From b037f5acf790c5aefc70b38d7eeee0ddc5a8f2e2 Mon Sep 17 00:00:00 2001
From: teddy <sirteddy99@gmail.com>
Date: Tue, 9 Jun 2026 21:13:22 +0200
Subject: [PATCH 1/2] Deploy Headlamp internally at headlamp.local

Add headlamp/headlamp.yaml (Deployment v0.42.0, cluster-admin ServiceAccount + login token, Service, Traefik ingress). Remove the stray root headlamp-ingress.yaml that referenced a non-existent service.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 headlamp-ingress.yaml  |  18 -------
 headlamp/headlamp.yaml | 111 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 111 insertions(+), 18 deletions(-)
 delete mode 100644 headlamp-ingress.yaml
 create mode 100644 headlamp/headlamp.yaml

diff --git a/headlamp-ingress.yaml b/headlamp-ingress.yaml
deleted file mode 100644
index 7b80836..0000000
--- a/headlamp-ingress.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: headlamp
-  namespace: kube-system
-spec:
-  ingressClassName: traefik
-  rules:
-    - host: headlamp.local
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: headlamp
-                port:
-                  number: 80
diff --git a/headlamp/headlamp.yaml b/headlamp/headlamp.yaml
new file mode 100644
index 0000000..5af6096
--- /dev/null
+++ b/headlamp/headlamp.yaml
@@ -0,0 +1,111 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: headlamp-admin
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: headlamp-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: headlamp-admin
+    namespace: kube-system
+---
+# Long-lived token used to log in to the Headlamp UI.
+# Retrieve with: kubectl -n kube-system get secret headlamp-admin -o jsonpath='{.data.token}' | base64 -d
+apiVersion: v1
+kind: Secret
+metadata:
+  name: headlamp-admin
+  namespace: kube-system
+  annotations:
+    kubernetes.io/service-account.name: headlamp-admin
+type: kubernetes.io/service-account-token
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: headlamp
+  namespace: kube-system
+  labels:
+    k8s-app: headlamp
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: headlamp
+  template:
+    metadata:
+      labels:
+        k8s-app: headlamp
+    spec:
+      serviceAccountName: headlamp-admin
+      containers:
+        - name: headlamp
+          image: ghcr.io/headlamp-k8s/headlamp:v0.42.0
+          args:
+            - "-in-cluster"
+            - "-plugins-dir=/headlamp/plugins"
+          ports:
+            - containerPort: 4466
+              name: http
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 4466
+            initialDelaySeconds: 30
+            timeoutSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 4466
+            initialDelaySeconds: 30
+            timeoutSeconds: 30
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 100
+            privileged: false
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: headlamp
+  namespace: kube-system
+spec:
+  selector:
+    k8s-app: headlamp
+  ports:
+    - port: 80
+      targetPort: 4466
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: headlamp
+  namespace: kube-system
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: headlamp.local
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: headlamp
+                port:
+                  number: 80

From 3d22ced62d222f86ac51515b8997d757e539fb05 Mon Sep 17 00:00:00 2001
From: teddy <sirteddy99@gmail.com>
Date: Tue, 9 Jun 2026 21:13:22 +0200
Subject: [PATCH 2/2] Pin nextcloud image to 33.0.5

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 nextcloud/nextcloud.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nextcloud/nextcloud.yaml b/nextcloud/nextcloud.yaml
index 32f90a0..0c4312e 100644
--- a/nextcloud/nextcloud.yaml
+++ b/nextcloud/nextcloud.yaml
@@ -91,7 +91,7 @@ spec:
     spec:
       containers:
         - name: nextcloud
-          image: nextcloud:latest
+          image: nextcloud:33.0.5
           env:
             - name: POSTGRES_HOST
               value: postgres