Update php Docker tag to v8.5.0

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| ghcr.io/booklore-app/booklore | minor | `v1.11.0` -> `v1.12.0` |

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi41LjAiLCJ1cGRhdGVkSW5WZXIiOiI0Mi41LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImltYWdlIl19-->

Reviewed-on: #2140
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

.gitea/workflows/render-manifests.yaml

@@ -0,0 +1,176 @@
+name: render-manifests
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "clusters/**"
+      - ! "clusters/*/archive"
+
+  workflow_dispatch:
+
+env:
+  CLUSTERS: cl01tl
+  BASE_BRANCH: manifests
+
+jobs:
+  render-manifests-helm:
+    runs-on: ubuntu-js
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
+
+      - name: Render Helm Manifests
+        run: |
+          for cluster in ${CLUSTERS}; do
+            mkdir -p ${{ gitea.workspace }}/clusters/$cluster/manifests
+
+            for chart_path in ${{ gitea.workspace }}/clusters/$cluster/helm/*; do
+              chart_name=$(basename "$chart_path")
+
+              echo ">> Rendering chart: $chart_name"
+
+              if [ -f "$chart_path/Chart.yaml" ]; then
+                  mkdir -p ${{ gitea.workspace }}/clusters/$cluster/manifests/$chart_name
+                  OUTPUT_FILE="${{ gitea.workspace }}/clusters/$cluster/manifests/$chart_name/$chart_name.yaml"
+
+                  cd $chart_path
+
+                  echo ""
+                  echo ">> Building helm dependency ..."
+                  helm dependency build
+
+                  echo ""
+                  echo ">> Linting helm ..."
+                  helm lint --namespace "$chart_name" --with-subcharts
+
+                  echo ""
+                  echo ">> Rendering templates ..."
+                  helm template "$chart_name" ./ --namespace "$chart_name" --include-crds > "$OUTPUT_FILE"
+
+                  echo ""
+                  echo ">> Manifests for $chart_name rendered to $OUTPUT_FILE"
+                  echo ""
+              else
+                  echo ""
+                  echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
+                  echo ""
+              fi
+            done
+          done
+
+      # - name: Create Pull Request
+      #   id: pull-request
+      #   uses: peter-evans/create-pull-request@v7
+      #   with:
+      #     token: ${{ secrets.BOT_TOKEN }}
+      #     add-paths: |
+      #       clusters/cl01tl/manifests/*
+      #     commit-message: "chore: Update manifests after chart change"
+      #     committer: gitea-bot <gitea-bot@alexlebens.net>
+      #     author: gitea-bot <gitea-bot@alexlebens.net>
+      #     branch: auto/update-manifests
+      #     branch-suffix: timestamp
+      #     base: manifests
+      #     title: "Manifest Update"
+      #     body: |
+      #       This PR contains the newly rendered Kubernetes manifests.
+
+      #       * Triggered by workflow run ${{ github.run_id }}
+      #       * Review the `files changed` tab for the full YAML diff.
+      #     labels: |
+      #       manifests
+      #       automated
+
+      - name: Check for Changes
+        id: check-changes
+        run: |
+          if git status --porcelain | grep -q .; then
+            echo ">> Changes detected"
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+          else
+            echo ">> No changes detected, skipping PR creation"
+            exit 0
+          fi
+
+      - name: Commit and Push Changes
+        id: commit-push
+        if: steps.check-changes.outputs.changes-detected == 'true'
+        run: |
+          BRANCH_NAME="auto/update-manifests-$(date +%s)"
+
+          # Configure Git
+          git config user.name "gitea-bot"
+          git config user.email "gitea-bot@alexlebens.net"
+
+          # Create a new branch and stage all changes
+          git checkout -b $BRANCH_NAME
+          git add .
+          git commit -m "chore: Update manifests after change"
+
+          # Push the new branch to the remote repository
+          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
+          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" $BRANCH_NAME
+
+          echo "HEAD_BRANCH=$BRANCH_NAME" >> $GITEA_OUTPUT
+          echo "push=true" >> $GITEA_OUTPUT
+
+      - name: Create Pull Request
+        id: create-pull-request
+        if: steps.commit-push.outputs.push == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          OWNER: ${{ gitea.repository_owner }}
+          REPO: ${{ gitea.repository_name }}
+          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
+        run: |
+          echo ">> Creating PR from branch: ${HEAD_BRANCH} into ${BASE_BRANCH}"
+
+          apt update && apt install tea
+
+          tea pulls create \
+            --repo "${OWNER}/${REPO}" \
+            --head "${HEAD_BRANCH}" \
+            --base "${BASE_BRANCH}" \
+            --title "Automated Manifest Update: $(date +%F)" \
+            --body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow."
+
+          echo "pull-request-operation=created" >> $GITEA_OUTPUT
+
+      # - name: ntfy Created
+      #   uses: niniyas/ntfy-action@master
+      #   if: steps.create-pull-request.outputs.pull-request-operation == 'created'
+      #   with:
+      #     url: "${{ secrets.NTFY_URL }}"
+      #     topic: "${{ secrets.NTFY_TOPIC }}"
+      #     title: "Manifest Render PR Created - Infrastructure"
+      #     priority: 3
+      #     headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+      #     tags: action,successfully,completed
+      #     details: "Manifest rendering for Infrastructure has created PR ${{ steps.pull-request.outputs.pull-request-number }}!"
+      #     icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+
+      # - name: ntfy Failed
+      #   uses: niniyas/ntfy-action@master
+      #   if: failure()
+      #   with:
+      #     url: "${{ secrets.NTFY_URL }}"
+      #     topic: "${{ secrets.NTFY_TOPIC }}"
+      #     title: "Manifest Render Failure - Infrastructure"
+      #     priority: 4
+      #     headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+      #     tags: action,failed
+      #     details: "Manifest rendering for Infrastructure has failed!"
+      #     icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+      #     actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
+      #     image: true

clusters/cl01tl/applications/audiobookshelf/values.yaml

@@ -21,11 +21,15 @@ audiobookshelf:
         apprise-api:
           image:
             repository: caronc/apprise
-            tag: 1.2.2
+            tag: 1.2.6
             pullPolicy: IfNotPresent
           env:
             - name: TZ
               value: US/Central
+            - name: PGID
+              value: "1000"
+            - name: PUID
+              value: "1000"
             - name: APPRISE_STORAGE_MODE
               value: memory
             - name: APPRISE_STATEFUL_MODE

clusters/cl01tl/applications/bazarr/values.yaml

@@ -15,7 +15,7 @@ bazarr:
         main:
           image:
             repository: ghcr.io/linuxserver/bazarr
-            tag: 1.5.3@sha256:a42fef2a5ffa1dca8714e12892ba0b8de5c6c513f1bcdb1ffe4143e715cffb45
+            tag: 1.5.3@sha256:2be164c02c0bb311b6c32e57d3d0ddc2813d524e89ab51a3408c1bf6fafecda5
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/applications/booklore/templates/persistent-volume-claim.yaml

@@ -15,3 +15,22 @@ spec:
   resources:
     requests:
       storage: 1Gi
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: booklore-books-import-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-books-import-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: booklore-books-import-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/applications/booklore/templates/persistent-volume.yaml

@@ -21,3 +21,28 @@ spec:
     - vers=4
     - minorversion=1
     - noac
+
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: booklore-books-import-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-books-import-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage/Books Import
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/applications/booklore/templates/replication-source.yaml

@@ -13,7 +13,7 @@ spec:
     schedule: "0 0 * * *"
   rsyncTLS:
     keySecret: booklore-data-replication-secret
-    address: 10.97.132.22
+    address: volsync-rsync-tls-dst-booklore-data-replication-destination
     copyMethod: Snapshot
 
 ---

clusters/cl01tl/applications/booklore/values.yaml

@@ -9,7 +9,7 @@ booklore:
         main:
           image:
             repository: ghcr.io/booklore-app/booklore
-            tag: v1.10.0
+            tag: v1.12.0
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -67,6 +67,13 @@ booklore:
           main:
             - path: /bookdrop
               readOnly: false
+    ingest:
+      existingClaim: booklore-books-import-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /bookdrop/ingest
+              readOnly: false
 mariadb-cluster:
   mariadb:
     rootPasswordSecretKeyRef:

clusters/cl01tl/applications/calibre-web-automated/Chart.yaml

@@ -1,21 +0,0 @@
-apiVersion: v2
-name: calibre-web-automated
-version: 1.0.0
-description: Calibre Web Automated
-keywords:
-  - calibre-web-automated
-  - books
-home: https://wiki.alexlebens.dev/s/fdcfdb7e-8f73-438e-b59c-3c2de2081885
-sources:
-  - https://github.com/crocodilestick/Calibre-Web-Automator
-  - https://hub.docker.com/r/crocodilestick/calibre-web-automated
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: calibre-web-automated
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/calibre-web.png
-appVersion: V3.0.4

clusters/cl01tl/applications/calibre-web-automated/values.yaml

@@ -1,119 +0,0 @@
-calibre-web-automated:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: crocodilestick/calibre-web-automated
-            tag: V3.0.4
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: US/Central
-            - name: PUID
-              value: 1000
-            - name: PGID
-              value: 100
-          resources:
-            requests:
-              cpu: 10m
-              memory: 256Mi
-    downloader:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: ghcr.io/calibrain/calibre-web-automated-book-downloader
-            tag: latest@sha256:b1296c5edc89eee8742d86392ce40707233671044a454e002821e5c76cd58deb
-            pullPolicy: IfNotPresent
-          env:
-            - name: FLASK_PORT
-              value: 8084
-            - name: UID
-              value: 1000
-            - name: GID
-              value: 100
-            - name: USE_CF_BYPASS
-              value: false
-            - name: CLOUDFLARE_PROXY_URL
-              value: http://localhost:8000
-            - name: INGEST_DIR
-              value: /cwa-book-ingest
-            - name: BOOK_LANGUAGE
-              value: end
-          resources:
-            requests:
-              cpu: 10m
-              memory: 256Mi
-        bypass:
-          image:
-            repository: ghcr.io/sarperavci/cloudflarebypassforscraping
-            tag: latest@sha256:53b50a04bc9bc70cac350040a13bb23e9f31de59ca94d50d0bf8e4c50a73c656
-            pullPolicy: IfNotPresent
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 8083
-          targetPort: 8083
-          protocol: HTTP
-    downloader:
-      controller: downloader
-      ports:
-        http:
-          port: 8084
-          targetPort: 8084
-          protocol: HTTP
-  persistence:
-    config:
-      forceRename: calibre-web-automated-config
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 5Gi
-      retain: true
-      advancedMounts:
-        main:
-          main:
-            - path: /config
-              readOnly: false
-    gmail:
-      enabled: true
-      type: secret
-      name: calibre-web-automated-gmail-config
-      advancedMounts:
-        main:
-          main:
-            - path: /app/calibre-web/gmail.json
-              readOnly: true
-              mountPropagation: None
-              subPath: gmail.json
-    books:
-      existingClaim: calibre-web-automated-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /calibre-library
-              readOnly: false
-    ingest:
-      existingClaim: calibre-web-automated-ingest-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /cwa-book-ingest
-              readOnly: false
-        downloader:
-          main:
-            - path: /cwa-book-ingest
-              readOnly: false

clusters/cl01tl/applications/code-server/Chart.yaml

@@ -23,6 +23,6 @@ dependencies:
   - name: cloudflared
     alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.22.2
+    version: 1.23.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
 appVersion: 4.100.2

clusters/cl01tl/applications/code-server/values.yaml

@@ -9,7 +9,7 @@ code-server:
         main:
           image:
             repository: ghcr.io/linuxserver/code-server
-            tag: 4.105.1@sha256:f01693e529a6c4db98deb4bb28bf2655a403489831e962e6cc0b2c5f89f220f6
+            tag: 4.106.2@sha256:a98afdbcb59559f11e5e8df284062e55da1076b2e470e13db4aae133ea82bad0
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/applications/directus/Chart.yaml

@@ -24,10 +24,10 @@ dependencies:
   - name: cloudflared
     alias: cloudflared-directus
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.22.2
+    version: 1.23.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 appVersion: 11.7.2

clusters/cl01tl/applications/directus/values.yaml

@@ -9,7 +9,7 @@ directus:
         main:
           image:
             repository: directus/directus
-            tag: 11.13.3
+            tag: 11.13.4
             pullPolicy: IfNotPresent
           env:
             - name: PUBLIC_URL

clusters/cl01tl/applications/element-web/Chart.yaml

@@ -22,6 +22,6 @@ dependencies:
   - name: cloudflared
     alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.22.2
+    version: 1.23.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
 appVersion: v1.11.100

clusters/cl01tl/applications/ephemera/templates/persistent-volume-claim.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ephemera-import-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ephemera-import-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: ephemera-import-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/applications/ephemera/templates/persistent-volume.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: ephemera-import-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ephemera-import-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage/Books Import
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/applications/ephemera/values.yaml

