Merge pull request 'feat: migrate to new chart' (#6279) from tmp/rclone-4 into main

Reviewed-on: #6279

.gitea/workflows/renovate.yaml

@@ -13,7 +13,7 @@ on:
 jobs:
   renovate:
     runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.141.5@sha256:8fb9e3cfdadc0994fb87f57be624d1c1940c41c1c53c074465caff85a2b6d3a4
+    container: ghcr.io/renovatebot/renovate:43.141.6@sha256:077a2aada1c508923e4e36b68f7efe3ec013a797da8aed352afd98fb0e1b4c60
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

clusters/cl01tl/helm/audiobookshelf/values.yaml

@@ -23,7 +23,7 @@ audiobookshelf:
         apprise-api:
           image:
             repository: ghcr.io/caronc/apprise
-            tag: v1.3.3@sha256:4bfeac268ba87b8e08e308c9aa0182fe99e9501ec464027afc333d1634e65977
+            tag: v1.4.0@sha256:9d97a6b9b42cf6afdf3b5466dbed2a59cd42a4bb777ec6aa57b5f2ee623569eb
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/cloudnative-pg/Chart.yaml

@@ -13,6 +13,7 @@ sources:
   - https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql
   - https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
   - https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
 maintainers:
   - name: alexlebens
 dependencies:
@@ -22,6 +23,14 @@ dependencies:
   - name: plugin-barman-cloud
     version: 0.6.0
     repository: https://cloudnative-pg.io/charts/
+  - name: rclone-bucket
+    alias: rclone-postgres-backups-remote
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 0.4.1
+  - name: rclone-bucket
+    alias: rclone-postgres-backups-external
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 0.4.1
 icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png
 # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
 appVersion: 1.29.0

clusters/cl01tl/helm/cloudnative-pg/values.yaml

@@ -14,3 +14,60 @@ plugin-barman-cloud:
     requests:
       cpu: 1m
       memory: 20Mi
+rclone-postgres-backups-remote:
+  cronJob:
+    suspend: false
+    schedule: 0 1 * * *
+  rclone:
+    source:
+      bucketName: postgres-backups
+    destination:
+      bucketName: postgres-backups
+  prune:
+    enabled: true
+    ageToPrune: 45d
+    include: "/cl01tl/*/*/*/base/**"
+    exclude: "**/walls/**"
+  secret:
+    externalSecret:
+      source:
+        credentials:
+          path: /garage/home-infra/postgres-backups
+        config:
+          path: /garage/config
+      destination:
+        credentials:
+          path: /garage/home-infra/postgres-backups
+        config:
+          path: /garage/config
+rclone-postgres-backups-external:
+  cronJob:
+    suspend: true
+    schedule: 20 1 * * *
+  rclone:
+    source:
+      bucketName: openbao-backups
+    destination:
+      bucketName: postgres-backups-ecc1010276b61716
+      providerType: DigitalOcean
+  prune:
+    enabled: true
+    ageToPrune: 45d
+    include: "/cl01tl/*/*/*/base/**"
+    exclude: "**/walls/**"
+  secret:
+    externalSecret:
+      source:
+        credentials:
+          path: /garage/home-infra/postgres-backups
+        config:
+          path: /garage/config
+      destination:
+        credentials:
+          path: /digital-ocean/home-infra/postgres-backups
+          keyIdProperty: AWS_ACCESS_KEY_ID
+          secretKeyProperty: AWS_SECRET_ACCESS_KEY
+          regionProperty: AWS_REGION
+        config:
+          path: /digital-ocean/config
+          endpointProperty: ENDPOINT

clusters/cl01tl/helm/directus/Chart.lock

@@ -8,5 +8,8 @@ dependencies:
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.6.1
-digest: sha256:e3d9d7bc069b79ec37769f77d691cda3b8bd92e37a9d1dd2ef8279dc6d2b6cde
+- name: rclone-bucket
-generated: "2026-04-24T21:50:43.755575922Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.2.0
+digest: sha256:b95c228173eb2e4914c37d5c8b3753ad644a90dc9f7f4357dbc1cbf15004961b
+generated: "2026-04-25T20:59:03.456994-05:00"

