move to stage

2025-02-18 20:57:50 -06:00
parent 75497f6f0f
commit 561c69d778
168 changed files with 0 additions and 9850 deletions
--- a/clusters/standby/applications/audiobookshelf/Chart.yaml
+++ b/clusters/standby/applications/audiobookshelf/Chart.yaml
@@ -1,23 +0,0 @@
 apiVersion: v2
 name: audiobookshelf
 version: 1.0.0
 description: Audiobookshelf
 keywords:
  - audiobookshelf
  - books
  - podcasts
  - audiobooks
 home: https://wiki.alexlebens.dev/doc/audiobookshelf-uNciuFjzDw
 sources:
  - https://github.com/advplyr/audiobookshelf
  - https://github.com/advplyr/audiobookshelf/pkgs/container/audiobookshelf
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: audiobookshelf
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/audiobookshelf.png
 appVersion: 2.17.5
--- a/clusters/standby/applications/audiobookshelf/templates/external-secret.yaml
+++ b/clusters/standby/applications/audiobookshelf/templates/external-secret.yaml
@@ -1,116 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: audiobookshelf-config-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-config-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-config"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: audiobookshelf-metadata-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-metadata-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-metadata"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
--- a/clusters/standby/applications/audiobookshelf/templates/persistent-volume-claim.yaml
+++ b/clusters/standby/applications/audiobookshelf/templates/persistent-volume-claim.yaml
@@ -1,40 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: audiobookshelf-nfs-storage-backup
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-nfs-storage-backup
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeMode: Filesystem
  storageClassName: nfs-client
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: audiobookshelf-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: audiobookshelf-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/standby/applications/audiobookshelf/templates/persistent-volume.yaml
+++ b/clusters/standby/applications/audiobookshelf/templates/persistent-volume.yaml
@@ -1,25 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: audiobookshelf-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
--- a/clusters/standby/applications/audiobookshelf/templates/replication-source.yaml
+++ b/clusters/standby/applications/audiobookshelf/templates/replication-source.yaml
@@ -1,56 +0,0 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: audiobookshelf-config-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-config-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: audiobookshelf-config
  trigger:
    schedule: 0 0 */3 * *
  restic:
    pruneIntervalDays: 14
    repository: audiobookshelf-config-backup-secret
    retain:
      hourly: 1
      daily: 1
      weekly: 1
      monthly: 2
      yearly: 4
    copyMethod: Snapshot
    storageClassName: ceph-block-delete
    volumeSnapshotClassName: ceph-blockpool-snapshot
 ---
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: audiobookshelf-metadata-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-metadata-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: audiobookshelf-metadata
  trigger:
    schedule: 0 0 */3 * *
  restic:
    pruneIntervalDays: 14
    repository: audiobookshelf-metadata-backup-secret
    retain:
      hourly: 1
      daily: 1
      weekly: 1
      monthly: 2
      yearly: 4
    copyMethod: Snapshot
    storageClassName: ceph-block-delete
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/standby/applications/audiobookshelf/values.yaml
+++ b/clusters/standby/applications/audiobookshelf/values.yaml
@@ -1,80 +0,0 @@
 audiobookshelf:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: ghcr.io/advplyr/audiobookshelf
            tag: 2.19.2
            pullPolicy: IfNotPresent
          env:
            - name: TZ
              value: US/Central
          resources:
            requests:
              cpu: 10m
              memory: 128Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 80
          protocol: HTTP
  ingress:
    tailscale:
      enabled: true
      className: tailscale
      hosts:
        - host: audiobookshelf-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: audiobookshelf
                port: 80
      tls:
        - hosts:
            - audiobookshelf-cl01tl
  persistence:
    config:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 2Gi
      retain: true
      advancedMounts:
        main:
          main:
            - path: /config
              readOnly: false
    metadata:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 10Gi
      retain: true
      advancedMounts:
        main:
          main:
            - path: /metadata
              readOnly: false
    backup:
      existingClaim: audiobookshelf-nfs-storage-backup
      advancedMounts:
        main:
          main:
            - path: /metadata/backups
              readOnly: false
    audiobooks:
      existingClaim: audiobookshelf-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /mnt/store/
              readOnly: false
--- a/clusters/standby/applications/calibre-web-automated/Chart.yaml
+++ b/clusters/standby/applications/calibre-web-automated/Chart.yaml
@@ -1,21 +0,0 @@
 apiVersion: v2
 name: calibre-web-automated
 version: 1.0.0
 description: Calibre Web Automated
 keywords:
  - calibre-web-automated
  - books
 home: https://wiki.alexlebens.dev/doc/calibre-web-automated-1SMf1jPFsb
 sources:
  - https://github.com/crocodilestick/Calibre-Web-Automator
  - https://hub.docker.com/r/crocodilestick/calibre-web-automated
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: calibre-web-automated
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/calibre-web.png
 appVersion: V2.1.2
--- a/clusters/standby/applications/calibre-web-automated/templates/external-secret.yaml
+++ b/clusters/standby/applications/calibre-web-automated/templates/external-secret.yaml
@@ -1,82 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: calibre-web-automated-gmail-config
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: calibre-web-automated-gmail-config
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: gmail.json
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/calibre-web/gmail
        metadataPolicy: None
        property: gmail.json
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: calibre-web-automated-config-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: calibre-web-automated-config-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/calibre-web-automated/calibre-web-automated-config"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
--- a/clusters/standby/applications/calibre-web-automated/templates/persistent-volume-claim.yaml
+++ b/clusters/standby/applications/calibre-web-automated/templates/persistent-volume-claim.yaml
@@ -1,40 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: calibre-web-automated-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: calibre-web-automated-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: calibre-web-automated-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: calibre-web-automated-ingest-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: calibre-web-automated-ingest-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: calibre-web-automated-ingest-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/standby/applications/calibre-web-automated/templates/persistent-volume.yaml
+++ b/clusters/standby/applications/calibre-web-automated/templates/persistent-volume.yaml
@@ -1,52 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: calibre-web-automated-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: calibre-web-automated-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage/Calibre
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: calibre-web-automated-ingest-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: calibre-web-automated-ingest-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage/Calibre Import
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
--- a/clusters/standby/applications/calibre-web-automated/templates/replication-source.yaml
+++ b/clusters/standby/applications/calibre-web-automated/templates/replication-source.yaml
@@ -1,30 +0,0 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: calibre-web-automated-config-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: calibre-web-automated-config-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: calibre-web-automated-config
  trigger:
    schedule: 0 0 */3 * *
  restic:
    pruneIntervalDays: 14
    repository: calibre-web-automated-config-backup-secret
    retain:
      hourly: 1
      daily: 1
      weekly: 1
      monthly: 2
      yearly: 4
    moverSecurityContext:
      runAsUser: 1000
      runAsGroup: 100
    copyMethod: Snapshot
    storageClassName: ceph-block-delete
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/standby/applications/calibre-web-automated/values.yaml
+++ b/clusters/standby/applications/calibre-web-automated/values.yaml
@@ -1,151 +0,0 @@
 calibre-web-automated:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: crocodilestick/calibre-web-automated
            tag: V2.1.2@sha256:64cc0b6a563ef626c0f905792d6be976251149b30ee1e7fb49d60ef3ee966cb6
            pullPolicy: IfNotPresent
          env:
            - name: TZ
              value: US/Central
            - name: PUID
              value: 1000
            - name: PGID
              value: 100
            - name: DOCKER_MODS
              value: lscr.io/linuxserver/mods:universal-calibre-v7.23.0
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
    downloader:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: ghcr.io/calibrain/calibre-web-automated-book-downloader
            tag: latest@sha256:29757639bff2263a0de383e6b4855b09457e6c5944f41e934247bbb9bec5c8b7
            pullPolicy: IfNotPresent
          env:
            - name: FLASK_PORT
              value: 8084
            - name: UID
              value: 1000
            - name: GID
              value: 100
            - name: USE_CF_BYPASS
              value: true
            - name: CLOUDFLARE_PROXY_URL
              value: http://localhost:8000
            - name: INGEST_DIR
              value: /cwa-book-ingest
            - name: BOOK_LANGUAGE
              value: end
          resources:
            requests:
              cpu: 10m
              memory: 256Mi
        bypass:
          image:
            repository: ghcr.io/sarperavci/cloudflarebypassforscraping
            tag: latest@sha256:e937223b9321168efec4ce4b60958d399b6dde37791ea6dc67d05b057c0f167e
            pullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 10m
              memory: 128Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 8083
          targetPort: 8083
          protocol: HTTP
    downloader:
      controller: downloader
      ports:
        http:
          port: 8084
          targetPort: 8084
          protocol: HTTP
  ingress:
    tailscale-main:
      enabled: true
      className: tailscale
      hosts:
        - host: calibre-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: calibre-web-automated-main
                port: 8083
      tls:
        - hosts:
            - calibre-cl01tl
    tailscale-downloader:
      enabled: true
      className: tailscale
      hosts:
        - host: calibre-downloader-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: calibre-web-automated-downloader
                port: 8084
      tls:
        - hosts:
            - calibre-downloader-cl01tl
  persistence:
    config:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 5Gi
      retain: true
      advancedMounts:
        main:
          main:
            - path: /config
              readOnly: false
    gmail:
      enabled: true
      type: secret
      name: calibre-web-automated-gmail-config
      advancedMounts:
        main:
          main:
            - path: /app/calibre-web/gmail.json
              readOnly: true
              mountPropagation: None
              subPath: gmail.json
    books:
      existingClaim: calibre-web-automated-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /calibre-library
              readOnly: false
    ingest:
      existingClaim: calibre-web-automated-ingest-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /cwa-book-ingest
              readOnly: false
        downloader:
          main:
            - path: /cwa-book-ingest
              readOnly: false
--- a/clusters/standby/applications/checkrr/Chart.yaml
+++ b/clusters/standby/applications/checkrr/Chart.yaml
@@ -1,20 +0,0 @@
 apiVersion: v2
 name: checkrr
 version: 1.0.0
 description: Checkrr
 keywords:
  - checkrr
  - servarr
  - healthchecks
 home: https://wiki.alexlebens.dev/doc/checkrr
 sources:
  - https://github.com/aetaric/checkrr
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: checkrr
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
 appVersion: v3.4.0
--- a/clusters/standby/applications/checkrr/templates/external-secret.yaml
+++ b/clusters/standby/applications/checkrr/templates/external-secret.yaml
@@ -1,23 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: checkrr-config-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: checkrr-config-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: checkrr.yaml
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/checkrr
        metadataPolicy: None
        property: checkrr.yaml
--- a/clusters/standby/applications/checkrr/templates/persistent-volume-claim.yaml
+++ b/clusters/standby/applications/checkrr/templates/persistent-volume-claim.yaml
@@ -1,19 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: checkrr-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: checkrr-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: checkrr-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/standby/applications/checkrr/templates/persistent-volume.yaml
+++ b/clusters/standby/applications/checkrr/templates/persistent-volume.yaml
@@ -1,25 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: checkrr-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: checkrr-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
--- a/clusters/standby/applications/checkrr/values.yaml
+++ b/clusters/standby/applications/checkrr/values.yaml
@@ -1,92 +0,0 @@
 checkrr:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      initContainers:
        init-create-db:
          securityContext:
            runAsUser: 0
          image:
            repository: busybox
            tag: 1.37.0
            pullPolicy: IfNotPresent
          command:
            - /bin/sh
            - -ec
            - |
              if [ ! -f /app/checkrr.db ]; then
                touch /app/checkrr.db;
              fi;
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
      containers:
        main:
          image:
            repository: aetaric/checkrr
            tag: 3.4.0
            pullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 2
              memory: 512Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 8585
          protocol: HTTP
  ingress:
    tailscale:
      enabled: true
      className: tailscale
      hosts:
        - host: checkrr-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: checkrr
                port: 80
      tls:
        - hosts:
            - checkrr-cl01tl
  persistence:
    config:
      enabled: true
      type: secret
      name: checkrr-config-secret
      advancedMounts:
        main:
          main:
            - path: /etc/checkrr.yaml
              readOnly: true
              mountPropagation: None
              subPath: checkrr.yaml
    db:
      storageClass: ceph-block-delete
      accessMode: ReadWriteOnce
      size: 5Gi
      advancedMounts:
        main:
          init-create-db:
            - path: /app
              readOnly: false
          main:
            - path: /app
              readOnly: false
    media:
      existingClaim: checkrr-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /mnt/store
              readOnly: false
--- a/clusters/standby/applications/code-server/Chart.yaml
+++ b/clusters/standby/applications/code-server/Chart.yaml
@@ -1,28 +0,0 @@
 apiVersion: v2
 name: code-server
 version: 1.0.0
 description: Code Server
 keywords:
  - code-server
  - code
  - ide
 home: https://wiki.alexlebens.dev/doc/code-server-1WziinqCFS
 sources:
  - https://github.com/coder/code-server
  - https://github.com/cloudflare/cloudflared
  - https://hub.docker.com/r/linuxserver/code-server
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
  - https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: code-server
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
  - name: cloudflared
    alias: cloudflared
    repository: http://alexlebens.github.io/helm-charts
    version: 1.13.0
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/code-server.png
 appVersion: 4.96.1
--- a/clusters/standby/applications/code-server/templates/external-secret.yaml
+++ b/clusters/standby/applications/code-server/templates/external-secret.yaml
@@ -1,55 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: codeserver-password-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: codeserver-password-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/code-server/auth
        metadataPolicy: None
        property: PASSWORD
    - secretKey: SUDO_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/code-server/auth
        metadataPolicy: None
        property: SUDO_PASSWORD
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: code-server-cloudflared-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: code-server-cloudflared-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: cf-tunnel-token
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cloudflare/tunnels/codeserver
        metadataPolicy: None
        property: token
--- a/clusters/standby/applications/code-server/templates/persistent-volume-claim.yaml
+++ b/clusters/standby/applications/code-server/templates/persistent-volume-claim.yaml
@@ -1,19 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: code-server-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: code-server-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeMode: Filesystem
  storageClassName: nfs-client
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/clusters/standby/applications/code-server/values.yaml
+++ b/clusters/standby/applications/code-server/values.yaml
@@ -1,49 +0,0 @@
 code-server:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: ghcr.io/linuxserver/code-server
            tag: 4.96.4@sha256:11f009e81643d28f4527e3aa23f64bcd672be5ec2046be46c84755c82b5ad471
            pullPolicy: IfNotPresent
          env:
            - name: TZ
              value: US/Central
            - name: PUID
              value: 1000
            - name: PGID
              value: 1000
            - name: DEFAULT_WORKSPACE
              value: /config
          envFrom:
            - secretRef:
                name: codeserver-password-secret
          resources:
            requests:
              cpu: 10m
              memory: 128Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 8443
          targetPort: 8443
          protocol: HTTP
  persistence:
    config:
      existingClaim: code-server-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /config
              readOnly: false
 cloudflared:
  existingSecretName: code-server-cloudflared-secret
--- a/clusters/standby/applications/directus/Chart.yaml
+++ b/clusters/standby/applications/directus/Chart.yaml
@@ -1,44 +0,0 @@
 apiVersion: v2
 name: directus
 version: 1.0.0
 description: Directus
 keywords:
  - directus
  - cms
 home: https://wiki.alexlebens.dev/doc/directus-EvV9wese9H
 sources:
  - https://github.com/directus/directus
  - https://github.com/minio/operator
  - https://github.com/valkey-io/valkey
  - https://github.com/cloudflare/cloudflared
  - https://github.com/cloudnative-pg/cloudnative-pg
  - https://hub.docker.com/r/directus/directus
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
  - https://github.com/minio/operator/tree/master/helm/tenant
  - https://github.com/bitnami/charts/tree/main/bitnami/valkey
  - https://github.com/alexlebens/helm-charts/charts/cloudflared
  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: directus
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
  - name: tenant
    alias: minio
    version: 7.0.0
    repository: https://operator.min.io/
  - name: valkey
    version: 2.2.3
    repository: https://charts.bitnami.com/bitnami
  - name: cloudflared
    alias: cloudflared-directus
    repository: http://alexlebens.github.io/helm-charts
    version: 1.13.0
  - name: postgres-cluster
    alias: postgres-17-cluster
    version: 4.1.4
    repository: http://alexlebens.github.io/helm-charts
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/directus.png
 appVersion: 11.3.2
--- a/clusters/standby/applications/directus/templates/external-secret.yaml
+++ b/clusters/standby/applications/directus/templates/external-secret.yaml
@@ -1,272 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: directus-config
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-config
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: admin-email
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/directus/config
        metadataPolicy: None
        property: admin-email
    - secretKey: admin-password
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/directus/config
        metadataPolicy: None
        property: admin-password
    - secretKey: secret
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/directus/config
        metadataPolicy: None
        property: secret
    - secretKey: key
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/directus/config
        metadataPolicy: None
        property: key
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: directus-valkey-config
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-valkey-config
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: user
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/directus/valkey
        metadataPolicy: None
        property: user
    - secretKey: password
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/directus/valkey
        metadataPolicy: None
        property: password
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: directus-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-oidc-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: OIDC_CLIENT_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /authentik/oidc/directus
        metadataPolicy: None
        property: client
    - secretKey: OIDC_CLIENT_SECRET
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /authentik/oidc/directus
        metadataPolicy: None
        property: secret
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: directus-minio-user-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-minio-user-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/directus/minio/auth
        metadataPolicy: None
        property: AWS_ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/directus/minio/auth
        metadataPolicy: None
        property: AWS_SECRET_ACCESS_KEY
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: directus-minio-root-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-minio-root-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: config.env
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/directus/minio/config
        metadataPolicy: None
        property: root-config.env
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: directus-minio-config-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-minio-config-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: config.env
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/directus/minio/config
        metadataPolicy: None
        property: config.env
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: directus-cloudflared-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-cloudflared-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: cf-tunnel-token
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cloudflare/tunnels/directus
        metadataPolicy: None
        property: token
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: directus-minio-cloudflared-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-minio-cloudflared-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: cf-tunnel-token
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cloudflare/tunnels/directus-minio
        metadataPolicy: None
        property: token
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: directus-postgresql-17-cluster-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: access
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: secret
--- a/clusters/standby/applications/directus/values.yaml
+++ b/clusters/standby/applications/directus/values.yaml
@@ -1,205 +0,0 @@
 directus:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: directus/directus
            tag: 11.4.1
            pullPolicy: IfNotPresent
          env:
            - name: PUBLIC_URL
              value: https://directus.alexlebens.dev
            - name: WEBSOCKETS_ENABLED
              value: true
            - name: ADMIN_EMAIL
              valueFrom:
                secretKeyRef:
                  name: directus-config
                  key: admin-email
            - name: ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: directus-config
                  key: admin-password
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: directus-config
                  key: secret
            - name: KEY
              valueFrom:
                secretKeyRef:
                  name: directus-config
                  key: key
            - name: DB_CLIENT
              value: postgres
            - name: DB_HOST
              valueFrom:
                secretKeyRef:
                  name: directus-postgresql-17-cluster-app
                  key: host
            - name: DB_DATABASE
              valueFrom:
                secretKeyRef:
                  name: directus-postgresql-17-cluster-app
                  key: dbname
            - name: DB_PORT
              valueFrom:
                secretKeyRef:
                  name: directus-postgresql-17-cluster-app
                  key: port
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: directus-postgresql-17-cluster-app
                  key: user
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: directus-postgresql-17-cluster-app
                  key: password
            - name: REDIS_ENABLED
              value: true
            - name: REDIS_HOST
              value: directus-valkey-primary
            - name: REDIS_PORT
              value: 6379
            - name: REDIS_USERNAME
              valueFrom:
                secretKeyRef:
                  name: directus-valkey-config
                  key: user
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: directus-valkey-config
                  key: password
            - name: STORAGE_LOCATIONS
              value: s3
            - name: STORAGE_S3_DRIVER
              value: s3
            - name: STORAGE_S3_KEY
              valueFrom:
                secretKeyRef:
                  name: directus-minio-user-secret
                  key: AWS_ACCESS_KEY_ID
            - name: STORAGE_S3_SECRET
              valueFrom:
                secretKeyRef:
                  name: directus-minio-user-secret
                  key: AWS_SECRET_ACCESS_KEY
            - name: STORAGE_S3_BUCKET
              value: directus
            - name: STORAGE_S3_REGION
              value: us-east-1
            - name: STORAGE_S3_ENDPOINT
              value: http://minio.directus:80
            - name: STORAGE_S3_FORCE_PATH_STYLE
              value: "true"
            - name: AUTH_PROVIDERS
              value: AUTHENTIK
            - name: AUTH_AUTHENTIK_DRIVER
              value: openid
            - name: AUTH_AUTHENTIK_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: directus-oidc-secret
                  key: OIDC_CLIENT_ID
            - name: AUTH_AUTHENTIK_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: directus-oidc-secret
                  key: OIDC_CLIENT_SECRET
            - name: AUTH_AUTHENTIK_SCOPE
              value: openid profile email
            - name: AUTH_AUTHENTIK_ISSUER_URL
              value: https://auth.alexlebens.dev/application/o/directus/.well-known/openid-configuration
            - name: AUTH_AUTHENTIK_IDENTIFIER_KEY
              value: email
            - name: AUTH_AUTHENTIK_ALLOW_PUBLIC_REGISTRATION
              value: true
            - name: AUTH_AUTHENTIK_LABEL
              value: Authentik Login
            - name: TELEMETRY
              value: false
          resources:
            requests:
              cpu: 10m
              memory: 256Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 8055
          protocol: TCP
 minio:
  existingSecret:
    name: directus-minio-root-secret
  tenant:
    name: minio-directus
    configuration:
      name: directus-minio-config-secret
    pools:
      - servers: 3
        name: pool
        volumesPerServer: 2
        size: 10Gi
        storageClassName: ceph-block
    mountPath: /export
    subPath: /data
    metrics:
      enabled: true
      port: 9000
      protocol: http
    certificate:
      requestAutoCert: false
  ingress:
    console:
      enabled: true
      ingressClassName: tailscale
      tls:
        - secretName: minio-directus-cl01tl
          hosts:
            - minio-directus-cl01tl
      host: minio-directus-cl01tl
      path: /
      pathType: Prefix
 valkey:
  architecture: standalone
  auth:
    enabled: true
    existingSecret: directus-valkey-config
    existingSecretPasswordKey: password
  primary:
    persistence:
      enabled: false
  replica:
    persistence:
      enabled: false
 cloudflared-directus:
  name: cloudflared-directus
  existingSecretName: directus-cloudflared-secret
 postgres-17-cluster:
  mode: standalone
  cluster:
    walStorage:
      storageClass: local-path
    storage:
      storageClass: local-path
    monitoring:
      enabled: true
  backup:
    enabled: true
    endpointURL: https://nyc3.digitaloceanspaces.com
    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/directus/directus-postgresql-17-cluster
    endpointCredentials: directus-postgresql-17-cluster-backup-secret
    backupIndex: 1
--- a/clusters/standby/applications/element-web/Chart.yaml
+++ b/clusters/standby/applications/element-web/Chart.yaml
@@ -1,27 +0,0 @@
 apiVersion: v2
 name: element-web
 version: 1.0.0
 description: Element Web
 keywords:
  - element-web
  - chat
  - matrix
 home: https://wiki.alexlebens.dev/doc/element-web-R4dzXXspgr
 sources:
  - https://github.com/element-hq/element-web
  - https://github.com/cloudflare/cloudflared
  - https://hub.docker.com/r/vectorim/element-web
  - https://gitlab.com/ananace/charts/-/tree/master/charts/element-web
  - https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
 maintainers:
  - name: alexlebens
 dependencies:
  - name: element-web
    version: 1.4.2
    repository: https://ananace.gitlab.io/charts
  - name: cloudflared
    alias: cloudflared
    repository: http://alexlebens.github.io/helm-charts
    version: 1.13.0
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/element.png
 appVersion: v1.11.88
--- a/clusters/standby/applications/element-web/templates/external-secret.yaml
+++ b/clusters/standby/applications/element-web/templates/external-secret.yaml
@@ -1,23 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: element-web-cloudflared-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: element-web-cloudflared-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: cf-tunnel-token
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cloudflare/tunnels/element
        metadataPolicy: None
        property: token
--- a/clusters/standby/applications/element-web/values.yaml
+++ b/clusters/standby/applications/element-web/values.yaml
@@ -1,28 +0,0 @@
 element-web:
  replicaCount: 1
  image:
    repository: vectorim/element-web
    tag: v1.11.92
    pullPolicy: IfNotPresent
  defaultServer:
    url: https://matrix.alexlebens.dev
    name: alexlebens.dev
    identity_url: https://alexlebens.dev
  config:
    disable_3pid_login: true
    brand: "Alex Lebens"
    branding:
      welcome_background_url: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/background-2.jpg
      auth_header_logo_url: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/icon_white.png
    sso_redirect_options:
      immediate: true
    default_theme: dark
    default_country_code: US
  ingress:
    enabled: false
  resources:
    requests:
      cpu: 10m
      memory: 128Mi
 cloudflared:
  existingSecretName: element-web-cloudflared-secret
--- a/clusters/standby/applications/freshrss/Chart.yaml
+++ b/clusters/standby/applications/freshrss/Chart.yaml
@@ -1,33 +0,0 @@
 apiVersion: v2
 name: freshrss
 version: 1.0.0
 description: FreshRSS
 keywords:
  - freshrss
  - rss
 home: https://wiki.alexlebens.dev/doc/freshrss-W6nFVTmKJw
 sources:
  - https://github.com/FreshRSS/FreshRSS
  - https://github.com/cloudflare/cloudflared
  - https://github.com/cloudnative-pg/cloudnative-pg
  - https://hub.docker.com/r/freshrss/freshrss
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
  - https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
  - https://github.com/alexlebens/helm-charts/tree/main/charts/postgres-cluster
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: freshrss
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
  - name: cloudflared
    alias: cloudflared
    repository: http://alexlebens.github.io/helm-charts
    version: 1.13.0
  - name: postgres-cluster
    alias: postgres-17-cluster
    version: 4.1.4
    repository: http://alexlebens.github.io/helm-charts
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/freshrss.png
 appVersion: 1.24.3
--- a/clusters/standby/applications/freshrss/templates/external-secret.yaml
+++ b/clusters/standby/applications/freshrss/templates/external-secret.yaml
@@ -1,192 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: freshrss-install-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: freshrss-install-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ADMIN_EMAIL
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/freshrss/config
        metadataPolicy: None
        property: ADMIN_EMAIL
    - secretKey: ADMIN_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/freshrss/config
        metadataPolicy: None
        property: ADMIN_PASSWORD
    - secretKey: ADMIN_API_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/freshrss/config
        metadataPolicy: None
        property: ADMIN_API_PASSWORD
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: freshrss-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: OIDC_CLIENT_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /authentik/oidc/freshrss
        metadataPolicy: None
        property: client
    - secretKey: OIDC_CLIENT_SECRET
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /authentik/oidc/freshrss
        metadataPolicy: None
        property: secret
    - secretKey: OIDC_CLIENT_CRYPTO_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /authentik/oidc/freshrss
        metadataPolicy: None
        property: crypto-key
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: freshrss-cloudflared-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: freshrss-cloudflared-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: cf-tunnel-token
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cloudflare/tunnels/freshrss
        metadataPolicy: None
        property: token
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: freshrss-data-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: freshrss-data-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/freshrss/freshrss-data"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: freshrss-postgresql-17-cluster-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: freshrss-postgresql-17-cluster-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: access
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: secret
--- a/clusters/standby/applications/freshrss/templates/replication-source.yaml
+++ b/clusters/standby/applications/freshrss/templates/replication-source.yaml
@@ -1,37 +0,0 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: freshrss-data-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: freshrss-data-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: freshrss-data
  trigger:
    schedule: 0 0 */3 * *
  restic:
    pruneIntervalDays: 14
    repository: freshrss-data-backup-secret
    retain:
      hourly: 1
      daily: 1
      weekly: 1
      monthly: 2
      yearly: 4
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
      fsGroupChangePolicy: OnRootMismatch
      supplementalGroups:
        - 44
        - 100
        - 109
        - 65539
    copyMethod: Snapshot
    storageClassName: ceph-block-delete
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/standby/applications/freshrss/values.yaml
+++ b/clusters/standby/applications/freshrss/values.yaml
@@ -1,132 +0,0 @@
 freshrss:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: freshrss/freshrss
            tag: 1.25.0
            pullPolicy: IfNotPresent
          env:
            - name: PGID
              value: "568"
            - name: PUID
              value: "568"
            - name: TZ
              value: US/Central
            - name: FRESHRSS_ENV
              value: production
            - name: CRON_MIN
              value: 13,43
            - name: BASE_URL
              value: https://rss.alexlebens.dev
            - name: DB_HOST
              valueFrom:
                secretKeyRef:
                  name: freshrss-postgresql-17-cluster-app
                  key: host
            - name: DB_BASE
              valueFrom:
                secretKeyRef:
                  name: freshrss-postgresql-17-cluster-app
                  key: dbname
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: freshrss-postgresql-17-cluster-app
                  key: user
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: freshrss-postgresql-17-cluster-app
                  key: password
            - name: FRESHRSS_INSTALL
              value: |
                --api-enabled
                --base-url $(BASE_URL)
                --db-base $(DB_BASE)
                --db-host $(DB_HOST)
                --db-password $(DB_PASSWORD)
                --db-type pgsql
                --db-user $(DB_USER)
                --auth-type http_auth
                --default-user admin
                --language en
            - name: FRESHRSS_USER
              value: |
                --api-password $(ADMIN_API_PASSWORD)
                --email $(ADMIN_EMAIL)
                --language en
                --password $(ADMIN_PASSWORD)
                --user admin
            - name: OIDC_ENABLED
              value: 1
            - name: OIDC_PROVIDER_METADATA_URL
              value: https://auth.alexlebens.dev/application/o/freshrss/.well-known/openid-configuration
            - name: OIDC_X_FORWARDED_HEADERS
              value: X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host
            - name: OIDC_SCOPES
              value: openid email profile
            - name: OIDC_REMOTE_USER_CLAIM
              value: preferred_username
          envFrom:
            - secretRef:
                name: freshrss-oidc-secret
            - secretRef:
                name: freshrss-install-secret
          resources:
            requests:
              cpu: 10m
              memory: 128Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 80
          protocol: HTTP
  persistence:
    data:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 5Gi
      retain: true
      advancedMounts:
        main:
          main:
            - path: /var/www/FreshRSS/data
              readOnly: false
    extensions:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 1Gi
      retain: true
      advancedMounts:
        main:
          main:
            - path: /var/www/FreshRSS/extensions
              readOnly: false
 cloudflared:
  existingSecretName: freshrss-cloudflared-secret
 postgres-17-cluster:
  mode: standalone
  cluster:
    walStorage:
      storageClass: local-path
    storage:
      storageClass: local-path
    monitoring:
      enabled: true
  backup:
    enabled: true
    endpointURL: https://nyc3.digitaloceanspaces.com
    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/freshrss/freshrss-postgresql-17-cluster
    endpointCredentials: freshrss-postgresql-17-cluster-backup-secret
    backupIndex: 1
--- a/clusters/standby/applications/hoarder/Chart.yaml
+++ b/clusters/standby/applications/hoarder/Chart.yaml
@@ -1,32 +0,0 @@
 apiVersion: v2
 name: hoarder
 version: 1.0.0
 description: Hoarder
 keywords:
  - hoarder
  - bookmarks
 home: https://wiki.alexlebens.dev/doc/hoarder-
 sources:
  - https://github.com/hoarder-app/hoarder
  - https://github.com/cloudflare/cloudflared
  - https://github.com/meilisearch/meilisearch
  - https://github.com/hoarder-app/hoarder/pkgs/container/hoarder
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
  - https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
  - https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: hoarder
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
  - name: meilisearch
    version: 0.11.0
    repository: https://meilisearch.github.io/meilisearch-kubernetes
  - name: cloudflared
    alias: cloudflared
    repository: http://alexlebens.github.io/helm-charts
    version: 1.13.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/svg/hoarder.svg
 appVersion: 0.19.0
--- a/clusters/standby/applications/hoarder/templates/external-secret.yaml
+++ b/clusters/standby/applications/hoarder/templates/external-secret.yaml
@@ -1,164 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: hoarder-key-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: hoarder-key-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: key
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/hoarder/key
        metadataPolicy: None
        property: key
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: hoarder-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: hoarder-oidc-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: AUTHENTIK_CLIENT_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /authentik/oidc/hoarder
        metadataPolicy: None
        property: client
    - secretKey: AUTHENTIK_CLIENT_SECRET
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /authentik/oidc/hoarder
        metadataPolicy: None
        property: secret
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: hoarder-meilisearch-master-key-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: hoarder-meilisearch-master-key-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: meilisearch
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: MEILI_MASTER_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/hoarder/meilisearch
        metadataPolicy: None
        property: MEILI_MASTER_KEY
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: hoarder-cloudflared-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: hoarder-cloudflared-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: cf-tunnel-token
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cloudflare/tunnels/hoarder
        metadataPolicy: None
        property: token
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: hoarder-data-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: hoarder-data-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/hoarder/hoarder-data"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
--- a/clusters/standby/applications/hoarder/templates/replication-source.yaml
+++ b/clusters/standby/applications/hoarder/templates/replication-source.yaml
@@ -1,27 +0,0 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: hoarder-data-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: hoarder-data-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: hoarder-data
  trigger:
    schedule: 0 0 */3 * *
  restic:
    pruneIntervalDays: 14
    repository: hoarder-data-backup-secret
    retain:
      hourly: 1
      daily: 1
      weekly: 1
      monthly: 2
      yearly: 4
    copyMethod: Snapshot
    storageClassName: ceph-block-delete
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/standby/applications/hoarder/values.yaml
+++ b/clusters/standby/applications/hoarder/values.yaml
@@ -1,128 +0,0 @@
 hoarder:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: ghcr.io/hoarder-app/hoarder
            tag: 0.22.0
            pullPolicy: IfNotPresent
          env:
            - name: DATA_DIR
              value: /data
            - name: NEXTAUTH_URL
              value: https://hoarder.alexlebens.dev/
            - name: NEXTAUTH_SECRET
              valueFrom:
                secretKeyRef:
                  name: hoarder-key-secret
                  key: key
            - name: MEILI_ADDR
              value: http://hoarder-meilisearch.hoarder:7700
            - name: MEILI_MASTER_KEY
              valueFrom:
                secretKeyRef:
                  name: hoarder-meilisearch-master-key-secret
                  key: MEILI_MASTER_KEY
            - name: BROWSER_WEB_URL
              value: http://hoarder.hoarder:9222
            - name: DISABLE_SIGNUPS
              value: true
            - name: OAUTH_PROVIDER_NAME
              value: "Authentik"
            - name: OAUTH_WELLKNOWN_URL
              value: https://auth.alexlebens.dev/application/o/hoarder/.well-known/openid-configuration
            - name: OAUTH_SCOPE
              value: "openid email profile"
            - name: OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: hoarder-oidc-secret
                  key: AUTHENTIK_CLIENT_ID
            - name: OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: hoarder-oidc-secret
                  key: AUTHENTIK_CLIENT_SECRET
            - name: OLLAMA_BASE_URL
              value: http://ollama-server-1.ollama:11434
            - name: OLLAMA_KEEP_ALIVE
              value: 5m
            - name: INFERENCE_TEXT_MODEL
              value: llama3.1:8b
            - name: INFERENCE_IMAGE_MODEL
              value: llama3.2-vision:11b
            - name: EMBEDDING_TEXT_MODEL
              value: mxbai-embed-large
            - name: INFERENCE_JOB_TIMEOUT_SEC
              value: 720
          resources:
            requests:
              cpu: 10m
              memory: 256Mi
        chrome:
          image:
            repository: gcr.io/zenika-hub/alpine-chrome
            tag: 124
            pullPolicy: IfNotPresent
          args:
            - --no-sandbox
            - --disable-gpu
            - --disable-dev-shm-usage
            - --remote-debugging-address=0.0.0.0
            - --remote-debugging-port=9222
            - --hide-scrollbars
          resources:
            requests:
              cpu: 10m
              memory: 128Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 3000
          targetPort: 3000
          protocol: HTTP
        chrome:
          port: 9222
          targetPort: 9222
          protocol: HTTP
  persistence:
    data:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 10Gi
      retain: true
      advancedMounts:
        main:
          main:
            - path: /data
              readOnly: false
 meilisearch:
  environment:
    MEILI_NO_ANALYTICS: true
    MEILI_ENV: production
  auth:
    existingMasterKeySecret: hoarder-meilisearch-master-key-secret
  service:
    type: ClusterIP
    port: 7700
  persistence:
    enabled: true
    storageClass: ceph-block
    size: 10Gi
  resources:
    requests:
      cpu: 10m
      memory: 128Mi
  serviceMonitor:
    enabled: true
 cloudflared:
  existingSecretName: hoarder-cloudflared-secret
--- a/clusters/standby/applications/immich/Chart.yaml
+++ b/clusters/standby/applications/immich/Chart.yaml
@@ -1,31 +0,0 @@
 apiVersion: v2
 name: immich
 version: 1.0.0
 description: Immich
 keywords:
  - immich
  - photos
 home: https://wiki.alexlebens.dev/doc/immich-AVxvAWeWQ5
 sources:
  - https://github.com/immich-app/immich
  - https://github.com/valkey-io/valkey
  - https://github.com/cloudnative-pg/cloudnative-pg
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
  - https://github.com/bitnami/charts/tree/main/bitnami/valkey
  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: immich
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
  - name: valkey
    version: 2.2.3
    repository: https://charts.bitnami.com/bitnami
  - name: postgres-cluster
    alias: postgres-16-cluster
    version: 4.1.4
    repository: http://alexlebens.github.io/helm-charts
 icon: https://raw.githubusercontent.com/immich-app/immich/main/design/immich-logo.svg
 appVersion: v1.123.0
--- a/clusters/standby/applications/immich/templates/external-secrets.yaml
+++ b/clusters/standby/applications/immich/templates/external-secrets.yaml
@@ -1,55 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: immich-config-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: immich-config-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: config
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: immich-config.yaml
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/immich/config
        metadataPolicy: None
        property: immich-config.yaml
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: immich-postgresql-16-cluster-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: immich-postgresql-16-cluster-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: access
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: secret
--- a/clusters/standby/applications/immich/templates/persistent-volume-claim.yaml
+++ b/clusters/standby/applications/immich/templates/persistent-volume-claim.yaml
@@ -1,19 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: immich-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: immich-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: immich-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/standby/applications/immich/templates/persistent-volume.yaml
+++ b/clusters/standby/applications/immich/templates/persistent-volume.yaml
@@ -1,25 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: immich-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: immich-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage/Immich
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
--- a/clusters/standby/applications/immich/templates/service-monitor.yaml
+++ b/clusters/standby/applications/immich/templates/service-monitor.yaml
@@ -1,25 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: immich
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: immich
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: metrics
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: immich
      app.kubernetes.io/instance: {{ .Release.Name }}
  endpoints:
    - port: metrics-api
      interval: 3m
      scrapeTimeout: 1m
      path: /metrics
    - port: metrics-ms
      interval: 3m
      scrapeTimeout: 1m
      path: /metrics
--- a/clusters/standby/applications/immich/values.yaml
+++ b/clusters/standby/applications/immich/values.yaml
@@ -1,250 +0,0 @@
 immich:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: ghcr.io/immich-app/immich-server
            tag: v1.125.7
            pullPolicy: IfNotPresent
          env:
            - name: TZ
              value: US/Central
            - name: IMMICH_TELEMETRY_INCLUDE
              value: all
            - name: IMMICH_CONFIG_FILE
              value: /config/immich-config.yaml
            - name: IMMICH_MACHINE_LEARNING_URL
              value: http://immich-machine-learning.immich:3003
            - name: REDIS_HOSTNAME
              value: immich-valkey-primary
            - name: DB_VECTOR_EXTENSION
              value: pgvecto.rs
            - name: DB_HOSTNAME
              valueFrom:
                secretKeyRef:
                  name: immich-postgresql-16-cluster-app
                  key: host
            - name: DB_DATABASE_NAME
              valueFrom:
                secretKeyRef:
                  name: immich-postgresql-16-cluster-app
                  key: dbname
            - name: DB_PORT
              valueFrom:
                secretKeyRef:
                  name: immich-postgresql-16-cluster-app
                  key: port
            - name: DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: immich-postgresql-16-cluster-app
                  key: user
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: immich-postgresql-16-cluster-app
                  key: password
          probes:
            liveness:
              enabled: true
              custom: true
              spec:
                httpGet:
                  path: /api/server/ping
                  port: 2283
                initialDelaySeconds: 0
                periodSeconds: 10
                timeoutSeconds: 1
                failureThreshold: 3
            readiness:
              enabled: true
              custom: true
              spec:
                httpGet:
                  path: /api/server/ping
                  port: 2283
                initialDelaySeconds: 0
                periodSeconds: 10
                timeoutSeconds: 1
                failureThreshold: 3
            startup:
              enabled: true
              custom: true
              spec:
                httpGet:
                  path: /api/server/ping
                  port: 2283
                initialDelaySeconds: 0
                periodSeconds: 10
                timeoutSeconds: 1
                failureThreshold: 30
          resources:
            requests:
              gpu.intel.com/i915: 1
              cpu: 10m
              memory: 512Mi
            limits:
              gpu.intel.com/i915: 1
              cpu: 2
    machine-learning:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: ghcr.io/immich-app/immich-machine-learning
            tag: v1.125.7
            pullPolicy: IfNotPresent
          env:
            - name: TRANSFORMERS_CACHE
              value: /cache
          probes:
            liveness:
              enabled: true
              custom: true
              spec:
                httpGet:
                  path: /ping
                  port: 3003
                initialDelaySeconds: 0
                periodSeconds: 10
                timeoutSeconds: 1
                failureThreshold: 3
            readiness:
              enabled: true
              custom: true
              spec:
                httpGet:
                  path: /ping
                  port: 3003
                initialDelaySeconds: 0
                periodSeconds: 10
                timeoutSeconds: 1
                failureThreshold: 3
            startup:
              enabled: false
          resources:
            requests:
              gpu.intel.com/i915: 1
              cpu: 10m
              memory: 256Mi
            limits:
              gpu.intel.com/i915: 1
              cpu: 8
              memory: 10Gi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 2283
          targetPort: 2283
          protocol: TCP
        metrics-api:
          port: 8081
          targetPort: 8081
          protocol: TCP
        metrics-ms:
          port: 8082
          targetPort: 8082
          protocol: TCP
    machine-learning:
      controller: machine-learning
      ports:
        http:
          port: 3003
          targetPort: 3003
          protocol: TCP
  ingress:
    main:
      enabled: true
      className: tailscale
      hosts:
        - host: immich-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: immich-main
                port: 2283
      tls:
        - hosts:
            - immich-cl01tl
  persistence:
    config:
      enabled: true
      type: secret
      name: immich-config-secret
      advancedMounts:
        main:
          main:
            - path: /config/immich-config.yaml
              readOnly: true
              mountPropagation: None
              subPath: immich-config.yaml
    media:
      existingClaim: immich-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /usr/src/app/upload
              readOnly: false
    cache:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 10Gi
      retain: true
      advancedMounts:
        machine-learning:
          main:
            - path: /cache
              readOnly: false
 valkey:
  architecture: standalone
  auth:
    enabled: false
  primary:
    persistence:
      enabled: false
  replica:
    persistence:
      enabled: false
 postgres-16-cluster:
  # Tensorchord
  #--- https://github.com/immich-app/immich/discussions/9060
  #--- https://docs.pgvecto.rs/admin/kubernetes.html
  #--- https://github.com/tensorchord/cloudnative-pgvecto.rs
  type: tensorchord
  mode: standalone
  cluster:
    image:
      repository: ghcr.io/tensorchord/cloudnative-pgvecto.rs
      tag: 16.3-v0.2.1
    walStorage:
      storageClass: local-path
    storage:
      storageClass: local-path
    resources:
      requests:
        memory: 384Mi
        cpu: 200m
    monitoring:
      enabled: true
    postgresql:
      parameters:
        shared_buffers: 256MB
  backup:
    enabled: true
    endpointURL: https://nyc3.digitaloceanspaces.com
    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/immich/immich-postgresql-16-cluster
    endpointCredentials: immich-postgresql-16-cluster-backup-secret
    backupIndex: 1
--- a/clusters/standby/applications/jellyfin/Chart.yaml
+++ b/clusters/standby/applications/jellyfin/Chart.yaml
@@ -1,27 +0,0 @@
 apiVersion: v2
 name: jellyfin
 version: 1.0.0
 description: Jellyfin
 keywords:
  - jellyfin
  - media
  - movies
  - tv shows
  - books
  - music
 home: https://wiki.alexlebens.dev/doc/jellyfin-li98lrEiuA
 sources:
  - https://github.com/jellyfin/jellyfin
  - https://github.com/jellyfin/jellyfin-vue
  - https://hub.docker.com/r/jellyfin/jellyfin
  - https://github.com/jellyfin/jellyfin-vue/pkgs/container/jellyfin-vue
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: jellyfin
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/jellyfin.png
 appVersion: 10.10.3
--- a/clusters/standby/applications/jellyfin/templates/external-secret.yaml
+++ b/clusters/standby/applications/jellyfin/templates/external-secret.yaml
@@ -1,57 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: jellyfin-config-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: jellyfin-config-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/jellyfin/jellyfin-config"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
--- a/clusters/standby/applications/jellyfin/templates/persistent-volume-claim.yaml
+++ b/clusters/standby/applications/jellyfin/templates/persistent-volume-claim.yaml
@@ -1,40 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: jellyfin-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: jellyfin-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: jellyfin-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: jellyfin-youtube-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: jellyfin-youtube-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: jellyfin-youtube-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadOnlyMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/standby/applications/jellyfin/templates/persistent-volume.yaml
+++ b/clusters/standby/applications/jellyfin/templates/persistent-volume.yaml
@@ -1,52 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: jellyfin-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: jellyfin-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: jellyfin-youtube-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: jellyfin-youtube-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadOnlyMany
  nfs:
    path: /volume2/Storage/YouTube
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
--- a/clusters/standby/applications/jellyfin/templates/replication-source.yaml
+++ b/clusters/standby/applications/jellyfin/templates/replication-source.yaml
@@ -1,27 +0,0 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: jellyfin-config-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: jellyfin-config-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: jellyfin-config
  trigger:
    schedule: 0 0 */3 * *
  restic:
    pruneIntervalDays: 14
    repository: jellyfin-config-backup-secret
    retain:
      hourly: 1
      daily: 1
      weekly: 1
      monthly: 2
      yearly: 4
    copyMethod: Snapshot
    storageClassName: ceph-block-delete
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/standby/applications/jellyfin/values.yaml
+++ b/clusters/standby/applications/jellyfin/values.yaml
@@ -1,124 +0,0 @@
 jellyfin:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: ghcr.io/jellyfin/jellyfin
            tag: 10.10.5
            pullPolicy: IfNotPresent
          env:
            - name: TZ
              value: US/Central
            - name: JELLYFIN_hostwebclient
              value: true
            - name: JELLYFIN_PublishedServerUrl
              value: https://jellyfin-cl01tl.boreal-beaufort.ts.net/
          resources:
            requests:
              gpu.intel.com/i915: 1
              cpu: 1
              memory: 2Gi
            limits:
              gpu.intel.com/i915: 1
              cpu: 4
    vue:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: ghcr.io/jellyfin/jellyfin-vue
            tag: unstable.2025-01-30.8e8cba9
            pullPolicy: IfNotPresent
          env:
            - name: TZ
              value: US/Central
          resources:
            requests:
              cpu: 10m
              memory: 128Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 8096
          protocol: HTTP
    vue:
      controller: vue
      ports:
        http:
          port: 80
          targetPort: 80
          protocol: HTTP
  ingress:
    tailscale-main:
      enabled: true
      className: tailscale
      hosts:
        - host: jellyfin-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: jellyfin-main
                port: 80
      tls:
        - hosts:
            - jellyfin-cl01tl
    tailscale-vue:
      enabled: true
      className: tailscale
      hosts:
        - host: jellyfin-vue-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: jellyfin-vue
                port: 80
      tls:
        - hosts:
            - jellyfin-vue-cl01tl
  persistence:
    config:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 60Gi
      retain: true
      advancedMounts:
        main:
          main:
            - path: /config
              readOnly: false
    cache:
      type: emptyDir
      advancedMounts:
        main:
          main:
            - path: /cache
              readOnly: false
    media:
      existingClaim: jellyfin-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /mnt/store
              readOnly: false
    youtube:
      existingClaim: jellyfin-youtube-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /mnt/youtube
              readOnly: true
--- a/clusters/standby/applications/jellystat/Chart.yaml
+++ b/clusters/standby/applications/jellystat/Chart.yaml
@@ -1,27 +0,0 @@
 apiVersion: v2
 name: jellystat
 version: 1.0.0
 description: Jellystat
 keywords:
  - jellystat
  - jellyfin
 home: https://wiki.alexlebens.dev/doc/jellystat-0FixP7GqGZ
 sources:
  - https://github.com/CyferShepard/Jellystat
  - https://github.com/cloudnative-pg/cloudnative-pg
  - https://hub.docker.com/r/cyfershepard/jellystat
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: jellystat
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
  - name: postgres-cluster
    alias: postgres-17-cluster
    version: 4.1.4
    repository: http://alexlebens.github.io/helm-charts
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/jellystat.png
 appVersion: 1.1.1
--- a/clusters/standby/applications/jellystat/templates/external-secret.yaml
+++ b/clusters/standby/applications/jellystat/templates/external-secret.yaml
@@ -1,128 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: jellystat-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: jellystat-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: secret-key
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/jellystat
        metadataPolicy: None
        property: secret-key
    - secretKey: user
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/jellystat
        metadataPolicy: None
        property: user
    - secretKey: password
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/jellystat
        metadataPolicy: None
        property: password
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: jellystat-data-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: jellystat-data-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/jellystat/jellystat-data"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: jellystat-postgresql-17-cluster-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: jellystat-postgresql-17-cluster-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: access
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: secret
--- a/clusters/standby/applications/jellystat/templates/replication-source.yaml
+++ b/clusters/standby/applications/jellystat/templates/replication-source.yaml
@@ -1,27 +0,0 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: jellystat-data-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: jellystat-data-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: jellystat-data
  trigger:
    schedule: 0 0 */3 * *
  restic:
    pruneIntervalDays: 14
    repository: jellystat-data-backup-secret
    retain:
      hourly: 1
      daily: 1
      weekly: 1
      monthly: 2
      yearly: 4
    copyMethod: Snapshot
    storageClassName: ceph-block-delete
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/standby/applications/jellystat/values.yaml
+++ b/clusters/standby/applications/jellystat/values.yaml
@@ -1,112 +0,0 @@
 jellystat:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: cyfershepard/jellystat
            tag: 1.1.3
            pullPolicy: IfNotPresent
          env:
            - name: TZ
              value: US/Central
            - name: JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: jellystat-secret
                  key: secret-key
            - name: JS_USER
              valueFrom:
                secretKeyRef:
                  name: jellystat-secret
                  key: user
            - name: JS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: jellystat-secret
                  key: password
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: jellystat-postgresql-17-cluster-app
                  key: username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: jellystat-postgresql-17-cluster-app
                  key: password
            - name: POSTGRES_DB
              valueFrom:
                secretKeyRef:
                  name: jellystat-postgresql-17-cluster-app
                  key: dbname
            - name: POSTGRES_IP
              valueFrom:
                secretKeyRef:
                  name: jellystat-postgresql-17-cluster-app
                  key: host
            - name: POSTGRES_PORT
              valueFrom:
                secretKeyRef:
                  name: jellystat-postgresql-17-cluster-app
                  key: port
          resources:
            requests:
              cpu: 10m
              memory: 256Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 3000
          targetPort: 3000
          protocol: HTTP
  ingress:
    tailscale:
      enabled: true
      className: tailscale
      hosts:
        - host: jellystat-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: jellystat
                port: 3000
      tls:
        - hosts:
            - jellystat-cl01tl
  persistence:
    data:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 5Gi
      retain: true
      advancedMounts:
        main:
          main:
            - path: /app/backend/backup-data
              readOnly: false
 postgres-17-cluster:
  mode: standalone
  cluster:
    walStorage:
      storageClass: local-path
    storage:
      storageClass: local-path
    monitoring:
      enabled: true
  backup:
    enabled: true
    endpointURL: https://nyc3.digitaloceanspaces.com
    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/jellystat/jellystat-postgresql-17-cluster
    endpointCredentials: jellystat-postgresql-17-cluster-backup-secret
    backupIndex: 1
    retentionPolicy: "7d"
--- a/clusters/standby/applications/lidarr2/Chart.yaml
+++ b/clusters/standby/applications/lidarr2/Chart.yaml
@@ -1,30 +0,0 @@
 apiVersion: v2
 name: lidarr2
 version: 1.0.0
 description: Lidarr
 keywords:
  - lidarr
  - servarr
  - music
  - metrics
 home: https://wiki.alexlebens.dev/doc/lidarr-BIqpxux60p
 sources:
  - https://github.com/Lidarr/Lidarr
  - https://github.com/linuxserver/docker-lidarr
  - https://github.com/cloudnative-pg/cloudnative-pg
  - https://github.com/onedr0p/exportarr/pkgs/container/exportarr
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: lidarr2
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
  - name: postgres-cluster
    alias: postgres-17-cluster
    version: 4.1.4
    repository: http://alexlebens.github.io/helm-charts
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/lidarr.png
 appVersion: 2.8.2
--- a/clusters/standby/applications/lidarr2/templates/external-secret.yaml
+++ b/clusters/standby/applications/lidarr2/templates/external-secret.yaml
@@ -1,89 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: lidarr2-config-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: lidarr2-config-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/lidarr2/lidarr2-config"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: lidarr2-postgresql-17-cluster-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: lidarr2-postgresql-17-cluster-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: access
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: secret
--- a/clusters/standby/applications/lidarr2/templates/persistent-volume-claim.yaml
+++ b/clusters/standby/applications/lidarr2/templates/persistent-volume-claim.yaml
@@ -1,19 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: lidarr2-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: lidarr2-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: lidarr2-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/standby/applications/lidarr2/templates/persistent-volume.yaml
+++ b/clusters/standby/applications/lidarr2/templates/persistent-volume.yaml
@@ -1,25 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: lidarr2-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: lidarr2-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
--- a/clusters/standby/applications/lidarr2/templates/prometheus-rule.yaml
+++ b/clusters/standby/applications/lidarr2/templates/prometheus-rule.yaml
@@ -1,34 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
  name: lidarr2
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: lidarr2
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: metrics
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  groups:
    - name: lidarr2
      rules:
        - alert: ExportarrAbsent
          annotations:
            description: Lidarr Exportarr has disappeared from Prometheus
              service discovery.
            summary: Exportarr is down.
          expr: |
            absent(up{job=~".*lidarr2.*"} == 1)
          for: 5m
          labels:
            severity: critical
        - alert: LidarrDown
          annotations:
            description: Lidarr service is down.
            summary: Lidarr is down.
          expr: |
            lidarr_system_status{job=~".*lidarr2.*"} == 0
          for: 5m
          labels:
            severity: critical
--- a/clusters/standby/applications/lidarr2/templates/replication-source.yaml
+++ b/clusters/standby/applications/lidarr2/templates/replication-source.yaml
@@ -1,30 +0,0 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: lidarr2-config-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: lidarr2-config-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: lidarr2-config
  trigger:
    schedule: 0 0 */3 * *
  restic:
    pruneIntervalDays: 14
    repository: lidarr2-config-backup-secret
    retain:
      hourly: 1
      daily: 1
      weekly: 1
      monthly: 2
      yearly: 4
    moverSecurityContext:
      runAsUser: 1000
      runAsGroup: 1000
    copyMethod: Snapshot
    storageClassName: ceph-block-delete
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/standby/applications/lidarr2/templates/service-monitor.yaml
+++ b/clusters/standby/applications/lidarr2/templates/service-monitor.yaml
@@ -1,21 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: lidarr2
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: lidarr2
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: metrics
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: lidarr2
      app.kubernetes.io/instance: {{ .Release.Name }}
  endpoints:
    - port: metrics
      interval: 3m
      scrapeTimeout: 1m
      path: /metrics
--- a/clusters/standby/applications/lidarr2/values.yaml
+++ b/clusters/standby/applications/lidarr2/values.yaml
@@ -1,143 +0,0 @@
 lidarr2:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      pod:
        securityContext:
          runAsUser: 1000
          runAsGroup: 1000
          fsGroup: 1000
          fsGroupChangePolicy: OnRootMismatch
      containers:
        main:
          image:
            repository: ghcr.io/linuxserver/lidarr
            tag: version-2.8.2.4493@sha256:108ecf0fcbd8f77b6e8a513be6f3446feb47666dd1b45ea360569e9aac0960e4
            pullPolicy: IfNotPresent
          env:
            - name: TZ
              value: US/Central
            - name: PUID
              value: 1000
            - name: PGID
              value: 1000
          probes:
            liveness:
              enabled: true
              custom: true
              spec:
                exec:
                  command:
                  - /usr/bin/env
                  - bash
                  - -c
                  - curl --fail localhost:8686/api/v1/system/status?apiKey=`IFS=\> && while
                    read -d \< E C; do if [[ $E = "ApiKey" ]]; then echo $C; fi; done < /config/config.xml`
                failureThreshold: 5
                initialDelaySeconds: 60
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 10
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
        metrics:
          image:
            repository: ghcr.io/onedr0p/exportarr
            tag: v2.0.1
            pullPolicy: IfNotPresent
          args: ["lidarr"]
          env:
            - name: URL
              value: http://localhost
            - name: CONFIG
              value: /config/config.xml
            - name: PORT
              value: 9792
            - name: ENABLE_ADDITIONAL_METRICS
              value: false
            - name: ENABLE_UNKNOWN_QUEUE_ITEMS
              value: false
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 8686
          protocol: HTTP
        metrics:
          port: 9792
          targetPort: 9792
          protocol: TCP
  ingress:
    tailscale:
      enabled: true
      className: tailscale
      hosts:
        - host: lidarr-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: lidarr2
                port: 80
      tls:
        - hosts:
            - lidarr-cl01tl
  persistence:
    config:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 10Gi
      retain: true
      advancedMounts:
        main:
          main:
            - path: /config
              readOnly: false
          metrics:
            - path: /config
              readOnly: true
    media:
      existingClaim: lidarr2-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /mnt/store
              readOnly: false
 postgres-17-cluster:
  mode: standalone
  cluster:
    walStorage:
      storageClass: local-path
    storage:
      storageClass: local-path
    resources:
      requests:
        memory: 1Gi
        cpu: 200m
    monitoring:
      enabled: true
  bootstrap:
    initdb:
      postInitSQL:
        - CREATE DATABASE "lidarr-main" OWNER "app";
        - CREATE DATABASE "lidarr-log" OWNER "app";
  backup:
    enabled: true
    endpointURL: https://nyc3.digitaloceanspaces.com
    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/lidarr2/lidarr2-postgresql-17-cluster
    endpointCredentials: lidarr2-postgresql-17-cluster-backup-secret
    backupIndex: 1
    retentionPolicy: "7d"
--- a/clusters/standby/applications/lidatube/Chart.yaml
+++ b/clusters/standby/applications/lidatube/Chart.yaml
@@ -1,22 +0,0 @@
 apiVersion: v2
 name: lidatube
 version: 1.0.0
 description: LidaTube
 keywords:
  - lidatube
  - music
  - yt-dlp
 home: https://wiki.alexlebens.dev/doc/lidatube-Rm5ioxwcaS
 sources:
  - https://github.com/TheWicklowWolf/LidaTube
  - https://registry.hub.docker.com/r/thewicklowwolf/lidatube
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: lidatube
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
 icon: https://raw.githubusercontent.com/TheWicklowWolf/LidaTube/main/src/static/lidatube.png
 appVersion: 0.2.9
--- a/clusters/standby/applications/lidatube/templates/external-secret.yaml
+++ b/clusters/standby/applications/lidatube/templates/external-secret.yaml
@@ -1,23 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: lidatube-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: lidatube-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: lidarr_api_key
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/lidarr2/key
        metadataPolicy: None
        property: key
--- a/clusters/standby/applications/lidatube/templates/persistent-volume-claim.yaml
+++ b/clusters/standby/applications/lidatube/templates/persistent-volume-claim.yaml
@@ -1,19 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: lidatube-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: lidatube-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: lidatube-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/standby/applications/lidatube/templates/persistent-volume.yaml
+++ b/clusters/standby/applications/lidatube/templates/persistent-volume.yaml
@@ -1,25 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: lidatube-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: lidatube-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage/Music
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
--- a/clusters/standby/applications/lidatube/values.yaml
+++ b/clusters/standby/applications/lidatube/values.yaml
@@ -1,82 +0,0 @@
 lidatube:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      pod:
        securityContext:
          fsGroup: 1000
          fsGroupChangePolicy: OnRootMismatch
      containers:
        main:
          image:
            repository: thewicklowwolf/lidatube
            tag: 0.2.15
            pullPolicy: IfNotPresent
          env:
            - name: PUID
              value: 1000
            - name: PGID
              value: 1000
            - name: lidarr_address
              value: http://lidarr2.lidarr2:80
            - name: lidarr_api_key
              valueFrom:
                secretKeyRef:
                  name: lidatube-secret
                  key: lidarr_api_key
            - name: sleep_interval
              value: 360
            - name: sync_schedule
              value: 4
            - name: attempt_lidarr_import
              value: true
          resources:
            requests:
              cpu: 10m
              memory: 128Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 5000
          protocol: HTTP
  ingress:
    tailscale:
      enabled: true
      className: tailscale
      hosts:
        - host: lidatube-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: lidatube
                port: 80
      tls:
        - hosts:
            - lidatube-cl01tl
  persistence:
    config:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 5Gi
      retain: true
      advancedMounts:
        main:
          main:
            - path: /lidatube/config
              readOnly: false
    music:
      existingClaim: lidatube-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /lidatube/downloads
              readOnly: false
--- a/clusters/standby/applications/outline/Chart.yaml
+++ b/clusters/standby/applications/outline/Chart.yaml
@@ -1,49 +0,0 @@
 apiVersion: v2
 name: outline
 version: 1.0.0
 description: Outline
 keywords:
  - outline
  - wiki
  - documentation
 home: https://wiki.alexlebens.dev/doc/outline-JOaS8Mn0Bt
 sources:
  - https://github.com/outline/outline
  - https://github.com/minio/operator
  - https://github.com/valkey-io/valkey
  - https://github.com/cloudflare/cloudflared
  - https://github.com/cloudnative-pg/cloudnative-pg
  - https://hub.docker.com/r/outlinewiki/outline
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
  - https://github.com/minio/operator/tree/master/helm/tenant
  - https://github.com/bitnami/charts/tree/main/bitnami/valkey
  - https://github.com/alexlebens/helm-charts/charts/cloudflared
  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: outline
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
  - name: tenant
    alias: minio
    version: 7.0.0
    repository: https://operator.min.io/
  - name: valkey
    version: 2.2.3
    repository: https://charts.bitnami.com/bitnami
  - name: cloudflared
    alias: cloudflared-outline
    repository: http://alexlebens.github.io/helm-charts
    version: 1.13.0
  - name: cloudflared
    alias: cloudflared-minio
    repository: http://alexlebens.github.io/helm-charts
    version: 1.13.0
  - name: postgres-cluster
    alias: postgres-17-cluster
    version: 4.1.4
    repository: http://alexlebens.github.io/helm-charts
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/outline.png
 appVersion: 0.81.1
--- a/clusters/standby/applications/outline/templates/external-secret.yaml
+++ b/clusters/standby/applications/outline/templates/external-secret.yaml
@@ -1,226 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: outline-key-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: outline-key-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: secret-key
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/outline/key
        metadataPolicy: None
        property: secret-key
    - secretKey: utils-key
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/outline/key
        metadataPolicy: None
        property: utils-key
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: outline-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: outline-oidc-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: client
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /authentik/oidc/outline
        metadataPolicy: None
        property: client
    - secretKey: secret
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /authentik/oidc/outline
        metadataPolicy: None
        property: secret
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: outline-minio-user-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: outline-minio-user-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/outline/minio/auth
        metadataPolicy: None
        property: AWS_ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/outline/minio/auth
        metadataPolicy: None
        property: AWS_SECRET_ACCESS_KEY
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: outline-minio-root-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: outline-minio-root-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: config.env
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/outline/minio/config
        metadataPolicy: None
        property: root-config.env
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: outline-cloudflared-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: outline-cloudflared-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: cf-tunnel-token
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cloudflare/tunnels/outline
        metadataPolicy: None
        property: token
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: outline-minio-cloudflared-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: outline-cloudflared-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: cf-tunnel-token
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cloudflare/tunnels/outline-minio
        metadataPolicy: None
        property: token
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: outline-minio-config-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: outline-minio-config-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: config.env
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/outline/minio/config
        metadataPolicy: None
        property: config.env
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: outline-postgresql-17-cluster-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: outline-postgresql-17-cluster-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: access
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: secret
--- a/clusters/standby/applications/outline/values.yaml
+++ b/clusters/standby/applications/outline/values.yaml
@@ -1,208 +0,0 @@
 outline:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: outlinewiki/outline
            tag: 0.81.1
            pullPolicy: IfNotPresent
          env:
            - name: NODE_ENV
              value: production
            - name: URL
              value: https://wiki.alexlebens.dev
            - name: PORT
              value: 3000
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: outline-key-secret
                  key: secret-key
            - name: UTILS_SECRET
              valueFrom:
                secretKeyRef:
                  name: outline-key-secret
                  key: utils-key
            - name: POSTGRES_USERNAME
              valueFrom:
                secretKeyRef:
                  name: outline-postgresql-17-cluster-app
                  key: username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: outline-postgresql-17-cluster-app
                  key: password
            - name: POSTGRES_DATABASE_NAME
              valueFrom:
                secretKeyRef:
                  name: outline-postgresql-17-cluster-app
                  key: dbname
            - name: POSTGRES_DATABASE_HOST
              valueFrom:
                secretKeyRef:
                  name: outline-postgresql-17-cluster-app
                  key: host
            - name: POSTGRES_DATABASE_PORT
              valueFrom:
                secretKeyRef:
                  name: outline-postgresql-17-cluster-app
                  key: port
            - name: DATABASE_URL
              value: postgres://$(POSTGRES_USERNAME):$(POSTGRES_PASSWORD)@$(POSTGRES_DATABASE_HOST):$(POSTGRES_DATABASE_PORT)/$(POSTGRES_DATABASE_NAME)
            - name: DATABASE_URL_TEST
              value: postgres://$(POSTGRES_USERNAME):$(POSTGRES_PASSWORD)@$(POSTGRES_DATABASE_HOST):$(POSTGRES_DATABASE_PORT)/$(POSTGRES_DATABASE_NAME)-test
            - name: DATABASE_CONNECTION_POOL_MIN
              value: "2"
            - name: DATABASE_CONNECTION_POOL_MAX
              value: "20"
            - name: PGSSLMODE
              value: disable
            - name: REDIS_URL
              value: redis://outline-valkey-primary.outline:6379
            - name: FILE_STORAGE
              value: s3
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: outline-minio-user-secret
                  key: AWS_ACCESS_KEY_ID
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: outline-minio-user-secret
                  key: AWS_SECRET_ACCESS_KEY
            - name: AWS_REGION
              value: us-east-1
            - name: AWS_S3_UPLOAD_BUCKET_NAME
              value: outline
            - name: AWS_S3_UPLOAD_BUCKET_URL
              value: https://outline-storage.alexlebens.dev/outline
            - name: AWS_S3_ACCELERATE_URL
              value: https://outline-storage.alexlebens.dev/outline
            - name: AWS_S3_FORCE_PATH_STYLE
              value: false
            - name: AWS_S3_ACL
              value: private
            - name: FILE_STORAGE_UPLOAD_MAX_SIZE
              value: "26214400"
            - name: FORCE_HTTPS
              value: false
            - name: ENABLE_UPDATES
              value: false
            - name: WEB_CONCURRENCY
              value: 1
            - name: FILE_STORAGE_IMPORT_MAX_SIZE
              value: 5120000
            - name: LOG_LEVEL
              value: info
            - name: DEFAULT_LANGUAGE
              value: en_US
            - name: RATE_LIMITER_ENABLED
              value: false
            - name: DEVELOPMENT_UNSAFE_INLINE_CSP
              value: false
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: outline-oidc-secret
                  key: client
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: outline-oidc-secret
                  key: secret
            - name: OIDC_AUTH_URI
              value: https://auth.alexlebens.dev/application/o/authorize/
            - name: OIDC_TOKEN_URI
              value: https://auth.alexlebens.dev/application/o/token/
            - name: OIDC_USERINFO_URI
              value: https://auth.alexlebens.dev/application/o/userinfo/
            - name: OIDC_USERNAME_CLAIM
              value: email
            - name: OIDC_DISPLAY_NAME
              value: Authentik
            - name: OIDC_SCOPES
              value: openid profile email
          resources:
            requests:
              cpu: 10m
              memory: 512Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 3000
          targetPort: 3000
          protocol: HTTP
 minio:
  existingSecret:
    name: outline-minio-root-secret
  tenant:
    name: minio-outline
    configuration:
      name: outline-minio-config-secret
    pools:
      - servers: 3
        name: pool
        volumesPerServer: 2
        size: 10Gi
        storageClassName: ceph-block
    mountPath: /export
    subPath: /data
    metrics:
      enabled: true
      port: 9000
      protocol: http
    certificate:
      requestAutoCert: false
  ingress:
    console:
      enabled: true
      ingressClassName: tailscale
      tls:
        - secretName: minio-outline-cl01tl
          hosts:
            - minio-outline-cl01tl
      host: minio-outline-cl01tl
      path: /
      pathType: Prefix
 valkey:
  architecture: standalone
  auth:
    enabled: false
  primary:
    persistence:
      enabled: false
  replica:
    persistence:
      enabled: false
 cloudflared-outline:
  existingSecretName: outline-cloudflared-secret
  name: cloudflared-outline
 cloudflared-minio:
  existingSecretName: outline-minio-cloudflared-secret
  name: cloudflared-minio
 postgres-17-cluster:
  mode: standalone
  cluster:
    walStorage:
      storageClass: local-path
    storage:
      storageClass: local-path
    monitoring:
      enabled: true
  backup:
    enabled: true
    endpointURL: https://nyc3.digitaloceanspaces.com
    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/outline/outline-postgresql-17-cluster
    endpointCredentials: outline-postgresql-17-cluster-backup-secret
    backupIndex: 1
--- a/clusters/standby/applications/overseerr/Chart.yaml
+++ b/clusters/standby/applications/overseerr/Chart.yaml
@@ -1,21 +0,0 @@
 apiVersion: v2
 name: overseerr
 version: 1.0.0
 description: Overseerr
 keywords:
  - overseer
  - media
  - request
 home: https://wiki.alexlebens.dev/doc/overseerr-pCUN6XnGR5
 sources:
  - https://github.com/sct/overseerr
  - https://github.com/sct/overseerr/pkgs/container/overseerr
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/overseerr.png
 appVersion: 1.33.2
--- a/clusters/standby/applications/overseerr/templates/external-secret.yaml
+++ b/clusters/standby/applications/overseerr/templates/external-secret.yaml
@@ -1,57 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: overseerr-main-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: overseerr-main-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/overseerr/overseerr-main"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
--- a/clusters/standby/applications/overseerr/templates/replication-source.yaml
+++ b/clusters/standby/applications/overseerr/templates/replication-source.yaml
@@ -1,27 +0,0 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: overseerr-main-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: overseerr-main-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: overseerr-main
  trigger:
    schedule: 0 0 */3 * *
  restic:
    pruneIntervalDays: 14
    repository: overseerr-main-backup-secret
    retain:
      hourly: 1
      daily: 1
      weekly: 1
      monthly: 2
      yearly: 4
    copyMethod: Snapshot
    storageClassName: ceph-block-delete
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/standby/applications/overseerr/values.yaml
+++ b/clusters/standby/applications/overseerr/values.yaml
@@ -1,56 +0,0 @@
 app-template:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      containers:
        main:
          image:
            repository: ghcr.io/sct/overseerr
            tag: 1.33.2
            pullPolicy: IfNotPresent
          env:
            - name: TZ
              value: US/Central
          resources:
            requests:
              cpu: 10m
              memory: 512Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 5055
          protocol: HTTP
  ingress:
    tailscale:
      enabled: true
      className: tailscale
      hosts:
        - host: overseerr-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: overseerr
                port: 80
      tls:
        - hosts:
            - overseerr-cl01tl
  persistence:
    main:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 10Gi
      retain: true
      advancedMounts:
        main:
          main:
            - path: /app/config
              readOnly: false
--- a/clusters/standby/applications/photoview/Chart.yaml
+++ b/clusters/standby/applications/photoview/Chart.yaml
@@ -1,28 +0,0 @@
 apiVersion: v2
 name: photoview
 version: 1.0.0
 description: Photoview
 keywords:
  - photoview
  - pictures
 home: https://wiki.alexlebens.dev/doc/photoview-WSRscnhpwv
 sources:
  - https://github.com/immich-app/immich
  - https://github.com/valkey-io/valkey
  - https://github.com/cloudnative-pg/cloudnative-pg
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
  - https://github.com/bitnami/charts/tree/main/bitnami/valkey
  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: photoview
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
  - name: postgres-cluster
    alias: postgres-17-cluster
    version: 4.1.4
    repository: http://alexlebens.github.io/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/photoview.png
 appVersion: 2.4.0
--- a/clusters/standby/applications/photoview/templates/external-secrets.yaml
+++ b/clusters/standby/applications/photoview/templates/external-secrets.yaml
@@ -1,30 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: photoview-postgresql-17-cluster-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: photoview-postgresql-17-cluster-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: access
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: secret
--- a/clusters/standby/applications/photoview/templates/persistent-volume-claim.yaml
+++ b/clusters/standby/applications/photoview/templates/persistent-volume-claim.yaml
@@ -1,19 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: photoview-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: photoview-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: photoview-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/standby/applications/photoview/templates/persistent-volume.yaml
+++ b/clusters/standby/applications/photoview/templates/persistent-volume.yaml
@@ -1,25 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: photoview-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: photoview-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage/Pictures
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
--- a/clusters/standby/applications/photoview/values.yaml
+++ b/clusters/standby/applications/photoview/values.yaml
@@ -1,111 +0,0 @@
 photoview:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      initContainers:
        init-chmod-data:
          securityContext:
            runAsUser: 0
          image:
            repository: busybox
            tag: 1.37.0
            pullPolicy: IfNotPresent
          command:
            - /bin/sh
            - -ec
            - |
              /bin/chown -R 999:999 /app/cache
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
      containers:
        main:
          image:
            repository: photoview/photoview
            tag: 2.4.0
            pullPolicy: IfNotPresent
          env:
            - name: PHOTOVIEW_DATABASE_DRIVER
              value: postgres
            - name: PHOTOVIEW_POSTGRES_URL
              valueFrom:
                secretKeyRef:
                  name: photoview-postgresql-17-cluster-app
                  key: uri
            - name: PHOTOVIEW_MEDIA_CACHE
              value: /app/cache
            - name: PHOTOVIEW_VIDEO_HARDWARE_ACCELERATION
              value: qsv
          resources:
            requests:
              gpu.intel.com/i915: 1
              cpu: 10m
              memory: 512Mi
            limits:
              gpu.intel.com/i915: 1
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 80
          protocol: HTTP
  ingress:
    main:
      enabled: true
      className: tailscale
      hosts:
        - host: photoview-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: photoview
                port: 80
      tls:
        - hosts:
            - photoview-cl01tl
  persistence:
    media:
      existingClaim: photoview-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /photos
              readOnly: true
    cache:
      storageClass: ceph-block-delete
      accessMode: ReadWriteOnce
      size: 10Gi
      retain: false
      advancedMounts:
        main:
          init-chmod-data:
            - path: /app/cache
              readOnly: false
          main:
            - path: /app/cache
              readOnly: false
 postgres-17-cluster:
  mode: standalone
  cluster:
    walStorage:
      storageClass: local-path
    storage:
      storageClass: local-path
    monitoring:
      enabled: true
  backup:
    enabled: false
    endpointURL: https://nyc3.digitaloceanspaces.com
    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/photoview/photoview-postgresql-17-cluster
    endpointCredentials: photoview-postgresql-17-cluster-backup-secret
    backupIndex: 1
    retentionPolicy: "7d"
--- a/clusters/standby/applications/prowlarr/Chart.yaml
+++ b/clusters/standby/applications/prowlarr/Chart.yaml
@@ -1,22 +0,0 @@
 apiVersion: v2
 name: prowlarr
 version: 1.0.0
 description: Prowlarr
 keywords:
  - prowlarr
  - servarr
  - trackers
 home: https://wiki.alexlebens.dev/doc/prowlarr-ERparmlGES
 sources:
  - https://github.com/Prowlarr/Prowlarr
  - https://github.com/onedr0p/containers/pkgs/container/prowlarr
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: prowlarr
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/prowlarr.png
 appVersion: 1.28.2.4885
--- a/clusters/standby/applications/prowlarr/templates/external-secret.yaml
+++ b/clusters/standby/applications/prowlarr/templates/external-secret.yaml
@@ -1,89 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: prowlarr-config-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: prowlarr-config-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/prowlarr/prowlarr-config"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: lidarr2-postgresql-16-cluster-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: lidarr2-postgresql-16-cluster-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /aws/keys/cl01tl-lidarr-postgresql
        metadataPolicy: None
        property: access_key
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /aws/keys/cl01tl-lidarr-postgresql
        metadataPolicy: None
        property: secret_key
--- a/clusters/standby/applications/prowlarr/templates/replication-source.yaml
+++ b/clusters/standby/applications/prowlarr/templates/replication-source.yaml
@@ -1,37 +0,0 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: prowlarr-config-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: prowlarr-config-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: prowlarr-config
  trigger:
    schedule: 0 0 */3 * *
  restic:
    pruneIntervalDays: 14
    repository: prowlarr-config-backup-secret
    retain:
      hourly: 1
      daily: 1
      weekly: 1
      monthly: 2
      yearly: 4
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
      fsGroupChangePolicy: OnRootMismatch
      supplementalGroups:
        - 44
        - 100
        - 109
        - 65539
    copyMethod: Snapshot
    storageClassName: ceph-block-delete
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/standby/applications/prowlarr/values.yaml
+++ b/clusters/standby/applications/prowlarr/values.yaml
@@ -1,84 +0,0 @@
 prowlarr:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      pod:
        securityContext:
          runAsUser: 568
          runAsGroup: 568
          fsGroup: 568
          fsGroupChangePolicy: OnRootMismatch
          supplementalGroups:
            - 44
            - 100
            - 109
            - 65539
      containers:
        main:
          image:
            repository: ghcr.io/onedr0p/prowlarr
            tag: 1.30.2.4939
            pullPolicy: IfNotPresent
          env:
            - name: TZ
              value: US/Central
          probes:
            liveness:
              enabled: false
              custom: true
              spec:
                exec:
                  command:
                  - /usr/bin/env
                  - bash
                  - -c
                  - curl --fail localhost:8686/api/v1/system/status?apiKey=`IFS=\> && while
                    read -d \< E C; do if [[ $E = "ApiKey" ]]; then echo $C; fi; done < /config/config.xml`
                failureThreshold: 5
                initialDelaySeconds: 60
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 10
          resources:
            requests:
              cpu: 10m
              memory: 256Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 9696
          protocol: HTTP
  ingress:
    tailscale:
      enabled: true
      className: tailscale
      hosts:
        - host: prowlarr-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: prowlarr
                port: 80
      tls:
        - hosts:
            - prowlarr-cl01tl
  persistence:
    config:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 1Gi
      retain: true
      advancedMounts:
        main:
          main:
            - path: /config
              readOnly: false
--- a/clusters/standby/applications/radarr5-4k/Chart.yaml
+++ b/clusters/standby/applications/radarr5-4k/Chart.yaml
@@ -1,31 +0,0 @@
 apiVersion: v2
 name: radarr5-4k
 version: 1.0.0
 description: Radarr v5 4K
 keywords:
  - radarr
  - servarr
  - movies
  - 4k
  - metrics
 home: https://wiki.alexlebens.dev/doc/radarr-T6nPLajWDP
 sources:
  - https://github.com/Radarr/Radarr
  - https://github.com/cloudnative-pg/cloudnative-pg
  - https://github.com/onedr0p/containers/pkgs/container/radarr
  - https://github.com/onedr0p/exportarr/pkgs/container/exportarr
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: radarr5-4k
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
  - name: postgres-cluster
    alias: postgres-17-cluster
    version: 4.1.4
    repository: http://alexlebens.github.io/helm-charts
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/radarr.png
 appVersion: 5.16.3
--- a/clusters/standby/applications/radarr5-4k/templates/external-secret.yaml
+++ b/clusters/standby/applications/radarr5-4k/templates/external-secret.yaml
@@ -1,89 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: radarr5-4k-config-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-4k-config-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/radarr5-4k/radarr5-4k-config"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: radarr5-4k-postgresql-17-cluster-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-4k-postgresql-17-cluster-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: access
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: secret
--- a/clusters/standby/applications/radarr5-4k/templates/persistent-volume-claim.yaml
+++ b/clusters/standby/applications/radarr5-4k/templates/persistent-volume-claim.yaml
@@ -1,19 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: radarr5-4k-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-4k-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: radarr5-4k-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/standby/applications/radarr5-4k/templates/persistent-volume.yaml
+++ b/clusters/standby/applications/radarr5-4k/templates/persistent-volume.yaml
@@ -1,25 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: radarr5-4k-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
--- a/clusters/standby/applications/radarr5-4k/templates/prometheus-rule.yaml
+++ b/clusters/standby/applications/radarr5-4k/templates/prometheus-rule.yaml
@@ -1,34 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
  name: radarr5-4k
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-4k
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: metrics
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  groups:
    - name: radarr5-4k
      rules:
        - alert: ExportarrAbsent
          annotations:
            description: Radarr5 4K Exportarr has disappeared from Prometheus
              service discovery.
            summary: Exportarr is down.
          expr: |
            absent(up{job=~".*radarr5_4k.*"} == 1)
          for: 5m
          labels:
            severity: critical
        - alert: Radarr54kDown
          annotations:
            description: Radarr5 4K service is down.
            summary: Radarr5 4K is down.
          expr: |
            radarr5_4k_system_status{job=~".*radarr5_4k.*"} == 0
          for: 5m
          labels:
            severity: critical
--- a/clusters/standby/applications/radarr5-4k/templates/replication-source.yaml
+++ b/clusters/standby/applications/radarr5-4k/templates/replication-source.yaml
@@ -1,32 +0,0 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: radarr5-4k-config-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-4k-config-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: radarr5-4k-config
  trigger:
    schedule: 0 0 */3 * *
  restic:
    pruneIntervalDays: 14
    repository: radarr5-4k-config-backup-secret
    retain:
      hourly: 1
      daily: 1
      weekly: 1
      monthly: 2
      yearly: 4
    moverSecurityContext:
      runAsUser: 1000
      runAsGroup: 1000
      fsGroup: 1000
      fsGroupChangePolicy: OnRootMismatch
    copyMethod: Snapshot
    storageClassName: ceph-block-delete
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/standby/applications/radarr5-4k/templates/service-monitor.yaml
+++ b/clusters/standby/applications/radarr5-4k/templates/service-monitor.yaml
@@ -1,21 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: radarr5-4k
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-4k
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: metrics
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: radarr5-4k
      app.kubernetes.io/instance: {{ .Release.Name }}
  endpoints:
    - port: metrics
      interval: 3m
      scrapeTimeout: 1m
      path: /metrics
--- a/clusters/standby/applications/radarr5-4k/values.yaml
+++ b/clusters/standby/applications/radarr5-4k/values.yaml
@@ -1,141 +0,0 @@
 radarr5-4k:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      pod:
        securityContext:
          runAsUser: 1000
          runAsGroup: 1000
          fsGroup: 1000
          fsGroupChangePolicy: OnRootMismatch
      containers:
        main:
          image:
            repository: ghcr.io/linuxserver/radarr
            tag: 5.18.4@sha256:b2d2bc9bafb76073d96142bda07ea90c6d6afd9207fe4ff2d4f9d3b50fcdbd76
            pullPolicy: IfNotPresent
          env:
            - name: TZ
              value: US/Central
            - name: PUID
              value: 1000
            - name: PGID
              value: 1000
          probes:
            liveness:
              enabled: false
              custom: true
              spec:
                exec:
                  command:
                  - /usr/bin/env
                  - bash
                  - -c
                  - curl --fail localhost:7878/api/v1/system/status?apiKey=`IFS=\> && while
                    read -d \< E C; do if [[ $E = "ApiKey" ]]; then echo $C; fi; done < /config/config.xml`
                failureThreshold: 5
                initialDelaySeconds: 60
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 10
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
        metrics:
          image:
            repository: ghcr.io/onedr0p/exportarr
            tag: v2.0.1
            pullPolicy: IfNotPresent
          args: ["radarr"]
          env:
            - name: URL
              value: http://localhost
            - name: CONFIG
              value: /config/config.xml
            - name: PORT
              value: 9793
            - name: ENABLE_ADDITIONAL_METRICS
              value: false
            - name: ENABLE_UNKNOWN_QUEUE_ITEMS
              value: false
          resources:
            requests:
              cpu: 10m
              memory: 256Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 7878
          protocol: HTTP
        metrics:
          port: 9793
          targetPort: 9793
          protocol: TCP
  ingress:
    tailscale:
      enabled: true
      className: tailscale
      hosts:
        - host: radarr-4k-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: radarr5-4k
                port: 80
      tls:
        - hosts:
            - radarr-4k-cl01tl
  persistence:
    config:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 20Gi
      retain: true
      advancedMounts:
        main:
          main:
            - path: /config
              readOnly: false
          metrics:
            - path: /config
              readOnly: true
    media:
      existingClaim: radarr5-4k-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /mnt/store
              readOnly: false
 postgres-17-cluster:
  mode: standalone
  cluster:
    walStorage:
      storageClass: local-path
    storage:
      storageClass: local-path
    monitoring:
      enabled: true
  bootstrap:
    initdb:
      database: app
      owner: app
      postInitSQL:
        - CREATE DATABASE "radarr-main" OWNER "app";
        - CREATE DATABASE "radarr-log" OWNER "app";
  backup:
    enabled: true
    endpointURL: https://nyc3.digitaloceanspaces.com
    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/radarr5-4k/radarr5-4k-postgresql-17-cluster
    endpointCredentials: radarr5-4k-postgresql-17-cluster-backup-secret
    backupIndex: 1
    retentionPolicy: "7d"
--- a/clusters/standby/applications/radarr5-anime/Chart.yaml
+++ b/clusters/standby/applications/radarr5-anime/Chart.yaml
@@ -1,31 +0,0 @@
 apiVersion: v2
 name: radarr5-anime
 version: 1.0.0
 description: Radarr v5 Anime
 keywords:
  - radarr
  - servarr
  - movies
  - anime
  - metrics
 home: https://wiki.alexlebens.dev/doc/radarr-T6nPLajWDP
 sources:
  - https://github.com/Radarr/Radarr
  - https://github.com/cloudnative-pg/cloudnative-pg
  - https://github.com/linuxserver/docker-radarr
  - https://github.com/onedr0p/exportarr/pkgs/container/exportarr
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: radarr5-anime
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
  - name: postgres-cluster
    alias: postgres-17-cluster
    version: 4.1.4
    repository: http://alexlebens.github.io/helm-charts
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/radarr.png
 appVersion: 5.16.3
--- a/clusters/standby/applications/radarr5-anime/templates/external-secret.yaml
+++ b/clusters/standby/applications/radarr5-anime/templates/external-secret.yaml
@@ -1,89 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: radarr5-anime-config-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-anime-config-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/radarr5-anime/radarr5-anime-config"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: radarr5-anime-postgresql-17-cluster-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-anime-postgresql-17-cluster-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: access
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: secret
--- a/clusters/standby/applications/radarr5-anime/templates/persistent-volume-claim.yaml
+++ b/clusters/standby/applications/radarr5-anime/templates/persistent-volume-claim.yaml
@@ -1,19 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: radarr5-anime-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-anime-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: radarr5-anime-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/standby/applications/radarr5-anime/templates/persistent-volume.yaml
+++ b/clusters/standby/applications/radarr5-anime/templates/persistent-volume.yaml
@@ -1,25 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: radarr5-anime-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
--- a/clusters/standby/applications/radarr5-anime/templates/prometheus-rule.yaml
+++ b/clusters/standby/applications/radarr5-anime/templates/prometheus-rule.yaml
@@ -1,34 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
  name: radarr5-anime
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-anime
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: metrics
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  groups:
    - name: radarr5-anime
      rules:
        - alert: ExportarrAbsent
          annotations:
            description: Radarr5 Anime Exportarr has disappeared from Prometheus
              service discovery.
            summary: Exportarr is down.
          expr: |
            absent(up{job=~".*radarr5_anime.*"} == 1)
          for: 5m
          labels:
            severity: critical
        - alert: Radarr5animeDown
          annotations:
            description: Radarr5 Anime service is down.
            summary: Radarr5 Anime is down.
          expr: |
            radarr5_anime_system_status{job=~".*radarr5_anime.*"} == 0
          for: 5m
          labels:
            severity: critical
--- a/clusters/standby/applications/radarr5-anime/templates/replication-source.yaml
+++ b/clusters/standby/applications/radarr5-anime/templates/replication-source.yaml
@@ -1,30 +0,0 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: radarr5-anime-config-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-anime-config-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: radarr5-anime-config
  trigger:
    schedule: 0 0 */3 * *
  restic:
    pruneIntervalDays: 14
    repository: radarr5-anime-config-backup-secret
    retain:
      hourly: 1
      daily: 1
      weekly: 1
      monthly: 2
      yearly: 4
    moverSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: OnRootMismatch
    copyMethod: Snapshot
    storageClassName: ceph-block-delete
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/standby/applications/radarr5-anime/templates/service-monitor.yaml
+++ b/clusters/standby/applications/radarr5-anime/templates/service-monitor.yaml
@@ -1,21 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: radarr5-anime
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-anime
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: metrics
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: radarr5-anime
      app.kubernetes.io/instance: {{ .Release.Name }}
  endpoints:
    - port: metrics
      interval: 3m
      scrapeTimeout: 1m
      path: /metrics
--- a/clusters/standby/applications/radarr5-anime/values.yaml
+++ b/clusters/standby/applications/radarr5-anime/values.yaml
@@ -1,139 +0,0 @@
 radarr5-anime:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      revisionHistoryLimit: 3
      pod:
        securityContext:
          fsGroup: 1000
          fsGroupChangePolicy: OnRootMismatch
      containers:
        main:
          image:
            repository: ghcr.io/linuxserver/radarr
            tag: 5.18.4@sha256:b2d2bc9bafb76073d96142bda07ea90c6d6afd9207fe4ff2d4f9d3b50fcdbd76
            pullPolicy: IfNotPresent
          env:
            - name: TZ
              value: US/Central
            - name: PUID
              value: 1000
            - name: PGID
              value: 1000
          probes:
            liveness:
              enabled: false
              custom: true
              spec:
                exec:
                  command:
                  - /usr/bin/env
                  - bash
                  - -c
                  - curl --fail localhost:7878/api/v1/system/status?apiKey=`IFS=\> && while
                    read -d \< E C; do if [[ $E = "ApiKey" ]]; then echo $C; fi; done < /config/config.xml`
                failureThreshold: 5
                initialDelaySeconds: 60
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 10
          resources:
            requests:
              cpu: 10m
              memory: 256Mi
        metrics:
          image:
            repository: ghcr.io/onedr0p/exportarr
            tag: v2.0.1
            pullPolicy: IfNotPresent
          args: ["radarr"]
          env:
            - name: URL
              value: http://localhost
            - name: CONFIG
              value: /config/config.xml
            - name: PORT
              value: 9793
            - name: ENABLE_ADDITIONAL_METRICS
              value: false
            - name: ENABLE_UNKNOWN_QUEUE_ITEMS
              value: false
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
  serviceAccount:
    create: true
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 7878
          protocol: HTTP
        metrics:
          port: 9793
          targetPort: 9793
          protocol: TCP
  ingress:
    tailscale:
      enabled: true
      className: tailscale
      hosts:
        - host: radarr-anime-cl01tl
          paths:
            - path: /
              pathType: Prefix
              service:
                name: radarr5-anime
                port: 80
      tls:
        - hosts:
            - radarr-anime-cl01tl
  persistence:
    config:
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 20Gi
      retain: true
      advancedMounts:
        main:
          main:
            - path: /config
              readOnly: false
          metrics:
            - path: /config
              readOnly: true
    media:
      existingClaim: radarr5-anime-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /mnt/store
              readOnly: false
 postgres-17-cluster:
  mode: standalone
  cluster:
    walStorage:
      storageClass: local-path
    storage:
      storageClass: local-path
    monitoring:
      enabled: true
  bootstrap:
    initdb:
      database: app
      owner: app
      postInitSQL:
        - CREATE DATABASE "radarr-main" OWNER "app";
        - CREATE DATABASE "radarr-log" OWNER "app";
  backup:
    enabled: true
    endpointURL: https://nyc3.digitaloceanspaces.com
    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/radarr5-anime/radarr5-anime-postgresql-17-cluster
    endpointCredentials: radarr5-anime-postgresql-17-cluster-backup-secret
    backupIndex: 1
    retentionPolicy: "7d"
--- a/clusters/standby/applications/radarr5-standup/Chart.yaml
+++ b/clusters/standby/applications/radarr5-standup/Chart.yaml
@@ -1,30 +0,0 @@
 apiVersion: v2
 name: radarr5-standup
 version: 1.0.0
 description: Radarr v5 Stand Up
 keywords:
  - radarr
  - servarr
  - standup
  - metrics
 home: https://wiki.alexlebens.dev/doc/radarr-T6nPLajWDP
 sources:
  - https://github.com/Radarr/Radarr
  - https://github.com/cloudnative-pg/cloudnative-pg
  - https://github.com/linuxserver/docker-radarr
  - https://github.com/onedr0p/exportarr/pkgs/container/exportarr
  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: radarr5-standup
    repository: https://bjw-s.github.io/helm-charts/
    version: 3.6.1
  - name: postgres-cluster
    alias: postgres-17-cluster
    version: 4.1.4
    repository: http://alexlebens.github.io/helm-charts
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/radarr.png
 appVersion: 5.16.3
--- a/clusters/standby/applications/radarr5-standup/templates/external-secret.yaml
+++ b/clusters/standby/applications/radarr5-standup/templates/external-secret.yaml
@@ -1,89 +0,0 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: radarr5-standup-config-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-standup-config-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: backup
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/radarr5-standup/radarr5-standup-config"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: radarr5-standup-postgresql-17-cluster-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-standup-postgresql-17-cluster-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: database
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: access
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
        metadataPolicy: None
        property: secret
--- a/clusters/standby/applications/radarr5-standup/templates/persistent-volume-claim.yaml
+++ b/clusters/standby/applications/radarr5-standup/templates/persistent-volume-claim.yaml
@@ -1,19 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: radarr5-standup-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: radarr5-standup-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: radarr5-standup-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/standby/applications/radarr5-standup/templates/persistent-volume.yaml
+++ b/clusters/standby/applications/radarr5-standup/templates/persistent-volume.yaml
@@ -1,25 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: radarr5-standup-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
--- a/Show More
+++ b/Show More