chore(config): migrate config renovate.json

Reviewed-on: #5227

.gitea/workflows/renovate.yaml

@@ -13,7 +13,7 @@ on:
 jobs:
   renovate:
     runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.91.1@sha256:63e27dd3ed7dd5feb755e0f3c8e50516f5845be124311b4f6b3c898b5d767b49
+    container: ghcr.io/renovatebot/renovate:43.96.0@sha256:41af2f21008f8f5785833277ac951b4f44e936b61394dc7edccdc0fe09e59132
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

clusters/cl01tl/helm/argocd/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 9.4.16
-digest: sha256:f9ecc47369d4401df61c17f55cc59c9b2d4543f57cf122653abb1a27a4f7bf35
-generated: "2026-03-26T21:01:52.678525211Z"
+  version: 9.4.17
+digest: sha256:17752dbf03861cf70ee31c9a17373a5175656a2edd00ba5fcd3988a195147da8
+generated: "2026-03-28T01:51:34.832601868Z"

clusters/cl01tl/helm/argocd/Chart.yaml

@@ -13,8 +13,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-cd
-    version: 9.4.16
+    version: 9.4.17
     repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-cd
-appVersion: v3.3.5
+appVersion: v3.3.6

clusters/cl01tl/helm/cert-manager/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.20.0
-digest: sha256:1543bd17649cb32982de3cce017fcbed1b44c41d50b76c6471b266f33e261c29
-generated: "2026-03-10T16:06:49.332999536Z"
+  version: v1.20.1
+digest: sha256:1bf36eba44cf096b40355a697b8cffb302f07f9135374222aabdf686f017b7a9
+generated: "2026-03-28T01:35:24.542754563Z"

clusters/cl01tl/helm/cert-manager/Chart.yaml

@@ -13,8 +13,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: cert-manager
-    version: v1.20.0
+    version: v1.20.1
     repository: https://charts.jetstack.io
 icon: https://raw.githubusercontent.com/cert-manager/cert-manager/refs/heads/master/logo/logo.png
 # renovate: datasource=github-releases depName=cert-manager/cert-manager
-appVersion: v1.20.0
+appVersion: v1.20.1

clusters/cl01tl/helm/directus/Chart.yaml

@@ -4,16 +4,14 @@ version: 1.0.0
 description: Directus
 keywords:
   - directus
-  - cms
-home: https://wiki.alexlebens.dev/s/c2d242de-dcaa-4801-86a2-c4761dc8bf9b
+  - content-management-system
+home: https://docs.alexlebens.dev/applications/descheduler/
 sources:
   - https://github.com/directus/directus
-  - https://github.com/cloudflare/cloudflared
-  - https://github.com/cloudnative-pg/cloudnative-pg
-  - https://hub.docker.com/r/directus/directus
+  - https://github.com/directus/directus/pkgs/container/directus
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
 maintainers:
   - name: alexlebens
 dependencies:

clusters/cl01tl/helm/directus/templates/external-secret.yaml

@@ -14,31 +14,19 @@ spec:
   data:
     - secretKey: admin-email
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/directus/config
-        metadataPolicy: None
         property: admin-email
     - secretKey: admin-password
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/directus/config
-        metadataPolicy: None
         property: admin-password
     - secretKey: secret
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/directus/config
-        metadataPolicy: None
         property: secret
     - secretKey: key
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/directus/config
-        metadataPolicy: None
         property: key
 
 ---
@@ -58,17 +46,11 @@ spec:
   data:
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/directus
-        metadataPolicy: None
         property: client
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/directus
-        metadataPolicy: None
         property: secret
 
 ---
@@ -88,10 +70,7 @@ spec:
   data:
     - secretKey: metric-token
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/directus/metrics
-        metadataPolicy: None
         property: metric-token
 
 ---
@@ -111,24 +90,15 @@ spec:
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/directus-assets
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/directus-assets
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
     - secretKey: ACCESS_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/directus-assets
-        metadataPolicy: None
         property: ACCESS_REGION
 
 ---
@@ -148,22 +118,13 @@ spec:
   data:
     - secretKey: default
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/directus/valkey
-        metadataPolicy: None
         property: password
     - secretKey: user
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/directus/valkey
-        metadataPolicy: None
         property: user
     - secretKey: password
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/directus/valkey
-        metadataPolicy: None
         property: password

clusters/cl01tl/helm/directus/values.yaml

@@ -4,12 +4,11 @@ directus:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
       containers:
         main:
           image:
-            repository: directus/directus
-            tag: 11.17.0
+            repository: ghcr.io/directus/directus
+            tag: 11.17.0@sha256:076269ccbe7d4a0c44ce5f5b7f11e2ea5f7b3e4c4f704c0f88a52805e069c1c6
             pullPolicy: IfNotPresent
           env:
             - name: PUBLIC_URL
@@ -144,7 +143,7 @@ directus:
           resources:
             requests:
               cpu: 10m
-              memory: 256Mi
+              memory: 1Gi
   service:
     main:
       controller: main
@@ -180,11 +179,8 @@ directus:
         - directus.alexlebens.net
       rules:
         - backendRefs:
-            - group: ''
-              kind: Service
-              name: directus
+            - name: directus
               port: 80
-              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -202,35 +198,12 @@ postgres-18-cluster:
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true
-      # - name: garage-remote
-      #   index: 1
-      #   destinationBucket: postgres-backups
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   retentionPolicy: "90d"
-      #   data:
-      #     compression: bzip2
-      # - name: external
-      #   index: 1
-      #   endpointURL: https://nyc3.digitaloceanspaces.com
-      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 15 14 * * *"
         backupName: garage-local
-      # - name: weekly-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 4 * * SAT"
-      #   backupName: garage-remote
-      # - name: daily-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 0 * * *"
-      #   backupName: external
 valkey:
   valkey:
     auth:
@@ -239,5 +212,3 @@ valkey:
       aclUsers:
         default:
           permissions: "~* &* +@all"
-    metrics:
-      enabled: false

clusters/cl01tl/helm/elastic-operator/Chart.yaml

@@ -6,8 +6,7 @@ keywords:
   - elastic-operator
   - operator
   - elastic-search
-  - kubernetes
-home: https://wiki.alexlebens.dev/s/
+home: https://docs.alexlebens.dev/applications/elastic-operator/
 sources:
   - https://github.com/elastic/cloud-on-k8s
   - https://github.com/elastic/cloud-on-k8s/tree/main/deploy/eck-operator
@@ -17,6 +16,6 @@ dependencies:
   - name: eck-operator
     version: 3.3.1
     repository: https://helm.elastic.co
-icon: https://helm.elastic.co/icons/eck.png
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/elastic.png
 # renovate: datasource=github-releases depName=elastic/cloud-on-k8s
 appVersion: v3.3.1

clusters/cl01tl/helm/elastic-operator/values.yaml

@@ -4,6 +4,13 @@ eck-operator:
     - stalwart
   installCRDs: true
   replicaCount: 2
+  resources:
+    limits:
+      cpu: null
+      memory: null
+    requests:
+      cpu: 2m
+      memory: 50Mi
   telemetry:
     disabled: true
   config:

clusters/cl01tl/helm/element-web/Chart.yaml

@@ -4,13 +4,11 @@ version: 1.0.0
 description: Element Web
 keywords:
   - element-web
-  - chat
-  - matrix
-home: https://wiki.alexlebens.dev/s/e3b03481-1a1d-4b56-8cd9-e75a8dcc0f6c
+  - matrix-chat
+home: https://docs.alexlebens.dev/applications/element-web/
 sources:
   - https://github.com/element-hq/element-web
-  - https://github.com/cloudflare/cloudflared
-  - https://hub.docker.com/r/vectorim/element-web
+  - https://github.com/element-hq/element-web/pkgs/container/element-web
   - https://gitlab.com/ananace/charts/-/tree/master/charts/element-web
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
 maintainers:

clusters/cl01tl/helm/element-web/values.yaml

@@ -1,9 +1,8 @@
 element-web:
   replicaCount: 1
   image:
-    repository: vectorim/element-web
-    tag: v1.12.13
-    pullPolicy: IfNotPresent
+    repository: ghcr.io/element-hq/element-web
+    tag: v1.12.13@sha256:5107e63026c13ed014f743e485821b7d4b56d275a41e76303859bb14f5f94eb6
   defaultServer:
     url: https://matrix.alexlebens.dev
     name: alexlebens.dev
@@ -18,9 +17,7 @@ element-web:
       immediate: true
     default_theme: dark
     default_country_code: US
-  ingress:
-    enabled: false
   resources:
     requests:
-      cpu: 10m
-      memory: 128Mi
+      cpu: 1m
+      memory: 10Mi

