Update Helm release argo-workflows to v0.46.1

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [rmcrackan/libation](https://github.com/rmcrackan/Libation) | minor | `12.7.5` -> `12.8.0` |

---

### Release Notes

<details>
<summary>rmcrackan/Libation (rmcrackan/libation)</summary>

### [`v12.8.0`](https://github.com/rmcrackan/Libation/releases/tag/v12.8.0): Libation 12.8

[Compare Source](https://github.com/rmcrackan/Libation/compare/v12.7.5...v12.8.0)

- New feature: Add dark mode to Classic
- New setting: Allow users to choose whether Libation imports Audible Plus titles
- New feature [#&#8203;1436](https://github.com/rmcrackan/Libation/issues/1436) : Add "Download split by chapters" context menu item
- Bug fix [#&#8203;1473](https://github.com/rmcrackan/Libation/issues/1473) : Fix LibationCli reusing content licenses
- Bug fix [#&#8203;1470](https://github.com/rmcrackan/Libation/issues/1470) : Fix PDF validation error

Thanks to [@&#8203;Mbucari](https://github.com/Mbucari)

[Libation](https://github.com/rmcrackan/Libation) is a free, open source audible library manager. Decrypt, backup, organize, and search your audible library

I intend to keep Libation free and open source, but if you want to [leave a tip](https://paypal.me/mcrackan?locale.x=en_us), who am I to argue?

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi41LjAiLCJ1cGRhdGVkSW5WZXIiOiI0Mi41LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImltYWdlIl19-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/2219
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

.gitea/workflows/lint-test-docker-pull.yaml

@@ -6,7 +6,6 @@ on:
       - main
     paths:
       - 'hosts/**'
-      - ! 'hosts/archive'
 
 jobs:
   docker-lint:

.gitea/workflows/lint-test-docker-push.yaml

@@ -6,7 +6,6 @@ on:
       - main
     paths:
       - 'hosts/**'
-      - ! 'hosts/archive'
 
 jobs:
   docker-lint:

.gitea/workflows/lint-test-helm-pull.yaml

@@ -6,7 +6,6 @@ on:
       - main
     paths:
       - 'clusters/**'
-      - ! 'clusters/*/archive'
 
 jobs:
   helm-lint:
@@ -32,7 +31,7 @@ jobs:
         uses: azure/setup-helm@v4
         with:
           token: ${{ secrets.GITEA_TOKEN }}
-          version: latest
+          version: v3.19.2
 
       - name: Lint Helm Chart
         if: steps.check-branch-exists.outputs.exists == 'true'
@@ -68,6 +67,11 @@ jobs:
           echo "$CHANGED_CHARTS"
 
           echo "$CHANGED_CHARTS" | while read -r chart; do
+            helm dependency list --max-col-width 120 $chart 2> /dev/null \
+              | tail +2 | head -n -1 \
+              | awk '{ print "helm repo add " $1 " " $3 }' \
+              | while read cmd; do echo "$cmd" | sh; done || true
+
             echo ">> Building dependency for "$chart" ..."
             helm dependency build "$chart"
             echo ">> Linting $chart..."

.gitea/workflows/lint-test-helm-push.yaml

@@ -6,7 +6,6 @@ on:
       - main
     paths:
       - 'clusters/**'
-      - ! 'clusters/*/archive'
 
 jobs:
   helm-lint:
@@ -21,12 +20,10 @@ jobs:
         uses: azure/setup-helm@v4
         with:
           token: ${{ secrets.GITEA_TOKEN }}
-          version: latest
+          version: v3.19.2
 
       - name: Lint Helm Chart
         run: |
-          set -e  # Exit immediately if a command exits with a non-zero status.
-
           TARGET_BRANCH="origin/main"
           echo ">> Target branch for diff is: $TARGET_BRANCH"
 
@@ -56,6 +53,11 @@ jobs:
           echo "$CHANGED_CHARTS"
 
           echo "$CHANGED_CHARTS" | while read -r chart; do
+            helm dependency list --max-col-width 120 $chart 2> /dev/null \
+              | tail +2 | head -n -1 \
+              | awk '{ print "helm repo add " $1 " " $3 }' \
+              | while read cmd; do echo "$cmd" | sh; done || true
+
             echo ">> Building dependency for "$chart" ..."
             helm dependency build "$chart"
             echo ">> Linting $chart..."

.gitea/workflows/render-manifests-automerge.yaml

@@ -0,0 +1,411 @@
+name: render-manifests-automerge
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'clusters/cl01tl/helm/**'
+    types:
+      - closed
+
+env:
+  CLUSTER: cl01tl
+  BASE_BRANCH: manifests
+  BRANCH_NAME_BASE: auto/update-manifests-automerge
+  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
+  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
+
+jobs:
+  render-manifests-automerge:
+    runs-on: ubuntu-js
+    if: ${{ (github.event.pull_request.merged == true) && (contains(github.event.pull_request.labels.*.name, 'automerge')) }}
+    steps:
+      - name: Checkout Main
+        uses: actions/checkout@v6
+        with:
+          path: infrastructure
+          fetch-depth: 0
+
+      - name: Checkout Manifests
+        uses: actions/checkout@v6
+        with:
+          ref: manifests
+          path: infrastructure-manifests
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
+
+      - name: Prepare Manifest Branch
+        id: prepare-manifest-branch
+        run: |
+          cd ${MANIFEST_DIR}
+
+          BRANCH_NAME="${BRANCH_NAME_BASE}-$(date +%Y%m%d%H%M%S)"
+
+          echo ">> Configure git to use gitea-bot as user ..."
+          git config user.name "gitea-bot"
+          git config user.email "gitea-bot@alexlebens.net"
+
+          echo ">> Creating branch ..."
+          git checkout -b $BRANCH_NAME
+
+          echo "----"
+
+          echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITEA_OUTPUT
+
+      - name: Check which Directories have Changes
+        id: check-dir-changes
+        run: |
+          cd ${MAIN_DIR}
+
+          RENDER_DIR=()
+
+          echo ">> Checking for changes from HEAD^..HEAD ..."
+          GIT_DIFF=$(git diff --name-only HEAD^..HEAD | xargs -I {} dirname {} | sort -u | grep "clusters/cl01tl/helm/")
+
+          if [ -n "${GIT_DIFF}" ]; then
+            echo ">> Changes detected:"
+            echo "$GIT_DIFF"
+            for path in $GIT_DIFF; do
+              RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
+            done
+
+          else
+            echo ">> No changes detected"
+
+          fi
+
+          if [ -n "${RENDER_DIR}" ]; then
+            echo ">> Directories to Render:"
+            echo "$(printf "%s\n" "${RENDER_DIR[@]}" | sort -u)"
+
+            echo "----"
+
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+            echo "render-dir<<EOF" >> $GITEA_OUTPUT
+            echo "$(printf "%s\n" "${RENDER_DIR[@]}" | sort -u)" >> $GITEA_OUTPUT
+            echo "EOF" >> $GITEA_OUTPUT
+          else
+            echo "changes-detected=false" >> $GITEA_OUTPUT
+          fi
+
+      - name: Add Repositories
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          for dir in ${RENDER_DIR}; do
+            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
+              | tail +2 | head -n -1 \
+              | awk '{ print "helm repo add " $1 " " $3 }' \
+              | while read cmd; do echo "$cmd" | sh; done || true
+          done
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Remove Changed Manifest Files
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Remove manfiest files and rebuild from source ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
+
+            echo "$chart_path"
+            rm -rf $chart_path/*
+          done
+
+          echo "----"
+
+      - name: Render Helm Manifests
+        id: render-manifests
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Rendering Manifests ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
+            chart_name=$(basename "$chart_path")
+
+            echo ">> Rendering chart: $chart_name"
+            echo ">> Chart path $chart_path"
+
+            if [ -f "$chart_path/Chart.yaml" ]; then
+              mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
+              OUTPUT_FILE="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/$chart_name.yaml"
+
+              cd $chart_path
+
+              echo ""
+              echo ">> Building helm dependency ..."
+              helm dependency build --skip-refresh
+
+              echo ""
+              echo ">> Linting helm ..."
+              helm lint --namespace "$chart_name"
+
+              echo ""
+              echo ">> Rendering templates ..."
+
+              case "$chart_name" in
+                "stack")
+                  echo ">> Special Rendering for stack ..."
+                  helm template stack ./ --namespace argocd --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "cilium")
+                  echo ">> Special Rendering for cilium ..."
+                  helm template cilium ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "coredns")
+                  echo ">> Special Rendering for coredns ..."
+                  helm template coredns ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "metrics-server")
+                  echo ">> Special Rendering for metrics-server ..."
+                  helm template metrics-server ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "prometheus-operator-crds")
+                  echo ">> Special Rendering for prometheus-operator-crds ..."
+                  helm template prometheus-operator-crds ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                *)
+                  echo ">> Standard Rendering for $chart_name ..."
+                  helm template "$chart_name" ./ --namespace "$chart_name" --include-crds > "$OUTPUT_FILE"
+                  ;;
+              esac
+
+              echo ""
+              echo ">> Manifests for $chart_name rendered to $OUTPUT_FILE"
+              echo ""
+            else
+              echo ""
+              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
+              echo ""
+            fi
+          done
+
+          echo "----"
+
+      - name: Check for Changes
+        id: check-changes
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          if git status --porcelain | grep -q .; then
+            echo ">> Changes detected"
+            git status --porcelain
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+          else
+            echo ">> No changes detected, skipping PR creation"
+            exit 0
+          fi
+
+          echo "----"
+
+      - name: Commit and Push Changes
+        id: commit-push
+        if: steps.check-changes.outputs.changes-detected == 'true'
+        env:
+          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Commiting changes to ${BRANCH_NAME} ..."
+          git add .
+          git commit -m "chore: Update manifests after automerge"
+
+          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
+          echo ">> Pushing changes to $REPO_URL ..."
+          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
+
+          echo "----"
+
+          echo "push=true" >> $GITEA_OUTPUT
+
+      - name: Create Pull Request
+        id: create-pull-request
+        if: steps.commit-push.outputs.push == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
+
+          PAYLOAD=$( jq -n \
+            --arg head "${BRANCH_NAME}" \
+            --arg base "${BASE_BRANCH}" \
+            --arg title "Automated Manifest Update" \
+            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow. This is expected to be automerged." \
+            '{head: $head, base: $base, title: $title, body: $body'} )
+
+          echo ">> Creating PR from branch ${BRANCH_NAME} into ${BASE_BRANCH}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+          echo ">> With Payload of:"
+          echo "$PAYLOAD"
+
+          HTTP_STATUS=$(
+            curl -X POST \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              --data "$PAYLOAD" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "201" ]; then
+            echo ">> Pull Request created successfully!"
+            PR_URL=$(cat response_body.json | jq -r .html_url)
+            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
+            PR_ID=$(cat response_body.json | jq -r .id)
+            echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
+            echo "pull-request-operation=created" >> $GITEA_OUTPUT
+
+          elif [ "$HTTP_STATUS" == "422" ]; then
+            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
+
+          elif [ "$HTTP_STATUS" == "409" ]; then
+            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
+
+          else
+            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
+            exit 1
+          fi
+
+          echo "----"
+
+      - name: Merge Changes
+        id: merge-changes
+        if: steps.commit-push.outputs.push == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
+          PR_ID: ${{ steps.prepare-manifest-branch.outputs.pull-request-id }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_ID}/merge"
+
+          PAYLOAD=$( jq -n \
+            --arg Do "merge" \
+            --arg delete_branch_after_merge "true" \
+            '{Do: $Do, delete_branch_after_merge: $delete_branch_after_merge'} )
+
+          echo ">> Merging PR with ID: ${PR_ID}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+          echo ">> With Payload of:"
+          echo "$PAYLOAD"
+
+          HTTP_STATUS=$(
+            curl -X POST \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              --data "$PAYLOAD" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "200" ]; then
+            echo ">> Pull Request merged successfully!"
+            echo "pull-request-operation=merged" >> $GITEA_OUTPUT
+
+          else
+            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
+            echo "pull-request-operation=failed" >> $GITEA_OUTPUT
+            exit 1
+          fi
+
+          echo "----"
+
+      - name: Cleanup Branch
+        if: failure()
+        env:
+          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Removing branch: ${BRANCH_NAME}"
+          git push origin --delete ${BRANCH_NAME}
+
+          echo "----"
+
+      - name: ntfy Merged
+        uses: niniyas/ntfy-action@master
+        if: steps.merge-changes.outputs.pull-request-operation == 'merged'
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render PR Merged - Infrastructure"
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: "Automerge Manifest rendering for Infrastructure!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render Failure - Infrastructure"
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: "Automerge Manifest rendering for Infrastructure has failed!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests-automerge.yaml", "clear": true}]'
+          image: true

.gitea/workflows/render-manifests-dispatch.yaml

@@ -0,0 +1,381 @@
+name: render-manifests-dispatch
+
+on:
+  workflow_dispatch:
+
+env:
+  CLUSTER: cl01tl
+  BASE_BRANCH: manifests
+  BRANCH_NAME: auto/update-manifests
+  ASSIGNEE: alexlebens
+  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
+  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
+
+jobs:
+  render-manifests-dispatch:
+    runs-on: ubuntu-js
+    steps:
+      - name: Checkout Main
+        uses: actions/checkout@v6
+        with:
+          path: infrastructure
+          fetch-depth: 0
+
+      - name: Checkout Manifests
+        uses: actions/checkout@v6
+        with:
+          ref: manifests
+          path: infrastructure-manifests
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
+
+      - name: Prepare Manifest Branch
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Configure git to use gitea-bot as user ..."
+          git config user.name "gitea-bot"
+          git config user.email "gitea-bot@alexlebens.net"
+
+          echo ">> Checking if PR branch exists ..."
+          if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
+            echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
+            git fetch origin "${BRANCH_NAME}"
+            git checkout "${BRANCH_NAME}"
+            git pull --rebase
+
+          else
+            echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
+            git checkout -b $BRANCH_NAME
+          fi
+
+          echo "----"
+
+      - name: Check which Directories have Changes
+        id: check-dir-changes
+        run: |
+          cd ${MAIN_DIR}
+
+          RENDER_DIR=()
+
+          echo ">> Triggered on dispatch, will check all paths ..."
+          RENDER_DIR+=$(ls clusters/cl01tl/helm/)
+
+          if [ -n "${RENDER_DIR}" ]; then
+            echo ">> Directories to Render:"
+            echo "$(printf "%s\n" "${RENDER_DIR[@]}" | sort -u)"
+
+            echo "----"
+
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+            echo "render-dir<<EOF" >> $GITEA_OUTPUT
+            echo "$(printf "%s\n" "${RENDER_DIR[@]}" | sort -u)" >> $GITEA_OUTPUT
+            echo "EOF" >> $GITEA_OUTPUT
+          else
+            echo "changes-detected=false" >> $GITEA_OUTPUT
+          fi
+
+      - name: Add Repositories
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          for dir in ${RENDER_DIR}; do
+            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
+              | tail +2 | head -n -1 \
+              | awk '{ print "helm repo add " $1 " " $3 }' \
+              | while read cmd; do echo "$cmd" | sh; done || true
+          done
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Remove Changed Manifest Files
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Remove manfiest files and rebuild from source ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
+
+            echo "$chart_path"
+            rm -rf $chart_path/*
+          done
+
+          echo "----"
+
+      - name: Render Helm Manifests
+        id: render-manifests
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Rendering Manifests ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
+            chart_name=$(basename "$chart_path")
+
+            echo ">> Rendering chart: $chart_name"
+            echo ">> Chart path $chart_path"
+
+            if [ -f "$chart_path/Chart.yaml" ]; then
+              mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
+              OUTPUT_FILE="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/$chart_name.yaml"
+
+              cd $chart_path
+
+              echo ""
+              echo ">> Building helm dependency ..."
+              helm dependency build --skip-refresh
+
+              echo ""
+              echo ">> Linting helm ..."
+              helm lint --namespace "$chart_name"
+
+              echo ""
+              echo ">> Rendering templates ..."
+
+              case "$chart_name" in
+                "stack")
+                  echo ">> Special Rendering for stack ..."
+                  helm template stack ./ --namespace argocd --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "cilium")
+                  echo ">> Special Rendering for cilium ..."
+                  helm template cilium ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "coredns")
+                  echo ">> Special Rendering for coredns ..."
+                  helm template coredns ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "metrics-server")
+                  echo ">> Special Rendering for metrics-server ..."
+                  helm template metrics-server ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "prometheus-operator-crds")
+                  echo ">> Special Rendering for prometheus-operator-crds ..."
+                  helm template prometheus-operator-crds ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                *)
+                  echo ">> Standard Rendering for $chart_name ..."
+                  helm template "$chart_name" ./ --namespace "$chart_name" --include-crds > "$OUTPUT_FILE"
+                  ;;
+              esac
+
+              echo ""
+              echo ">> Manifests for $chart_name rendered to $OUTPUT_FILE"
+              echo ""
+            else
+              echo ""
+              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
+              echo ""
+            fi
+          done
+
+          echo "----"
+
+      - name: Check for Changes
+        id: check-changes
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          if git status --porcelain | grep -q .; then
+            echo ">> Changes detected"
+            git status --porcelain
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+          else
+            echo ">> No changes detected, skipping PR creation"
+            exit 0
+          fi
+
+          echo "----"
+
+      - name: Commit and Push Changes
+        id: commit-push
+        if: steps.check-changes.outputs.changes-detected == 'true'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Commiting changes to ${BRANCH_NAME} ..."
+          git add .
+          git commit -m "chore: Update manifests after change"
+
+          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
+          echo ">> Pushing changes to $REPO_URL ..."
+          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
+
+          echo "----"
+
+          echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
+          echo "push=true" >> $GITEA_OUTPUT
+
+      - name: Check for Pull Request
+        id: check-for-pull-requst
+        if: steps.commit-push.outputs.push == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
+
+          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+
+          HTTP_STATUS=$(
+            curl -X GET \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
+            echo ">> Pull Request has been found open, will update"
+            PR_INDEX=$(cat response_body.json | jq -r .[0].number)
+            echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
+            echo "pull-request-index=true" >> $GITEA_OUTPUT
+
+          elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
+            echo ">> Pull Request found, but was closed"
+            echo "pull-request-exists=false" >> $GITEA_OUTPUT
+
+          else
+            echo ">> Pull Request not found"
+            echo "pull-request-exists=false" >> $GITEA_OUTPUT
+          fi
+
+          echo "----"
+
+      - name: Create Pull Request
+        id: create-pull-request
+        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
+
+          PAYLOAD=$( jq -n \
+            --arg head "${HEAD_BRANCH}" \
+            --arg base "${BASE_BRANCH}" \
+            --arg assignee "${ASSIGNEE}" \
+            --arg title "Automated Manifest Update" \
+            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
+            '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body'} )
+
+          echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+          echo ">> With Payload of:"
+          echo "$PAYLOAD"
+
+          HTTP_STATUS=$(
+            curl -X POST \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              --data "$PAYLOAD" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "201" ]; then
+            echo ">> Pull Request created successfully!"
+            PR_URL=$(cat response_body.json | jq -r .html_url)
+            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
+            PR_ID=$(cat response_body.json | jq -r .id)
+            echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
+            echo "pull-request-operation=created" >> $GITEA_OUTPUT
+
+          elif [ "$HTTP_STATUS" == "422" ]; then
+            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
+
+          elif [ "$HTTP_STATUS" == "409" ]; then
+            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
+
+          else
+            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
+            exit 1
+          fi
+
+          echo "----"
+
+      - name: ntfy Created
+        uses: niniyas/ntfy-action@master
+        if: steps.create-pull-request.outputs.pull-request-operation == 'created'
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render PR Created - Infrastructure"
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render Failure - Infrastructure"
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: "Manifest rendering for Infrastructure has failed!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
+          image: true

.gitea/workflows/render-manifests-merge.yaml

@@ -0,0 +1,400 @@
+name: render-manifests-merge
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'clusters/cl01tl/helm/**'
+    types:
+      - closed
+
+env:
+  CLUSTER: cl01tl
+  BASE_BRANCH: manifests
+  BRANCH_NAME: auto/update-manifests
+  ASSIGNEE: alexlebens
+  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
+  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
+
+jobs:
+  render-manifests-merge:
+    runs-on: ubuntu-js
+    if: ${{ (github.event.pull_request.merged == true) && !(contains(github.event.pull_request.labels.*.name, 'automerge')) }}
+    steps:
+      - name: Checkout Main
+        uses: actions/checkout@v6
+        with:
+          path: infrastructure
+          fetch-depth: 0
+
+      - name: Checkout Manifests
+        uses: actions/checkout@v6
+        with:
+          ref: manifests
+          path: infrastructure-manifests
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
+
+      - name: Prepare Manifest Branch
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Configure git to use gitea-bot as user ..."
+          git config user.name "gitea-bot"
+          git config user.email "gitea-bot@alexlebens.net"
+
+          echo ">> Checking if PR branch exists ..."
+          if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
+            echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
+            git fetch origin "${BRANCH_NAME}"
+            git checkout "${BRANCH_NAME}"
+            git pull --rebase
+
+          else
+            echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
+            git checkout -b $BRANCH_NAME
+          fi
+
+          echo "----"
+
+      - name: Check which Directories have Changes
+        id: check-dir-changes
+        run: |
+          cd ${MAIN_DIR}
+
+          RENDER_DIR=()
+
+          echo ">> Checking for changes ..."
+          GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep "clusters/cl01tl/helm/")
+
+          if [ -n "${GIT_DIFF}" ]; then
+            echo ">> Changes detected:"
+            echo "$GIT_DIFF"
+            for path in $GIT_DIFF; do
+              RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
+            done
+
+          else
+            echo ">> No changes detected"
+
+          fi
+
+          if [ -n "${RENDER_DIR}" ]; then
+            echo ">> Directories to Render:"
+            echo "$(printf "%s\n" "${RENDER_DIR[@]}" | sort -u)"
+
+            echo "----"
+
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+            echo "render-dir<<EOF" >> $GITEA_OUTPUT
+            echo "$(printf "%s\n" "${RENDER_DIR[@]}" | sort -u)" >> $GITEA_OUTPUT
+            echo "EOF" >> $GITEA_OUTPUT
+          else
+            echo "changes-detected=false" >> $GITEA_OUTPUT
+          fi
+
+      - name: Add Repositories
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          for dir in ${RENDER_DIR}; do
+            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
+              | tail +2 | head -n -1 \
+              | awk '{ print "helm repo add " $1 " " $3 }' \
+              | while read cmd; do echo "$cmd" | sh; done || true
+          done
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Remove Changed Manifest Files
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Remove manfiest files and rebuild from source ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
+
+            echo "$chart_path"
+            rm -rf $chart_path/*
+          done
+
+          echo "----"
+
+      - name: Render Helm Manifests
+        id: render-manifests
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Rendering Manifests ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
+            chart_name=$(basename "$chart_path")
+
+            echo ">> Rendering chart: $chart_name"
+            echo ">> Chart path $chart_path"
+
+            if [ -f "$chart_path/Chart.yaml" ]; then
+              mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
+              OUTPUT_FILE="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/$chart_name.yaml"
+
+              cd $chart_path
+
+              echo ""
+              echo ">> Building helm dependency ..."
+              helm dependency build --skip-refresh
+
+              echo ""
+              echo ">> Linting helm ..."
+              helm lint --namespace "$chart_name"
+
+              echo ""
+              echo ">> Rendering templates ..."
+
+              case "$chart_name" in
+                "stack")
+                  echo ">> Special Rendering for stack ..."
+                  helm template stack ./ --namespace argocd --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "cilium")
+                  echo ">> Special Rendering for cilium ..."
+                  helm template cilium ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "coredns")
+                  echo ">> Special Rendering for coredns ..."
+                  helm template coredns ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "metrics-server")
+                  echo ">> Special Rendering for metrics-server ..."
+                  helm template metrics-server ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "prometheus-operator-crds")
+                  echo ">> Special Rendering for prometheus-operator-crds ..."
+                  helm template prometheus-operator-crds ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                *)
+                  echo ">> Standard Rendering for $chart_name ..."
+                  helm template "$chart_name" ./ --namespace "$chart_name" --include-crds > "$OUTPUT_FILE"
+                  ;;
+              esac
+
+              echo ""
+              echo ">> Manifests for $chart_name rendered to $OUTPUT_FILE"
+              echo ""
+            else
+              echo ""
+              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
+              echo ""
+            fi
+          done
+
+          echo "----"
+
+      - name: Check for Changes
+        id: check-changes
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          if git status --porcelain | grep -q .; then
+            echo ">> Changes detected"
+            git status --porcelain
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+          else
+            echo ">> No changes detected, skipping PR creation"
+            exit 0
+          fi
+
+          echo "----"
+
+      - name: Commit and Push Changes
+        id: commit-push
+        if: steps.check-changes.outputs.changes-detected == 'true'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Commiting changes to ${BRANCH_NAME} ..."
+          git add .
+          git commit -m "chore: Update manifests after change"
+
+          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
+          echo ">> Pushing changes to $REPO_URL ..."
+          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
+
+          echo "----"
+
+          echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
+          echo "push=true" >> $GITEA_OUTPUT
+
+      - name: Check for Pull Request
+        id: check-for-pull-requst
+        if: steps.commit-push.outputs.push == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
+
+          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+
+          HTTP_STATUS=$(
+            curl -X GET \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
+            echo ">> Pull Request has been found open, will update"
+            PR_INDEX=$(cat response_body.json | jq -r .[0].number)
+            echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
+            echo "pull-request-index=true" >> $GITEA_OUTPUT
+
+          elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
+            echo ">> Pull Request found, but was closed"
+            echo "pull-request-exists=false" >> $GITEA_OUTPUT
+
+          else
+            echo ">> Pull Request not found"
+            echo "pull-request-exists=false" >> $GITEA_OUTPUT
+          fi
+
+          echo "----"
+
+      - name: Create Pull Request
+        id: create-pull-request
+        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
+
+          PAYLOAD=$( jq -n \
+            --arg head "${HEAD_BRANCH}" \
+            --arg base "${BASE_BRANCH}" \
+            --arg assignee "${ASSIGNEE}" \
+            --arg title "Automated Manifest Update" \
+            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
+            '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body'} )
+
+          echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+          echo ">> With Payload of:"
+          echo "$PAYLOAD"
+
+          HTTP_STATUS=$(
+            curl -X POST \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              --data "$PAYLOAD" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "201" ]; then
+            echo ">> Pull Request created successfully!"
+            PR_URL=$(cat response_body.json | jq -r .html_url)
+            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
+            PR_ID=$(cat response_body.json | jq -r .id)
+            echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
+            echo "pull-request-operation=created" >> $GITEA_OUTPUT
+
+          elif [ "$HTTP_STATUS" == "422" ]; then
+            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
+
+          elif [ "$HTTP_STATUS" == "409" ]; then
+            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
+
+          else
+            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
+            exit 1
+          fi
+
+          echo "----"
+
+      - name: ntfy Created
+        uses: niniyas/ntfy-action@master
+        if: steps.create-pull-request.outputs.pull-request-operation == 'created'
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render PR Created - Infrastructure"
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render Failure - Infrastructure"
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: "Manifest rendering for Infrastructure has failed!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
+          image: true

.gitea/workflows/render-manifests-push.yaml

@@ -0,0 +1,421 @@
+name: render-manifests-push
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'clusters/cl01tl/helm/**'
+
+env:
+  CLUSTER: cl01tl
+  BASE_BRANCH: manifests
+  BRANCH_NAME: auto/update-manifests
+  ASSIGNEE: alexlebens
+  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
+  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
+
+jobs:
+  render-manifests-push:
+    runs-on: ubuntu-js
+    steps:
+      - name: Checkout Main
+        uses: actions/checkout@v6
+        with:
+          path: infrastructure
+          fetch-depth: 0
+
+      - name: Checkout Manifests
+        uses: actions/checkout@v6
+        with:
+          ref: manifests
+          path: infrastructure-manifests
+
+      - name: Check if Commit is from Push
+        id: check-push-type
+        run: |
+          echo "">> Checking if Commit is from Push ..."
+          git checkout ${{ gitea.event.after }}
+          PARENT_COUNT=$(git rev-list --parents -n 1 ${{ gitea.event.after }} | wc -w)
+
+          echo ">> Commit SHA: ${{ gitea.event.after }}"
+          echo ">> Word Count (Parent Count + 1): $PARENT_COUNT"
+
+          if [ $PARENT_COUNT > 1]; do
+            echo "">> Commit detected to be a direct commit to main"
+          fi
+
+          echo "parent-count=$PARENT_COUNT" >> "$GITHUB_OUTPUT"
+
+      - name: Run CI for Direct Pushes Only
+        if: steps.check-push-type.outputs.parent-count == '2'
+        run: |
+          echo "This is a direct push (non-merge). Running CI/Tests in Gitea."
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        if: steps.check-push-type.outputs.parent-count == '2'
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
+
+      - name: Prepare Manifest Branch
+        if: steps.check-push-type.outputs.parent-count == '2'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Configure git to use gitea-bot as user ..."
+          git config user.name "gitea-bot"
+          git config user.email "gitea-bot@alexlebens.net"
+
+          echo ">> Checking if PR branch exists ..."
+          if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
+            echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
+            git fetch origin "${BRANCH_NAME}"
+            git checkout "${BRANCH_NAME}"
+            git pull --rebase
+
+          else
+            echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
+            git checkout -b $BRANCH_NAME
+          fi
+
+          echo "----"
+
+      - name: Check which Directories have Changes
+        id: check-dir-changes
+        if: steps.check-push-type.outputs.parent-count == '2'
+        run: |
+          cd ${MAIN_DIR}
+
+          RENDER_DIR=()
+
+          echo ">> Checking for changes ..."
+          GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep "clusters/cl01tl/helm/")
+
+          if [ -n "${GIT_DIFF}" ]; then
+            echo ">> Changes detected:"
+            echo "$GIT_DIFF"
+            for path in $GIT_DIFF; do
+              RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
+            done
+
+          else
+            echo ">> No changes detected"
+
+          fi
+
+          if [ -n "${RENDER_DIR}" ]; then
+            echo ">> Directories to Render:"
+            echo "$(printf "%s\n" "${RENDER_DIR[@]}" | sort -u)"
+
+            echo "----"
+
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+            echo "render-dir<<EOF" >> $GITEA_OUTPUT
+            echo "$(printf "%s\n" "${RENDER_DIR[@]}" | sort -u)" >> $GITEA_OUTPUT
+            echo "EOF" >> $GITEA_OUTPUT
+          else
+            echo "changes-detected=false" >> $GITEA_OUTPUT
+          fi
+
+      - name: Add Repositories
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          for dir in ${RENDER_DIR}; do
+            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
+              | tail +2 | head -n -1 \
+              | awk '{ print "helm repo add " $1 " " $3 }' \
+              | while read cmd; do echo "$cmd" | sh; done || true
+          done
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Remove Changed Manifest Files
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Remove manfiest files and rebuild from source ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
+
+            echo "$chart_path"
+            rm -rf $chart_path/*
+          done
+
+          echo "----"
+
+      - name: Render Helm Manifests
+        id: render-manifests
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Rendering Manifests ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
+            chart_name=$(basename "$chart_path")
+
+            echo ">> Rendering chart: $chart_name"
+            echo ">> Chart path $chart_path"
+
+            if [ -f "$chart_path/Chart.yaml" ]; then
+              mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
+              OUTPUT_FILE="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/$chart_name.yaml"
+
+              cd $chart_path
+
+              echo ""
+              echo ">> Building helm dependency ..."
+              helm dependency build --skip-refresh
+
+              echo ""
+              echo ">> Linting helm ..."
+              helm lint --namespace "$chart_name"
+
+              echo ""
+              echo ">> Rendering templates ..."
+
+              case "$chart_name" in
+                "stack")
+                  echo ">> Special Rendering for stack ..."
+                  helm template stack ./ --namespace argocd --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "cilium")
+                  echo ">> Special Rendering for cilium ..."
+                  helm template cilium ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "coredns")
+                  echo ">> Special Rendering for coredns ..."
+                  helm template coredns ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "metrics-server")
+                  echo ">> Special Rendering for metrics-server ..."
+                  helm template metrics-server ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                "prometheus-operator-crds")
+                  echo ">> Special Rendering for prometheus-operator-crds ..."
+                  helm template prometheus-operator-crds ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
+                  ;;
+                *)
+                  echo ">> Standard Rendering for $chart_name ..."
+                  helm template "$chart_name" ./ --namespace "$chart_name" --include-crds > "$OUTPUT_FILE"
+                  ;;
+              esac
+
+              echo ""
+              echo ">> Manifests for $chart_name rendered to $OUTPUT_FILE"
+              echo ""
+            else
+              echo ""
+              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
+              echo ""
+            fi
+          done
+
+          echo "----"
+
+      - name: Check for Changes
+        id: check-changes
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          if git status --porcelain | grep -q .; then
+            echo ">> Changes detected"
+            git status --porcelain
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+          else
+            echo ">> No changes detected, skipping PR creation"
+            exit 0
+          fi
+
+          echo "----"
+
+      - name: Commit and Push Changes
+        id: commit-push
+        if: steps.check-changes.outputs.changes-detected == 'true'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Commiting changes to ${BRANCH_NAME} ..."
+          git add .
+          git commit -m "chore: Update manifests after change"
+
+          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
+          echo ">> Pushing changes to $REPO_URL ..."
+          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
+
+          echo "----"
+
+          echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
+          echo "push=true" >> $GITEA_OUTPUT
+
+      - name: Check for Pull Request
+        id: check-for-pull-requst
+        if: steps.commit-push.outputs.push == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
+
+          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+
+          HTTP_STATUS=$(
+            curl -X GET \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
+            echo ">> Pull Request has been found open, will update"
+            PR_INDEX=$(cat response_body.json | jq -r .[0].number)
+            echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
+            echo "pull-request-index=true" >> $GITEA_OUTPUT
+
+          elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
+            echo ">> Pull Request found, but was closed"
+            echo "pull-request-exists=false" >> $GITEA_OUTPUT
+
+          else
+            echo ">> Pull Request not found"
+            echo "pull-request-exists=false" >> $GITEA_OUTPUT
+          fi
+
+          echo "----"
+
+      - name: Create Pull Request
+        id: create-pull-request
+        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
+
+          PAYLOAD=$( jq -n \
+            --arg head "${HEAD_BRANCH}" \
+            --arg base "${BASE_BRANCH}" \
+            --arg assignee "${ASSIGNEE}" \
+            --arg title "Automated Manifest Update" \
+            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
+            '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body'} )
+
+          echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+          echo ">> With Payload of:"
+          echo "$PAYLOAD"
+
+          HTTP_STATUS=$(
+            curl -X POST \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              --data "$PAYLOAD" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "201" ]; then
+            echo ">> Pull Request created successfully!"
+            PR_URL=$(cat response_body.json | jq -r .html_url)
+            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
+            PR_ID=$(cat response_body.json | jq -r .id)
+            echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
+            echo "pull-request-operation=created" >> $GITEA_OUTPUT
+
+          elif [ "$HTTP_STATUS" == "422" ]; then
+            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
+
+          elif [ "$HTTP_STATUS" == "409" ]; then
+            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
+
+          else
+            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
+            exit 1
+          fi
+
+          echo "----"
+
+      - name: ntfy Created
+        uses: niniyas/ntfy-action@master
+        if: steps.create-pull-request.outputs.pull-request-operation == 'created'
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render PR Created - Infrastructure"
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render Failure - Infrastructure"
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: "Manifest rendering for Infrastructure has failed!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
+          image: true