@@ -14,11 +14,11 @@ ephemera:
           env:
             - name: AA_BASE_URL
               value: https://annas-archive.org
-            - name: AA_API_KEY
+            # - name: AA_API_KEY
-              valueFrom:
+            #   valueFrom:
-                secretKeyRef:
+            #     secretKeyRef:
-                  name: ephemera-key-secret
+            #       name: ephemera-key-secret
-                  key: key
+            #       key: key
             - name: FLARESOLVERR_URL
               value: http://127.0.0.1:8191
             - name: LG_BASE_URL
@@ -52,7 +52,7 @@ ephemera:
         apprise-api:
           image:
             repository: caronc/apprise
-            tag: 1.2.2
+            tag: 1.2.6
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -98,3 +98,10 @@ ephemera:
           main:
             - path: /app/downloads
               readOnly: false
+    ingest:
+      existingClaim: ephemera-import-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /app/ingest
+              readOnly: false

clusters/cl01tl/applications/freshrss/Chart.yaml

@@ -24,10 +24,10 @@ dependencies:
   - name: cloudflared
     alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.22.2
+    version: 1.23.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/freshrss.png
 appVersion: 1.26.2

clusters/cl01tl/applications/home-assistant/values.yaml

@@ -9,7 +9,7 @@ home-assistant:
         main:
           image:
             repository: ghcr.io/home-assistant/home-assistant
-            tag: 2025.11.1
+            tag: 2025.11.3
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -21,7 +21,7 @@ home-assistant:
         code-server:
           image:
             repository: ghcr.io/linuxserver/code-server
-            tag: 4.105.1@sha256:f01693e529a6c4db98deb4bb28bf2655a403489831e962e6cc0b2c5f89f220f6
+            tag: 4.106.2@sha256:a98afdbcb59559f11e5e8df284062e55da1076b2e470e13db4aae133ea82bad0
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/applications/homepage-dev/Chart.yaml

@@ -22,6 +22,6 @@ dependencies:
   - name: cloudflared
     alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.22.2
+    version: 1.23.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/homepage.png
 appVersion: v1.2.0

clusters/cl01tl/applications/homepage-dev/values.yaml

@@ -11,7 +11,7 @@ homepage:
         main:
           image:
             repository: ghcr.io/gethomepage/homepage
-            tag: v1.6.1
+            tag: v1.7.0
             pullPolicy: IfNotPresent
           env:
             - name: HOMEPAGE_ALLOWED_HOSTS

clusters/cl01tl/applications/homepage/values.yaml

@@ -15,7 +15,7 @@ homepage:
         main:
           image:
             repository: ghcr.io/gethomepage/homepage
-            tag: v1.6.1
+            tag: v1.7.0
             pullPolicy: IfNotPresent
           env:
             - name: HOMEPAGE_ALLOWED_HOSTS
@@ -76,20 +76,20 @@ homepage:
             - Storage:
                 tab: Services
                 icon: mdi-database-#ffffff
-            - Servarr:
+            - Content:
                 tab: Services
                 icon: mdi-multimedia-#ffffff
             - TV Shows:
-                tab: Servarr
+                tab: Content
                 icon: mdi-television-#ffffff
             - Movies:
-                tab: Servarr
+                tab: Content
                 icon: mdi-filmstrip-#ffffff
             - Music:
-                tab: Servarr
+                tab: Content
                 icon: mdi-music-box-multiple-#ffffff
             - Books:
-                tab: Servarr
+                tab: Content
                 icon: mdi-book-open-variant-#ffffff
             - External Services:
                 tab: Bookmarks
@@ -178,12 +178,6 @@ homepage:
                   siteMonitor: http://audiobookshelf.audiobookshelf:80
                   statusStyle: dot
               - Books:
-                  icon: sh-calibre-web.webp
-                  description: Calibre Web Automated
-                  href: https://calibre.alexlebens.net
-                  siteMonitor: http://calibre-web-automated-main.calibre-web-automated:8083
-                  statusStyle: dot
-              - Books (Booklore):
                   icon: sh-booklore.webp
                   description: Booklore
                   href: https://booklore.alexlebens.net
@@ -537,7 +531,7 @@ homepage:
                   href: https://backrest.alexlebens.net
                   siteMonitor: http://backrest.backrest:80
                   statusStyle: dot
-          - Servarr:
+          - Content:
               - qUI:
                   icon: https://raw.githubusercontent.com/autobrr/qui/8487c818886df9abb2b1456f43b54e0ba180a2bd/web/public/icons.svg
                   description: qbitorrent
@@ -692,12 +686,6 @@ homepage:
                   href: https://ephemera.alexlebens.net
                   siteMonitor: http://ephemera.ephemera:80
                   statusStyle: dot
-              - CWA Downloader:
-                  icon: sh-cwa-book-downloader.webp
-                  description: Books
-                  href: https://calibre-downloader.alexlebens.net
-                  siteMonitor: http://calibre-web-automated-downloader.calibre-web-automated:8084
-                  statusStyle: dot
               - Listenarr:
                   icon: sh-audiobookrequest.webp
                   description: Audiobooks

clusters/cl01tl/applications/immich/Chart.yaml

@@ -20,7 +20,7 @@ dependencies:
     version: 4.4.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/immich.png
 appVersion: v2.0.1

clusters/cl01tl/applications/immich/values.yaml

@@ -9,7 +9,7 @@ immich:
         main:
           image:
             repository: ghcr.io/immich-app/immich-server
-            tag: v2.2.3
+            tag: v2.3.1
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -99,7 +99,7 @@ immich:
         main:
           image:
             repository: ghcr.io/immich-app/immich-machine-learning
-            tag: v2.2.3
+            tag: v2.3.1
             pullPolicy: IfNotPresent
           env:
             - name: TRANSFORMERS_CACHE

clusters/cl01tl/applications/jellyfin/values.yaml

@@ -9,7 +9,7 @@ jellyfin:
         main:
           image:
             repository: ghcr.io/jellyfin/jellyfin
-            tag: 10.11.2
+            tag: 10.11.3
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/applications/jellystat/Chart.yaml

@@ -21,7 +21,7 @@ dependencies:
     version: 4.4.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/jellystat.png
 appVersion: 1.1.6

clusters/cl01tl/applications/karakeep/Chart.yaml

@@ -27,6 +27,6 @@ dependencies:
   - name: cloudflared
     alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.22.2
+    version: 1.23.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/webp/karakeep.webp
 appVersion: 0.26.0

clusters/cl01tl/applications/libation/values.yaml

@@ -16,7 +16,7 @@ libation:
         main:
           image:
             repository: rmcrackan/libation
-            tag: 12.7.1
+            tag: 12.7.4
             pullPolicy: IfNotPresent
           env:
             - name: SLEEP_TIME

clusters/cl01tl/applications/lidarr/Chart.yaml

@@ -24,7 +24,7 @@ dependencies:
     version: 4.4.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/lidarr.png
 appVersion: 2.13.3

clusters/cl01tl/applications/outline/Chart.yaml

@@ -25,10 +25,10 @@ dependencies:
   - name: cloudflared
     alias: cloudflared-outline
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.22.2
+    version: 1.23.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/outline.png
 appVersion: 0.84.0

clusters/cl01tl/applications/photoview/Chart.yaml

@@ -20,7 +20,7 @@ dependencies:
     version: 4.4.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/photoview.png
 appVersion: 2.4.0

clusters/cl01tl/applications/plex/values.yaml

@@ -9,7 +9,7 @@ plex:
         main:
           image:
             repository: ghcr.io/linuxserver/plex
-            tag: 1.42.2@sha256:a4749f3b84dc3f923a7bd4d2bc4ddc1e871b5a656b62022d3827d3d98afd5efd
+            tag: 1.42.2@sha256:ab81c7313fb5dc4d1f9562e5bbd5e5877a8a3c5ca6b9f9fff3437b5096a2b123
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/applications/postiz/Chart.yaml

@@ -23,10 +23,10 @@ dependencies:
     version: 4.4.0
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.22.2
+    version: 1.23.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/postiz.png
 appVersion: v1.43.3

clusters/cl01tl/applications/postiz/values.yaml

@@ -9,7 +9,7 @@ postiz:
         main:
           image:
             repository: ghcr.io/gitroomhq/postiz-app
-            tag: v2.7.0
+            tag: v2.8.3
             pullPolicy: IfNotPresent
           env:
             - name: MAIN_URL

clusters/cl01tl/applications/prowlarr/values.yaml

@@ -20,7 +20,7 @@ prowlarr:
         main:
           image:
             repository: ghcr.io/linuxserver/prowlarr
-            tag: 2.1.5@sha256:643220338204525524db787ff38a607261597f49d1f550694acdb3e908e2b43e
+            tag: 2.3.0@sha256:475853535de3de8441b87c1457c30f2e695f4831228b12b6b7274e9da409d874
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/applications/radarr-4k/Chart.yaml

@@ -27,7 +27,7 @@ dependencies:
     version: 4.4.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr-4k.png
 appVersion: 5.22.4

clusters/cl01tl/applications/radarr-4k/values.yaml

@@ -15,7 +15,7 @@ radarr-4k:
         main:
           image:
             repository: ghcr.io/linuxserver/radarr
-            tag: 5.28.0@sha256:c984533510abe0219a70e80d15bd0d212b7df21baa0913759c4ce6cc9092240b
+            tag: 6.0.4@sha256:06ac318ecb95a34c7b229568dcb4271f02cb5007bb189a0dd67a2032864187ca
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/applications/radarr-anime/Chart.yaml

@@ -27,7 +27,7 @@ dependencies:
     version: 4.4.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr-anime.png
 appVersion: 5.22.4

clusters/cl01tl/applications/radarr-anime/values.yaml

@@ -13,7 +13,7 @@ radarr-anime:
         main:
           image:
             repository: ghcr.io/linuxserver/radarr
-            tag: 5.28.0@sha256:c984533510abe0219a70e80d15bd0d212b7df21baa0913759c4ce6cc9092240b
+            tag: 6.0.4@sha256:06ac318ecb95a34c7b229568dcb4271f02cb5007bb189a0dd67a2032864187ca
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/applications/radarr-standup/Chart.yaml

@@ -26,7 +26,7 @@ dependencies:
     version: 4.4.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr.png
 appVersion: 5.22.4

clusters/cl01tl/applications/radarr-standup/values.yaml

@@ -13,7 +13,7 @@ radarr-standup:
         main:
           image:
             repository: ghcr.io/linuxserver/radarr
-            tag: 5.28.0@sha256:c984533510abe0219a70e80d15bd0d212b7df21baa0913759c4ce6cc9092240b
+            tag: 6.0.4@sha256:06ac318ecb95a34c7b229568dcb4271f02cb5007bb189a0dd67a2032864187ca
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/applications/radarr/Chart.yaml

@@ -26,7 +26,7 @@ dependencies:
     version: 4.4.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr.png
 appVersion: 5.22.4

clusters/cl01tl/applications/radarr/values.yaml

@@ -15,7 +15,7 @@ radarr:
         main:
           image:
             repository: ghcr.io/linuxserver/radarr
-            tag: 5.28.0@sha256:c984533510abe0219a70e80d15bd0d212b7df21baa0913759c4ce6cc9092240b
+            tag: 6.0.4@sha256:06ac318ecb95a34c7b229568dcb4271f02cb5007bb189a0dd67a2032864187ca
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/applications/roundcube/Chart.yaml

@@ -21,7 +21,7 @@ dependencies:
     version: 4.4.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/roundcube.png
 appVersion: 1.6.10

clusters/cl01tl/applications/searxng/values.yaml

@@ -9,7 +9,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:7914267d4a3b91132aa888b889dbe0657bdb9e1af5a13eb6fbab99a94990c235
+            tag: latest@sha256:0124d32d77e0c7360d0b85f5d91882d1837e6ceb243c82e190f5d7e9f1401334
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL
@@ -43,7 +43,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:7914267d4a3b91132aa888b889dbe0657bdb9e1af5a13eb6fbab99a94990c235
+            tag: latest@sha256:0124d32d77e0c7360d0b85f5d91882d1837e6ceb243c82e190f5d7e9f1401334
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL

clusters/cl01tl/applications/site-documentation/Chart.yaml

@@ -23,6 +23,6 @@ dependencies:
   - name: cloudflared
     alias: cloudflared-site
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.22.2
+    version: 1.23.0
 icon: https://d21zlbwtcn424f.cloudfront.net/logo-new-round.png
 appVersion: 0.8.1

clusters/cl01tl/applications/site-documentation/values.yaml

@@ -11,7 +11,7 @@ site-documentation:
         main:
           image:
             repository: harbor.alexlebens.net/images/site-documentation
-            tag: 0.0.2
+            tag: 0.0.3
             pullPolicy: IfNotPresent
           resources:
             requests:

clusters/cl01tl/applications/site-profile/Chart.yaml

@@ -23,6 +23,6 @@ dependencies:
   - name: cloudflared
     alias: cloudflared-site
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.22.2
+    version: 1.23.0
 icon: https://d21zlbwtcn424f.cloudfront.net/logo-new-round.png
 appVersion: 2.0.1

clusters/cl01tl/applications/site-profile/values.yaml

@@ -11,7 +11,7 @@ site-profile:
         main:
           image:
             repository: harbor.alexlebens.net/images/site-profile
-            tag: 2.0.6
+            tag: 2.1.0
             pullPolicy: IfNotPresent
           resources:
             requests:

clusters/cl01tl/applications/slskd/values.yaml

@@ -46,7 +46,7 @@ slskd:
         gluetun:
           image:
             repository: ghcr.io/qdm12/gluetun
-            tag: v3.40.0@sha256:2b42bfa046757145a5155acece417b65b4443c8033fb88661a8e9dcf7fda5a00
+            tag: v3.40.3@sha256:ef4a44819a60469682c7b5e69183e6401171891feaa60186652d292c59e41b30
             pullPolicy: IfNotPresent
           env:
             - name: VPN_SERVICE_PROVIDER

clusters/cl01tl/applications/sonarr-4k/Chart.yaml

@@ -27,7 +27,7 @@ dependencies:
     version: 4.4.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png
 appVersion: 4.0.14

clusters/cl01tl/applications/sonarr-4k/values.yaml

@@ -13,7 +13,7 @@ sonarr-4k:
         main:
           image:
             repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.16@sha256:2fc9c36769a3f50ab529e7ccc37687d118ab42199b01588573f03b3393cc3223
+            tag: 4.0.16@sha256:60e5edcac39172294ad22d55d1b08c2c0a9fe658cad2f2c4d742ae017d7874de
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/applications/sonarr-anime/Chart.yaml

@@ -26,7 +26,7 @@ dependencies:
     version: 4.4.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png
 appVersion: 4.0.14

clusters/cl01tl/applications/sonarr-anime/values.yaml

@@ -13,7 +13,7 @@ sonarr-anime:
         main:
           image:
             repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.16@sha256:2fc9c36769a3f50ab529e7ccc37687d118ab42199b01588573f03b3393cc3223
+            tag: 4.0.16@sha256:60e5edcac39172294ad22d55d1b08c2c0a9fe658cad2f2c4d742ae017d7874de
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/applications/sonarr/Chart.yaml

@@ -26,7 +26,7 @@ dependencies:
     version: 4.4.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png
 appVersion: 4.0.14

clusters/cl01tl/applications/sonarr/values.yaml

@@ -13,7 +13,7 @@ sonarr:
         main:
           image:
             repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.16@sha256:2fc9c36769a3f50ab529e7ccc37687d118ab42199b01588573f03b3393cc3223
+            tag: 4.0.16@sha256:60e5edcac39172294ad22d55d1b08c2c0a9fe658cad2f2c4d742ae017d7874de
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/applications/tdarr/values.yaml

@@ -9,7 +9,7 @@ tdarr:
         main:
           image:
             repository: ghcr.io/haveagitgat/tdarr
-            tag: 2.54.01
+            tag: 2.58.02
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -48,7 +48,7 @@ tdarr:
         main:
           image:
             repository: ghcr.io/haveagitgat/tdarr_node
-            tag: 2.54.01
+            tag: 2.58.02
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/applications/tubearchivist/values.yaml

@@ -40,7 +40,7 @@ tubearchivist:
         gluetun:
           image:
             repository: ghcr.io/qdm12/gluetun
-            tag: v3.40.0@sha256:2b42bfa046757145a5155acece417b65b4443c8033fb88661a8e9dcf7fda5a00
+            tag: v3.40.3@sha256:ef4a44819a60469682c7b5e69183e6401171891feaa60186652d292c59e41b30
             pullPolicy: IfNotPresent
           env:
             - name: VPN_SERVICE_PROVIDER

clusters/cl01tl/applications/vaultwarden/Chart.yaml

@@ -25,10 +25,10 @@ dependencies:
   - name: cloudflared
     alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.22.2
+    version: 1.23.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/vaultwarden.png
 appVersion: 1.33.2

clusters/cl01tl/applications/yamtrack/Chart.yaml

@@ -22,7 +22,7 @@ dependencies:
     version: 4.4.0
   - name: postgres-cluster
     alias: postgres-17-cluster
-    version: 6.15.0
+    version: 6.16.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/yamtrack.png
 appVersion: 0.22.7

clusters/cl01tl/deployment/argocd/Chart.yaml

@@ -15,7 +15,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-cd
-    version: 9.1.3
+    version: 9.1.4
     repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 appVersion: 3.0.0

clusters/cl01tl/helm/actual/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: actual
+version: 1.0.0
+description: Actual
+keywords:
+  - actual
+  - budget
+home: https://wiki.alexlebens.dev/s/86192f45-94b7-45de-872c-6ef3fec7df5e
+sources:
+  - https://github.com/actualbudget/actual
+  - https://github.com/actualbudget/actual/pkgs/container/actual
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: actual
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
+appVersion: 25.11.0

clusters/cl01tl/helm/actual/templates/external-secret.yaml

@@ -0,0 +1,55 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: actual-data-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: actual-data-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/actual/actual-data"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: secret_key

clusters/cl01tl/helm/actual/templates/http-route.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-actual
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-actual
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - actual.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: actual
+          port: 80
+          weight: 100

clusters/cl01tl/helm/actual/templates/replication-source.yaml

@@ -0,0 +1,25 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: actual-data-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: actual-data-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: actual-data
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: actual-data-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/actual/values.yaml

@@ -0,0 +1,56 @@
+actual:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/actualbudget/actual
+            tag: 25.11.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+          probes:
+            liveness:
+              enabled: true
+              custom: true
+              spec:
+                exec:
+                  command:
+                  - /usr/bin/env
+                  - bash
+                  - -c
+                  - node src/scripts/health-check.js
+                failureThreshold: 5
+                initialDelaySeconds: 60
+                periodSeconds: 10
+                successThreshold: 1
+                timeoutSeconds: 10
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 5006
+          protocol: HTTP
+  persistence:
+    data:
+      forceRename: actual-data
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 2Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /data
+              readOnly: false

clusters/cl01tl/helm/audiobookshelf/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: audiobookshelf
+version: 1.0.0
+description: Audiobookshelf
+keywords:
+  - audiobookshelf
+  - books
+  - podcasts
+  - audiobooks
+home: https://wiki.alexlebens.dev/s/d4d6719f-cd1c-4b6e-b78e-2d2d7a5097d7
+sources:
+  - https://github.com/advplyr/audiobookshelf
+  - https://github.com/advplyr/audiobookshelf/pkgs/container/audiobookshelf
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: audiobookshelf
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
+appVersion: 2.21.0

clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml

@@ -0,0 +1,135 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: audiobookshelf-apprise-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-apprise-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ntfy-url
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/audiobookshelf/apprise
+        metadataPolicy: None
+        property: ntfy-url
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: audiobookshelf-config-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-config-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-config"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: secret_key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: audiobookshelf-metadata-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-metadata-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-metadata"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: secret_key

clusters/cl01tl/helm/audiobookshelf/templates/http-route.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-audiobookshelf
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-audiobookshelf
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - audiobookshelf.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: audiobookshelf
+          port: 80
+          weight: 100

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: audiobookshelf-nfs-storage-backup
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-nfs-storage-backup
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeMode: Filesystem
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: audiobookshelf-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: audiobookshelf-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: audiobookshelf-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/helm/audiobookshelf/templates/replication-source.yaml

@@ -0,0 +1,52 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: audiobookshelf-config-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-config-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: audiobookshelf-config
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: audiobookshelf-config-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: audiobookshelf-metadata-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-metadata-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: audiobookshelf-metadata
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: audiobookshelf-metadata-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/audiobookshelf/templates/service-monitor.yaml

@@ -0,0 +1,19 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: audiobookshelf-apprise
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-apprise
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  endpoints:
+    - port: apprise
+      interval: 30s
+      scrapeTimeout: 15s
+      path: /metrics
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: audiobookshelf
+      app.kubernetes.io/instance: {{ .Release.Name }}

clusters/cl01tl/helm/audiobookshelf/values.yaml

@@ -0,0 +1,94 @@
+audiobookshelf:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/advplyr/audiobookshelf
+            tag: 2.30.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+        apprise-api:
+          image:
+            repository: caronc/apprise
+            tag: 1.2.6
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+            - name: PGID
+              value: "1000"
+            - name: PUID
+              value: "1000"
+            - name: APPRISE_STORAGE_MODE
+              value: memory
+            - name: APPRISE_STATEFUL_MODE
+              value: disabled
+            - name: APPRISE_WORKER_COUNT
+              value: 1
+            - name: APPRISE_STATELESS_URLS
+              valueFrom:
+                secretKeyRef:
+                  name: audiobookshelf-apprise-config
+                  key: ntfy-url
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 80
+          protocol: HTTP
+        apprise:
+          port: 8000
+          targetPort: 8000
+          protocol: HTTP
+  persistence:
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 2Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /config
+              readOnly: false
+    metadata:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 10Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /metadata
+              readOnly: false
+    backup:
+      existingClaim: audiobookshelf-nfs-storage-backup
+      advancedMounts:
+        main:
+          main:
+            - path: /metadata/backups
+              readOnly: false
+    audiobooks:
+      existingClaim: audiobookshelf-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /mnt/store/
+              readOnly: false

clusters/cl01tl/helm/bazarr/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: bazarr
+version: 1.0.0
+description: Bazarr
+keywords:
+  - bazarr
+  - servarr
+  - subtitles
+home: https://wiki.alexlebens.dev/s/92784d53-1d43-42fd-b509-f42c73454226
+sources:
+  - https://github.com/morpheus65535/bazarr
+  - https://github.com/linuxserver/docker-bazarr
+  - https://github.com/linuxserver/docker-bazarr/pkgs/container/bazarr
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: bazarr
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
+appVersion: 1.5.2

clusters/cl01tl/helm/bazarr/templates/external-secret.yaml

@@ -0,0 +1,55 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: bazarr-config-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: bazarr-config-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/bazarr/bazarr-config"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: secret_key

clusters/cl01tl/helm/bazarr/templates/http-route.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-bazarr
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-bazarr
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - bazarr.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: bazarr
+          port: 80
+          weight: 100

clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bazarr-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: bazarr-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: bazarr-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: bazarr-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: bazarr-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/helm/bazarr/templates/replication-source.yaml

@@ -0,0 +1,30 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: bazarr-config-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: bazarr-config-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: bazarr-config
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: bazarr-config-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    moverSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+      fsGroupChangePolicy: OnRootMismatch
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/bazarr/values.yaml

@@ -0,0 +1,57 @@
+bazarr:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      pod:
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 1000
+          fsGroup: 1000
+          fsGroupChangePolicy: OnRootMismatch
+      containers:
+        main:
+          image:
+            repository: ghcr.io/linuxserver/bazarr
+            tag: 1.5.3@sha256:2be164c02c0bb311b6c32e57d3d0ddc2813d524e89ab51a3408c1bf6fafecda5
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+            - name: PUID
+              value: 1000
+            - name: PGID
+              value: 1000
+          resources:
+            requests:
+              cpu: 10m
+              memory: 256Mi
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 6767
+          protocol: HTTP
+  persistence:
+    config:
+      forceRename: bazarr-config
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 5Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /config
+              readOnly: false
+    media:
+      existingClaim: bazarr-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /mnt/store
+              readOnly: false

clusters/cl01tl/helm/booklore/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: booklore
+version: 1.0.0
+description: booklore
+keywords:
+  - booklore
+  - books
+home: https://wiki.alexlebens.dev/
+sources:
+  - https://github.com/booklore-app/BookLore
+  - https://github.com/booklore-app/booklore/pkgs/container/booklore
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: booklore
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+  - name: mariadb-cluster
+    version: 25.10.2
+    repository: https://helm.mariadb.com/mariadb-operator
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png
+appVersion: v.1.10.0

