dev (#4785 )

Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Reviewed-on: #4785
dev (#4776 )
2026-03-16 05:14:58 +00:00 · 2026-03-15 22:51:25 +00:00 · 2026-03-15 22:50:30 +00:00 · 2026-03-15 22:34:42 +00:00 · 2026-03-15 22:32:42 +00:00 · 2026-03-15 21:57:31 +00:00
27 changed files with 186 additions and 1854 deletions
--- a/.gitea/workflows/lint-test-docker.yaml
+++ b/.gitea/workflows/lint-test-docker.yaml
@@ -131,4 +131,4 @@ jobs:
          tags: action,failed
          details: "Docker linting for compose dirs: ${{ steps.check-dir-changes.outputs.compose-dir-csv }}"
          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-          actions: '[{"action": "view", "label": "View Logs", "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
+          actions: '[{"action": "view", "label": "View Logs", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
--- a/.gitea/workflows/lint-test-helm.yaml
+++ b/.gitea/workflows/lint-test-helm.yaml
@@ -218,9 +218,9 @@ jobs:
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
-          details: "Helm linting for cluster '${CLUSTER}' failed on charts: ${{ steps.lint.outputs.failed-charts }}"
+          details: "Helm linting for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.lint.outputs.failed-charts }}"
          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-          actions: '[{"action": "view", "label": "View Run", "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
+          actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
          image: true
  validate-kubeconform:
@@ -361,7 +361,7 @@ jobs:
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
-          details: "Kubeconform for cluster '${CLUSTER}' failed on charts: ${{ steps.validate.outputs.failed-charts }}"
+          details: "Kubeconform for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.validate.outputs.failed-charts }}"
          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-          actions: '[{"action": "view", "label": "View Run", "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
+          actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
          image: true
--- a/.gitea/workflows/render-manifests-automerge.yaml
+++ b/.gitea/workflows/render-manifests-automerge.yaml
@@ -1,463 +0,0 @@
 name: render-manifests-automerge
 on:
  workflow_dispatch:
  # pull_request:
  #   branches:
  #     - main
  #   paths:
  #     - 'clusters/cl01tl/helm/**'
  #   types:
  #     - closed
 env:
  CLUSTER: cl01tl
  BASE_BRANCH: manifests
  BRANCH_NAME_BASE: auto/update-manifests-automerge
  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
 jobs:
  render-manifests-automerge:
    runs-on: ubuntu-js
    if: ${{ (github.event.pull_request.merged == true) && (contains(github.event.pull_request.labels.*.name, 'automerge')) }}
    steps:
      - name: Checkout Main
        uses: actions/checkout@v6
        with:
          path: infrastructure
          fetch-depth: 0
      - name: Checkout Manifests
        uses: actions/checkout@v6
        with:
          ref: manifests
          path: infrastructure-manifests
      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
          cache: true
      - name: Configure Kubeconfig
        uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Cache Helm Dependencies
        uses: actions/cache@v5
        with:
          path: |
            ~/.cache/helm
            ~/.config/helm
          key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
          restore-keys: |
            helm-cache-${{ runner.os }}-
      - name: Prepare Manifest Branch
        id: prepare-manifest-branch
        run: |
          cd ${MANIFEST_DIR}
          BRANCH_NAME="${BRANCH_NAME_BASE}-$(date +%Y%m%d%H%M%S)"
          echo ""
          echo ">> Configure git to use gitea-bot as user ..."
          git config user.name "gitea-bot"
          git config user.email "gitea-bot@alexlebens.net"
          echo ""
          echo ">> Creating branch ..."
          git checkout -b $BRANCH_NAME
          echo "----"
          echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITEA_OUTPUT
      - name: Check which Directories have Changes
        id: check-dir-changes
        run: |
          cd "${MAIN_DIR}"
          echo ""
          echo ">> Checking for changes from HEAD^..HEAD ..."
          # Extract the chart names from the git diff
          RENDER_DIR=$(git diff --name-only HEAD^..HEAD | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true)
          if [ -n "${RENDER_DIR}" ]; then
            echo ""
            echo ">> Directories to Render:"
            echo "${RENDER_DIR}"
            echo "----"
            echo "changes-detected=true" >> "$GITEA_OUTPUT"
            echo "render-dir<<EOF" >> "$GITEA_OUTPUT"
            echo "${RENDER_DIR}" >> "$GITEA_OUTPUT"
            echo "EOF" >> "$GITEA_OUTPUT"
          else
            echo ""
            echo ">> No chart changes detected"
            echo "changes-detected=false" >> "$GITEA_OUTPUT"
          fi
      - name: Add Repositories
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd "${MAIN_DIR}"
          echo ""
          echo ">> Adding repositories for chart dependencies ..."
          for DIR in ${RENDER_DIR}; do
            helm dependency list --max-col-width 120 "${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}" 2> /dev/null \
              | tail -n +2 \
              | awk 'NF > 0 { print $1, $3 }' \
              | while read -r REPO_NAME REPO_URL; do
                if [[ "${REPO_URL}" == oci://* ]]; then
                  echo ""
                  echo ">> Ignoring OCI repo: ${REPO_URL}"
                elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
                  helm repo add "${REPO_NAME}" "${REPO_URL}"
                fi
              done || true
          done
          if helm repo list > /dev/null 2>&1; then
            echo ""
            echo ">> Update repository cache ..."
            helm repo update
          fi
          echo "----"
      - name: Remove Changed Manifest Files
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd "${MANIFEST_DIR}"
          echo ""
          echo ">> Remove manfiest files and rebuild from source ..."
          for DIR in ${RENDER_DIR}; do
            CHART_PATH=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${DIR}
            echo "${CHART_PATH}"
            rm -rf ${CHART_PATH}/*
          done
          echo "----"
      - name: Render Helm Manifests
        id: render-manifests
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MAIN_DIR}
          echo ""
          echo ">> Rendering Manifests ..."
          render_chart() {
            local DIR="$1"
            local CHART_PATH="${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}"
            local CHART_NAME=$(basename "${CHART_PATH}")
            echo ""
            echo ">> Rendering ..."
            echo ">> Chart: ${CHART_NAME}"
            echo ">> Path: ${CHART_PATH}"
            if [ -f "${CHART_PATH}/Chart.yaml" ]; then
              local OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${CHART_NAME}/"
              mkdir -p "${OUTPUT_FOLDER}"
              cd "${CHART_PATH}"
              echo ""
              echo ">> Updating helm dependencies ..."
              helm dependency update --skip-refresh > /dev/null
              echo ""
              echo ">> Linting helm chart ..."
              helm lint --namespace "${CHART_NAME}" --quiet
              local NAMESPACE="${CHART_NAME}"
              case "${CHART_NAME}" in
                "stack")
                  NAMESPACE="argocd"
                  echo ""
                  echo ">> Special Rendering into 'argocd' namespace ..."