.gitignore

@@ -0,0 +1,3 @@
+/**/archive/
+/**/charts/
+/**/manifests/

clusters/cl01tl/applications/calibre-web-automated/Chart.yaml

@@ -1,21 +0,0 @@
-apiVersion: v2
-name: calibre-web-automated
-version: 1.0.0
-description: Calibre Web Automated
-keywords:
-  - calibre-web-automated
-  - books
-home: https://wiki.alexlebens.dev/s/fdcfdb7e-8f73-438e-b59c-3c2de2081885
-sources:
-  - https://github.com/crocodilestick/Calibre-Web-Automator
-  - https://hub.docker.com/r/crocodilestick/calibre-web-automated
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: calibre-web-automated
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/calibre-web.png
-appVersion: V3.0.4

clusters/cl01tl/applications/calibre-web-automated/templates/external-secret.yaml

@@ -1,78 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: calibre-web-automated-gmail-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: calibre-web-automated-gmail-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: gmail.json
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/calibre-web/gmail
-        metadataPolicy: None
-        property: gmail.json
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: calibre-web-automated-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: calibre-web-automated-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/calibre-web-automated/calibre-web-automated-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/applications/calibre-web-automated/templates/http-route.yaml

@@ -1,58 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-calibre
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-calibre
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - calibre.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: calibre-web-automated-main
-          port: 8083
-          weight: 100
-
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-calibre-downloader
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-calibre-downloader
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - calibre-downloader.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: calibre-web-automated-downloader
-          port: 8084
-          weight: 100

clusters/cl01tl/applications/calibre-web-automated/templates/persistent-volume-claim.yaml

@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: calibre-web-automated-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: calibre-web-automated-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: calibre-web-automated-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: calibre-web-automated-ingest-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: calibre-web-automated-ingest-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: calibre-web-automated-ingest-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi

clusters/cl01tl/applications/calibre-web-automated/templates/persistent-volume.yaml

@@ -1,48 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: calibre-web-automated-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: calibre-web-automated-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/Calibre
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
-
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: calibre-web-automated-ingest-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: calibre-web-automated-ingest-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/Calibre Import
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac

clusters/cl01tl/applications/calibre-web-automated/templates/replication-source.yaml

@@ -1,28 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: calibre-web-automated-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: calibre-web-automated-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: calibre-web-automated-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: calibre-web-automated-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    moverSecurityContext:
-      runAsUser: 1000
-      runAsGroup: 100
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/applications/calibre-web-automated/values.yaml

@@ -1,119 +0,0 @@
-calibre-web-automated:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: crocodilestick/calibre-web-automated
-            tag: V3.0.4
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: US/Central
-            - name: PUID
-              value: 1000
-            - name: PGID
-              value: 100
-          resources:
-            requests:
-              cpu: 10m
-              memory: 256Mi
-    downloader:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: ghcr.io/calibrain/calibre-web-automated-book-downloader
-            tag: latest@sha256:b1296c5edc89eee8742d86392ce40707233671044a454e002821e5c76cd58deb
-            pullPolicy: IfNotPresent
-          env:
-            - name: FLASK_PORT
-              value: 8084
-            - name: UID
-              value: 1000
-            - name: GID
-              value: 100
-            - name: USE_CF_BYPASS
-              value: false
-            - name: CLOUDFLARE_PROXY_URL
-              value: http://localhost:8000
-            - name: INGEST_DIR
-              value: /cwa-book-ingest
-            - name: BOOK_LANGUAGE
-              value: end
-          resources:
-            requests:
-              cpu: 10m
-              memory: 256Mi
-        bypass:
-          image:
-            repository: ghcr.io/sarperavci/cloudflarebypassforscraping
-            tag: latest@sha256:fc8443dd96450ab10ed455a05397c8a17bab89b8408b7cbb6242fa6e4fb9edf5
-            pullPolicy: IfNotPresent
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 8083
-          targetPort: 8083
-          protocol: HTTP
-    downloader:
-      controller: downloader
-      ports:
-        http:
-          port: 8084
-          targetPort: 8084
-          protocol: HTTP
-  persistence:
-    config:
-      forceRename: calibre-web-automated-config
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 5Gi
-      retain: true
-      advancedMounts:
-        main:
-          main:
-            - path: /config
-              readOnly: false
-    gmail:
-      enabled: true
-      type: secret
-      name: calibre-web-automated-gmail-config
-      advancedMounts:
-        main:
-          main:
-            - path: /app/calibre-web/gmail.json
-              readOnly: true
-              mountPropagation: None
-              subPath: gmail.json
-    books:
-      existingClaim: calibre-web-automated-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /calibre-library
-              readOnly: false
-    ingest:
-      existingClaim: calibre-web-automated-ingest-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /cwa-book-ingest
-              readOnly: false
-        downloader:
-          main:
-            - path: /cwa-book-ingest
-              readOnly: false

clusters/cl01tl/deployment/stack/templates/application-set.yaml

@@ -1,57 +0,0 @@
-{{- range $index, $stack := .Values.applicationSet }}
----
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: {{ $stack.name }}
-  namespace: {{ $.Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ $stack.name }}
-    app.kubernetes.io/instance: {{ $stack.name }}
-    app.kubernetes.io/part-of: {{ $.Release.Name }}
-spec:
-  syncPolicy:
-    applicationsSync: create-update
-    preserveResourcesOnDeletion: false
-  generators:
-    - git:
-        repoURL: {{ $.Values.git.repo }}
-        revision: {{ $.Values.git.revision }}
-        directories:
-          - path: "clusters/{{ $.Values.cluster.name }}/{{ $stack.name }}/*"
-  template:
-    metadata:
-      name: '{{ `{{path.basename}}` }}'
-    spec:
-      destination:
-        name: in-cluster
-        namespace: '{{ $stack.namespace | default `{{path.basename}}` }}'
-      project: default
-      revisionHistoryLimit: 3
-      source:
-        repoURL: {{ $.Values.git.repo }}
-        targetRevision: {{ $.Values.git.revision }}
-        path: '{{ `{{path}}` }}'
-        helm:
-          releaseName: "{{ `{{path.basename}}` }}"
-      {{- if $stack.ignoreDifferences }}
-      ignoreDifferences:
-        {{- toYaml $stack.ignoreDifferences | nindent 8 }}
-      {{ end }}
-      syncPolicy:
-        automated:
-          prune: {{ $stack.syncPolicy.automated.prune | default false }}
-          selfHeal: {{ $stack.syncPolicy.automated.selfHeal | default false }}
-        retry:
-          limit: 3
-          backoff:
-            duration: 1m
-            factor: 2
-            maxDuration: 15m
-        syncOptions:
-          - CreateNamespace={{ $stack.syncPolicy.syncOptions.createNamespace | default true }}
-          - ApplyOutOfSyncOnly={{ $stack.syncPolicy.syncOptions.applyOutOfSyncOnly | default true }}
-          - ServerSideApply={{ $stack.syncPolicy.syncOptions.serverSideApply | default true }}
-          - PruneLast={{ $stack.syncPolicy.syncOptions.pruneLast | default true }}
-          - RespectIgnoreDifferences={{ $stack.syncPolicy.syncOptions.respectIgnoreDifferences | default true }}
-{{- end }}

clusters/cl01tl/deployment/stack/values.yaml

@@ -1,112 +0,0 @@
-cluster:
-  name: cl01tl
-git:
-  # repo: git@github.com:alexlebens/infrastructure.git
-  # repo: https://github.com/alexlebens/infrastructure.git
-  repo: http://gitea-http.gitea:3000/alexlebens/infrastructure
-  # repo: ssh://git@gitea-ssh.gitea/alexlebens/infrastructure
-  revision: HEAD
-applicationSet:
-  - name: applications
-    ignoreDifferences:
-      - group: ""
-        kind: Service
-        jqPathExpressions:
-          - .spec.externalName
-    syncPolicy:
-      automated:
-        prune: true
-      syncOptions:
-        serverSideApply: true
-  - name: deployment
-    namespace: argocd
-    syncPolicy:
-      automated:
-        prune: true
-      syncOptions:
-        serverSideApply: true
-  - name: management
-    ignoreDifferences:
-      - group: ""
-        kind: Service
-        jqPathExpressions:
-          - .spec.externalName
-    syncPolicy:
-      automated:
-        prune: true
-      syncOptions:
-        serverSideApply: true
-  - name: monitoring
-    ignoreDifferences:
-      - group: ""
-        kind: Service
-        jqPathExpressions:
-          - .spec.externalName
-      - group: "apps"
-        kind: StatefulSet
-        jqPathExpressions:
-          - .spec.volumeClaimTemplates[]?.apiVersion
-          - .spec.volumeClaimTemplates[]?.kind
-          - .spec.volumeClaimTemplates[]?.metadata.creationTimestamp
-    syncPolicy:
-      automated:
-        prune: true
-      syncOptions:
-        serverSideApply: true
-  - name: platform
-    ignoreDifferences:
-      - group: ""
-        kind: Service
-        jqPathExpressions:
-          - .spec.externalName
-      - group: "apps"
-        kind: StatefulSet
-        jqPathExpressions:
-          - .spec.volumeClaimTemplates[]?.apiVersion
-          - .spec.volumeClaimTemplates[]?.kind
-          - .spec.volumeClaimTemplates[]?.metadata.creationTimestamp
-    syncPolicy:
-      automated:
-        prune: true
-      syncOptions:
-        serverSideApply: true
-  - name: services
-    ignoreDifferences:
-      - group: ""
-        kind: GpuDevicePlugin
-        jqPathExpressions:
-          - .metadata.annotations[]
-      - group: "apps"
-        kind: "Deployment"
-        jsonPointers:
-          - /spec/template/metadata/annotations/checksum~1secret
-          - /spec/template/metadata/annotations/checksum~1secret-core
-          - /spec/template/metadata/annotations/checksum~1secret-jobservice
-          - /spec/template/metadata/annotations/checksum~1tls
-      - group: "apps"
-        kind: "StatefulSet"
-        jsonPointers:
-          - /spec/template/metadata/annotations/checksum~1secret
-          - /spec/template/metadata/annotations/checksum~1tls
-      - group: "apps"
-        kind: StatefulSet
-        jqPathExpressions:
-          - .spec.volumeClaimTemplates[]?.apiVersion
-          - .spec.volumeClaimTemplates[]?.kind
-          - .spec.volumeClaimTemplates[]?.metadata.creationTimestamp
-    syncPolicy:
-      automated:
-        prune: true
-      syncOptions:
-        serverSideApply: true
-  - name: storage
-    ignoreDifferences:
-      - group: ""
-        kind: Service
-        jqPathExpressions:
-          - .spec.externalName
-    syncPolicy:
-      automated:
-        prune: true
-      syncOptions:
-        serverSideApply: true

clusters/cl01tl/helm/actual/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.4.0
+digest: sha256:b5d823171e1b4dc1d3856f782f0c67cbb5d49e4fa170df2f21b06303c7aff7f5
+generated: "2025-11-30T21:05:19.732832-06:00"

clusters/cl01tl/helm/actual/Chart.yaml

@@ -18,4 +18,4 @@ dependencies:
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.4.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
-appVersion: v25.5.0
+appVersion: 25.11.0

clusters/cl01tl/helm/argo-workflows/Chart.lock

@@ -0,0 +1,12 @@
+dependencies:
+- name: argo-workflows
+  repository: https://argoproj.github.io/argo-helm
+  version: 0.46.1
+- name: argo-events
+  repository: https://argoproj.github.io/argo-helm
+  version: 2.4.17
+- name: postgres-cluster
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 6.16.0
+digest: sha256:d1e5e0a31c90bdff093db673f95c0e5f1cb5dfa0b910c21e5ec430a3cc4dd6aa
+generated: "2025-12-03T22:43:33.154562838Z"

clusters/cl01tl/helm/argo-workflows/Chart.yaml

@@ -18,7 +18,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-workflows
-    version: 0.45.28
+    version: 0.46.1
     repository: https://argoproj.github.io/argo-helm
   - name: argo-events
     version: 2.4.17

clusters/cl01tl/helm/argocd/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: argo-cd
+  repository: https://argoproj.github.io/argo-helm
+  version: 9.1.5
+digest: sha256:07f7f6d369af426cdd213ddbc58373a4e5b4f54724efd4612662d7da0315232d
+generated: "2025-12-02T21:27:41.876154-06:00"

clusters/cl01tl/helm/argocd/Chart.yaml

@@ -15,7 +15,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-cd
-    version: 9.1.4
+    version: 9.1.5
     repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 appVersion: 3.0.0

clusters/cl01tl/helm/audiobookshelf/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.4.0
+digest: sha256:f3a9990542f24965fadad0b5493059b78cdc3fae91c8214577fa6f41ca5f7de3
+generated: "2025-11-30T21:05:21.317114-06:00"

clusters/cl01tl/helm/audiobookshelf/values.yaml

@@ -9,7 +9,7 @@ audiobookshelf:
         main:
           image:
             repository: ghcr.io/advplyr/audiobookshelf
-            tag: 2.30.0
+            tag: 2.31.0
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/helm/authentik/Chart.lock

@@ -0,0 +1,12 @@
+dependencies:
+- name: authentik
+  repository: https://charts.goauthentik.io/
+  version: 2025.10.2
+- name: cloudflared
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 1.23.1
+- name: postgres-cluster
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 6.16.0
+digest: sha256:2c3f84ecf3c8cabb7aa7e7e8a1b38cced65156c1e1db9b984154f514c33c9f69
+generated: "2025-12-03T06:02:07.501444093Z"

clusters/cl01tl/helm/authentik/Chart.yaml

@@ -26,7 +26,7 @@ dependencies:
   - name: cloudflared
     alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.23.0
+    version: 1.23.1
   - name: postgres-cluster
     alias: postgres-17-cluster
     version: 6.16.0

clusters/cl01tl/helm/backrest/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.4.0
+digest: sha256:aa797b99d6d8b7aafe142811938408b7f234df6d429a7e076196337cc63876cb
+generated: "2025-12-01T20:25:09.888407-06:00"

clusters/cl01tl/helm/bazarr/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.4.0
+digest: sha256:c6f6d1f2fb9fedf54094920737a6f0bd1a2ab89f0a4122966ca98f6c9d3f11fa
+generated: "2025-11-30T21:05:22.694344-06:00"

clusters/cl01tl/helm/bazarr/values.yaml

@@ -15,7 +15,7 @@ bazarr:
         main:
           image:
             repository: ghcr.io/linuxserver/bazarr
-            tag: 1.5.3@sha256:a42fef2a5ffa1dca8714e12892ba0b8de5c6c513f1bcdb1ffe4143e715cffb45
+            tag: 1.5.3@sha256:ec11e988e8e13411c994a4d9f43ed9b97409aa92c1da54d9f23926c3da7c2032
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/helm/blocky/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.4.0
+digest: sha256:0009729bcf7f1941401b767fd4ae952b7a8d44f80053090b4a9224de912a14ef
+generated: "2025-12-01T20:25:13.511406-06:00"

clusters/cl01tl/helm/blocky/values.yaml

@@ -112,8 +112,6 @@ blocky:
               backrest                        IN      CNAME   traefik-cl01tl
               bazarr                          IN      CNAME   traefik-cl01tl
               booklore                        IN      CNAME   traefik-cl01tl
-              calibre                         IN      CNAME   traefik-cl01tl
-              calibre-downloader              IN      CNAME   traefik-cl01tl
               ceph                            IN      CNAME   traefik-cl01tl
               code-server                     IN      CNAME   traefik-cl01tl
               ephemera                        IN      CNAME   traefik-cl01tl

clusters/cl01tl/helm/booklore/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.4.0
+- name: mariadb-cluster
+  repository: https://helm.mariadb.com/mariadb-operator
+  version: 25.10.2
+digest: sha256:264725306c1d1f38140293c0820abdc7e8aa4f39764b4d91e20200705ce2ec91
+generated: "2025-11-30T21:05:24.649316-06:00"

clusters/cl01tl/helm/booklore/values.yaml

@@ -9,7 +9,7 @@ booklore:
         main:
           image:
             repository: ghcr.io/booklore-app/booklore
-            tag: v1.11.0
+            tag: v1.12.0
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/helm/cert-manager/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.19.1
+digest: sha256:0b1238a5552bc6d457d4b1a2a1f387a3e7f2c19f820ecb64e14d20481a1ed1ce
+generated: "2025-12-01T20:25:17.762628-06:00"

clusters/cl01tl/helm/cilium/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: cilium
+  repository: https://helm.cilium.io/
+  version: 1.18.4
+digest: sha256:e38eb92ee87c9a52b0f45a2451142ade02bac7d484b246d32379eacce3800bc8
+generated: "2025-12-02T17:17:49.043599-06:00"

clusters/cl01tl/helm/cilium/values.yaml

@@ -75,6 +75,7 @@ cilium:
   prometheus:
     enabled: true
     serviceMonitor:
+      trustCRDsExist: true
       enabled: true
   envoy:
     enabled: true

clusters/cl01tl/helm/cloudnative-pg/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: cloudnative-pg
+  repository: https://cloudnative-pg.io/charts/
+  version: 0.26.1
+- name: plugin-barman-cloud
+  repository: https://cloudnative-pg.io/charts/
+  version: 0.3.1
+digest: sha256:b38e5104d77ab1737a27a2542eda958e82038443940f07b7c2cbe3b0a477e1e6
+generated: "2025-12-01T20:25:20.341325-06:00"