Update searxng/searxng:latest Docker digest to 6a4ca30 (#2074)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [postgres-cluster](https://github.com/cloudnative-pg/charts) ([source](https://github.com/cloudnative-pg/charts/tree/HEAD/charts/cluster)) | minor | `6.15.0` -> `6.16.0` |

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi41LjAiLCJ1cGRhdGVkSW5WZXIiOiI0Mi41LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImNoYXJ0Il19-->

Reviewed-on: #2058
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

clusters/cl01tl/applications/booklore/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: booklore
+version: 1.0.0
+description: booklore
+keywords:
+  - booklore
+  - books
+home: https://wiki.alexlebens.dev/
+sources:
+  - https://github.com/booklore-app/BookLore
+  - https://github.com/booklore-app/booklore/pkgs/container/booklore
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: booklore
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+  - name: mariadb-cluster
+    version: 25.10.2
+    repository: https://helm.mariadb.com/mariadb-operator
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png
+appVersion: v.1.10.0

clusters/cl01tl/applications/booklore/templates/external-secret.yaml

@@ -0,0 +1,309 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-database-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-database-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/booklore/database
+        metadataPolicy: None
+        property: password
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-config-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-config-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-config"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/digital-ocean
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/digital-ocean
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: AWS_SECRET_ACCESS_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-data-backup-secret-local
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-backup-secret-local
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/garage-local
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/garage-local
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-data-backup-secret-remote
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-backup-secret-remote
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/garage-remote
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/garage-remote
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-data-backup-secret-external
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-backup-secret-external
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/digital-ocean
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/digital-ocean
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: AWS_SECRET_ACCESS_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-mariadb-cluster-backup-secret-external
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-mariadb-cluster-backup-secret-external
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: access
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/mariadb-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/mariadb-backups
+        metadataPolicy: None
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-mariadb-cluster-backup-secret-garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-mariadb-cluster-backup-secret-garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: access
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/mariadb-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/mariadb-backups
+        metadataPolicy: None
+        property: secret

clusters/cl01tl/applications/booklore/templates/http-route.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-booklore
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-booklore
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - booklore.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: booklore
+          port: 80
+          weight: 100

clusters/cl01tl/applications/booklore/templates/persistent-volume-claim.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: booklore-books-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-books-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: booklore-books-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: booklore-books-import-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-books-import-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: booklore-books-import-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/applications/booklore/templates/persistent-volume.yaml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: booklore-books-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-books-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage/Books
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac
+
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: booklore-books-import-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-books-import-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage/Books Import
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/applications/booklore/templates/replication-source.yaml

@@ -0,0 +1,110 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: booklore-config-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-config-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: booklore-config
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: booklore-config-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 10Gi
+
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: booklore-data-backup-source-local
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-backup-source-local
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: booklore-data
+  trigger:
+    schedule: 0 2 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: booklore-data-backup-secret-local
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 10Gi
+
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: booklore-data-backup-source-remote
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-backup-source-remote
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: booklore-data
+  trigger:
+    schedule: 0 3 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: booklore-data-backup-secret-remote
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 10Gi
+
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: booklore-data-backup-source-external
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-backup-source-external
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: booklore-data
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: booklore-data-backup-secret-external
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 10Gi

clusters/cl01tl/applications/booklore/templates/service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: garage-ps10rp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: garage-ps10rp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
+spec:
+  externalName: placeholder
+  type: ExternalName

clusters/cl01tl/applications/booklore/values.yaml

@@ -0,0 +1,155 @@
+booklore:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/booklore-app/booklore
+            tag: v1.10.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: America/Chicago
+            - name: DATABASE_URL
+              value: jdbc:mariadb://booklore-mariadb-cluster-primary.booklore:3306/booklore
+            - name: DATABASE_USERNAME
+              value: booklore
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: booklore-database-secret
+                  key: password
+            - name: BOOKLORE_PORT
+              value: 6060
+            - name: SWAGGER_ENABLED
+              value: false
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 6060
+          protocol: HTTP
+  persistence:
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 5Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /app/data
+              readOnly: false
+    data:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 10Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /data
+              readOnly: false
+    books:
+      existingClaim: booklore-books-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /books
+              readOnly: false
+    books-import:
+      existingClaim: booklore-books-import-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /bookdrop
+              readOnly: false
+mariadb-cluster:
+  mariadb:
+    rootPasswordSecretKeyRef:
+      generate: false
+      name: booklore-database-secret
+      key: password
+    storage:
+      size: 5Gi
+    replicas: 3
+    galera:
+      enabled: true
+  databases:
+    - name: booklore
+      characterSet: utf8
+      collate: utf8_general_ci
+      cleanupPolicy: Delete
+      requeueInterval: 10h
+  users:
+    - name: booklore
+      passwordSecretKeyRef:
+        name: booklore-database-secret
+        key: password
+      host: '%'
+      cleanupPolicy: Delete
+      requeueInterval: 10h
+      retryInterval: 30s
+  grants:
+    - name: booklore
+      privileges:
+        - "ALL PRIVILEGES"
+      database: "booklore"
+      table: "*"
+      username: booklore
+      grantOption: true
+      host: '%'
+      cleanupPolicy: Delete
+      requeueInterval: 10h
+      retryInterval: 30s
+  physicalBackups:
+    - name: backup-external
+      schedule:
+        cron: "0 0 * * 0"
+        suspend: false
+        immediate: true
+      compression: gzip
+      maxRetention: 720h
+      storage:
+        s3:
+          bucket: mariadb-backups-b230a2f5aecf080a4b372c08
+          prefix: cl01tl/booklore
+          endpoint: nyc3.digitaloceanspaces.com
+          region: us-east-1
+          accessKeyIdSecretKeyRef:
+            name: booklore-mariadb-cluster-backup-secret-external
+            key: access
+          secretAccessKeySecretKeyRef:
+            name: booklore-mariadb-cluster-backup-secret-external
+            key: secret
+          tls:
+            enabled: true
+    - name: backup-garage
+      schedule:
+        cron: "0 0 * * *"
+        suspend: false
+        immediate: true
+      compression: gzip
+      maxRetention: 360h
+      storage:
+        s3:
+          bucket: mariadb-backups
+          prefix: cl01tl/booklore
+          endpoint: garage-main.garage:3900
+          region: us-east-1
+          accessKeyIdSecretKeyRef:
+            name: booklore-mariadb-cluster-backup-secret-garage
+            key: access
+          secretAccessKeySecretKeyRef:
+            name: booklore-mariadb-cluster-backup-secret-garage
+            key: secret

clusters/cl01tl/applications/calibre-web-automated/values.yaml

@@ -55,7 +55,7 @@ calibre-web-automated:
         bypass:
           image:
             repository: ghcr.io/sarperavci/cloudflarebypassforscraping
-            tag: latest@sha256:37ef0669d4ffc24b2cea3e0b3be62dc5bf72cad3750fe592483b1398aae810da
+            tag: latest@sha256:53b50a04bc9bc70cac350040a13bb23e9f31de59ca94d50d0bf8e4c50a73c656
             pullPolicy: IfNotPresent
           resources:
             requests:

clusters/cl01tl/applications/directus/values.yaml

@@ -9,7 +9,7 @@ directus:
         main:
           image:
             repository: directus/directus
-            tag: 11.13.2
+            tag: 11.13.3
             pullPolicy: IfNotPresent
           env:
             - name: PUBLIC_URL

clusters/cl01tl/applications/element-web/Chart.yaml

@@ -17,7 +17,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: element-web
-    version: 1.4.23
+    version: 1.4.24
     repository: https://ananace.gitlab.io/charts
   - name: cloudflared
     alias: cloudflared

clusters/cl01tl/applications/element-web/values.yaml

@@ -2,7 +2,7 @@ element-web:
   replicaCount: 1
   image:
     repository: vectorim/element-web
-    tag: v1.12.3
+    tag: v1.12.4
     pullPolicy: IfNotPresent
   defaultServer:
     url: https://matrix.alexlebens.dev

clusters/cl01tl/applications/ephemera/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: ephemera
+version: 1.0.0
+description: ephemera
+keywords:
+  - ephemera
+  - books
+home: https://wiki.alexlebens.dev/
+sources:
+  - https://github.com/OrwellianEpilogue/ephemera
+  - https://github.com/FlareSolverr/FlareSolverr
+  - https://github.com/orwellianepilogue/ephemera/pkgs/container/ephemera
+  - https://github.com/flaresolverr/FlareSolverr/pkgs/container/flaresolverr
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: ephemera
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ephemera.png
+appVersion: 1.3.1

clusters/cl01tl/applications/ephemera/templates/external-secret.yaml

@@ -0,0 +1,101 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: ephemera-key-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ephemera-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/ephemera/config
+        metadataPolicy: None
+        property: key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: ephemera-apprise-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ephemera-apprise-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ntfy-url
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/ephemera/config
+        metadataPolicy: None
+        property: ntfy-url
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: ephemera-config-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ephemera-config-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/ephemera/ephemera-config"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: secret_key

clusters/cl01tl/applications/ephemera/templates/http-route.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-ephemera
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-ephemera
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - ephemera.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: ephemera
+          port: 80
+          weight: 100

clusters/cl01tl/applications/ephemera/templates/persistent-volume-claim.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ephemera-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ephemera-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: ephemera-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/applications/ephemera/templates/persistent-volume.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: ephemera-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ephemera-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage/Books Import
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/applications/ephemera/templates/replication-source.yaml

@@ -0,0 +1,26 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: ephemera-config-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ephemera-config-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: ephemera-config
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: ephemera-config-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 10Gi

clusters/cl01tl/applications/ephemera/values.yaml

@@ -0,0 +1,107 @@
+ephemera:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/orwellianepilogue/ephemera
+            tag: 1.3.1
+            pullPolicy: IfNotPresent
+          env:
+            - name: AA_BASE_URL
+              value: https://annas-archive.org
+            - name: AA_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: ephemera-key-secret
+                  key: key
+            - name: FLARESOLVERR_URL
+              value: http://127.0.0.1:8191
+            - name: LG_BASE_URL
+              value: https://gen.com
+            - name: PUID
+              value: 0
+            - name: PGID
+              value: 0
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+        flaresolverr:
+          image:
+            repository: ghcr.io/flaresolverr/flaresolverr
+            tag: v3.4.5
+            pullPolicy: IfNotPresent
+          env:
+            - name: LOG_LEVEL
+              value: info
+            - name: LOG_HTML
+              value: false
+            - name: CAPTCHA_SOLVER
+              value: none
+            - name: TZ
+              value: America/Chicago
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+        apprise-api:
+          image:
+            repository: caronc/apprise
+            tag: 1.2.2
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+            - name: APPRISE_STORAGE_MODE
+              value: memory
+            - name: APPRISE_STATEFUL_MODE
+              value: disabled
+            - name: APPRISE_WORKER_COUNT
+              value: 1
+            - name: APPRISE_STATELESS_URLS
+              valueFrom:
+                secretKeyRef:
+                  name: ephemera-apprise-config
+                  key: ntfy-url
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 8286
+          protocol: HTTP
+  persistence:
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 5Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /app/data
+              readOnly: false
+    cache:
+      type: emptyDir
+      advancedMounts:
+        main:
+          main:
+            - path: /app/downloads
+              readOnly: false
+    books-import:
+      existingClaim: ephemera-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /app/ingest
+              readOnly: false

clusters/cl01tl/applications/homepage/values.yaml

@@ -76,6 +76,9 @@ homepage:
             - Storage:
                 tab: Services
                 icon: mdi-database-#ffffff
+            - Servarr:
+                tab: Services
+                icon: mdi-multimedia-#ffffff
             - TV Shows:
                 tab: Servarr
                 icon: mdi-television-#ffffff
@@ -85,9 +88,9 @@ homepage:
             - Music:
                 tab: Servarr
                 icon: mdi-music-box-multiple-#ffffff
-            - Services (Servarr):
+            - Books:
                 tab: Servarr
-                icon: mdi-radar-#ffffff
+                icon: mdi-book-open-variant-#ffffff
             - External Services:
                 tab: Bookmarks
                 icon: mdi-cloud-#ffffff
@@ -180,6 +183,12 @@ homepage:
                   href: https://calibre.alexlebens.net
                   siteMonitor: http://calibre-web-automated-main.calibre-web-automated:8083
                   statusStyle: dot
+              - Books (Booklore):
+                  icon: sh-booklore.webp
+                  description: Booklore
+                  href: https://booklore.alexlebens.net
+                  siteMonitor: http://booklore.booklore:80
+                  statusStyle: dot
           - Public:
               - Site:
                   icon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.png
@@ -528,6 +537,44 @@ homepage:
                   href: https://backrest.alexlebens.net
                   siteMonitor: http://backrest.backrest:80
                   statusStyle: dot
+          - Servarr:
+              - qUI:
+                  icon: https://raw.githubusercontent.com/autobrr/qui/8487c818886df9abb2b1456f43b54e0ba180a2bd/web/public/icons.svg
+                  description: qbitorrent
+                  href: https://qui.alexlebens.net
+                  siteMonitor: http://qbittorrent-qui.qbittorrent:80
+                  statusStyle: dot
+                  widget:
+                    type: qbittorrent
+                    url: http://qbittorrent.qbittorrent:8080
+                    enableLeechProgress: true
+              - Prowlarr:
+                  icon: sh-prowlarr.webp
+                  description: Indexers
+                  href: https://prowlarr.alexlebens.net
+                  siteMonitor: http://prowlarr.prowlarr:80
+                  statusStyle: dot
+              - Huntarr:
+                  icon: https://raw.githubusercontent.com/plexguide/Huntarr.io/main/frontend/static/logo/128.png
+                  description: Content upgrader
+                  href: https://huntarr.alexlebens.net
+                  siteMonitor: http://huntarr.huntarr:80
+                  statusStyle: dot
+              - Bazarr:
+                  icon: sh-bazarr.webp
+                  description: Subtitles
+                  href: https://bazarr.alexlebens.net
+                  siteMonitor: http://bazarr.bazarr:80
+                  statusStyle: dot
+              - Tdarr:
+                  icon: sh-tdarr.webp
+                  description: Media transcoding and health checks
+                  href: https://tdarr.alexlebens.net
+                  siteMonitor: http://tdarr-web.tdarr:8265
+                  statusStyle: dot
+                  widget:
+                    type: tdarr
+                    url: http://tdarr-web.tdarr:8265
           - TV Shows:
               - Sonarr:
                   icon: sh-sonarr.webp
@@ -638,50 +685,25 @@ homepage:
                   href: https://slskd.alexlebens.net
                   siteMonitor: http://slskd.slskd:5030
                   statusStyle: dot
-          - Services (Servarr):
+          - Books:
-              - qUI:
+              - Ephemera:
-                  icon: https://raw.githubusercontent.com/autobrr/qui/8487c818886df9abb2b1456f43b54e0ba180a2bd/web/public/icons.svg
+                  icon: sh-ephemera.webp
-                  description: qbitorrent
+                  description: Books
-                  href: https://qui.alexlebens.net
+                  href: https://ephemera.alexlebens.net
-                  siteMonitor: http://qbittorrent-qui.qbittorrent:80
+                  siteMonitor: http://ephemera.ephemera:80
-                  statusStyle: dot
-                  widget:
-                    type: qbittorrent
-                    url: http://qbittorrent.qbittorrent:8080
-                    enableLeechProgress: true
-              - Prowlarr:
-                  icon: sh-prowlarr.webp
-                  description: Indexers
-                  href: https://prowlarr.alexlebens.net
-                  siteMonitor: http://prowlarr.prowlarr:80
-                  statusStyle: dot
-              - Bazarr:
-                  icon: sh-bazarr.webp
-                  description: Indexers
-                  href: https://bazarr.alexlebens.net
-                  siteMonitor: http://bazarr.bazarr:80
-                  statusStyle: dot
-              - Huntarr:
-                  icon: https://raw.githubusercontent.com/plexguide/Huntarr.io/main/frontend/static/logo/128.png
-                  description: Indexers
-                  href: https://huntarr.alexlebens.net
-                  siteMonitor: http://huntarr.huntarr:80
                   statusStyle: dot
               - CWA Downloader:
-                  icon: sh-calibre.webp
+                  icon: sh-cwa-book-downloader.webp
-                  description: Calibre Web Automated Book Downloader
+                  description: Books
                   href: https://calibre-downloader.alexlebens.net
                   siteMonitor: http://calibre-web-automated-downloader.calibre-web-automated:8084
                   statusStyle: dot
-              - Tdarr:
+              - Listenarr:
-                  icon: sh-tdarr.webp
+                  icon: sh-audiobookrequest.webp
-                  description: Media transcoding and health checks
+                  description: Audiobooks
-                  href: https://tdarr.alexlebens.net
+                  href: https://listenarr.alexlebens.net
-                  siteMonitor: http://tdarr-web.tdarr:8265
+                  siteMonitor: http://listenarr.listenarr:80
                   statusStyle: dot
-                  widget:
-                    type: tdarr
-                    url: http://tdarr-web.tdarr:8265
           - Other Homes:
               - Dev:
                   icon: sh-homepage.webp

clusters/cl01tl/applications/listenarr/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: listenarr
+version: 1.0.0
+description: Listenarr
+keywords:
+  - listenarr
+  - audiobooks
+home: https://wiki.alexlebens.dev/
+sources:
+  - https://github.com/therobbiedavis/Listenarr
+  - https://hub.docker.com/r/therobbiedavis/listenarr
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: listenarr
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+appVersion: 0.2.35

clusters/cl01tl/applications/listenarr/templates/http-route.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-listenarr
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-listenarr
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - listenarr.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: listenarr
+          port: 80
+          weight: 100

clusters/cl01tl/applications/listenarr/templates/persistent-volume-claim.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: listenarr-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: listenarr-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: listenarr-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/applications/listenarr/templates/persistent-volume.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: listenarr-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: listenarr-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage/Audiobooks
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/applications/listenarr/values.yaml

@@ -0,0 +1,46 @@
+listenarr:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: therobbiedavis/listenarr
+            tag: canary-0.2.35
+            pullPolicy: IfNotPresent
+          env:
+            - name: LISTENARR_PUBLIC_URL
+              value: https://listenarr.alexlebens.net
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 5000
+          protocol: HTTP
+  persistence:
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 5Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /app/config
+              readOnly: false
+    media:
+      existingClaim: listenarr-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /data
+              readOnly: false

clusters/cl01tl/applications/outline/values.yaml

@@ -9,7 +9,7 @@ outline:
         main:
           image:
             repository: outlinewiki/outline
-            tag: 1.0.1
+            tag: 1.1.0
             pullPolicy: IfNotPresent
           env:
             - name: NODE_ENV

clusters/cl01tl/applications/searxng/values.yaml

@@ -9,7 +9,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:49e149fe5227b8d44c02d0095145ce14a214fbfa9bc44c826d0baa14827d4f4e
+            tag: latest@sha256:6a4ca3058a439d96805b7340ae84dacce6ade5456c24a1dde0bc6415ad76c1c6
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL
@@ -43,7 +43,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:49e149fe5227b8d44c02d0095145ce14a214fbfa9bc44c826d0baa14827d4f4e
+            tag: latest@sha256:6a4ca3058a439d96805b7340ae84dacce6ade5456c24a1dde0bc6415ad76c1c6
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL

clusters/cl01tl/deployment/argocd/Chart.yaml

@@ -15,7 +15,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-cd
-    version: 9.1.2
+    version: 9.1.3
     repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 appVersion: 3.0.0

clusters/cl01tl/deployment/stack/values.yaml

@@ -100,6 +100,11 @@ applicationSet:
       syncOptions:
         serverSideApply: true
   - name: storage
+    ignoreDifferences:
+      - group: ""
+        kind: Service
+        jqPathExpressions:
+          - .spec.externalName
     syncPolicy:
       automated:
         prune: true

clusters/cl01tl/monitoring/loki/Chart.yaml

@@ -16,7 +16,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: loki
-    version: 6.44.0
+    version: 6.46.0
     repository: https://grafana.github.io/helm-charts
   - name: promtail
     version: 6.17.1

clusters/cl01tl/platform/authentik/Chart.yaml

@@ -21,7 +21,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: authentik
-    version: 2025.10.1
+    version: 2025.10.2
     repository: https://charts.goauthentik.io/
   - name: cloudflared
     alias: cloudflared

clusters/cl01tl/platform/gitea/values.yaml

@@ -212,7 +212,7 @@ backup:
         s3-backup:
           image:
             repository: d3fk/s3cmd
-            tag: latest@sha256:4252b3d04c18dc7fec2117259ab5dc0e51cb46b8719e661762222b44f6559189
+            tag: latest@sha256:caccff69634d420705b9f676d69e15d574fb65d1dd475b7412d3bc18df99e00f
             pullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -236,7 +236,7 @@ backup:
         s3-prune:
           image:
             repository: d3fk/s3cmd
-            tag: latest@sha256:4252b3d04c18dc7fec2117259ab5dc0e51cb46b8719e661762222b44f6559189
+            tag: latest@sha256:caccff69634d420705b9f676d69e15d574fb65d1dd475b7412d3bc18df99e00f
             pullPolicy: IfNotPresent
           command:
             - /bin/sh

clusters/cl01tl/platform/ntfy/values.yaml

@@ -9,7 +9,7 @@ ntfy:
         main:
           image:
             repository: binwiederhier/ntfy
-            tag: v2.14.0
+            tag: v2.15.0
             pullPolicy: IfNotPresent
           args: ["serve"]
           env:

clusters/cl01tl/platform/ollama/values.yaml

@@ -22,7 +22,7 @@ ollama:
         main:
           image:
             repository: ollama/ollama
-            tag: 0.12.10
+            tag: 0.12.11
             pullPolicy: IfNotPresent
           env:
             - name: OLLAMA_KEEP_ALIVE
@@ -58,7 +58,7 @@ ollama:
         main:
           image:
             repository: ollama/ollama
-            tag: 0.12.10
+            tag: 0.12.11
             pullPolicy: IfNotPresent
           env:
             - name: OLLAMA_KEEP_ALIVE
@@ -94,7 +94,7 @@ ollama:
         main:
           image:
             repository: ollama/ollama
-            tag: 0.12.10
+            tag: 0.12.11
             pullPolicy: IfNotPresent
           env:
             - name: OLLAMA_KEEP_ALIVE

clusters/cl01tl/platform/qbittorrent/values.yaml

@@ -28,7 +28,7 @@ qbittorrent:
         qbittorrent:
           image:
             repository: ghcr.io/linuxserver/qbittorrent
-            tag: 5.1.2@sha256:a5b277bd1cb098dcba6215ab03ada24c28101ac16022e0e6c1ffed40743d4448
+            tag: 5.1.2@sha256:7034f73a3c6fa4ea40fd67df462939d1665d765231b572523921c98c2db5362e
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/platform/vault/values.yaml

@@ -12,7 +12,7 @@ vault:
     enabled: true
     image:
       repository: hashicorp/vault
-      tag: 1.21.0
+      tag: 1.21.1
     updateStrategyType: "RollingUpdate"
     logLevel: debug
     logFormat: standard
@@ -170,7 +170,7 @@ snapshot:
         snapshot:
           image:
             repository: hashicorp/vault
-            tag: 1.21.0
+            tag: 1.21.1
             pullPolicy: IfNotPresent
           command:
             - /bin/ash
@@ -198,7 +198,7 @@ snapshot:
         s3-backup:
           image:
             repository: d3fk/s3cmd
-            tag: latest@sha256:4252b3d04c18dc7fec2117259ab5dc0e51cb46b8719e661762222b44f6559189
+            tag: latest@sha256:caccff69634d420705b9f676d69e15d574fb65d1dd475b7412d3bc18df99e00f
             pullPolicy: IfNotPresent
           command:
             - /bin/sh

clusters/cl01tl/services/blocky/values.yaml

@@ -111,10 +111,12 @@ blocky:
               authentik                       IN      CNAME   traefik-cl01tl
               backrest                        IN      CNAME   traefik-cl01tl
               bazarr                          IN      CNAME   traefik-cl01tl
+              booklore                        IN      CNAME   traefik-cl01tl
               calibre                         IN      CNAME   traefik-cl01tl
               calibre-downloader              IN      CNAME   traefik-cl01tl
               ceph                            IN      CNAME   traefik-cl01tl
               code-server                     IN      CNAME   traefik-cl01tl
+              ephemera                        IN      CNAME   traefik-cl01tl
               garage-s3                       IN      CNAME   traefik-cl01tl
               garage-webui                    IN      CNAME   traefik-cl01tl
               gatus                           IN      CNAME   traefik-cl01tl
@@ -135,6 +137,7 @@ blocky:
               kronic                          IN      CNAME   traefik-cl01tl
               lidarr                          IN      CNAME   traefik-cl01tl
               lidatube                        IN      CNAME   traefik-cl01tl
+              listenarr                       IN      CNAME   traefik-cl01tl
               mail                            IN      CNAME   traefik-cl01tl
               n8n                             IN      CNAME   traefik-cl01tl
               ntfy                            IN      CNAME   traefik-cl01tl

