": "67ff9807dd148e704baadbd4fd783b54282ca627",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "disko",
-        "type": "github"
-      }
-    },
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1759994382,
-        "narHash": "sha256-wSK+3UkalDZRVHGCRikZ//CyZUJWDJkBDTQX1+G77Ow=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "5da4a26309e796daa7ffca72df93dbe53b8164c7",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-25.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "disko": "disko",
-        "nixpkgs": "nixpkgs"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}
--- a/nixos/master/flake.nix
+++ b/nixos/master/flake.nix
@@ -1,37 +0,0 @@
-{
-  description = "Homelab NixOS Flake";
-
-  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
-    # Disko
-    disko = {
-      url = "github:nix-community/disko";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-  };
-
-  outputs = { nixpkgs, disko, ... }: let
-    nodes = [
-      "homelab-0"
-      "homelab-1"
-      "homelab-2"
-    ];
-  in {
-    nixosConfigurations = builtins.listToAttrs (map (name: {
-	    name = name;
-	    value = nixpkgs.lib.nixosSystem {
-     	    specialArgs = {
-            meta = { hostname = name; };
-          };
-          system = "x86_64-linux";
-          modules = [
-            # Modules
-            disko.nixosModules.disko
-            ./hardware-configuration.nix
-            ./disko-config.nix
-            ./configuration.nix
-          ];
-        };
-    }) nodes);
-  };
-}
--- a/nixos/master/hardware-configuration.nix
+++ b/nixos/master/hardware-configuration.nix
@@ -1,24 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
-
-{
-  imports = [(modulesPath + "/installer/scan/not-detected.nix")];
-
-  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault false;
-  networking.interfaces.enp1s0.useDHCP = lib.mkDefault false;
-  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
--- a/package-lock.json
+++ b/package-lock.json
@@ -75,9 +75,9 @@
      }
    },
    "node_modules/@jridgewell/sourcemap-codec": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.0.tgz",
-      "integrity": "sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ==",
+      "version": "1.5.5",
+      "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz",
+      "integrity": "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==",
      "dev": true,
      "license": "MIT"
    },
@@ -121,13 +121,14 @@
      "license": "MIT"
    },
    "node_modules/@types/node": {
-      "version": "24.0.3",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-24.0.3.tgz",
-      "integrity": "sha512-R4I/kzCYAdRLzfiCabn9hxWfbuHS573x+r0dJMkkzThEa7pbrcDWK+9zu3e7aBOouf+rQAciqPFMnxwr0aWgKg==",
+      "version": "24.9.1",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-24.9.1.tgz",
+      "integrity": "sha512-QoiaXANRkSXK6p0Duvt56W208du4P9Uye9hWLWgGMDTEoKPhuenzNcC4vGUmrNkiOKTlIrBoyNQYNpSwfEZXSg==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "dependencies": {
-        "undici-types": "~7.8.0"
+        "undici-types": "~7.16.0"
      }
    },
    "node_modules/acorn": {
@@ -173,6 +174,7 @@
        "semver"
      ],
      "license": "MPL-2.0",
+      "peer": true,
      "dependencies": {
        "archiver": "7.0.1",
        "json-stable-stringify": "1.2.1",
@@ -1250,7 +1252,8 @@
      "version": "10.4.2",
      "resolved": "https://registry.npmjs.org/constructs/-/constructs-10.4.2.tgz",
      "integrity": "sha512-wsNxBlAott2qg8Zv87q3eYZYgheb9lchtBfjHzzLHtXbttwSrHPs1NNQbBrmbb1YZvYg2+Vh0Dor76w4mFxJkA==",
-      "license": "Apache-2.0"
+      "license": "Apache-2.0",
+      "peer": true
    },
    "node_modules/create-require": {
      "version": "1.1.1",
@@ -1270,9 +1273,9 @@
      }
    },
    "node_modules/dotenv": {
-      "version": "16.5.0",
-      "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.5.0.tgz",
-      "integrity": "sha512-m/C+AwOAr9/W1UOIZUo232ejMNnJAJtYQjUbHoNTBNTJSvqzzDh7vnrei3o3r3m9blf6ZoDkvcw0VmozNRFJxg==",
+      "version": "16.6.1",
+      "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.6.1.tgz",
+      "integrity": "sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow==",
      "license": "BSD-2-Clause",
      "engines": {
        "node": ">=12"
@@ -1282,15 +1285,15 @@
      }
    },
    "node_modules/envalid": {
-      "version": "8.0.0",
-      "resolved": "https://registry.npmjs.org/envalid/-/envalid-8.0.0.tgz",
-      "integrity": "sha512-PGeYJnJB5naN0ME6SH8nFcDj9HVbLpYIfg1p5lAyM9T4cH2lwtu2fLbozC/bq+HUUOIFxhX/LP0/GmlqPHT4tQ==",
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/envalid/-/envalid-8.1.0.tgz",
+      "integrity": "sha512-OT6+qVhKVyCidaGoXflb2iK1tC8pd0OV2Q+v9n33wNhUJ+lus+rJobUj4vJaQBPxPZ0vYrPGuxdrenyCAIJcow==",
      "license": "MIT",
      "dependencies": {
-        "tslib": "2.6.2"
+        "tslib": "2.8.1"
      },
      "engines": {
-        "node": ">=8.12"
+        "node": ">=18"
      }
    },
    "node_modules/make-error": {
@@ -1345,17 +1348,18 @@
      }
    },
    "node_modules/tslib": {
-      "version": "2.6.2",
-      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.6.2.tgz",
-      "integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==",
+      "version": "2.8.1",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
+      "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
      "license": "0BSD"
    },
    "node_modules/typescript": {
-      "version": "5.8.3",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.3.tgz",
-      "integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==",
+      "version": "5.9.3",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
+      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
      "dev": true,
      "license": "Apache-2.0",
+      "peer": true,
      "bin": {
        "tsc": "bin/tsc",
        "tsserver": "bin/tsserver"
@@ -1365,9 +1369,9 @@
      }
    },
    "node_modules/undici-types": {
-      "version": "7.8.0",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.8.0.tgz",
-      "integrity": "sha512-9UJ2xGDvQ43tYyVMpuHlsgApydB8ZKfVYTsLDhXkFL/6gfkp+U8xTGdh8pMJv1SpZna0zxG1DwsKZsreLbXBxw==",
+      "version": "7.16.0",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.16.0.tgz",
+      "integrity": "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==",
      "dev": true,
      "license": "MIT"
    },
--- a/postgres/index.ts
+++ b/postgres/index.ts
@@ -11,7 +11,6 @@ type PostgresClusterOptions = {
  };
  name: string;
  namespace: string;
-  storageClass: string;
  users: string[];
  primaryUser: string;
  initSecretName: string;
@@ -31,11 +30,13 @@ export class PostgresCluster extends Construct {
      chart: "cloudnative-pg",
      name: "postgres-system",
      namespace: "cnpg-system",
+      createNamespace: true,
    });

