squash all

Mostly copied over from my old repo and modified for app of apps.
Cleaning up the mess from migration

Signed-off-by: gwg313 <gwg313@pm.me>

metallb/values.yaml

@@ -0,0 +1,46 @@
+metallb:
+  controller:
+    enabled: true
+  speaker:
+    enabled: true
+    hostNetwork: true
+    podAnnotations:
+      sidecar.istio.io/inject: "false"
+    tolerations:
+      - operator: Exists
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      capabilities:
+        drop: ["ALL"]
+  # keep FRR disabled – GoBGP mode works fine and avoids NET_ADMIN
+  frr:
+    enabled: false
+  configInline:
+    peers:
+      - peer-address: 10.1.10.1 # OPNsense LAN IP
+        peer-asn: 65551 # ASN you set on OPNsense
+        my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
+        hold-time: 90s
+        source-address: 10.1.10.3 # Talos node IP (optional but fine)
+      - peer-address: 10.1.10.1 # OPNsense LAN IP
+        peer-asn: 65551 # ASN you set on OPNsense
+        my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
+        hold-time: 90s
+        source-address: 10.1.10.4 # Talos node IP (optional but fine)
+      - peer-address: 10.1.10.1 # OPNsense LAN IP
+        peer-asn: 65551 # ASN you set on OPNsense
+        my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
+        hold-time: 90s
+        source-address: 10.1.10.5 # Talos node IP (optional but fine)
+      - peer-address: 10.1.10.1 # OPNsense LAN IP
+        peer-asn: 65551 # ASN you set on OPNsense
+        my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
+        hold-time: 90s
+        source-address: 10.1.10.6 # Talos node IP (optional but fine)
+        # router-id optional – can omit or make unique per node
+    address-pools:
+      - name: default
+        protocol: bgp
+        addresses:
+          - 10.1.10.50-10.1.10.100