clusters/cl01tl/services/harbor/Chart.yaml

@@ -21,7 +21,7 @@ dependencies:
     repository: https://helm.goharbor.io
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: http://gitea-http.gitea:3000/api/packages/alexlebens/helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/harbor.png
 appVersion: v2.13.0

clusters/cl01tl/services/tailscale-operator/Chart.yaml

@@ -17,7 +17,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: tailscale-operator
-    version: 1.90.6
+    version: 1.90.8
     repository: https://pkgs.tailscale.com/helmcharts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/tailscale-light.png
 appVersion: v1.82.5

clusters/cl01tl/services/tailscale-operator/templates/dns-config.yaml

@@ -11,4 +11,4 @@ spec:
   nameserver:
     image:
       repo: tailscale/k8s-nameserver
-      tag: unstable-v1.83.106
+      tag: unstable-v1.91.88

clusters/cl01tl/services/talos/values.yaml

@@ -73,7 +73,7 @@ etcd-backup:
         s3-prune:
           image:
             repository: d3fk/s3cmd
-            tag: latest@sha256:4252b3d04c18dc7fec2117259ab5dc0e51cb46b8719e661762222b44f6559189
+            tag: latest@sha256:caccff69634d420705b9f676d69e15d574fb65d1dd475b7412d3bc18df99e00f
             pullPolicy: IfNotPresent
           command:
             - /bin/sh

clusters/cl01tl/storage/backrest/templates/persistent-volume-claim.yaml

@@ -15,3 +15,22 @@ spec:
   resources:
     requests:
       storage: 1Gi
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: backrest-nfs-share
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: backrest-nfs-share
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: backrest-nfs-share
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/storage/backrest/templates/persistent-volume.yaml

@@ -21,3 +21,28 @@ spec:
     - vers=4
     - minorversion=1
     - noac
+
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: backrest-nfs-share
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: backrest-nfs-share
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Share
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/storage/backrest/values.yaml

@@ -73,5 +73,12 @@ backrest:
       advancedMounts:
         main:
           main:
-            - path: /userdata
+            - path: /mnt/storage
+              readOnly: true
+    share:
+      existingClaim: backrest-nfs-share
+      advancedMounts:
+        main:
+          main:
+            - path: /mnt/share
               readOnly: true

clusters/cl01tl/storage/mariadb-operator/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: mariadb-operator
+version: 1.0.0
+description: MariaDB Operator
+keywords:
+  - mariadb-operator
+  - database
+  - storage
+  - kubernetes
+home: https://wiki.alexlebens.dev/
+sources:
+  - https://github.com/mariadb-operator/mariadb-operator
+  - https://github.com/mariadb-operator/mariadb-operator/tree/main/deploy/charts/mariadb-operator
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: mariadb-operator
+    version: 25.10.2
+    repository: https://helm.mariadb.com/mariadb-operator
+  - name: mariadb-operator-crds
+    version: 25.10.2
+    repository: https://helm.mariadb.com/mariadb-operator
+icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb_profile.svg
+appVersion: 25.10.2

clusters/cl01tl/storage/mariadb-operator/values.yaml

@@ -0,0 +1,11 @@
+mariadb-operator:
+  ha:
+    enabled: true
+    replicas: 3
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  pdb:
+    enabled: true
+    maxUnavailable: 1

clusters/cl01tl/storage/rook-ceph/values.yaml

@@ -3,8 +3,8 @@ rook-ceph:
     enabled: true
   csi:
     rookUseCsiOperator: true
-    enableMetadata: true
     cephFSKernelMountOptions: "ms_mode=secure"
+    enableMetadata: true
     provisionerReplicas: 3
     serviceMonitor:
       enabled: true
@@ -13,7 +13,6 @@ rook-ceph:
     enabled: true
 
 rook-ceph-cluster:
-  operatorNamespace: rook-ceph
   toolbox:
     enabled: true
   monitoring:
@@ -22,12 +21,11 @@ rook-ceph-cluster:
     prometheusRuleOverrides:
       CephNodeDiskspaceWarning:
         disabled: true
+  cephImage:
+    # https://quay.io/repository/ceph/ceph?tab=tags
+    repository: quay.io/ceph/ceph
+    tag: v19.2.3-20250717
   cephClusterSpec:
-    cephVersion:
-      # https://quay.io/repository/ceph/ceph?tab=tags
-      image: quay.io/ceph/ceph:v19.2.3-20250717
-    mon:
-      count: 3
     mgr:
       count: 1
       modules:
@@ -85,11 +83,9 @@ rook-ceph-cluster:
           cpu: 100m
           memory: 128Mi
     storage:
-      useAllNodes: true
-      useAllDevices: true
       deviceFilter: sda
       config:
-          osdsPerDevice: "1"
+        osdsPerDevice: "1"
     csi:
       readAffinity:
         enabled: true

clusters/cl01tl/storage/whodb/values.yaml

@@ -8,7 +8,7 @@ whodb:
         main:
           image:
             repository: clidey/whodb
-            tag: 0.72.0
+            tag: 0.75.0
             pullPolicy: IfNotPresent
           env:
             - name: WHODB_OLLAMA_HOST

hosts/ps08rp/blocky/config.yml

@@ -87,10 +87,12 @@ customDNS:
     authentik                       IN      CNAME   traefik-cl01tl
     backrest                        IN      CNAME   traefik-cl01tl
     bazarr                          IN      CNAME   traefik-cl01tl
+    booklore                        IN      CNAME   traefik-cl01tl
     calibre                         IN      CNAME   traefik-cl01tl
     calibre-downloader              IN      CNAME   traefik-cl01tl
     ceph                            IN      CNAME   traefik-cl01tl
     code-server                     IN      CNAME   traefik-cl01tl
+    ephemera                        IN      CNAME   traefik-cl01tl
     garage-s3                       IN      CNAME   traefik-cl01tl
     garage-webui                    IN      CNAME   traefik-cl01tl
     gatus                           IN      CNAME   traefik-cl01tl
@@ -111,6 +113,7 @@ customDNS:
     kronic                          IN      CNAME   traefik-cl01tl
     lidarr                          IN      CNAME   traefik-cl01tl
     lidatube                        IN      CNAME   traefik-cl01tl
+    listenarr                       IN      CNAME   traefik-cl01tl
     mail                            IN      CNAME   traefik-cl01tl
     n8n                             IN      CNAME   traefik-cl01tl
     ntfy                            IN      CNAME   traefik-cl01tl

hosts/ps09rp/blocky/config.yml

@@ -87,10 +87,12 @@ customDNS:
     authentik                       IN      CNAME   traefik-cl01tl
     backrest                        IN      CNAME   traefik-cl01tl
     bazarr                          IN      CNAME   traefik-cl01tl
+    booklore                        IN      CNAME   traefik-cl01tl
     calibre                         IN      CNAME   traefik-cl01tl
     calibre-downloader              IN      CNAME   traefik-cl01tl
     ceph                            IN      CNAME   traefik-cl01tl
     code-server                     IN      CNAME   traefik-cl01tl
+    ephemera                        IN      CNAME   traefik-cl01tl
     garage-s3                       IN      CNAME   traefik-cl01tl
     garage-webui                    IN      CNAME   traefik-cl01tl
     gatus                           IN      CNAME   traefik-cl01tl
@@ -111,6 +113,7 @@ customDNS:
     kronic                          IN      CNAME   traefik-cl01tl
     lidarr                          IN      CNAME   traefik-cl01tl
     lidatube                        IN      CNAME   traefik-cl01tl
+    listenarr                       IN      CNAME   traefik-cl01tl
     mail                            IN      CNAME   traefik-cl01tl
     n8n                             IN      CNAME   traefik-cl01tl
     ntfy                            IN      CNAME   traefik-cl01tl

hosts/ps10rp/gitea/compose.yaml

@@ -19,7 +19,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     postgresql:
-        image: docker.io/postgres:17.6-alpine3.21
+        image: docker.io/postgres:17.7-alpine3.21
         container_name: gitea-postgres
         env_file:
             - .env