chore(deps): update element-web to v1.12.16

Merge pull request 'chore(deps): update helm release argo-cd to v9.5.6' (#6355 ) from renovate/unified-argo-cd into main
chore(deps): update helm release argo-cd to v9.5.6
2026-04-28 18:29:44 +00:00 · 2026-04-28 18:25:15 +00:00 · 2026-04-28 18:24:50 +00:00 · 2026-04-28 18:20:21 +00:00 · 2026-04-28 17:42:37 +00:00 · 2026-04-28 17:39:23 +00:00
540 changed files with 5923 additions and 4205 deletions
--- a/.gitea/workflows/lint-test-helm.yaml
+++ b/.gitea/workflows/lint-test-helm.yaml
@@ -169,9 +169,10 @@ jobs:
          echo ">> Running linting on changed charts ..."
-          for DIR in ${CHANGED_CHARTS}; do
+          lint_chart() {
-            CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
+            local DIR="$1"
-            CHART_NAME=$(basename "${CHART_PATH}")
+            local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
            local CHART_NAME=$(basename "${CHART_PATH}")
            if [ -f "${CHART_PATH}/Chart.yaml" ]; then
              echo ""
@@ -182,15 +183,8 @@ jobs:
              echo ">> Linting helm chart ${CHART_NAME} ..."
              if ! helm lint "${CHART_PATH}" --namespace "default"; then
-                EXIT_CODE=1
+                echo "${DIR}" > ".failed_chart_${CHART_NAME}"
-
+                return 1
                if [ -z "${FAILED_CHARTS}" ]; then
                  FAILED_CHARTS="${DIR}"
                else
                  FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
                fi
              fi
            else
@@ -198,8 +192,20 @@ jobs:
              echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
            fi
          }
-          done
+          export -f lint_chart
          export CLUSTER
          for DIR in ${CHANGED_CHARTS}; do
            echo "${DIR}"
          done | xargs -P 4 -I {} bash -c 'OUT=$(lint_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
          if ls .failed_chart_* 1> /dev/null 2>&1; then
            EXIT_CODE=1
            FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
            rm -f .failed_chart_*
          fi
          echo ""
          echo "----"
@@ -329,8 +335,9 @@ jobs:
          EXIT_CODE=0
          FAILED_CHARTS=""
-          for DIR in ${CHANGED_CHARTS}; do
+          validate_chart() {
-            CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
+            local DIR="$1"
            local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
            echo ""
            echo ">> Validating: ${DIR}"
@@ -343,18 +350,23 @@ jobs:
                -strict \
                -summary; then
-              EXIT_CODE=1
+              echo "${DIR}" > ".failed_chart_${DIR}"
-
+              return 1
              if [ -z "${FAILED_CHARTS}" ]; then
                FAILED_CHARTS="${DIR}"
              else
                FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
              fi
            fi
          }
-          done
+          export -f validate_chart
          export CLUSTER SCHEMA_LOCATIONS
          for DIR in ${CHANGED_CHARTS}; do
            echo "${DIR}"
          done | xargs -P 4 -I {} bash -c 'OUT=$(validate_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
          if ls .failed_chart_* 1> /dev/null 2>&1; then
            EXIT_CODE=1
            FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
            rm -f .failed_chart_*
          fi
          echo ""
          echo "----"
@@ -482,6 +494,7 @@ jobs:
  #           echo ">> Render templates for ${APP_NAME} ..."
  #           CHART_PATH="clusters/${CLUSTER}/helm/${APP_NAME}"
  #           OUTPUT_FOLDER="clusters/${CLUSTER}/manifests/${APP_NAME}/"
  #           mkdir -p "${OUTPUT_FOLDER}"
  #           helm dependency build "${CHART_PATH}" --skip-refresh
@@ -499,7 +512,7 @@ jobs:
  #               echo ">> Standard Rendering ..."
  #           esac
-  #           TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --include-crds --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
+  #           TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
  #           # Format and split rendered template
  #           echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
@@ -526,29 +539,38 @@ jobs:
  #       run: |
  #         FAILED_CHARTS=""
  #         DIFF_FOUND="false"
  #         EXIT_CODE=0
  #         for APP_NAME in ${CHANGED_CHARTS}; do
  #           echo ">> Running argocd app diff for ${APP_NAME} ..."
-  #           argocd app diff "${APP_NAME}" \
+  #           if ! argocd app diff "${APP_NAME}" \
  #             --server "${ARGOCD_SERVER}" \
-  #             --revision ${{ gitea.sha }} \
+  #             --auth-token "${ARGOCD_AUTH_TOKEN}" \
-  #             --diff-exit-code 0 \
+  #             --revision ${{ github.sha }} \
  #             --local "clusters/${CLUSTER}/manifests/${APP_NAME}" \
  #             --local-repo-root "." \
-  #             --grpc-web > "diff_output_${APP_NAME}.txt"
+  #             --grpc-web > "diff_output_${APP_NAME}.txt" 2>&1; then
  #             # ArgoCD diff returns non-zero on diff or error.
  #             # Let's capture if it actually generated a diff output to post.
  #             DIFF_FOUND="true"
  #             # Check if the output contains validation/connection errors
  #             if grep -iE 'error|failed|connection refused|timeout' "diff_output_${APP_NAME}.txt"; then
  #                echo ">> ArgoCD encountered an error validating ${APP_NAME}!"
  #                EXIT_CODE=1
  #                FAILED_CHARTS="${FAILED_CHARTS} ${APP_NAME}"
  #             fi
  #           fi
  #           if [ -s "diff_output_${APP_NAME}.txt" ]; then
-  #             echo ">> Argo diff:"
+  #             echo ">> Argo diff or errors:"
  #             echo ""
  #             cat diff_output_${APP_NAME}.txt
  #             echo ""
  #             DIFF_FOUND="true"
  #           else
  #             echo ">> No Argo diff found for ${APP_NAME}"
  #             rm "diff_output_${APP_NAME}.txt"
  #           fi
  #         done
@@ -556,13 +578,13 @@ jobs:
  #         echo "diff-detected=${DIFF_FOUND}" >> "$GITHUB_OUTPUT"
  #         echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
-  #         exit $OVERALL_EXIT_CODE
+  #         exit $EXIT_CODE
  #     - name: Post Diff
  #       if: |
  #         always() &&
  #         steps.diff.outputs.diff-detected == 'true' &&
-  #         gitea.event.pull_request.number != null
+  #         github.event.pull_request.number != null
  #       env:
  #         GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
  #       run: |
@@ -588,7 +610,7 @@ jobs:
  #         done
  #         curl -X 'POST' \
-  #           "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/issues/${{ gitea.event.pull_request.number }}/comments" \
+  #           "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
  #           -H "Authorization: token ${GITEA_TOKEN}" \
  #           -H "Content-Type: application/json" \
  #           -d "$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')"
--- a/.gitea/workflows/renovate.yaml
+++ b/.gitea/workflows/renovate.yaml
@@ -12,8 +12,8 @@ on:
 jobs:
  renovate:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-js
-    container: ghcr.io/renovatebot/renovate:43.132.0@sha256:fc54bbc724d1924fa72c331729eefb5acd1385a9ce30617b0264a7fb4b8878da
+    container: ghcr.io/renovatebot/renovate:43.150.0@sha256:f2d4c467a8eb4b885630a8ca7d068173db69a5a1156ba41480c0a3a2e011d759
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
--- a/clusters/cl01tl/helm/actual/Chart.lock
+++ b/clusters/cl01tl/helm/actual/Chart.lock
@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
-digest: sha256:1c04c187e6cf768117f7f91f3a3b082937ad5854c1cf6a681ad7c02687cd543d
+- name: volsync-target
-generated: "2026-04-18T20:15:22.778699-05:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
  version: 1.0.0
 digest: sha256:ee1ff98af82f76ddf0b672abf9f4973ae41faff3cd61d81849f496c089cfdbd3
 generated: "2026-04-26T14:57:34.863614-05:00"
--- a/clusters/cl01tl/helm/actual/Chart.yaml
+++ b/clusters/cl01tl/helm/actual/Chart.yaml
@@ -18,10 +18,10 @@ dependencies:
    alias: actual
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
-  # - name: volsync-target
+  - name: volsync-target
-  #   alias: volsync-target-data
+    alias: volsync-target-data
-  #   version: 0.8.0
+    version: 1.0.0
-  #   repository: oci://harbor.alexlebens.net/helm-charts
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
 # renovate: datasource=github-releases depName=actualbudget/actual
 appVersion: 26.4.0
--- a/clusters/cl01tl/helm/actual/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/actual/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/argocd/Chart.lock
+++ b/clusters/cl01tl/helm/argocd/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
  repository: https://argoproj.github.io/argo-helm
-  version: 9.5.1
+  version: 9.5.6
-digest: sha256:52a9bcfdc287dac30b8833cd34654b7e62c864aa3d23bda7644a8acf5f75eb78
+digest: sha256:81edcf69a6e3d7c8a567984024ed0c3a1ccf7db284f547492dcce9af1b4ecbfa