clusters/cl01tl/helm/booklore/templates/external-secret.yaml

@@ -0,0 +1,332 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-database-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-database-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/booklore/database
+        metadataPolicy: None
+        property: password
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-data-replication-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-replication-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: psk.txt
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/booklore/replication
+        metadataPolicy: None
+        property: psk.txt
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-config-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-config-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-config"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/digital-ocean
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/digital-ocean
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: AWS_SECRET_ACCESS_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-data-backup-secret-local
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-backup-secret-local
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/garage-local
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/garage-local
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-data-backup-secret-remote
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-backup-secret-remote
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/garage-remote
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/garage-remote
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/volsync-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-data-backup-secret-external
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-backup-secret-external
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/digital-ocean
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /volsync/restic/digital-ocean
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: AWS_SECRET_ACCESS_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-mariadb-cluster-backup-secret-external
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-mariadb-cluster-backup-secret-external
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: access
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/mariadb-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/mariadb-backups
+        metadataPolicy: None
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: booklore-mariadb-cluster-backup-secret-garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-mariadb-cluster-backup-secret-garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: access
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/mariadb-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/mariadb-backups
+        metadataPolicy: None
+        property: secret

clusters/cl01tl/helm/booklore/templates/http-route.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-booklore
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-booklore
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - booklore.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: booklore
+          port: 80
+          weight: 100

clusters/cl01tl/helm/booklore/templates/namespace.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: booklore
+  annotations:
+    volsync.backube/privileged-movers: "true"
+  labels:
+    app.kubernetes.io/name: booklore
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}

clusters/cl01tl/helm/booklore/templates/persistent-volume-claim.yaml

@@ -1,14 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: calibre-web-automated-nfs-storage
+  name: booklore-books-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: calibre-web-automated-nfs-storage
+    app.kubernetes.io/name: booklore-books-nfs-storage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: calibre-web-automated-nfs-storage
+  volumeName: booklore-books-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -20,14 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: calibre-web-automated-ingest-nfs-storage
+  name: booklore-books-import-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: calibre-web-automated-ingest-nfs-storage
+    app.kubernetes.io/name: booklore-books-import-nfs-storage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: calibre-web-automated-ingest-nfs-storage
+  volumeName: booklore-books-import-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/booklore/templates/persistent-volume.yaml

@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: calibre-web-automated-nfs-storage
+  name: booklore-books-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: calibre-web-automated-nfs-storage
+    app.kubernetes.io/name: booklore-books-nfs-storage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -15,7 +15,7 @@ spec:
   accessModes:
     - ReadWriteMany
   nfs:
-    path: /volume2/Storage/Calibre
+    path: /volume2/Storage/Books
     server: synologybond.alexlebens.net
   mountOptions:
     - vers=4
@@ -26,10 +26,10 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: calibre-web-automated-ingest-nfs-storage
+  name: booklore-books-import-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: calibre-web-automated-ingest-nfs-storage
+    app.kubernetes.io/name: booklore-books-import-nfs-storage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -40,7 +40,7 @@ spec:
   accessModes:
     - ReadWriteMany
   nfs:
-    path: /volume2/Storage/Calibre Import
+    path: /volume2/Storage/Books Import
     server: synologybond.alexlebens.net
   mountOptions:
     - vers=4

clusters/cl01tl/helm/booklore/templates/replication-destination.yaml

@@ -0,0 +1,15 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationDestination
+metadata:
+  name: booklore-data-replication-destination
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-replication-destination
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  rsyncTLS:
+    copyMethod: Direct
+    accessModes: ["ReadWriteMany"]
+    destinationPVC: booklore-books-nfs-storage
+    keySecret: booklore-data-replication-secret

clusters/cl01tl/helm/booklore/templates/replication-source.yaml

@@ -0,0 +1,129 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: booklore-data-replication-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-replication-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: booklore-data
+  trigger:
+    schedule: "0 0 * * *"
+  rsyncTLS:
+    keySecret: booklore-data-replication-secret
+    address: volsync-rsync-tls-dst-booklore-data-replication-destination
+    copyMethod: Snapshot
+
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: booklore-config-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-config-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: booklore-config
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: booklore-config-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 10Gi
+
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: booklore-data-backup-source-local
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-backup-source-local
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: booklore-data
+  trigger:
+    schedule: 0 2 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: booklore-data-backup-secret-local
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 10Gi
+
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: booklore-data-backup-source-remote
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-backup-source-remote
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: booklore-data
+  trigger:
+    schedule: 0 3 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: booklore-data-backup-secret-remote
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 10Gi
+
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: booklore-data-backup-source-external
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: booklore-data-backup-source-external
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: booklore-data
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: booklore-data-backup-secret-external
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 10Gi

clusters/cl01tl/helm/booklore/templates/service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: garage-ps10rp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: garage-ps10rp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
+spec:
+  externalName: placeholder
+  type: ExternalName

clusters/cl01tl/helm/booklore/values.yaml

@@ -0,0 +1,155 @@
+booklore:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/booklore-app/booklore
+            tag: v1.12.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: America/Chicago
+            - name: DATABASE_URL
+              value: jdbc:mariadb://booklore-mariadb-cluster-primary.booklore:3306/booklore
+            - name: DATABASE_USERNAME
+              value: booklore
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: booklore-database-secret
+                  key: password
+            - name: BOOKLORE_PORT
+              value: 6060
+            - name: SWAGGER_ENABLED
+              value: false
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 6060
+          protocol: HTTP
+  persistence:
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 5Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /app/data
+              readOnly: false
+    data:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 10Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /data
+              readOnly: false
+    books-import:
+      type: emptyDir
+      advancedMounts:
+        main:
+          main:
+            - path: /bookdrop
+              readOnly: false
+    ingest:
+      existingClaim: booklore-books-import-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /bookdrop/ingest
+              readOnly: false
+mariadb-cluster:
+  mariadb:
+    rootPasswordSecretKeyRef:
+      generate: false
+      name: booklore-database-secret
+      key: password
+    storage:
+      size: 5Gi
+    replicas: 3
+    galera:
+      enabled: true
+  databases:
+    - name: booklore
+      characterSet: utf8
+      collate: utf8_general_ci
+      cleanupPolicy: Delete
+      requeueInterval: 10h
+  users:
+    - name: booklore
+      passwordSecretKeyRef:
+        name: booklore-database-secret
+        key: password
+      host: '%'
+      cleanupPolicy: Delete
+      requeueInterval: 10h
+      retryInterval: 30s
+  grants:
+    - name: booklore
+      privileges:
+        - "ALL PRIVILEGES"
+      database: "booklore"
+      table: "*"
+      username: booklore
+      grantOption: true
+      host: '%'
+      cleanupPolicy: Delete
+      requeueInterval: 10h
+      retryInterval: 30s
+  physicalBackups:
+    - name: backup-external
+      schedule:
+        cron: "0 0 * * 0"
+        suspend: false
+        immediate: true
+      compression: gzip
+      maxRetention: 720h
+      storage:
+        s3:
+          bucket: mariadb-backups-b230a2f5aecf080a4b372c08
+          prefix: cl01tl/booklore
+          endpoint: nyc3.digitaloceanspaces.com
+          region: us-east-1
+          accessKeyIdSecretKeyRef:
+            name: booklore-mariadb-cluster-backup-secret-external
+            key: access
+          secretAccessKeySecretKeyRef:
+            name: booklore-mariadb-cluster-backup-secret-external
+            key: secret
+          tls:
+            enabled: true
+    - name: backup-garage
+      schedule:
+        cron: "0 0 * * *"
+        suspend: false
+        immediate: true
+      compression: gzip
+      maxRetention: 360h
+      storage:
+        s3:
+          bucket: mariadb-backups
+          prefix: cl01tl/booklore
+          endpoint: garage-main.garage:3900
+          region: us-east-1
+          accessKeyIdSecretKeyRef:
+            name: booklore-mariadb-cluster-backup-secret-garage
+            key: access
+          secretAccessKeySecretKeyRef:
+            name: booklore-mariadb-cluster-backup-secret-garage
+            key: secret

clusters/cl01tl/helm/code-server/Chart.yaml

@@ -0,0 +1,28 @@
+apiVersion: v2
+name: code-server
+version: 1.0.0
+description: Code Server
+keywords:
+  - code-server
+  - code
+  - ide
+home: https://wiki.alexlebens.dev/s/233f96bb-db70-47e4-8b22-a8efcbb0f93d
+sources:
+  - https://github.com/coder/code-server
+  - https://github.com/cloudflare/cloudflared
+  - https://hub.docker.com/r/linuxserver/code-server
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: code-server
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+  - name: cloudflared
+    alias: cloudflared
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 1.23.0
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
+appVersion: 4.100.2

clusters/cl01tl/helm/code-server/templates/external-secret.yaml

@@ -0,0 +1,51 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: codeserver-password-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: codeserver-password-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/code-server/auth
+        metadataPolicy: None
+        property: PASSWORD
+    - secretKey: SUDO_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/code-server/auth
+        metadataPolicy: None
+        property: SUDO_PASSWORD
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: code-server-cloudflared-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: code-server-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/codeserver
+        metadataPolicy: None
+        property: token

clusters/cl01tl/helm/code-server/templates/http-route.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-code-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-code-server
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - code-server.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: code-server
+          port: 8443
+          weight: 100

clusters/cl01tl/helm/code-server/templates/persistent-volume-claim.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: code-server-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: code-server-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeMode: Filesystem
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/helm/code-server/values.yaml

@@ -0,0 +1,47 @@
+code-server:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/linuxserver/code-server
+            tag: 4.106.2@sha256:a98afdbcb59559f11e5e8df284062e55da1076b2e470e13db4aae133ea82bad0
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+            - name: PUID
+              value: 1000
+            - name: PGID
+              value: 1000
+            - name: DEFAULT_WORKSPACE
+              value: /config
+          envFrom:
+            - secretRef:
+                name: codeserver-password-secret
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 8443
+          targetPort: 8443
+          protocol: HTTP
+  persistence:
+    config:
+      existingClaim: code-server-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /config
+              readOnly: false
+cloudflared:
+  existingSecretName: code-server-cloudflared-secret

clusters/cl01tl/helm/directus/Chart.yaml

@@ -0,0 +1,33 @@
+apiVersion: v2
+name: directus
+version: 1.0.0
+description: Directus
+keywords:
+  - directus
+  - cms
+home: https://wiki.alexlebens.dev/s/c2d242de-dcaa-4801-86a2-c4761dc8bf9b
+sources:
+  - https://github.com/directus/directus
+  - https://github.com/cloudflare/cloudflared
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://hub.docker.com/r/directus/directus
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: directus
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+  - name: cloudflared
+    alias: cloudflared-directus
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 1.23.0
+  - name: postgres-cluster
+    alias: postgres-17-cluster
+    version: 6.16.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
+appVersion: 11.7.2

clusters/cl01tl/helm/directus/templates/external-secret.yaml

@@ -0,0 +1,245 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: admin-email
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/config
+        metadataPolicy: None
+        property: admin-email
+    - secretKey: admin-password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/config
+        metadataPolicy: None
+        property: admin-password
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/config
+        metadataPolicy: None
+        property: secret
+    - secretKey: key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/config
+        metadataPolicy: None
+        property: key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-metric-token
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-metric-token
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: metric-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/metrics
+        metadataPolicy: None
+        property: metric-token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-redis-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-redis-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: user
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/redis
+        metadataPolicy: None
+        property: user
+    - secretKey: password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/redis
+        metadataPolicy: None
+        property: password
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: OIDC_CLIENT_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/directus
+        metadataPolicy: None
+        property: client
+    - secretKey: OIDC_CLIENT_SECRET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/directus
+        metadataPolicy: None
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-cloudflared-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/directus
+        metadataPolicy: None
+        property: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-postgresql-17-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-postgresql-17-cluster-backup-secret-weekly
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret-weekly
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-postgresql-17-cluster-backup-secret-garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_REGION

clusters/cl01tl/helm/directus/templates/object-bucket-claim.yaml

@@ -0,0 +1,11 @@
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+  name: ceph-bucket-directus
+  labels:
+    app.kubernetes.io/name: ceph-bucket-directus
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  generateBucketName: bucket-directus
+  storageClassName: ceph-bucket

clusters/cl01tl/helm/directus/templates/redis-replication.yaml

@@ -0,0 +1,35 @@
+apiVersion: redis.redis.opstreelabs.in/v1beta2
+kind: RedisReplication
+metadata:
+  name: redis-replication-directus
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: redis-replication-directus
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  clusterSize: 3
+  podSecurityContext:
+    runAsUser: 1000
+    fsGroup: 1000
+  kubernetesConfig:
+    image: quay.io/opstree/redis:v8.2.1
+    imagePullPolicy: IfNotPresent
+    redisSecret:
+      name: directus-redis-config
+      key: password
+    resources:
+      requests:
+        cpu: 50m
+        memory: 128Mi
+  storage:
+    volumeClaimTemplate:
+      spec:
+        storageClassName: ceph-block
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+  redisExporter:
+    enabled: true
+    image: quay.io/opstree/redis-exporter:v1.76.0