-    const destinationPath = "s3://homelab/";
+    const destinationPath = "s3://postgres-backups/";
    const endpointURL = options.backupR2EndpointURL;
    const barmanStoreName = "r2-postgres-backup-store";
+    const backupServerName = `${options.name}-backup`;

    const barmanConfiguration = {
      destinationPath,
@@ -49,6 +50,16 @@ export class PostgresCluster extends Construct {
          name: "cloudflare-token",
          key: "secret_access_key",
        },
+        region: {
+          name: "cloudflare-token",
+          key: "AWS_REGION",
+        },
+      },
+      wal: {
+        compression: "gzip",
+      },
+      data: {
+        compression: "gzip",
      },
    };

@@ -62,11 +73,9 @@ export class PostgresCluster extends Construct {
          name: barmanStoreName,
        },
        spec: {
+          retentionPolicy: "15d",
          configuration: {
            ...barmanConfiguration,
-            wal: {
-              compression: "gzip",
-            },
          },
        },
      },
@@ -147,22 +156,6 @@ export class PostgresCluster extends Construct {
      },
    });

-    // Secret for server certificate
-    new Manifest(this, "server-ca-cert-secret", {
-      provider: kubernetes,
-      manifest: {
-        apiVersion: "v1",
-        kind: "Secret",
-        metadata: {
-          name: certNames.server,
-          namespace: options.namespace,
-          labels: {
-            "cnpg.io/reload": "",
-          },
-        },
-      },
-    });
-
    // Server certificate
    new Manifest(this, "server-cert", {
      provider: kubernetes,
@@ -332,7 +325,7 @@ export class PostgresCluster extends Construct {
          postgresql: {
            parameters: {
              archive_mode: "on",
-              archive_timeout: "5min",
+              archive_timeout: "60min",
              checkpoint_timeout: "10min",
              checkpoint_completion_target: "0.7",
              dynamic_shared_memory_type: "posix",
@@ -346,16 +339,17 @@ export class PostgresCluster extends Construct {
              logging_collector: "on",
              max_parallel_workers: "32",
              max_replication_slots: "32",
-              max_wal_size: "768MB",
              max_worker_processes: "32",
              max_slot_wal_keep_size: "256MB",
+              max_wal_size: "512MB",
              min_wal_size: "128MB",
              shared_memory_type: "mmap",
              shared_preload_libraries: "",
              ssl_max_protocol_version: "TLSv1.3",
              ssl_min_protocol_version: "TLSv1.3",
+              wal_compression: "on",
              wal_keep_size: "128MB",
-              wal_level: "logical",
+              wal_level: "replica",
              wal_log_hints: "on",
              wal_receiver_timeout: "5s",
              wal_sender_timeout: "5s",
@@ -368,31 +362,16 @@ export class PostgresCluster extends Construct {
          plugins: [
            {
              name: "barman-cloud.cloudnative-pg.io",
-              enabled: true,
              isWALArchiver: true,
              parameters: {
                barmanObjectName: barmanStoreName,
+                serverName: backupServerName,
              },
            },
          ],
-          enableSuperuserAccess: true,
-          // bootstrap: {
-          //   recovery: {
-          //     source: "clusterBackup",
-          //     database: "postgres",
-          //     owner: options.primaryUser,
-          //     secret: {
-          //       name: options.initSecretName,
-          //     },
-          //   },
-          // },
          bootstrap: {
-            initdb: {
-              database: "postgres",
-              secret: {
-                name: options.initSecretName,
-              },
-              postInitSQL: [`CREATE USER ${options.primaryUser} SUPERUSER;`],
+            recovery: {
+              source: "clusterBackup",
            },
          },
          externalClusters: [
@@ -402,7 +381,8 @@ export class PostgresCluster extends Construct {
                name: "barman-cloud.cloudnative-pg.io",