                  ;;
                "cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
                  NAMESPACE="kube-system"
                  echo ""
                  echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
                  ;;
                *)
                  echo ""
                  echo ">> Standard Rendering for ${CHART_NAME} ..."
              esac
              echo ""
              echo ">> Formating rendered template ..."
              local TEMPLATE
              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
              # Format and split rendered template
              echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
              # Strip comments again to ensure formatting correctness
              for file in "$OUTPUT_FOLDER"/*; do
                yq -i '... comments=""' $file
              done
              echo ""
              echo ">> Manifests for ${CHART_NAME} rendered to ${OUTPUT_FOLDER}:"
              ls $OUTPUT_FOLDER
              echo ""
            else
              echo ""
              echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
              echo ""
            fi
          }
          export -f render_chart
          export MAIN_DIR CLUSTER MANIFEST_DIR
          # Run rendering in parallel
          for DIR in ${RENDER_DIR}; do
            echo "${DIR}"
          done | xargs -n 1 -P 4 -I {} bash -c 'render_chart "$@"' _ {}
          echo "----"
      - name: Check for Changes
        id: check-changes
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        run: |
          cd "${MANIFEST_DIR}"
          GIT_CHANGES=$(git status --porcelain)
          if [ -n "${GIT_CHANGES}" ]; then
            echo ""
            echo ">> Changes detected"
            git status --porcelain
            echo "changes-detected=true" >> $GITEA_OUTPUT
          else
            echo ""
            echo ">> No changes detected, skipping PR creation"
          fi
          echo "----"
      - name: Commit and Push Changes
        id: commit-push
        if: steps.check-changes.outputs.changes-detected == 'true'
        env:
          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
        run: |
          cd "${MANIFEST_DIR}"
          echo ""
          echo ">> Commiting changes to ${BRANCH_NAME} ..."
          git add .
          git commit -m "chore: Update manifests after automerge"
          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
          echo ""
          echo ">> Pushing changes to ${REPO_URL} ..."
          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@${REPO_URL#*://}" "${BRANCH_NAME}"
          echo "----"
          echo "push=true" >> "$GITEA_OUTPUT"
      - name: Create Pull Request
        id: create-pull-request
        if: steps.commit-push.outputs.push == 'true'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
          PAYLOAD=$( jq -n \
            --arg head "${BRANCH_NAME}" \
            --arg base "${BASE_BRANCH}" \
            --arg title "Automated Manifest Update - Automerge" \
            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow. This is expected to be automerged." \
            '{head: $head, base: $base, title: $title, body: $body}' )
          echo ">> Creating PR from branch ${BRANCH_NAME} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          echo ">> With Payload of:"
          echo "$PAYLOAD"
          HTTP_STATUS=$(
            curl -X POST \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              --data "$PAYLOAD" \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "201" ]; then
            echo ">> Pull Request created successfully!"
            PR_URL=$(cat response_body.json | jq -r .html_url)
            echo ">> Pull Request URL: $PR_URL"
            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
            PR_NUMBER=$(cat response_body.json | jq -r .number)
            echo ">> Pull Request Number: $PR_NUMBER"
            echo "pull-request-number=${PR_NUMBER}" >> $GITEA_OUTPUT
            echo "pull-request-operation=created" >> $GITEA_OUTPUT
          elif [ "$HTTP_STATUS" == "422" ]; then
            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
          elif [ "$HTTP_STATUS" == "409" ]; then
            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
          else
            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
            exit 1
          fi
          echo "----"
      - name: Merge Changes
        id: merge-changes
        if: steps.commit-push.outputs.push == 'true'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
          PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_NUMBER}/merge"
          PAYLOAD=$( jq -n \
            --arg Do "merge" \
            '{Do: $Do}' )
          echo ">> Merging PR with ID: ${PR_NUMBER}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          echo ">> With Payload of:"
          echo "$PAYLOAD"
          HTTP_STATUS=$(
            curl -X POST \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              --data "$PAYLOAD" \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "200" ]; then
            echo ">> Pull Request merged successfully!"
            echo "pull-request-operation=merged" >> $GITEA_OUTPUT
          else
            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
            echo "pull-request-operation=failed" >> $GITEA_OUTPUT
            exit 1
          fi
          echo "----"
      - name: Cleanup Branch
        if: failure()
        env:
          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
        run: |
          cd ${MANIFEST_DIR}
          echo ">> Removing branch: ${BRANCH_NAME}"
          git push origin --delete ${BRANCH_NAME}
          echo "----"
      - name: ntfy Merged
        uses: niniyas/ntfy-action@master
        if: steps.merge-changes.outputs.pull-request-operation == 'merged'
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render PR Merged - Infrastructure"
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
          details: "Automerge Manifest rendering for Infrastructure!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
      - name: ntfy Failed
        uses: niniyas/ntfy-action@master
        if: failure()
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render Failure - Infrastructure"
          priority: 4
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
          details: "Automerge Manifest rendering for Infrastructure has failed!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests-automerge.yaml", "clear": true}]'
          image: true
--- a/.gitea/workflows/render-manifests-dispatch.yaml
+++ b/.gitea/workflows/render-manifests-dispatch.yaml
@@ -1,445 +0,0 @@
 name: render-manifests-dispatch
 on:
  workflow_dispatch:
  # schedule:
  #   - cron: '0 15 * * *'
  # workflow_dispatch:
 env:
  CLUSTER: cl01tl
  BASE_BRANCH: manifests
  BRANCH_NAME: auto/update-manifests
  ASSIGNEE: alexlebens
  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
 jobs:
  render-manifests-dispatch:
    runs-on: ubuntu-js
    steps:
      - name: Checkout Main
        uses: actions/checkout@v6
        with:
          path: infrastructure
          fetch-depth: 0
      - name: Checkout Manifests
        uses: actions/checkout@v6
        with:
          ref: manifests
          path: infrastructure-manifests
      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
          cache: true
      - name: Configure Kubeconfig
        uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Cache Helm Dependencies
        uses: actions/cache@v5
        with:
          path: |
            ~/.cache/helm
            ~/.config/helm
          key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
          restore-keys: |
            helm-cache-${{ runner.os }}-
      - name: Prepare Manifest Branch
        run: |
          cd "${MANIFEST_DIR}"
          echo ""
          echo ">> Configure git to use gitea-bot as user ..."
          git config user.name "gitea-bot"
          git config user.email "gitea-bot@alexlebens.net"
          echo ""
          echo ">> Checking if PR branch exists ..."
          if git ls-remote --exit-code --heads origin "${BRANCH_NAME}" > /dev/null 2>&1; then
            echo ""
            echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
            git fetch origin "${BRANCH_NAME}"
            git checkout "${BRANCH_NAME}"
            git pull --rebase
          else
            echo ""
            echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
            git checkout -b "${BRANCH_NAME}"
          fi
          echo "----"
      - name: Check which Directories have Changes
        id: check-dir-changes
        run: |
          cd "${MAIN_DIR}"
          echo ""
          echo ">> Triggered on dispatch, will check all paths ..."
