feat: remove commented files

Reviewed-on: #6095

.gitea/workflows/renovate.yaml

@@ -13,7 +13,7 @@ on:
 jobs:
   renovate:
     runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.129.0@sha256:e4abd88d1d6326fe8a702b38c5ee76487d94b455ba4f305bd904521aba9f5a08
+    container: ghcr.io/renovatebot/renovate:43.132.1@sha256:2ccc5b1f0340593c40e1598547aa98feee4e521a0906a423fe0be0431a733dfa
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

clusters/cl01tl/helm/argocd/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 9.5.1
+  version: 9.5.2
-digest: sha256:52a9bcfdc287dac30b8833cd34654b7e62c864aa3d23bda7644a8acf5f75eb78
+digest: sha256:5d9e6405ee944bf94df6af247164ebb9b8899144853b9a7eafabe8606affe84e
-generated: "2026-04-16T15:57:15.168206017Z"
+generated: "2026-04-19T19:53:40.43789-05:00"

clusters/cl01tl/helm/argocd/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "argocd.labels" -}}
+{{ include "argocd.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "argocd.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/argocd/templates/external-secret.yaml

@@ -1,70 +1,40 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-oidc-secret
+  name: argocd-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: argocd-oidc-secret
+    app.kubernetes.io/name: argocd-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "argocd.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: secret
       remoteRef:
-        key: /authentik/oidc/argocd
+        key: /cl01tl/authentik/oidc/argocd
         property: secret
     - secretKey: client
       remoteRef:
-        key: /authentik/oidc/argocd
+        key: /cl01tk/authentik/oidc/argocd
         property: client
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-notifications-secret
+  name: argocd-notifications-ntfy
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: argocd-notifications-secret
+    app.kubernetes.io/name: argocd-notifications-ntfy
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "argocd.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: ntfy-token
       remoteRef:
-        key: /ntfy/user/cl01tl
+        key: /cl01tl/ntfy/users/cl01tl
         property: token
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: argocd-gitea-repo-infrastructure-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: type
-      remoteRef:
-        key: /cl01tl/argocd/credentials/repo/infrastructure
-        property: type
-    - secretKey: url
-      remoteRef:
-        key: /cl01tl/argocd/credentials/repo/infrastructure
-        property: url
-    - secretKey: sshPrivateKey
-      remoteRef:
-        key: /cl01tl/argocd/credentials/repo/infrastructure
-        property: sshPrivateKey

clusters/cl01tl/helm/argocd/values.yaml

@@ -13,8 +13,8 @@ argo-cd:
         connectors:
         - config:
             issuer: https://authentik.alexlebens.net/application/o/argocd/
-            clientID: $argocd-oidc-secret:client
+            clientID: $argocd-oidc-authentik:client
-            clientSecret: $argocd-oidc-secret:secret
+            clientSecret: $argocd-oidc-authentik:secret
             insecureEnableGroups: true
             scopes:
               - openid
@@ -205,7 +205,7 @@ argo-cd:
     argocdUrl: https://argocd.alexlebens.net
     secret:
       create: false
-      name: argocd-notifications-secret
+      name: argocd-notifications-ntfy
     metrics:
       enabled: true
       serviceMonitor:

clusters/cl01tl/helm/audiobookshelf/Chart.yaml

@@ -32,4 +32,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 # renovate: datasource=github-releases depName=advplyr/audiobookshelf
-appVersion: 2.33.1
+appVersion: 2.33.2

clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl

@@ -0,0 +1,27 @@
+{{/*
+Common labels
+*/}}
+{{- define "audiobookshelf.labels" -}}
+{{ include "audiobookshelf.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "audiobookshelf.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "audiobookshelf.booksNfsName" -}}
+audiobookshelf-books-nfs-storage
+{{- end -}}
+{{- define "audiobookshelf.audiobooksNfsName" -}}
+audiobookshelf-audiobooks-nfs-storage
+{{- end -}}
+{{- define "audiobookshelf.podcastsNfsName" -}}
+audiobookshelf-podcasts-nfs-storage
+{{- end -}}

clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml

@@ -1,18 +1,23 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: audiobookshelf-apprise-config
+  name: audiobookshelf-config-apprise
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-apprise-config
+    app.kubernetes.io/name: audiobookshelf-config-apprise
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "audiobookshelf.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        ntfy-url: "{{ `{{ .internal-endpoint-credential }}` }}/audiobookshelf"
   data:
-    - secretKey: ntfy-url
+    - secretKey: internal-endpoint-credential
       remoteRef:
-        key: /cl01tl/audiobookshelf/apprise
+        key: /cl01tl/ntfy/users/cl01tl
-        property: ntfy-url
+        property: internal-endpoint-credential

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml

@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: audiobookshelf-books-nfs-storage
+  name: {{- include "audiobookshelf.booksNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
+    app.kubernetes.io/name: {{- include "audiobookshelf.booksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "audiobookshelf.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: audiobookshelf-books-nfs-storage
+  volumeName: {{- include "audiobookshelf.booksNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -20,14 +19,13 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: audiobookshelf-audiobooks-nfs-storage
+  name: {{- include "audiobookshelf.audiobooksNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
+    app.kubernetes.io/name: {{- include "audiobookshelf.audiobooksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "audiobookshelf.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: audiobookshelf-audiobooks-nfs-storage
+  volumeName: {{- include "audiobookshelf.audiobooksNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -39,14 +37,13 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: audiobookshelf-podcasts-nfs-storage
+  name: {{- include "audiobookshelf.podcastsNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
+    app.kubernetes.io/name: {{- include "audiobookshelf.podcastsNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "audiobookshelf.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: audiobookshelf-podcasts-nfs-storage
+  volumeName: {{- include "audiobookshelf.podcastsNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: audiobookshelf-books-nfs-storage
+  name: {{- include "audiobookshelf.booksNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
+    app.kubernetes.io/name: {{- include "audiobookshelf.booksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "audiobookshelf.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -26,12 +25,11 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: audiobookshelf-audiobooks-nfs-storage
+  name: {{- include "audiobookshelf.audiobooksNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
+    app.kubernetes.io/name: {{- include "audiobookshelf.audiobooksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "audiobookshelf.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -51,12 +49,11 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: audiobookshelf-podcasts-nfs-storage
+  name: {{- include "audiobookshelf.podcastsNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
+    app.kubernetes.io/name: {{- include "audiobookshelf.podcastsNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "audiobookshelf.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/audiobookshelf/values.yaml

@@ -12,7 +12,7 @@ audiobookshelf:
         main:
           image:
             repository: ghcr.io/advplyr/audiobookshelf
-            tag: 2.33.1@sha256:a4a5841bba093d81e5f4ad1eaedb4da3fda6dbb2528c552349da50ad1f7ae708
+            tag: 2.33.2@sha256:a44ed89b3e845faa1f7d353f2cc89b2fcd8011737dd14075fa963cf9468da3a5
           env:
             - name: TZ
               value: America/Chicago
@@ -40,7 +40,7 @@ audiobookshelf:
             - name: APPRISE_STATELESS_URLS
               valueFrom:
                 secretKeyRef:
-                  name: audiobookshelf-apprise-config
+                  name: audiobookshelf-config-apprise
                   key: ntfy-url
   service:
     main:

clusters/cl01tl/helm/authentik/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "authentik.labels" -}}
+{{ include "authentik.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "authentik.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/authentik/templates/external-secret.yaml

@@ -1,16 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: authentik-key-secret
+  name: authentik-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: authentik-key-secret
+    app.kubernetes.io/name: authentik-key
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "authentik.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: key
       remoteRef:

clusters/cl01tl/helm/authentik/templates/ingress.yaml

@@ -1,13 +1,12 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: authentik-tailscale
+  name: {{ .Release.Name }}-tailscale
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: authentik-tailscale
+    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     tailscale.com/proxy-class: no-metrics
+    {{- include "authentik.labels" . | nindent 4 }}
   annotations:
     tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
 spec:

clusters/cl01tl/helm/authentik/templates/reference-grant.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: allow-outpost-cross-namespace-access
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "authentik.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   from:
     - group: gateway.networking.k8s.io

clusters/cl01tl/helm/authentik/values.yaml

@@ -4,7 +4,7 @@ authentik:
       - name: AUTHENTIK_SECRET_KEY
         valueFrom:
           secretKeyRef:
-            name: authentik-key-secret
+            name: authentik-key
             key: key
       - name: AUTHENTIK_POSTGRESQL__HOST
         valueFrom:

clusters/cl01tl/helm/backrest/templates/_helpers.tpl

@@ -0,0 +1,24 @@
+{{/*
+Common labels
+*/}}
+{{- define "backrest.labels" -}}
+{{ include "backrest.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "backrest.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "backrest.storageNfsName" -}}
+backrest-nfs-storage
+{{- end -}}
+{{- define "backrest.shareNfsName" -}}
+backrest-nfs-share
+{{- end -}}

clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml

@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: backrest-nfs-storage
+  name: {{- include "backrest.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: backrest-nfs-storage
+    app.kubernetes.io/name: {{- include "backrest.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "backrest.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: backrest-nfs-storage
+  volumeName: {{- include "backrest.storageNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -20,14 +19,13 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: backrest-nfs-share
+  name: {{- include "backrest.shareNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: backrest-nfs-share
+    app.kubernetes.io/name: {{- include "backrest.shareNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "backrest.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: backrest-nfs-share
+  volumeName: {{- include "backrest.shareNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: backrest-nfs-storage
+  name: {{- include "backrest.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: backrest-nfs-storage
+    app.kubernetes.io/name: {{- include "backrest.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "backrest.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -26,12 +25,11 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: backrest-nfs-share
+  name: {{- include "backrest.shareNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: backrest-nfs-share
+    app.kubernetes.io/name: {{- include "backrest.shareNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "backrest.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/bazarr/templates/_helpers.tpl

@@ -0,0 +1,21 @@
+{{/*
+Common labels
+*/}}
+{{- define "bazarr.labels" -}}
+{{ include "bazarr.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "bazarr.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "bazarr.storageNfsName" -}}
+bazarr-nfs-storage
+{{- end -}}

clusters/cl01tl/helm/bazarr/templates/external-secret.yaml

@@ -1,16 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: bazarr-key-secret
+  name: bazarr-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: bazarr-key-secret
+    app.kubernetes.io/name: bazarr-key
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "bazarr.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: key
       remoteRef:

clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml

@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: bazarr-nfs-storage
+  name: {{- include "bazarr.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: bazarr-nfs-storage
+    app.kubernetes.io/name: {{- include "bazarr.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "bazarr.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: bazarr-nfs-storage
+  volumeName: {{ .Template.Name }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: bazarr-nfs-storage
+  name: {{- include "bazarr.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: bazarr-nfs-storage
+    app.kubernetes.io/name: {{- include "bazarr.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "bazarr.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/bazarr/values.yaml

@@ -39,7 +39,7 @@ bazarr:
             - name: APIKEY
               valueFrom:
                 secretKeyRef:
-                  name: bazarr-key-secret
+                  name: bazarr-key
                   key: key
             - name: ENABLE_ADDITIONAL_METRICS
               value: false

clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl

@@ -0,0 +1,24 @@
+{{/*
+Common labels
+*/}}
+{{- define "cert-manager.labels" -}}
+{{ include "cert-manager.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cert-manager.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "cert-manager.cloudflareSecretName" -}}
+cert-manager-cloudflare-api-token
+{{- end -}}
+{{- define "cert-manager.cloudflareSecretKey" -}}
+api-token
+{{- end -}}

clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: letsencrypt-issuer
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "cert-manager.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   acme:
     email: alexanderlebens@gmail.com
@@ -22,5 +21,5 @@ spec:
           cloudflare:
             email: alexanderlebens@gmail.com
             apiTokenSecretRef:
-              name: cloudflare-api-token
+              name: {{- include "cert-manager.cloudflareSecretName" . }}
-              key: api-token
+              key: {{- include "cert-manager.cloudflareSecretKey" . }}

clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml

@@ -1,18 +1,17 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: cloudflare-api-token
+  name: {{- include "cert-manager.cloudflareSecretName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: cloudflare-api-token
+    app.kubernetes.io/name: {{- include "cert-manager.cloudflareSecretName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "cert-manager.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
-    - secretKey: api-token
+    - secretKey: {{- include "cert-manager.cloudflareSecretKey" . }}
       remoteRef:
-        key: /cloudflare/alexlebens.net/clusterissuer
+        key: /cloudflare/alexlebens.net/cl01tl-issuer-certificate
         property: token

clusters/cl01tl/helm/cilium/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "cilium.labels" -}}
+{{ include "cilium.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cilium.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml

@@ -1,19 +0,0 @@
-# apiVersion: cilium.io/v2
-# kind: CiliumBGPAdvertisement
-# metadata:
-#   name: cilium-bgp-advertisements
-#   namespace: {{ .Release.Namespace }}
-#   labels:
-#     app.kubernetes.io/name: cilium-bgp-advertisements
-#     app.kubernetes.io/instance: {{ .Release.Name }}
-#     app.kubernetes.io/part-of: {{ .Release.Name }}
-# spec:
-#   advertisements:
-#     - advertisementType: "Service"
-#       service:
-#         addresses:
-#           - ExternalIP
-#           - LoadBalancerIP
-#       selector:
-#         matchExpressions:
-#          - {key: somekey, operator: NotIn, values: ['never-used-value']}

clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml

@@ -1,22 +0,0 @@
-# apiVersion: cilium.io/v2
-# kind: CiliumBGPClusterConfig
-# metadata:
-#   name: cilium-bgp
-#   namespace: {{ .Release.Namespace }}
-#   labels:
-#     app.kubernetes.io/name: cilium-bgp
-#     app.kubernetes.io/instance: {{ .Release.Name }}
-#     app.kubernetes.io/part-of: {{ .Release.Name }}
-# spec:
-#   nodeSelector:
-#     matchLabels:
-#       node-role.kubernetes.io/bgp: "65020"
-#   bgpInstances:
-#     - name: "65020"
-#       localASN: 65020
-#       peers:
-#         - name: "udm-65000"
-#           peerASN: 65000
-#           peerAddress: 192.168.1.1
-#           peerConfigRef:
-#             name: "cilium-peer"

clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml

@@ -1,23 +0,0 @@
-# apiVersion: cilium.io/v2
-# kind: CiliumBGPPeerConfig
-# metadata:
-#   name: cilium-peer
-#   namespace: {{ .Release.Namespace }}
-#   labels:
-#     app.kubernetes.io/name: cilium-peer
-#     app.kubernetes.io/instance: {{ .Release.Name }}
-#     app.kubernetes.io/part-of: {{ .Release.Name }}
-# spec:
-#   timers:
-#     holdTimeSeconds: 9
-#     keepAliveTimeSeconds: 3
-#   ebgpMultihop: 4
-#   gracefulRestart:
-#     enabled: true
-#     restartTimeSeconds: 15
-#   families:
-#     - afi: ipv4
-#       safi: unicast
-#       advertisements:
-#         matchLabels:
-#           app.kubernetes.io/name: cilium-bgp-advertisements

clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: default-ip-pool
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "cilium.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   blocks:
     - start: "10.232.1.21"
@@ -20,8 +19,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: bgp-ip-pool
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "cilium.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   blocks:
     - start: "10.232.2.100"

clusters/cl01tl/helm/cilium/templates/gateway.yaml

@@ -1,45 +0,0 @@
-# apiVersion: gateway.networking.k8s.io/v1
-# kind: Gateway
-# metadata:
-#   name: cilium-tls-gateway
-#   namespace: {{ .Release.Namespace }}
-#   labels:
-#     app.kubernetes.io/name: cilium-tls-gateway
-#     app.kubernetes.io/instance: {{ .Release.Name }}
-#     app.kubernetes.io/part-of: {{ .Release.Name }}
-#   annotations:
-#     cert-manager.io/cluster-issuer: letsencrypt-issuer
-# spec:
-#   addresses:
-#     - type: IPAddress
-#       value: 10.232.1.23
-#   gatewayClassName: cilium
-#   listeners:
-#     - allowedRoutes:
-#         namespaces:
-#           from: All
-#       hostname: '*.alexlebens.net'
-#       name: https
-#       port: 443
-#       protocol: HTTPS
-#       tls:
-#         certificateRefs:
-#           - group: ''
-#             kind: Secret
-#             name: https-gateway-cert
-#             namespace: kube-system
-#         mode: Terminate
-#     - allowedRoutes:
-#         namespaces:
-#           from: All
-#       hostname: 'alexlebens.net'
-#       name: https-domain
-#       port: 443
-#       protocol: HTTPS
-#       tls:
-#         certificateRefs:
-#           - group: ''
-#             kind: Secret
-#             name: https-gateway-cert
-#             namespace: kube-system
-#         mode: Terminate

clusters/cl01tl/helm/cilium/templates/http-route.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: hubble
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "cilium.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   parentRefs:
     - group: gateway.networking.k8s.io

clusters/cl01tl/helm/dawarich/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "dawarich.labels" -}}
+{{ include "dawarich.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "dawarich.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/dawarich/templates/external-secret.yaml

@@ -1,16 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-key-secret
+  name: dawarich-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: dawarich-key-secret
+    app.kubernetes.io/name: dawarich-key
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "dawarich.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: key
       remoteRef:
@@ -21,22 +20,21 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-oidc-secret
+  name: dawarich-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: dawarich-oidc-secret
+    app.kubernetes.io/name: dawarich-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "dawarich.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: client
       remoteRef:
-        key: /authentik/oidc/dawarich
+        key: /cl01tl/authentik/oidc/dawarich
         property: client
     - secretKey: secret
       remoteRef:
-        key: /authentik/oidc/dawarich
+        key: /cl01tl/authentik/oidc/dawarich
         property: secret

clusters/cl01tl/helm/dawarich/values.yaml

@@ -61,12 +61,12 @@ dawarich:
             - name: OIDC_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-oidc-secret
+                  name: dawarich-oidc-authentik
                   key: client
             - name: OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-oidc-secret
+                  name: dawarich-oidc-authentik
                   key: secret
             - name: OIDC_PROVIDER_NAME
               value: Authentik
@@ -81,7 +81,7 @@ dawarich:
             - name: SECRET_KEY_BASE
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-key-secret
+                  name: dawarich-key
                   key: key
             - name: RAILS_LOG_TO_STDOUT
               value: true

clusters/cl01tl/helm/gitea/Chart.yaml

@@ -56,4 +56,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/gitea.png
 # renovate: datasource=github-releases depName=go-gitea/gitea
-appVersion: 1.25.5
+appVersion: 1.26.0

clusters/cl01tl/helm/gitea/values.yaml

@@ -194,7 +194,7 @@ gitea-actions:
       registry: docker.io
       repository: gitea/act_runner
       # renovate: datasource=docker depName=gitea/act_runner
-      tag: 0.4.0@sha256:e7364b8252e74d5eb047abe64c98a856da37d9dad848af51e011b249206b36ba
+      tag: 0.4.1@sha256:696a59b51ad3d149521e3beb0229d5fb88f87295e1616f940199793274415b56
       extraVolumeMounts:
         - name: workspace-vol
           mountPath: /workspace

clusters/cl01tl/helm/houndarr/values.yaml

@@ -8,7 +8,7 @@ houndarr:
         main:
           image:
             repository: ghcr.io/av1155/houndarr
-            tag: v1.9.0@sha256:30a581a9ffacbb4e20de54dc602ffd4e2d61dd7b58fa2b6664ade1fc67936725
+            tag: v1.9.0@sha256:2a9c9e0de43412f683f00cce6f5d0f3e059b27e50350434ae4029ade720e85a0
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/music-grabber/Chart.yaml

@@ -24,4 +24,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/music-grabber.png
 # renovate: datasource=docker depName=g33kphr33k/musicgrabber
-appVersion: 2.6.4
+appVersion: 2.6.5

clusters/cl01tl/helm/music-grabber/values.yaml

@@ -12,7 +12,7 @@ music-grabber:
         main:
           image:
             repository: g33kphr33k/musicgrabber
-            tag: 2.6.4@sha256:e54d4b7abb395cd95ed4d9c9c8ca230ea789620484da148cc128b3981577c066
+            tag: 2.6.5@sha256:5d276415a764a56955207ae41fe2df3341a152812fdf8a87e7c0b7e4e1fb681d
           env:
             - name: MUSIC_DIR
               value: /mnt/store/Music Grabber/

clusters/cl01tl/helm/radarr-4k/Chart.yaml

@@ -33,4 +33,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr-4k.png
 # renovate: datasource=github-releases depName=linuxserver/docker-radarr
-appVersion: 6.1.1.10360-ls299
+appVersion: 6.1.1.10360-ls300

clusters/cl01tl/helm/radarr-4k/values.yaml

@@ -14,7 +14,7 @@ radarr-4k:
         main:
           image:
             repository: ghcr.io/linuxserver/radarr
-            tag: 6.1.1.10360-ls299@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7
+            tag: 6.1.1.10360-ls300@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/radarr-anime/Chart.yaml

@@ -33,4 +33,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr-anime.png
 # renovate: datasource=github-releases depName=linuxserver/docker-radarr
-appVersion: 6.1.1.10360-ls299
+appVersion: 6.1.1.10360-ls300

clusters/cl01tl/helm/radarr-anime/values.yaml

@@ -14,7 +14,7 @@ radarr-anime:
         main:
           image:
             repository: ghcr.io/linuxserver/radarr
-            tag: 6.1.1.10360-ls299@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7
+            tag: 6.1.1.10360-ls300@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/radarr-standup/Chart.yaml

@@ -33,4 +33,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr.png
 # renovate: datasource=github-releases depName=linuxserver/docker-radarr
-appVersion: 6.1.1.10360-ls299
+appVersion: 6.1.1.10360-ls300

clusters/cl01tl/helm/radarr-standup/values.yaml

@@ -14,7 +14,7 @@ radarr-standup:
         main:
           image:
             repository: ghcr.io/linuxserver/radarr
-            tag: 6.1.1.10360-ls299@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7
+            tag: 6.1.1.10360-ls300@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/radarr/Chart.yaml

@@ -33,4 +33,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr.png
 # renovate: datasource=github-releases depName=linuxserver/docker-radarr
-appVersion: 6.1.1.10360-ls299
+appVersion: 6.1.1.10360-ls300

clusters/cl01tl/helm/radarr/values.yaml

@@ -14,7 +14,7 @@ radarr:
         main:
           image:
             repository: ghcr.io/linuxserver/radarr
-            tag: 6.1.1.10360-ls299@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7
+            tag: 6.1.1.10360-ls300@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/rclone/Chart.yaml

@@ -20,4 +20,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/rclone.png
 # renovate: datasource=github-releases depName=rclone/rclone
-appVersion: v1.73.4
+appVersion: v1.73.5

clusters/cl01tl/helm/rclone/values.yaml

@@ -12,7 +12,7 @@ rclone:
         sync:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
           args:
             - sync
             - src:directus-assets
@@ -90,7 +90,7 @@ rclone:
         sync:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
           args:
             - sync
             - src:karakeep-assets
@@ -168,7 +168,7 @@ rclone:
         sync:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
           args:
             - sync
             - src:talos-backups
@@ -239,7 +239,7 @@ rclone:
         prune:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
           args:
             - delete
             - dest:talos-backups
@@ -287,7 +287,7 @@ rclone:
         sync:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
           args:
             - sync
             - src:web-assets
@@ -365,7 +365,7 @@ rclone:
         sync:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
           args:
             - sync
             - src:postgres-backups
@@ -440,7 +440,7 @@ rclone:
         prune:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
           args:
             - delete
             - dest:postgres-backups
@@ -488,7 +488,7 @@ rclone:
         sync:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
           args:
             - sync
             - src:ntfy-attachments
@@ -566,7 +566,7 @@ rclone:
         sync:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
           args:
             - sync
             - src:openbao-backups
@@ -637,7 +637,7 @@ rclone:
         prune:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
           args:
             - delete
             - dest:openbao-backups
@@ -685,7 +685,7 @@ rclone:
         sync:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
           args:
             - sync
             - src:openbao-backups
@@ -756,7 +756,7 @@ rclone:
         prune:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
           args:
             - delete
             - dest:openbao-backups-6e088aad5fad110b

clusters/cl01tl/helm/site-documentation/values.yaml

@@ -10,7 +10,7 @@ site-documentation:
         main:
           image:
             repository: harbor.alexlebens.net/images/site-documentation
-            tag: 0.26.0@sha256:fbd3167788a75a637aef0be6ef32bef685ce4af59f45e955cc6eb57ed8b1fd87
+            tag: 0.27.0@sha256:dafa3c8aa9401009c299bb274d140acc10d8531dd40c8253783b1f8ed8519d76
           resources:
             requests:
               cpu: 10m

clusters/cl01tl/helm/site-profile/values.yaml

@@ -10,7 +10,7 @@ site-profile:
         main:
           image:
             repository: harbor.alexlebens.net/images/site-profile
-            tag: 3.18.2@sha256:8deb9624b2564fabd1f5cc6822306fd198b245858317be2d9ab4ca044ae3ded5
+            tag: 3.18.5@sha256:2ad5cbbdbf1011f74c5fa804584236ffea266c37f046f837625af79a97bc0b56
           resources:
             requests:
               cpu: 10m

clusters/cl01tl/helm/slskd/Chart.yaml

@@ -22,4 +22,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/slskd.png
 # renovate: datasource=github-releases depName=slskd/slskd
-appVersion: 0.24.5
+appVersion: 0.25.0

clusters/cl01tl/helm/slskd/templates/external-secret.yaml

@@ -1,51 +1,66 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: slskd-config-secret
+  name: airvpn-wireguard-conf
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: slskd-config-secret
+    app.kubernetes.io/name: airvpn-wireguard-conf
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
-    - secretKey: slskd.yml
+    - secretKey: conf
       remoteRef:
-        key: /cl01tl/slskd/config
+        key: /airvpn/config
-
+        property: conf
-        property: slskd.yml
+    - secretKey: private-key
+      remoteRef:
+        key: /airvpn/config
+        property: private-key
+    - secretKey: preshared-key
+      remoteRef:
+        key: /airvpn/config
+        property: preshared-key
+    - secretKey: addresses
+      remoteRef:
+        key: /airvpn/config
+        property: addresses
+    - secretKey: input-ports
+      remoteRef:
+        key: /airvpn/config
+        property: input-ports
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: slskd-wireguard-conf
+  name: protonvpn-wireguard-conf
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: slskd-wireguard-conf
+    app.kubernetes.io/name: protonvpn-wireguard-conf
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
+    - secretKey: conf
+      remoteRef:
+        key: /protonvpn/config
+        property: conf
+    - secretKey: email
+      remoteRef:
+        key: /protonvpn/config
+        property: email
+    - secretKey: password
+      remoteRef:
+        key: /protonvpn/config
+        property: password
     - secretKey: private-key
       remoteRef:
-        key: /airvpn/conf/cl01tl
+        key: /protonvpn/config
         property: private-key
-    - secretKey: preshared-key
-      remoteRef:
-        key: /airvpn/conf/cl01tl
-        property: preshared-key
-    - secretKey: addresses
-      remoteRef:
-        key: /airvpn/conf/cl01tl
-        property: addresses
-    - secretKey: input-ports
-      remoteRef:
-        key: /airvpn/conf/cl01tl
-        property: input-ports

clusters/cl01tl/helm/slskd/templates/secret-provider-class.yaml

@@ -0,0 +1,19 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: slskd-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: slskd-config-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  provider: openbao
+  parameters:
+    baoAddress: "http://openbao-internal.openbao:8200"
+    roleName: slskd
+    objects: |
+      - objectName: slskd.yml
+        fileName: slskd.yml
+        secretPath: secret/data/cl01tl/slskd/config
+        secretKey: slskd.yml

clusters/cl01tl/helm/slskd/values.yaml

@@ -4,6 +4,8 @@ slskd:
       type: deployment
       replicas: 1
       strategy: Recreate
+      serviceAccount:
+        name: slskd
       pod:
         securityContext:
           fsGroup: 1000
@@ -36,7 +38,7 @@ slskd:
         main:
           image:
             repository: slskd/slskd
-            tag: 0.24.5@sha256:17ef977563be206f3b5932080b1e23883b2cb39dc9010640f6f39b4eaec887e3
+            tag: 0.25.0@sha256:6a91991c05b7cbbe4e3dcc1f5e10f88d00a68f7ad2ef8a820b79496441b9b78c
           env:
             - name: TZ
               value: America/Chicago
@@ -46,6 +48,8 @@ slskd:
               value: 1000
             - name: SLSKD_UMASK
               value: 000
+            - name: SLSKD_CONFIG
+              value: /config/slskd.yml
           resources:
             requests:
               cpu: 100m
@@ -60,29 +64,14 @@ slskd:
                 command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
           env:
             - name: VPN_SERVICE_PROVIDER
-              value: airvpn
+              value: protonvpn
             - name: VPN_TYPE
               value: wireguard
             - name: WIREGUARD_PRIVATE_KEY
               valueFrom:
                 secretKeyRef:
-                  name: slskd-wireguard-conf
+                  name: protonvpn-wireguard-conf
                   key: private-key
-            - name: WIREGUARD_PRESHARED_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: slskd-wireguard-conf
-                  key: preshared-key
-            - name: WIREGUARD_ADDRESSES
-              valueFrom:
-                secretKeyRef:
-                  name: slskd-wireguard-conf
-                  key: addresses
-            - name: FIREWALL_VPN_INPUT_PORTS
-              valueFrom:
-                secretKeyRef:
-                  name: slskd-wireguard-conf
-                  key: input-ports
             - name: FIREWALL_OUTBOUND_SUBNETS
               value: 192.168.1.0/24,10.244.0.0/16
             - name: FIREWALL_INPUT_PORTS
@@ -159,13 +148,17 @@ slskd:
                 value: /
   persistence:
     slskd-config:
-      enabled: true
+      type: custom
-      type: secret
+      volumeSpec:
-      name: slskd-config-secret
+        csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: slskd-config-secret
       advancedMounts:
         main:
           main:
-            - path: /app/slskd.yml
+            - path: /config/slskd.yml
               readOnly: true
               mountPropagation: None
               subPath: slskd.yml

clusters/cl01tl/helm/traefik/values.yaml

@@ -45,9 +45,6 @@ traefik:
       entryPoints: ["websecure"]
   updateStrategy:
     type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 1
-      maxSurge: 1
   providers:
     kubernetesCRD:
       allowCrossNamespace: true

hosts/ps10rp/gitea/compose.yaml

@@ -33,7 +33,7 @@ services:
             - postgresql18:/var/lib/postgresql
 
     gitea:
-        image: gitea/gitea:1.25.5@sha256:f846d26a4fc389c5806a580a765e00bfdd1fd181e6f2060da98ea2669d914472
+        image: gitea/gitea:1.26.0@sha256:af07b88edbb2173d20932f9c75ebcf4e61d7d5c2d6a7ab5cc6b97cba28aea352
         container_name: gitea
         depends_on:
             - postgresql