feat: add more

clusters/cl01tl/helm/ollama/templates/external-secret.yaml

@@ -2,40 +2,40 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: ollama-key-secret
+  name: open-webui-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: ollama-key-secret
+    app.kubernetes.io/name: open-webui-key
     {{- include "custom.labels" . | nindent 4 }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: key
       remoteRef:
-        key: /cl01tl/ollama/key
+        key: /cl01tl/ollama/open-webui/key
         property: key
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: ollama-oidc-secret
+  name: open-webui-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: ollama-oidc-secret
+    app.kubernetes.io/name: open-webui-oidc-authentik
     {{- include "custom.labels" . | nindent 4 }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: client
       remoteRef:
-        key: /authentik/oidc/ollama
+        key: /cl01tl/authentik/oidc/open-webui
         property: client
     - secretKey: secret
       remoteRef:
-        key: /authentik/oidc/ollama
+        key: /cl01tl/authentik/oidc/open-webui
         property: secret

clusters/cl01tl/helm/ollama/values.yaml

@@ -127,7 +127,7 @@ ollama:
             - name: WEBUI_SECRET_KEY
               valueFrom:
                 secretKeyRef:
-                  name: ollama-key-secret
+                  name: ollama-key
                   key: key
             - name: DATABASE_URL
               valueFrom:
@@ -143,12 +143,12 @@ ollama:
             - name: OAUTH_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: ollama-oidc-secret
+                  name: open-webui-oidc-authentik
                   key: secret
             - name: OAUTH_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: ollama-oidc-secret
+                  name: open-webui-oidc-authentik
                   key: client
             - name: OAUTH_PROVIDER_NAME
               value: Authentik

clusters/cl01tl/helm/openbao/templates/namespace.yaml

@@ -1,9 +1,9 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: openbao
+  name: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: openbao
+    app.kubernetes.io/name: {{ .Release.Namespace }}
     {{- include "custom.labels" . | nindent 4 }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged

clusters/cl01tl/helm/outline/templates/external-secret.yaml

@@ -1,15 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: outline-key-secret
+  name: outline-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: outline-key-secret
+    app.kubernetes.io/name: outline-key
     {{- include "custom.labels" . | nindent 4 }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: secret-key
       remoteRef:
@@ -24,21 +24,21 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: outline-oidc-secret
+  name: outline-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: outline-oidc-secret
+    app.kubernetes.io/name: outline-oidc-authentik
     {{- include "custom.labels" . | nindent 4 }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: client
       remoteRef:
-        key: /authentik/oidc/outline
+        key: /cl01tl/authentik/oidc/outline
         property: client
     - secretKey: secret
       remoteRef:
-        key: /authentik/oidc/outline
+        key: /cl01tl/authentik/oidc/outline
         property: secret

clusters/cl01tl/helm/outline/values.yaml

@@ -22,12 +22,12 @@ outline:
             - name: SECRET_KEY
               valueFrom:
                 secretKeyRef:
-                  name: outline-key-secret
+                  name: outline-key
                   key: secret-key
             - name: UTILS_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: outline-key-secret
+                  name: outline-key
                   key: utils-key
             - name: POSTGRES_USERNAME
               valueFrom:
@@ -89,12 +89,12 @@ outline:
             - name: OIDC_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: outline-oidc-secret
+                  name: outline-oidc-authentik
                   key: client
             - name: OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: outline-oidc-secret
+                  name: outline-oidc-authentik
                   key: secret
             - name: OIDC_AUTH_URI
               value: https://auth.alexlebens.dev/application/o/authorize/