          # Extract names of charts
          RENDER_DIR=$(find "clusters/${CLUSTER}/helm" -mindepth 1 -maxdepth 1 -type d -exec basename {} \; | sort -u)
          if [ -n "${RENDER_DIR}" ]; then
            echo ""
            echo ">> Directories to Render:"
            echo "${RENDER_DIR}"
            echo "----"
            echo "changes-detected=true" >> "$GITEA_OUTPUT"
            echo "render-dir<<EOF" >> "$GITEA_OUTPUT"
            echo "${RENDER_DIR}" >> "$GITEA_OUTPUT"
            echo "EOF" >> "$GITEA_OUTPUT"
          else
            echo ">> No directories found"
            echo "changes-detected=false" >> "$GITEA_OUTPUT"
          fi
      - name: Add Repositories
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd "${MAIN_DIR}"
          echo ""
          echo ">> Adding repositories for chart dependencies ..."
          for DIR in ${RENDER_DIR}; do
            helm dependency list --max-col-width 120 "${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}" 2> /dev/null \
              | tail -n +2 \
              | awk 'NF > 0 { print $1, $3 }' \
              | while read -r REPO_NAME REPO_URL; do
                if [[ "${REPO_URL}" == oci://* ]]; then
                  echo ""
                  echo ">> Ignoring OCI repo: ${REPO_URL}"
                elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
                  helm repo add "${REPO_NAME}" "${REPO_URL}"
                fi
              done || true
          done
          if helm repo list > /dev/null 2>&1; then
            echo ""
            echo ">> Update repository cache ..."
            helm repo update
          fi
          echo "----"
      - name: Remove Changed Manifest Files
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd "${MANIFEST_DIR}"
          echo ""
          echo ">> Remove manfiest files and rebuild from source ..."
          for DIR in ${RENDER_DIR}; do
            CHART_PATH=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${DIR}
            echo "${CHART_PATH}"
            rm -rf ${CHART_PATH}/*
          done
          echo "----"
      - name: Render Helm Manifests
        id: render-manifests
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MAIN_DIR}
          echo ""
          echo ">> Rendering Manifests ..."
          render_chart() {
            local DIR="$1"
            local CHART_PATH="${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}"
            local CHART_NAME=$(basename "${CHART_PATH}")
            echo ""
            echo ">> Rendering ..."
            echo ">> Chart: ${CHART_NAME}"
            echo ">> Path: ${CHART_PATH}"
            if [ -f "${CHART_PATH}/Chart.yaml" ]; then
              local OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${CHART_NAME}/"
              mkdir -p "${OUTPUT_FOLDER}"
              cd "${CHART_PATH}"
              echo ""
              echo ">> Updating helm dependencies ..."
              helm dependency update --skip-refresh > /dev/null
              echo ""
              echo ">> Linting helm chart ..."
              helm lint --namespace "${CHART_NAME}" --quiet
              local NAMESPACE="${CHART_NAME}"
              case "${CHART_NAME}" in
                "stack")
                  NAMESPACE="argocd"
                  echo ""
                  echo ">> Special Rendering into 'argocd' namespace ..."
                  ;;
                "cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
                  NAMESPACE="kube-system"
                  echo ""
                  echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
                  ;;
                *)
                  echo ""
                  echo ">> Standard Rendering for ${CHART_NAME} ..."
              esac
              echo ""
              echo ">> Formating rendered template ..."
              local TEMPLATE
              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
              # Format and split rendered template
              echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
              # Strip comments again to ensure formatting correctness
              for file in "$OUTPUT_FOLDER"/*; do
                yq -i '... comments=""' $file
              done
              echo ""
              echo ">> Manifests for ${CHART_NAME} rendered to ${OUTPUT_FOLDER}:"
              ls $OUTPUT_FOLDER
              echo ""
            else
              echo ""
              echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
              echo ""
            fi
          }
          export -f render_chart
          export MAIN_DIR CLUSTER MANIFEST_DIR
          # Run rendering in parallel
          for DIR in ${RENDER_DIR}; do
            echo "${DIR}"
          done | xargs -n 1 -P 4 -I {} bash -c 'render_chart "$@"' _ {}
          echo "----"
      - name: Check for Changes
        id: check-changes
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        run: |
          cd "${MANIFEST_DIR}"
          GIT_CHANGES=$(git status --porcelain)
          if [ -n "${GIT_CHANGES}" ]; then
            echo ""
            echo ">> Changes detected"
            git status --porcelain
            echo "changes-detected=true" >> $GITEA_OUTPUT
          else
            echo ""
            echo ">> No changes detected, skipping PR creation"
          fi
          echo "----"
      - name: Commit and Push Changes
        id: commit-push
        if: steps.check-changes.outputs.changes-detected == 'true'
        run: |
          cd "${MANIFEST_DIR}"
          echo ""
          echo ">> Commiting changes to ${BRANCH_NAME} ..."
          git add .
          git commit -m "chore: Update manifests after change"
          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
          echo ""
          echo ">> Pushing changes to ${REPO_URL} ..."
          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@${REPO_URL#*://}" "${BRANCH_NAME}"
          echo "----"
          echo "HEAD_BRANCH=${BRANCH_NAME}" >> "$GITEA_OUTPUT"
          echo "push=true" >> "$GITEA_OUTPUT"
      - name: Check for Pull Request
        id: check-for-pull-requst
        if: steps.commit-push.outputs.push == 'true'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          HTTP_STATUS=$(
            curl -X GET \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
            echo ">> Pull Request has been found open, will update"
            PR_INDEX=$(cat response_body.json | jq -r .[0].number)
            echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
            echo "pull-request-index=true" >> $GITEA_OUTPUT
          elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
            echo ">> Pull Request found, but was closed"
            echo "pull-request-exists=false" >> $GITEA_OUTPUT
          else
            echo ">> Pull Request not found"
            echo "pull-request-exists=false" >> $GITEA_OUTPUT
          fi
          echo "----"
      - name: Create Pull Request
        id: create-pull-request
        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
          PAYLOAD=$( jq -n \
            --arg head "${HEAD_BRANCH}" \
            --arg base "${BASE_BRANCH}" \
            --arg assignee "${ASSIGNEE}" \
            --arg title "Automated Manifest Update" \
            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
            '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
          echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          echo ">> With Payload of:"
          echo "$PAYLOAD"
          HTTP_STATUS=$(
            curl -X POST \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              --data "$PAYLOAD" \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "201" ]; then
            echo ">> Pull Request created successfully!"
            PR_URL=$(cat response_body.json | jq -r .html_url)
            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
            PR_ID=$(cat response_body.json | jq -r .id)
            echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
            echo "pull-request-operation=created" >> $GITEA_OUTPUT
          elif [ "$HTTP_STATUS" == "422" ]; then
            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
          elif [ "$HTTP_STATUS" == "409" ]; then
            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
          else
            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
            exit 1
          fi
          echo "----"
      - name: ntfy Created
        uses: niniyas/ntfy-action@master
        if: steps.create-pull-request.outputs.pull-request-operation == 'created'
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render PR Created - Infrastructure"
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
          details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
      - name: ntfy Failed
        uses: niniyas/ntfy-action@master
        if: failure()
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render Failure - Infrastructure"
          priority: 4
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
          details: "Manifest rendering for Infrastructure has failed!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
          image: true
--- a/.gitea/workflows/render-manifests-merge.yaml
+++ b/.gitea/workflows/render-manifests-merge.yaml
@@ -1,451 +0,0 @@
 name: render-manifests-merge
 on:
  workflow_dispatch:
  # pull_request:
  #   branches:
  #     - main
  #   paths:
  #     - 'clusters/cl01tl/helm/**'
  #   types:
  #     - closed
 env:
  CLUSTER: cl01tl
  BASE_BRANCH: manifests
  BRANCH_NAME: auto/update-manifests
  ASSIGNEE: alexlebens
  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
 jobs:
  render-manifests-merge:
    runs-on: ubuntu-js
    if: ${{ (github.event.pull_request.merged == true) && !(contains(github.event.pull_request.labels.*.name, 'automerge')) }}
    steps:
      - name: Checkout Main
        uses: actions/checkout@v6
        with:
          path: infrastructure
          fetch-depth: 0
      - name: Checkout Manifests
        uses: actions/checkout@v6
        with:
          ref: manifests
          path: infrastructure-manifests
      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
          cache: true
      - name: Configure Kubeconfig
        uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Cache Helm Dependencies
        uses: actions/cache@v5
        with:
          path: |
            ~/.cache/helm
            ~/.config/helm
          key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
          restore-keys: |
            helm-cache-${{ runner.os }}-
      - name: Prepare Manifest Branch
        run: |
          cd "${MANIFEST_DIR}"
          echo ""
          echo ">> Configure git to use gitea-bot as user ..."
          git config user.name "gitea-bot"
          git config user.email "gitea-bot@alexlebens.net"
          echo ""
          echo ">> Checking if PR branch exists ..."
          if git ls-remote --exit-code --heads origin "${BRANCH_NAME}" > /dev/null 2>&1; then
            echo ""
            echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
            git fetch origin "${BRANCH_NAME}"
            git checkout "${BRANCH_NAME}"
            git pull --rebase
          else
            echo ""
            echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
            git checkout -b "${BRANCH_NAME}"
          fi
          echo "----"
      - name: Check which Directories have Changes
        id: check-dir-changes
        run: |
          cd "${MAIN_DIR}"
          echo ""
          echo ">> Checking for changes from HEAD^..HEAD ..."
          # Extract the chart names from the git diff
          RENDER_DIR=$(git diff --name-only HEAD^..HEAD | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true)
          if [ -n "${RENDER_DIR}" ]; then
            echo ""
            echo ">> Directories to Render:"
            echo "${RENDER_DIR}"
            echo "----"
            echo "changes-detected=true" >> "$GITEA_OUTPUT"
            echo "render-dir<<EOF" >> "$GITEA_OUTPUT"
            echo "${RENDER_DIR}" >> "$GITEA_OUTPUT"
            echo "EOF" >> "$GITEA_OUTPUT"
          else
            echo ""
            echo ">> No chart changes detected"
            echo "changes-detected=false" >> "$GITEA_OUTPUT"
          fi
      - name: Add Repositories
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd "${MAIN_DIR}"
          echo ""
          echo ">> Adding repositories for chart dependencies ..."
          for DIR in ${RENDER_DIR}; do
            helm dependency list --max-col-width 120 "${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}" 2> /dev/null \
              | tail -n +2 \
              | awk 'NF > 0 { print $1, $3 }' \
              | while read -r REPO_NAME REPO_URL; do
                if [[ "${REPO_URL}" == oci://* ]]; then
                  echo ""
                  echo ">> Ignoring OCI repo: ${REPO_URL}"
                elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
                  helm repo add "${REPO_NAME}" "${REPO_URL}"
                fi
              done || true
          done
          if helm repo list > /dev/null 2>&1; then
            echo ""
            echo ">> Update repository cache ..."
            helm repo update
          fi
          echo "----"
      - name: Remove Changed Manifest Files
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd "${MANIFEST_DIR}"
          echo ""
          echo ">> Remove manfiest files and rebuild from source ..."
          for DIR in ${RENDER_DIR}; do
            CHART_PATH=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${DIR}
            echo "${CHART_PATH}"
            rm -rf ${CHART_PATH}/*
          done
          echo "----"
      - name: Render Helm Manifests
        id: render-manifests
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MAIN_DIR}
          echo ""
          echo ">> Rendering Manifests ..."
          render_chart() {
            local DIR="$1"
            local CHART_PATH="${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}"
            local CHART_NAME=$(basename "${CHART_PATH}")
            echo ""
            echo ">> Rendering ..."
            echo ">> Chart: ${CHART_NAME}"
            echo ">> Path: ${CHART_PATH}"
            if [ -f "${CHART_PATH}/Chart.yaml" ]; then
              local OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${CHART_NAME}/"
              mkdir -p "${OUTPUT_FOLDER}"
              cd "${CHART_PATH}"
              echo ""
              echo ">> Updating helm dependencies ..."
              helm dependency update --skip-refresh > /dev/null
              echo ""
              echo ">> Linting helm chart ..."
              helm lint --namespace "${CHART_NAME}" --quiet
              local NAMESPACE="${CHART_NAME}"
              case "${CHART_NAME}" in
                "stack")
                  NAMESPACE="argocd"
                  echo ""
                  echo ">> Special Rendering into 'argocd' namespace ..."
                  ;;
                "cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
                  NAMESPACE="kube-system"
                  echo ""
                  echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
                  ;;
                *)
                  echo ""
                  echo ">> Standard Rendering for ${CHART_NAME} ..."
              esac
              echo ""
              echo ">> Formating rendered template ..."
              local TEMPLATE
              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
              # Format and split rendered template
              echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
              # Strip comments again to ensure formatting correctness
              for file in "$OUTPUT_FOLDER"/*; do
                yq -i '... comments=""' $file
              done
              echo ""
              echo ">> Manifests for ${CHART_NAME} rendered to ${OUTPUT_FOLDER}:"
              ls $OUTPUT_FOLDER
              echo ""
            else
              echo ""
              echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
              echo ""
            fi
          }
          export -f render_chart
          export MAIN_DIR CLUSTER MANIFEST_DIR
          # Run rendering in parallel
          for DIR in ${RENDER_DIR}; do
            echo "${DIR}"
          done | xargs -n 1 -P 4 -I {} bash -c 'render_chart "$@"' _ {}
          echo "----"
      - name: Check for Changes
        id: check-changes
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        run: |
          cd "${MANIFEST_DIR}"
          GIT_CHANGES=$(git status --porcelain)
          if [ -n "${GIT_CHANGES}" ]; then
            echo ""
            echo ">> Changes detected"
            git status --porcelain
            echo "changes-detected=true" >> $GITEA_OUTPUT
          else
            echo ""
            echo ">> No changes detected, skipping PR creation"
          fi
          echo "----"
      - name: Commit and Push Changes
        id: commit-push
        if: steps.check-changes.outputs.changes-detected == 'true'
        run: |
          cd "${MANIFEST_DIR}"
          echo ""
          echo ">> Commiting changes to ${BRANCH_NAME} ..."
          git add .
          git commit -m "chore: Update manifests after change"
          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
          echo ""
          echo ">> Pushing changes to ${REPO_URL} ..."
          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@${REPO_URL#*://}" "${BRANCH_NAME}"
          echo "----"
          echo "HEAD_BRANCH=${BRANCH_NAME}" >> "$GITEA_OUTPUT"
          echo "push=true" >> "$GITEA_OUTPUT"
      - name: Check for Pull Request
        id: check-for-pull-requst
        if: steps.commit-push.outputs.push == 'true'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          HTTP_STATUS=$(
            curl -X GET \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
            echo ">> Pull Request has been found open, will update"
            PR_INDEX=$(cat response_body.json | jq -r .[0].number)
            echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
            echo "pull-request-index=true" >> $GITEA_OUTPUT
          elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
            echo ">> Pull Request found, but was closed"
            echo "pull-request-exists=false" >> $GITEA_OUTPUT
          else
            echo ">> Pull Request not found"
            echo "pull-request-exists=false" >> $GITEA_OUTPUT
          fi
          echo "----"
      - name: Create Pull Request
        id: create-pull-request
        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
          PAYLOAD=$( jq -n \
            --arg head "${HEAD_BRANCH}" \
            --arg base "${BASE_BRANCH}" \
            --arg assignee "${ASSIGNEE}" \
            --arg title "Automated Manifest Update" \
            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
            '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
          echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          echo ">> With Payload of:"
          echo "$PAYLOAD"
          HTTP_STATUS=$(
            curl -X POST \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              --data "$PAYLOAD" \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "201" ]; then
            echo ">> Pull Request created successfully!"
            PR_URL=$(cat response_body.json | jq -r .html_url)
            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
            PR_ID=$(cat response_body.json | jq -r .id)
            echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
            echo "pull-request-operation=created" >> $GITEA_OUTPUT
          elif [ "$HTTP_STATUS" == "422" ]; then
            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
          elif [ "$HTTP_STATUS" == "409" ]; then
            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
          else
            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
            exit 1
          fi
          echo "----"
      - name: ntfy Created
        uses: niniyas/ntfy-action@master
        if: steps.create-pull-request.outputs.pull-request-operation == 'created'
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render PR Created - Infrastructure"
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
          details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
      - name: ntfy Failed
        uses: niniyas/ntfy-action@master
        if: failure()
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render Failure - Infrastructure"
          priority: 4
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
          details: "Manifest rendering for Infrastructure has failed!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
          image: true
--- a/.gitea/workflows/render-manifests-push.yaml
+++ b/.gitea/workflows/render-manifests-push.yaml
@@ -1,449 +0,0 @@
 name: render-manifests-push
 on:
  workflow_dispatch:
  # push:
  #   branches:
  #     - main
  #   paths:
  #     - 'clusters/cl01tl/helm/**'
 env:
  CLUSTER: cl01tl
  BASE_BRANCH: manifests
  BRANCH_NAME: auto/update-manifests
  ASSIGNEE: alexlebens
  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
 jobs:
  render-manifests-push:
    runs-on: ubuntu-js
    if: gitea.event.commits[0].author.username != 'renovate-bot'
    steps:
      - name: Checkout Main
        uses: actions/checkout@v6
        with:
          path: infrastructure
          fetch-depth: 0
      - name: Checkout Manifests
        uses: actions/checkout@v6
        with:
          ref: manifests
          path: infrastructure-manifests
      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
          cache: true
      - name: Configure Kubeconfig
        uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Cache Helm Dependencies
        uses: actions/cache@v5
        with:
          path: |
            ~/.cache/helm
            ~/.config/helm
          key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
          restore-keys: |
            helm-cache-${{ runner.os }}-
      - name: Prepare Manifest Branch
        run: |
          cd "${MANIFEST_DIR}"
          echo ""
          echo ">> Configure git to use gitea-bot as user ..."
          git config user.name "gitea-bot"
          git config user.email "gitea-bot@alexlebens.net"
          echo ">> Checking if PR branch exists ..."
          if git ls-remote --exit-code --heads origin "${BRANCH_NAME}" > /dev/null 2>&1; then
            echo ""
            echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
            git fetch origin "${BRANCH_NAME}"
            git checkout "${BRANCH_NAME}"
            git pull --rebase
          else
            echo ""
            echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
            git checkout -b "${BRANCH_NAME}"
          fi
          echo "----"
      - name: Check which Directories have Changes
        id: check-dir-changes
        run: |
          cd "${MAIN_DIR}"
          echo ""
          echo ">> Checking for changes ..."
          # Extract the chart names from the git diff
          RENDER_DIR=$(git diff --name-only ${{ gitea.event.before }}..HEAD | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true)
          if [ -n "${RENDER_DIR}" ]; then
            echo ""
            echo ">> Directories to Render:"
            echo "${RENDER_DIR}"
            echo "----"
            echo "changes-detected=true" >> "$GITEA_OUTPUT"
            echo "render-dir<<EOF" >> "$GITEA_OUTPUT"
            echo "${RENDER_DIR}" >> "$GITEA_OUTPUT"
            echo "EOF" >> "$GITEA_OUTPUT"
          else
            echo ""
            echo ">> No chart changes detected"
            echo "changes-detected=false" >> "$GITEA_OUTPUT"
          fi
      - name: Add Repositories
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd "${MAIN_DIR}"
          echo ""
          echo ">> Adding repositories for chart dependencies ..."
          for DIR in ${RENDER_DIR}; do
            helm dependency list --max-col-width 120 "${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}" 2> /dev/null \
              | tail -n +2 \
              | awk 'NF > 0 { print $1, $3 }' \
              | while read -r REPO_NAME REPO_URL; do
                if [[ "${REPO_URL}" == oci://* ]]; then
                  echo ""
                  echo ">> Ignoring OCI repo: ${REPO_URL}"
                elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
                  helm repo add "${REPO_NAME}" "${REPO_URL}"
                fi
              done || true
          done
          if helm repo list > /dev/null 2>&1; then
            echo ""
            echo ">> Update repository cache ..."
            helm repo update
          fi
          echo "----"
      - name: Remove Changed Manifest Files
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd "${MANIFEST_DIR}"
          echo ""
          echo ">> Remove manfiest files and rebuild from source ..."
          for DIR in ${RENDER_DIR}; do
            CHART_PATH=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${DIR}
            echo ""
            echo "${CHART_PATH}"
            rm -rf ${CHART_PATH}/*
          done
          echo "----"
      - name: Render Helm Manifests
        id: render-manifests
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MAIN_DIR}
          echo ""
          echo ">> Rendering Manifests ..."
          render_chart() {
            local DIR="$1"
            local CHART_PATH="${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}"
            local CHART_NAME=$(basename "${CHART_PATH}")
            echo ""
            echo ">> Rendering ..."
            echo ">> Chart: ${CHART_NAME}"
            echo ">> Path: ${CHART_PATH}"
            if [ -f "${CHART_PATH}/Chart.yaml" ]; then
              local OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${CHART_NAME}/"
              mkdir -p "${OUTPUT_FOLDER}"
              cd "${CHART_PATH}"
              echo ""
              echo ">> Updating helm dependencies ..."
              helm dependency update --skip-refresh > /dev/null
              echo ""
              echo ">> Linting helm chart ..."
              helm lint --namespace "${CHART_NAME}" --quiet
              local NAMESPACE="${CHART_NAME}"
              case "${CHART_NAME}" in
                "stack")
                  NAMESPACE="argocd"
                  echo ""
                  echo ">> Special Rendering into 'argocd' namespace ..."
                  ;;
                "cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
                  NAMESPACE="kube-system"
                  echo ""
                  echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
                  ;;
                *)
                  echo ""
                  echo ">> Standard Rendering for ${CHART_NAME} ..."
              esac
              echo ""
              echo ">> Formating rendered template ..."
              local TEMPLATE
              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
              # Format and split rendered template
              echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
              # Strip comments again to ensure formatting correctness
              for file in "$OUTPUT_FOLDER"/*; do
                yq -i '... comments=""' $file
              done
              echo ""
              echo ">> Manifests for ${CHART_NAME} rendered to ${OUTPUT_FOLDER}:"
              ls $OUTPUT_FOLDER
              echo ""
            else
              echo ""
              echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
              echo ""
            fi
          }
          export -f render_chart
          export MAIN_DIR CLUSTER MANIFEST_DIR
          # Run rendering in parallel
          for DIR in ${RENDER_DIR}; do
            echo "${DIR}"
          done | xargs -n 1 -P 4 -I {} bash -c 'render_chart "$@"' _ {}
          echo "----"
      - name: Check for Changes
        id: check-changes
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        run: |
          cd "${MANIFEST_DIR}"
          GIT_CHANGES=$(git status --porcelain)
          if [ -n "${GIT_CHANGES}" ]; then
            echo ""
            echo ">> Changes detected"
            git status --porcelain
            echo "changes-detected=true" >> $GITEA_OUTPUT
          else
            echo ""
            echo ">> No changes detected, skipping PR creation"
          fi
          echo "----"
      - name: Commit and Push Changes
        id: commit-push
        if: steps.check-changes.outputs.changes-detected == 'true'
        run: |
          cd "${MANIFEST_DIR}"
          echo ""
          echo ">> Commiting changes to ${BRANCH_NAME} ..."
          git add .
          git commit -m "chore: Update manifests after change"
          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
          echo ""
          echo ">> Pushing changes to ${REPO_URL} ..."
          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@${REPO_URL#*://}" "${BRANCH_NAME}"
          echo "----"
          echo "HEAD_BRANCH=${BRANCH_NAME}" >> "$GITEA_OUTPUT"
          echo "push=true" >> "$GITEA_OUTPUT"
      - name: Check for Pull Request
        id: check-for-pull-requst
        if: steps.commit-push.outputs.push == 'true'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          HTTP_STATUS=$(
            curl -X GET \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
            echo ">> Pull Request has been found open, will update"
            PR_INDEX=$(cat response_body.json | jq -r .[0].number)
            echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
            echo "pull-request-index=true" >> $GITEA_OUTPUT
          elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
            echo ">> Pull Request found, but was closed"
            echo "pull-request-exists=false" >> $GITEA_OUTPUT
          else
            echo ">> Pull Request not found"
            echo "pull-request-exists=false" >> $GITEA_OUTPUT
          fi
          echo "----"
      - name: Create Pull Request
        id: create-pull-request
        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
          PAYLOAD=$( jq -n \
            --arg head "${HEAD_BRANCH}" \
            --arg base "${BASE_BRANCH}" \
            --arg assignee "${ASSIGNEE}" \
            --arg title "Automated Manifest Update" \
            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
            '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
          echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          echo ">> With Payload of:"
          echo "$PAYLOAD"
          HTTP_STATUS=$(
            curl -X POST \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              --data "$PAYLOAD" \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "201" ]; then
            echo ">> Pull Request created successfully!"
            PR_URL=$(cat response_body.json | jq -r .html_url)
            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
            PR_ID=$(cat response_body.json | jq -r .id)
            echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
            echo "pull-request-operation=created" >> $GITEA_OUTPUT
          elif [ "$HTTP_STATUS" == "422" ]; then
            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
          elif [ "$HTTP_STATUS" == "409" ]; then
            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
          else
            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
            exit 1
          fi
          echo "----"
      - name: ntfy Created
        uses: niniyas/ntfy-action@master
        if: steps.create-pull-request.outputs.pull-request-operation == 'created'
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render PR Created - Infrastructure"
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
          details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
      - name: ntfy Failed
        uses: niniyas/ntfy-action@master
        if: failure()
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render Failure - Infrastructure"
          priority: 4
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
          details: "Manifest rendering for Infrastructure has failed!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
          image: true
--- a/.gitea/workflows/render-manifests.yaml
+++ b/.gitea/workflows/render-manifests.yaml
@@ -6,12 +6,6 @@ on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - 'clusters/cl01tl/helm/**'
  pull_request:
    branches:
      - main
@@ -34,7 +28,6 @@ jobs:
    if: >-
      github.event_name == 'schedule' ||
      github.event_name == 'workflow_dispatch' ||
      (github.event_name == 'push' && github.actor != 'renovate-bot') ||
      (github.event_name == 'pull_request' && github.event.pull_request.merged == true)
    steps:
      - name: Checkout Main
@@ -95,10 +88,6 @@ jobs:
            DIFF_TARGET="HEAD^..HEAD"
          elif [[ "${{ github.event_name }}" == "push" ]]; then
            echo ">> Mode: Push (Standard)"
            DIFF_TARGET="${{ github.event.before }}..HEAD"
          fi
          echo ""
@@ -111,6 +100,7 @@ jobs:
      - name: Prepare Manifest Branch
        id: prepare-manifest-branch
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }}
        run: |
          cd "${MANIFEST_DIR}"
@@ -120,10 +110,10 @@ jobs:
          git config user.email "gitea-bot@alexlebens.net"
          if [[ "$IS_AUTOMERGE" == "true" ]]; then
            BRANCH_NAME="${BRANCH_NAME_BASE}-automerge-${PR_NUMBER}"
            echo ""
            echo ">> Creating branch ${BRANCH_NAME} ..."
-            BRANCH_NAME="${BRANCH_NAME_BASE}-automerge-$(date +%Y%m%d%H%M%S)"
+            git checkout -B "$BRANCH_NAME"
            git checkout -b "$BRANCH_NAME"
          else
            echo ""
@@ -416,7 +406,6 @@ jobs:
            echo "----"
            echo "pull-request-exists=$(cat response_body.json | jq -r .[0].number)" >> "$GITHUB_OUTPUT"
            echo "pull-request-url=$(cat response_body.json | jq -r .[0].html_url)" >> "$GITHUB_OUTPUT"
          else
            echo ""
@@ -468,7 +457,6 @@ jobs:
            echo ""
            echo "----"
            echo "pull-request-url=$(jq -r .html_url response_body.json)" >> "$GITHUB_OUTPUT"
            echo "pull-request-id=$(jq -r .id response_body.json)" >> "$GITHUB_OUTPUT"
            echo "pull-request-number=$(jq -r .number response_body.json)" >> "$GITHUB_OUTPUT"
            echo "pull-request-operation=created" >> "$GITHUB_OUTPUT"
@@ -589,9 +577,9 @@ jobs:
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
-          details: "Created renderd manifests for cluster '${CLUSTER}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
+          details: "Created renderd manifests for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
-          actions: '[{"action": "view", "label": "View PR", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
+          actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
      - name: ntfy Updated
        uses: niniyas/ntfy-action@master
@@ -603,9 +591,9 @@ jobs:
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
-          details: "Updated rendered manifests PR for cluster '${CLUSTER}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
+          details: "Updated rendered manifests PR for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
-          actions: '[{"action": "view", "label": "View PR", "url": "${{ steps.check-for-pull-request.outputs.pull-request-url }}", "clear": true}]'
+          actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
      - name: ntfy Merged
        uses: niniyas/ntfy-action@master
@@ -617,9 +605,9 @@ jobs:
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
-          details: "Automerged manifest rendering for cluster '${CLUSTER}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
+          details: "Automerged manifest rendering for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
-          actions: '[{"action": "view", "label": "View PR", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
+          actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
      - name: ntfy Failed
        uses: niniyas/ntfy-action@master
@@ -633,4 +621,4 @@ jobs:
          tags: action,failed
          details: "Manifest rendering for Infrastructure has failed!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
-          actions: '[{"action": "view", "label": "View Logs", "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
+          actions: '[{"action": "view", "label": "View Logs", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v2.3.0
+    rev: v6.0.0
    hooks:
      - id: end-of-file-fixer
      - id: trailing-whitespace
@@ -9,7 +9,9 @@ repos:
        exclude: '^.*\/templates\/.*$'
        args:
          - --multi
      - id: check-merge-conflict
      - id: check-json
  - repo: https://github.com/IamTheFij/docker-pre-commit
-    rev: v2.0.0
+    rev: v3.0.1
    hooks:
      - id: docker-compose-check
--- a/clusters/cl01tl/helm/dawarich/Chart.yaml
+++ b/clusters/cl01tl/helm/dawarich/Chart.yaml
@@ -26,4 +26,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
 # renovate: datasource=github-releases depName=Freika/dawarich
-appVersion: 1.3.3
+appVersion: 1.3.4
--- a/clusters/cl01tl/helm/dawarich/values.yaml
+++ b/clusters/cl01tl/helm/dawarich/values.yaml
@@ -9,7 +9,7 @@ dawarich:
        main:
          image:
            repository: freikin/dawarich
-            tag: 1.3.3
+            tag: 1.3.4
            pullPolicy: IfNotPresent
          command: ["web-entrypoint.sh"]
          args: ["bin/rails", "server", "-p", "3000", "-b", "::"]
@@ -106,7 +106,7 @@ dawarich:
        sidekiq:
          image:
            repository: freikin/dawarich
-            tag: 1.3.3
+            tag: 1.3.4
            pullPolicy: IfNotPresent
          command: ["sidekiq-entrypoint.sh"]
          args: ["sidekiq"]
--- a/clusters/cl01tl/helm/generic-device-plugin/Chart.lock
+++ b/clusters/cl01tl/helm/generic-device-plugin/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: generic-device-plugin
  repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-  version: 0.20.21
+  version: 0.20.22
-digest: sha256:4f1359a01b8b85722ab1805426a86f3ea64d0134513ce14fe9c55f3f918a21fb
+digest: sha256:14e5aa3f02ce6a1271dadc3f76997c739fc9434e669b05655c079d0b873c56ca
-generated: "2026-03-09T23:02:42.799515974Z"
+generated: "2026-03-15T20:35:40.676997293Z"
--- a/clusters/cl01tl/helm/generic-device-plugin/Chart.yaml
+++ b/clusters/cl01tl/helm/generic-device-plugin/Chart.yaml
@@ -15,6 +15,6 @@ maintainers:
 dependencies:
  - name: generic-device-plugin
    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-    version: 0.20.21
+    version: 0.20.22
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 appVersion: 1.0.0
--- a/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml
@@ -358,6 +358,25 @@ spec:
  resyncPeriod: 1h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/traefik.json
 ---
 apiVersion: grafana.integreatly.org/v1beta1
 kind: GrafanaDashboard
 metadata:
  name: grafana-dashboard-tdarr
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-tdarr
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
  contentCacheDuration: 1h
  folderUID: grafana-folder-service
  resyncPeriod: 1h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/tdarr.json
 ---
 apiVersion: grafana.integreatly.org/v1beta1
 kind: GrafanaDashboard
--- a/clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: kube-prometheus-stack
  repository: oci://ghcr.io/prometheus-community/charts
-  version: 82.10.3
+  version: 82.10.4
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.0
-digest: sha256:37ffa4a21ed29703cae9c9f3fb029566a1dd6af6e0fe8cc3862a2226d6644114
+digest: sha256:d6bbbfdd1a781b5eb82c2dc8571836a43d23bf8526eac1bcd40f38030be642db
-generated: "2026-03-10T19:02:41.11005238Z"
+generated: "2026-03-15T20:38:11.961621853Z"
--- a/clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
@@ -20,7 +20,7 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: kube-prometheus-stack
-    version: 82.10.3
+    version: 82.10.4
    repository: oci://ghcr.io/prometheus-community/charts
  - name: app-template
    alias: ntfy-alertmanager
--- a/clusters/cl01tl/helm/ntfy/Chart.yaml
+++ b/clusters/cl01tl/helm/ntfy/Chart.yaml
@@ -20,4 +20,4 @@ dependencies:
    version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ntfy.png
 # renovate: datasource=github-releases depName=binwiederhier/ntfy
-appVersion: 2.18.0
+appVersion: 2.19.0
--- a/clusters/cl01tl/helm/ntfy/values.yaml
+++ b/clusters/cl01tl/helm/ntfy/values.yaml
@@ -9,7 +9,7 @@ ntfy:
        main:
          image:
            repository: binwiederhier/ntfy
-            tag: v2.18.0
+            tag: v2.19.0
            pullPolicy: IfNotPresent
          args: ["serve"]
          env:
--- a/clusters/cl01tl/helm/outline/Chart.yaml
+++ b/clusters/cl01tl/helm/outline/Chart.yaml
@@ -39,4 +39,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/outline.png
 # renovate: datasource=github-releases depName=outline/outline
-appVersion: 1.5.0
+appVersion: 1.6.0
--- a/clusters/cl01tl/helm/outline/values.yaml
+++ b/clusters/cl01tl/helm/outline/values.yaml
@@ -12,7 +12,7 @@ outline:
        main:
          image:
            repository: outlinewiki/outline
-            tag: 1.5.0
+            tag: 1.6.0
            pullPolicy: IfNotPresent
          env:
            - name: NODE_ENV
--- a/clusters/cl01tl/helm/plex/values.yaml
+++ b/clusters/cl01tl/helm/plex/values.yaml
@@ -9,7 +9,7 @@ plex:
        main:
          image:
            repository: ghcr.io/linuxserver/plex
-            tag: 1.43.0@sha256:79dfc89947410ec120a3e34cf68f746f6f154de20772e6f27b9998ca9bd65a5e
+            tag: 1.43.0@sha256:84f8646e799f6636876ab4f283d9fc8f6c51d56098ea74cba82bfb85074b68df
            pullPolicy: IfNotPresent
          env:
            - name: TZ
--- a/clusters/cl01tl/helm/site-documentation/values.yaml
+++ b/clusters/cl01tl/helm/site-documentation/values.yaml
@@ -11,7 +11,7 @@ site-documentation:
        main:
          image:
            repository: harbor.alexlebens.net/images/site-documentation
-            tag: 0.2.0
+            tag: 0.3.0
            pullPolicy: IfNotPresent
          resources:
            requests:
--- a/clusters/cl01tl/helm/tdarr/values.yaml
+++ b/clusters/cl01tl/helm/tdarr/values.yaml
@@ -165,6 +165,7 @@ tdarr:
 tdarr-exporter:
  image:
    name: homeylab/tdarr-exporter
    # renovate: datasource=docker depName=homeylab/tdarr-exporter
    tag: 1.4.2
  metrics:
    serviceMonitor:
--- a/clusters/cl01tl/helm/trivy/Chart.lock
+++ b/clusters/cl01tl/helm/trivy/Chart.lock
@@ -0,0 +1,6 @@
 dependencies:
 - name: trivy-operator
  repository: https://aquasecurity.github.io/helm-charts/
  version: 0.32.1
 digest: sha256:7e25850fc3115f52e6c65151c76668929eee6713228e935862d9f156397c2ede
 generated: "2026-03-15T17:21:41.373519-05:00"
--- a/clusters/cl01tl/helm/trivy/Chart.yaml
+++ b/clusters/cl01tl/helm/trivy/Chart.yaml
@@ -0,0 +1,23 @@
 apiVersion: v2
 name: trivy
 version: 1.0.0
 description: Trivy
 keywords:
  - trivy
  - vulnerability
  - monitoring
  - kubernetes
 home: https://wiki.alexlebens.dev/s/
 sources:
  - https://github.com/aquasecurity/trivy
  - https://github.com/aquasecurity/trivy-operator
  - https://github.com/aquasecurity/trivy-operator/tree/main/deploy/helm
 maintainers:
  - name: alexlebens
 dependencies:
  - name: trivy-operator
    version: 0.32.1
    repository: https://aquasecurity.github.io/helm-charts/
 icon: https://raw.githubusercontent.com/aquasecurity/trivy/main/docs/imgs/logo.png
 # renovate: github=aquasecurity/trivy
 appVersion: 0.32.1
--- a/clusters/cl01tl/helm/trivy/templates/namespace.yaml
+++ b/clusters/cl01tl/helm/trivy/templates/namespace.yaml
@@ -0,0 +1,11 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: trivy
  labels:
    app.kubernetes.io/name: trivy
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
--- a/clusters/cl01tl/helm/trivy/values.yaml
+++ b/clusters/cl01tl/helm/trivy/values.yaml
@@ -0,0 +1,87 @@
 trivy-operator:
  targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
  operator:
    replicas: 1
    scanJobsConcurrentLimit: 3
    vulnerabilityScannerEnabled: true
    sbomGenerationEnabled: true
    clusterSbomCacheEnabled: true
    configAuditScannerEnabled: true
    rbacAssessmentScannerEnabled: true
    infraAssessmentScannerEnabled: true
    clusterComplianceEnabled: false
    vulnerabilityScannerScanOnlyCurrentRevisions: true
    accessGlobalSecretsAndServiceAccount: true
    metricsFindingsEnabled: true
    exposedSecretScannerEnabled: true
  serviceMonitor:
    enabled: true
  trivy:
    createConfig: true
    image:
      registry: mirror.gcr.io
      repository: aquasec/trivy
      tag: 0.69.3
    storageClassEnabled: true
    storageClassName: ceph-block
    storageSize: "10Gi"
    registry:
      mirror:
        "registry-1.docker.io": proxy-registry-1.docker.io
        "quay.io": proxy-quay.io
        "registry.k8s.io": proxy-registry.k8s
        "gcr.io": proxy-gcr.io
        "ghcr.io": proxy-ghcr.io
        "hub.docker": proxy-hub.docker
    severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
    slow: true
    resources:
      requests:
        cpu: 100m
        memory: 128M
    supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
    server:
      resources:
        requests:
          cpu: 200m
          memory: 512Mi
      replicas: 1
 nodeCollector:
  volumeMounts:
    - name: var-lib-etcd
      mountPath: /var/lib/etcd
      readOnly: true
    - name: var-lib-kubelet
      mountPath: /var/lib/kubelet
      readOnly: true
    - name: var-lib-kube-scheduler
      mountPath: /var/lib/kube-scheduler
      readOnly: true
    - name: var-lib-kube-controller-manager
      mountPath: /var/lib/kube-controller-manager
      readOnly: true
    - name: etc-kubernetes
      mountPath: /etc/kubernetes
      readOnly: true
    - name: etc-cni-netd
      mountPath: /etc/cni/net.d/
      readOnly: true
  volumes:
    - name: var-lib-etcd
      hostPath:
        path: /var/lib/etcd
    - name: var-lib-kubelet
      hostPath:
        path: /var/lib/kubelet
    - name: var-lib-kube-scheduler
      hostPath:
        path: /var/lib/kube-scheduler
    - name: var-lib-kube-controller-manager
      hostPath:
        path: /var/lib/kube-controller-manager
    - name: etc-kubernetes
      hostPath:
        path: /etc/kubernetes
    - name: etc-cni-netd
      hostPath:
        path: /etc/cni/net.d/
--- a/renovate.json
+++ b/renovate.json
@@ -57,6 +57,9 @@
  "labels": [],
  "prHourlyLimit": 0,
  "prConcurrentLimit": 0,
  "baseBranches": [
    "main"
  ],
  "packageRules": [
    {
      "description": "Label charts",