clusters/cl01tl/helm/eraser/Chart.yaml

@@ -5,10 +5,10 @@ description: Eraser
 keywords:
   - eraser
   - images
-  - kubernetes
-home: https://wiki.alexlebens.dev/s/bb53ffae-0eda-4ed6-9fdd-894e672b4377
+home: https://docs.alexlebens.dev/applications/eraser/
 sources:
   - https://github.com/eraser-dev/eraser
+  - https://github.com/eraser-dev/eraser/pkgs/container/eraser-manager
   - https://github.com/eraser-dev/eraser/tree/main/charts/eraser
 maintainers:
   - name: alexlebens
@@ -16,6 +16,6 @@ dependencies:
   - name: eraser
     version: 1.4.1
     repository: https://eraser-dev.github.io/eraser/charts
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
+icon: https://raw.githubusercontent.com/eraser-dev/eraser/refs/heads/main/images/eraser-logo-color-1c.png
 # renovate: datasource=github-releases depName=eraser-dev/eraser
 appVersion: v1.4.1

clusters/cl01tl/helm/eraser/values.yaml

@@ -1,50 +1,37 @@
 eraser:
   runtimeConfig:
-    apiVersion: eraser.sh/v1alpha3
-    kind: EraserConfig
     manager:
-      runtime:
-        name: containerd
-        address: unix:///run/containerd/containerd.sock
-      logLevel: info
       scheduling:
         repeatInterval: 24h
         beginImmediately: true
-      profile:
-        enabled: false
-        port: 6060
       imageJob:
-        successRatio: 1.0
         cleanup:
           delayOnSuccess: 0s
           delayOnFailure: 24h
-      nodeFilter:
-        type: exclude
-        selectors:
-          - eraser.sh/cleanup.filter
-          - kubernetes.io/os=windows
     components:
       collector:
-        enabled: true
+        image:
+          repo: ghcr.io/eraser-dev/collector
+          tag: v1.4.1@sha256:827588ff826c3558bf2c50b1fc94f20122b054dfcf3480c3ffe6f0bae25c3dad
         request:
-          cpu: 10m
-          memory: 128Mi
+          cpu: 1m
+          memory: 20Mi
       scanner:
         enabled: false
-        request:
-          cpu: 100m
-          memory: 128Mi
-        config: ""
       remover:
+        image:
+          repo: ghcr.io/eraser-dev/remover
+          tag: v1.4.1@sha256:e57592157d717588f69c011cd0b6ab783a19a53b447a5350b27e7e66aae67525
         request:
-          cpu: 10m
-          memory: 128Mi
+          cpu: 1m
+          memory: 20Mi
   deploy:
-    securityContext:
-      allowPrivilegeEscalation: false
+    image:
+      repo: ghcr.io/eraser-dev/eraser-manager
+      tag: v1.4.1@sha256:5f18fb7da4ccad93a8643ece496681f1489b0d7b0ce45e18a94774cf8b6a717d
     resources:
+      limits:
+        memory: null
       requests:
-        cpu: 10m
-        memory: 30Mi
-    nodeSelector:
-      kubernetes.io/os: linux
+        cpu: 1m
+        memory: 20Mi

clusters/cl01tl/helm/excalidraw/Chart.yaml

@@ -4,7 +4,8 @@ version: 1.0.0
 description: Excalidraw
 keywords:
   - excalidraw
-home: https://wiki.alexlebens.dev/
+  - drawing
+home: https://docs.alexlebens.dev/applications/eraser/
 sources:
   - https://github.com/excalidraw/excalidraw
   - https://hub.docker.com/r/excalidraw/excalidraw

clusters/cl01tl/helm/excalidraw/values.yaml

@@ -4,13 +4,11 @@ excalidraw:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
       containers:
         main:
           image:
             repository: excalidraw/excalidraw
             tag: latest@sha256:3c2513e830bb6e195147c05b34ecf8393d0ba2b1cc86e93b407a5777d6135c6c
-            pullPolicy: IfNotPresent
           env:
             - name: NODE_ENV
               value: production
@@ -18,8 +16,8 @@ excalidraw:
               value: America/Chicago
           resources:
             requests:
-              cpu: 10m
-              memory: 128Mi
+              cpu: 1m
+              memory: 10Mi
   service:
     main:
       controller: main
@@ -40,11 +38,8 @@ excalidraw:
         - excalidraw.alexlebens.net
       rules:
         - backendRefs:
-            - group: ''
-              kind: Service
-              name: excalidraw
+            - name: excalidraw
               port: 80
-              weight: 100
           matches:
             - path:
                 type: PathPrefix

clusters/cl01tl/helm/external-dns/Chart.yaml

@@ -5,11 +5,10 @@ description: External DNS
 keywords:
   - external-dns
   - dns
-  - unifi
-  - kubernetes
-home: https://wiki.alexlebens.dev/s/7b50e4da-5dc1-4f62-baf9-14b5fed64552
+home: https://docs.alexlebens.dev/applications/eraser/
 sources:
   - https://github.com/kubernetes-sigs/external-dns
+  - https://github.com/kashalls/external-dns-unifi-webhook
   - https://github.com/kubernetes-sigs/external-dns/tree/master/charts/external-dns
 maintainers:
   - name: alexlebens

clusters/cl01tl/helm/external-dns/templates/external-secret.yaml

@@ -14,8 +14,5 @@ spec:
   data:
     - secretKey: api-key
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /unifi/auth/cl01tl
-        metadataPolicy: None
         property: api-key

clusters/cl01tl/helm/external-dns/values.yaml

@@ -1,25 +1,27 @@
 external-dns-unifi:
   fullnameOverride: external-dns-unifi
+  resources:
+    requests:
+      cpu: 1m
+      memory: 80Mi
   serviceMonitor:
     enabled: true
-  interval: 1m
+  interval: 360m
   sources:
-    - ingress
     - crd
     - gateway-httproute
     - gateway-tlsroute
   policy: sync
-  registry: txt
   txtOwnerId: default
   txtPrefix: k8s.
   domainFilters: ["alexlebens.net"]
-  excludeDomains: []
+  excludeDomains: ["alexlebens.dev"]
   provider:
     name: webhook
     webhook:
       image:
         repository: ghcr.io/kashalls/external-dns-unifi-webhook
-        tag: v0.8.2
+        tag: v0.8.2@sha256:7f0ddbbc83a36a2a9d762e25eef9cafcb3adf0493068a27d72ae71087eafe6f0
       env:
         - name: UNIFI_HOST
           value: https://192.168.1.1
@@ -29,18 +31,14 @@ external-dns-unifi:
               name: external-dns-unifi-secret
               key: api-key
         - name: LOG_LEVEL
-          value: debug
+          value: info
       livenessProbe:
         httpGet:
           path: /healthz
           port: http-webhook
-        initialDelaySeconds: 10
-        timeoutSeconds: 5
       readinessProbe:
         httpGet:
           path: /readyz
           port: http-webhook
-        initialDelaySeconds: 10
-        timeoutSeconds: 5
   extraArgs:
     - --ignore-ingress-tls-spec

clusters/cl01tl/helm/external-secrets/Chart.lock

@@ -2,5 +2,5 @@ dependencies:
 - name: external-secrets
   repository: https://charts.external-secrets.io
   version: 2.2.0
-digest: sha256:832fc3f8d3728bdea2b696a6044e4c18967cd9ab9c5cc74adbf40aaa270a84b4
-generated: "2026-03-20T20:53:08.407747649Z"
+digest: sha256:3894df20e1f3d56bc9789177181a84d8ae1402ef76ec6328e417ce5a568738ae
+generated: "2026-03-26T19:19:15.734454-05:00"

clusters/cl01tl/helm/external-secrets/Chart.yaml

@@ -5,15 +5,17 @@ description: External Secrets
 keywords:
   - external-secrets
   - secrets
-  - vault
-home: https://wiki.alexlebens.dev/s/d29044fb-0d63-4500-8853-2971964f356a
+  - operator
+home: https://docs.alexlebens.dev/applications/eraser/
 sources:
   - https://github.com/external-secrets/external-secrets
+  - https://github.com/external-secrets/external-secrets/pkgs/container/external-secrets
   - https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
 dependencies:
   - name: external-secrets
+    alias: external-secrets
     version: 2.2.0
     repository: https://charts.external-secrets.io
-icon: https://avatars.githubusercontent.com/u/68335991?s=48&v=4
+icon: https://raw.githubusercontent.com/external-secrets/external-secrets/refs/heads/main/assets/eso-logo-large.png
 # renovate: datasource=github-releases depName=external-secrets/external-secrets
 appVersion: v2.2.0

clusters/cl01tl/helm/external-secrets/values.yaml

@@ -0,0 +1,44 @@
+external-secrets:
+  replicaCount: 3
+  image:
+    repository: ghcr.io/external-secrets/external-secrets
+    tag: v2.2.0@sha256:876e627dbee5b0edd12da49b035469d12418cd6c3c4be5e383ae6a82e8bd4565
+  installCRDs: true
+  crds:
+    createClusterExternalSecret: true
+    createClusterSecretStore: true
+    createSecretStore: true
+    createClusterGenerator: true
+    createClusterPushSecret: true
+    createPushSecret: true
+  leaderElect: true
+  extendedMetricLabels: true
+  resources:
+    requests:
+      cpu: 5m
+      memory: 50Mi
+  serviceMonitor:
+    enabled: true
+  livenessProbe:
+    enabled: true
+  readinessProbe:
+    enabled: true
+  podDisruptionBudget:
+    enabled: true
+    minAvailable: 1
+  webhook:
+    image:
+      repository: ghcr.io/external-secrets/external-secrets
+      tag: v2.2.0@sha256:876e627dbee5b0edd12da49b035469d12418cd6c3c4be5e383ae6a82e8bd4565
+    resources:
+      requests:
+        cpu: 1m
+        memory: 30Mi
+  certController:
+    image:
+      repository: ghcr.io/external-secrets/external-secrets
+      tag: v2.2.0@sha256:876e627dbee5b0edd12da49b035469d12418cd6c3c4be5e383ae6a82e8bd4565
+    resources:
+      requests:
+        cpu: 1m
+        memory: 60Mi

clusters/cl01tl/helm/foldergram/Chart.yaml

@@ -5,10 +5,12 @@ description: Foldergram
 keywords:
   - foldergram
   - pictures
-home: https://wiki.alexlebens.dev/
+home: https://docs.alexlebens.dev/applications/foldergram/
 sources:
   - https://github.com/foldergram/foldergram
+  - https://github.com/foldergram/foldergram/pkgs/container/foldergram
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:
@@ -22,4 +24,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://raw.githubusercontent.com/foldergram/foldergram/refs/heads/main/client/public/icon-512.png
 # renovate: datasource=github-releases depName=foldergram/foldergram
-appVersion: v1.0.6
+appVersion: v1.0.8

clusters/cl01tl/helm/foldergram/values.yaml

@@ -4,12 +4,15 @@ foldergram:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
+      pod:
+        securityContext:
+          fsGroup: 1000
+          fsGroupChangePolicy: OnRootMismatch
       containers:
         main:
           image:
             repository: ghcr.io/foldergram/foldergram
-            tag: 1.0.6
+            tag: 1.0.8@sha256:3546dc1da4ec12cb27aaecbf77896d708ac7601eb0225e0f6e181d7ef35273f9
             pullPolicy: IfNotPresent
           env:
             - name: IMAGE_DETAIL_SOURCE
@@ -24,8 +27,8 @@ foldergram:
               value: https://foldergram.alexlebens.net
           resources:
             requests:
-              cpu: 10m
-              memory: 128Mi
+              cpu: 1m
+              memory: 230Mi
   service:
     main:
       controller: main
@@ -46,11 +49,8 @@ foldergram:
         - foldergram.alexlebens.net
       rules:
         - backendRefs:
-            - group: ''
-              kind: Service
-              name: foldergram
+            - name: foldergram
               port: 80
-              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -61,7 +61,6 @@ foldergram:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 10Gi
-      retain: false
       advancedMounts:
         main:
           main:

clusters/cl01tl/helm/freshrss/Chart.yaml

@@ -5,15 +5,14 @@ description: FreshRSS
 keywords:
   - freshrss
   - rss
-home: https://wiki.alexlebens.dev/s/251cb7cb-2797-4bbb-8597-32757aa96391
+home: https://docs.alexlebens.dev/applications/freshrss/
 sources:
   - https://github.com/FreshRSS/FreshRSS
-  - https://github.com/cloudflare/cloudflared
-  - https://github.com/cloudnative-pg/cloudnative-pg
   - https://hub.docker.com/r/freshrss/freshrss
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:

clusters/cl01tl/helm/freshrss/templates/external-secret.yaml

@@ -14,24 +14,15 @@ spec:
   data:
     - secretKey: ADMIN_EMAIL
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/freshrss/config
-        metadataPolicy: None
         property: ADMIN_EMAIL
     - secretKey: ADMIN_PASSWORD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/freshrss/config
-        metadataPolicy: None
         property: ADMIN_PASSWORD
     - secretKey: ADMIN_API_PASSWORD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/freshrss/config
-        metadataPolicy: None
         property: ADMIN_API_PASSWORD
 
 ---
@@ -51,22 +42,13 @@ spec:
   data:
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/freshrss
-        metadataPolicy: None
         property: client
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/freshrss
-        metadataPolicy: None
         property: secret
     - secretKey: OIDC_CLIENT_CRYPTO_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/freshrss
-        metadataPolicy: None
         property: crypto-key

clusters/cl01tl/helm/freshrss/values.yaml

@@ -4,84 +4,11 @@ freshrss:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
-      initContainers:
-        init-download-extension-1:
-          securityContext:
-            runAsUser: 0
-          image:
-            repository: alpine
-            tag: 3.23.3
-            pullPolicy: IfNotPresent
-          command:
-            - /bin/sh
-            - -ec
-            - |
-              apk add --no-cache git;
-              cd /tmp;
-              git clone -n --depth=1 --filter=tree:0 https://github.com/cn-tools/cntools_FreshRssExtensions.git;
-              cd cntools_FreshRssExtensions;
-              git sparse-checkout set --no-cone /xExtension-YouTubeChannel2RssFeed;
-              git checkout;
-              rm -rf /var/www/FreshRSS/extensions/xExtension-YouTubeChannel2RssFeed
-              cp -r xExtension-YouTubeChannel2RssFeed /var/www/FreshRSS/extensions
-              chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-YouTubeChannel2RssFeed
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-        init-download-extension-2:
-          securityContext:
-            runAsUser: 0
-          image:
-            repository: alpine
-            tag: 3.23.3
-            pullPolicy: IfNotPresent
-          command:
-            - /bin/sh
-            - -ec
-            - |
-              apk add --no-cache git;
-              cd /tmp;
-              git clone -n --depth=1 --filter=tree:0 https://github.com/FreshRSS/Extensions.git;
-              cd Extensions;
-              git sparse-checkout set --no-cone /xExtension-ImageProxy;
-              git checkout;
-              rm -rf /var/www/FreshRSS/extensions/xExtension-ImageProxy
-              cp -r xExtension-ImageProxy /var/www/FreshRSS/extensions
-              chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-ImageProxy
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-        init-download-extension-3:
-          securityContext:
-            runAsUser: 0
-          image:
-            repository: alpine
-            tag: 3.23.3
-            pullPolicy: IfNotPresent
-          command:
-            - /bin/sh
-            - -ec
-            - |
-              cd /tmp;
-              wget https://github.com/zimmra/xExtension-karakeep-button/archive/refs/tags/v1.1.tar.gz;
-              tar -xvzf *.tar.gz;
-              rm -rf /var/www/FreshRSS/extensions/xExtension-karakeep-button
-              mkdir /var/www/FreshRSS/extensions/xExtension-karakeep-button
-              cp -r /tmp/xExtension-karakeep-button-*/* /var/www/FreshRSS/extensions/xExtension-karakeep-button
-              chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-karakeep-button
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
       containers:
         main:
           image:
             repository: freshrss/freshrss
-            tag: 1.28.1
-            pullPolicy: IfNotPresent
+            tag: 1.28.1@sha256:9100f649f5c946f589f54cdb9be7a65996528f48f691ef90eb262a0e06e5a522
           env:
             - name: PGID
               value: "568"
@@ -151,7 +78,7 @@ freshrss:
                 name: freshrss-install-secret
           resources:
             requests:
-              cpu: 10m
+              cpu: 1m
               memory: 128Mi
   service:
     main:
@@ -167,31 +94,11 @@ freshrss:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
-      retain: true
       advancedMounts:
         main:
           main:
             - path: /var/www/FreshRSS/data
               readOnly: false
-    extensions:
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 1Gi
-      retain: true
-      advancedMounts:
-        main:
-          init-download-extension-1:
-            - path: /var/www/FreshRSS/extensions
-              readOnly: false
-          init-download-extension-2:
-            - path: /var/www/FreshRSS/extensions
-              readOnly: false
-          init-download-extension-3:
-            - path: /var/www/FreshRSS/extensions
-              readOnly: false
-          main:
-            - path: /var/www/FreshRSS/extensions
-              readOnly: false
 postgres-18-cluster:
   mode: recovery
   recovery:
@@ -205,35 +112,12 @@ postgres-18-cluster:
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true
-      # - name: garage-remote
-      #   index: 1
-      #   destinationBucket: postgres-backups
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   retentionPolicy: "90d"
-      #   data:
-      #     compression: bzip2
-      # - name: external
-      #   index: 1
-      #   endpointURL: https://nyc3.digitaloceanspaces.com
-      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 20 14 * * *"
         backupName: garage-local
-      # - name: weekly-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 4 * * SAT"
-      #   backupName: garage-remote
-      # - name: daily-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 0 * * *"
-      #   backupName: external
 volsync-target-data:
   pvcTarget: freshrss-data
   moverSecurityContext:
@@ -241,11 +125,6 @@ volsync-target-data:
     runAsGroup: 568
     fsGroup: 568
     fsGroupChangePolicy: OnRootMismatch
-    supplementalGroups:
-      - 44
-      - 100
-      - 109
-      - 65539
   local:
     enabled: true
     schedule: 18 8 * * *

