feat: remove yubal playlist

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/guillevc/yubal](https://github.com/guillevc/yubal) | major | `0.4.0` → `4.0.0` |
| [guillevc/yubal](https://github.com/guillevc/yubal) | major | `v0.4.0` → `v4.0.0` |

---

### Release Notes

<details>
<summary>guillevc/yubal (ghcr.io/guillevc/yubal)</summary>

### [`v4.0.0`](https://github.com/guillevc/yubal/releases/tag/v4.0.0): 🕐 v0.4.0 — Playlist sync

[Compare Source](https://github.com/guillevc/yubal/compare/v0.4.0...v4.0.0)

This release introduces **scheduled playlist sync** — subscribe to playlists and let yubal keep them updated automatically on a cron schedule.

##### ✨ What's New

- **Playlist subscriptions** — Register playlists to sync periodically with configurable track limits ([#&#8203;33](https://github.com/guillevc/yubal/issues/33))
- **Cron-based scheduler** — Set your preferred sync schedule (e.g., `0 3 * * *` for daily at 3 AM)
- **Unicode filename support** — File and folder names now preserve special characters (e.g., `Björk` instead of `Bjork`) ([#&#8203;44](https://github.com/guillevc/yubal/issues/44))

##### 🔧 Improvements

- **Format selection optimization** — yt-dlp now prefers the configured codec when selecting source streams, avoiding unnecessary transcoding when the source is already in the desired format ([#&#8203;48](https://github.com/guillevc/yubal/issues/48) by [@&#8203;ergosteur](https://github.com/ergosteur) 🚀 )
- **Update yt-dlp to latest version** — Fixes YouTube extraction failures caused by recent player JS changes ([yt-dlp/yt-dlp#15818](https://github.com/yt-dlp/yt-dlp/pull/15818))

##### 🐛 Bug Fixes

- **Cookie authentication** — Fixed failures with large or space-containing `cookies.txt` files, and improved validation with clearer error logging ([#&#8203;30](https://github.com/guillevc/yubal/issues/30), [#&#8203;47](https://github.com/guillevc/yubal/issues/47))

##### ⚠️ Heads Up

File and folder names now preserve unicode characters instead of transliterating them to ASCII. For example:

```
Before: data/Bjork/1997 - Homogenic/01 - Hunter.opus
After:  data/Björk/1997 - Homogenic/01 - Hunter.opus
```

If you have existing downloads for artists with non-ASCII names, re-downloading or syncing will create new folders alongside the old ones. Check your library and merge any duplicates after upgrading.

***

**Full Changelog**: <https://github.com/guillevc/yubal/compare/v0.3.1...v4.0.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4zLjYiLCJ1cGRhdGVkSW5WZXIiOiI0My4zLjYiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImltYWdlIl19-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3794
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

clusters/cl01tl/helm/blocky/values.yaml

@@ -157,13 +157,14 @@ blocky:
               sonarr                          IN      CNAME   traefik-cl01tl
               sonarr-4k                       IN      CNAME   traefik-cl01tl
               sonarr-anime                    IN      CNAME   traefik-cl01tl
+              spotisub                        IN      CNAME   traefik-cl01tl
               stalwart                        IN      CNAME   traefik-cl01tl
               tdarr                           IN      CNAME   traefik-cl01tl
               tubearchivist                   IN      CNAME   traefik-cl01tl
               vault                           IN      CNAME   traefik-cl01tl
               whodb                           IN      CNAME   traefik-cl01tl
               yamtrack                        IN      CNAME   traefik-cl01tl
-              yubal-playlist                  IN      CNAME   traefik-cl01tl
+              yubal                           IN      CNAME   traefik-cl01tl
 
           blocking:
             denylists:

clusters/cl01tl/helm/external-secrets/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: external-secrets
   repository: https://charts.external-secrets.io
-  version: 1.3.2
-digest: sha256:7b7c6dee59f2ea630f0e7a1124aeeda52cdff23769136300384b28210e03945a
-generated: "2026-02-03T21:41:32.061135319Z"
+  version: 2.0.0
+digest: sha256:3833a9f099d80f50e8a7c9874138b9eba42c18fe5f5f5dc605031f7c44bd3971
+generated: "2026-02-06T15:40:39.917039721Z"

clusters/cl01tl/helm/external-secrets/Chart.yaml

@@ -12,8 +12,8 @@ sources:
   - https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
 dependencies:
   - name: external-secrets
-    version: 1.3.2
+    version: 2.0.0
     repository: https://charts.external-secrets.io
 icon: https://avatars.githubusercontent.com/u/68335991?s=48&v=4
 # renovate: datasource=github-releases depName=external-secrets/external-secrets
-appVersion: v1.3.2
+appVersion: v2.0.0

clusters/cl01tl/helm/freshrss/values.yaml

@@ -88,7 +88,7 @@ freshrss:
             - name: PUID
               value: "568"
             - name: TZ
-              value: US/Central
+              value: America/Chicago
             - name: FRESHRSS_ENV
               value: production
             - name: CRON_MIN

clusters/cl01tl/helm/gatus/values.yaml

@@ -310,8 +310,11 @@ gatus:
       - name: lidarr
         url: https://lidarr.alexlebens.net
         <<: *defaults
-      - name: yubal-playlist
-        url: https://yubal-playlist.alexlebens.net
+      - name: spotisub
+        url: https://spotisub.alexlebens.net
+        <<: *defaults
+      - name: yubal
+        url: https://yubal.alexlebens.net
         <<: *defaults
       - name: slskd
         url: https://slskd.alexlebens.net

clusters/cl01tl/helm/homepage/values.yaml

@@ -655,11 +655,17 @@ homepage:
                     url: http://lidarr.lidarr:80
                     key: {{ "{{HOMEPAGE_VAR_LIDARR_KEY}}" }}
                     fields: ["wanted", "queued", "artists"]
-              - Yubal Playlist:
+              - Yubal:
                   icon: sh-yubal.webp
                   description: Replicate Youtube playlist
-                  href: https://yubal-playlist.alexlebens.net
-                  siteMonitor: http://yubal-playlist.yubal-playlist:80
+                  href: https://yubal.alexlebens.net
+                  siteMonitor: http://yubal.yubal:80
+                  statusStyle: dot
+              - Spotisub:
+                  icon: sh-spotify.webp
+                  description: Replicate Spotify playlist
+                  href: https://spotisub.alexlebens.net
+                  siteMonitor: http://spotisub.spotisub:80
                   statusStyle: dot
               - slskd:
                   icon: sh-slskd.webp

clusters/cl01tl/helm/komodo/templates/external-secret.yaml

@@ -47,3 +47,33 @@ spec:
         key: /authentik/oidc/komodo
         metadataPolicy: None
         property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: komodo-postgresql-17-fdb-cluster-ferret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: komodo-postgresql-17-fdb-cluster-ferret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: uri
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/komodo/ferret
+        metadataPolicy: None
+        property: uri
+    - secretKey: password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/komodo/ferret
+        metadataPolicy: None
+        property: password

clusters/cl01tl/helm/komodo/values.yaml

@@ -2,7 +2,7 @@ komodo:
   controllers:
     main:
       type: deployment
-      replicas: 0
+      replicas: 1
       strategy: Recreate
       revisionHistoryLimit: 3
       containers:
@@ -53,14 +53,11 @@ komodo:
             - name: PERIPHERY_SSL_ENABLED
               value: false
             - name: DB_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: komodo-postgresql-17-fdb-cluster-app
-                  key: user
+              value: ferret
             - name: DB_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: komodo-postgresql-17-fdb-cluster-app
+                  name: komodo-postgresql-17-fdb-cluster-ferret
                   key: password
             - name: KOMODO_DATABASE_URI
               value: mongodb://$(DB_USERNAME):$(DB_PASSWORD)@komodo-ferretdb-2.komodo:27017/komodo
@@ -98,11 +95,15 @@ komodo:
             tag: 2.7.0
             pullPolicy: IfNotPresent
           env:
-            - name: FERRETDB_POSTGRESQL_URL
+            - name: DB_USERNAME
+              value: ferret
+            - name: DB_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: komodo-postgresql-17-fdb-cluster-app
-                  key: uri
+                  name: komodo-postgresql-17-fdb-cluster-ferret
+                  key: password
+            - name: FERRETDB_POSTGRESQL_URL
+              value: postgresql://$(DB_USERNAME):$(DB_PASSWORD)@komodo-postgresql-17-fdb-cluster-rw.komodo.svc.cluster.local:5432/ferretDB
           resources:
             requests:
               cpu: 10m
@@ -173,7 +174,6 @@ postgresql-17-fdb-cluster:
       tag: "17-0.106.0-ferretdb-2.5.0"
     postgresUID: 999
     postgresGID: 999
-    enableSuperuserAccess: true
     postgresql:
       parameters:
         cron.database_name: 'ferretDB'
@@ -202,11 +202,6 @@ postgresql-17-fdb-cluster:
         - CREATE EXTENSION IF NOT EXISTS pg_cron;
         - CREATE EXTENSION IF NOT EXISTS documentdb CASCADE;
         - GRANT documentdb_admin_role TO ferret;
-        - GRANT USAGE ON SCHEMA documentdb_core TO ferret;
-        - GRANT USAGE ON SCHEMA documentdb_api TO ferret;
-        - GRANT USAGE ON SCHEMA documentdb_core TO pg_monitor;
-        - GRANT USAGE ON SCHEMA documentdb_api TO pg_monitor;
-        - GRANT SELECT ON ALL TABLES IN SCHEMA documentdb_core TO pg_monitor;
   recovery:
     method: objectStore
     objectStore:
@@ -233,7 +228,7 @@ postgresql-17-fdb-cluster:
       #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
-        suspend: true
+        suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local

clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml

@@ -31,4 +31,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/prometheus.png
 # renovate: datasource=github-releases depName=prometheus-operator/prometheus-operator
-appVersion: v0.88.1
+appVersion: v0.89.0

clusters/cl01tl/helm/navidrome/values.yaml

@@ -24,6 +24,8 @@ navidrome:
               value: false
             - name: ND_PROMETHEUS_ENABLED
               value: true
+            - name: ND_AUTOIMPORTPLAYLISTS
+              value: true
           resources:
             limits:
               gpu.intel.com/i915: 1

clusters/cl01tl/helm/prometheus-operator-crds/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: prometheus-operator-crds
   repository: oci://ghcr.io/prometheus-community/charts
-  version: 26.0.0
-digest: sha256:fb73bc68bbf8ab128ff7fc641413ce3f004677d351038517ed68f5b39eeafb08
-generated: "2026-01-09T20:11:58.398634666Z"
+  version: 27.0.0
+digest: sha256:ab76a45fb53268d4afdad507277c244af11c50344e50a24799182bbd9757258d
+generated: "2026-02-06T14:05:22.069162277Z"

clusters/cl01tl/helm/prometheus-operator-crds/Chart.yaml

@@ -15,8 +15,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: prometheus-operator-crds
-    version: 26.0.0
+    version: 27.0.0
     repository: oci://ghcr.io/prometheus-community/charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/prometheus.png
 # renovate: datasource=github-releases depName=prometheus-operator/prometheus-operator
-appVersion: v0.88.1
+appVersion: v0.89.0

clusters/cl01tl/helm/searxng/values.yaml

@@ -9,7 +9,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:8d77102a0d2c615e88c5184868dc2c32cd361413dbc104abc301f54079fd40a2
+            tag: latest@sha256:670bd1076097640fc25221bf92a8af7d344503ce17ba3305abedf28e3634e807
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL
@@ -39,7 +39,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:8d77102a0d2c615e88c5184868dc2c32cd361413dbc104abc301f54079fd40a2
+            tag: latest@sha256:670bd1076097640fc25221bf92a8af7d344503ce17ba3305abedf28e3634e807
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL

clusters/cl01tl/helm/shelfmark/Chart.yaml

@@ -23,4 +23,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/shelfmark.webp
 # renovate: datasource=github-releases depName=calibrain/shelfmark
-appVersion: v1.0.3
+appVersion: v1.0.4

clusters/cl01tl/helm/shelfmark/values.yaml

@@ -9,7 +9,7 @@ shelfmark:
         main:
           image:
             repository: ghcr.io/calibrain/shelfmark
-            tag: v1.0.3
+            tag: v1.0.4
             pullPolicy: IfNotPresent
           env:
             - name: FLASK_PORT

clusters/cl01tl/helm/spotisub/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.6.2
+digest: sha256:3b63381e4968f95ce2d99fae620f3d1ae6af295b1bacc4ed0fbe9f1ccb0e9405
+generated: "2026-02-06T11:04:57.311195-06:00"

clusters/cl01tl/helm/spotisub/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: spotisub
+version: 1.0.0
+description: Spotisub
+keywords:
+  - spotisub
+  - music
+  - spotify
+home: https://wiki.alexlebens.dev/s/
+sources:
+  - https://github.com/blastbeng/spotisub
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: spotisub
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.6.2
+# renovate: datasource=github-releases depName=blastbeng/spotisub
+appVersion: v0.3.6

clusters/cl01tl/helm/spotisub/templates/external-secret.yaml

@@ -1,10 +1,10 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: yubal-playlist-config-secret
+  name: spotisub-config-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: yubal-playlist-config-secret
+    app.kubernetes.io/name: spotisub-config-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -12,6 +12,41 @@ spec:
     kind: ClusterSecretStore
     name: vault
   data:
+    - secretKey: spotify-client-id
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /spotify/andrew
+        metadataPolicy: None
+        property: client-id
+    - secretKey: spotify-client-secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /spotify/andrew
+        metadataPolicy: None
+        property: client-secret
+    - secretKey: spotify-redirect-uri
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /spotify/andrew
+        metadataPolicy: None
+        property: redirect-uri
+    - secretKey: subsonic-user
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/navidrome/andrew
+        metadataPolicy: None
+        property: user
+    - secretKey: subsonic-password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/navidrome/andrew
+        metadataPolicy: None
+        property: password
     - secretKey: lidarr-key
       remoteRef:
         conversionStrategy: Default
@@ -19,52 +54,15 @@ spec:
         key: /cl01tl/lidarr2/key
         metadataPolicy: None
         property: key
-    - secretKey: subsonic-user
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/navidrome/admin
-        metadataPolicy: None
-        property: user
-    - secretKey: subsonic-password
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/navidrome/admin
-        metadataPolicy: None
-        property: password
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: yubal-playlist-cookie
+  name: spotisub-wireguard-conf
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: yubal-playlist-cookie
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: cookies.txt
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /youtube/cookie
-        metadataPolicy: None
-        property: cookies
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: yubal-playlist-wireguard-conf
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: yubal-playlist-wireguard-conf
+    app.kubernetes.io/name: spotisub-wireguard-conf
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:

clusters/cl01tl/helm/spotisub/templates/namespace.yaml

@@ -1,9 +1,9 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: yubal-playlist
+  name: spotisub
   labels:
-    app.kubernetes.io/name: yubal-playlist
+    app.kubernetes.io/name: spotisub
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
     pod-security.kubernetes.io/audit: privileged

clusters/cl01tl/helm/spotisub/templates/persistent-volume-claim.yaml

@@ -1,14 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: yubal-playlist-nfs-storage
+  name: spotisub-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: yubal-playlist-nfs-storage
+    app.kubernetes.io/name: spotisub-nfs-storage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: yubal-playlist-nfs-storage
+  volumeName: spotisub-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/spotisub/templates/persistent-volume.yaml

@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: yubal-playlist-nfs-storage
+  name: spotisub-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: yubal-playlist-nfs-storage
+    app.kubernetes.io/name: spotisub-nfs-storage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:

clusters/cl01tl/helm/spotisub/values.yaml

@@ -1,65 +1,84 @@
-yubal-playlist:
+spotisub:
   controllers:
     main:
       type: deployment
-      replicas: 1
+      replicas: 0
       strategy: Recreate
       revisionHistoryLimit: 3
-      initContainers:
-        init-copy-cookie:
-          image:
-            repository: busybox
-            tag: 1.37.0
-            pullPolicy: IfNotPresent
-          command:
-            - /bin/sh
-            - -ec
-            - |
-              if [ ! -f "/app/ytdlp/cookies.txt" ]; then
-                echo ">> Coping files ..."
-                ls /app/ytdlp
-                cp -fv /app/ytdlp/cookies-ro.txt /app/ytdlp/cookies.txt
-                echo ">> Files in ytdlp:"
-                ls /app/ytdlp
-              fi
       containers:
         main:
           image:
-            repository: harbor.alexlebens.net/images/yubal-playlist
-            tag: 0.1.10
+            repository: blastbeng/spotisub
+            tag: v0.3.7
             pullPolicy: IfNotPresent
           env:
-            - name: YUBAL_TZ
-              value: America/Chicago
-            - name: YUBAL_HOST
-              value: 0.0.0.0
-            - name: YUBAL_PORT
-              value: 8080
-            - name: YUBAL_DEBUG
-              value: true
-            - name: YUBAL_MB_USER_AGENT
-              value: alexanderlebens@gmail.com
-            - name: YUBAL_LIDARR_ENDPOINT
-              value: http://lidarr.lidarr:80
-            - name: YUBAL_LIDARR_API_KEY
+            - name: SPOTIPY_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: yubal-playlist-config-secret
-                  key: lidarr-key
-            - name: YUBAL_SUBSONIC_ENDPOINT
+                  name: spotisub-config-secret
+                  key: spotify-client-id
+            - name: SPOTIPY_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: spotisub-config-secret
+                  key: spotify-client-secret
+            - name: SPOTIPY_REDIRECT_URI
+              valueFrom:
+                secretKeyRef:
+                  name: spotisub-config-secret
+                  key: spotify-redirect-uri
+            - name: SUBSONIC_API_HOST
               value: http://navidrome-main.navidrome
-            - name: YUBAL_SUBSONIC_PORT
+            - name: SUBSONIC_API_PORT
               value: 80
-            - name: YUBAL_SUBSONIC_USER
+            - name: SUBSONIC_API_USER
               valueFrom:
                 secretKeyRef:
-                  name: yubal-playlist-config-secret
+                  name: spotisub-config-secret
                   key: subsonic-user
-            - name: YUBAL_SUBSONIC_PASSWORD
+            - name: SUBSONIC_API_PASS
               valueFrom:
                 secretKeyRef:
-                  name: yubal-playlist-config-secret
+                  name: spotisub-config-secret
                   key: subsonic-password
+            - name: PLAYLIST_PREFIX
+              value: "Spotify - "
+            - name: NUM_USER_PLAYLISTS
+              value: 0
+            - name: ARTIST_GEN_SCHED
+              value: 0
+            - name: RECOMEND_GEN_SCHED
+              value: 0
+            - name: SPOTDL_ENABLED
+              value: 1
+            - name: SPOTDL_OUT_FORMAT
+              value: "/mnt/store/Music Youtube/Andrew Lebens/{artist}/{album} ({year})/{artists} - {album} - {track-number} - {title}.{output-ext}"
+            - name: LIDARR_ENABLED
+              value: 1
+            - name: LIDARR_IP
+              value: http://lidarr.lidarr
+            - name: LIDARR_PORT
+              value: 80
+            - name: LIDARR_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: spotisub-config-secret
+                  key: lidarr-key
+          probes:
+            liveness:
+              enabled: true
+              custom: true
+              spec:
+                exec:
+                  command:
+                    - /bin/sh
+                    - -c
+                    - "curl -s http://127.0.0.1:5183/api/v1/utils/healthcheck | grep -q 'Ok!'"
+                failureThreshold: 5
+                initialDelaySeconds: 30
+                periodSeconds: 30
+                successThreshold: 1
+                timeoutSeconds: 15
           resources:
             requests:
               cpu: 10m
@@ -81,22 +100,22 @@ yubal-playlist:
             - name: WIREGUARD_PRIVATE_KEY
               valueFrom:
                 secretKeyRef:
-                  name: yubal-playlist-wireguard-conf
+                  name: spotisub-wireguard-conf
                   key: private-key
             - name: UPDATER_PROTONVPN_EMAIL
               valueFrom:
                 secretKeyRef:
-                  name: yubal-playlist-wireguard-conf
+                  name: spotisub-wireguard-conf
                   key: proton-email
             - name: UPDATER_PROTONVPN_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: yubal-playlist-wireguard-conf
+                  name: spotisub-wireguard-conf
                   key: proton-password
             - name: FIREWALL_OUTBOUND_SUBNETS
               value: 10.0.0.0/8
             - name: FIREWALL_INPUT_PORTS
-              value: 8080
+              value: 5183
             - name: DNS_UPSTREAM_RESOLVER_TYPE
               value: dot
           securityContext:
@@ -132,7 +151,7 @@ yubal-playlist:
       ports:
         http:
           port: 80
-          targetPort: 8080
+          targetPort: 5183
           protocol: HTTP
   route:
     main:
@@ -143,12 +162,12 @@ yubal-playlist:
           name: traefik-gateway
           namespace: traefik
       hostnames:
-        - yubal-playlist.alexlebens.net
+        - spotisub.alexlebens.net
       rules:
         - backendRefs:
             - group: ''
               kind: Service
-              name: yubal-playlist
+              name: spotisub
               port: 80
               weight: 100
           matches:
@@ -156,34 +175,20 @@ yubal-playlist:
                 type: PathPrefix
                 value: /
   persistence:
-    cookie:
-      enabled: true
-      type: secret
-      name: yubal-playlist-cookie
-      advancedMounts:
-        main:
-          init-copy-cookie:
-            - path: /app/ytdlp/cookies-ro.txt
-              readOnly: true
-              mountPropagation: None
-              subPath: cookies.txt
-    config:
+    cache:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 1Gi
       retain: true
       advancedMounts:
         main:
-          init-copy-cookie:
-            - path: /app/ytdlp
-              readOnly: false
           main:
-            - path: /app/ytdlp
+            - path: /home/user/spotisub/cache
               readOnly: false
     music:
-      existingClaim: yubal-playlist-nfs-storage
+      existingClaim: spotisub-nfs-storage
       advancedMounts:
         main:
           main:
-            - path: /app/data
+            - path: /mnt/store/Music Youtube/
               readOnly: false

clusters/cl01tl/helm/yubal/Chart.yaml

@@ -1,22 +1,21 @@
 apiVersion: v2
-name: yubal-playlist
+name: yubal
 version: 1.0.0
-description: yubal-playlist
+description: yubal
 keywords:
-  - yubal-playlist
+  - yubal
   - music
   - youtube
 home: https://wiki.alexlebens.dev/s/
 sources:
-  - https://gitea.alexlebens.dev/alexlebens/yubal-playlist
   - https://github.com/guillevc/yubal
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
 maintainers:
   - name: alexlebens
 dependencies:
   - name: app-template
-    alias: yubal-playlist
+    alias: yubal
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.6.2
-# renovate: datasource=github-releases depName=alexlebens/yubal-playlist
-appVersion: 0.0.7
+# renovate: datasource=github-releases depName=guillevc/yubal
+appVersion: v4.0.0

clusters/cl01tl/helm/yubal/templates/external-secret.yaml

@@ -0,0 +1,35 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: yubal-wireguard-conf
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: yubal-wireguard-conf
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: private-key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /protonvpn/conf/cl01tl
+        metadataPolicy: None
+        property: private-key
+    - secretKey: proton-email
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /protonvpn/conf/cl01tl
+        metadataPolicy: None
+        property: email
+    - secretKey: proton-password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /protonvpn/conf/cl01tl
+        metadataPolicy: None
+        property: password

clusters/cl01tl/helm/yubal/templates/namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: yubal
+  labels:
+    app.kubernetes.io/name: yubal
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/yubal/templates/persistent-volume-claim.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: yubal-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: yubal-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: yubal-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/helm/yubal/templates/persistent-volume.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: yubal-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: yubal-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage/Music Youtube/
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/helm/yubal/values.yaml

@@ -0,0 +1,144 @@
+yubal:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      pod:
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 1000
+          fsGroup: 1000
+      containers:
+        main:
+          image:
+            repository: ghcr.io/guillevc/yubal
+            tag: 4.0.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: YUBAL_TZ
+              value: America/Chicago
+            - name: YUBAL_HOST
+              value: 0.0.0.0
+            - name: YUBAL_PORT
+              value: 8000
+            - name: YUBAL_LOG_LEVEL
+              value: INFO
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+        # gluetun:
+        #   image:
+        #     repository: ghcr.io/qdm12/gluetun
+        #     tag: v3.41.0@sha256:6b54856716d0de56e5bb00a77029b0adea57284cf5a466f23aad5979257d3045
+        #     pullPolicy: IfNotPresent
+        #   lifecycle:
+        #     postStart:
+        #       exec:
+        #         command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
+        #   env:
+        #     - name: VPN_SERVICE_PROVIDER
+        #       value: protonvpn
+        #     - name: PUID
+        #       value: "1000"
+        #     - name: PGID
+        #       value: "1000"
+        #     - name: VPN_TYPE
+        #       value: wireguard
+        #     - name: WIREGUARD_PRIVATE_KEY
+        #       valueFrom:
+        #         secretKeyRef:
+        #           name: yubal-wireguard-conf
+        #           key: private-key
+        #     - name: UPDATER_PROTONVPN_EMAIL
+        #       valueFrom:
+        #         secretKeyRef:
+        #           name: yubal-wireguard-conf
+        #           key: proton-email
+        #     - name: UPDATER_PROTONVPN_PASSWORD
+        #       valueFrom:
+        #         secretKeyRef:
+        #           name: yubal-wireguard-conf
+        #           key: proton-password
+        #     - name: FIREWALL_OUTBOUND_SUBNETS
+        #       value: 10.0.0.0/8
+        #     - name: FIREWALL_INPUT_PORTS
+        #       value: 8000
+        #     - name: DNS_UPSTREAM_RESOLVER_TYPE
+        #       value: dot
+        #   securityContext:
+        #     privileged: True
+        #     capabilities:
+        #       add:
+        #         - NET_ADMIN
+        #         - SYS_MODULE
+        #   probes:
+        #     liveness:
+        #       enabled: true
+        #       custom: true
+        #       spec:
+        #         exec:
+        #           command:
+        #             - /gluetun-entrypoint
+        #             - healthcheck
+        #         failureThreshold: 5
+        #         initialDelaySeconds: 30
+        #         periodSeconds: 30
+        #         successThreshold: 1
+        #         timeoutSeconds: 15
+        #   resources:
+        #     limits:
+        #       devic.es/tun: "1"
+        #     requests:
+        #       devic.es/tun: "1"
+        #       cpu: 10m
+        #       memory: 128Mi
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 8000
+          protocol: HTTP
+  route:
+    main:
+      kind: HTTPRoute
+      parentRefs:
+        - group: gateway.networking.k8s.io
+          kind: Gateway
+          name: traefik-gateway
+          namespace: traefik
+      hostnames:
+        - yubal.alexlebens.net
+      rules:
+        - backendRefs:
+            - group: ''
+              kind: Service
+              name: yubal
+              port: 80
+              weight: 100
+          matches:
+            - path:
+                type: PathPrefix
+                value: /
+  persistence:
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 1Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /app/config
+              readOnly: false
+    music:
+      existingClaim: yubal-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /app/data
+              readOnly: false

hosts/ps08rp/blocky/config.yml

@@ -132,13 +132,14 @@ customDNS:
     sonarr                          IN      CNAME   traefik-cl01tl
     sonarr-4k                       IN      CNAME   traefik-cl01tl
     sonarr-anime                    IN      CNAME   traefik-cl01tl
+    spotisub                        IN      CNAME   traefik-cl01tl
     stalwart                        IN      CNAME   traefik-cl01tl
     tdarr                           IN      CNAME   traefik-cl01tl
     tubearchivist                   IN      CNAME   traefik-cl01tl
     vault                           IN      CNAME   traefik-cl01tl
     whodb                           IN      CNAME   traefik-cl01tl
     yamtrack                        IN      CNAME   traefik-cl01tl
-    yubal-playlist                  IN      CNAME   traefik-cl01tl
+    yubal                           IN      CNAME   traefik-cl01tl
 
 blocking:
   denylists:

hosts/ps09rp/blocky/config.yml

@@ -153,13 +153,14 @@ customDNS:
     sonarr                          IN      CNAME   traefik-cl01tl
     sonarr-4k                       IN      CNAME   traefik-cl01tl
     sonarr-anime                    IN      CNAME   traefik-cl01tl
+    spotisub                        IN      CNAME   traefik-cl01tl
     stalwart                        IN      CNAME   traefik-cl01tl
     tdarr                           IN      CNAME   traefik-cl01tl
     tubearchivist                   IN      CNAME   traefik-cl01tl
     vault                           IN      CNAME   traefik-cl01tl
     whodb                           IN      CNAME   traefik-cl01tl
     yamtrack                        IN      CNAME   traefik-cl01tl
-    yubal-playlist                  IN      CNAME   traefik-cl01tl
+    yubal                           IN      CNAME   traefik-cl01tl
 
 blocking:
   denylists: