Merge pull request 'chore(deps): update cloudflared docker tag to v2.6.0' (#6233) from renovate/unified-cloudflared into main

Reviewed-on: #6233

.gitea/workflows/lint-test-helm.yaml

@@ -169,9 +169,10 @@ jobs:
 
           echo ">> Running linting on changed charts ..."
 
-          for DIR in ${CHANGED_CHARTS}; do
+          lint_chart() {
-            CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
+            local DIR="$1"
-            CHART_NAME=$(basename "${CHART_PATH}")
+            local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
+            local CHART_NAME=$(basename "${CHART_PATH}")
 
             if [ -f "${CHART_PATH}/Chart.yaml" ]; then
               echo ""
@@ -182,15 +183,8 @@ jobs:
               echo ">> Linting helm chart ${CHART_NAME} ..."
 
               if ! helm lint "${CHART_PATH}" --namespace "default"; then
-                EXIT_CODE=1
+                echo "${DIR}" > ".failed_chart_${CHART_NAME}"
-
+                return 1
-                if [ -z "${FAILED_CHARTS}" ]; then
-                  FAILED_CHARTS="${DIR}"
-
-                else
-                  FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
-
-                fi
               fi
 
             else
@@ -198,8 +192,20 @@ jobs:
               echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
 
             fi
+          }
 
-          done
+          export -f lint_chart
+          export CLUSTER
+
+          for DIR in ${CHANGED_CHARTS}; do
+            echo "${DIR}"
+          done | xargs -P 4 -I {} bash -c 'OUT=$(lint_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
+
+          if ls .failed_chart_* 1> /dev/null 2>&1; then
+            EXIT_CODE=1
+            FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
+            rm -f .failed_chart_*
+          fi
 
           echo ""
           echo "----"
@@ -329,8 +335,9 @@ jobs:
           EXIT_CODE=0
           FAILED_CHARTS=""
 
-          for DIR in ${CHANGED_CHARTS}; do
+          validate_chart() {
-            CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
+            local DIR="$1"
+            local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
             echo ""
             echo ">> Validating: ${DIR}"
 
@@ -343,18 +350,23 @@ jobs:
                 -strict \
                 -summary; then
 
+              echo "${DIR}" > ".failed_chart_${DIR}"
+              return 1
+            fi
+          }
+
+          export -f validate_chart
+          export CLUSTER SCHEMA_LOCATIONS
+
+          for DIR in ${CHANGED_CHARTS}; do
+            echo "${DIR}"
+          done | xargs -P 4 -I {} bash -c 'OUT=$(validate_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
+
+          if ls .failed_chart_* 1> /dev/null 2>&1; then
             EXIT_CODE=1
-
+            FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
-              if [ -z "${FAILED_CHARTS}" ]; then
+            rm -f .failed_chart_*
-                FAILED_CHARTS="${DIR}"
-
-              else
-                FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
-
           fi
-            fi
-
-          done
 
           echo ""
           echo "----"

.gitea/workflows/renovate.yaml

@@ -13,7 +13,7 @@ on:
 jobs:
   renovate:
     runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.138.2@sha256:79765b2442117d5c87e17456aa79ae54b4e0e2a4d9212a10508e233706375556
+    container: ghcr.io/renovatebot/renovate:43.141.5@sha256:8fb9e3cfdadc0994fb87f57be624d1c1940c41c1c53c074465caff85a2b6d3a4
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

clusters/cl01tl/helm/actual/Chart.yaml

@@ -18,10 +18,10 @@ dependencies:
     alias: actual
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.6.2
-  # - name: volsync-target
+  - name: volsync-target
-  #   alias: volsync-target-data
+    alias: volsync-target-data
-  #   version: 0.8.0
+    version: 1.0.0
-  #   repository: oci://harbor.alexlebens.net/helm-charts
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
 # renovate: datasource=github-releases depName=actualbudget/actual
 appVersion: 26.4.0

clusters/cl01tl/helm/actual/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/argocd/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 9.5.2
+  version: 9.5.4
-digest: sha256:5d9e6405ee944bf94df6af247164ebb9b8899144853b9a7eafabe8606affe84e
+digest: sha256:3d21f3de99812af73615ef0e75f835d41d49b81a840107194b44e06057d7311f
-generated: "2026-04-19T19:53:40.43789-05:00"
+generated: "2026-04-24T18:07:49.106452954Z"

clusters/cl01tl/helm/argocd/Chart.yaml

@@ -13,8 +13,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-cd
-    version: 9.5.2
+    version: 9.5.4
     repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-cd
-appVersion: v3.3.7
+appVersion: v3.3.8

clusters/cl01tl/helm/argocd/values.yaml

@@ -103,7 +103,7 @@ argo-cd:
       enabled: true
       image:
         repository: haproxy
-        tag: 3.3.6-alpine@sha256:744be2dca649a44d490a4c565d36968d19482dd387f1bdd44c168f4322bc6b1e
+        tag: 3.3.6-alpine@sha256:4f97a2cb7f02fd08402259e74a65ef12fcfa3dff1ef78fddecb5228a17b7f4ad
       resources:
         requests:
           cpu: 5m

clusters/cl01tl/helm/audiobookshelf/Chart.yaml

@@ -24,11 +24,11 @@ dependencies:
     version: 4.6.2
   - name: volsync-target
     alias: volsync-target-config
-    version: 0.8.0
+    version: 1.0.0
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: volsync-target
     alias: volsync-target-metadata
-    version: 0.8.0
+    version: 1.0.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 # renovate: datasource=github-releases depName=advplyr/audiobookshelf

clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml

@@ -15,9 +15,13 @@ spec:
       mergePolicy: Merge
       engineVersion: v2
       data:
-        ntfy-url: "{{ `{{ .endpoint }}` }}/audiobookshelf"
+        ntfy-url: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}"
   data:
     - secretKey: endpoint
       remoteRef:
         key: /cl01tl/ntfy/users/cl01tl
         property: internal-endpoint-credential
+    - secretKey: topic
+      remoteRef:
+        key: /cl01tl/ntfy/topics
+        property: audiobookshelf

clusters/cl01tl/helm/authentik/Chart.lock

@@ -4,12 +4,12 @@ dependencies:
   version: 2026.2.2
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.5.0
+  version: 2.6.0
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 7.11.2
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.6.1
-digest: sha256:22fe4d9ec592aa74cbff5596e8d900f607bd68ea14c7df70a94b4ef76727614d
+digest: sha256:473a1dde30128f861acfb8e0faa09a27c7b192e2ba25dc78dfee6bd41336c225
-generated: "2026-04-13T20:32:12.748342469Z"
+generated: "2026-04-24T21:05:53.141254098Z"

clusters/cl01tl/helm/authentik/Chart.yaml

@@ -22,7 +22,7 @@ dependencies:
     repository: https://charts.goauthentik.io/
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.5.0
+    version: 2.6.0
   - name: postgres-cluster
     alias: postgres-18-cluster
     version: 7.11.2

clusters/cl01tl/helm/authentik/templates/ingress.yaml

@@ -5,8 +5,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}-tailscale
-    tailscale.com/proxy-class: no-metrics
     {{- include "custom.labels" . | nindent 4 }}
+    tailscale.com/proxy-class: no-metrics
   annotations:
     tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
 spec:
@@ -25,4 +25,4 @@ spec:
               service:
                 name: authentik-server
                 port:
-                  number: 80
+                  name: http

clusters/cl01tl/helm/blocky/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/cilium/templates/http-route.yaml

@@ -20,8 +20,6 @@ spec:
           type: PathPrefix
           value: /
       backendRefs:
-        - group: ''
+        - kind: Service
-          kind: Service
           name: hubble-ui
           port: 80
-          weight: 100

clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/coredns/Chart.yaml

@@ -17,4 +17,4 @@ dependencies:
     repository: https://coredns.github.io/helm
 icon: https://raw.githubusercontent.com/coredns/coredns.io/refs/heads/master/static/images/favicon.png
 # renovate: datasource=github-releases depName=coredns/coredns
-appVersion: v1.14.2
+appVersion: v1.14.3

clusters/cl01tl/helm/coredns/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/dawarich/Chart.yaml

@@ -22,7 +22,7 @@ dependencies:
     version: 4.6.2
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 7.11.2
+    version: 7.12.1
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: valkey
     alias: valkey

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml

@@ -1,16 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: synology-iscsi-config-secret
+  name: synology-iscsi-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: synology-iscsi-config-secret
+    app.kubernetes.io/name: synology-iscsi-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: driver-config-file.yaml
       remoteRef:

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml

@@ -1,11 +1,10 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: democratic-csi-synology-iscsi
+  name: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: democratic-csi-synology-iscsi
+    app.kubernetes.io/name: {{ .Release.Namespace }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml

@@ -3,7 +3,7 @@ democratic-csi:
     image:
       registry: ghcr.io/democratic-csi/democratic-csi
       tag: v1.9.5@@sha256:fc3b7d7ed3a616714139525075312758e23a5d425ffb539ad12c9bd20fb6001f
-    existingConfigSecret: synology-iscsi-config-secret
+    existingConfigSecret: synology-iscsi-config
     config:
       driver: synology-iscsi
     resources:

clusters/cl01tl/helm/descheduler/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/directus/Chart.yaml

@@ -5,7 +5,7 @@ description: Directus
 keywords:
   - directus
   - content-management-system
-home: https://docs.alexlebens.dev/applications/descheduler/
+home: https://docs.alexlebens.dev/applications/directus/
 sources:
   - https://github.com/directus/directus
   - https://github.com/directus/directus/pkgs/container/directus

clusters/cl01tl/helm/directus/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/directus/templates/external-secret.yaml

@@ -5,13 +5,20 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
+    - secretKey: key
+      remoteRef:
+        key: /cl01tl/directus/key
+        property: key
+    - secretKey: secret
+      remoteRef:
+        key: /cl01tl/directus/key
+        property: secret
     - secretKey: admin-email
       remoteRef:
         key: /cl01tl/directus/config
@@ -20,38 +27,6 @@ spec:
       remoteRef:
         key: /cl01tl/directus/config
         property: admin-password
-    - secretKey: secret
-      remoteRef:
-        key: /cl01tl/directus/config
-        property: secret
-    - secretKey: key
-      remoteRef:
-        key: /cl01tl/directus/config
-        property: key
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-oidc-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-oidc-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: OIDC_CLIENT_ID
-      remoteRef:
-        key: /authentik/oidc/directus
-        property: client
-    - secretKey: OIDC_CLIENT_SECRET
-      remoteRef:
-        key: /authentik/oidc/directus
-        property: secret
 
 ---
 apiVersion: external-secrets.io/v1
@@ -61,18 +36,67 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-metric-token
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: metric-token
       remoteRef:
         key: /cl01tl/directus/metrics
         property: metric-token
 
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-valkey-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-valkey-config
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: user
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: user
+    - secretKey: password
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: password
+    - secretKey: default
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: password
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-oidc-authentik
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-oidc-authentik
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: OIDC_CLIENT_ID
+      remoteRef:
+        key: /cl01tl/authentik/oidc/directus
+        property: client
+    - secretKey: OIDC_CLIENT_SECRET
+      remoteRef:
+        key: /cl01tl/authentik/oidc/directus
+        property: secret
+
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -81,12 +105,11 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-bucket-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
@@ -100,31 +123,3 @@ spec:
       remoteRef:
         key: /garage/home-infra/directus-assets
         property: ACCESS_REGION
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-valkey-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-valkey-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: default
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: password
-    - secretKey: user
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: user
-    - secretKey: password
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: password

clusters/cl01tl/helm/directus/values.yaml

@@ -113,12 +113,12 @@ directus:
             - name: AUTH_AUTHENTIK_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: directus-oidc-secret
+                  name: directus-oidc-authentik
                   key: OIDC_CLIENT_ID
             - name: AUTH_AUTHENTIK_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: directus-oidc-secret
+                  name: directus-oidc-authentik
                   key: OIDC_CLIENT_SECRET
             - name: AUTH_AUTHENTIK_SCOPE
               value: openid profile email

clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/element-web/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 1.4.34
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.5.0
+  version: 2.6.0
-digest: sha256:8640b8a250bdcd9e7561e3d28538ccf4644a7159a035ee0a5fdbcf71dc5b2bbe
+digest: sha256:e988be9f997351a8f658bf5151ec4fb04ae7d877389c9bf01b7331e1a58005ef
-generated: "2026-04-10T01:17:19.932208699Z"
+generated: "2026-04-24T21:06:15.882448748Z"

clusters/cl01tl/helm/element-web/Chart.yaml

@@ -19,7 +19,7 @@ dependencies:
     repository: https://ananace.gitlab.io/charts
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.5.0
+    version: 2.6.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
 # renovate: datasource=github-releases depName=element-hq/element-web
 appVersion: v1.12.15

clusters/cl01tl/helm/element-web/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/eraser/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/excalidraw/Chart.yaml

@@ -5,7 +5,7 @@ description: Excalidraw
 keywords:
   - excalidraw
   - drawing
-home: https://docs.alexlebens.dev/applications/eraser/
+home: https://docs.alexlebens.dev/applications/excalidraw/
 sources:
   - https://github.com/excalidraw/excalidraw
   - https://hub.docker.com/r/excalidraw/excalidraw
@@ -19,4 +19,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/excalidraw.png
 # renovate: datasource=github-releases depName=excalidraw/excalidraw
-appVersion: v0.18.0
+appVersion: v0.18.1

clusters/cl01tl/helm/excalidraw/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/external-dns/Chart.yaml

@@ -5,7 +5,7 @@ description: External DNS
 keywords:
   - external-dns
   - dns
-home: https://docs.alexlebens.dev/applications/eraser/
+home: https://docs.alexlebens.dev/applications/external-dns/
 sources:
   - https://github.com/kubernetes-sigs/external-dns
   - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fexternal-dns%2Fexternal-dns

clusters/cl01tl/helm/external-dns/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/external-dns/templates/dns-endpoint.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: external-device-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Unifi UDM
@@ -48,8 +47,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: iot-device-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Airgradient
@@ -82,6 +80,18 @@ spec:
       recordType: A
       targets:
         - 10.230.0.100
+    # HD Homerun
+    - dnsName: dv01hr.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.72
+    # Pi KVM
+    - dnsName: dv02kv.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.71
 
 ---
 apiVersion: externaldns.k8s.io/v1alpha1
@@ -91,8 +101,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: server-host-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Unifi Gateway
@@ -125,6 +134,18 @@ spec:
       recordType: A
       targets:
         - 10.232.1.52
+    # Desktop
+    - dnsName: pd05wd.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.230.0.115
+    # Laptop
+    - dnsName: pl02mc.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.230.0.105
 
 ---
 apiVersion: externaldns.k8s.io/v1alpha1
@@ -134,8 +155,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: cluster-service-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Treafik Proxy

clusters/cl01tl/helm/external-dns/templates/external-secret.yaml

@@ -5,14 +5,13 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: external-dns-unifi-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: api-key
       remoteRef:
-        key: /unifi/auth/cl01tl
+        key: /unifi/users/cl01tl
         property: api-key

clusters/cl01tl/helm/external-secrets/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: external-secrets
   repository: https://charts.external-secrets.io
-  version: 2.3.0
+  version: 2.4.0
-digest: sha256:fedb79c937be24d4bb72f665122b468b445de95f3f02de419903e3136186e42f
+digest: sha256:a31b4ba5b5ec296036576c8d7d26f8b42061eec7142817f9ca0c256a457a2ea1
-generated: "2026-04-10T15:10:52.488487421Z"
+generated: "2026-04-24T19:03:31.856576444Z"

clusters/cl01tl/helm/external-secrets/Chart.yaml

@@ -14,8 +14,8 @@ sources:
 dependencies:
   - name: external-secrets
     alias: external-secrets
-    version: 2.3.0
+    version: 2.4.0
     repository: https://charts.external-secrets.io
 icon: https://raw.githubusercontent.com/external-secrets/external-secrets/refs/heads/main/assets/eso-logo-large.png
 # renovate: datasource=github-releases depName=external-secrets/external-secrets
-appVersion: v2.3.0
+appVersion: v2.4.0

clusters/cl01tl/helm/external-secrets/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml

@@ -5,13 +5,12 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: system:auth-delegator
 subjects:
   - kind: ServiceAccount
-    name: external-secrets
+    name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}

clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   provider:
     vault:
@@ -26,8 +25,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: openbao
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   provider:
     vault:
@@ -39,7 +37,7 @@ spec:
           mountPath: kubernetes
           role: external-secrets
           serviceAccountRef:
-            name: external-secrets
+            name: {{ .Release.Name }}
-            namespace: {{ .Release.Name }}
+            namespace: {{ .Release.Namespace }}
             audiences:
               - openbao

clusters/cl01tl/helm/external-secrets/values.yaml

@@ -2,7 +2,7 @@ external-secrets:
   replicaCount: 3
   image:
     repository: ghcr.io/external-secrets/external-secrets
-    tag: v2.3.0@sha256:c425f51f422506c380550ad32fbf155412c7be84dd1c4b196130dcf04497be80
+    tag: v2.4.0@sha256:d2b74514f63f5b55360d08351f1fe5af3b1db794a81fa10389abe2ff2999c566
   installCRDs: true
   crds:
     createClusterExternalSecret: true
@@ -29,7 +29,7 @@ external-secrets:
   webhook:
     image:
       repository: ghcr.io/external-secrets/external-secrets
-      tag: v2.3.0@sha256:c425f51f422506c380550ad32fbf155412c7be84dd1c4b196130dcf04497be80
+      tag: v2.4.0@sha256:d2b74514f63f5b55360d08351f1fe5af3b1db794a81fa10389abe2ff2999c566
     resources:
       requests:
         cpu: 1m
@@ -37,7 +37,7 @@ external-secrets:
   certController:
     image:
       repository: ghcr.io/external-secrets/external-secrets
-      tag: v2.3.0@sha256:c425f51f422506c380550ad32fbf155412c7be84dd1c4b196130dcf04497be80
+      tag: v2.4.0@sha256:d2b74514f63f5b55360d08351f1fe5af3b1db794a81fa10389abe2ff2999c566
     resources:
       requests:
         cpu: 1m

clusters/cl01tl/helm/foldergram/Chart.lock

@@ -4,9 +4,9 @@ dependencies:
   version: 4.6.2
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.5.0
+  version: 2.6.0
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.8.0
-digest: sha256:06e321d19ffe0df94b3cd6bcc306804729710f74ca2f9962652628377836c33e
+digest: sha256:d7d18929b42e955a885d29bc6d670fd115ded725318673a0906b726581dca9c6
-generated: "2026-04-11T15:26:16.743784-05:00"
+generated: "2026-04-24T21:06:36.001492023Z"

clusters/cl01tl/helm/foldergram/Chart.yaml

@@ -21,7 +21,7 @@ dependencies:
     version: 4.6.2
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.5.0
+    version: 2.6.0
   - name: volsync-target
     alias: volsync-target-db
     version: 0.8.0

clusters/cl01tl/helm/foldergram/templates/_helpers.tpl

@@ -0,0 +1,21 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.storageNfsName" -}}
+foldergram-pictures-collections-nfs-storage
+{{- end -}}

clusters/cl01tl/helm/foldergram/templates/persistent-volume-claim.yaml

@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: foldergram-pictures-collections-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: foldergram-pictures-collections-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: foldergram-pictures-collections-nfs-storage
+  volumeName: {{ include "custom.storageNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/foldergram/templates/persistent-volume.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: foldergram-pictures-collections-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: foldergram-pictures-collections-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/foldergram/values.yaml

@@ -70,7 +70,7 @@ foldergram:
       forceRename: foldergram-data
       storageClass: synology-iscsi-delete
       accessMode: ReadWriteOnce
-      size: 250Gi
+      size: 500Gi
       advancedMounts:
         main:
           main:

clusters/cl01tl/helm/freshrss/Chart.lock

@@ -4,12 +4,12 @@ dependencies:
   version: 4.6.2
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.5.0
+  version: 2.6.0
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 7.11.2
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.8.0
-digest: sha256:2a13aac2d207555bf33ee01db493d210e860e660433cd6f5b9b67fadf91f8f74
+digest: sha256:f53cff62f0241d3bdc5b3711727502bf4fea76734c66987c68d36f0c52f7d4f1
-generated: "2026-04-10T01:17:32.585138713Z"
+generated: "2026-04-24T21:06:58.744576776Z"

clusters/cl01tl/helm/freshrss/Chart.yaml

@@ -22,7 +22,7 @@ dependencies:
     version: 4.6.2
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.5.0
+    version: 2.6.0
   - name: postgres-cluster
     alias: postgres-18-cluster
     version: 7.11.2

clusters/cl01tl/helm/freshrss/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/freshrss/templates/external-secret.yaml

@@ -1,54 +1,52 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: freshrss-install-secret
+  name: freshrss-install-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: freshrss-install-secret
+    app.kubernetes.io/name: freshrss-install-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: ADMIN_EMAIL
       remoteRef:
         key: /cl01tl/freshrss/config
-        property: ADMIN_EMAIL
+        property: admin-email
     - secretKey: ADMIN_PASSWORD
       remoteRef:
         key: /cl01tl/freshrss/config
-        property: ADMIN_PASSWORD
+        property: admin-password
     - secretKey: ADMIN_API_PASSWORD
       remoteRef:
         key: /cl01tl/freshrss/config
-        property: ADMIN_API_PASSWORD
+        property: admin-api-password
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: freshrss-oidc-secret
+  name: freshrss-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: freshrss-oidc-secret
+    app.kubernetes.io/name: freshrss-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
-        key: /authentik/oidc/freshrss
+        key: /cl01tl/authentik/oidc/freshrss
         property: client
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
-        key: /authentik/oidc/freshrss
+        key: /cl01tl/authentik/oidc/freshrss
         property: secret
     - secretKey: OIDC_CLIENT_CRYPTO_KEY
       remoteRef:
-        key: /authentik/oidc/freshrss
+        key: /cl01tl/freshrss/key
-        property: crypto-key
+        property: oidc-client-crypto-key

clusters/cl01tl/helm/freshrss/values.yaml

@@ -73,9 +73,9 @@ freshrss:
               value: preferred_username
           envFrom:
             - secretRef:
-                name: freshrss-oidc-secret
+                name: freshrss-oidc-authentik
             - secretRef:
-                name: freshrss-install-secret
+                name: freshrss-install-config
           resources:
             requests:
               cpu: 1m

clusters/cl01tl/helm/garage/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/garage/templates/external-secret.yaml

@@ -1,26 +1,25 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: garage-token-secret
+  name: garage-token
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: garage-token-secret
+    app.kubernetes.io/name: garage-token
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: GARAGE_RPC_SECRET
       remoteRef:
-        key: /cl01tl/garage/token
+        key: /cl01tl/garage/config
-        property: rpc
+        property: rpc-secret
     - secretKey: GARAGE_ADMIN_TOKEN
       remoteRef:
-        key: /cl01tl/garage/token
+        key: /cl01tl/garage/config
-        property: admin
+        property: admin-token
     - secretKey: GARAGE_METRICS_TOKEN
       remoteRef:
-        key: /cl01tl/garage/token
+        key: /cl01tl/garage/config
-        property: metric
+        property: metrics-token

clusters/cl01tl/helm/garage/templates/service.yaml

@@ -6,8 +6,7 @@ metadata:
   labels:
     app.kubernetes.io/name: garage-main
     app.kubernetes.io/service: garage-main
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   ports:
     - name: admin
@@ -27,6 +26,6 @@ spec:
       protocol: TCP
       targetPort: 3902
   selector:
-    app.kubernetes.io/instance: garage
     app.kubernetes.io/name: garage
+    app.kubernetes.io/instance: garage
     garage-type: server

clusters/cl01tl/helm/garage/values.yaml

@@ -24,7 +24,7 @@ garage:
             tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
           envFrom:
             - secretRef:
-                name: garage-token-secret
+                name: garage-token
           resources:
             requests:
               cpu: 10m
@@ -53,7 +53,7 @@ garage:
             tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
           envFrom:
             - secretRef:
-                name: garage-token-secret
+                name: garage-token
           resources:
             requests:
               cpu: 10m
@@ -82,7 +82,7 @@ garage:
             tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
           envFrom:
             - secretRef:
-                name: garage-token-secret
+                name: garage-token
           resources:
             requests:
               cpu: 10m
@@ -104,7 +104,7 @@ garage:
             - name: API_ADMIN_KEY
               valueFrom:
                 secretKeyRef:
-                  name: garage-token-secret
+                  name: garage-token
                   key: GARAGE_ADMIN_TOKEN
           resources:
             requests:
@@ -273,7 +273,7 @@ garage:
           scrapeTimeout: 2m
           path: /metrics
           bearerTokenSecret:
-            name: garage-token-secret
+            name: garage-token
             key: GARAGE_METRICS_TOKEN
   route:
     webui:

clusters/cl01tl/helm/gatus/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/gatus/templates/external-secret.yaml

@@ -1,42 +1,40 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gatus-config-secret
+  name: gatus-config
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gatus-config-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: NTFY_TOKEN
       remoteRef:
-        key: /ntfy/user/cl01tl
+        key: /cl01tl/ntfy/users/cl01tl
         property: token
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gatus-oidc-secret
+  name: gatus-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gatus-oidc-secret
+    app.kubernetes.io/name: gatus-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
-        key: /authentik/oidc/gatus
+        key: /cl01tl/authentik/oidc/gatus
         property: client
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
-        key: /authentik/oidc/gatus
+        key: /cl01tl/authentik/oidc/gatus
         property: secret

clusters/cl01tl/helm/gatus/values.yaml

@@ -20,17 +20,17 @@ gatus:
     NTFY_TOKEN:
       valueFrom:
         secretKeyRef:
-          name: gatus-config-secret
+          name: gatus-config
           key: NTFY_TOKEN
     OIDC_CLIENT_ID:
       valueFrom:
         secretKeyRef:
-          name: gatus-oidc-secret
+          name: gatus-oidc-authentik
           key: OIDC_CLIENT_ID
     OIDC_CLIENT_SECRET:
       valueFrom:
         secretKeyRef:
-          name: gatus-oidc-secret
+          name: gatus-oidc-authentik
           key: OIDC_CLIENT_SECRET
     POSTGRES_USER:
       valueFrom:

clusters/cl01tl/helm/generic-device-plugin/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/generic-device-plugin/templates/namespace.yaml

@@ -1,11 +1,10 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: generic-device-plugin
+  name: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: generic-device-plugin
+    app.kubernetes.io/name: {{ .Release.Namespace }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/gitea/Chart.lock

@@ -10,7 +10,7 @@ dependencies:
   version: 0.32.0
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.5.0
+  version: 2.6.0
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 7.11.2
@@ -23,5 +23,5 @@ dependencies:
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.8.0
-digest: sha256:2144d55ea34ba25bd81c1e479ee5cd27097fafb5676b96e63aa0e32ad2868925
+digest: sha256:dfa0fc1af472312073ab23670776cd7c8765ac15c2b3e47bdf511a571ce265a1
-generated: "2026-04-16T20:09:26.031592859Z"
+generated: "2026-04-24T21:07:22.48441382Z"

clusters/cl01tl/helm/gitea/Chart.yaml

@@ -37,7 +37,7 @@ dependencies:
     repository: https://meilisearch.github.io/meilisearch-kubernetes
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.5.0
+    version: 2.6.0
   - name: postgres-cluster
     alias: postgres-18-cluster
     version: 7.11.2

clusters/cl01tl/helm/gitea/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/gitea/templates/config-map.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-custom-templates
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 data:
   header.tmpl: |
     <script defer src="https://rybbit.alexlebens.dev/api/script.js" data-site-id="b515c34a6dcc"></script>

clusters/cl01tl/helm/gitea/templates/external-secret.yaml

@@ -1,64 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
-metadata:
-  name: gitea-admin-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-admin-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: username
-      remoteRef:
-        key: /cl01tl/gitea/auth/admin
-        property: username
-    - secretKey: password
-      remoteRef:
-        key: /cl01tl/gitea/auth/admin
-        property: password
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-oidc-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-oidc-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: secret
-      remoteRef:
-        key: /authentik/oidc/gitea
-        property: secret
-    - secretKey: key
-      remoteRef:
-        key: /authentik/oidc/gitea
-        property: client
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
 metadata:
   name: gitea-runner-secret
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-runner-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: token
       remoteRef:
@@ -69,80 +20,15 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gitea-renovate-secret
+  name: gitea-meilisearch-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gitea-renovate-secret
+    app.kubernetes.io/name: gitea-meilisearch-key
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
-  data:
-    - secretKey: RENOVATE_ENDPOINT
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: RENOVATE_ENDPOINT
-    - secretKey: RENOVATE_GIT_AUTHOR
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: RENOVATE_GIT_AUTHOR
-    - secretKey: RENOVATE_TOKEN
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: RENOVATE_TOKEN
-    - secretKey: RENOVATE_GIT_PRIVATE_KEY
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: id_rsa
-    - secretKey: RENOVATE_GITHUB_COM_TOKEN
-      remoteRef:
-        key: /github/gitea-cl01tl
-        property: token
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-renovate-ssh-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-renovate-ssh-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: config
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: ssh_config
-    - secretKey: id_rsa
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: id_rsa
-    - secretKey: id_rsa.pub
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: id_rsa.pub
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-meilisearch-master-key-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-meilisearch-master-key-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
   target:
     template:
       mergePolicy: Merge
@@ -153,4 +39,27 @@ spec:
     - secretKey: MEILI_MASTER_KEY
       remoteRef:
         key: /cl01tl/gitea/meilisearch
-        property: MEILI_MASTER_KEY
+        property: master-key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-oidc-authentik
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-oidc-authentik
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: secret
+      remoteRef:
+        key: /cl01tl/authentik/oidc/gitea
+        property: secret
+    - secretKey: key
+      remoteRef:
+        key: /cl01tl/authentik/oidc/gitea
+        property: client

clusters/cl01tl/helm/gitea/templates/http-route.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   parentRefs:
     - group: gateway.networking.k8s.io
@@ -21,8 +20,6 @@ spec:
           type: PathPrefix
           value: /
       backendRefs:
-        - group: ''
+        - kind: Service
-          kind: Service
           name: gitea-http
           port: 3000
-          weight: 100

clusters/cl01tl/helm/gitea/templates/ingress.yaml

@@ -1,12 +1,11 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: gitea-tailscale
+  name: {{ .Release.Name }}-tailscale
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gitea-tailscale
+    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     tailscale.com/proxy-class: no-metrics
   annotations:
     tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
@@ -21,7 +20,7 @@ spec:
       http:
         paths:
           - path: /
-            pathType: ImplementationSpecific
+            pathType: Prefix
             backend:
               service:
                 name: gitea-http

clusters/cl01tl/helm/gitea/templates/namespace.yaml

@@ -1,11 +1,10 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: gitea
+  name: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gitea
+    app.kubernetes.io/name: {{ .Release.Namespace }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/gitea/templates/persistent-volume-claim.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-themes-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   volumeMode: Filesystem
   storageClassName: ceph-filesystem

clusters/cl01tl/helm/gitea/templates/service-monitor.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   selector:
     matchLabels:

clusters/cl01tl/helm/gitea/templates/tcp-route.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-ssh
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   parentRefs:
     - group: gateway.networking.k8s.io
@@ -16,8 +15,6 @@ spec:
       sectionName: ssh
   rules:
     - backendRefs:
-        - group: ''
+        - kind: Service
-          kind: Service
           name: gitea-ssh
           port: 22
-          weight: 100

clusters/cl01tl/helm/gitea/values.yaml

@@ -59,7 +59,7 @@ gitea:
     oauth:
       - name: Authentik
         provider: openidConnect
-        existingSecret: gitea-oidc-secret
+        existingSecret: gitea-oidc-authentik
         autoDiscoverUrl: https://auth.alexlebens.dev/application/o/gitea/.well-known/openid-configuration
         iconUrl: https://goauthentik.io/img/icon.png
         scopes: "email profile"
@@ -137,7 +137,7 @@ gitea:
       - name: GITEA__INDEXER__ISSUE_INDEXER_CONN_STR
         valueFrom:
           secretKeyRef:
-            name: gitea-meilisearch-master-key-secret
+            name: gitea-meilisearch-key
             key: ISSUE_INDEXER_CONN_STR
   valkey-cluster:
     enabled: false
@@ -213,7 +213,7 @@ gitea-actions:
       registry: docker.io
       repository: docker
       # renovate: datasource=docker depName=docker
-      tag: 29.4.0-dind@sha256:f80c26212befc1c1988b529495532c6b9180d9b1dab1611f4a1efbe9da8ec821
+      tag: 29.4.1-dind@sha256:c77e5d7912f9b137cc67051fdc2991d8f5ae22c55ddf532bb836dcb693a04940
       extraVolumeMounts:
         - name: docker-vol
           mountPath: /var/lib/docker
@@ -235,7 +235,7 @@ meilisearch:
     MEILI_ENV: production
     MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: true
   auth:
-    existingMasterKeySecret: gitea-meilisearch-master-key-secret
+    existingMasterKeySecret: gitea-meilisearch-key
   persistence:
     enabled: true
     storageClass: ceph-block

clusters/cl01tl/helm/grafana-operator/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/grafana-operator/templates/external-secret.yaml

@@ -1,98 +1,44 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: grafana-auth-secret
+  name: grafana-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grafana-auth-secret
+    app.kubernetes.io/name: grafana-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: admin-user
       remoteRef:
-        key: /cl01tl/grafana/auth
+        key: /cl01tl/grafana/config
         property: admin-user
     - secretKey: admin-password
       remoteRef:
-        key: /cl01tl/grafana/auth
+        key: /cl01tl/grafana/config
         property: admin-password
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: grafana-oauth-secret
+  name: grafana-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grafana-oauth-secret
+    app.kubernetes.io/name: grafana-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: AUTH_CLIENT_ID
       remoteRef:
-        key: /authentik/oidc/grafana
+        key: /cl01tl/authentik/oidc/grafana
         property: client
     - secretKey: AUTH_CLIENT_SECRET
       remoteRef:
-        key: /authentik/oidc/grafana
+        key: /cl01tl/authentik/oidc/grafana
         property: secret
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: grafana-operator-postgresql-18-cluster-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: grafana-operator-postgresql-18-cluster-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        key: /digital-ocean/home-infra/postgres-backups
-        property: access
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        key: /digital-ocean/home-infra/postgres-backups
-        property: secret
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: grafana-operator-postgresql-18-cluster-backup-secret-garage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: grafana-operator-postgresql-18-cluster-backup-secret-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        key: /garage/home-infra/postgres-backups
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        key: /garage/home-infra/postgres-backups
-        property: ACCESS_SECRET_KEY
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        key: /garage/home-infra/postgres-backups
-        property: ACCESS_REGION

clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-ceph
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -24,8 +23,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-coredns
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -43,8 +41,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-etcd
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -62,8 +59,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -81,8 +77,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-loki
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -100,8 +95,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-node-full
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -119,8 +113,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-node-short
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -138,8 +131,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-pods
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -157,8 +149,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-argocd
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -176,8 +167,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-blocky
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -195,8 +185,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-cert-manager
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -214,8 +203,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-cloudnative-pg
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -233,8 +221,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-descheduler
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -252,8 +239,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-external-dns
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -271,8 +257,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-external-secrets
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -290,8 +275,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-gatus
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -309,8 +293,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-operator
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -328,8 +311,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-harbor
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -347,8 +329,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-speedtest-exporter
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -366,8 +347,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-spegel
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -385,8 +365,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-traefik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -404,8 +383,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-tdarr
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -423,8 +401,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-unpoller
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -442,8 +419,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-version-checker-internal
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -461,8 +437,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-version-checker
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -480,8 +455,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-volsync
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -499,8 +473,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-s3
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -518,8 +491,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -537,8 +509,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -556,8 +527,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-ntfy
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -575,8 +545,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-openbao
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -594,8 +563,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-qbittorrent
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -613,8 +581,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-vault
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -632,8 +599,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-unpackerr
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -651,8 +617,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-airgradient
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -670,8 +635,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-server-power-consumption
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -689,8 +653,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-immich
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -708,8 +671,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-jellyfin
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -727,8 +689,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-navidrome
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -746,8 +707,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-radarr
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -765,8 +725,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-servarr
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -784,8 +743,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-sonarr
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:

clusters/cl01tl/helm/grafana-operator/templates/grafana-datasource.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-datasource-prometheus
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   datasource:
     name: Prometheus
@@ -33,8 +32,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-datasource-loki
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   datasource:
     name: Loki

clusters/cl01tl/helm/grafana-operator/templates/grafana-folder.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-folder-application
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -40,8 +39,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-folder-iot
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -75,8 +73,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-folder-platform
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -110,8 +107,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-folder-service
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -145,8 +141,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-folder-system
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:

clusters/cl01tl/helm/grafana-operator/templates/grafana.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-main
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     app: grafana-main
 spec:
   config:
@@ -66,22 +65,22 @@ spec:
                 - name: AUTH_CLIENT_ID
                   valueFrom:
                     secretKeyRef:
-                      name: grafana-oauth-secret
+                      name: grafana-oidc-authentik
                       key: AUTH_CLIENT_ID
                 - name: AUTH_CLIENT_SECRET
                   valueFrom:
                     secretKeyRef:
-                      name: grafana-oauth-secret
+                      name: grafana-oidc-authentik
                       key: AUTH_CLIENT_SECRET
                 - name: ADMIN_USER
                   valueFrom:
                     secretKeyRef:
-                      name: grafana-auth-secret
+                      name: grafana-config
                       key: admin-user
                 - name: ADMIN_PASSWORD
                   valueFrom:
                     secretKeyRef:
-                      name: grafana-auth-secret
+                      name: grafana-config
                       key: admin-password
                 - name: DB_HOST
                   valueFrom:

clusters/cl01tl/helm/grimmory/Chart.yaml

@@ -28,4 +28,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/grimmory.png
 # renovate: datasource=github-releases depName=grimmory-tools/grimmory
-appVersion: v2.3.0
+appVersion: v3.0.0

clusters/cl01tl/helm/grimmory/templates/_helpers.tpl

@@ -0,0 +1,24 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.booksNfsName" -}}
+grimmory-books-nfs-storage
+{{- end -}}
+{{- define "custom.booksImportNfsName" -}}
+grimmory-books-import-nfs-storage
+{{- end -}}

clusters/cl01tl/helm/grimmory/templates/external-secret.yaml

@@ -5,38 +5,17 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grimmory-database-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: password
       remoteRef:
         key: /cl01tl/grimmory/database
         property: password
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: grimmory-data-replication-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: grimmory-data-replication-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: psk.txt
-      remoteRef:
-        key: /cl01tl/grimmory/replication
-        property: psk.txt
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -45,21 +24,20 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grimmory-mariadb-cluster-backup-secret-external
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: access
       remoteRef:
         key: /digital-ocean/home-infra/mariadb-backups
-        property: access
+        property: AWS_ACCESS_KEY_ID
     - secretKey: secret
       remoteRef:
         key: /digital-ocean/home-infra/mariadb-backups
-        property: secret
+        property: AWS_SECRET_ACCESS_KEY
 
 ---
 apiVersion: external-secrets.io/v1
@@ -69,18 +47,17 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grimmory-mariadb-cluster-backup-secret-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: access
       remoteRef:
         key: /garage/home-infra/mariadb-backups
-        property: access
+        property: ACCESS_KEY_ID
     - secretKey: secret
       remoteRef:
         key: /garage/home-infra/mariadb-backups
-        property: secret
+        property: ACCESS_SECRET_KEY

clusters/cl01tl/helm/grimmory/templates/namespace.yaml

@@ -1,13 +1,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: grimmory
+  name: {{ .Release.Namespace }}
-  annotations:
-    volsync.backube/privileged-movers: "true"
   labels:
-    app.kubernetes.io/name: grimmory
+    app.kubernetes.io/name: {{ .Release.Namespace }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    pod-security.kubernetes.io/audit: privileged
-    pod-security.kubernetes.io/enforce: privileged
-    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/grimmory/templates/persistent-volume-claim.yaml

@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: grimmory-books-nfs-storage
+  name: {{ include "custom.booksNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-books-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: grimmory-books-nfs-storage
+  volumeName: {{ include "custom.booksNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -20,14 +19,13 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: grimmory-books-import-nfs-storage
+  name: {{ include "custom.booksImportNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-books-import-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.booksImportNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: grimmory-books-import-nfs-storage
+  volumeName: {{ include "custom.booksImportNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/grimmory/templates/persistent-volume.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: grimmory-books-nfs-storage
+  name: {{ include "custom.booksNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-books-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -26,12 +25,11 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: grimmory-books-import-nfs-storage
+  name: {{ include "custom.booksImportNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-books-import-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.booksImportNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -40,7 +38,7 @@ spec:
   accessModes:
     - ReadWriteMany
   nfs:
-    path: /volume2/Storage/Books Import
+    path: '/volume2/Storage/Books Import'
     server: synologybond.alexlebens.net
   mountOptions:
     - vers=4

clusters/cl01tl/helm/grimmory/values.yaml

@@ -12,7 +12,7 @@ grimmory:
         main:
           image:
             repository: ghcr.io/grimmory-tools/grimmory
-            tag: v2.3.0@sha256:9014247f591074529894f81115ca40f899db697e89f72c2fe91ec530e3f19597
+            tag: v3.0.0@sha256:0130c338d4c1186f2f6b6acdc4a7ee56388dfdab9cb0b9a23ac0fc91b79e7d75
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/harbor/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/harbor/templates/external-secret.yaml

@@ -5,12 +5,11 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: harbor-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: HARBOR_ADMIN_PASSWORD
       remoteRef:
@@ -18,12 +17,12 @@ spec:
         property: admin-password
     - secretKey: secretKey
       remoteRef:
-        key: /cl01tl/harbor/config
+        key: /cl01tl/harbor/key
-        property: secretKey
+        property: secret-key
     - secretKey: CSRF_KEY
       remoteRef:
-        key: /cl01tl/harbor/core
+        key: /cl01tl/harbor/key
-        property: CSRF_KEY
+        property: csrf-key
     - secretKey: secret
       remoteRef:
         key: /cl01tl/harbor/core
@@ -39,24 +38,20 @@ spec:
     - secretKey: JOBSERVICE_SECRET
       remoteRef:
         key: /cl01tl/harbor/jobservice
-        property: JOBSERVICE_SECRET
+        property: secret
     - secretKey: REGISTRY_HTTP_SECRET
       remoteRef:
         key: /cl01tl/harbor/registry
-        property: REGISTRY_HTTP_SECRET
+        property: http-secret
-    - secretKey: REGISTRY_REDIS_PASSWORD
-      remoteRef:
-        key: /cl01tl/harbor/registry
-        property: REGISTRY_REDIS_PASSWORD
     - secretKey: REGISTRY_HTPASSWD
       remoteRef:
         key: /cl01tl/harbor/registry
-        property: REGISTRY_HTPASSWD
+        property: ht-passwd
     - secretKey: REGISTRY_CREDENTIAL_PASSWORD
       remoteRef:
         key: /cl01tl/harbor/registry
-        property: REGISTRY_CREDENTIAL_PASSWORD
+        property: credential-password
     - secretKey: REGISTRY_PASSWD
       remoteRef:
         key: /cl01tl/harbor/registry
-        property: REGISTRY_CREDENTIAL_PASSWORD
+        property: credential-password

clusters/cl01tl/helm/headlamp/templates/_helpers.tpl

@@ -0,0 +1,21 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+ServiceAccount name
+*/}}
+{{- define "custom.serviceAccountName" -}}
+headlamp-admin
+{{- end -}}

clusters/cl01tl/helm/headlamp/templates/cluster-role-binding.yaml

@@ -5,16 +5,15 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: cluster-admin-oidc
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 roleRef:
+  apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cluster-admin
-  apiGroup: rbac.authorization.k8s.io
 subjects:
-  - kind: User
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
     name: https://authentik.alexlebens.net/application/o/headlamp/#alexanderlebens@gmail.com
-    apiGroup: rbac.authorization.k8s.io
   - kind: ServiceAccount
-    name: headlamp-admin
+    name: {{ include "custom.serviceAccountName" . }}
-    namespace: headlamp
+    namespace: {{ .Release.Namespace }}

clusters/cl01tl/helm/headlamp/templates/external-secret.yaml

@@ -1,38 +1,37 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: headlamp-oidc-secret
+  name: headlamp-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: headlamp-oidc-secret
+    app.kubernetes.io/name: headlamp-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
-        key: /authentik/oidc/headlamp
+        key: /cl01tl/authentik/oidc/headlamp
         property: client
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
-        key: /authentik/oidc/headlamp
+        key: /cl01tl/authentik/oidc/headlamp
         property: secret
     - secretKey: OIDC_ISSUER_URL
       remoteRef:
-        key: /authentik/oidc/headlamp
+        key: /cl01tl/authentik/oidc/headlamp
         property: issuer
     - secretKey: OIDC_SCOPES
       remoteRef:
-        key: /authentik/oidc/headlamp
+        key: /cl01tl/authentik/oidc/headlamp
         property: scopes
     - secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_IDP_ISSUER_URL
       remoteRef:
-        key: /authentik/oidc/headlamp
+        key: /cl01tl/authentik/oidc/headlamp
-        property: validator-issuer-url
+        property: issuer
     - secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_CLIENT_ID
       remoteRef:
-        key: /authentik/oidc/headlamp
+        key: /cl01tl/authentik/oidc/headlamp
-        property: validator-client-id
+        property: client

clusters/cl01tl/helm/headlamp/templates/service-account.yaml

@@ -1,9 +1,8 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: headlamp-admin
+  name: {{ include "custom.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: headlamp-admin
+    app.kubernetes.io/name: {{ include "custom.serviceAccountName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}

clusters/cl01tl/helm/headlamp/values.yaml

@@ -10,7 +10,7 @@ headlamp:
         create: false
       externalSecret:
         enabled: true
-        name: headlamp-oidc-secret
+        name: headlamp-oidc-authentik
     watchPlugins: true
   httpRoute:
     enabled: true
@@ -27,11 +27,9 @@ headlamp:
             type: PathPrefix
             value: /
         backendRefs:
-          - group: ''
+          - kind: Service
-            kind: Service
             name: headlamp
             port: 80
-            weight: 100
   resources:
     requests:
       cpu: 1m

clusters/cl01tl/helm/home-assistant/Chart.yaml

@@ -24,4 +24,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/home-assistant.png
 # renovate: datasource=github-releases depName=home-assistant/core
-appVersion: 2026.4.3
+appVersion: 2026.4.4

clusters/cl01tl/helm/home-assistant/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/home-assistant/templates/external-secret.yaml

@@ -1,42 +1,40 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: home-assistant-code-server-password-secret
+  name: home-assistant-code-server-password
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant-code-server-password-secret
+    app.kubernetes.io/name: home-assistant-code-server-password
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: PASSWORD
       remoteRef:
-        key: /cl01tl/home-assistant/code-server/auth
+        key: /cl01tl/home-assistant/code-server
-        property: PASSWORD
+        property: password
     - secretKey: SUDO_PASSWORD
       remoteRef:
-        key: /cl01tl/home-assistant/code-server/auth
+        key: /cl01tl/home-assistant/code-server
-        property: SUDO_PASSWORD
+        property: sudo-password
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: home-assistant-token-secret
+  name: home-assistant-metric-token
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant-token-secret
+    app.kubernetes.io/name: home-assistant-metric-token
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: bearer-token
       remoteRef:
-        key: /cl01tl/home-assistant/auth
+        key: /cl01tl/home-assistant/config
         property: bearer-token

clusters/cl01tl/helm/home-assistant/values.yaml

@@ -12,7 +12,7 @@ home-assistant:
         main:
           image:
             repository: ghcr.io/home-assistant/home-assistant
-            tag: 2026.4.3@sha256:ae0800c81fea16bc1241ce03bddb9c6260566e90f58b09d3e5a629e4f68bdc0b
+            tag: 2026.4.4@sha256:c1e5f0147f4cb51ccb05bb30b62a1269cc1bd48a6274792d3b38a77ab274dfd2
           env:
             - name: TZ
               value: America/Chicago
@@ -23,7 +23,7 @@ home-assistant:
         code-server:
           image:
             repository: ghcr.io/linuxserver/code-server
-            tag: 4.116.0-ls333@sha256:4620adace18935dd6ca79d77e3bc1c379e21875392192f970cf5d6b0fb4aefcd
+            tag: 4.117.0-ls334@sha256:1f384394d473c43ab6a39b2227ba3aa9c95af648ce3a67e1b4da1969c16c7c0d
           env:
             - name: TZ
               value: America/Chicago
@@ -35,7 +35,7 @@ home-assistant:
               value: /config
           envFrom:
             - secretRef:
-                name: home-assistant-code-server-password-secret
+                name: home-assistant-code-server-password
   service:
     main:
       controller: main
@@ -63,7 +63,7 @@ home-assistant:
           scrapeTimeout: 1m
           path: /api/prometheus
           bearerTokenSecret:
-            name: home-assistant-token-secret
+            name: home-assistant-metric-token
             key: bearer-token
   route:
     main: