Update Helm release tailscale-operator to v1.92.4

This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| [stalwartlabs/stalwart](https://github.com/stalwartlabs/stalwart) | minor | `v0.14.1` -> `v0.15.0` | `v0.15.1` |

---

### Release Notes

<details>
<summary>stalwartlabs/stalwart (stalwartlabs/stalwart)</summary>

### [`v0.15.0`](https://github.com/stalwartlabs/stalwart/releases/tag/v0.15.0)

[Compare Source](https://github.com/stalwartlabs/stalwart/compare/v0.14.1...v0.15.0)

#### \[0.15.0] - 2025-12-16

This version includes **multiple breaking changes**. Please read the [upgrading documentation](https://github.com/stalwartlabs/stalwart/blob/main/UPGRADING/v0_15.md) for more information on how to upgrade from previous versions.

#### Added

- Linear spam classifier using FTRL-Proximal and feature/cuckoo hashing.
- Meilisearch store backend implementation ([#&#8203;1482](https://github.com/stalwartlabs/stalwart/issues/1482)).
- PostgreSQL and mySQL native full-text search support.
- Multiple performance improvements and database access optimizations.
- Encryption-at-rest: Spam training privacy setting.
- Enterprise: Undelete e-mail feature now includes From/Subject/Received information.
- IMAP: Implemented new keywords and mailbox attributes described in [draft-ietf-mailmaint-messageflag-mailboxattribute-13](https://datatracker.ietf.org/doc/html/draft-ietf-mailmaint-messageflag-mailboxattribute-13)

#### Changed

- IMAP: Always return special use flags in responses.

#### Fixed

- JMAP: `FileNode/set` fails to delete files ([#&#8203;2485](https://github.com/stalwartlabs/stalwart/issues/2485)).
- JMAP: Return error when using `blobId` in JSContact and JSCalendar ([#&#8203;2431](https://github.com/stalwartlabs/stalwart/issues/2431)).
- Directory: Deletion of list or domain issues ([#&#8203;2415](https://github.com/stalwartlabs/stalwart/issues/2415)).
- MTA: Headers and body stripped from mail delivery subsystem failure notifications ([#&#8203;2344](https://github.com/stalwartlabs/stalwart/issues/2344)).
- MTA: Hooks only run if sieve script, milter or rewrite is configured ([#&#8203;2317](https://github.com/stalwartlabs/stalwart/issues/2317)).
- Autodiscover: Endpoint should be case insensitive ([#&#8203;2440](https://github.com/stalwartlabs/stalwart/issues/2440)).
- Housekeeper: Panic during DST transition ([#&#8203;2366](https://github.com/stalwartlabs/stalwart/issues/2366)).
- Import/Export: Fix import/export utility ([#&#8203;1882](https://github.com/stalwartlabs/stalwart/issues/1882)).
- Enterprise: Remove tenant admin permissions when license is invalid.

<hr />

##### Check binary attestation at [here](https://github.com/stalwartlabs/stalwart/attestations/15221862)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi4zOS4xIiwidXBkYXRlZEluVmVyIjoiNDIuMzkuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiaW1hZ2UiXX0=-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/2672
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

.gitea/workflows/lint-test-helm.yaml

@@ -55,6 +55,7 @@ jobs:
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           version: v3.19.2
+          cache: true
 
       - name: Check Directories for Changes
         id: check-dir-changes
@@ -84,7 +85,7 @@ jobs:
                 echo ""
                 echo ">> Adding path: $path"
                 CHANGED_CHARTS+=$(echo "$path" | awk -F '/' '{print $4}')
-                CHANGED_CHARTS+=$(echo " ")
+                CHANGED_CHARTS+=$(echo "\n")
               fi
             done
 
@@ -124,7 +125,14 @@ jobs:
             helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo ">> Command: $cmd"
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then

.gitea/workflows/render-manifests-automerge.yaml

@@ -38,6 +38,7 @@ jobs:
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
+          cache: true
 
       - name: Prepare Manifest Branch
         id: prepare-manifest-branch
@@ -106,7 +107,13 @@ jobs:
             helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then

.gitea/workflows/render-manifests-dispatch.yaml

@@ -32,6 +32,7 @@ jobs:
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
+          cache: true
 
       - name: Prepare Manifest Branch
         run: |
@@ -91,7 +92,13 @@ jobs:
             helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then

.gitea/workflows/render-manifests-merge.yaml

@@ -39,6 +39,7 @@ jobs:
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
+          cache: true
 
       - name: Prepare Manifest Branch
         run: |
@@ -111,7 +112,13 @@ jobs:
             helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then

.gitea/workflows/render-manifests-push.yaml

@@ -37,6 +37,7 @@ jobs:
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
+          cache: true
 
       - name: Prepare Manifest Branch
         run: |
@@ -109,7 +110,13 @@ jobs:
             helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then

.gitignore

@@ -1,3 +1,4 @@
 /**/archive/
 /**/charts/
 /**/manifests/
+/**/tmpcharts*/

README.md

@@ -2,6 +2,12 @@
 
 GitOps definied infrastrucutre for the alexlebens.net domain.
 
+## Stack-cl01tl
+
+https://argocd.alexlebens.net/api/badge?name=stack-cl01tl&revision=true&showAppName=true
+
+App-of-Apps Application for cl01tl
+
 ## License
 
 This project is licensed under the terms of the Apache 2.0 License license.

clusters/cl01tl/helm/actual/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:926b8da839684072fd79954aff0c9852c2ff3b618b0fa35177bdec8e2dff4986
+- name: volsync-target
-generated: "2025-12-05T17:02:01.15162583Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.0
+digest: sha256:09dae69cd64556ed0b8ce2d8afe304720af3a71f64610ee6c70219572ccfdf5e
+generated: "2025-12-18T02:42:53.481944952Z"

clusters/cl01tl/helm/actual/Chart.yaml

@@ -17,5 +17,9 @@ dependencies:
     alias: actual
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.6.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
 appVersion: 25.12.0

clusters/cl01tl/helm/actual/templates/external-secret.yaml

@@ -1,55 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: actual-data-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: actual-data-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/actual/actual-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/helm/actual/templates/replication-source.yaml

@@ -1,25 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: actual-data-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: actual-data-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: actual-data
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: actual-data-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/actual/values.yaml

@@ -54,3 +54,5 @@ actual:
           main:
             - path: /data
               readOnly: false
+volsync-target-data:
+  pvcTarget: actual-data

clusters/cl01tl/helm/argo-workflows/Chart.lock

@@ -7,6 +7,6 @@ dependencies:
   version: 2.4.19
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.3
-digest: sha256:40a93dfcabbc5746682bac631e9a620588cf0cb6fdf79a42446a823e93a531c8
+digest: sha256:fb51f9312fd003df7f9beced8e3583eb66c74a57820effab510bd80ce3a91558
-generated: "2025-12-11T15:49:57.970719-06:00"
+generated: "2025-12-17T16:08:51.370582257Z"

clusters/cl01tl/helm/argo-workflows/Chart.yaml

@@ -25,7 +25,7 @@ dependencies:
     repository: https://argoproj.github.io/argo-helm
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.3
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 appVersion: v3.7.6

clusters/cl01tl/helm/argo-workflows/values.yaml

@@ -78,17 +78,10 @@ argo-events:
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
@@ -98,11 +91,6 @@ postgres-18-cluster:
       endpointCredentials: argo-workflows-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
         index: 1
@@ -111,6 +99,11 @@ postgres-18-cluster:
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
       #   index: 1
@@ -121,16 +114,16 @@ postgres-18-cluster:
       #   data:
       #     compression: bzip2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
+      # - name: daily-backup
+      #   suspend: false
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
       # - name: weekly-backup
       #   suspend: true
       #   immediate: true

clusters/cl01tl/helm/argocd/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 9.1.7
+  version: 9.1.9
-digest: sha256:ed1ae26f3e642750f6dd970c1adc4fa14a627fad13daf74169213199f74425b3
+digest: sha256:20cb350f423b4a9352085a7f44aa832e9640120f10c4ea1899d0b341d482a761
-generated: "2025-12-09T23:01:55.027301875Z"
+generated: "2025-12-19T13:02:04.764462089Z"

clusters/cl01tl/helm/argocd/Chart.yaml

@@ -15,7 +15,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-cd
-    version: 9.1.7
+    version: 9.1.9
     repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 appVersion: v3.2.1

clusters/cl01tl/helm/audiobookshelf/Chart.lock

@@ -2,5 +2,11 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:977ed15091e9ed30d647a626214701d22f3a8a5232a900e33f753cc7e090042f
+- name: volsync-target
-generated: "2025-12-05T17:02:13.674405673Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.0
+- name: volsync-target
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.0
+digest: sha256:67571554c39c1acdb1cd286024e7bdc0d7c94f0c4bfff5bf5fb225817f495616
+generated: "2025-12-18T02:43:02.876706511Z"

clusters/cl01tl/helm/audiobookshelf/Chart.yaml

@@ -19,5 +19,13 @@ dependencies:
     alias: audiobookshelf
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.6.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-metadata
+    version: 0.6.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 appVersion: 2.31.0

clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml

@@ -19,117 +19,3 @@ spec:
         key: /cl01tl/audiobookshelf/apprise
         metadataPolicy: None
         property: ntfy-url
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: audiobookshelf-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: audiobookshelf-metadata-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-metadata-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-metadata"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml

@@ -1,24 +1,5 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
-metadata:
-  name: audiobookshelf-nfs-storage-backup
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-nfs-storage-backup
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeMode: Filesystem
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
 metadata:
   name: audiobookshelf-nfs-storage
   namespace: {{ .Release.Namespace }}

clusters/cl01tl/helm/audiobookshelf/templates/replication-source.yaml

@@ -1,52 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: audiobookshelf-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: audiobookshelf-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: audiobookshelf-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: audiobookshelf-metadata-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-metadata-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: audiobookshelf-metadata
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: audiobookshelf-metadata-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/audiobookshelf/values.yaml

@@ -21,7 +21,7 @@ audiobookshelf:
         apprise-api:
           image:
             repository: caronc/apprise
-            tag: 1.2.6
+            tag: 1.3.0
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -59,6 +59,7 @@ audiobookshelf:
           protocol: HTTP
   persistence:
     config:
+      forceRename: audiobookshelf-config
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 2Gi
@@ -69,6 +70,7 @@ audiobookshelf:
             - path: /config
               readOnly: false
     metadata:
+      forceRename: audiobookshelf-metadata
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 10Gi
@@ -78,13 +80,6 @@ audiobookshelf:
           main:
             - path: /metadata
               readOnly: false
-    backup:
-      existingClaim: audiobookshelf-nfs-storage-backup
-      advancedMounts:
-        main:
-          main:
-            - path: /metadata/backups
-              readOnly: false
     audiobooks:
       existingClaim: audiobookshelf-nfs-storage
       advancedMounts:
@@ -92,3 +87,7 @@ audiobookshelf:
           main:
             - path: /mnt/store/
               readOnly: false
+volsync-target-config:
+  pvcTarget: audiobookshelf-config
+volsync-target-metadata:
+  pvcTarget: audiobookshelf-metadata

clusters/cl01tl/helm/authentik/Chart.lock

@@ -1,12 +1,15 @@
 dependencies:
 - name: authentik
   repository: https://charts.goauthentik.io/
-  version: 2025.10.2
+  version: 2025.10.3
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.23.2
+  version: 2.1.4
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.3
-digest: sha256:fdd5cc597cf958ca0f6f43dd403915c89c45718eff80920c2d322264dc8b09e1
+- name: redis-replication
-generated: "2025-12-11T16:14:14.729827-06:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:46b5b516beba0263c6434eb41f52e9628ae14022db5a6a62aae16db01388d57b
+generated: "2025-12-17T19:05:21.540808-06:00"

clusters/cl01tl/helm/authentik/Chart.yaml

@@ -21,15 +21,17 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: authentik
-    version: 2025.10.2
+    version: 2025.10.3
     repository: https://charts.goauthentik.io/
   - name: cloudflared
-    alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.23.2
+    version: 2.1.4
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.3
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
 appVersion: 2025.10.2

clusters/cl01tl/helm/authentik/templates/external-secret.yaml

@@ -20,29 +20,6 @@ spec:
         metadataPolicy: None
         property: key
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: authentik-cloudflared-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: authentik-cloudflared-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: cf-tunnel-token
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cloudflare/tunnels/authentik
-        metadataPolicy: None
-        property: token
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret

clusters/cl01tl/helm/authentik/templates/redis-replication.yaml

@@ -1,32 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-authentik
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1

clusters/cl01tl/helm/authentik/templates/service-monitor.yaml

@@ -1,19 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-authentik
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/authentik/values.yaml

@@ -48,22 +48,13 @@ authentik:
     enabled: false
   redis:
     enabled: false
-cloudflared:
-  existingSecretName: authentik-cloudflared-secret
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
@@ -73,11 +64,6 @@ postgres-18-cluster:
       endpointCredentials: authentik-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-18-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-18-cluster
         index: 1
@@ -86,6 +72,11 @@ postgres-18-cluster:
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-18-cluster
       #   index: 1
@@ -96,18 +87,26 @@ postgres-18-cluster:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
+      # - name: daily-backup
+      #   suspend: false
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
       # - name: weekly-backup
       #   suspend: false
       #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+redis-replication:
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 3
+  redisSentinel:
+    enabled: true
+    clusterSize: 3

clusters/cl01tl/helm/backrest/Chart.lock

@@ -2,5 +2,11 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:6e6f20320a485b57288a6febae1b7623076059c370f88b7fbe92460fc4047db3
+- name: volsync-target
-generated: "2025-12-05T17:02:26.599646463Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.0
+- name: volsync-target
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.0
+digest: sha256:ba31d044402f9da6705f64d21a0947730a37526fce047891162cfd2b21b8d08a
+generated: "2025-12-18T02:43:14.604382042Z"

clusters/cl01tl/helm/backrest/Chart.yaml

@@ -17,5 +17,13 @@ dependencies:
     alias: backrest
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.6.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.6.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
 appVersion: v1.10.1

clusters/cl01tl/helm/backrest/values.yaml

@@ -35,6 +35,7 @@ backrest:
           protocol: TCP
   persistence:
     data:
+      forceRename: backrest-data
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 10Gi
@@ -45,6 +46,7 @@ backrest:
             - path: /data
               readOnly: false
     config:
+      forceRename: backrest-config
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 1Gi
@@ -82,3 +84,7 @@ backrest:
           main:
             - path: /mnt/share
               readOnly: true
+volsync-target-data:
+  pvcTarget: backrest-data
+volsync-target-config:
+  pvcTarget: backrest-config

clusters/cl01tl/helm/bazarr/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:54c88d51b4067dec5b22623957970b64092bf3f417fabb58277f6bc3e01eca20
+- name: volsync-target
-generated: "2025-12-05T17:02:40.843820962Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.0
+digest: sha256:20237b7a0548ae3458b4765e01aef39b5e072da5390305eb7815b086eef4983a
+generated: "2025-12-18T02:43:26.844170003Z"

clusters/cl01tl/helm/bazarr/Chart.yaml

@@ -19,5 +19,9 @@ dependencies:
     alias: bazarr
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.6.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
 appVersion: 1.5.3

clusters/cl01tl/helm/bazarr/templates/external-secret.yaml

@@ -1,55 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: bazarr-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: bazarr-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/bazarr/bazarr-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/helm/bazarr/templates/replication-source.yaml

@@ -1,30 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: bazarr-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: bazarr-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: bazarr-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: bazarr-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    moverSecurityContext:
-      runAsUser: 1000
-      runAsGroup: 1000
-      fsGroup: 1000
-      fsGroupChangePolicy: OnRootMismatch
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/bazarr/values.yaml

@@ -15,7 +15,7 @@ bazarr:
         main:
           image:
             repository: ghcr.io/linuxserver/bazarr
-            tag: 1.5.3@sha256:4aa1e82d1e96ae712095d881b7e3840e6db6ca862c335be5b00001f31156650b
+            tag: 1.5.3@sha256:648f694532a3a53d8cf78bc888919ef538659bad41af4c680b0427ad1047d171
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -55,3 +55,10 @@ bazarr:
           main:
             - path: /mnt/store
               readOnly: false
+volsync-target-config:
+  pvcTarget: bazarr-config
+  moverSecurityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    fsGroupChangePolicy: OnRootMismatch

clusters/cl01tl/helm/blocky/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:b8516161886b87344848ad2b3bdafbd66da61ca8ffc5e9a5ebed462f205c9912
+- name: redis-replication
-generated: "2025-12-05T17:02:59.562863413Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:a7840240d52d7c66aa2e542132e32907dd0c48d3051eb15190a209215cbd4dce
+generated: "2025-12-15T20:06:31.995318697Z"

clusters/cl01tl/helm/blocky/Chart.yaml

@@ -17,5 +17,8 @@ dependencies:
     alias: blocky
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: redis-replication
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
 appVersion: v0.28.2

clusters/cl01tl/helm/blocky/templates/redis-replication.yaml

@@ -1,32 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-blocky
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-blocky
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1

clusters/cl01tl/helm/blocky/templates/service-monitor.yaml

@@ -17,24 +17,3 @@ spec:
       interval: 30s
       scrapeTimeout: 10s
       path: /metrics
-
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-blocky
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-blocky
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/blocky/values.yaml

@@ -129,6 +129,7 @@ blocky:
               huntarr                         IN      CNAME   traefik-cl01tl
               immich                          IN      CNAME   traefik-cl01tl
               jellyfin                        IN      CNAME   traefik-cl01tl
+              jellyfin-vue                    IN      CNAME   traefik-cl01tl
               jellystat                       IN      CNAME   traefik-cl01tl
               kiwix                           IN      CNAME   traefik-cl01tl
               komodo                          IN      CNAME   traefik-cl01tl
@@ -142,7 +143,6 @@ blocky:
               ollama                          IN      CNAME   traefik-cl01tl
               omni-tools                      IN      CNAME   traefik-cl01tl
               overseerr                       IN      CNAME   traefik-cl01tl
-              pgadmin                         IN      CNAME   traefik-cl01tl
               photoview                       IN      CNAME   traefik-cl01tl
               plex                            IN      CNAME   traefik-cl01tl
               postiz                          IN      CNAME   traefik-cl01tl
@@ -301,3 +301,10 @@ blocky:
               readOnly: true
               mountPropagation: None
               subPath: config.yml
+redis-replication:
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 3
+  redisSentinel:
+    enabled: false

clusters/cl01tl/helm/booklore/Chart.lock

@@ -5,5 +5,11 @@ dependencies:
 - name: mariadb-cluster
   repository: https://helm.mariadb.com/mariadb-operator
   version: 25.10.2
-digest: sha256:58d978bd46c61285b06acc6d9a40404d8059f2df7b953dea13c528b35350d0a8
+- name: volsync-target
-generated: "2025-12-05T17:03:15.7199669Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.0
+- name: volsync-target
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.0
+digest: sha256:bc29fb12a2a7fde74e243be7ee4c22f4de82cdb6867ab95ddbd47e1d755b8a82
+generated: "2025-12-18T02:43:39.236584539Z"

clusters/cl01tl/helm/booklore/Chart.yaml

@@ -20,5 +20,13 @@ dependencies:
   - name: mariadb-cluster
     version: 25.10.2
     repository: https://helm.mariadb.com/mariadb-operator
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.6.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.6.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png
 appVersion: v1.13.2

clusters/cl01tl/helm/booklore/templates/external-secret.yaml

@@ -43,234 +43,6 @@ spec:
         metadataPolicy: None
         property: psk.txt
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_SECRET_ACCESS_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-data-backup-secret-local
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-secret-local
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-local
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-local
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_SECRET_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-data-backup-secret-remote
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-secret-remote
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-remote
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-remote
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_SECRET_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-data-backup-secret-external
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-secret-external
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_SECRET_ACCESS_KEY
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret

clusters/cl01tl/helm/booklore/templates/namespace.yaml

@@ -8,3 +8,6 @@ metadata:
     app.kubernetes.io/name: booklore
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/booklore/templates/replication-source.yaml

@@ -15,115 +15,3 @@ spec:
     keySecret: booklore-data-replication-secret
     address: volsync-rsync-tls-dst-booklore-data-replication-destination
     copyMethod: Snapshot
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-data-backup-source-local
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-source-local
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-data
-  trigger:
-    schedule: 0 2 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-data-backup-secret-local
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-data-backup-source-remote
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-source-remote
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-data
-  trigger:
-    schedule: 0 3 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-data-backup-secret-remote
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-data-backup-source-external
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-source-external
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-data
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-data-backup-secret-external
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi

clusters/cl01tl/helm/booklore/values.yaml

@@ -9,7 +9,7 @@ booklore:
         main:
           image:
             repository: ghcr.io/booklore-app/booklore
-            tag: v1.13.2
+            tag: v1.14.1
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -41,6 +41,7 @@ booklore:
           protocol: HTTP
   persistence:
     config:
+      forceRename: booklore-config
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
@@ -51,6 +52,7 @@ booklore:
             - path: /app/data
               readOnly: false
     data:
+      forceRename: booklore-data
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 10Gi
@@ -119,7 +121,8 @@ mariadb-cluster:
         suspend: false
         immediate: true
       compression: gzip
-      maxRetention: 720h
+      maxRetention: 2160h
+      successfulJobsHistoryLimit: 1
       storage:
         s3:
           bucket: mariadb-backups-b230a2f5aecf080a4b372c08
@@ -134,6 +137,28 @@ mariadb-cluster:
             key: secret
           tls:
             enabled: true
+    - name: backup-remote
+      schedule:
+        cron: "0 0 * * 0"
+        suspend: false
+        immediate: true
+      compression: gzip
+      maxRetention: 2160h
+      successfulJobsHistoryLimit: 1
+      storage:
+        s3:
+          bucket: mariadb-backups
+          prefix: cl01tl/booklore
+          endpoint: garage-ps10rp.boreal-beaufort.ts.net:3900
+          region: us-east-1
+          accessKeyIdSecretKeyRef:
+            name: booklore-mariadb-cluster-backup-secret-garage
+            key: access
+          secretAccessKeySecretKeyRef:
+            name: booklore-mariadb-cluster-backup-secret-garage
+            key: secret
+          tls:
+            enabled: true
     - name: backup-garage
       schedule:
         cron: "0 0 * * *"
@@ -141,6 +166,7 @@ mariadb-cluster:
         immediate: true
       compression: gzip
       maxRetention: 360h
+      successfulJobsHistoryLimit: 1
       storage:
         s3:
           bucket: mariadb-backups
@@ -153,3 +179,16 @@ mariadb-cluster:
           secretAccessKeySecretKeyRef:
             name: booklore-mariadb-cluster-backup-secret-garage
             key: secret
+volsync-target-config:
+  pvcTarget: booklore-config
+volsync-target-data:
+  pvcTarget: booklore-data
+  local:
+    restic:
+      cacheCapacity: 10Gi
+  remote:
+    restic:
+      cacheCapacity: 10Gi
+  external:
+    restic:
+      cacheCapacity: 10Gi

clusters/cl01tl/helm/cilium/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: cilium
   repository: https://helm.cilium.io/
-  version: 1.18.4
+  version: 1.18.5
-digest: sha256:e38eb92ee87c9a52b0f45a2451142ade02bac7d484b246d32379eacce3800bc8
+digest: sha256:b997853961dca1ed43d32b58b17e6e592581eb555db0b1457b168251cf3aaa45
-generated: "2025-12-02T17:17:49.043599-06:00"
+generated: "2025-12-17T16:05:05.870297681Z"

clusters/cl01tl/helm/cilium/Chart.yaml

@@ -15,7 +15,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: cilium
-    version: 1.18.4
+    version: 1.18.5
     repository: https://helm.cilium.io/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png
 appVersion: 1.18.4

clusters/cl01tl/helm/code-server/Chart.lock

@@ -4,6 +4,9 @@ dependencies:
   version: 4.5.0
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.23.2
+  version: 2.1.4
-digest: sha256:3cf78630cd7670e1157a87fc7ccbeca248ef4ced8a3170e69140ea3e1b0ff564
+- name: volsync-target
-generated: "2025-12-07T02:54:11.675097664Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.0
+digest: sha256:8f24ac0aa7245c517cd68f4e9fb97de110620922b9bbdf3270e83aa4ad201324
+generated: "2025-12-18T02:43:53.325443712Z"

clusters/cl01tl/helm/code-server/Chart.yaml

@@ -21,8 +21,11 @@ dependencies:
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
   - name: cloudflared
-    alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.23.2
+    version: 2.1.4
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.6.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
 appVersion: 4.106.3

clusters/cl01tl/helm/code-server/templates/external-secret.yaml

@@ -26,26 +26,3 @@ spec:
         key: /cl01tl/code-server/auth
         metadataPolicy: None
         property: SUDO_PASSWORD
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: code-server-cloudflared-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: code-server-cloudflared-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: cf-tunnel-token
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cloudflare/tunnels/codeserver
-        metadataPolicy: None
-        property: token

clusters/cl01tl/helm/code-server/templates/persistent-volume-claim.yaml

@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: code-server-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: code-server-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeMode: Filesystem
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi

clusters/cl01tl/helm/code-server/values.yaml

@@ -9,7 +9,7 @@ code-server:
         main:
           image:
             repository: ghcr.io/linuxserver/code-server
-            tag: 4.106.3@sha256:83793e4460090d6c46f4842ff6ab8aa26ad8a567885112bbe754b45c61935055
+            tag: 4.107.0@sha256:0d48d3a48b7db214556bea453ed371f0d295130fb5c3d43534aedb41627446f2
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -37,11 +37,20 @@ code-server:
           protocol: HTTP
   persistence:
     config:
-      existingClaim: code-server-nfs-storage
+      forceRename: code-server-config
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 2Gi
+      retain: true
       advancedMounts:
         main:
           main:
             - path: /config
               readOnly: false
-cloudflared:
+volsync-target-config:
-  existingSecretName: code-server-cloudflared-secret
+  pvcTarget: code-server-config
+  moverSecurityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    fsGroupChangePolicy: OnRootMismatch

clusters/cl01tl/helm/directus/Chart.lock

@@ -4,9 +4,12 @@ dependencies:
   version: 4.5.0
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.23.2
+  version: 2.1.4
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.3
-digest: sha256:636b200b79efdd6ea36afdf29a5e85f3741b362dfcbf2af47c7aff9e55f02812
+- name: redis-replication
-generated: "2025-12-11T16:47:16.317535-06:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:a4edd6afdd831350f1d131192eed82da6673fd0f37b4bab7a139e51efb4b717a
+generated: "2025-12-17T19:05:49.085243-06:00"

clusters/cl01tl/helm/directus/Chart.yaml

@@ -22,12 +22,14 @@ dependencies:
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
   - name: cloudflared
-    alias: cloudflared-directus
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.23.2
+    version: 2.1.4
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.3
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 appVersion: 11.14.0

clusters/cl01tl/helm/directus/templates/external-secret.yaml

@@ -41,6 +41,36 @@ spec:
         metadataPolicy: None
         property: key
 
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: OIDC_CLIENT_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/directus
+        metadataPolicy: None
+        property: client
+    - secretKey: OIDC_CLIENT_SECRET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/directus
+        metadataPolicy: None
+        property: secret
+
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -94,59 +124,6 @@ spec:
         metadataPolicy: None
         property: password
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-oidc-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-oidc-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: OIDC_CLIENT_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /authentik/oidc/directus
-        metadataPolicy: None
-        property: client
-    - secretKey: OIDC_CLIENT_SECRET
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /authentik/oidc/directus
-        metadataPolicy: None
-        property: secret
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-cloudflared-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-cloudflared-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: cf-tunnel-token
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cloudflare/tunnels/directus
-        metadataPolicy: None
-        property: token
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret

clusters/cl01tl/helm/directus/templates/redis-replication.yaml

@@ -1,35 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-directus
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-directus
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    redisSecret:
-      name: directus-redis-config
-      key: password
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1

clusters/cl01tl/helm/directus/templates/redis-sentinel.yaml

@@ -1,30 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisSentinel
-metadata:
-  name: redis-sentinel-directus
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-sentinel-directus
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  redisSentinelConfig:
-    redisReplicationName: redis-replication-directus
-    redisReplicationPassword:
-      secretKeyRef:
-        name: directus-redis-config
-        key: password
-  kubernetesConfig:
-    image: quay.io/opstree/redis-sentinel:v8.4.0
-    imagePullPolicy: IfNotPresent
-    redisSecret:
-      name: directus-redis-config
-      key: password
-    resources:
-      requests:
-        cpu: 10m
-        memory: 128Mi

clusters/cl01tl/helm/directus/templates/service-monitor.yaml

@@ -20,24 +20,3 @@ spec:
       bearerTokenSecret:
         name: directus-metric-token
         key: metric-token
-
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-directus
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-directus
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/directus/values.yaml

@@ -153,23 +153,13 @@ directus:
           port: 80
           targetPort: 8055
           protocol: TCP
-cloudflared-directus:
-  name: cloudflared-directus
-  existingSecretName: directus-cloudflared-secret
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
@@ -179,11 +169,6 @@ postgres-18-cluster:
       endpointCredentials: directus-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/directus/directus-postgresql-18-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-18-cluster
         index: 1
@@ -192,6 +177,11 @@ postgres-18-cluster:
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/directus/directus-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-18-cluster
       #   index: 1
@@ -202,18 +192,28 @@ postgres-18-cluster:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
+      # - name: daily-backup
+      #   suspend: false
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
       # - name: weekly-backup
       #   suspend: false
       #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+redis-replication:
+  existingSecret:
+    enabled: true
+    name: directus-redis-config
+    key: password
+  redisReplication:
+    clusterSize: 3
+  redisSentinel:
+    enabled: true
+    clusterSize: 3

clusters/cl01tl/helm/element-web/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 1.4.26
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.23.2
+  version: 2.1.4
-digest: sha256:f9196cbede894c6da6ecedd9ae05d3f1fd0e20304eca8ca38c18334a923b2235
+digest: sha256:640ff55a95ff9fd12716bc76106d13189867832f905eaa393b5f67553bd8c961
-generated: "2025-12-07T02:54:29.895481505Z"
+generated: "2025-12-17T19:05:53.062353-06:00"

clusters/cl01tl/helm/element-web/Chart.yaml

@@ -20,8 +20,7 @@ dependencies:
     version: 1.4.26
     repository: https://ananace.gitlab.io/charts
   - name: cloudflared
-    alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.23.2
+    version: 2.1.4
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
 appVersion: v1.12.6

clusters/cl01tl/helm/element-web/templates/external-secret.yaml

@@ -1,21 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: element-web-cloudflared-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: element-web-cloudflared-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: cf-tunnel-token
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cloudflare/tunnels/element
-        metadataPolicy: None
-        property: token

clusters/cl01tl/helm/element-web/values.yaml

@@ -2,7 +2,7 @@ element-web:
   replicaCount: 1
   image:
     repository: vectorim/element-web
-    tag: v1.12.6
+    tag: v1.12.7
     pullPolicy: IfNotPresent
   defaultServer:
     url: https://matrix.alexlebens.dev
@@ -24,5 +24,3 @@ element-web:
     requests:
       cpu: 10m
       memory: 128Mi
-cloudflared:
-  existingSecretName: element-web-cloudflared-secret

clusters/cl01tl/helm/ephemera/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:b08b2d3923734ba8844754727803a4b4e1de2ad418c3f755ccd64927266c1b5c
+- name: volsync-target
-generated: "2025-12-05T17:04:04.30013278Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.0
+digest: sha256:c6d6edb1e46805147b2b8bc9371e807113480c9a97687c5a856cf7b64a204cbd
+generated: "2025-12-18T02:44:09.319124495Z"

clusters/cl01tl/helm/ephemera/Chart.yaml

@@ -19,5 +19,9 @@ dependencies:
     alias: ephemera
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.6.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ephemera.png
 appVersion: 1.3.1

clusters/cl01tl/helm/ephemera/templates/external-secret.yaml

@@ -42,60 +42,3 @@ spec:
         key: /cl01tl/ephemera/config
         metadataPolicy: None
         property: ntfy-url
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: ephemera-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: ephemera-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/ephemera/ephemera-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/helm/ephemera/templates/replication-source.yaml

@@ -1,26 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: ephemera-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: ephemera-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: ephemera
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: ephemera-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi

clusters/cl01tl/helm/ephemera/values.yaml

@@ -52,7 +52,7 @@ ephemera:
         apprise-api:
           image:
             repository: caronc/apprise
-            tag: 1.2.6
+            tag: 1.3.0
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -82,6 +82,7 @@ ephemera:
           protocol: HTTP
   persistence:
     config:
+      forceRename: ephemera
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
@@ -105,3 +106,5 @@ ephemera:
           main:
             - path: /app/ingest
               readOnly: false
+volsync-target-config:
+  pvcTarget: ephemera

clusters/cl01tl/helm/freshrss/Chart.lock

@@ -4,9 +4,12 @@ dependencies:
   version: 4.5.0
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.23.2
+  version: 2.1.4
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.3
-digest: sha256:dc8829a1f2cea88033bfda5d412dee8124154e26bfbe9e1bd67b8bb351ad7904
+- name: volsync-target
-generated: "2025-12-11T17:07:50.35548-06:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.0
+digest: sha256:e2f6634a8effedd8545a2973c421ddf0ab99dfe05af3e442d85a6af0327de90b
+generated: "2025-12-18T02:44:21.564532423Z"

clusters/cl01tl/helm/freshrss/Chart.yaml

@@ -22,12 +22,15 @@ dependencies:
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
   - name: cloudflared
-    alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.23.2
+    version: 2.1.4
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.3
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.6.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/freshrss.png
 appVersion: 1.27.1

clusters/cl01tl/helm/freshrss/templates/external-secret.yaml

@@ -71,86 +71,6 @@ spec:
         metadataPolicy: None
         property: crypto-key
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: freshrss-cloudflared-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: freshrss-cloudflared-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: cf-tunnel-token
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cloudflare/tunnels/freshrss
-        metadataPolicy: None
-        property: token
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: freshrss-data-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: freshrss-data-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/freshrss/freshrss-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret

clusters/cl01tl/helm/freshrss/templates/replication-source.yaml

@@ -1,35 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: freshrss-data-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: freshrss-data-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: freshrss-data
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: freshrss-data-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    moverSecurityContext:
-      runAsUser: 568
-      runAsGroup: 568
-      fsGroup: 568
-      fsGroupChangePolicy: OnRootMismatch
-      supplementalGroups:
-        - 44
-        - 100
-        - 109
-        - 65539
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/freshrss/values.yaml

@@ -11,7 +11,7 @@ freshrss:
             runAsUser: 0
           image:
             repository: alpine
-            tag: 3.23.0
+            tag: 3.23.2
             pullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -35,7 +35,7 @@ freshrss:
             runAsUser: 0
           image:
             repository: alpine
-            tag: 3.23.0
+            tag: 3.23.2
             pullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -59,7 +59,7 @@ freshrss:
             runAsUser: 0
           image:
             repository: alpine
-            tag: 3.23.0
+            tag: 3.23.2
             pullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -163,6 +163,7 @@ freshrss:
           protocol: HTTP
   persistence:
     data:
+      forceRename: freshrss-data
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
@@ -191,22 +192,13 @@ freshrss:
           main:
             - path: /var/www/FreshRSS/extensions
               readOnly: false
-cloudflared:
-  existingSecretName: freshrss-cloudflared-secret
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
@@ -216,11 +208,6 @@ postgres-18-cluster:
       endpointCredentials: freshrss-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/freshrss/freshrss-postgresql-18-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-18-cluster
         index: 1
@@ -229,6 +216,11 @@ postgres-18-cluster:
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/freshrss/freshrss-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-18-cluster
       #   index: 1
@@ -239,18 +231,30 @@ postgres-18-cluster:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: weekly-backup
+      # - name: daily-backup
       #   suspend: false
       #   immediate: true
-      #   schedule: "0 2 4 * * SAT"
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
+      #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+volsync-target-data:
+  pvcTarget: freshrss-data
+  moverSecurityContext:
+    runAsUser: 568
+    runAsGroup: 568
+    fsGroup: 568
+    fsGroupChangePolicy: OnRootMismatch
+    supplementalGroups:
+      - 44
+      - 100
+      - 109
+      - 65539

clusters/cl01tl/helm/garage/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:36e920ce6efee3b33b40641652f814c888ae3c50272895ef286fb8236a010924
+- name: volsync-target
-generated: "2025-12-05T17:04:29.153093714Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.0
+digest: sha256:61c919869d56032bfa09b2e159a6b2dd2a43debf34968be2d66cf2211100a2c5
+generated: "2025-12-18T02:44:33.509296082Z"

clusters/cl01tl/helm/garage/Chart.yaml

@@ -18,5 +18,9 @@ dependencies:
     alias: garage
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-db
+    version: 0.6.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 appVersion: v2.1.0

clusters/cl01tl/helm/garage/values.yaml

@@ -123,9 +123,10 @@ garage:
               mountPropagation: None
               subPath: garage.toml
     db:
+      forceRename: garage-db
       storageClass: ceph-block
       accessMode: ReadWriteOnce
-      size: 10Gi
+      size: 50Gi
       retain: true
       advancedMounts:
         main:
@@ -152,3 +153,12 @@ garage:
           main:
             - path: /var/lib/garage/snapshots
               readOnly: false
+volsync-target-db:
+  pvcTarget: garage-db
+  local:
+    enabled: false
+  remote:
+    restic:
+      cacheCapacity: 10Gi
+  external:
+    enabled: false

clusters/cl01tl/helm/gatus/Chart.lock

@@ -4,6 +4,9 @@ dependencies:
   version: 1.4.4
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.3
-digest: sha256:11d46f37e9f98a5562239e1b827a4caccc0ca14dc738681465e27ef5c5edd6d0
+- name: volsync-target
-generated: "2025-12-11T17:23:01.072262-06:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.0
+digest: sha256:74d021b2678ebf78f49dd4b2c59e93a1ed48f316182051ced8d98a5918d811f7
+generated: "2025-12-18T02:44:45.464671146Z"

clusters/cl01tl/helm/gatus/Chart.yaml

@@ -22,7 +22,11 @@ dependencies:
     version: 1.4.4
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.3
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.6.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/gatus.png
 appVersion: v5.33.0

clusters/cl01tl/helm/gatus/values.yaml

@@ -7,7 +7,7 @@ gatus:
     enabled: true
   image:
     repository: ghcr.io/twin/gatus
-    tag: v5.33.0
+    tag: v5.33.1
   annotations:
     reloader.stakater.com/auto: "true"
   service:
@@ -122,6 +122,9 @@ gatus:
       - name: jellyfin
         url: https://jellyfin.alexlebens.net
         <<: *defaults
+      - name: jellyfin-vue
+        url: https://jellyfin-vue.alexlebens.net
+        <<: *defaults
       - name: overseerr
         url: https://overseerr.alexlebens.net
         <<: *defaults
@@ -254,9 +257,6 @@ gatus:
       - name: garage
         url: https://garage-webui.alexlebens.net
         <<: *defaults
-      - name: pgadmin
-        url: https://pgadmin.alexlebens.net
-        <<: *defaults
       - name: whodb
         url: https://whodb.alexlebens.net
         <<: *defaults
@@ -376,17 +376,10 @@ gatus:
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
@@ -396,19 +389,19 @@ postgres-18-cluster:
       endpointCredentials: gatus-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gatus/gatus-postgresql-18-cluster
-        index: 2
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/gatus/gatus-postgresql-18-cluster
         index: 1
         endpointURL: http://garage-main.garage:3900
-        endpointCredentials: gatus-postgresql-17-cluster-backup-secret-garage
+        endpointCredentials: gatus-postgresql-18-cluster-backup-secret-garage
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gatus/gatus-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/gatus/gatus-postgresql-18-cluster
       #   index: 1
@@ -419,18 +412,20 @@ postgres-18-cluster:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: weekly-backup
+      # - name: daily-backup
       #   suspend: false
       #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+volsync-target-data:
+  pvcTarget: gatus

clusters/cl01tl/helm/generic-device-plugin/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: generic-device-plugin
   repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-  version: 0.20.6
+  version: 0.20.8
-digest: sha256:259465f8536594c9edb2d24ffa3bc95fcbe867421d776829143f45644797f325
+digest: sha256:166bd29d6e7c70d6a5ffae32b6a140535bc08211140b40cadd93596aa8f4be5f
-generated: "2025-12-13T00:08:10.184445232Z"
+generated: "2025-12-16T18:01:57.978660845Z"

clusters/cl01tl/helm/generic-device-plugin/Chart.yaml

@@ -15,6 +15,6 @@ maintainers:
 dependencies:
   - name: generic-device-plugin
     repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-    version: 0.20.6
+    version: 0.20.8
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 appVersion: 1.0.0

clusters/cl01tl/helm/gitea/Chart.lock

@@ -5,17 +5,23 @@ dependencies:
 - name: gitea-actions
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.2.1
-- name: app-template
-  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.5.0
 - name: meilisearch
   repository: https://meilisearch.github.io/meilisearch-kubernetes
-  version: 0.18.0
+  version: 0.19.0
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.23.2
+  version: 2.1.4
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.3
-digest: sha256:afa4fbe4d179ff78eeccdffafab61ddd2bdfec80be2e8251aa90ad130a29c81a
+- name: redis-replication
-generated: "2025-12-12T21:03:12.259080988Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+- name: redis-replication
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+- name: volsync-target
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.0
+digest: sha256:f09550045ca1edf54682da6f55dfc596c1849c42244ee50bb797e6fe1148fc55
+generated: "2025-12-18T02:44:58.69768Z"

clusters/cl01tl/helm/gitea/Chart.yaml

@@ -31,20 +31,27 @@ dependencies:
   - name: gitea-actions
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 0.2.1
-  - name: app-template
-    alias: backup
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.5.0
   - name: meilisearch
-    version: 0.18.0
+    version: 0.19.0
     repository: https://meilisearch.github.io/meilisearch-kubernetes
   - name: cloudflared
-    alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.23.2
+    version: 2.1.4
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.3
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    alias: redis-replication-gitea
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    alias: redis-replication-renovate
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-storage
+    version: 0.6.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/gitea.png
 appVersion: 1.25.2

clusters/cl01tl/helm/gitea/templates/external-secret.yaml

@@ -168,36 +168,6 @@ spec:
         metadataPolicy: None
         property: id_rsa.pub
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-s3cmd-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-s3cmd-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: .s3cfg
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/gitea-backup
-        metadataPolicy: None
-        property: s3cfg
-    - secretKey: BUCKET
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/gitea-backup
-        metadataPolicy: None
-        property: BUCKET
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -227,29 +197,6 @@ spec:
         metadataPolicy: None
         property: MEILI_MASTER_KEY
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-cloudflared-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-cloudflared-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: cf-tunnel-token
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cloudflare/tunnels/gitea
-        metadataPolicy: None
-        property: token
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret

clusters/cl01tl/helm/gitea/templates/persistent-volume-claim.yaml

@@ -1,24 +1,5 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
-metadata:
-  name: gitea-nfs-storage-backup
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-nfs-storage-backup
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeMode: Filesystem
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
 metadata:
   name: gitea-themes-storage
   namespace: {{ .Release.Namespace }}
@@ -28,9 +9,9 @@ metadata:
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   volumeMode: Filesystem
-  storageClassName: nfs-client
+  storageClassName: ceph-filesystem
   accessModes:
-    - ReadWriteOnce
+    - ReadWriteMany
   resources:
     requests:
       storage: 1Gi

clusters/cl01tl/helm/gitea/templates/redis-replication.yaml

@@ -1,66 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-gitea
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 10Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1
-
----
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-renovate
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-renovate
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1

clusters/cl01tl/helm/gitea/templates/redis-sentinel.yaml

@@ -1,23 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisSentinel
-metadata:
-  name: redis-sentinel-gitea
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-sentinel-gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  redisSentinelConfig:
-    redisReplicationName: redis-replication-gitea
-  kubernetesConfig:
-    image: quay.io/opstree/redis-sentinel:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 10m
-        memory: 128Mi

clusters/cl01tl/helm/gitea/templates/role-binding.yaml

@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: gitea-backup
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-backup
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: gitea-backup
-subjects:
-  - kind: ServiceAccount
-    name: gitea-backup
-    namespace: {{ .Release.Namespace }}

clusters/cl01tl/helm/gitea/templates/role.yaml

@@ -1,25 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: gitea-backup
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-backup
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-      - pods/exec
-    verbs:
-      - create
-      - list
-  - apiGroups:
-      - apps
-    resources:
-      - deployments
-    verbs:
-      - get
-      - list

clusters/cl01tl/helm/gitea/templates/service-monitor.yaml

@@ -14,24 +14,3 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
   endpoints:
     - port: http
-
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-gitea
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/gitea/values.yaml

@@ -4,7 +4,7 @@ gitea:
   replicaCount: 3
   image:
     repository: gitea/gitea
-    tag: 1.25.2
+    tag: 1.25.3
   service:
     http:
       type: ClusterIP
@@ -22,9 +22,6 @@ gitea:
     accessModes:
       - ReadWriteMany
   extraVolumes:
-    - name: gitea-nfs-storage-backup
-      persistentVolumeClaim:
-        claimName: gitea-nfs-storage-backup
     - name: gitea-themes-storage
       persistentVolumeClaim:
         claimName: gitea-themes-storage
@@ -33,9 +30,6 @@ gitea:
       readOnly: false
       mountPath: /data/gitea/public/assets/css
   extraContainerVolumeMounts:
-    - mountPath: /opt/backup
-      name: gitea-nfs-storage-backup
-      readOnly: false
     - name: gitea-themes-storage
       readOnly: true
       mountPath: /data/gitea/public/assets/css
@@ -171,133 +165,6 @@ gitea-actions:
   existingSecret: gitea-runner-secret
   existingSecretKey: token
   giteaRootURL: http://gitea-http.gitea:3000
-backup:
-  global:
-    nameOverride: gitea-backup
-    fullnameOverride: gitea-backup
-  controllers:
-    backup:
-      type: cronjob
-      cronjob:
-        suspend: false
-        concurrencyPolicy: Forbid
-        timeZone: US/Central
-        schedule: 0 4 */2 * *
-        startingDeadlineSeconds: 90
-        successfulJobsHistory: 3
-        failedJobsHistory: 3
-        backoffLimit: 3
-        parallelism: 1
-      serviceAccount:
-        name: gitea-backup
-      pod:
-        automountServiceAccountToken: true
-        labels:
-          app.kubernetes.io/instance: gitea-backup
-          app.kubernetes.io/name: gitea-backup
-      initContainers:
-        backup:
-          image:
-            repository: bitnami/kubectl
-            tag: latest
-            pullPolicy: IfNotPresent
-          command:
-            - sh
-          args:
-            - -ec
-            - |
-              kubectl exec -it deploy/gitea -n gitea -- rm -f /opt/backup/gitea-backup.zip;
-              kubectl exec -it deploy/gitea -n gitea -- /app/gitea/gitea dump -c /data/gitea/conf/app.ini --file /opt/backup/gitea-backup.zip;
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-      containers:
-        s3-backup:
-          image:
-            repository: d3fk/s3cmd
-            tag: latest@sha256:a4ef406e37628ee56e608b1567aeb0345e51142f56741b715322111be3b6ebcc
-            pullPolicy: IfNotPresent
-          command:
-            - /bin/sh
-          args:
-            - -ec
-            - |
-              echo ">> Running S3 backup for Gitea"
-              s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/gitea-backup.zip ${BUCKET}/cl01tl/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
-              mv /opt/backup/gitea-backup.zip /opt/backup/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
-              echo ">> Completed S3 backup for Gitea"
-          env:
-            - name: BUCKET
-              valueFrom:
-                secretKeyRef:
-                  name: gitea-s3cmd-config
-                  key: BUCKET
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-        s3-prune:
-          image:
-            repository: d3fk/s3cmd
-            tag: latest@sha256:a4ef406e37628ee56e608b1567aeb0345e51142f56741b715322111be3b6ebcc
-            pullPolicy: IfNotPresent
-          command:
-            - /bin/sh
-          args:
-            - -ec
-            - |
-              export DATE_RANGE=$(date -d @$(( $(date +%s) - 604800 )) +%Y%m%d);
-              export FILE_MATCH="$BUCKET/cl01tl/gitea-backup-$DATE_RANGE-09-00.zip"
-              echo ">> Running S3 prune for Gitea backup repository"
-              echo ">> Backups prior to '$DATE_RANGE' will be removed"
-              echo ">> Backups to be removed:"
-              s3cmd ls ${BUCKET}/cl01tl/ |
-                awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}'
-              echo ">> Deleting ..."
-              s3cmd ls ${BUCKET}/cl01tl/ |
-                awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}' |
-                while read file; do
-                  s3cmd del "$file";
-                done;
-              echo ">> Completed S3 prune for Gitea backup repository"
-          env:
-            - name: BUCKET
-              valueFrom:
-                secretKeyRef:
-                  name: gitea-s3cmd-config
-                  key: BUCKET
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-  serviceAccount:
-    gitea-backup:
-      enabled: true
-  persistence:
-    config:
-      existingClaim: gitea-nfs-storage-backup
-      advancedMounts:
-        backup:
-          s3-backup:
-            - path: /opt/backup
-              readOnly: false
-    s3cmd-config:
-      enabled: true
-      type: secret
-      name: gitea-s3cmd-config
-      advancedMounts:
-        backup:
-          s3-backup:
-            - path: /root/.s3cfg
-              readOnly: true
-              mountPropagation: None
-              subPath: .s3cfg
-          s3-prune:
-            - path: /root/.s3cfg
-              readOnly: true
-              mountPropagation: None
-              subPath: .s3cfg
 meilisearch:
   environment:
     MEILI_NO_ANALYTICS: true
@@ -318,22 +185,13 @@ meilisearch:
       memory: 128Mi
   serviceMonitor:
     enabled: true
-cloudflared:
-  existingSecretName: gitea-cloudflared-secret
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
     resources:
       requests:
         memory: 1Gi
@@ -347,11 +205,6 @@ postgres-18-cluster:
       endpointCredentials: gitea-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-18-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-18-cluster
         index: 1
@@ -360,6 +213,11 @@ postgres-18-cluster:
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-18-cluster
       #   index: 1
@@ -370,18 +228,71 @@ postgres-18-cluster:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: weekly-backup
+      # - name: daily-backup
       #   suspend: false
       #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+redis-replication-gitea:
+  replicationNameOverride: redis-replication-gitea
+  sentinelNameOverride: redis-sentinel-gitea
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 3
+    resources:
+      requests:
+        cpu: 20m
+        memory: 400Mi
+    volumeClaimTemplate:
+      spec:
+        resources:
+          requests:
+            storage: 10Gi
+  redisSentinel:
+    enabled: true
+    clusterSize: 3
+redis-replication-renovate:
+  replicationNameOverride: redis-replication-renovate
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 1
+  redisSentinel:
+    enabled: false
+volsync-target-storage:
+  pvcTarget: gitea-shared-storage
+  moverSecurityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    fsGroupChangePolicy: OnRootMismatch
+  local:
+    enabled: true
+    schedule: 0 0 0 * * *
+    restic:
+      pruneIntervalDays: 3
+      retain:
+        hourly: 1
+        daily: 1
+        weekly: 3
+        monthly: 0
+        yearly: 0
+      copyMethod: Snapshot
+      storageClassName: ceph-filesystem
+      volumeSnapshotClassName: ceph-filesystem-snapshot
+      cacheCapacity: 10Gi
+  external:
+    enabled: false
+  remote:
+    enabled: false

clusters/cl01tl/helm/grafana-operator/Chart.lock

@@ -1,9 +1,15 @@
 dependencies:
 - name: grafana-operator
   repository: https://grafana.github.io/helm-charts
-  version: v5.20.0
+  version: 5.21.3
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.3
-digest: sha256:9640766b4a15b50a759edbc8a2aad816f9240be72bf06364acb387464245d51a
+- name: redis-replication
-generated: "2025-12-11T19:19:12.375716-06:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+- name: redis-replication
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:365d2278759e660dd77e390100d6836cc464a11fed69637aae0e6862b78430df
+generated: "2025-12-18T02:40:54.026064824Z"

clusters/cl01tl/helm/grafana-operator/Chart.yaml

@@ -17,11 +17,19 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: grafana-operator
-    version: v5.20.0
+    version: 5.21.3
     repository: https://grafana.github.io/helm-charts
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.3
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    alias: redis-replication-unified-alerting
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    alias: redis-replication-remote-cache
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/grafana.png
 appVersion: v5.20.0

clusters/cl01tl/helm/grafana-operator/templates/redis-replication.yaml

@@ -1,66 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-unified-alerting
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-unified-alerting
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1
-
----
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-remote-cache
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-remote-cache
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1

clusters/cl01tl/helm/grafana-operator/templates/service-monitor.yaml

@@ -1,19 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-grafana-operator
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-grafana-operator
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/grafana-operator/values.yaml

@@ -15,17 +15,10 @@ grafana-operator:
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
@@ -35,11 +28,6 @@ postgres-18-cluster:
       endpointCredentials: grafana-operator-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/grafana-operator/grafana-operator-postgresql-18-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/grafana-operator/grafana-operator-postgresql-18-cluster
         index: 1
@@ -48,6 +36,11 @@ postgres-18-cluster:
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/grafana-operator/grafana-operator-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/grafana-operator/grafana-operator-postgresql-18-cluster
       #   index: 1
@@ -58,18 +51,36 @@ postgres-18-cluster:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: weekly-backup
+      # - name: daily-backup
       #   suspend: false
       #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+redis-replication-unified-alerting:
+  replicationNameOverride: redis-replication-unified-alerting
+  sentinelNameOverride: redis-sentinel-unified-alerting
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 3
+  redisSentinel:
+    enabled: true
+    clusterSize: 3
+redis-replication-remote-cache:
+  replicationNameOverride: redis-replication-remote-cache
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 1
+  redisSentinel:
+    enabled: false

clusters/cl01tl/helm/harbor/Chart.lock

@@ -4,6 +4,9 @@ dependencies:
   version: 1.18.1
 - name: postgres-cluster
   repository: https://gitea.alexlebens.net/api/packages/alexlebens/helm
-  version: 6.16.1
+  version: 7.1.3
-digest: sha256:a8f5d259fb93f933050c498d9271a5b8606594c968a360f8be151f47b3feb49d
+- name: redis-replication
-generated: "2025-12-11T20:49:18.650522-06:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:8c13446e75a900ff8f217ce56dda82c0128fd7d08b6c2d4db17ed312d9ec367a
+generated: "2025-12-16T22:02:00.490136294Z"