clusters/cl01tl/helm/garage/Chart.yaml

@@ -4,12 +4,13 @@ version: 1.0.0
 description: Garage
 keywords:
   - garage
-  - storage
   - s3
-home: https://wiki.alexlebens.dev/s/
+home: https://docs.alexlebens.dev/applications/garage/
 sources:
   - https://git.deuxfleurs.fr/Deuxfleurs/garage
+  - https://github.com/khairul169/garage-webui
   - https://hub.docker.com/r/dxflrs/garage
+  - https://hub.docker.com/r/khairul169/garage-webui
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
 maintainers:
   - name: alexlebens
@@ -18,6 +19,6 @@ dependencies:
     alias: garage
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.6.2
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
-# renovate: datasource=github-releases depName=deuxfleurs-org/garage
-appVersion: v2.1.0
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/garage.png
+# renovate: datasource=docker depName=dxflrs/garage
+appVersion: v2.2.0

clusters/cl01tl/helm/garage/templates/external-secret.yaml

@@ -14,22 +14,13 @@ spec:
   data:
     - secretKey: GARAGE_RPC_SECRET
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/garage/token
-        metadataPolicy: None
         property: rpc
     - secretKey: GARAGE_ADMIN_TOKEN
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/garage/token
-        metadataPolicy: None
         property: admin
     - secretKey: GARAGE_METRICS_TOKEN
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/garage/token
-        metadataPolicy: None
         property: metric

clusters/cl01tl/helm/garage/values.yaml

@@ -4,7 +4,6 @@ garage:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
       pod:
         labels:
           garage-type: server
@@ -22,32 +21,18 @@ garage:
         main:
           image:
             repository: dxflrs/garage
-            tag: v2.2.0
-            pullPolicy: IfNotPresent
+            tag: v2.2.0@sha256:45a61ce3f7c9c24fc23d9ed2b09b27ed560ab87b34605d175d5c588f539c24e4
           envFrom:
             - secretRef:
                 name: garage-token-secret
           resources:
             requests:
               cpu: 10m
-              memory: 128Mi
-        debug:
-          image:
-            repository: ubuntu
-            tag: resolute-20260312
-            pullPolicy: IfNotPresent
-          command:
-            - "sleep"
-            - "infinity"
-          resources:
-            requests:
-              cpu: 10m
-              memory: 32Mi
+              memory: 400Mi
     server-2:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
       pod:
         labels:
           garage-type: server
@@ -65,20 +50,18 @@ garage:
         main:
           image:
             repository: dxflrs/garage
-            tag: v2.2.0
-            pullPolicy: IfNotPresent
+            tag: v2.2.0@sha256:45a61ce3f7c9c24fc23d9ed2b09b27ed560ab87b34605d175d5c588f539c24e4
           envFrom:
             - secretRef:
                 name: garage-token-secret
           resources:
             requests:
               cpu: 10m
-              memory: 128Mi
+              memory: 400Mi
     server-3:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
       pod:
         labels:
           garage-type: server
@@ -96,26 +79,23 @@ garage:
         main:
           image:
             repository: dxflrs/garage
-            tag: v2.2.0
-            pullPolicy: IfNotPresent
+            tag: v2.2.0@sha256:45a61ce3f7c9c24fc23d9ed2b09b27ed560ab87b34605d175d5c588f539c24e4
           envFrom:
             - secretRef:
                 name: garage-token-secret
           resources:
             requests:
               cpu: 10m
-              memory: 128Mi
+              memory: 400Mi
     webui:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
       containers:
         main:
           image:
             repository: khairul169/garage-webui
-            tag: 1.1.0
-            pullPolicy: IfNotPresent
+            tag: 1.1.0@sha256:17c793551873155065bf9a022dabcde874de808a1f26e648d4b82e168806439c
           env:
             - name: API_BASE_URL
               value: http://garage-main.garage:3903
@@ -128,8 +108,8 @@ garage:
                   key: GARAGE_ADMIN_TOKEN
           resources:
             requests:
-              cpu: 10m
-              memory: 128Mi
+              cpu: 1m
+              memory: 10Mi
   configMaps:
     config:
       enabled: true
@@ -320,11 +300,8 @@ garage:
         - garage-webui.alexlebens.net
       rules:
         - backendRefs:
-            - group: ''
-              kind: Service
-              name: garage-webui
+            - name: garage-webui
               port: 3909
-              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -340,11 +317,8 @@ garage:
         - garage-s3.alexlebens.net
       rules:
         - backendRefs:
-            - group: ''
-              kind: Service
-              name: garage-main
+            - name: garage-main
               port: 3900
-              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -361,11 +335,6 @@ garage:
               readOnly: true
               mountPropagation: None
               subPath: garage-1.toml
-          debug:
-            - path: /etc/garage.toml
-              readOnly: true
-              mountPropagation: None
-              subPath: garage-1.toml
         server-2:
           main:
             - path: /etc/garage.toml
@@ -389,21 +358,16 @@ garage:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 50Gi
-      retain: true
       advancedMounts:
         server-1:
           main:
             - path: /var/lib/garage/meta
               readOnly: false
-          debug:
-            - path: /var/lib/garage/meta
-              readOnly: false
     db-2:
       forceRename: garage-db-2
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 50Gi
-      retain: true
       advancedMounts:
         server-2:
           main:
@@ -414,7 +378,6 @@ garage:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 50Gi
-      retain: true
       advancedMounts:
         server-3:
           main:
@@ -425,15 +388,11 @@ garage:
       storageClass: synology-iscsi-delete
       accessMode: ReadWriteOnce
       size: 800Gi
-      retain: true
       advancedMounts:
         server-1:
           main:
             - path: /var/lib/garage/data
               readOnly: false
-          debug:
-            - path: /var/lib/garage/data
-              readOnly: false
     data-2:
       forceRename: garage-data-2
       storageClass: synology-iscsi-delete

clusters/cl01tl/helm/gatus/Chart.yaml

@@ -4,16 +4,14 @@ version: 1.0.0
 description: Gatus
 keywords:
   - gatus
-  - healthcheck
-  - uptime
-  - metrics
-home: https://wiki.alexlebens.dev/s/2a2b0c83-81c7-49e3-aafc-daff4ff23ce2
+  - uptime-monitor
+home: https://docs.alexlebens.dev/applications/gatus/
 sources:
   - https://github.com/TwiN/gatus
-  - https://github.com/cloudnative-pg/cloudnative-pg
   - https://github.com/TwiN/gatus/pkgs/container/gatus
   - https://github.com/TwiN/helm-charts/tree/master/charts/gatus
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:

clusters/cl01tl/helm/gatus/templates/external-secret.yaml

@@ -14,10 +14,7 @@ spec:
   data:
     - secretKey: NTFY_TOKEN
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /ntfy/user/cl01tl
-        metadataPolicy: None
         property: token
 
 ---
@@ -37,15 +34,9 @@ spec:
   data:
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/gatus
-        metadataPolicy: None
         property: client
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/gatus
-        metadataPolicy: None
         property: secret

clusters/cl01tl/helm/gatus/values.yaml

@@ -1,27 +1,14 @@
 gatus:
   deployment:
     strategy: Recreate
-  readinessProbe:
-    enabled: true
-  livenessProbe:
-    enabled: true
   image:
     repository: ghcr.io/twin/gatus
-    tag: v5.35.0
+    tag: v5.35.0@sha256:21609f31be8c4e680ce3004b24276305666239c99aff58391503f3fb6142f39d
   annotations:
     reloader.stakater.com/auto: "true"
-  service:
-    type: ClusterIP
-    port: 80
-    targetPort: 8080
-    portName: http
-  ingress:
-    enabled: false
   gateway:
-    apiVersion: gateway.networking.k8s.io/v1
     route:
       enabled: true
-      path: /
       parentRefs:
         - group: gateway.networking.k8s.io
           kind: Gateway
@@ -73,24 +60,13 @@ gatus:
   resources:
     requests:
       cpu: 10m
-      memory: 128Mi
+      memory: 20Mi
   persistence:
     enabled: true
     size: 1Gi
-    mountPath: /data
-    accessModes:
-      - ReadWriteOnce
-    finalizers:
-      - kubernetes.io/pvc-protection
     storageClassName: ceph-block
   serviceMonitor:
     enabled: true
-    interval: 1m
-    path: /metrics
-    scheme: http
-    scrapeTimeout: 30s
-  networkPolicy:
-    enabled: false
   config:
     metrics: true
     connectivity:
@@ -425,35 +401,12 @@ postgres-18-cluster:
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true
-      # - name: garage-remote
-      #   index: 1
-      #   destinationBucket: postgres-backups
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   retentionPolicy: "90d"
-      #   data:
-      #     compression: bzip2
-      # - name: external
-      #   index: 1
-      #   endpointURL: https://nyc3.digitaloceanspaces.com
-      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 25 14 * * *"
         backupName: garage-local
-      # - name: weekly-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 4 * * SAT"
-      #   backupName: garage-remote
-      # - name: daily-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 0 * * *"
-      #   backupName: external
 volsync-target-data:
   pvcTarget: gatus
   local:

clusters/cl01tl/helm/generic-device-plugin/Chart.yaml

@@ -5,8 +5,7 @@ description: Generic Device Plugin
 keywords:
   - generic-device-plugin
   - device
-  - plugin
-home: https://wiki.alexlebens.dev/s/ee9ba1be-119c-4e83-aea9-b087481554f2
+home: https://docs.alexlebens.dev/applications/generic-device-plugin/
 sources:
   - https://github.com/squat/generic-device-plugin
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/generic-device-plugin

clusters/cl01tl/helm/gitea/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: gitea
-  repository: https://dl.gitea.io/charts/
+  repository: https://dl.gitea.com/charts/
   version: 12.5.0
 - name: actions
   repository: https://dl.gitea.com/charts/
@@ -23,5 +23,5 @@ dependencies:
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.8.0
-digest: sha256:65910bce24fc36bd8e3e4ab0d79c2a18ae076b34aff28bfea8a60598707fe617
-generated: "2026-03-26T16:02:55.325421053Z"
+digest: sha256:49862b06fe4884f504d0a892cb899f577262b584053b64a3504bacaf96d70f39
+generated: "2026-03-26T20:59:30.690577-05:00"

clusters/cl01tl/helm/gitea/Chart.yaml

@@ -5,29 +5,28 @@ description: Gitea
 keywords:
   - gitea
   - git
-  - code
-home: https://wiki.alexlebens.dev/s/94060f71-fd05-4f78-9af2-053f8f221acd
+home: https://docs.alexlebens.dev/applications/gitea/
 sources:
   - https://github.com/go-gitea/gitea
   - https://github.com/renovatebot/renovate
   - https://github.com/Angatar/s3cmd
   - https://github.com/meilisearch/meilisearch
-  - https://github.com/cloudflare/cloudflared
-  - https://github.com/cloudnative-pg/cloudnative-pg
   - https://hub.docker.com/r/gitea/gitea
   - https://hub.docker.com/r/renovate/renovate
   - https://hub.docker.com/r/d3fk/s3cmd/
   - https://gitea.com/gitea/helm-chart
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+  - https://gitea.com/gitea/helm-actions
   - https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:
   - name: gitea
     version: 12.5.0
-    repository: https://dl.gitea.io/charts/
+    repository: https://dl.gitea.com/charts/
   - name: actions
     alias: gitea-actions
     repository: https://dl.gitea.com/charts/
@@ -54,6 +53,6 @@ dependencies:
     alias: volsync-target-storage
     version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
-icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/gitea.png
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/gitea.png
 # renovate: datasource=github-releases depName=go-gitea/gitea
 appVersion: 1.25.5

clusters/cl01tl/helm/gitea/templates/external-secret.yaml

@@ -14,17 +14,11 @@ spec:
   data:
     - secretKey: username
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/gitea/auth/admin
-        metadataPolicy: None
         property: username
     - secretKey: password
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/gitea/auth/admin
-        metadataPolicy: None
         property: password
 
 ---
@@ -44,17 +38,11 @@ spec:
   data:
     - secretKey: secret
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/gitea
-        metadataPolicy: None
         property: secret
     - secretKey: key
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/gitea
-        metadataPolicy: None
         property: client
 
 ---
@@ -74,10 +62,7 @@ spec:
   data:
     - secretKey: token
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/gitea/runner
-        metadataPolicy: None
         property: token
 
 ---
@@ -97,38 +82,23 @@ spec:
   data:
     - secretKey: RENOVATE_ENDPOINT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/gitea/renovate
-        metadataPolicy: None
         property: RENOVATE_ENDPOINT
     - secretKey: RENOVATE_GIT_AUTHOR
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/gitea/renovate
-        metadataPolicy: None
         property: RENOVATE_GIT_AUTHOR
     - secretKey: RENOVATE_TOKEN
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/gitea/renovate
-        metadataPolicy: None
         property: RENOVATE_TOKEN
     - secretKey: RENOVATE_GIT_PRIVATE_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/gitea/renovate
-        metadataPolicy: None
         property: id_rsa
     - secretKey: RENOVATE_GITHUB_COM_TOKEN
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /github/gitea-cl01tl
-        metadataPolicy: None
         property: token
 
 ---
@@ -148,24 +118,15 @@ spec:
   data:
     - secretKey: config
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/gitea/renovate
-        metadataPolicy: None
         property: ssh_config
     - secretKey: id_rsa
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/gitea/renovate
-        metadataPolicy: None
         property: id_rsa
     - secretKey: id_rsa.pub
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/gitea/renovate
-        metadataPolicy: None
         property: id_rsa.pub
 
 ---
@@ -191,8 +152,5 @@ spec:
   data:
     - secretKey: MEILI_MASTER_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/gitea/meilisearch
-        metadataPolicy: None
         property: MEILI_MASTER_KEY

clusters/cl01tl/helm/gitea/values.yaml

@@ -2,6 +2,11 @@ gitea:
   global:
     imageRegistry: registry.hub.docker.com
   replicaCount: 3
+  strategy:
+    type: "RollingUpdate"
+    rollingUpdate:
+      maxSurge: "100%"
+      maxUnavailable: 1
   image:
     repository: gitea/gitea
     tag: 1.25.5
@@ -14,8 +19,10 @@ gitea:
       type: ClusterIP
       port: 22
       clusterIP: 10.103.160.140
-  ingress:
-    enabled: false
+  resources:
+    requests:
+      cpu: 1000m
+      memory: 600Mi
   persistence:
     storageClass: ceph-filesystem
     size: 40Gi
@@ -41,7 +48,7 @@ gitea:
     metrics:
       enabled: true
       serviceMonitor:
-        enabled: false
+        enabled: true
     oauth:
       - name: Authentik
         provider: openidConnect
@@ -139,9 +146,10 @@ gitea-actions:
     replicas: 6
     timezone: America/Chicago
     actRunner:
-      registry: ""
+      registry: docker.io
       repository: gitea/act_runner
-      tag: 0.2.13
+      # renovate: datasource=docker depName=gitea/act_runner
+      tag: 0.3.1@sha256:c2a169c5e99864c25e32527cef3d82203225e09558773022bf3dc164a2e6d762
       config: |
         log:
           level: debug
@@ -154,17 +162,19 @@ gitea-actions:
             - "ubuntu-24.04:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-24.04"
             - "ubuntu-22.04:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-22.04"
     dind:
-      registry: ""
+      registry: docker.io
       repository: docker
-      tag: 28.3.3-dind
+      # renovate: datasource=docker depName=docker
+      tag: 29.3.1-dind@sha256:4d90f1f6c400315c2dba96d3ec93c01e64198395cbba04f79d12adce4f737029
     persistence:
       storageClass: ceph-block
-      size: 5Gi
+      size: 10Gi
   init:
     image:
-      registry: ""
+      registry: docker.io
       repository: busybox
-      tag: "1.37.0"
+      # renovate: datasource=docker depName=busybox
+      tag: 1.37.0@sha256:1487d0af5f52b4ba31c7e465126ee2123fe3f2305d638e7827681e7cf6c83d5e
   existingSecret: gitea-runner-secret
   existingSecretKey: token
   giteaRootURL: http://gitea-http.gitea:3000
@@ -175,17 +185,14 @@ meilisearch:
     MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: true
   auth:
     existingMasterKeySecret: gitea-meilisearch-master-key-secret
-  service:
-    type: ClusterIP
-    port: 7700
   persistence:
     enabled: true
     storageClass: ceph-block
     size: 5Gi
   resources:
     requests:
-      cpu: 10m
-      memory: 128Mi
+      cpu: 1m
+      memory: 160Mi
   serviceMonitor:
     enabled: true
 postgres-18-cluster:
@@ -193,8 +200,8 @@ postgres-18-cluster:
   cluster:
     resources:
       requests:
-        memory: 1Gi
-        cpu: 200m
+        cpu: 100m
+        memory: 100Mi
   recovery:
     method: objectStore
     objectStore:
@@ -206,41 +213,18 @@ postgres-18-cluster:
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true
-      # - name: garage-remote
-      #   index: 1
-      #   destinationBucket: postgres-backups
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   retentionPolicy: "90d"
-      #   data:
-      #     compression: bzip2
-      # - name: external
-      #   index: 1
-      #   endpointURL: https://nyc3.digitaloceanspaces.com
-      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 7 * * *"
         backupName: garage-local
-      # - name: weekly-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 4 * * SAT"
-      #   backupName: garage-remote
-      # - name: daily-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 0 * * *"
-      #   backupName: external
 valkey-gitea:
   valkey:
     resources:
       requests:
         cpu: 20m
-        memory: 256Mi
+        memory: 2Gi
     dataStorage:
       requestedSize: 10Gi
     replica:

clusters/cl01tl/helm/grafana-operator/Chart.yaml

@@ -5,14 +5,13 @@ description: Grafana Operator
 keywords:
   - grafana-operator
   - dashboard
-  - metrics
-  - logs
-home: https://wiki.alexlebens.dev/s/3e5723e1-2ab7-45ab-b496-b8854907fa39
+home: https://docs.alexlebens.dev/applications/grafana-operator/
 sources:
   - https://github.com/grafana/grafana-operator
-  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://github.com/grafana/grafana/pkgs/container/grafana%2Fgrafana
   - https://github.com/grafana/grafana-operator/tree/master/deploy/helm/grafana-operator
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
 maintainers:
   - name: alexlebens
 dependencies:

clusters/cl01tl/helm/grafana-operator/templates/external-secret.yaml

@@ -14,17 +14,11 @@ spec:
   data:
     - secretKey: admin-user
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/grafana/auth
-        metadataPolicy: None
         property: admin-user
     - secretKey: admin-password
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/grafana/auth
-        metadataPolicy: None
         property: admin-password
 
 ---
@@ -44,17 +38,11 @@ spec:
   data:
     - secretKey: AUTH_CLIENT_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/grafana
-        metadataPolicy: None
         property: client
     - secretKey: AUTH_CLIENT_SECRET
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/grafana
-        metadataPolicy: None
         property: secret
 
 ---
@@ -74,17 +62,11 @@ spec:
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /digital-ocean/home-infra/postgres-backups
-        metadataPolicy: None
         property: access
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /digital-ocean/home-infra/postgres-backups
-        metadataPolicy: None
         property: secret
 
 ---
@@ -104,22 +86,13 @@ spec:
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
     - secretKey: ACCESS_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
         property: ACCESS_REGION

clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml

@@ -11,9 +11,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/ceph.json
 
 ---
@@ -30,9 +30,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/coredns.json
 
 ---
@@ -49,9 +49,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/etcd.json
 
 ---
@@ -68,9 +68,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/garage.json
 
 ---
@@ -87,9 +87,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/loki.json
 
 ---
@@ -106,9 +106,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/node-full.json
 
 ---
@@ -125,9 +125,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/node-short.json
 
 ---
@@ -144,9 +144,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-system
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/system/pods.json
 
 ---
@@ -163,9 +163,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/argocd.json
 
 ---
@@ -182,9 +182,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/blocky.json
 
 ---
@@ -201,9 +201,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/cert-manager.json
 
 ---
@@ -220,9 +220,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/cloudnative-pg.json
 
 ---
@@ -239,9 +239,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/descheduler.json
 
 ---
@@ -258,9 +258,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/gatus.json
 
 ---
@@ -277,9 +277,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/grafana-operator.json
 
 ---
@@ -296,9 +296,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/harbor.json
 
 ---
@@ -315,9 +315,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/speedtest-exporter.json
 
 ---
@@ -334,9 +334,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/spegel.json
 
 ---
@@ -353,9 +353,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/traefik.json
 
 ---
@@ -372,9 +372,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/tdarr.json
 
 ---
@@ -391,9 +391,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/unpoller.json
 
 ---
@@ -410,9 +410,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-service
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/volsync.json
 
 ---
@@ -429,9 +429,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-platform
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/s3.json
 
 ---
@@ -448,9 +448,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-platform
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/authentik.json
 
 ---
@@ -467,9 +467,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-platform
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/gitea.json
 
 ---
@@ -486,9 +486,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-platform
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/ntfy.json
 
 ---
@@ -505,9 +505,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-platform
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/qbittorrent.json
 
 ---
@@ -524,9 +524,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-platform
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/vault.json
 
 ---
@@ -543,9 +543,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-iot
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/iot/airgradient.json
 
 ---
@@ -562,9 +562,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-iot
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/iot/server-power-consumption.json
 
 ---
@@ -581,9 +581,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-application
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/application/immich.json
 
 ---
@@ -600,9 +600,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-application
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/application/jellyfin.json
 
 ---
@@ -619,9 +619,9 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-application
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/application/radarr.json
 
 ---
@@ -638,7 +638,7 @@ spec:
   instanceSelector:
     matchLabels:
       app: grafana-main
-  contentCacheDuration: 1h
+  contentCacheDuration: 6h
   folderUID: grafana-folder-application
-  resyncPeriod: 1h
+  resyncPeriod: 6h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/application/sonarr.json

clusters/cl01tl/helm/grafana-operator/templates/grafana.yaml

@@ -56,11 +56,12 @@ spec:
         spec:
           containers:
             - name: grafana
-              image: grafana/grafana:12.0.0
+              # renovate: datasource=docker depName=grafana/grafana
+              image: grafana/grafana:12.4.2@sha256:83749231c3835e390a3144e5e940203e42b9589761f20ef3169c716e734ad505
               resources:
                 requests:
-                  cpu: 100m
-                  memory: 128Mi
+                  cpu: 20m
+                  memory: 120Mi
               env:
                 - name: AUTH_CLIENT_ID
                   valueFrom:
@@ -107,3 +108,12 @@ spec:
                     secretKeyRef:
                       name: grafana-operator-postgresql-18-cluster-app
                       key: password
+  httpRoute:
+    spec:
+      parentRefs:
+        - group: gateway.networking.k8s.io
+          kind: Gateway
+          name: traefik-gateway
+          namespace: traefik
+      hostnames:
+        - grafana.alexlebens.net

clusters/cl01tl/helm/grafana-operator/templates/http-route.yaml

@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: grafana
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - grafana.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: grafana-main-service
-          port: 3000
-          weight: 100

clusters/cl01tl/helm/grafana-operator/values.yaml

@@ -1,17 +1,11 @@
 grafana-operator:
   replicas: 2
-  serviceAccount:
-    create: true
-  rbac:
-    create: true
   resources:
     requests:
-      cpu: 10m
-      memory: 64Mi
+      cpu: 1m
+      memory: 50Mi
   serviceMonitor:
     enabled: true
-  dashboard:
-    enabled: false
 postgres-18-cluster:
   mode: recovery
   recovery:
@@ -25,35 +19,12 @@ postgres-18-cluster:
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true
-      # - name: garage-remote
-      #   index: 1
-      #   destinationBucket: postgres-backups
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   retentionPolicy: "90d"
-      #   data:
-      #     compression: bzip2
-      # - name: external
-      #   index: 1
-      #   endpointURL: https://nyc3.digitaloceanspaces.com
-      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 30 14 * * *"
         backupName: garage-local
-      # - name: weekly-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 4 * * SAT"
-      #   backupName: garage-remote
-      # - name: daily-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 0 * * *"
-      #   backupName: external
 valkey-unified-alerting:
   valkey:
     nameOverride: valkey-unified-alerting

clusters/cl01tl/helm/homepage/Chart.yaml

@@ -19,4 +19,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/homepage.png
 # renovate: datasource=github-releases depName=gethomepage/homepage
-appVersion: v1.11.0
+appVersion: v1.12.0

clusters/cl01tl/helm/homepage/values.yaml

@@ -16,7 +16,7 @@ homepage:
         main:
           image:
             repository: ghcr.io/gethomepage/homepage
-            tag: v1.11.0
+            tag: v1.12.0
             pullPolicy: IfNotPresent
           env:
             - name: HOMEPAGE_ALLOWED_HOSTS

clusters/cl01tl/helm/houndarr/Chart.yaml

@@ -22,4 +22,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://raw.githubusercontent.com/av1155/houndarr/main/src/houndarr/static/img/houndarr-logo-dark.png
 # renovate: datasource=github-releases depName=av1155/houndarr
-appVersion: v1.6.2
+appVersion: v1.6.3

clusters/cl01tl/helm/houndarr/values.yaml

@@ -9,7 +9,7 @@ houndarr:
         main:
           image:
             repository: ghcr.io/av1155/houndarr
-            tag: v1.6.2
+            tag: v1.6.3
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/helm/immich/Chart.yaml

@@ -32,4 +32,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/immich.png
 # renovate: datasource=github-releases depName=immich-app/immich
-appVersion: v2.6.2
+appVersion: v2.6.3

clusters/cl01tl/helm/immich/values.yaml

@@ -9,7 +9,7 @@ immich:
         main:
           image:
             repository: ghcr.io/immich-app/immich-server
-            tag: v2.6.2
+            tag: v2.6.3
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: kube-prometheus-stack
   repository: oci://ghcr.io/prometheus-community/charts
-  version: 82.15.0
+  version: 82.15.1
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.6.2
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.4.0
-digest: sha256:524759b57f9500d5742b962bcdb114ec556d80ec4418921c93a722e00df57647
-generated: "2026-03-26T23:02:03.558664114Z"
+digest: sha256:7be2f0d61a12e674af175046960df7ba06a7248dc92db0b2d9c9b63a77a5bc17
+generated: "2026-03-28T01:54:34.406941487Z"

clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml

@@ -20,7 +20,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: kube-prometheus-stack
-    version: 82.15.0
+    version: 82.15.1
     repository: oci://ghcr.io/prometheus-community/charts
   - name: app-template
     alias: ntfy-alertmanager

clusters/cl01tl/helm/loki/Chart.yaml

@@ -23,4 +23,4 @@ dependencies:
     repository: https://grafana.github.io/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/loki.png
 # renovate: datasource=github-releases depName=grafana/loki
-appVersion: 3.7.0
+appVersion: 3.7.1

clusters/cl01tl/helm/movie-roulette/Chart.yaml

@@ -19,4 +19,4 @@ dependencies:
     version: 4.6.2
 icon: https://raw.githubusercontent.com/sahara101/Movie-Roulette/refs/heads/main/static/icons/icon.png
 # renovate: datasource=github-releases depName=sahara101/Movie-Roulette
-appVersion: v5.3.0
+appVersion: v5.4.0

clusters/cl01tl/helm/movie-roulette/values.yaml

@@ -9,7 +9,7 @@ movie-roulette:
         main:
           image:
             repository: ghcr.io/sahara101/movie-roulette
-            tag: v5.3.0
+            tag: v5.4.0
             pullPolicy: IfNotPresent
           env:
             - name: FLASK_SECRET_KEY

clusters/cl01tl/helm/ntfy/Chart.yaml

@@ -20,4 +20,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ntfy.png
 # renovate: datasource=github-releases depName=binwiederhier/ntfy
-appVersion: 2.20.0
+appVersion: 2.20.1

clusters/cl01tl/helm/ntfy/values.yaml

@@ -9,7 +9,7 @@ ntfy:
         main:
           image:
             repository: binwiederhier/ntfy
-            tag: v2.20.0
+            tag: v2.20.1
             pullPolicy: IfNotPresent
           args: ["serve"]
           env:

clusters/cl01tl/helm/ollama/values.yaml

@@ -22,7 +22,7 @@ ollama:
         main:
           image:
             repository: ollama/ollama
-            tag: 0.18.2
+            tag: 0.18.3
             pullPolicy: IfNotPresent
           env:
             - name: OLLAMA_KEEP_ALIVE
@@ -58,7 +58,7 @@ ollama:
         main:
           image:
             repository: ollama/ollama
-            tag: 0.18.2
+            tag: 0.18.3
             pullPolicy: IfNotPresent
           env:
             - name: OLLAMA_KEEP_ALIVE
@@ -94,7 +94,7 @@ ollama:
         main:
           image:
             repository: ollama/ollama
-            tag: 0.18.2
+            tag: 0.18.3
             pullPolicy: IfNotPresent
           env:
             - name: OLLAMA_KEEP_ALIVE
@@ -117,7 +117,7 @@ ollama:
         main:
           image:
             repository: ghcr.io/open-webui/open-webui
-            tag: v0.8.10
+            tag: v0.8.12
             pullPolicy: IfNotPresent
           env:
             - name: ENV

clusters/cl01tl/helm/postiz/values.yaml

@@ -9,7 +9,7 @@ postiz:
         main:
           image:
             repository: ghcr.io/gitroomhq/postiz-app
-            tag: v2.21.0
+            tag: v2.21.2
             pullPolicy: IfNotPresent
           env:
             - name: MAIN_URL

clusters/cl01tl/helm/rybbit/values.yaml

@@ -122,7 +122,7 @@ rybbit:
         main:
           image:
             repository: clickhouse/clickhouse-server
-            tag: 26.2.5
+            tag: 26.3.2
             pullPolicy: IfNotPresent
           env:
             - name: CLICKHOUSE_DB

clusters/cl01tl/helm/searxng/values.yaml

@@ -9,7 +9,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:f01ceee858fe70e0ba6bf96934cdfad1ecc51fc528e72e17065b800f98ea87bb
+            tag: latest@sha256:032eec8dcd3799007059d0753e9d04837fc8dba8d8b749a08469118a8039b703
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL
@@ -39,7 +39,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:f01ceee858fe70e0ba6bf96934cdfad1ecc51fc528e72e17065b800f98ea87bb
+            tag: latest@sha256:032eec8dcd3799007059d0753e9d04837fc8dba8d8b749a08469118a8039b703
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL

clusters/cl01tl/helm/site-documentation/values.yaml

@@ -11,7 +11,7 @@ site-documentation:
         main:
           image:
             repository: harbor.alexlebens.net/images/site-documentation
-            tag: 0.9.0
+            tag: 0.11.0
             pullPolicy: IfNotPresent
           resources:
             requests:

clusters/cl01tl/helm/tailscale-operator/Chart.yaml

@@ -21,4 +21,4 @@ dependencies:
     repository: https://pkgs.tailscale.com/helmcharts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/tailscale-light.png
 # renovate: datasource=github-releases depName=tailscale/tailscale
-appVersion: v1.96.3
+appVersion: v1.96.4

clusters/cl01tl/helm/traefik/Chart.yaml

@@ -22,4 +22,4 @@ dependencies:
     repository: https://traefik.github.io/charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/webp/traefik.webp
 # renovate: datasource=github-releases depName=traefik/traefik
-appVersion: v3.6.11
+appVersion: v3.6.12

clusters/cl01tl/helm/whodb/Chart.yaml

@@ -20,4 +20,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/whodb.png
 # renovate: datasource=github-releases depName=clidey/whodb
-appVersion: 0.101.0
+appVersion: 0.103.0

clusters/cl01tl/helm/whodb/values.yaml

@@ -8,7 +8,7 @@ whodb:
         main:
           image:
             repository: clidey/whodb
-            tag: 0.101.0
+            tag: 0.103.0
             pullPolicy: IfNotPresent
           env:
             - name: WHODB_OLLAMA_HOST

hosts/ps08rp/traefik/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     traefik:
-        image: ghcr.io/traefik/traefik:v3.6.11@sha256:acfc80650104f0194a15f73dc1648f517561bc1645391a15705332a064cfc33c
+        image: ghcr.io/traefik/traefik:v3.6.12@sha256:171c9c3565b29f6c133f1c1b43c5d4e5853415198e9e1078c001f8702ff66aec
         container_name: traefik
         command:
             - "--global.checkNewVersion=false"

hosts/ps09rp/traefik/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     traefik:
-        image: ghcr.io/traefik/traefik:v3.6.11@sha256:acfc80650104f0194a15f73dc1648f517561bc1645391a15705332a064cfc33c
+        image: ghcr.io/traefik/traefik:v3.6.12@sha256:171c9c3565b29f6c133f1c1b43c5d4e5853415198e9e1078c001f8702ff66aec
         container_name: traefik
         command:
             - "--global.checkNewVersion=false"

hosts/ps10rp/homepage/compose.yaml

@@ -32,7 +32,7 @@ services:
             - /var/run/docker.sock:/var/run/docker.sock:ro
 
     homepage:
-        image: ghcr.io/gethomepage/homepage:v1.11.0@sha256:b129cb0f674bd6d204e215bde2c2fc3f11d6ad0e82f6d20007cf80f74e1acbb1
+        image: ghcr.io/gethomepage/homepage:v1.12.0@sha256:5bb66eac5d48f021fd60414add03aa123d1feb85770550ddb1d99a5b8851c6c2
         container_name: homepage
         labels:
             traefik.enable: true

hosts/ps10rp/traefik/compose.yaml

@@ -20,7 +20,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     traefik:
-        image: ghcr.io/traefik/traefik:v3.6.11@sha256:acfc80650104f0194a15f73dc1648f517561bc1645391a15705332a064cfc33c
+        image: ghcr.io/traefik/traefik:v3.6.12@sha256:171c9c3565b29f6c133f1c1b43c5d4e5853415198e9e1078c001f8702ff66aec
         container_name: traefik
         command:
             - "--global.checkNewVersion=false"

renovate.json

@@ -28,6 +28,18 @@
       ],
       "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver-coerced{{/if}}"
     },
+    {
+      "description": "Update specific images in values",
+      "customType": "regex",
+      "managerFilePatterns": [
+        "(^|/)values\\.yaml$"
+      ],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=(?<datasource>[^\\s]+)\\s+depName=(?<depName>[^\\s]+)\\s*\\n\\s+tag:\\s*[\"']?(?<currentValue>[^\"'\\s]+)[\"']?"
+      ],
+      "depNameTemplate": "{{{depName}}}",
+      "datasourceTemplate": "{{{datasource}}}"
+    },
     {
       "description": "Update images in templates",
       "customType": "regex",
@@ -73,15 +85,6 @@
       ],
       "enabled": false
     },
-    {
-      "description": "Versioning for LinuxServer images",
-      "versioning": "regex:^v?(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-ls(?<revision>\\d+)$",
-      "matchPackageNames": [
-        "/^linuxserver\\//",
-        "/^ghcr\\.io/linuxserver\\//",
-        "/^lscr\\.io/linuxserver\\//"
-      ]
-    },
     {
       "description": "Label by datasource",
       "matchDatasources": [
@@ -91,8 +94,35 @@
       ],
       "addLabels": [
         "{{{datasource}}}"
+      ]
+    },
+    {
+      "description": "Versioning for LinuxServer images",
+      "versioning": "regex:^v?(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)-ls(?<revision>\d+)$",
+      "matchPackageNames": [
+        "/^linuxserver\\//",
+        "/^ghcr\\.io/linuxserver\\//",
+        "/^lscr\\.io/linuxserver\\//"
+      ]
+    },
+    {
+      "description": "Group packages together when stripping registry",
+      "matchManagers": [
+        "custom.regex",
+        "helm-values",
+        "docker"
       ],
-      "automerge": false
+      "groupName": "{{#if packageName}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' packageName)}}}{{else}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' depName)}}}{{/if}}",
+      "groupSlug": "unified-{{{groupName}}}"
+    },
+    {
+      "description": "Group for specific apps",
+      "matchPackageNames": [
+        "/(^|/)(argo-cd|bazarr|cilium|code-server|dawarich|element-web|home-assistant|immich|komodo|rook-ceph|tdarr|traefik)/",
+        "/^rook(-ceph|\\/rook|\\/ceph)/"
+      ],
+      "groupName": "{{{replace '^.*(argo-cd|bazarr|cilium|code-server|dawarich|element-web|home-assistant|immich|komodo|rook-ceph|tdarr|traefik).*$' '$1' depName}}}",
+      "groupSlug": "unified-{{{groupName}}}"
     },
     {
       "description": "Automerge helm chart lock files",
@@ -109,84 +139,14 @@
       "automergeType": "branch"
     },
     {
-      "description": "Automerge patches",
+      "description": "Open for digest updates, specific packages",
       "matchUpdateTypes": [
-        "patch",
-        "pinDigest"
+        "digest"
       ],
-      "matchDatasources": [
-        "helm",
-        "docker",
-        "github-actions"
-      ],
-      "addLabels": [
-        "automerge"
-      ],
-      "automerge": true,
-      "minimumReleaseAge": "1 days"
-    },
-    {
-      "description": "Label appVersion and images, grouped",
-      "matchManagers": [
-        "custom.regex",
-        "helm-values"
-      ],
-      "groupName": "{{#if packageName}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' packageName)}}}{{else}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' depName)}}}{{/if}}",
-      "groupSlug": "unified-{{{groupName}}}",
-      "addLabels": [
-        "docker"
-      ],
-      "automerge": false
-    },
-    {
-      "description": "Automerge appVersion and images, grouped",
-      "matchUpdateTypes": [
-        "patch",
-        "pinDigest"
-      ],
-      "matchManagers": [
-        "custom.regex",
-        "helm-values"
-      ],
-      "groupName": "{{#if packageName}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' packageName)}}}{{else}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' depName)}}}{{/if}}",
-      "groupSlug": "unified-{{{groupName}}}",
-      "addLabels": [
-        "automerge"
-      ],
-      "automerge": true,
-      "minimumReleaseAge": "1 days"
-    },
-    {
-      "description": "Group apps by their keyword",
-      "groupName": "{{{replace '^.*(dawarich|komodo|immich|home-assistant|element-web|cilium|tdarr|argo-cd).*$' '$1' depName}}}",
-      "groupSlug": "unified-{{{groupName}}}",
       "matchPackageNames": [
-        "/(^|/)(?<appName>dawarich|komodo|immich|home-assistant|element-web|cilium|tdarr|argo-cd)/"
-      ]
-    },
-    {
-      "description": "Group Bazarr dependencies",
-      "groupName": "bazarr",
-      "groupSlug": "unified-bazarr",
-      "matchPackageNames": [
-        "bazarr$"
-      ]
-    },
-    {
-      "description": "Group Code Server dependencies",
-      "groupName": "code-server",
-      "groupSlug": "unified-code-server",
-      "matchPackageNames": [
-        "code-server$"
-      ]
-    },
-    {
-      "description": "Group Rook-Ceph dependencies",
-      "groupName": "rook-ceph",
-      "groupSlug": "unified-rook-ceph",
-      "matchPackageNames": [
-        "/^rook(-ceph|\\/rook|\\/ceph)/"
-      ]
+        "excalidraw/excalidraw"
+      ],
+      "enabled": true
     },
     {
       "description": "Automerge digest updates, specific packages",
@@ -205,6 +165,23 @@
       "enabled": true,
       "automerge": true
     },
+    {
+      "description": "Automerge patches",
+      "matchUpdateTypes": [
+        "patch",
+        "pinDigest"
+      ],
+      "matchDatasources": [
+        "helm",
+        "docker",
+        "github-actions"
+      ],
+      "addLabels": [
+        "automerge"
+      ],
+      "automerge": true,
+      "minimumReleaseAge": "1 days"
+    },
     {
       "description": "Automerge images, specific packages",
       "matchUpdateTypes": [