                parameters: {
                  barmanObjectName: barmanStoreName,
-                  serverName: "postgres-cluster",
+                  serverName: backupServerName,
+                  skipWalArchiveCheck: true,
                },
              },
            },
@@ -416,6 +396,7 @@ export class PostgresCluster extends Construct {
                  serviceTemplate: {
                    metadata: {
                      name: "postgres-cluster",
+                      superuser: true,
                      annotations: {
                        "external-dns.alpha.kubernetes.io/hostname":
                          "postgres.dogar.dev",
@@ -428,14 +409,26 @@ export class PostgresCluster extends Construct {
                },
              ],
            },
+            roles: [
+              {
+                name: options.primaryUser,
+                inRoles: ["postgres"],
+                inherit: true,
+                disablePassword: true,
+                createdb: true,
+                createrole: true,
+                login: true,
+                ensure: "present",
+              },
+            ],
          },
          storage: {
            size: "10Gi",
-            storageClass: options.storageClass,
+            storageClass: "longhorn",
          },
          walStorage: {
-            size: "1Gi",
-            storageClass: options.storageClass,
+            size: "2Gi",
+            storageClass: "longhorn",
          },
        },
      },
@@ -451,8 +444,18 @@ export class PostgresCluster extends Construct {
          namespace: options.namespace,
        },
        spec: {
-          schedule: "0 0 0 * * *", // daily at midnight
+          immediate: true,
+          // weekly midnight on Sunday
+          schedule: "* 0 0 * * 0",
          backupOwnerReference: "self",
+          method: "plugin",
+          pluginConfiguration: {
+            name: "barman-cloud.cloudnative-pg.io",
+            parameters: {
+              barmanObjectName: barmanStoreName,
+              serverName: backupServerName,
+            },
+          },
          cluster: {
            name: options.name,
          },
--- a/valkey/index.ts
+++ b/valkey/index.ts
@@ -17,7 +17,7 @@ export class ValkeyCluster extends Construct {
    const labels = { app: "valkey" };
    const { provider, name, namespace } = options;

-    new DeploymentV1(this, "valkeyDeployment", {
+    new DeploymentV1(this, "valkey-deployment", {
      provider,
      metadata: {
        name,
@@ -93,7 +93,7 @@ export class ValkeyCluster extends Construct {
      },
    });

-    new ServiceV1(this, "valkeyService", {
+    new ServiceV1(this, "valkey-service", {
      provider,
      metadata: {
        name,
Author	SHA1	Message	Date
Shahab Dogar	5d95773722	feat: total revamp of homelab configuration	2025-11-15 13:22:49 +05:00
Shahab Dogar	c59ee18d09	fix: Postgres \| finally get backups and restores properly up and running	2025-11-15 13:22:37 +05:00
Shahab Dogar	72b006a7e4	feat: Minecraft \| add ATM10 and enable backups	2025-11-15 13:22:23 +05:00
Shahab Dogar	0b01f40ac8	feat: Media \| add jellyfin and related services for home media system	2025-11-15 13:22:02 +05:00
Shahab Dogar	d17c8b1b34	feat: Nginx \| add local nix cache behind reverse proxy	2025-11-15 13:21:44 +05:00
Shahab Dogar	5ee891fe2b	sec: NixOS \| remove nixos configuration and move to nix-config repo	2025-11-15 13:21:18 +05:00
Shahab Dogar	d1aae53fa6	fix: longhorn \| update to 1.10.0 and use longhorn-system namespace	2025-11-15 13:20:51 +05:00
Shahab Dogar	6c419454d8	fix: MetalLB \| move into metallb-system namespace	2025-11-15 13:20:25 +05:00
Shahab Dogar	706cd8e919	fix: Gitea \| switch to regular longhorn storage class	2025-11-15 13:19:20 +05:00
Shahab Dogar	c0e0d74e4f	fix: move longhorn onto worker nodepool and update backup target	2025-11-15 13:17:19 +05:00
Shahab Dogar	74707a469c	chore: better resource ids for valkey resources	2025-11-15 13:16:31 +05:00
Shahab Dogar	3b9a75c7ba	chore: update flake lock	2025-11-15 13:16:15 +05:00