-generated: "2026-04-16T15:57:15.168206017Z"
+generated: "2026-04-28T18:24:45.609699191Z"
--- a/clusters/cl01tl/helm/argocd/Chart.yaml
+++ b/clusters/cl01tl/helm/argocd/Chart.yaml
@@ -13,8 +13,8 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: argo-cd
-    version: 9.5.2
+    version: 9.5.6
    repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-cd
-appVersion: v3.3.7
+appVersion: v3.3.8
--- a/clusters/cl01tl/helm/argocd/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/argocd/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/argocd/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/argocd/templates/external-secret.yaml
@@ -1,70 +1,40 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-oidc-secret
+  name: argocd-oidc-authentik
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: argocd-oidc-secret
+    app.kubernetes.io/name: argocd-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: secret
      remoteRef:
-        key: /authentik/oidc/argocd
+        key: /cl01tl/authentik/oidc/argocd
        property: secret
    - secretKey: client
      remoteRef:
-        key: /authentik/oidc/argocd
+        key: /cl01tl/authentik/oidc/argocd
        property: client
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-notifications-secret
+  name: argocd-notifications-ntfy
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: argocd-notifications-secret
+    app.kubernetes.io/name: argocd-notifications-ntfy
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: ntfy-token
      remoteRef:
-        key: /ntfy/user/cl01tl
+        key: /cl01tl/ntfy/users/cl01tl
        property: token
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: argocd-gitea-repo-infrastructure-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: type
      remoteRef:
        key: /cl01tl/argocd/credentials/repo/infrastructure
        property: type
    - secretKey: url
      remoteRef:
        key: /cl01tl/argocd/credentials/repo/infrastructure
        property: url
    - secretKey: sshPrivateKey
      remoteRef:
        key: /cl01tl/argocd/credentials/repo/infrastructure
        property: sshPrivateKey
--- a/clusters/cl01tl/helm/argocd/templates/prometheus-rule.yaml
+++ b/clusters/cl01tl/helm/argocd/templates/prometheus-rule.yaml
@@ -0,0 +1,108 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
  name: haproxy
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: haproxy
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  groups:
    - name: EmbeddedExporter
      rules:
        - alert: HAProxyHighHTTP4xxErrorRateBackend
          expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: HAProxy high HTTP 4xx error rate backend (instance {{ `{{ $labels.instance }}` }})
            description: "Too many HTTP requests with status 4xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyHighHTTP5xxErrorRateBackend
          expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: HAProxy high HTTP 5xx error rate backend (instance {{ `{{ $labels.instance }}` }})
            description: "Too many HTTP requests with status 5xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyHighHTTP4xxErrorRateServer
          expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: HAProxy high HTTP 4xx error rate server (instance {{ `{{ $labels.instance }}` }})
            description: "Too many HTTP requests with status 4xx (> 5%) on server {{ `{{ $labels.server }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyHighHTTP5xxErrorRateServer
          expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: HAProxy high HTTP 5xx error rate server (instance {{ `{{ $labels.instance }}` }})
            description: "Too many HTTP requests with status 5xx (> 5%) on server {{ `{{ $labels.server }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyServerResponseErrors
          expr: (sum by (server) (rate(haproxy_server_response_errors_total[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100 > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: HAProxy server response errors (instance {{ `{{ $labels.instance }}` }})
            description: "Too many response errors to {{ `{{ $labels.server }}` }} server (> 5%).\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyBackendConnectionErrors
          expr: (sum by (proxy) (rate(haproxy_backend_connection_errors_total[1m]))) > 100
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: HAProxy backend connection errors (instance {{ `{{ $labels.instance }}` }})
            description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} backend (> 100 req/s). Request throughput may be too high.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyServerConnectionErrors
          expr: (sum by (proxy) (rate(haproxy_server_connection_errors_total[1m]))) > 100
          for: 0m
          labels:
            severity: critical
          annotations:
            summary: HAProxy server connection errors (instance {{ `{{ $labels.instance }}` }})
            description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} (> 100 req/s). Request throughput may be too high.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyBackendMaxActiveSession>80%
          expr: (haproxy_backend_current_sessions / haproxy_backend_limit_sessions * 100) > 80 and haproxy_backend_limit_sessions > 0
          for: 2m
          labels:
            severity: warning
          annotations:
            summary: HAProxy backend max active session > 80% (instance {{ `{{ $labels.instance }}` }})
            description: "Session limit from backend {{ `{{ $labels.proxy }}` }} reached 80% of limit - {{ `{{ $value | printf \"%.2f\"}}` }}%\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyPendingRequests
          expr: sum by (proxy) (haproxy_backend_current_queue) > 0
          for: 2m
          labels:
            severity: warning
          annotations:
            summary: HAProxy pending requests (instance {{ `{{ $labels.instance }}` }})
            description: "Some HAProxy requests are pending on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyRetryHigh
          expr: sum by (proxy) (rate(haproxy_backend_retry_warnings_total[1m])) > 10
          for: 2m
          labels:
            severity: warning
          annotations:
            summary: HAProxy retry high (instance {{ `{{ $labels.instance }}` }})
            description: "High rate of retry on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyFrontendSecurityBlockedRequests
          expr: sum by (proxy) (rate(haproxy_frontend_denied_connections_total[2m])) > 10
          for: 2m
          labels:
            severity: warning
          annotations:
            summary: HAProxy frontend security blocked requests (instance {{ `{{ $labels.instance }}` }})
            description: "HAProxy is blocking requests for security reason\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyServerHealthcheckFailure
          expr: increase(haproxy_server_check_failures_total[1m]) > 2
          for: 0m
          labels:
            severity: warning
          annotations:
            summary: HAProxy server healthcheck failure (instance {{ `{{ $labels.instance }}` }})
            description: "Some server healthcheck are failing on {{ `{{ $labels.server }}` }} ({{ `{{ $value }}` }} in the last 1m)\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
--- a/clusters/cl01tl/helm/argocd/values.yaml
+++ b/clusters/cl01tl/helm/argocd/values.yaml
@@ -13,8 +13,8 @@ argo-cd:
        connectors:
        - config:
            issuer: https://authentik.alexlebens.net/application/o/argocd/
-            clientID: $argocd-oidc-secret:client
+            clientID: $argocd-oidc-authentik:client
-            clientSecret: $argocd-oidc-secret:secret
+            clientSecret: $argocd-oidc-authentik:secret
            insecureEnableGroups: true
            scopes:
              - openid
@@ -103,7 +103,7 @@ argo-cd:
      enabled: true
      image:
        repository: haproxy
-        tag: 3.3.6-alpine@sha256:744be2dca649a44d490a4c565d36968d19482dd387f1bdd44c168f4322bc6b1e
+        tag: 3.3.7-alpine@sha256:2afa53c856e4e9fcc7dfb35b807fcb189896d7e62b38d363f9bedea92bce7f9a
      resources:
        requests:
          cpu: 5m
@@ -205,7 +205,7 @@ argo-cd:
    argocdUrl: https://argocd.alexlebens.net
    secret:
      create: false
-      name: argocd-notifications-secret
+      name: argocd-notifications-ntfy
    metrics:
      enabled: true
      serviceMonitor:
--- a/clusters/cl01tl/helm/audiobookshelf/Chart.lock
+++ b/clusters/cl01tl/helm/audiobookshelf/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
  version: 4.6.2
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
+  version: 1.0.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
+  version: 1.0.0
-digest: sha256:7ee4cfdf7f908401c39b3cda0cf8783b25dcb9cf93e7c911609bab9e303ec5bf
+digest: sha256:c6af4b1dd96410281d53ff8f63235bc79bd9a1d493d6da097d9e4ff088e09538
-generated: "2026-03-06T01:05:03.534042627Z"
+generated: "2026-04-26T14:57:40.219612-05:00"
--- a/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
@@ -24,12 +24,12 @@ dependencies:
    version: 4.6.2
  - name: volsync-target
    alias: volsync-target-config
-    version: 0.8.0
+    version: 1.0.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-metadata
-    version: 0.8.0
+    version: 1.0.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 # renovate: datasource=github-releases depName=advplyr/audiobookshelf
-appVersion: 2.33.1
+appVersion: 2.34.0
--- a/clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl
@@ -0,0 +1,27 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "custom.booksNfsName" -}}
 audiobookshelf-books-nfs-storage
 {{- end -}}
 {{- define "custom.audiobooksNfsName" -}}
 audiobookshelf-audiobooks-nfs-storage
 {{- end -}}
 {{- define "custom.podcastsNfsName" -}}
 audiobookshelf-podcasts-nfs-storage
 {{- end -}}
--- a/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
@@ -1,18 +1,27 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: audiobookshelf-apprise-config
+  name: audiobookshelf-config-apprise
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: audiobookshelf-apprise-config
+    app.kubernetes.io/name: audiobookshelf-config-apprise
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        ntfy-url: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}"
  data:
-    - secretKey: ntfy-url
+    - secretKey: endpoint
      remoteRef:
-        key: /cl01tl/audiobookshelf/apprise
+        key: /cl01tl/ntfy/users/cl01tl
-        property: ntfy-url
+        property: internal-endpoint-credential
    - secretKey: topic
      remoteRef:
        key: /cl01tl/ntfy/topics
        property: audiobookshelf
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: audiobookshelf-books-nfs-storage
+  name: {{ include "custom.booksNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{ include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: audiobookshelf-books-nfs-storage
+  volumeName: {{ include "custom.booksNfsName" . }}
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
@@ -20,14 +19,13 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: audiobookshelf-audiobooks-nfs-storage
+  name: {{ include "custom.audiobooksNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: audiobookshelf-audiobooks-nfs-storage
+  volumeName: {{ include "custom.audiobooksNfsName" . }}
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
@@ -39,14 +37,13 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: audiobookshelf-podcasts-nfs-storage
+  name: {{ include "custom.podcastsNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: audiobookshelf-podcasts-nfs-storage
+  volumeName: {{ include "custom.podcastsNfsName" . }}
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: audiobookshelf-books-nfs-storage
+  name: {{ include "custom.booksNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -26,12 +25,11 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: audiobookshelf-audiobooks-nfs-storage
+  name: {{ include "custom.audiobooksNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -51,12 +49,11 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: audiobookshelf-podcasts-nfs-storage
+  name: {{ include "custom.podcastsNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
--- a/clusters/cl01tl/helm/audiobookshelf/values.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/values.yaml
@@ -12,7 +12,7 @@ audiobookshelf:
        main:
          image:
            repository: ghcr.io/advplyr/audiobookshelf
-            tag: 2.33.1@sha256:a4a5841bba093d81e5f4ad1eaedb4da3fda6dbb2528c552349da50ad1f7ae708
+            tag: 2.34.0@sha256:4143292c530f6ac6700afd13360c04f477e4f1a81c1c97c4224b1c7e4330c5c4
          env:
            - name: TZ
              value: America/Chicago
@@ -23,7 +23,7 @@ audiobookshelf:
        apprise-api:
          image:
            repository: ghcr.io/caronc/apprise
-            tag: v1.3.3@sha256:4bfeac268ba87b8e08e308c9aa0182fe99e9501ec464027afc333d1634e65977
+            tag: v1.4.0@sha256:9d97a6b9b42cf6afdf3b5466dbed2a59cd42a4bb777ec6aa57b5f2ee623569eb
          env:
            - name: TZ
              value: America/Chicago
@@ -40,7 +40,7 @@ audiobookshelf:
            - name: APPRISE_STATELESS_URLS
              valueFrom:
                secretKeyRef:
-                  name: audiobookshelf-apprise-config
+                  name: audiobookshelf-config-apprise
                  key: ntfy-url
  service:
    main:
--- a/clusters/cl01tl/helm/authentik/Chart.lock
+++ b/clusters/cl01tl/helm/authentik/Chart.lock
@@ -4,12 +4,12 @@ dependencies:
  version: 2026.2.2
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.5.0
+  version: 2.6.0
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.11.2
+  version: 7.12.1
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.6.1
-digest: sha256:22fe4d9ec592aa74cbff5596e8d900f607bd68ea14c7df70a94b4ef76727614d
+digest: sha256:d1dbca83e5b63a58a9bf9f2903d1b45bbadca3e8599541367bc61ef2ce938cdb
-generated: "2026-04-13T20:32:12.748342469Z"
+generated: "2026-04-24T21:50:21.398658595Z"
--- a/clusters/cl01tl/helm/authentik/Chart.yaml
+++ b/clusters/cl01tl/helm/authentik/Chart.yaml
@@ -22,10 +22,10 @@ dependencies:
    repository: https://charts.goauthentik.io/
  - name: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.5.0
+    version: 2.6.0
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.11.2
+    version: 7.12.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey
--- a/clusters/cl01tl/helm/authentik/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/authentik/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/authentik/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/external-secret.yaml
@@ -1,16 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: authentik-key-secret
+  name: authentik-key
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: authentik-key-secret
+    app.kubernetes.io/name: authentik-key
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: key
      remoteRef:
--- a/clusters/cl01tl/helm/authentik/templates/ingress.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/ingress.yaml
@@ -1,12 +1,11 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: authentik-tailscale
+  name: {{ .Release.Name }}-tailscale
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: authentik-tailscale
+    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
    tailscale.com/proxy-class: no-metrics
  annotations:
    tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
@@ -26,4 +25,4 @@ spec:
              service:
                name: authentik-server
                port:
-                  number: 80
+                  name: http
--- a/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
@@ -5,8 +5,7 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: allow-outpost-cross-namespace-access
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  from:
    - group: gateway.networking.k8s.io
--- a/clusters/cl01tl/helm/authentik/values.yaml
+++ b/clusters/cl01tl/helm/authentik/values.yaml
@@ -4,7 +4,7 @@ authentik:
      - name: AUTHENTIK_SECRET_KEY
        valueFrom:
          secretKeyRef:
-            name: authentik-key-secret
+            name: authentik-key
            key: key
      - name: AUTHENTIK_POSTGRESQL__HOST
        valueFrom:
--- a/clusters/cl01tl/helm/backrest/Chart.lock
+++ b/clusters/cl01tl/helm/backrest/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
  version: 4.6.2
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
+  version: 1.0.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
+  version: 1.0.0
-digest: sha256:f203538010828e77336f3cf39451a1072c90aeb8ece7c173a3476c49883b46d1
+digest: sha256:4c3010c4ef30f7baaad7564d1fda9bdfe18184fab0e3f47a8a1f4c74e340e557
-generated: "2026-03-06T01:05:24.935421139Z"
+generated: "2026-04-24T22:50:23.056323614Z"
--- a/clusters/cl01tl/helm/backrest/Chart.yaml
+++ b/clusters/cl01tl/helm/backrest/Chart.yaml
@@ -20,11 +20,11 @@ dependencies:
    version: 4.6.2
  - name: volsync-target
    alias: volsync-target-config
-    version: 0.8.0
+    version: 1.0.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-data
-    version: 0.8.0
+    version: 1.0.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
 # renovate: datasource=github-releases depName=garethgeorge/backrest
--- a/clusters/cl01tl/helm/backrest/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/backrest/templates/_helpers.tpl
@@ -0,0 +1,24 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "custom.storageNfsName" -}}
 backrest-nfs-storage
 {{- end -}}
 {{- define "custom.shareNfsName" -}}
 backrest-nfs-share
 {{- end -}}
--- a/clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: backrest-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: backrest-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: backrest-nfs-storage
+  volumeName: {{ include "custom.storageNfsName" . }}
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
@@ -20,14 +19,13 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: backrest-nfs-share
+  name: {{ include "custom.shareNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: backrest-nfs-share
+    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: backrest-nfs-share
+  volumeName: {{ include "custom.shareNfsName" . }}
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: backrest-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: backrest-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -26,12 +25,11 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: backrest-nfs-share
+  name: {{ include "custom.shareNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: backrest-nfs-share
+    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
--- a/clusters/cl01tl/helm/bazarr/Chart.lock
+++ b/clusters/cl01tl/helm/bazarr/Chart.lock
@@ -4,6 +4,6 @@ dependencies:
  version: 4.6.2
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
+  version: 1.0.0
-digest: sha256:ce88e4cd451613c9dbc25d285700970789ff678452ef277f3c8465dbf6157f1f
+digest: sha256:ee94a588fa517303597c8a6159befdbac00b651afc5c1d7c779b3cb28d3ba8c6
-generated: "2026-03-06T01:05:44.405374459Z"
+generated: "2026-04-24T22:50:33.529825344Z"
--- a/clusters/cl01tl/helm/bazarr/Chart.yaml
+++ b/clusters/cl01tl/helm/bazarr/Chart.yaml
@@ -24,7 +24,7 @@ dependencies:
    version: 4.6.2
  - name: volsync-target
    alias: volsync-target-config
-    version: 0.8.0
+    version: 1.0.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
 # renovate: datasource=github-releases depName=linuxserver/docker-bazarr
--- a/clusters/cl01tl/helm/bazarr/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/bazarr/templates/_helpers.tpl
@@ -0,0 +1,21 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "custom.storageNfsName" -}}
 bazarr-nfs-storage
 {{- end -}}
--- a/clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
@@ -1,16 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: bazarr-key-secret
+  name: bazarr-key
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: bazarr-key-secret
+    app.kubernetes.io/name: bazarr-key
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: key
      remoteRef:
--- a/clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: bazarr-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: bazarr-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: bazarr-nfs-storage
+  volumeName: {{ include "custom.storageNfsName" . }}
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: bazarr-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: bazarr-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
--- a/clusters/cl01tl/helm/bazarr/values.yaml
+++ b/clusters/cl01tl/helm/bazarr/values.yaml
@@ -39,7 +39,7 @@ bazarr:
            - name: APIKEY
              valueFrom:
                secretKeyRef:
-                  name: bazarr-key-secret
+                  name: bazarr-key
                  key: key
            - name: ENABLE_ADDITIONAL_METRICS
              value: false
--- a/clusters/cl01tl/helm/blocky/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/blocky/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl
@@ -0,0 +1,24 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "custom.cloudflareSecretName" -}}
 cert-manager-cloudflare-api-token
 {{- end -}}
 {{- define "custom.cloudflareSecretKey" -}}
 api-token
 {{- end -}}
--- a/clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
@@ -5,8 +5,7 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: letsencrypt-issuer
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  acme:
    email: alexanderlebens@gmail.com
@@ -22,5 +21,5 @@ spec:
          cloudflare:
            email: alexanderlebens@gmail.com
            apiTokenSecretRef:
-              name: cloudflare-api-token
+              name: {{ include "custom.cloudflareSecretName" . }}
-              key: api-token
+              key: {{ include "custom.cloudflareSecretKey" . }}
--- a/clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
@@ -1,18 +1,17 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: cloudflare-api-token
+  name: {{ include "custom.cloudflareSecretName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: cloudflare-api-token
+    app.kubernetes.io/name: {{ include "custom.cloudflareSecretName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
-    - secretKey: api-token
+    - secretKey: {{ include "custom.cloudflareSecretKey" . }}
      remoteRef:
-        key: /cloudflare/alexlebens.net/clusterissuer
+        key: /cloudflare/alexlebens.net/cl01tl-issuer-certificate
        property: token
--- a/clusters/cl01tl/helm/cert-manager/templates/prometheus-rule.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/prometheus-rule.yaml
@@ -0,0 +1,44 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
  name: cert-manager
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: cert-manager
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  groups:
    - name: EmbeddedExporter
      rules:
        - alert: Cert-ManagerAbsent
          expr: absent(up{job="cert-manager"})
          for: 10m
          labels:
            severity: critical
          annotations:
            summary: Cert-Manager absent (instance {{ `{{ $labels.instance }}` }})
            description: "Cert-Manager has disappeared from Prometheus service discovery. New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: Cert-ManagerCertificateExpiringSoon
          expr: avg by (exported_namespace, namespace, name) (certmanager_certificate_expiration_timestamp_seconds - time()) < (21 * 24 * 3600)
          for: 1h
          labels:
            severity: warning
          annotations:
            summary: Cert-Manager certificate expiring soon (instance {{ `{{ $labels.instance }}` }})
            description: "The certificate {{ `{{ $labels.name }}` }} is expiring in less than 21 days.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: Cert-ManagerCertificateNotReady
          expr: max by (name, exported_namespace, namespace, condition) (certmanager_certificate_ready_status{condition!="True"} == 1)
          for: 10m
          labels:
            severity: critical
          annotations:
            summary: Cert-Manager certificate not ready (instance {{ `{{ $labels.instance }}` }})
            description: "The certificate {{ `{{ $labels.name }}` }} in namespace {{ `{{ $labels.exported_namespace }}` }} is not ready to serve traffic.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: Cert-ManagerHittingACMERateLimits
          expr: sum by (host) (rate(certmanager_acme_client_request_count{status="429"}[5m])) > 0
          for: 5m
          labels:
            severity: critical
          annotations:
            summary: Cert-Manager hitting ACME rate limits (instance {{ `{{ $labels.instance }}` }})
            description: "Cert-Manager is being rate-limited by the ACME provider. Certificate issuance and renewal may be blocked for up to a week.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
--- a/clusters/cl01tl/helm/cilium/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cilium/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml
@@ -1,19 +0,0 @@
 # apiVersion: cilium.io/v2
 # kind: CiliumBGPAdvertisement
 # metadata:
 #   name: cilium-bgp-advertisements
 #   namespace: {{ .Release.Namespace }}
 #   labels:
 #     app.kubernetes.io/name: cilium-bgp-advertisements
 #     app.kubernetes.io/instance: {{ .Release.Name }}
 #     app.kubernetes.io/part-of: {{ .Release.Name }}
 # spec:
 #   advertisements:
 #     - advertisementType: "Service"
 #       service:
 #         addresses:
 #           - ExternalIP
 #           - LoadBalancerIP
 #       selector:
 #         matchExpressions:
 #          - {key: somekey, operator: NotIn, values: ['never-used-value']}
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml
@@ -1,22 +0,0 @@
 # apiVersion: cilium.io/v2
 # kind: CiliumBGPClusterConfig
 # metadata:
 #   name: cilium-bgp
 #   namespace: {{ .Release.Namespace }}
 #   labels:
 #     app.kubernetes.io/name: cilium-bgp
 #     app.kubernetes.io/instance: {{ .Release.Name }}
 #     app.kubernetes.io/part-of: {{ .Release.Name }}
 # spec:
 #   nodeSelector:
 #     matchLabels:
 #       node-role.kubernetes.io/bgp: "65020"
 #   bgpInstances:
 #     - name: "65020"
 #       localASN: 65020
 #       peers:
 #         - name: "udm-65000"
 #           peerASN: 65000
 #           peerAddress: 192.168.1.1
 #           peerConfigRef:
 #             name: "cilium-peer"
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml
@@ -1,23 +0,0 @@
 # apiVersion: cilium.io/v2
 # kind: CiliumBGPPeerConfig
 # metadata:
 #   name: cilium-peer
 #   namespace: {{ .Release.Namespace }}
 #   labels:
 #     app.kubernetes.io/name: cilium-peer
 #     app.kubernetes.io/instance: {{ .Release.Name }}
 #     app.kubernetes.io/part-of: {{ .Release.Name }}
 # spec:
 #   timers:
 #     holdTimeSeconds: 9
 #     keepAliveTimeSeconds: 3
 #   ebgpMultihop: 4
 #   gracefulRestart:
 #     enabled: true
 #     restartTimeSeconds: 15
 #   families:
 #     - afi: ipv4
 #       safi: unicast
 #       advertisements:
 #         matchLabels:
 #           app.kubernetes.io/name: cilium-bgp-advertisements
--- a/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
@@ -5,8 +5,7 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: default-ip-pool
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  blocks:
    - start: "10.232.1.21"
@@ -20,8 +19,7 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: bgp-ip-pool
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  blocks:
    - start: "10.232.2.100"
--- a/clusters/cl01tl/helm/cilium/templates/gateway.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/gateway.yaml
@@ -1,45 +0,0 @@
 # apiVersion: gateway.networking.k8s.io/v1
 # kind: Gateway
 # metadata:
 #   name: cilium-tls-gateway
 #   namespace: {{ .Release.Namespace }}
 #   labels:
 #     app.kubernetes.io/name: cilium-tls-gateway
 #     app.kubernetes.io/instance: {{ .Release.Name }}
 #     app.kubernetes.io/part-of: {{ .Release.Name }}
 #   annotations:
 #     cert-manager.io/cluster-issuer: letsencrypt-issuer
 # spec:
 #   addresses:
 #     - type: IPAddress
 #       value: 10.232.1.23
 #   gatewayClassName: cilium
 #   listeners:
 #     - allowedRoutes:
 #         namespaces:
 #           from: All
 #       hostname: '*.alexlebens.net'
 #       name: https
 #       port: 443
 #       protocol: HTTPS
 #       tls:
 #         certificateRefs:
 #           - group: ''
 #             kind: Secret
 #             name: https-gateway-cert
 #             namespace: kube-system
 #         mode: Terminate
 #     - allowedRoutes:
 #         namespaces:
 #           from: All
 #       hostname: 'alexlebens.net'
 #       name: https-domain
 #       port: 443
 #       protocol: HTTPS
 #       tls:
 #         certificateRefs:
 #           - group: ''
 #             kind: Secret
 #             name: https-gateway-cert
 #             namespace: kube-system
 #         mode: Terminate
--- a/clusters/cl01tl/helm/cilium/templates/http-route.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/http-route.yaml
@@ -5,8 +5,7 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: hubble
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  parentRefs:
    - group: gateway.networking.k8s.io
@@ -21,8 +20,6 @@ spec:
          type: PathPrefix
          value: /
      backendRefs:
-        - group: ''
+        - kind: Service
          kind: Service
          name: hubble-ui
          port: 80
          weight: 100
--- a/clusters/cl01tl/helm/cloudnative-pg/Chart.lock
+++ b/clusters/cl01tl/helm/cloudnative-pg/Chart.lock
@@ -5,5 +5,11 @@ dependencies:
 - name: plugin-barman-cloud
  repository: https://cloudnative-pg.io/charts/
  version: 0.6.0
-digest: sha256:48241acb753e635a01b306b90cfbce13ed3c0105a33ec7d36f159e3a7fe607f3
+- name: rclone-bucket
-generated: "2026-04-14T09:03:10.332065288Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.3
 - name: rclone-bucket
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.3
 digest: sha256:75d7078b7009082521a1bb8b49141e20b442343dabe7f76f5e7a16a352cfe205
 generated: "2026-04-26T15:36:31.678086-05:00"
--- a/clusters/cl01tl/helm/cloudnative-pg/Chart.yaml
+++ b/clusters/cl01tl/helm/cloudnative-pg/Chart.yaml
@@ -13,6 +13,7 @@ sources:
  - https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql
  - https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
  - https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
 maintainers:
  - name: alexlebens
 dependencies:
@@ -22,6 +23,14 @@ dependencies:
  - name: plugin-barman-cloud
    version: 0.6.0
    repository: https://cloudnative-pg.io/charts/
  - name: rclone-bucket
    alias: rclone-postgres-backups-remote
    repository: oci://harbor.alexlebens.net/helm-charts
    version: 0.4.3
  - name: rclone-bucket
    alias: rclone-postgres-backups-external
    repository: oci://harbor.alexlebens.net/helm-charts
    version: 0.4.3
 icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png
 # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
 appVersion: 1.29.0
--- a/clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/cloudnative-pg/values.yaml
+++ b/clusters/cl01tl/helm/cloudnative-pg/values.yaml
@@ -14,3 +14,62 @@ plugin-barman-cloud:
    requests:
      cpu: 1m
      memory: 20Mi
 rclone-postgres-backups-remote:
  nameOverride: postgres-backups-remote-rclone
  cronJob:
    suspend: false
    schedule: 0 6 * * 6
  rclone:
    source:
      bucketName: postgres-backups
    destination:
      bucketName: postgres-backups
  prune:
    enabled: true
    ageToPrune: 45d
    include: "/cl01tl/*/*/*/base/**"
    exclude: "**/walls/**"
  secret:
    externalSecret:
      source:
        credentials:
          path: /garage/home-infra/postgres-backups
        config:
          path: /garage/config
      destination:
        credentials:
          path: /garage/home-infra/postgres-backups
        config:
          path: /garage/config
 rclone-postgres-backups-external:
  nameOverride: postgres-backups-external-rclone
  cronJob:
    suspend: true
    schedule: 0 6 * * 6
  rclone:
    source:
      bucketName: openbao-backups
    destination:
      bucketName: postgres-backups-ecc1010276b61716
      providerType: DigitalOcean
  prune:
    enabled: true
    ageToPrune: 45d
    include: "/cl01tl/*/*/*/base/**"
    exclude: "**/walls/**"
  secret:
    externalSecret:
      source:
        credentials:
          path: /garage/home-infra/postgres-backups
        config:
          path: /garage/config
      destination:
        credentials:
          path: /digital-ocean/home-infra/postgres-backups
          keyIdProperty: AWS_ACCESS_KEY_ID
          secretKeyProperty: AWS_SECRET_ACCESS_KEY
          regionProperty: AWS_REGION
        config:
          path: /digital-ocean/config
          endpointProperty: ENDPOINT
--- a/clusters/cl01tl/helm/coredns/Chart.yaml
+++ b/clusters/cl01tl/helm/coredns/Chart.yaml
@@ -17,4 +17,4 @@ dependencies:
    repository: https://coredns.github.io/helm
 icon: https://raw.githubusercontent.com/coredns/coredns.io/refs/heads/master/static/images/favicon.png
 # renovate: datasource=github-releases depName=coredns/coredns
-appVersion: v1.14.2
+appVersion: v1.14.3
--- a/clusters/cl01tl/helm/coredns/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/coredns/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/dawarich/Chart.lock
+++ b/clusters/cl01tl/helm/dawarich/Chart.lock
@@ -4,18 +4,18 @@ dependencies:
  version: 4.6.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.11.2
+  version: 7.12.1
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.6.1
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
+  version: 1.0.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
+  version: 1.0.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
+  version: 1.0.0
-digest: sha256:6ece439d5549b7d7ccd75053846bb9b2e8f9798a2e2163eac6f62bf5cf222587
+digest: sha256:675bca89787669fd5b23eb2d4b49a44acee2556044982bb634f678a39cec7db4
-generated: "2026-04-13T20:32:54.380897459Z"
+generated: "2026-04-24T22:50:43.987901153Z"
--- a/clusters/cl01tl/helm/dawarich/Chart.yaml
+++ b/clusters/cl01tl/helm/dawarich/Chart.yaml
@@ -22,7 +22,7 @@ dependencies:
    version: 4.6.2
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.11.2
+    version: 7.12.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey
@@ -30,16 +30,16 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-storage
-    version: 0.8.0
+    version: 1.0.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-public
-    version: 0.8.0
+    version: 1.0.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-watched
-    version: 0.8.0
+    version: 1.0.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
 # renovate: datasource=github-releases depName=Freika/dawarich
-appVersion: 1.6.1
+appVersion: 1.7.0
--- a/clusters/cl01tl/helm/dawarich/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/dawarich/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
@@ -1,42 +1,52 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-key-secret
+  name: dawarich-key
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: dawarich-key-secret
+    app.kubernetes.io/name: dawarich-key
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: key
      remoteRef:
        key: /cl01tl/dawarich/key
        property: key
    - secretKey: otp-primary-key
      remoteRef:
        key: /cl01tl/dawarich/key
        property: otp-primary-key
    - secretKey: otp-deterministic-key
      remoteRef:
        key: /cl01tl/dawarich/key
        property: otp-deterministic-key
    - secretKey: otp-derivation-salt
      remoteRef:
        key: /cl01tl/dawarich/key
        property: otp-derivation-salt
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-oidc-secret
+  name: dawarich-oidc-authentik
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: dawarich-oidc-secret
+    app.kubernetes.io/name: dawarich-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: client
      remoteRef:
-        key: /authentik/oidc/dawarich
+        key: /cl01tl/authentik/oidc/dawarich
        property: client
    - secretKey: secret
      remoteRef:
-        key: /authentik/oidc/dawarich
+        key: /cl01tl/authentik/oidc/dawarich
        property: secret
--- a/clusters/cl01tl/helm/dawarich/values.yaml
+++ b/clusters/cl01tl/helm/dawarich/values.yaml
@@ -8,7 +8,7 @@ dawarich:
        main:
          image:
            repository: freikin/dawarich
-            tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
+            tag: 1.7.0@sha256:7d5f99c61121fcfa4cbdd6a153392630d9f059ffb0156759278d3e049085ec62
          command:
            - "web-entrypoint.sh"
          args:
@@ -61,12 +61,12 @@ dawarich:
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
-                  name: dawarich-oidc-secret
+                  name: dawarich-oidc-authentik
                  key: client
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: dawarich-oidc-secret
+                  name: dawarich-oidc-authentik
                  key: secret
            - name: OIDC_PROVIDER_NAME
              value: Authentik
@@ -81,8 +81,23 @@ dawarich:
            - name: SECRET_KEY_BASE
              valueFrom:
                secretKeyRef:
-                  name: dawarich-key-secret
+                  name: dawarich-key
                  key: key
            - name: OTP_ENCRYPTION_PRIMARY_KEY
              valueFrom:
                secretKeyRef:
                  name: dawarich-key
                  key: otp-primary-key
            - name: OTP_ENCRYPTION_DETERMINISTIC_KEY
              valueFrom:
                secretKeyRef:
                  name: dawarich-key
                  key: otp-deterministic-key
            - name: OTP_ENCRYPTION_KEY_DERIVATION_SALT
              valueFrom:
                secretKeyRef:
                  name: dawarich-key
                  key: otp-derivation-salt
            - name: RAILS_LOG_TO_STDOUT
              value: true
            - name: SELF_HOSTED
@@ -111,7 +126,7 @@ dawarich:
        sidekiq:
          image:
            repository: freikin/dawarich
-            tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
+            tag: 1.7.0@sha256:7d5f99c61121fcfa4cbdd6a153392630d9f059ffb0156759278d3e049085ec62
          command:
            - "sidekiq-entrypoint.sh"
          args:
@@ -161,12 +176,12 @@ dawarich:
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
-                  name: dawarich-oidc-secret
+                  name: dawarich-oidc-authentik
                  key: client
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: dawarich-oidc-secret
+                  name: dawarich-oidc-authentik
                  key: secret
            - name: OIDC_PROVIDER_NAME
              value: Authentik
@@ -181,8 +196,23 @@ dawarich:
            - name: SECRET_KEY_BASE
              valueFrom:
                secretKeyRef:
-                  name: dawarich-key-secret
+                  name: dawarich-key
                  key: key
            - name: OTP_ENCRYPTION_PRIMARY_KEY
              valueFrom:
                secretKeyRef:
                  name: dawarich-key
                  key: otp-primary-key
            - name: OTP_ENCRYPTION_DETERMINISTIC_KEY
              valueFrom:
                secretKeyRef:
                  name: dawarich-key
                  key: otp-deterministic-key
            - name: OTP_ENCRYPTION_KEY_DERIVATION_SALT
              valueFrom:
                secretKeyRef:
                  name: dawarich-key
                  key: otp-derivation-salt
            - name: RAILS_LOG_TO_STDOUT
              value: true
            - name: SELF_HOSTED
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml
@@ -1,16 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: synology-iscsi-config-secret
+  name: synology-iscsi-config
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: synology-iscsi-config-secret
+    app.kubernetes.io/name: synology-iscsi-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: driver-config-file.yaml
      remoteRef:
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml
@@ -1,11 +1,10 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: democratic-csi-synology-iscsi
+  name: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: democratic-csi-synology-iscsi
+    app.kubernetes.io/name: {{ .Release.Namespace }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
@@ -3,7 +3,7 @@ democratic-csi:
    image:
      registry: ghcr.io/democratic-csi/democratic-csi
      tag: v1.9.5@@sha256:fc3b7d7ed3a616714139525075312758e23a5d425ffb539ad12c9bd20fb6001f
-    existingConfigSecret: synology-iscsi-config-secret
+    existingConfigSecret: synology-iscsi-config
    config:
      driver: synology-iscsi
    resources:
@@ -47,6 +47,8 @@ democratic-csi:
        fsType: ext4
  node:
    hostPID: true
    rbac:
      enabled: true
    driver:
      extraEnv:
        - name: ISCSIADM_HOST_STRATEGY
--- a/clusters/cl01tl/helm/descheduler/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/descheduler/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/directus/Chart.lock
+++ b/clusters/cl01tl/helm/directus/Chart.lock
@@ -4,9 +4,12 @@ dependencies:
  version: 4.6.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.11.2
+  version: 7.12.1
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.6.1
-digest: sha256:78f5065d1125792c88e4d24f5ac1ee3d6310b4997f552020c44d0615335ea329
+- name: rclone-bucket
-generated: "2026-04-13T20:33:13.909018545Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.3
 digest: sha256:df3b79c6b8868d749d98d232741fef4a26b73894bce3bf4588581340c15fc3da
 generated: "2026-04-26T21:06:27.85398357Z"
--- a/clusters/cl01tl/helm/directus/Chart.yaml
+++ b/clusters/cl01tl/helm/directus/Chart.yaml
@@ -5,13 +5,14 @@ description: Directus
 keywords:
  - directus
  - content-management-system
-home: https://docs.alexlebens.dev/applications/descheduler/
+home: https://docs.alexlebens.dev/applications/directus/
 sources:
  - https://github.com/directus/directus
  - https://github.com/directus/directus/pkgs/container/directus
  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
 maintainers:
  - name: alexlebens
 dependencies:
@@ -21,12 +22,16 @@ dependencies:
    version: 4.6.2
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.11.2
+    version: 7.12.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey
    version: 0.6.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: rclone-bucket
    alias: rclone-directus-assets-remote
    repository: oci://harbor.alexlebens.net/helm-charts
    version: 0.4.3
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 # renovate: datasource=github-releases depName=directus/directus
 appVersion: 11.17.3
--- a/clusters/cl01tl/helm/directus/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/directus/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/directus/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/directus/templates/external-secret.yaml
@@ -5,13 +5,20 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: key
      remoteRef:
        key: /cl01tl/directus/key
        property: key
    - secretKey: secret
      remoteRef:
        key: /cl01tl/directus/key
        property: secret
    - secretKey: admin-email
      remoteRef:
        key: /cl01tl/directus/config
@@ -20,38 +27,6 @@ spec:
      remoteRef:
        key: /cl01tl/directus/config
        property: admin-password
    - secretKey: secret
      remoteRef:
        key: /cl01tl/directus/config
        property: secret
    - secretKey: key
      remoteRef:
        key: /cl01tl/directus/config
        property: key
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: directus-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-oidc-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: OIDC_CLIENT_ID
      remoteRef:
        key: /authentik/oidc/directus
        property: client
    - secretKey: OIDC_CLIENT_SECRET
      remoteRef:
        key: /authentik/oidc/directus
        property: secret
 ---
 apiVersion: external-secrets.io/v1
@@ -61,18 +36,67 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-metric-token
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: metric-token
      remoteRef:
        key: /cl01tl/directus/metrics
        property: metric-token
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: directus-valkey-config
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-valkey-config
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: user
      remoteRef:
        key: /cl01tl/directus/valkey
        property: user
    - secretKey: password
      remoteRef:
        key: /cl01tl/directus/valkey
        property: password
    - secretKey: default
      remoteRef:
        key: /cl01tl/directus/valkey
        property: password
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: directus-oidc-authentik
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-oidc-authentik
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: OIDC_CLIENT_ID
      remoteRef:
        key: /cl01tl/authentik/oidc/directus
        property: client
    - secretKey: OIDC_CLIENT_SECRET
      remoteRef:
        key: /cl01tl/authentik/oidc/directus
        property: secret
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -81,12 +105,11 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-bucket-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
@@ -100,31 +123,3 @@ spec:
      remoteRef:
        key: /garage/home-infra/directus-assets
        property: ACCESS_REGION
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: directus-valkey-config
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-valkey-config
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: default
      remoteRef:
        key: /cl01tl/directus/valkey
        property: password
    - secretKey: user
      remoteRef:
        key: /cl01tl/directus/valkey
        property: user
    - secretKey: password
      remoteRef:
        key: /cl01tl/directus/valkey
        property: password
--- a/clusters/cl01tl/helm/directus/values.yaml
+++ b/clusters/cl01tl/helm/directus/values.yaml
@@ -113,12 +113,12 @@ directus:
            - name: AUTH_AUTHENTIK_CLIENT_ID
              valueFrom:
                secretKeyRef:
-                  name: directus-oidc-secret
+                  name: directus-oidc-authentik
                  key: OIDC_CLIENT_ID
            - name: AUTH_AUTHENTIK_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: directus-oidc-secret
+                  name: directus-oidc-authentik
                  key: OIDC_CLIENT_SECRET
            - name: AUTH_AUTHENTIK_SCOPE
              value: openid profile email
@@ -214,3 +214,24 @@ valkey:
    # https://github.com/valkey-io/valkey-helm/issues/135
    metrics:
      enabled: false
 rclone-directus-assets-remote:
  cronJob:
    suspend: false
    schedule: 0 0 * * *
  rclone:
    source:
      bucketName: directus-assets
    destination:
      bucketName: directus-assets
  secret:
    externalSecret:
      source:
        credentials:
          path: /garage/home-infra/directus-assets
        config:
          path: /garage/config
      destination:
        credentials:
          path: /garage/home-infra/directus-assets
        config:
          path: /garage/config
--- a/clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/element-web/Chart.lock
+++ b/clusters/cl01tl/helm/element-web/Chart.lock
@@ -4,6 +4,6 @@ dependencies:
  version: 1.4.34
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.5.0
+  version: 2.6.0
-digest: sha256:8640b8a250bdcd9e7561e3d28538ccf4644a7159a035ee0a5fdbcf71dc5b2bbe
+digest: sha256:e988be9f997351a8f658bf5151ec4fb04ae7d877389c9bf01b7331e1a58005ef
-generated: "2026-04-10T01:17:19.932208699Z"
+generated: "2026-04-24T21:06:15.882448748Z"
--- a/clusters/cl01tl/helm/element-web/Chart.yaml
+++ b/clusters/cl01tl/helm/element-web/Chart.yaml
@@ -19,7 +19,7 @@ dependencies:
    repository: https://ananace.gitlab.io/charts
  - name: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.5.0
+    version: 2.6.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
 # renovate: datasource=github-releases depName=element-hq/element-web
-appVersion: v1.12.15
+appVersion: v1.12.16
--- a/clusters/cl01tl/helm/element-web/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/element-web/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/element-web/values.yaml
+++ b/clusters/cl01tl/helm/element-web/values.yaml
@@ -2,7 +2,7 @@ element-web:
  replicaCount: 1
  image:
    repository: ghcr.io/element-hq/element-web
-    tag: v1.12.15@sha256:c7fa40b5ba3891f8af3ce63da0818f457c1802a9ee4d2f5e46a9df36a2388eed
+    tag: v1.12.16@sha256:8399a9e03c8891d60edc40e3e2dde1ad7a9c90010076324cbe21d2b581ddffb1
  defaultServer:
    url: https://matrix.alexlebens.dev
    name: alexlebens.dev
--- a/clusters/cl01tl/helm/eraser/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/eraser/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/excalidraw/Chart.yaml
+++ b/clusters/cl01tl/helm/excalidraw/Chart.yaml
@@ -5,7 +5,7 @@ description: Excalidraw
 keywords:
  - excalidraw
  - drawing
-home: https://docs.alexlebens.dev/applications/eraser/
+home: https://docs.alexlebens.dev/applications/excalidraw/
 sources:
  - https://github.com/excalidraw/excalidraw
  - https://hub.docker.com/r/excalidraw/excalidraw
@@ -19,4 +19,4 @@ dependencies:
    version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/excalidraw.png
 # renovate: datasource=github-releases depName=excalidraw/excalidraw
-appVersion: v0.18.0
+appVersion: v0.18.1
--- a/clusters/cl01tl/helm/excalidraw/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/excalidraw/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/excalidraw/values.yaml
+++ b/clusters/cl01tl/helm/excalidraw/values.yaml
@@ -8,7 +8,7 @@ excalidraw:
        main:
          image:
            repository: excalidraw/excalidraw
-            tag: latest@sha256:3c2513e830bb6e195147c05b34ecf8393d0ba2b1cc86e93b407a5777d6135c6c
+            tag: latest@sha256:20ffa04668e19616bb0c1b3632849e5cd96e0bc7a1336b73d9d072667f2c2854
          env:
            - name: NODE_ENV
              value: production
--- a/clusters/cl01tl/helm/external-dns/Chart.yaml
+++ b/clusters/cl01tl/helm/external-dns/Chart.yaml
@@ -5,7 +5,7 @@ description: External DNS
 keywords:
  - external-dns
  - dns
-home: https://docs.alexlebens.dev/applications/eraser/
+home: https://docs.alexlebens.dev/applications/external-dns/
 sources:
  - https://github.com/kubernetes-sigs/external-dns
  - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fexternal-dns%2Fexternal-dns
--- a/clusters/cl01tl/helm/external-dns/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/external-dns/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/external-dns/templates/dns-endpoint.yaml
+++ b/clusters/cl01tl/helm/external-dns/templates/dns-endpoint.yaml
@@ -5,8 +5,7 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: external-device-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  endpoints:
    # Unifi UDM
@@ -48,8 +47,7 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: iot-device-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  endpoints:
    # Airgradient
@@ -82,6 +80,18 @@ spec:
      recordType: A
      targets:
        - 10.230.0.100
    # HD Homerun
    - dnsName: dv01hr.alexlebens.net
      recordTTL: 180
      recordType: A
      targets:
        - 10.232.1.72
    # Pi KVM
    - dnsName: dv02kv.alexlebens.net
      recordTTL: 180
      recordType: A
      targets:
        - 10.232.1.71
 ---
 apiVersion: externaldns.k8s.io/v1alpha1
@@ -91,8 +101,7 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: server-host-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  endpoints:
    # Unifi Gateway
@@ -125,6 +134,18 @@ spec:
      recordType: A
      targets:
        - 10.232.1.52
    # Desktop
    - dnsName: pd05wd.alexlebens.net
      recordTTL: 180
      recordType: A
      targets:
        - 10.230.0.115
    # Laptop
    - dnsName: pl02mc.alexlebens.net
      recordTTL: 180
      recordType: A
      targets:
        - 10.230.0.105
 ---
 apiVersion: externaldns.k8s.io/v1alpha1
@@ -134,8 +155,7 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: cluster-service-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  endpoints:
    # Treafik Proxy
--- a/clusters/cl01tl/helm/external-dns/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/external-dns/templates/external-secret.yaml
@@ -5,14 +5,13 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: external-dns-unifi-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: api-key
      remoteRef:
-        key: /unifi/auth/cl01tl
+        key: /unifi/users/cl01tl
        property: api-key
--- a/clusters/cl01tl/helm/external-secrets/Chart.lock
+++ b/clusters/cl01tl/helm/external-secrets/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: external-secrets
  repository: https://charts.external-secrets.io
-  version: 2.3.0
+  version: 2.4.0
-digest: sha256:fedb79c937be24d4bb72f665122b468b445de95f3f02de419903e3136186e42f
+digest: sha256:a31b4ba5b5ec296036576c8d7d26f8b42061eec7142817f9ca0c256a457a2ea1
-generated: "2026-04-10T15:10:52.488487421Z"
+generated: "2026-04-24T19:03:31.856576444Z"
--- a/clusters/cl01tl/helm/external-secrets/Chart.yaml
+++ b/clusters/cl01tl/helm/external-secrets/Chart.yaml
@@ -14,8 +14,8 @@ sources:
 dependencies:
  - name: external-secrets
    alias: external-secrets
-    version: 2.3.0
+    version: 2.4.0
    repository: https://charts.external-secrets.io
 icon: https://raw.githubusercontent.com/external-secrets/external-secrets/refs/heads/main/assets/eso-logo-large.png
 # renovate: datasource=github-releases depName=external-secrets/external-secrets
-appVersion: v2.3.0
+appVersion: v2.4.0
--- a/clusters/cl01tl/helm/external-secrets/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/external-secrets/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml
+++ b/clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml
@@ -5,13 +5,12 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
 subjects:
  - kind: ServiceAccount
-    name: external-secrets
+    name: {{ .Release.Name }}
    namespace: {{ .Release.Namespace }}
--- a/clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml
+++ b/clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml
@@ -1,33 +1,11 @@
 apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
  name: vault
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  provider:
    vault:
      server: http://vault-internal.vault:8200
      path: secret
      auth:
        tokenSecretRef:
          namespace: vault
          name: vault-token
          key: token
 ---
 apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
  name: openbao
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: openbao
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  provider:
    vault:
@@ -39,7 +17,7 @@ spec:
          mountPath: kubernetes
          role: external-secrets
          serviceAccountRef:
-            name: external-secrets
+            name: {{ .Release.Name }}
-            namespace: {{ .Release.Name }}
+            namespace: {{ .Release.Namespace }}
            audiences:
              - openbao
--- a/clusters/cl01tl/helm/external-secrets/values.yaml
+++ b/clusters/cl01tl/helm/external-secrets/values.yaml
@@ -2,7 +2,7 @@ external-secrets:
  replicaCount: 3
  image:
    repository: ghcr.io/external-secrets/external-secrets
-    tag: v2.3.0@sha256:c425f51f422506c380550ad32fbf155412c7be84dd1c4b196130dcf04497be80
+    tag: v2.4.0@sha256:d2b74514f63f5b55360d08351f1fe5af3b1db794a81fa10389abe2ff2999c566
  installCRDs: true
  crds:
    createClusterExternalSecret: true
@@ -29,7 +29,7 @@ external-secrets:
  webhook:
    image:
      repository: ghcr.io/external-secrets/external-secrets
-      tag: v2.3.0@sha256:c425f51f422506c380550ad32fbf155412c7be84dd1c4b196130dcf04497be80
+      tag: v2.4.0@sha256:d2b74514f63f5b55360d08351f1fe5af3b1db794a81fa10389abe2ff2999c566
    resources:
      requests:
        cpu: 1m
@@ -37,7 +37,7 @@ external-secrets:
  certController:
    image:
      repository: ghcr.io/external-secrets/external-secrets
-      tag: v2.3.0@sha256:c425f51f422506c380550ad32fbf155412c7be84dd1c4b196130dcf04497be80
+      tag: v2.4.0@sha256:d2b74514f63f5b55360d08351f1fe5af3b1db794a81fa10389abe2ff2999c566
    resources:
      requests:
        cpu: 1m
--- a/clusters/cl01tl/helm/foldergram/Chart.lock
+++ b/clusters/cl01tl/helm/foldergram/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
  version: 4.6.2
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.5.0
+  version: 2.6.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
+  version: 1.0.0
-digest: sha256:06e321d19ffe0df94b3cd6bcc306804729710f74ca2f9962652628377836c33e
+digest: sha256:c42d896ab065b1278e0ae9f297e15ba2165fec99148003bf67f56aa641cf406a
-generated: "2026-04-11T15:26:16.743784-05:00"
+generated: "2026-04-24T22:50:55.336683873Z"
--- a/clusters/cl01tl/helm/foldergram/Chart.yaml
+++ b/clusters/cl01tl/helm/foldergram/Chart.yaml
@@ -21,10 +21,10 @@ dependencies:
    version: 4.6.2
  - name: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.5.0
+    version: 2.6.0
  - name: volsync-target
    alias: volsync-target-db
-    version: 0.8.0
+    version: 1.0.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://raw.githubusercontent.com/foldergram/foldergram/refs/heads/main/client/public/icon-512.png
 # renovate: datasource=github-releases depName=foldergram/foldergram
--- a/clusters/cl01tl/helm/foldergram/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/foldergram/templates/_helpers.tpl
@@ -0,0 +1,21 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "custom.storageMiaNfsName" -}}
 foldergram-pictures-collection-mia-nfs-storage
 {{- end -}}
--- a/clusters/cl01tl/helm/foldergram/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/foldergram/templates/persistent-volume-claim.yaml
@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: foldergram-pictures-collections-nfs-storage
+  name: {{ include "custom.storageMiaNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: foldergram-pictures-collections-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageMiaNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: foldergram-pictures-collections-nfs-storage
+  volumeName: {{ include "custom.storageMiaNfsName" . }}
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/foldergram/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/foldergram/templates/persistent-volume.yaml
@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: foldergram-pictures-collections-nfs-storage
+  name: {{ include "custom.storageMiaNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: foldergram-pictures-collections-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageMiaNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -15,7 +14,7 @@ spec:
  accessModes:
    - ReadWriteMany
  nfs:
-    path: /volume2/Storage/Pictures/Collections
+    path: '/volume2/Storage/Pictures/Collections/Minneapolis Institute of Art'
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
--- a/clusters/cl01tl/helm/foldergram/values.yaml
+++ b/clusters/cl01tl/helm/foldergram/values.yaml
@@ -17,7 +17,7 @@ foldergram:
            - name: IMAGE_DETAIL_SOURCE
              value: original
            - name: DERIVATIVE_MODE
-              value: eager
+              value: lazy
            - name: DATA_ROOT
              value: ./data
            - name: GALLERY_ROOT
@@ -70,18 +70,18 @@ foldergram:
      forceRename: foldergram-data
      storageClass: synology-iscsi-delete
      accessMode: ReadWriteOnce
-      size: 250Gi
+      size: 500Gi
      advancedMounts:
        main:
          main:
            - path: /app/data
              readOnly: false
-    pictures:
+    pictures-mia:
-      existingClaim: foldergram-pictures-collections-nfs-storage
+      existingClaim: foldergram-pictures-collection-mia-nfs-storage
      advancedMounts:
        main:
          main:
-            - path: /gallery
+            - path: '/gallery/Minneapolis Institute of Art'
              readOnly: true
 volsync-target-db:
  pvcTarget: foldergram-db
--- a/clusters/cl01tl/helm/freshrss/Chart.lock
+++ b/clusters/cl01tl/helm/freshrss/Chart.lock
@@ -4,12 +4,12 @@ dependencies:
  version: 4.6.2
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.5.0
+  version: 2.6.0
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.11.2
+  version: 7.12.1
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
+  version: 1.0.0
-digest: sha256:2a13aac2d207555bf33ee01db493d210e860e660433cd6f5b9b67fadf91f8f74
+digest: sha256:ad75160abdeec46eb8cbcfa25ce69cc99c0ec5e73142560df3ef5b1490a2a3f3
-generated: "2026-04-10T01:17:32.585138713Z"
+generated: "2026-04-24T22:51:06.194383563Z"
--- a/clusters/cl01tl/helm/freshrss/Chart.yaml
+++ b/clusters/cl01tl/helm/freshrss/Chart.yaml
@@ -22,14 +22,14 @@ dependencies:
    version: 4.6.2
  - name: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.5.0
+    version: 2.6.0
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.11.2
+    version: 7.12.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-data
-    version: 0.8.0
+    version: 1.0.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/freshrss.png
 # renovate: datasource=github-releases depName=FreshRSS/FreshRSS
--- a/clusters/cl01tl/helm/freshrss/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/freshrss/templates/_helpers.tpl
@@ -0,0 +1,14 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/freshrss/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/freshrss/templates/external-secret.yaml
@@ -1,54 +1,52 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: freshrss-install-secret
+  name: freshrss-install-config
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: freshrss-install-secret
+    app.kubernetes.io/name: freshrss-install-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: ADMIN_EMAIL
      remoteRef:
        key: /cl01tl/freshrss/config
-        property: ADMIN_EMAIL
+        property: admin-email
    - secretKey: ADMIN_PASSWORD
      remoteRef:
        key: /cl01tl/freshrss/config
-        property: ADMIN_PASSWORD
+        property: admin-password
    - secretKey: ADMIN_API_PASSWORD
      remoteRef:
        key: /cl01tl/freshrss/config
-        property: ADMIN_API_PASSWORD
+        property: admin-api-password
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: freshrss-oidc-secret
+  name: freshrss-oidc-authentik
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: freshrss-oidc-secret
+    app.kubernetes.io/name: freshrss-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: OIDC_CLIENT_ID
      remoteRef:
-        key: /authentik/oidc/freshrss
+        key: /cl01tl/authentik/oidc/freshrss
        property: client
    - secretKey: OIDC_CLIENT_SECRET
      remoteRef:
-        key: /authentik/oidc/freshrss
+        key: /cl01tl/authentik/oidc/freshrss
        property: secret
    - secretKey: OIDC_CLIENT_CRYPTO_KEY
      remoteRef:
-        key: /authentik/oidc/freshrss
+        key: /cl01tl/freshrss/key
-        property: crypto-key
+        property: oidc-client-crypto-key
--- a/clusters/cl01tl/helm/freshrss/values.yaml
+++ b/clusters/cl01tl/helm/freshrss/values.yaml
@@ -73,9 +73,9 @@ freshrss:
              value: preferred_username
          envFrom:
            - secretRef:
-                name: freshrss-oidc-secret
+                name: freshrss-oidc-authentik
            - secretRef:
-                name: freshrss-install-secret
+                name: freshrss-install-config
          resources:
            requests:
              cpu: 1m
--- a/Show More
+++ b/Show More