chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.99.0 (#5243 )

chore(deps): update searxng/searxng:latest docker digest to c026ed4 (#5240 )
chore(deps): update searxng/searxng:latest docker digest to 8ba6e51 (#5238 )
2026-03-28 19:02:54 +00:00 · 2026-03-28 18:02:25 +00:00 · 2026-03-28 16:03:40 +00:00 · 2026-03-28 14:04:27 +00:00 · 2026-03-28 12:04:10 +00:00 · 2026-03-28 07:04:31 +00:00
24 changed files with 133 additions and 186 deletions
--- a/.gitea/workflows/renovate.yaml
+++ b/.gitea/workflows/renovate.yaml
@@ -13,7 +13,7 @@ on:
 jobs:
  renovate:
    runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.96.0@sha256:41af2f21008f8f5785833277ac951b4f44e936b61394dc7edccdc0fe09e59132
+    container: ghcr.io/renovatebot/renovate:43.99.0@sha256:aae697086b93427dcde46eb92e08e334b018946ce19339bf044ce971ca1626e2
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
--- a/clusters/cl01tl/helm/argocd/Chart.lock
+++ b/clusters/cl01tl/helm/argocd/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
  repository: https://argoproj.github.io/argo-helm
-  version: 9.4.16
-digest: sha256:f9ecc47369d4401df61c17f55cc59c9b2d4543f57cf122653abb1a27a4f7bf35
-generated: "2026-03-26T21:01:52.678525211Z"
+  version: 9.4.17
+digest: sha256:17752dbf03861cf70ee31c9a17373a5175656a2edd00ba5fcd3988a195147da8
+generated: "2026-03-28T01:51:34.832601868Z"
--- a/clusters/cl01tl/helm/argocd/Chart.yaml
+++ b/clusters/cl01tl/helm/argocd/Chart.yaml
@@ -13,7 +13,7 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: argo-cd
-    version: 9.4.16
+    version: 9.4.17
    repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-cd
--- a/clusters/cl01tl/helm/cert-manager/Chart.lock
+++ b/clusters/cl01tl/helm/cert-manager/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.20.0
-digest: sha256:1543bd17649cb32982de3cce017fcbed1b44c41d50b76c6471b266f33e261c29
-generated: "2026-03-10T16:06:49.332999536Z"
+  version: v1.20.1
+digest: sha256:1bf36eba44cf096b40355a697b8cffb302f07f9135374222aabdf686f017b7a9
+generated: "2026-03-28T01:35:24.542754563Z"
--- a/clusters/cl01tl/helm/cert-manager/Chart.yaml
+++ b/clusters/cl01tl/helm/cert-manager/Chart.yaml
@@ -13,8 +13,8 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: cert-manager
-    version: v1.20.0
+    version: v1.20.1
    repository: https://charts.jetstack.io
 icon: https://raw.githubusercontent.com/cert-manager/cert-manager/refs/heads/master/logo/logo.png
 # renovate: datasource=github-releases depName=cert-manager/cert-manager
-appVersion: v1.20.0
+appVersion: v1.20.1
--- a/clusters/cl01tl/helm/grafana-operator/Chart.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/Chart.yaml
@@ -5,14 +5,13 @@ description: Grafana Operator
 keywords:
  - grafana-operator
  - dashboard
-  - metrics
-  - logs
-home: https://wiki.alexlebens.dev/s/3e5723e1-2ab7-45ab-b496-b8854907fa39
+home: https://docs.alexlebens.dev/applications/grafana-operator/
 sources:
  - https://github.com/grafana/grafana-operator
-  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://github.com/grafana/grafana/pkgs/container/grafana%2Fgrafana
  - https://github.com/grafana/grafana-operator/tree/master/deploy/helm/grafana-operator
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
 maintainers:
  - name: alexlebens
 dependencies:
--- a/clusters/cl01tl/helm/grafana-operator/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/templates/external-secret.yaml
@@ -14,17 +14,11 @@ spec:
  data:
    - secretKey: admin-user
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: /cl01tl/grafana/auth
-        metadataPolicy: None
        property: admin-user
    - secretKey: admin-password
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: /cl01tl/grafana/auth
-        metadataPolicy: None
        property: admin-password

 ---
@@ -44,17 +38,11 @@ spec:
  data:
    - secretKey: AUTH_CLIENT_ID
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: /authentik/oidc/grafana
-        metadataPolicy: None
        property: client
    - secretKey: AUTH_CLIENT_SECRET
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: /authentik/oidc/grafana
-        metadataPolicy: None
        property: secret

 ---
@@ -74,17 +62,11 @@ spec:
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
-        metadataPolicy: None
        property: access
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: /digital-ocean/home-infra/postgres-backups
-        metadataPolicy: None
        property: secret

 ---
@@ -104,22 +86,13 @@ spec:
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
        property: ACCESS_SECRET_KEY
    - secretKey: ACCESS_REGION
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
        property: ACCESS_REGION
--- a/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml
@@ -11,9 +11,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/ceph.json

 ---
@@ -30,9 +30,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/coredns.json

 ---
@@ -49,9 +49,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/etcd.json

 ---
@@ -68,9 +68,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/garage.json

 ---
@@ -87,9 +87,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/loki.json

 ---
@@ -106,9 +106,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/node-full.json

 ---
@@ -125,9 +125,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/node-short.json

 ---
@@ -144,9 +144,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/pods.json

 ---
@@ -163,9 +163,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/argocd.json

 ---
@@ -182,9 +182,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/blocky.json

 ---
@@ -201,9 +201,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/cert-manager.json

 ---
@@ -220,9 +220,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/cloudnative-pg.json

 ---
@@ -239,9 +239,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/descheduler.json

 ---
@@ -258,9 +258,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/gatus.json

 ---
@@ -277,9 +277,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/grafana-operator.json

 ---
@@ -296,9 +296,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/harbor.json

 ---
@@ -315,9 +315,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/speedtest-exporter.json

 ---
@@ -334,9 +334,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/spegel.json

 ---
@@ -353,9 +353,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/traefik.json

 ---
@@ -372,9 +372,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/tdarr.json

 ---
@@ -391,9 +391,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/unpoller.json

 ---
@@ -410,9 +410,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/volsync.json

 ---
@@ -429,9 +429,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-platform
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/s3.json

 ---
@@ -448,9 +448,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-platform
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/authentik.json

 ---
@@ -467,9 +467,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-platform
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/gitea.json

 ---
@@ -486,9 +486,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-platform
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/ntfy.json

 ---
@@ -505,9 +505,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-platform
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/qbittorrent.json

 ---
@@ -524,9 +524,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-platform
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/vault.json

 ---
@@ -543,9 +543,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-iot
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/iot/airgradient.json

 ---
@@ -562,9 +562,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-iot
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/iot/server-power-consumption.json

 ---
@@ -581,9 +581,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-application
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/application/immich.json

 ---
@@ -600,9 +600,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-application
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/application/jellyfin.json

 ---
@@ -619,9 +619,9 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-application
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/application/radarr.json

 ---
@@ -638,7 +638,7 @@ spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
  folderUID: grafana-folder-application
-  resyncPeriod: 1h
+  resyncPeriod: 6h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/application/sonarr.json
--- a/clusters/cl01tl/helm/grafana-operator/templates/grafana.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/templates/grafana.yaml
@@ -56,11 +56,12 @@ spec:
        spec:
          containers:
            - name: grafana
-              image: grafana/grafana:12.0.0
+              # renovate: datasource=docker depName=grafana/grafana
+              image: grafana/grafana:12.4.2@sha256:83749231c3835e390a3144e5e940203e42b9589761f20ef3169c716e734ad505
              resources:
                requests:
-                  cpu: 100m
-                  memory: 128Mi
+                  cpu: 20m
+                  memory: 120Mi
              env:
                - name: AUTH_CLIENT_ID
                  valueFrom:
@@ -107,3 +108,12 @@ spec:
                    secretKeyRef:
                      name: grafana-operator-postgresql-18-cluster-app
                      key: password
+  httpRoute:
+    spec:
+      parentRefs:
+        - group: gateway.networking.k8s.io
+          kind: Gateway
+          name: traefik-gateway
+          namespace: traefik
+      hostnames:
+        - grafana.alexlebens.net
--- a/clusters/cl01tl/helm/grafana-operator/templates/http-route.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/templates/http-route.yaml
@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: grafana
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - grafana.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: grafana-main-service
-          port: 3000
-          weight: 100
--- a/clusters/cl01tl/helm/grafana-operator/values.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/values.yaml
@@ -1,17 +1,11 @@
 grafana-operator:
  replicas: 2
-  serviceAccount:
-    create: true
-  rbac:
-    create: true
  resources:
    requests:
-      cpu: 10m
-      memory: 64Mi
+      cpu: 1m
+      memory: 50Mi
  serviceMonitor:
    enabled: true
-  dashboard:
-    enabled: false
 postgres-18-cluster:
  mode: recovery
  recovery:
@@ -25,35 +19,12 @@ postgres-18-cluster:
        destinationBucket: postgres-backups
        externalSecretCredentialPath: /garage/home-infra/postgres-backups
        isWALArchiver: true
-      # - name: garage-remote
-      #   index: 1
-      #   destinationBucket: postgres-backups
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   retentionPolicy: "90d"
-      #   data:
-      #     compression: bzip2
-      # - name: external
-      #   index: 1
-      #   endpointURL: https://nyc3.digitaloceanspaces.com
-      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   isWALArchiver: false
    scheduledBackups:
      - name: live-backup
        suspend: false
        immediate: true
        schedule: "0 30 14 * * *"
        backupName: garage-local
-      # - name: weekly-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 4 * * SAT"
-      #   backupName: garage-remote
-      # - name: daily-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 0 * * *"
-      #   backupName: external
 valkey-unified-alerting:
  valkey:
    nameOverride: valkey-unified-alerting
--- a/clusters/cl01tl/helm/houndarr/values.yaml
+++ b/clusters/cl01tl/helm/houndarr/values.yaml
@@ -9,7 +9,7 @@ houndarr:
        main:
          image:
            repository: ghcr.io/av1155/houndarr
-            tag: v1.6.2
+            tag: v1.6.3
            pullPolicy: IfNotPresent
          env:
            - name: TZ
--- a/clusters/cl01tl/helm/immich/values.yaml
+++ b/clusters/cl01tl/helm/immich/values.yaml
@@ -9,7 +9,7 @@ immich:
        main:
          image:
            repository: ghcr.io/immich-app/immich-server
-            tag: v2.6.2
+            tag: v2.6.3
            pullPolicy: IfNotPresent
          env:
            - name: TZ
--- a/clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: kube-prometheus-stack
  repository: oci://ghcr.io/prometheus-community/charts
-  version: 82.15.0
+  version: 82.15.1
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.0
-digest: sha256:524759b57f9500d5742b962bcdb114ec556d80ec4418921c93a722e00df57647
-generated: "2026-03-26T23:02:03.558664114Z"
+digest: sha256:7be2f0d61a12e674af175046960df7ba06a7248dc92db0b2d9c9b63a77a5bc17
+generated: "2026-03-28T01:54:34.406941487Z"
--- a/clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
@@ -20,7 +20,7 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: kube-prometheus-stack
-    version: 82.15.0
+    version: 82.15.1
    repository: oci://ghcr.io/prometheus-community/charts
  - name: app-template
    alias: ntfy-alertmanager
--- a/clusters/cl01tl/helm/loki/Chart.yaml
+++ b/clusters/cl01tl/helm/loki/Chart.yaml
@@ -23,4 +23,4 @@ dependencies:
    repository: https://grafana.github.io/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/loki.png
 # renovate: datasource=github-releases depName=grafana/loki
-appVersion: 3.7.0
+appVersion: 3.7.1
--- a/clusters/cl01tl/helm/ntfy/values.yaml
+++ b/clusters/cl01tl/helm/ntfy/values.yaml
@@ -9,7 +9,7 @@ ntfy:
        main:
          image:
            repository: binwiederhier/ntfy
-            tag: v2.20.0
+            tag: v2.20.1
            pullPolicy: IfNotPresent
          args: ["serve"]
          env:
--- a/clusters/cl01tl/helm/ollama/values.yaml
+++ b/clusters/cl01tl/helm/ollama/values.yaml
@@ -117,7 +117,7 @@ ollama:
        main:
          image:
            repository: ghcr.io/open-webui/open-webui
-            tag: v0.8.10
+            tag: v0.8.12
            pullPolicy: IfNotPresent
          env:
            - name: ENV
--- a/clusters/cl01tl/helm/postiz/values.yaml
+++ b/clusters/cl01tl/helm/postiz/values.yaml
@@ -9,7 +9,7 @@ postiz:
        main:
          image:
            repository: ghcr.io/gitroomhq/postiz-app
-            tag: v2.21.0
+            tag: v2.21.2
            pullPolicy: IfNotPresent
          env:
            - name: MAIN_URL
--- a/clusters/cl01tl/helm/searxng/values.yaml
+++ b/clusters/cl01tl/helm/searxng/values.yaml
@@ -9,7 +9,7 @@ searxng:
        main:
          image:
            repository: searxng/searxng
-            tag: latest@sha256:032eec8dcd3799007059d0753e9d04837fc8dba8d8b749a08469118a8039b703
+            tag: latest@sha256:c026ed4cb1a29b21878fed2c13f4c31fa811b8b03d931aa8764e8528177e2862
            pullPolicy: IfNotPresent
          env:
            - name: SEARXNG_BASE_URL
@@ -39,7 +39,7 @@ searxng:
        main:
          image:
            repository: searxng/searxng
-            tag: latest@sha256:032eec8dcd3799007059d0753e9d04837fc8dba8d8b749a08469118a8039b703
+            tag: latest@sha256:c026ed4cb1a29b21878fed2c13f4c31fa811b8b03d931aa8764e8528177e2862
            pullPolicy: IfNotPresent
          env:
            - name: SEARXNG_BASE_URL
--- a/hosts/ps08rp/traefik/compose.yaml
+++ b/hosts/ps08rp/traefik/compose.yaml
@@ -1,7 +1,7 @@
 ---
 services:
    traefik:
-        image: ghcr.io/traefik/traefik:v3.6.11@sha256:acfc80650104f0194a15f73dc1648f517561bc1645391a15705332a064cfc33c
+        image: ghcr.io/traefik/traefik:v3.6.12@sha256:171c9c3565b29f6c133f1c1b43c5d4e5853415198e9e1078c001f8702ff66aec
        container_name: traefik
        command:
            - "--global.checkNewVersion=false"
--- a/hosts/ps09rp/traefik/compose.yaml
+++ b/hosts/ps09rp/traefik/compose.yaml
@@ -1,7 +1,7 @@
 ---
 services:
    traefik:
-        image: ghcr.io/traefik/traefik:v3.6.11@sha256:acfc80650104f0194a15f73dc1648f517561bc1645391a15705332a064cfc33c
+        image: ghcr.io/traefik/traefik:v3.6.12@sha256:171c9c3565b29f6c133f1c1b43c5d4e5853415198e9e1078c001f8702ff66aec
        container_name: traefik
        command:
            - "--global.checkNewVersion=false"
--- a/hosts/ps10rp/traefik/compose.yaml
+++ b/hosts/ps10rp/traefik/compose.yaml
@@ -20,7 +20,7 @@ services:
            - /dev/net/tun:/dev/net/tun

    traefik:
-        image: ghcr.io/traefik/traefik:v3.6.11@sha256:acfc80650104f0194a15f73dc1648f517561bc1645391a15705332a064cfc33c
+        image: ghcr.io/traefik/traefik:v3.6.12@sha256:171c9c3565b29f6c133f1c1b43c5d4e5853415198e9e1078c001f8702ff66aec
        container_name: traefik
        command:
            - "--global.checkNewVersion=false"
--- a/renovate.json
+++ b/renovate.json
@@ -16,6 +16,16 @@
  "baseBranchPatterns": [
    "main"
  ],
+  "regexManagers": [
+    {
+      "fileMatch": ["(^|/)values\\.yaml$", "(^|/)values-.*\\.yaml$"],
+      "matchStrings": [
+        "# renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)\\s+tag:\\s+(?<currentValue>.*)"
+      ],
+      "datasourceTemplate": "{{{datasource}}}",
+      "depNameTemplate": "{{{depName}}}"
+    }
+  ],
  "customManagers": [
    {
      "description": "Update appVersion in Chart.yaml",
@@ -28,6 +38,18 @@
      ],
      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver-coerced{{/if}}"
    },
+    {
+      "description": "Update specific images in values",
+      "customType": "regex",
+      "managerFilePatterns": [
+        "(^|/)values\\.yaml$"
+      ],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=(?<datasource>[^\\s]+)\\s+depName=(?<depName>[^\\s]+)\\s*\\n\\s+tag:\\s*[\"']?(?<currentValue>[^\"'\\s]+)[\"']?"
+      ],
+      "depNameTemplate": "{{{depName}}}",
+      "datasourceTemplate": "{{{datasource}}}"
+    },
    {
      "description": "Update images in templates",
      "customType": "regex",
Author	SHA1	Message	Date
Renovate Bot	f8eeba73e8	chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.99.0 (#5243 ) All checks were successful renovate / renovate (push) Successful in 2m19s Details	2026-03-28 19:02:54 +00:00
Renovate Bot	e8c5224912	chore(deps): update searxng/searxng:latest docker digest to c026ed4 (#5240 ) All checks were successful lint-test-helm / lint-helm (push) Successful in 26s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 2m27s Details	2026-03-28 18:02:25 +00:00
Renovate Bot	dd6336fe90	chore(deps): update searxng/searxng:latest docker digest to 8ba6e51 (#5238 ) All checks were successful lint-test-helm / lint-helm (push) Successful in 1m10s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 2m18s Details	2026-03-28 16:03:40 +00:00
Renovate Bot	a63adb27b0	chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.98.0 (#5236 ) All checks were successful render-manifests / render-manifests (push) Successful in 8m7s Details renovate / renovate (push) Successful in 3m30s Details	2026-03-28 14:04:27 +00:00
Renovate Bot	be43a836eb	chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.97.0 (#5235 ) All checks were successful renovate / renovate (push) Successful in 4m4s Details	2026-03-28 12:04:10 +00:00
Renovate Bot	6520e9bd58	chore(deps): update searxng/searxng:latest docker digest to 9704da5 (#5232 ) All checks were successful renovate / renovate (push) Successful in 3m49s Details	2026-03-28 07:04:31 +00:00
Renovate Bot	7049a5616f	chore(deps): update searxng/searxng:latest docker digest to 9704da5 (#5232 ) Some checks failed renovate / renovate (push) Has been cancelled Details lint-test-helm / lint-helm (push) Successful in 22s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details	2026-03-28 07:04:19 +00:00
Alex Lebens	773288917d	ci: add manager All checks were successful renovate / renovate (push) Successful in 4m7s Details	2026-03-27 21:55:27 -05:00
Alex Lebens	4d58538504	feat: refactor apps (#5227 ) All checks were successful lint-test-helm / lint-helm (push) Successful in 17s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 2m31s Details Reviewed-on: #5227	2026-03-28 02:36:08 +00:00
Renovate Bot	d156c5b9da	chore(deps): update kube-prometheus-stack docker tag to v82.15.1 (#5225 ) All checks were successful lint-test-helm / lint-helm (push) Successful in 17s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 4m46s Details	2026-03-28 01:55:23 +00:00
Renovate Bot	c46e12ba5f	chore(deps): update helm release argo-cd to v9.4.17 (#5223 ) Some checks failed lint-test-helm / lint-helm (push) Successful in 13s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details	2026-03-28 01:51:51 +00:00
Renovate Bot	a33a0207bf	chore(deps): update ghcr.io/immich-app/immich-server docker tag to v2.6.3 (#5221 ) Some checks failed lint-test-helm / lint-helm (push) Successful in 14s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details	2026-03-28 01:49:58 +00:00
Renovate Bot	abb39dfbba	chore(deps): update ghcr.io/gitroomhq/postiz-app docker tag to v2.21.2 (#5218 ) Some checks failed lint-test-helm / lint-helm (push) Successful in 1m30s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details	2026-03-28 01:47:20 +00:00
Renovate Bot	ff1dd70ec1	chore(deps): update ghcr.io/av1155/houndarr docker tag to v1.6.3 (#5217 ) Some checks failed lint-test-helm / validate-kubeconform (push) Has been cancelled Details lint-test-helm / lint-helm (push) Has been cancelled Details	2026-03-28 01:47:06 +00:00
Renovate Bot	715c7229c8	chore(deps): update binwiederhier/ntfy docker tag to v2.20.1 (#5215 ) Some checks failed lint-test-helm / lint-helm (push) Successful in 59s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details	2026-03-28 01:43:59 +00:00
Renovate Bot	77efef53ce	chore(deps): update ghcr.io/traefik/traefik docker tag to v3.6.12 (#5213 ) Some checks failed lint-test-docker / lint-docker-compose (push) Successful in 17s Details renovate / renovate (push) Has been cancelled Details	2026-03-28 01:41:19 +00:00
Renovate Bot	01dcf530f4	chore(deps): update ghcr.io/open-webui/open-webui docker tag to v0.8.12 (#5212 ) Some checks failed renovate / renovate (push) Has been cancelled Details lint-test-helm / lint-helm (push) Successful in 1m8s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details	2026-03-28 01:41:04 +00:00
Renovate Bot	53e37544f9	chore(deps): update dependency cert-manager/cert-manager to v1.20.1 (#5206 ) Some checks failed lint-test-helm / lint-helm (push) Successful in 18s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details This PR contains the following updates: \| Package \| Update \| Change \| \|---\|---\|---\| \| [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) \| patch \| `v1.20.0` → `v1.20.1` \| --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager/cert-manager)</summary> ### [`v1.20.1`](https://github.com/cert-manager/cert-manager/releases/tag/v1.20.1) [Compare Source](https://github.com/cert-manager/cert-manager/compare/v1.20.0...v1.20.1) v1.20.1 fixes an issue for OpenShift users that has to do with the finalizer RBAC, bumps gRPC to address a reported non-affecting vulnerability, and fixes a duplicate `parentRef` bug when both issuer config and annotations are present (Gateway API). ##### Bug or Regression - Fixed duplicate `parentRef` bug when both issuer config and annotations are present. ([#8658](https://github.com/cert-manager/cert-manager/issues/8658), [@hjoshi123](https://github.com/hjoshi123)) - Add missing issuer finalizer RBAC to the order controller to support owner references. This was preventing OpenShift users from being able to upgrade to v1.20.0. ([#8655](https://github.com/cert-manager/cert-manager/issues/8655), [@erikgb](https://github.com/erikgb)) - Bump google.golang.org/grpc to fix vulnerability reported by scanners. This isn't a vulnerability that affects cert-manager, but we are bumping it because it is reported by scanners. ([#8657](https://github.com/cert-manager/cert-manager/issues/8657), [@erikgb](https://github.com/erikgb)) </details> --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45Ni4wIiwidXBkYXRlZEluVmVyIjoiNDMuOTYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/5206 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>	2026-03-28 01:38:15 +00:00
Renovate Bot	1e6f7ac684	chore(deps): update helm release cert-manager to v1.20.1 (#5210 ) All checks were successful lint-test-helm / lint-helm (push) Successful in 48s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 2m7s Details	2026-03-28 01:35:46 +00:00
Renovate Bot	03e31eb306	chore(deps): update dependency tailscale/tailscale to v1.96.4 (#5208 ) Some checks failed lint-test-helm / lint-helm (push) Successful in 1m3s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details This PR contains the following updates: \| Package \| Update \| Change \| \|---\|---\|---\| \| [tailscale/tailscale](https://github.com/tailscale/tailscale) \| patch \| `v1.96.3` → `v1.96.4` \| --- ### Release Notes <details> <summary>tailscale/tailscale (tailscale/tailscale)</summary> ### [`v1.96.4`](https://github.com/tailscale/tailscale/releases/tag/v1.96.4) [Compare Source](https://github.com/tailscale/tailscale/compare/v1.96.3...v1.96.4) Please refer to the changelog available at <https://tailscale.com/changelog> </details> --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45Ni4wIiwidXBkYXRlZEluVmVyIjoiNDMuOTYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Reviewed-on: #5208 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>	2026-03-28 01:31:35 +00:00
Renovate Bot	3083087091	chore(deps): update dependency grafana/loki to v3.7.1 (#5207 ) Some checks failed lint-test-helm / lint-helm (push) Successful in 18s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details This PR contains the following updates: \| Package \| Update \| Change \| \|---\|---\|---\| \| [grafana/loki](https://github.com/grafana/loki) \| patch \| `3.7.0` → `3.7.1` \| --- ### Release Notes <details> <summary>grafana/loki (grafana/loki)</summary> ### [`v3.7.1`](https://github.com/grafana/loki/releases/tag/v3.7.1) [Compare Source](https://github.com/grafana/loki/compare/v3.7.0...v3.7.1) ##### Bug Fixes - Upgrade Go and gRPC versions on 3.7.x ([#21282](https://github.com/grafana/loki/issues/21282)) ([2c8fff2](`2c8fff222b`)) </details> --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45Ni4wIiwidXBkYXRlZEluVmVyIjoiNDMuOTYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Reviewed-on: #5207 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>	2026-03-28 01:29:53 +00:00