clusters/cl01tl/helm/paperless-ngx/templates/external-secret.yaml

@@ -1,51 +1,58 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: paperless-ngx-secret
+  name: paperless-ngx-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: paperless-ngx-secret
+    app.kubernetes.io/name: paperless-ngx-key
     {{- include "custom.labels" . | nindent 4 }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: secret-key
       remoteRef:
-        key: /cl01tl/paperless-ngx/secret
+        key: /cl01tl/paperless-ngx/key
         property: secret-key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: paperless-ngx-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: paperless-ngx-config
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
     - secretKey: admin-user
       remoteRef:
-        key: /cl01tl/paperless-ngx/secret
+        key: /cl01tl/paperless-ngx/config
         property: admin-user
     - secretKey: admin-password
       remoteRef:
-        key: /cl01tl/paperless-ngx/secret
+        key: /cl01tl/paperless-ngx/config
         property: admin-password
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: paperless-ngx-oidc-secret
+  name: paperless-ngx-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: paperless-ngx-oidc-secret
+    app.kubernetes.io/name: paperless-ngx-oidc-authentik
     {{- include "custom.labels" . | nindent 4 }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
-    - secretKey: OIDC_CLIENT_ID
-      remoteRef:
-        key: /authentik/oidc/paperless-ngx
-        property: client
-    - secretKey: OIDC_CLIENT_SECRET
-      remoteRef:
-        key: /authentik/oidc/paperless-ngx
-        property: secret
     - secretKey: PAPERLESS_SOCIALACCOUNT_PROVIDERS
       remoteRef:
         key: /authentik/oidc/paperless-ngx

clusters/cl01tl/helm/paperless-ngx/values.yaml

@@ -44,7 +44,7 @@ paperless-ngx:
             - name: PAPERLESS_SECRET_KEY
               valueFrom:
                 secretKeyRef:
-                  name: paperless-ngx-secret
+                  name: paperless-ngx-key
                   key: secret-key
             - name: PAPERLESS_URL
               value: https://paperless-ngx.alexlebens.net
@@ -53,12 +53,12 @@ paperless-ngx:
             - name: PAPERLESS_ADMIN_USER
               valueFrom:
                 secretKeyRef:
-                  name: paperless-ngx-secret
+                  name: paperless-ngx-config
                   key: admin-user
             - name: PAPERLESS_ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: paperless-ngx-secret
+                  name: paperless-ngx-config
                   key: admin-password
             - name: PAPERLESS_ACCOUNT_ALLOW_SIGNUPS
               value: true
@@ -73,7 +73,7 @@ paperless-ngx:
             - name: PAPERLESS_SOCIALACCOUNT_PROVIDERS
               valueFrom:
                 secretKeyRef:
-                  name: paperless-ngx-oidc-secret
+                  name: paperless-ngx-oidc-authentik
                   key: PAPERLESS_SOCIALACCOUNT_PROVIDERS
             - name: PAPERLESS_SOCIALACCOUNT_DEFAULT_PERMISSIONS
               value: '["view_uisettings", "view_savedview", "add_uisettings", "change_uisettings", "delete_uisettings"]'

clusters/cl01tl/helm/plex/templates/_helpers.tpl

@@ -12,3 +12,10 @@ Selector labels
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.storageNfsName" -}}
+plex-nfs-storage
+{{- end -}}

clusters/cl01tl/helm/plex/templates/persistent-volume-claim.yaml

@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: plex-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: plex-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
     {{- include "custom.labels" . | nindent 4 }}
 spec:
-  volumeName: plex-nfs-storage
+  volumeName: {{ include "custom.storageNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/plex/templates/persistent-volume.yaml

@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: plex-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: plex-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
     {{- include "custom.labels" . | nindent 4 }}
 spec:
   persistentVolumeReclaimPolicy: Retain

clusters/cl01tl/helm/postiz/Chart.yaml

@@ -5,7 +5,7 @@ description: Postiz
 keywords:
   - postiz
   - social-media
-home: https://docs.alexlebens.dev/applications/plex/
+home: https://docs.alexlebens.dev/applications/postiz/
 sources:
   - https://github.com/gitroomhq/postiz-app
   - https://github.com/getsentry/spotlight

clusters/cl01tl/helm/postiz/templates/external-secret.yaml

@@ -1,71 +1,21 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: postiz-config-secret
+  name: postiz-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: postiz-config-secret
+    app.kubernetes.io/name: postiz-config
     {{- include "custom.labels" . | nindent 4 }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: JWT_SECRET
       remoteRef:
         key: /cl01tl/postiz/config
         property: JWT_SECRET
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: postiz-oidc-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: postiz-oidc-secret
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: client
-      remoteRef:
-        key: /authentik/oidc/postiz
-        property: client
-    - secretKey: secret
-      remoteRef:
-        key: /authentik/oidc/postiz
-        property: secret
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: postiz-elasticsearch-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: postiz-elasticsearch-secret
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: username
-      remoteRef:
-        key: /cl01tl/postiz/elasticsearch
-        property: username
-    - secretKey: password
-      remoteRef:
-        key: /cl01tl/postiz/elasticsearch
-        property: password
-    - secretKey: roles
-      remoteRef:
-        key: /cl01tl/postiz/elasticsearch
-        property: roles
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -78,7 +28,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: REDIS_URL
       remoteRef:
@@ -96,3 +46,26 @@ spec:
       remoteRef:
         key: /cl01tl/postiz/valkey
         property: password
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: postiz-oidc-authentik
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: postiz-oidc-authentik
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: client
+      remoteRef:
+        key: /cl01tl/authentik/oidc/postiz
+        property: client
+    - secretKey: secret
+      remoteRef:
+        key: /cl01tl/authentik/oidc/postiz
+        property: secret

clusters/cl01tl/helm/postiz/values.yaml

@@ -13,7 +13,7 @@ postiz:
             - name: JWT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: postiz-config-secret
+                  name: postiz-config
                   key: JWT_SECRET
             - name: MAIN_URL
               value: https://postiz.alexlebens.dev
@@ -64,12 +64,12 @@ postiz:
             - name: POSTIZ_OAUTH_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: postiz-oidc-secret
+                  name: postiz-oidc-authentik
                   key: client
             - name: POSTIZ_OAUTH_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: postiz-oidc-secret
+                  name: postiz-oidc-authentik
                   key: secret
             - name: POSTIZ_OAUTH_SCOPE
               value: openid profile email

clusters/cl01tl/helm/prowlarr/templates/external-secret.yaml

@@ -9,7 +9,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: key
       remoteRef:

clusters/cl01tl/helm/qbittorrent/Chart.yaml

@@ -5,7 +5,7 @@ description: qBittorrent
 keywords:
   - qbittorrent
   - torrent
-home: https://docs.alexlebens.dev/applications/prowlarr/
+home: https://docs.alexlebens.dev/applications/qbittorrent/
 sources:
   - https://github.com/qbittorrent/qBittorrent
   - https://github.com/qdm12/gluetun

clusters/cl01tl/helm/qbittorrent/templates/_helpers.tpl

@@ -12,3 +12,10 @@ Selector labels
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.storageNfsName" -}}
+qbittorrent-nfs-storage
+{{- end -}}

clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml

@@ -1,75 +1,112 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: qbittorrent-wireguard-conf
+  name: qbit-manage-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: qbittorrent-wireguard-conf
+    app.kubernetes.io/name: qbit-manage-config
     {{- include "custom.labels" . | nindent 4 }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        ntfy-url: "{{ `{{ .endpoint }}` }}/qbit-manage"
   data:
+    - secretKey: endpoint
+      remoteRef:
+        key: /cl01tl/ntfy/users/cl01tl
+        property: internal-endpoint-credential
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: qui-oidc-authentik
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: qui-oidc-authentik
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: secret
+      remoteRef:
+        key: /cl01tl/authentik/oidc/qui
+        property: secret
+    - secretKey: client
+      remoteRef:
+        key: /cl01tl/authentik/oidc/qui
+        property: client
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: airvpn-wireguard-conf
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: airvpn-wireguard-conf
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: conf
+      remoteRef:
+        key: /airvpn/config
+        property: conf
     - secretKey: private-key
       remoteRef:
-        key: /airvpn/conf/cl01tl
+        key: /airvpn/config
         property: private-key
     - secretKey: preshared-key
       remoteRef:
-        key: /airvpn/conf/cl01tl
+        key: /airvpn/config
         property: preshared-key
     - secretKey: addresses
       remoteRef:
-        key: /airvpn/conf/cl01tl
+        key: /airvpn/config
         property: addresses
     - secretKey: input-ports
       remoteRef:
-        key: /airvpn/conf/cl01tl
+        key: /airvpn/config
         property: input-ports
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: qbittorrent-qbit-manage-config
+  name: protonvpn-wireguard-conf
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: qbittorrent-qbit-manage-config
+    app.kubernetes.io/name: protonvpn-wireguard-conf
     {{- include "custom.labels" . | nindent 4 }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
-    - secretKey: ntfy-url
+    - secretKey: conf
       remoteRef:
-        key: /cl01tl/qbittorrent/qbit-manage
+        key: /protonvpn/config
-        property: ntfy-url
+        property: conf
-    - secretKey: config.yml
+    - secretKey: email
       remoteRef:
-        key: /cl01tl/qbittorrent/qbit-manage
+        key: /protonvpn/config
-        property: config.yml
+        property: email
-
+    - secretKey: password
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: qui-oidc-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: qui-oidc-secret
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: secret
       remoteRef:
-        key: /authentik/oidc/qui
+        key: /protonvpn/config
-        property: secret
+        property: password
-    - secretKey: client
+    - secretKey: private-key
       remoteRef:
-        key: /authentik/oidc/qui
+        key: /protonvpn/config
-        property: client
+        property: private-key

clusters/cl01tl/helm/qbittorrent/templates/namespace.yaml

@@ -1,9 +1,9 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: qbittorrent
+  name: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: qbittorrent
+    app.kubernetes.io/name: {{ .Release.Namespace }}
     {{- include "custom.labels" . | nindent 4 }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged

clusters/cl01tl/helm/qbittorrent/templates/persistent-volume-claim.yaml

@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: qbittorrent-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: qbittorrent-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
     {{- include "custom.labels" . | nindent 4 }}
 spec:
-  volumeName: qbittorrent-nfs-storage
+  volumeName: {{ include "custom.storageNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/qbittorrent/templates/persistent-volume.yaml

@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: qbittorrent-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: qbittorrent-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
     {{- include "custom.labels" . | nindent 4 }}
 spec:
   persistentVolumeReclaimPolicy: Retain

clusters/cl01tl/helm/qbittorrent/templates/secret-provider-class.yaml

@@ -0,0 +1,18 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: qbit-manage-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: qbit-manage-config
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  provider: openbao
+  parameters:
+    baoAddress: "http://openbao-internal.openbao:8200"
+    roleName: qbittorrent
+    objects: |
+      - objectName: config.yml
+        fileName: config.yml
+        secretPath: secret/data/cl01tl/qbittorrent/qbit-manage
+        secretKey: config.yml

clusters/cl01tl/helm/qbittorrent/values.yaml

@@ -62,33 +62,22 @@ qbittorrent:
                 command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
           env:
             - name: VPN_SERVICE_PROVIDER
-              value: airvpn
+              value: protonvpn
             - name: VPN_TYPE
               value: wireguard
             - name: WIREGUARD_PRIVATE_KEY
               valueFrom:
                 secretKeyRef:
-                  name: qbittorrent-wireguard-conf
+                  name: protonvpn-wireguard-conf
                   key: private-key
-            - name: WIREGUARD_PRESHARED_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: qbittorrent-wireguard-conf
-                  key: preshared-key
-            - name: WIREGUARD_ADDRESSES
-              valueFrom:
-                secretKeyRef:
-                  name: qbittorrent-wireguard-conf
-                  key: addresses
-            - name: FIREWALL_VPN_INPUT_PORTS
-              valueFrom:
-                secretKeyRef:
-                  name: qbittorrent-wireguard-conf
-                  key: input-ports
             - name: FIREWALL_OUTBOUND_SUBNETS
               value: 192.168.1.0/24,10.244.0.0/16
             - name: FIREWALL_INPUT_PORTS
-              value: 8080,9022
+              value: 5030,50300
+            - name: VPN_PORT_FORWARDING
+              value: 'on'
+            - name: VPN_PORT_FORWARDING_UP_COMMAND
+              value: '/bin/sh -c "/gluetun/update.sh {{ printf "{{PORTS}}" }}"'
             - name: DNS_UPSTREAM_RESOLVER_TYPE
               value: dot
             - name: BLOCK_MALICIOUS
@@ -141,6 +130,8 @@ qbittorrent:
         reloader.stakater.com/auto: "true"
       replicas: 1
       strategy: Recreate
+      serviceAccount:
+        name: qbittorrent
       initContainers:
         init-copy-config:
           image:
@@ -150,7 +141,7 @@ qbittorrent:
             - /bin/sh
             - -ec
             - |
-              cp /config/config.yml /app/config/config.yml
+              cp /tmp/config.yml /app/config/config.yml
       containers:
         qbit-manage:
           image:
@@ -194,7 +185,7 @@ qbittorrent:
             - name: APPRISE_STATELESS_URLS
               valueFrom:
                 secretKeyRef:
-                  name: qbittorrent-qbit-manage-config
+                  name: qbit-manage-config
                   key: ntfy-url
     qui:
       type: deployment
@@ -223,12 +214,12 @@ qbittorrent:
             - name: QUI__OIDC_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: qui-oidc-secret
+                  name: qui-oidc-authentik
                   key: client
             - name: QUI__OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: qui-oidc-secret
+                  name: qui-oidc-authentik
                   key: secret
             - name: QUI__OIDC_REDIRECT_URL
               value: https://qui.alexlebens.net/api/auth/oidc/callback
@@ -238,6 +229,10 @@ qbittorrent:
             requests:
               cpu: 10m
               memory: 70Mi
+  serviceAccount:
+    qbittorrent:
+      enabled: true
+      staticToken: true
   service:
     main:
       controller: main
@@ -347,22 +342,6 @@ qbittorrent:
           gluetun:
             - path: /gluetun/update.sh
               subPath: update.sh
-    qbit-manage-config:
-      enabled: true
-      type: secret
-      name: qbittorrent-qbit-manage-config
-      advancedMounts:
-        qbit-manage:
-          init-copy-config:
-            - path: /config/config.yml
-              readOnly: true
-              mountPropagation: None
-              subPath: config.yml
-          qbit-manage:
-            - path: /config/config.yml
-              readOnly: true
-              mountPropagation: None
-              subPath: config.yml
     config-data:
       forceRename: qbittorrent-config-data
       storageClass: ceph-filesystem
@@ -377,6 +356,27 @@ qbittorrent:
           qbit-manage:
             - path: /qbittorrent/qBittorrent
               readOnly: false
+    qbit-manage-config:
+      enabled: true
+      type: custom
+      volumeSpec:
+        csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: qbit-manage-config
+      advancedMounts:
+        qbit-manage:
+          init-copy-config:
+            - path: /tmp/config.yml
+              readOnly: true
+              mountPropagation: None
+              subPath: config.yml
+          qbit-manage:
+            - path: /tmp/config.yml
+              readOnly: true
+              mountPropagation: None
+              subPath: config.yml
     qbit-manage-config-data:
       forceRename: qbittorrent-qbit-manage-config-data
       storageClass: ceph-block
@@ -390,6 +390,15 @@ qbittorrent:
           qbit-manage:
             - path: /app/config
               readOnly: false
+    qbit-manage-config-var:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 500Mi
+      advancedMounts:
+        qbit-manage:
+          qbit-manage:
+            - path: /app/var
+              readOnly: false
     qui-config-data:
       forceRename: qbittorrent-qui-config-data
       storageClass: ceph-block
@@ -400,13 +409,6 @@ qbittorrent:
           qui:
             - path: /config
               readOnly: false
-    qbit-manage-config-var:
-      type: emptyDir
-      advancedMounts:
-        qbit-manage:
-          qbit-manage:
-            - path: /app/var
-              readOnly: false
     storage:
       type: persistentVolumeClaim
       existingClaim: qbittorrent-nfs-storage