Merge pull request 'feat: refactor apps' (#5703) from tmp/refactor-42 into main

Reviewed-on: #5703

clusters/cl01tl/helm/harbor/Chart.lock

@@ -4,9 +4,9 @@ dependencies:
   version: 1.18.3
 - name: postgres-cluster
   repository: https://gitea.alexlebens.net/api/packages/alexlebens/helm
-  version: 7.11.1
+  version: 7.11.2
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.5.0
-digest: sha256:fb17e2bad9c3a303da2b9d65ee5bd082a58ca6a5cee17d337e2536747982aa2c
+digest: sha256:2ef60d6315a21e0d92970570630cc74720643e7e51e0574107249684ddc2fab5
-generated: "2026-03-31T18:38:15.510833-05:00"
+generated: "2026-04-07T20:36:47.509644-05:00"

clusters/cl01tl/helm/harbor/Chart.yaml

@@ -20,7 +20,7 @@ dependencies:
     repository: https://helm.goharbor.io
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 7.11.1
+    version: 7.11.2
     repository: https://gitea.alexlebens.net/api/packages/alexlebens/helm
   - name: valkey
     alias: valkey

clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml

@@ -5,6 +5,7 @@ description: Kube Prometheus Stack
 keywords:
   - kube-prometheus-stack
   - prometheus
+  - metrics
 home: https://docs.alexlebens.dev/applications/kube-prometheus-stack/
 sources:
   - https://github.com/prometheus/prometheus

clusters/cl01tl/helm/s3-exporter/Chart.yaml

@@ -5,6 +5,7 @@ description: S3 Exporter
 keywords:
   - s3-exporter
   - storage
+  - metrics
 home: https://docs.alexlebens.dev/applications/s3-exporter/
 sources:
   - https://github.com/molu8bits/s3bucket_exporter

clusters/cl01tl/helm/speedtest-exporter/Chart.yaml

@@ -5,6 +5,7 @@ description: Speedtest Exporter
 keywords:
   - speedtest-exporter
   - internet-speed
+  - metrics
 home: https://docs.alexlebens.dev/applications/speedtest-exporter/
 sources:
   - https://github.com/MiguelNdeCarvalho/speedtest-exporter

clusters/cl01tl/helm/talos/values.yaml

@@ -376,7 +376,7 @@ etcd-defrag:
       cronjob:
         suspend: false
         timeZone: America/Chicago
-        schedule: "0 0 * * 0"
+        schedule: 0 0 * * 0
         backoffLimit: 3
         parallelism: 1
       containers:
@@ -404,7 +404,7 @@ etcd-defrag:
       cronjob:
         suspend: false
         timeZone: America/Chicago
-        schedule: "10 0 * * 0"
+        schedule: 10 0 * * 0
         backoffLimit: 3
         parallelism: 1
       containers:
@@ -432,7 +432,7 @@ etcd-defrag:
       cronjob:
         suspend: false
         timeZone: America/Chicago
-        schedule: "20 0 * * 0"
+        schedule: 20 0 * * 0
         backoffLimit: 3
         parallelism: 1
       containers:

clusters/cl01tl/helm/tdarr/values.yaml

@@ -12,7 +12,7 @@ tdarr:
         main:
           image:
             repository: ghcr.io/haveagitgat/tdarr
-            tag: 2.67.01@sha256:dc23becc667f77d2489b1042bd3af87fdd2fd85c2802e126928ef2ced9a8f560
+            tag: 2.67.01@sha256:048ae8ed4de8e9f0de51ad739b2105bee3e4d1a8575120df468cec5f6ef2b1da
           env:
             - name: TZ
               value: America/Chicago
@@ -68,7 +68,7 @@ tdarr:
         main:
           image:
             repository: ghcr.io/haveagitgat/tdarr_node
-            tag: 2.67.01@sha256:048ae8ed4de8e9f0de51ad739b2105bee3e4d1a8575120df468cec5f6ef2b1da
+            tag: 2.67.01@sha256:dc23becc667f77d2489b1042bd3af87fdd2fd85c2802e126928ef2ced9a8f560
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/unpackerr/Chart.yaml

@@ -6,7 +6,7 @@ keywords:
   - unpackerr
   - archive
   - servarr
-home: https://wiki.alexlebens.dev/s/7d3193ee-4ca3-4477-bdb0-44f2258bc088
+home: https://docs.alexlebens.dev/applications/unpackerr/
 sources:
   - https://github.com/Unpackerr/unpackerr
   - https://hub.docker.com/r/golift/unpackerr

clusters/cl01tl/helm/unpackerr/templates/external-secret.yaml

@@ -14,57 +14,33 @@ spec:
   data:
     - secretKey: UN_SONARR_0_API_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/sonarr4/key
-        metadataPolicy: None
         property: key
     - secretKey: UN_SONARR_1_API_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/sonarr4-4k/key
-        metadataPolicy: None
         property: key
     - secretKey: UN_SONARR_2_API_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/sonarr4-anime/key
-        metadataPolicy: None
         property: key
     - secretKey: UN_RADARR_0_API_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/radarr5/key
-        metadataPolicy: None
         property: key
     - secretKey: UN_RADARR_1_API_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/radarr5-4k/key
-        metadataPolicy: None
         property: key
     - secretKey: UN_RADARR_2_API_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/radarr5-anime/key
-        metadataPolicy: None
         property: key
     - secretKey: UN_RADARR_3_API_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/radarr5-standup/key
-        metadataPolicy: None
         property: key
     - secretKey: UN_LIDARR_0_API_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/lidarr2/key
-        metadataPolicy: None
         property: key

clusters/cl01tl/helm/unpackerr/values.yaml

@@ -4,16 +4,18 @@ unpackerr:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
+      pod:
+        securityContext:
+          fsGroup: 1000
+          fsGroupChangePolicy: OnRootMismatch
       containers:
         main:
           image:
             repository: golift/unpackerr
-            tag: 0.15.2
+            tag: 0.15.2@sha256:057e34740d26c34d81ec8e2faf8ec11f8dbfc77489b7a42826f52b37e5ee1b6c
-            pullPolicy: IfNotPresent
           env:
             - name: TZ
-              value: US/Central
+              value: America/Chicago
             - name: UN_WEBSERVER_METRICS
               value: true
             - name: UN_SONARR_0_URL
@@ -54,7 +56,7 @@ unpackerr:
           resources:
             requests:
               cpu: 10m
-              memory: 128Mi
+              memory: 10Mi
   persistence:
     storage:
       existingClaim: unpackerr-nfs-storage

clusters/cl01tl/helm/unpoller/Chart.yaml

@@ -5,9 +5,8 @@ description: Unpoller
 keywords:
   - unpoller
   - ubiquiti
-  - unifi
   - metrics
-home: https://wiki.alexlebens.dev/s/cac4e7b1-3d8e-4a32-993c-c6b3f1d2c344
+home: https://docs.alexlebens.dev/applications/unpoller/
 sources:
   - https://github.com/unpoller/unpoller
   - https://github.com/unpoller/unpoller/pkgs/container/unpoller
@@ -19,6 +18,6 @@ dependencies:
     alias: unpoller
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.6.2
-icon: https://camo.githubusercontent.com/c5d07a5b3acfeac8e1c25bf56f440ffe032b86e4e7f15de82357f022a43fc927/68747470733a2f2f756e706f6c6c65722e636f6d2f696d672f6c6f676f2e706e67
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/ubiquiti-unifi.png
 # renovate: datasource=github-releases depName=unpoller/unpoller
 appVersion: v2.39.0

clusters/cl01tl/helm/unpoller/templates/external-secret.yaml

@@ -14,15 +14,9 @@ spec:
   data:
     - secretKey: UP_UNIFI_CONTROLLER_0_USER
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /unifi/auth/cl01tl
-        metadataPolicy: None
         property: user
     - secretKey: UP_UNIFI_CONTROLLER_0_PASS
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /unifi/auth/cl01tl
-        metadataPolicy: None
         property: password

clusters/cl01tl/helm/unpoller/values.yaml

@@ -4,16 +4,14 @@ unpoller:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
       containers:
         main:
           image:
             repository: ghcr.io/unpoller/unpoller
-            tag: v2.39.0
+            tag: v2.39.0@sha256:1cf63ad43121acc6995da1bd636063de9023b4bfc16599a4297951a6fb6b7fd2
-            pullPolicy: IfNotPresent
           env:
             - name: UP_UNIFI_CONTROLLER_0_SAVE_ALARMS
-              value: 'false'
+              value: 'true'
             - name: UP_UNIFI_CONTROLLER_0_SAVE_ANOMALIES
               value: 'false'
             - name: UP_UNIFI_CONTROLLER_0_SAVE_DPI
@@ -21,7 +19,7 @@ unpoller:
             - name: UP_UNIFI_CONTROLLER_0_SAVE_EVENTS
               value: 'false'
             - name: UP_UNIFI_CONTROLLER_0_SAVE_IDS
-              value: 'false'
+              value: 'true'
             - name: UP_UNIFI_CONTROLLER_0_SAVE_SITES
               value: 'true'
             - name: UP_UNIFI_CONTROLLER_0_URL
@@ -44,7 +42,7 @@ unpoller:
           resources:
             requests:
               cpu: 10m
-              memory: 64Mi
+              memory: 20Mi
   service:
     main:
       controller: main
@@ -52,7 +50,6 @@ unpoller:
         metrics:
           port: 9130
           targetPort: 9130
-          protocol: TCP
   serviceMonitor:
     main:
       selector:

clusters/cl01tl/helm/vault/Chart.yaml

@@ -5,7 +5,7 @@ description: Vault
 keywords:
   - vault
   - secrets
-home: https://wiki.alexlebens.dev/s/5e40fae1-53a5-4bd0-9953-6fcbe88f1987
+home: https://docs.alexlebens.dev/applications/vault/
 sources:
   - https://github.com/hashicorp/vault
   - https://github.com/Angatar/s3cmd
@@ -29,6 +29,6 @@ dependencies:
     alias: unseal
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.6.2
-icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/vault.png
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/hashicorp-vault.png
 # renovate: datasource=github-releases depName=hashicorp/vault
 appVersion: 1.21.4

clusters/cl01tl/helm/vault/templates/external-secret.yaml

@@ -14,17 +14,11 @@ spec:
   data:
     - secretKey: VAULT_APPROLE_ROLE_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/snapshot
-        metadataPolicy: None
         property: VAULT_APPROLE_ROLE_ID
     - secretKey: VAULT_APPROLE_SECRET_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/snapshot
-        metadataPolicy: None
         property: VAULT_APPROLE_SECRET_ID
 
 ---
@@ -44,17 +38,11 @@ spec:
   data:
     - secretKey: .s3cfg
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/vault-backups
-        metadataPolicy: None
         property: s3cfg-local
     - secretKey: BUCKET
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/vault-backups
-        metadataPolicy: None
         property: BUCKET
 
 ---
@@ -74,17 +62,11 @@ spec:
   data:
     - secretKey: .s3cfg
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/vault-backups
-        metadataPolicy: None
         property: s3cfg-remote
     - secretKey: BUCKET
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/vault-backups
-        metadataPolicy: None
         property: BUCKET
 
 ---
@@ -104,17 +86,11 @@ spec:
   data:
     - secretKey: .s3cfg
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /digital-ocean/home-infra/vault-backup
-        metadataPolicy: None
         property: s3cfg
     - secretKey: BUCKET
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /digital-ocean/home-infra/vault-backup
-        metadataPolicy: None
         property: BUCKET
 
 ---
@@ -134,24 +110,15 @@ spec:
   data:
     - secretKey: NTFY_TOKEN
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /ntfy/user/cl01tl
-        metadataPolicy: None
         property: token
     - secretKey: NTFY_ENDPOINT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /ntfy/user/cl01tl
-        metadataPolicy: None
         property: endpoint
     - secretKey: NTFY_TOPIC
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/snapshot
-        metadataPolicy: None
         property: NTFY_TOPIC
 
 ---
@@ -171,66 +138,39 @@ spec:
   data:
     - secretKey: ENVIRONMENT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-1
-        metadataPolicy: None
         property: ENVIRONMENT
     - secretKey: CHECK_INTERVAL
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-1
-        metadataPolicy: None
         property: CHECK_INTERVAL
     - secretKey: MAX_CHECK_INTERVAL
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-1
-        metadataPolicy: None
         property: MAX_CHECK_INTERVAL
     - secretKey: NODES
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-1
-        metadataPolicy: None
         property: NODES
     - secretKey: TLS_SKIP_VERIFY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-1
-        metadataPolicy: None
         property: TLS_SKIP_VERIFY
     - secretKey: TOKENS
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-1
-        metadataPolicy: None
         property: TOKENS
     - secretKey: EMAIL_ENABLED
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-1
-        metadataPolicy: None
         property: EMAIL_ENABLED
     - secretKey: NOTIFY_MAX_ELAPSED
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-1
-        metadataPolicy: None
         property: NOTIFY_MAX_ELAPSED
     - secretKey: NOTIFY_QUEUE_DELAY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-1
-        metadataPolicy: None
         property: NOTIFY_QUEUE_DELAY
 
 ---
@@ -250,66 +190,39 @@ spec:
   data:
     - secretKey: ENVIRONMENT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-2
-        metadataPolicy: None
         property: ENVIRONMENT
     - secretKey: CHECK_INTERVAL
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-2
-        metadataPolicy: None
         property: CHECK_INTERVAL
     - secretKey: MAX_CHECK_INTERVAL
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-2
-        metadataPolicy: None
         property: MAX_CHECK_INTERVAL
     - secretKey: NODES
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-2
-        metadataPolicy: None
         property: NODES
     - secretKey: TLS_SKIP_VERIFY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-2
-        metadataPolicy: None
         property: TLS_SKIP_VERIFY
     - secretKey: TOKENS
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-2
-        metadataPolicy: None
         property: TOKENS
     - secretKey: EMAIL_ENABLED
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-2
-        metadataPolicy: None
         property: EMAIL_ENABLED
     - secretKey: NOTIFY_MAX_ELAPSED
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-2
-        metadataPolicy: None
         property: NOTIFY_MAX_ELAPSED
     - secretKey: NOTIFY_QUEUE_DELAY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-2
-        metadataPolicy: None
         property: NOTIFY_QUEUE_DELAY
 
 ---
@@ -329,66 +242,39 @@ spec:
   data:
     - secretKey: ENVIRONMENT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-3
-        metadataPolicy: None
         property: ENVIRONMENT
     - secretKey: CHECK_INTERVAL
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-3
-        metadataPolicy: None
         property: CHECK_INTERVAL
     - secretKey: MAX_CHECK_INTERVAL
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-3
-        metadataPolicy: None
         property: MAX_CHECK_INTERVAL
     - secretKey: NODES
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-3
-        metadataPolicy: None
         property: NODES
     - secretKey: TLS_SKIP_VERIFY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-3
-        metadataPolicy: None
         property: TLS_SKIP_VERIFY
     - secretKey: TOKENS
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-3
-        metadataPolicy: None
         property: TOKENS
     - secretKey: EMAIL_ENABLED
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-3
-        metadataPolicy: None
         property: EMAIL_ENABLED
     - secretKey: NOTIFY_MAX_ELAPSED
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-3
-        metadataPolicy: None
         property: NOTIFY_MAX_ELAPSED
     - secretKey: NOTIFY_QUEUE_DELAY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/unseal/config-3
-        metadataPolicy: None
         property: NOTIFY_QUEUE_DELAY
 
 ---
@@ -408,43 +294,25 @@ spec:
   data:
     - secretKey: token
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/token
-        metadataPolicy: None
         property: token
     - secretKey: unseal_key_1
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/token
-        metadataPolicy: None
         property: unseal_key_1
     - secretKey: unseal_key_2
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/token
-        metadataPolicy: None
         property: unseal_key_2
     - secretKey: unseal_key_3
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/token
-        metadataPolicy: None
         property: unseal_key_3
     - secretKey: unseal_key_4
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/token
-        metadataPolicy: None
         property: unseal_key_4
     - secretKey: unseal_key_5
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/vault/token
-        metadataPolicy: None
         property: unseal_key_5

clusters/cl01tl/helm/vault/templates/http-route.yaml

@@ -25,4 +25,3 @@ spec:
           kind: Service
           name: vault-active
           port: 8200
-          weight: 100

clusters/cl01tl/helm/vault/values.yaml

@@ -1,9 +1,5 @@
 vault:
   global:
-    enabled: true
-    tlsDisable: true
-    psp:
-      enable: false
     serverTelemetry:
       prometheusOperator: true
   injector:
@@ -12,23 +8,14 @@ vault:
     enabled: true
     image:
       repository: hashicorp/vault
-      tag: 1.21.4
+      tag: 1.21.4@sha256:4e33b126a59c0c333b76fb4e894722462659a6bec7c48c9ee8cea56fccfd2569
-    updateStrategyType: "RollingUpdate"
+    updateStrategyType: RollingUpdate
-    logLevel: debug
-    logFormat: standard
     resources:
       requests:
         cpu: 50m
-        memory: 512Mi
+        memory: 90Mi
-    ingress:
-      enabled: false
-    route:
-      enabled: false
     authDelegator:
       enabled: false
-    readinessProbe:
-      enabled: true
-      port: 8200
     livenessProbe:
       enabled: false
     volumes:
@@ -39,43 +26,17 @@ vault:
       - mountPath: /opt/backups/
         name: vault-storage-backup
         readOnly: false
-    affinity: |
-      podAntiAffinity:
-        requiredDuringSchedulingIgnoredDuringExecution:
-          - labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: {{ template "vault.name" . }}
-                app.kubernetes.io/instance: "{{ .Release.Name }}"
-                component: server
-            topologyKey: kubernetes.io/hostname
-    networkPolicy:
-      enabled: false
-    service:
-      enabled: true
-      active:
-        enabled: true
-      standby:
-        enabled: false
-      type: ClusterIP
-      port: 8200
-      targetPort: 8200
     dataStorage:
-      enabled: true
       size: 1Gi
-      mountPath: "/vault/data"
+      storageClass: ceph-block
-      accessMode: ReadWriteOnce
     auditStorage:
-      enabled: false
+      enabled: true
       size: 5Gi
-      mountPath: "/vault/audit"
+      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-    dev:
-      enabled: false
     standalone:
       enabled: false
     ha:
       enabled: true
-      replicas: 3
       raft:
         enabled: true
         config: |
@@ -109,30 +70,12 @@ vault:
             prometheus_retention_time = "30s"
             disable_hostname = true
           }
-
       disruptionBudget:
         enabled: true
-        maxUnavailable: null
+        maxUnavailable: 1
-    serviceAccount:
-      create: true
-      serviceDiscovery:
-        enabled: true
-    hostNetwork: false
-  ui:
-    enabled: true
-    publishNotReadyAddresses: true
-    activeVaultPodOnly: false
-    serviceType: "ClusterIP"
-    serviceNodePort: null
-    externalPort: 8200
-    targetPort: 8200
-  csi:
-    enabled: false
   serverTelemetry:
     serviceMonitor:
       enabled: true
-      interval: 30s
-      scrapeTimeout: 10s
     prometheusRules:
       enabled: true
       rules:
@@ -158,20 +101,15 @@ snapshot:
       type: cronjob
       cronjob:
         suspend: false
-        concurrencyPolicy: Forbid
+        timeZone: America/Chicago
-        timeZone: US/Central
         schedule: 0 4 * * *
-        startingDeadlineSeconds: 90
-        successfulJobsHistory: 1
-        failedJobsHistory: 3
         backoffLimit: 3
         parallelism: 1
       initContainers:
         snapshot:
           image:
             repository: hashicorp/vault
-            tag: 1.21.4
+            tag: 1.21.4@sha256:4e33b126a59c0c333b76fb4e894722462659a6bec7c48c9ee8cea56fccfd2569
-            pullPolicy: IfNotPresent
           command:
             - /bin/ash
           args:
@@ -328,53 +266,47 @@ unseal:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
       containers:
         main:
           image:
             repository: ghcr.io/lrstanley/vault-unseal
-            tag: 0.7.2
+            tag: 0.7.2@sha256:b25d0c2f6a73d1b9a3907befa473f08fe9fac828d248d7e9702517c5b967733c
-            pullPolicy: IfNotPresent
           envFrom:
             - secretRef:
                 name: vault-unseal-config-1
           resources:
             requests:
-              cpu: 10m
+              cpu: 1m
-              memory: 24Mi
+              memory: 10Mi
     unseal-2:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
       containers:
         main:
           image:
             repository: ghcr.io/lrstanley/vault-unseal
-            tag: 0.7.2
+            tag: 0.7.2@sha256:b25d0c2f6a73d1b9a3907befa473f08fe9fac828d248d7e9702517c5b967733c
-            pullPolicy: IfNotPresent
           envFrom:
             - secretRef:
                 name: vault-unseal-config-2
           resources:
             requests:
-              cpu: 10m
+              cpu: 1m
-              memory: 24Mi
+              memory: 10Mi
     unseal-3:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
       containers:
         main:
           image:
             repository: ghcr.io/lrstanley/vault-unseal
-            tag: 0.7.2
+            tag: 0.7.2@sha256:b25d0c2f6a73d1b9a3907befa473f08fe9fac828d248d7e9702517c5b967733c
-            pullPolicy: IfNotPresent
           envFrom:
             - secretRef:
                 name: vault-unseal-config-3
           resources:
             requests:
-              cpu: 10m
+              cpu: 1m
-              memory: 24Mi
+              memory: 10Mi

clusters/cl01tl/helm/vaultwarden/Chart.lock

@@ -7,9 +7,9 @@ dependencies:
   version: 2.4.0
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.10.0
+  version: 7.11.2
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.8.0
-digest: sha256:6f78b41937412c1db5e0f612287d29ea81c1d9169b8a0efd98a0dd4be3e532d1
+digest: sha256:1b1949361ed77479733f8634a2ac6d74d4d8ba3144339446f5508643a0b57a31
-generated: "2026-03-15T20:10:47.852109985Z"
+generated: "2026-04-07T20:19:48.079671-05:00"

clusters/cl01tl/helm/vaultwarden/Chart.yaml

@@ -4,17 +4,15 @@ version: 1.0.0
 description: Vaultwarden
 keywords:
   - vaultwarden
-  - bitwarden
+  - password-manager
-  - password
+home: https://docs.alexlebens.dev/applications/vault/
-home: https://wiki.alexlebens.dev/s/fecd00f9-ebce-43eb-b066-3721b15432e3
 sources:
   - https://github.com/dani-garcia/vaultwarden
-  - https://github.com/cloudflare/cloudflared
-  - https://github.com/cloudnative-pg/cloudnative-pg
   - https://hub.docker.com/r/vaultwarden/server
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:
@@ -27,7 +25,7 @@ dependencies:
     version: 2.4.0
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 7.10.0
+    version: 7.11.2
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: volsync-target
     alias: volsync-target-data

clusters/cl01tl/helm/vaultwarden/templates/external-secret.yaml

@@ -14,15 +14,9 @@ spec:
   data:
     - secretKey: client
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/vaultwarden
-        metadataPolicy: None
         property: client
     - secretKey: secret
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/vaultwarden
-        metadataPolicy: None
         property: secret

clusters/cl01tl/helm/vaultwarden/values.yaml

@@ -4,13 +4,11 @@ vaultwarden:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
       containers:
         main:
           image:
-            repository: vaultwarden/server
+            repository: ghcr.io/vaultwarden/server
-            tag: 1.35.4
+            tag: 1.35.4@sha256:43498a94b22f9563f2a94b53760ab3e710eefc0d0cac2efda4b12b9eb8690664
-            pullPolicy: IfNotPresent
           env:
             - name: DOMAIN
               value: https://passwords.alexlebens.dev
@@ -44,7 +42,7 @@ vaultwarden:
           resources:
             requests:
               cpu: 10m
-              memory: 128Mi
+              memory: 30Mi
   service:
     main:
       controller: main
@@ -52,14 +50,12 @@ vaultwarden:
         http:
           port: 80
           targetPort: 80
-          protocol: HTTP
   persistence:
     config:
       forceRename: vaultwarden-data
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
-      retain: true
       advancedMounts:
         main:
           main:
@@ -78,35 +74,12 @@ postgres-18-cluster:
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true
-      # - name: garage-remote
-      #   index: 1
-      #   destinationBucket: postgres-backups
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   retentionPolicy: "90d"
-      #   data:
-      #     compression: bzip2
-      # - name: external
-      #   index: 1
-      #   endpointURL: https://nyc3.digitaloceanspaces.com
-      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: weekly-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 4 * * SAT"
-      #   backupName: garage-remote
-      # - name: daily-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 0 * * *"
-      #   backupName: external
 volsync-target-data:
   pvcTarget: vaultwarden-data
   local:

clusters/cl01tl/helm/version-checker/Chart.yaml

@@ -5,6 +5,7 @@ description: Version Checker
 keywords:
   - version-checker
   - update-tracker
+  - metrics
 home: https://docs.alexlebens.dev/applications/version-checker/
 sources:
   - https://github.com/jetstack/version-checker

clusters/cl01tl/helm/version-checker/templates/service-monitor.yaml

@@ -0,0 +1,16 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: version-checker
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: version-checker
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  selector:
+    matchLabels:
+      app: version-checker
+  endpoints:
+    - port: web
+      path: /metrics

clusters/cl01tl/helm/version-checker/values.yaml

@@ -10,8 +10,7 @@ version-checker:
   resources:
     requests:
       cpu: 1m
-      memory: 40Mi
+      memory: 400Mi
   prometheus:
     enabled: true
-    replicas: 1
     serviceAccountName: version-checker-prometheus

clusters/cl01tl/helm/volsync/Chart.yaml

@@ -5,12 +5,10 @@ description: Volsync
 keywords:
   - volsync
   - backup
-  - storage
+home: https://docs.alexlebens.dev/applications/volsync/
-  - s3
-  - kubernetes
-home: https://wiki.alexlebens.dev/s/6858726b-5219-46ee-b9b7-6e1f6c125f6b
 sources:
   - https://github.com/backube/volsync
+  - https://quay.io/repository/backube/volsync?tab=tags
   - https://github.com/backube/volsync/tree/main/helm/volsync
 maintainers:
   - name: alexlebens

clusters/cl01tl/helm/volsync/values.yaml

@@ -1,15 +1,15 @@
 volsync:
   replicaCount: 2
+  image:
+    repository: quay.io/backube/volsync
+    image: 0.15.0@sha256:4fedd41b3101dde090542009c4177f703d241bf4760d1767bd9df08fd8fd93a4
   manageCRDs: true
   metrics:
     disableAuth: true
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - ALL
-    readOnlyRootFilesystem: true
   resources:
+    limits:
+      cpu: null
+      memory: null
     requests:
-      cpu: 10m
+      cpu: 1m
-      memory: 128Mi
+      memory: 80Mi