Update ghcr.io/kashalls/external-dns-unifi-webhook Docker tag to v0.8.0

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [vaultwarden/server](https://github.com/dani-garcia/vaultwarden) | minor | `1.34.3` → `1.35.0` |

---

### Release Notes

<details>
<summary>dani-garcia/vaultwarden (vaultwarden/server)</summary>

### [`v1.35.0`](https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.0)

[Compare Source](https://github.com/dani-garcia/vaultwarden/compare/1.34.3...1.35.0)

#### Notable changes

- Implemented support for SSO with OpenID Connect, <https://github.com/dani-garcia/vaultwarden/wiki/Enabling-SSO-support-using-OpenId-Connect>
- Updated web vault to 2025.12.0
- Added support for future mobile apps with versions 2026.1.0+
- This is the first vaultwarden release using [immutable releases](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases) and release attestation!

#### What's Changed

- Fix multi delete slowdown by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6144](https://github.com/dani-garcia/vaultwarden/pull/6144)
- Perform same checks when setting kdf by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6141](https://github.com/dani-garcia/vaultwarden/pull/6141)
- SSO using OpenID Connect by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;3899](https://github.com/dani-garcia/vaultwarden/pull/3899)
- Delete SSO.md by [@&#8203;dani-garcia](https://github.com/dani-garcia) in [#&#8203;6152](https://github.com/dani-garcia/vaultwarden/pull/6152)
- Update webauthn-rs to 0.5.x by [@&#8203;zUnixorn](https://github.com/zUnixorn) in [#&#8203;5934](https://github.com/dani-garcia/vaultwarden/pull/5934)
- a little cleanup after SSO merge by [@&#8203;stefan0xC](https://github.com/stefan0xC) in [#&#8203;6153](https://github.com/dani-garcia/vaultwarden/pull/6153)
- Fix link to point to the wiki by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6157](https://github.com/dani-garcia/vaultwarden/pull/6157)
- Fix Email 2FA for mobile apps by [@&#8203;dfunkt](https://github.com/dfunkt) in [#&#8203;6156](https://github.com/dani-garcia/vaultwarden/pull/6156)
- Update Rust to 1.89.0 by [@&#8203;dfunkt](https://github.com/dfunkt) in [#&#8203;6150](https://github.com/dani-garcia/vaultwarden/pull/6150)
- Fix several more multi select push issues by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6151](https://github.com/dani-garcia/vaultwarden/pull/6151)
- Fix minor typo by [@&#8203;ncguk](https://github.com/ncguk) in [#&#8203;6165](https://github.com/dani-garcia/vaultwarden/pull/6165)
- Update crates, fixes some yanked crates by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6167](https://github.com/dani-garcia/vaultwarden/pull/6167)
- Fix WebauthN issue with Software Keys by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6168](https://github.com/dani-garcia/vaultwarden/pull/6168)
- Fix Playwright test conf and update deps by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6176](https://github.com/dani-garcia/vaultwarden/pull/6176)
- Misc updates by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6185](https://github.com/dani-garcia/vaultwarden/pull/6185)
- fix typo in description of helo\_name by [@&#8203;Flottegurke](https://github.com/Flottegurke) in [#&#8203;6194](https://github.com/dani-garcia/vaultwarden/pull/6194)
- Fix Playwright by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6206](https://github.com/dani-garcia/vaultwarden/pull/6206)
- Switch to GHA's concurrency control by [@&#8203;dfunkt](https://github.com/dfunkt) in [#&#8203;6164](https://github.com/dani-garcia/vaultwarden/pull/6164)
- Make database connection pool dynamic by [@&#8203;Samoth69](https://github.com/Samoth69) in [#&#8203;6166](https://github.com/dani-garcia/vaultwarden/pull/6166)
- Re-add `if` check to release workflow by [@&#8203;dfunkt](https://github.com/dfunkt) in [#&#8203;6227](https://github.com/dani-garcia/vaultwarden/pull/6227)
- Fix Webauthn/Passkey 2FA migration/validation issues by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6190](https://github.com/dani-garcia/vaultwarden/pull/6190)
- refactor(config): update template, add validation by [@&#8203;tessus](https://github.com/tessus) in [#&#8203;6229](https://github.com/dani-garcia/vaultwarden/pull/6229)
- Show SSO\_ALLOW\_UNKNOWN\_EMAIL\_VERIFICATION in admin by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6235](https://github.com/dani-garcia/vaultwarden/pull/6235)
- Update crates, gha and web-vault by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6234](https://github.com/dani-garcia/vaultwarden/pull/6234)
- Fix panic around sso\_master\_password\_policy by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6233](https://github.com/dani-garcia/vaultwarden/pull/6233)
- make webauthn more optional by [@&#8203;stefan0xC](https://github.com/stefan0xC) in [#&#8203;6160](https://github.com/dani-garcia/vaultwarden/pull/6160)
- Fix 2fa recovery endpoint by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6240](https://github.com/dani-garcia/vaultwarden/pull/6240)
- update trivy-action to v0.33.0 by [@&#8203;stefan0xC](https://github.com/stefan0xC) in [#&#8203;6248](https://github.com/dani-garcia/vaultwarden/pull/6248)
- update web vault to v2025.9.1 and allow new policy by [@&#8203;stefan0xC](https://github.com/stefan0xC) in [#&#8203;6340](https://github.com/dani-garcia/vaultwarden/pull/6340)
- prevent changing collections when hide\_passwords is true by [@&#8203;stefan0xC](https://github.com/stefan0xC) in [#&#8203;6278](https://github.com/dani-garcia/vaultwarden/pull/6278)
- Fix `sso_user` dropped on `User::save` by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6262](https://github.com/dani-garcia/vaultwarden/pull/6262)
- Change OIDC dummy identifier by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6263](https://github.com/dani-garcia/vaultwarden/pull/6263)
- add new billing warnings endpoint by [@&#8203;stefan0xC](https://github.com/stefan0xC) in [#&#8203;6369](https://github.com/dani-garcia/vaultwarden/pull/6369)
- Add auth\_request pending endpoint by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6368](https://github.com/dani-garcia/vaultwarden/pull/6368)
- Fix Org identifier by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6364](https://github.com/dani-garcia/vaultwarden/pull/6364)
- add mail address change warning for invited accounts by [@&#8203;stefan0xC](https://github.com/stefan0xC) in [#&#8203;6377](https://github.com/dani-garcia/vaultwarden/pull/6377)
- add missing media-src directive by [@&#8203;stefan0xC](https://github.com/stefan0xC) in [#&#8203;6381](https://github.com/dani-garcia/vaultwarden/pull/6381)
- add seat limit for the invite dialog by [@&#8203;stefan0xC](https://github.com/stefan0xC) in [#&#8203;6371](https://github.com/dani-garcia/vaultwarden/pull/6371)
- \[Playwright] Improvements around node by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6321](https://github.com/dani-garcia/vaultwarden/pull/6321)
- Use Diesels MultiConnections Derive by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6279](https://github.com/dani-garcia/vaultwarden/pull/6279)
- Improve protected actions by [@&#8203;dani-garcia](https://github.com/dani-garcia) in [#&#8203;6411](https://github.com/dani-garcia/vaultwarden/pull/6411)
- Fix issue with key-rotation and emergency-access by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6421](https://github.com/dani-garcia/vaultwarden/pull/6421)
- Optimizations and build speedup by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6339](https://github.com/dani-garcia/vaultwarden/pull/6339)
- Use an older version of mariadb to prevent a panic by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6453](https://github.com/dani-garcia/vaultwarden/pull/6453)
- Playwright against abitrary web-vault by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6380](https://github.com/dani-garcia/vaultwarden/pull/6380)
- Fix KDF Change with new web-vault by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6458](https://github.com/dani-garcia/vaultwarden/pull/6458)
- Fix: admin theme emoji alignment by [@&#8203;joepduin](https://github.com/joepduin) in [#&#8203;6459](https://github.com/dani-garcia/vaultwarden/pull/6459)
- remove invalid emergency access dummy value by [@&#8203;stefan0xC](https://github.com/stefan0xC) in [#&#8203;6463](https://github.com/dani-garcia/vaultwarden/pull/6463)
- Add `pm-25373-windows-biometrics-v2` feature flag by [@&#8203;Ephemera42](https://github.com/Ephemera42) in [#&#8203;6468](https://github.com/dani-garcia/vaultwarden/pull/6468)
- Switch to multiple runners per arch by [@&#8203;dfunkt](https://github.com/dfunkt) in [#&#8203;6472](https://github.com/dani-garcia/vaultwarden/pull/6472)
- Fix icon redirect caching by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6487](https://github.com/dani-garcia/vaultwarden/pull/6487)
- Fix around singleorg policy by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6247](https://github.com/dani-garcia/vaultwarden/pull/6247)
- fix email as 2fa provider by [@&#8203;stefan0xC](https://github.com/stefan0xC) in [#&#8203;6473](https://github.com/dani-garcia/vaultwarden/pull/6473)
- Update crates and Rust version by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6485](https://github.com/dani-garcia/vaultwarden/pull/6485)
- Add option to prefer IPv6 resolving by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6494](https://github.com/dani-garcia/vaultwarden/pull/6494)
- Some small admin js/css updates by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6501](https://github.com/dani-garcia/vaultwarden/pull/6501)
- Update crates and workflows and some fixes by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6508](https://github.com/dani-garcia/vaultwarden/pull/6508)
- Fixed a typo in the default TTL value by [@&#8203;k725](https://github.com/k725) in [#&#8203;6528](https://github.com/dani-garcia/vaultwarden/pull/6528)
- Iterate over tags on release by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6518](https://github.com/dani-garcia/vaultwarden/pull/6518)
- Org.put\_policy type not in body anymore by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6514](https://github.com/dani-garcia/vaultwarden/pull/6514)
- Android want response property in camelCase by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6513](https://github.com/dani-garcia/vaultwarden/pull/6513)
- Fix admin invite with SSO by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6498](https://github.com/dani-garcia/vaultwarden/pull/6498)
- Improve sso auth flow by [@&#8203;Timshel](https://github.com/Timshel) in [#&#8203;6205](https://github.com/dani-garcia/vaultwarden/pull/6205)
- fix email as 2fa for sso by [@&#8203;stefan0xC](https://github.com/stefan0xC) in [#&#8203;6495](https://github.com/dani-garcia/vaultwarden/pull/6495)
- Fix release workflow by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6532](https://github.com/dani-garcia/vaultwarden/pull/6532)
- Further fixes for the release workflow by [@&#8203;dfunkt](https://github.com/dfunkt) in [#&#8203;6533](https://github.com/dani-garcia/vaultwarden/pull/6533)
- add empty /api/tasks endpoint by [@&#8203;stefan0xC](https://github.com/stefan0xC) in [#&#8203;6557](https://github.com/dani-garcia/vaultwarden/pull/6557)
- Revert to gzip compression by [@&#8203;dfunkt](https://github.com/dfunkt) in [#&#8203;6566](https://github.com/dani-garcia/vaultwarden/pull/6566)
- support UriMatchDefaults policy by [@&#8203;stefan0xC](https://github.com/stefan0xC) in [#&#8203;6570](https://github.com/dani-garcia/vaultwarden/pull/6570)
- Add new accountKeys and masterPasswordUnlock fields by [@&#8203;dani-garcia](https://github.com/dani-garcia) in [#&#8203;6572](https://github.com/dani-garcia/vaultwarden/pull/6572)
- Update crates and Rust by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6551](https://github.com/dani-garcia/vaultwarden/pull/6551)
- Add UserDecryption on /sync too by [@&#8203;dani-garcia](https://github.com/dani-garcia) in [#&#8203;6574](https://github.com/dani-garcia/vaultwarden/pull/6574)
- Update web-vault to v2025.12.0 by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6577](https://github.com/dani-garcia/vaultwarden/pull/6577)
- Fix posting cipher with readonly collections by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6578](https://github.com/dani-garcia/vaultwarden/pull/6578)
- Update crates by [@&#8203;BlackDex](https://github.com/BlackDex) in [#&#8203;6585](https://github.com/dani-garcia/vaultwarden/pull/6585)
- Simplify binary extraction by [@&#8203;dfunkt](https://github.com/dfunkt) in [#&#8203;6554](https://github.com/dani-garcia/vaultwarden/pull/6554)
- Remove unnecessary output sharing between jobs by [@&#8203;dfunkt](https://github.com/dfunkt) in [#&#8203;6555](https://github.com/dani-garcia/vaultwarden/pull/6555)
- Add wrapped named variants to UserDecryptionOptions by [@&#8203;dani-garcia](https://github.com/dani-garcia) in [#&#8203;6598](https://github.com/dani-garcia/vaultwarden/pull/6598)

#### New Contributors

- [@&#8203;zUnixorn](https://github.com/zUnixorn) made their first contribution in [#&#8203;5934](https://github.com/dani-garcia/vaultwarden/pull/5934)
- [@&#8203;ncguk](https://github.com/ncguk) made their first contribution in [#&#8203;6165](https://github.com/dani-garcia/vaultwarden/pull/6165)
- [@&#8203;Flottegurke](https://github.com/Flottegurke) made their first contribution in [#&#8203;6194](https://github.com/dani-garcia/vaultwarden/pull/6194)
- [@&#8203;Samoth69](https://github.com/Samoth69) made their first contribution in [#&#8203;6166](https://github.com/dani-garcia/vaultwarden/pull/6166)
- [@&#8203;joepduin](https://github.com/joepduin) made their first contribution in [#&#8203;6459](https://github.com/dani-garcia/vaultwarden/pull/6459)
- [@&#8203;k725](https://github.com/k725) made their first contribution in [#&#8203;6528](https://github.com/dani-garcia/vaultwarden/pull/6528)

**Full Changelog**: <https://github.com/dani-garcia/vaultwarden/compare/1.34.3...1.35.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi42Ni45IiwidXBkYXRlZEluVmVyIjoiNDIuNjYuOSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiaW1hZ2UiXX0=-->

Reviewed-on: #2946
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

clusters/cl01tl/helm/gitea/values.yaml

@@ -1,7 +1,7 @@
 gitea:
   global:
     imageRegistry: registry.hub.docker.com
-  replicaCount: 2
+  replicaCount: 1
   image:
     repository: gitea/gitea
     tag: 1.25.3

clusters/cl01tl/helm/grafana-operator/values.yaml

@@ -17,11 +17,11 @@ postgres-18-cluster:
   recovery:
     method: objectStore
     objectStore:
-      index: 1
+      index: 2
   backup:
     objectStore:
       - name: garage-local
-        index: 1
+        index: 2
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true

clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: kube-prometheus-stack
   repository: oci://ghcr.io/prometheus-community/charts
-  version: 80.6.0
+  version: 80.8.0
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
 - name: redis-replication
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.5.0
-digest: sha256:6f046a936f1d732a44113eb0b7e54330a4261042179f37f4c94fccc9f20ee511
-generated: "2025-12-20T01:04:57.413744271Z"
+digest: sha256:8e4076f0ba94134eb91dc12364fde4f50bffc6dc3c4cc32a5ea6b9ede777a3b6
+generated: "2025-12-28T21:56:15.664575212Z"

clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml

@@ -20,7 +20,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: kube-prometheus-stack
-    version: 80.6.0
+    version: 80.8.0
     repository: oci://ghcr.io/prometheus-community/charts
   - name: app-template
     alias: ntfy-alertmanager

clusters/cl01tl/helm/libation/values.yaml

@@ -60,6 +60,17 @@ libation:
           main:
             - path: /config
               readOnly: false
+    audiobooks:
+      existingClaim: libation-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /data
+              readOnly: false
+        debug:
+          main:
+            - path: /data
+              readOnly: false
 volsync-target-config:
   pvcTarget: libation
   local:

clusters/cl01tl/helm/searxng/values.yaml

@@ -9,7 +9,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:8d98d5c1b678714c3b20dacfab5ea5e3b67f79e50df6d5dbc92ed4f0a964ccbd
+            tag: latest@sha256:6f3a875c64bd804d1ccf2fe3c8df35e985b75ffbf0322f216544e79912fabab2
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL
@@ -39,7 +39,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:8d98d5c1b678714c3b20dacfab5ea5e3b67f79e50df6d5dbc92ed4f0a964ccbd
+            tag: latest@sha256:6f3a875c64bd804d1ccf2fe3c8df35e985b75ffbf0322f216544e79912fabab2
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL

clusters/cl01tl/helm/vaultwarden/templates/external-secret.yaml

@@ -0,0 +1,28 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vaultwarden-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vaultwarden-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: client
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/vaultwarden
+        metadataPolicy: None
+        property: client
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/vaultwarden
+        metadataPolicy: None
+        property: secret

clusters/cl01tl/helm/vaultwarden/values.yaml

@@ -9,7 +9,7 @@ vaultwarden:
         main:
           image:
             repository: vaultwarden/server
-            tag: 1.34.3
+            tag: 1.35.0
             pullPolicy: IfNotPresent
           env:
             - name: DOMAIN
@@ -23,6 +23,24 @@ vaultwarden:
                 secretKeyRef:
                   name: vaultwarden-postgresql-18-cluster-app
                   key: uri
+            - name: SSO_ENABLED
+              value: true
+            - name: SSO_SIGNUPS_MATCH_EMAIL
+              value: true
+            - name: SSO_AUTHORITY
+              value: https://auth.alexlebens.dev/application/o/vaultwarden/
+            - name: SSO_SCOPES
+              value: "email profile offline_access"
+            - name: SSO_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: vaultwarden-oidc-secret
+                  key: client
+            - name: SSO_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: vaultwarden-oidc-secret
+                  key: secret
           resources:
             requests:
               cpu: 10m

clusters/cl01tl/helm/ytdl-sub/Chart.yaml

@@ -0,0 +1,22 @@
+apiVersion: v2
+name: ytdl-sub
+version: 1.0.0
+description: ytdl-sub
+keywords:
+  - ytdl-sub
+  - music
+  - youtube
+home: https://wiki.alexlebens.dev/s/
+sources:
+  - https://github.com/jmbannon/ytdl-sub
+  - https://github.com/jmbannon/ytdl-sub/pkgs/container/ytdl-sub
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: ytdl-sub
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.5.0
+# renovate: github=jmbannon/ytdl-sub
+appVersion: 2025.12.26

clusters/cl01tl/helm/ytdl-sub/templates/persistent-volume-claim.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ytdl-sub-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ytdl-sub-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: ytdl-sub-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/helm/ytdl-sub/templates/persistent-volume.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: ytdl-sub-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ytdl-sub-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage/Music Youtube/
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/helm/ytdl-sub/values.yaml

@@ -0,0 +1,101 @@
+ytdl-sub:
+  controllers:
+    main:
+      type: cronjob
+      cronjob:
+        suspend: false
+        concurrencyPolicy: Forbid
+        timeZone: US/Central
+        schedule: 0 0 1 1 *
+        startingDeadlineSeconds: 90
+        successfulJobsHistory: 1
+        failedJobsHistory: 1
+        backoffLimit: 3
+        parallelism: 1
+      containers:
+        main:
+          image:
+            repository: ghcr.io/jmbannon/ytdl-sub
+            tag: 2025.12.26
+            pullPolicy: IfNotPresent
+          command:
+            - ytdl-sub
+            - --dry-run
+            - -c
+            - /config/config.yaml
+            - sub
+            - /config/subscriptions.yaml
+          env:
+            - name: TZ
+              value: America/Chicago
+            - name: CRON_RUN_ON_START
+              value: false
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  configMaps:
+    config:
+      enabled: true
+      data:
+        config.yaml: |
+          configuration:
+            working_directory: /cache
+
+          presets:
+            Custom MP3:
+              preset:
+                - "Max MP3 Quality"
+
+              embed_thumbnail: True
+
+              square_thumbnail: True
+
+              throttle_protection:
+                sleep_per_download_s:
+                  min: 5
+                  max: 15
+                sleep_per_subscription_s:
+                  min: 5
+                  max: 15
+                max_downloads_per_subscription:
+                  min: 1
+                  max: 200
+
+              overrides:
+                music_directory: "/music"
+
+        subscriptions.yaml: |
+          YT Music | Custom MP3:
+            - "https://www.youtube.com/playlist?list=PLtiOoYqxYXtKK3fMya_xhqK0Wit0i10Gy&si=8wNBH-kGT9Nx0XBK"  # Music Saved
+
+  persistence:
+    config:
+      enabled: true
+      type: configMap
+      name: ytdl-sub
+      advancedMounts:
+        main:
+          main:
+            - path: /config/config.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: config.yaml
+            - path: /config/subscriptions.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: subscriptions.yaml
+    cache:
+      type: emptyDir
+      advancedMounts:
+        main:
+          main:
+            - path: /cache
+              readOnly: false
+    music:
+      existingClaim: ytdl-sub-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /music
+              readOnly: false

renovate.json

@@ -18,8 +18,7 @@
       "addLabels": [
         "chart"
       ],
-      "automerge": false,
-      "minimumReleaseAge": "1 days"
+      "automerge": false
     },
     {
       "description": "Automerge chart patches",
@@ -59,8 +58,7 @@
       "addLabels": [
         "image"
       ],
-      "automerge": false,
-      "minimumReleaseAge": "1 days"
+      "automerge": false
     },
     {
       "description": "Automerge image patches",