clusters/cl01tl/helm/directus/Chart.yaml

@@ -12,6 +12,7 @@ sources:
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
 maintainers:
   - name: alexlebens
 dependencies:
@@ -27,6 +28,10 @@ dependencies:
     alias: valkey
     version: 0.6.1
     repository: oci://harbor.alexlebens.net/helm-charts
+  - name: rclone-bucket
+    alias: rclone-directus-assets-remote
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 0.4.1
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 # renovate: datasource=github-releases depName=directus/directus
 appVersion: 11.17.3

clusters/cl01tl/helm/directus/values.yaml

@@ -214,3 +214,24 @@ valkey:
     # https://github.com/valkey-io/valkey-helm/issues/135
     metrics:
       enabled: false
+rclone-directus-assets-remote:
+  cronJob:
+    suspend: false
+    schedule: 0 0 * * *
+  rclone:
+    source:
+      bucketName: directus-assets
+    destination:
+      bucketName: directus-assets
+  secret:
+    externalSecret:
+      source:
+        credentials:
+          path: /garage/home-infra/directus-assets
+        config:
+          path: /garage/config
+      destination:
+        credentials:
+          path: /garage/home-infra/directus-assets
+        config:
+          path: /garage/config

clusters/cl01tl/helm/foldergram/templates/_helpers.tpl

@@ -16,6 +16,6 @@ app.kubernetes.io/part-of: {{ .Release.Name }}
 {{/*
 NFS names
 */}}
-{{- define "custom.storageNfsName" -}}
+{{- define "custom.storageMiaNfsName" -}}
-foldergram-pictures-collections-nfs-storage
+foldergram-pictures-collection-mia-nfs-storage
 {{- end -}}

clusters/cl01tl/helm/foldergram/templates/persistent-volume-claim.yaml

@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: {{ include "custom.storageMiaNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
+    app.kubernetes.io/name: {{ include "custom.storageMiaNfsName" . }}
     {{- include "custom.labels" . | nindent 4 }}
 spec:
-  volumeName: {{ include "custom.storageNfsName" . }}
+  volumeName: {{ include "custom.storageMiaNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/foldergram/templates/persistent-volume.yaml

@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: {{ include "custom.storageMiaNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
+    app.kubernetes.io/name: {{ include "custom.storageMiaNfsName" . }}
     {{- include "custom.labels" . | nindent 4 }}
 spec:
   persistentVolumeReclaimPolicy: Retain
@@ -14,7 +14,7 @@ spec:
   accessModes:
     - ReadWriteMany
   nfs:
-    path: /volume2/Storage/Pictures/Collections
+    path: '/volume2/Storage/Pictures/Collections/Minneapolis Institute of Art'
     server: synologybond.alexlebens.net
   mountOptions:
     - vers=4

clusters/cl01tl/helm/foldergram/values.yaml

@@ -17,7 +17,7 @@ foldergram:
             - name: IMAGE_DETAIL_SOURCE
               value: original
             - name: DERIVATIVE_MODE
-              value: eager
+              value: lazy
             - name: DATA_ROOT
               value: ./data
             - name: GALLERY_ROOT
@@ -76,12 +76,12 @@ foldergram:
           main:
             - path: /app/data
               readOnly: false
-    pictures:
+    pictures-mia:
-      existingClaim: foldergram-pictures-collections-nfs-storage
+      existingClaim: foldergram-pictures-collection-mia-nfs-storage
       advancedMounts:
         main:
           main:
-            - path: /gallery
+            - path: '/gallery/Minneapolis Institute of Art'
               readOnly: true
 volsync-target-db:
   pvcTarget: foldergram-db

clusters/cl01tl/helm/grimmory/Chart.yaml

@@ -28,4 +28,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/grimmory.png
 # renovate: datasource=github-releases depName=grimmory-tools/grimmory
-appVersion: v3.0.0
+appVersion: v3.0.2

clusters/cl01tl/helm/grimmory/values.yaml

@@ -12,7 +12,7 @@ grimmory:
         main:
           image:
             repository: ghcr.io/grimmory-tools/grimmory
-            tag: v3.0.0@sha256:0130c338d4c1186f2f6b6acdc4a7ee56388dfdab9cb0b9a23ac0fc91b79e7d75
+            tag: v3.0.2@sha256:4557a78321add7d70bef7c0b89c2617c8c023246ae39698bc2cbe636f8c97f9b
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/karakeep/Chart.yaml

@@ -15,6 +15,7 @@ sources:
   - https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
 maintainers:
   - name: alexlebens
 dependencies:
@@ -32,6 +33,10 @@ dependencies:
     alias: volsync-target-data
     version: 1.0.0
     repository: oci://harbor.alexlebens.net/helm-charts
+  - name: rclone-bucket
+    alias: rclone-karakeep-assets-remote
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 0.4.1
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/karakeep.png
 # renovate: datasource=github-releases depName=karakeep-app/karakeep
 appVersion: 0.31.0

clusters/cl01tl/helm/karakeep/values.yaml

@@ -172,3 +172,24 @@ volsync-target-data:
   external:
     enabled: true
     schedule: 30 10 * * *
+rclone-karakeep-assets-remote:
+  cronJob:
+    suspend: false
+    schedule: 10 0 * * *
+  rclone:
+    source:
+      bucketName: karakeep-assets
+    destination:
+      bucketName: karakeep-assets
+  secret:
+    externalSecret:
+      source:
+        credentials:
+          path: /garage/home-infra/karakeep-assets
+        config:
+          path: /garage/config
+      destination:
+        credentials:
+          path: /garage/home-infra/karakeep-assets
+        config:
+          path: /garage/config

clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock

@@ -1,7 +1,7 @@
 dependencies:
 - name: kube-prometheus-stack
   repository: oci://ghcr.io/prometheus-community/charts
-  version: 84.0.1
+  version: 84.1.0
 - name: prometheus-operator-crds
   repository: oci://ghcr.io/prometheus-community/charts
   version: 28.0.1
@@ -11,5 +11,5 @@ dependencies:
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.6.1
-digest: sha256:2714de1082a27491925ba1b7adfba884a5ca9e674df22df96e8f6ccf56a54a6e
+digest: sha256:f7340793bc2c04e561d048b110cc7258fac0d5dc3d3b4ecdc6c2d8898445c5ab
-generated: "2026-04-24T17:03:37.423427661Z"
+generated: "2026-04-26T00:12:54.803217038Z"

clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml

@@ -20,7 +20,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: kube-prometheus-stack
-    version: 84.0.1
+    version: 84.1.0
     repository: oci://ghcr.io/prometheus-community/charts
   - name: prometheus-operator-crds
     version: 28.0.1

clusters/cl01tl/helm/music-grabber/Chart.yaml

@@ -24,4 +24,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/music-grabber.png
 # renovate: datasource=docker depName=g33kphr33k/musicgrabber
-appVersion: 2.6.5
+appVersion: 2.6.6

clusters/cl01tl/helm/music-grabber/values.yaml

@@ -12,7 +12,7 @@ music-grabber:
         main:
           image:
             repository: g33kphr33k/musicgrabber
-            tag: 2.6.5@sha256:5d276415a764a56955207ae41fe2df3341a152812fdf8a87e7c0b7e4e1fb681d
+            tag: 2.6.6@sha256:dad8dec4e32671ef7326d31f58ea626fa4622571e65c6bb34459bc2648f1fead
           env:
             - name: MUSIC_DIR
               value: /mnt/store/Music Grabber/
@@ -25,24 +25,24 @@ music-grabber:
             - name: NAVIDROME_USER
               valueFrom:
                 secretKeyRef:
-                  name: music-grabber-config-secret
+                  name: music-grabber-config
                   key: navidrome-user
             - name: NAVIDROME_PASS
               valueFrom:
                 secretKeyRef:
-                  name: music-grabber-config-secret
+                  name: music-grabber-config
                   key: navidrome-password
             - name: SLSKD_URL
               value: http://slskd.slskd:5030
             - name: SLSKD_USER
               valueFrom:
                 secretKeyRef:
-                  name: music-grabber-config-secret
+                  name: music-grabber-config
                   key: slskd-user
             - name: SLSKD_PASS
               valueFrom:
                 secretKeyRef:
-                  name: music-grabber-config-secret
+                  name: music-grabber-config
                   key: slskd-password
             - name: SLSKD_DOWNLOADS_PATH
               value: /mnt/store/slskd/Downloads

clusters/cl01tl/helm/ntfy/Chart.yaml

@@ -10,6 +10,7 @@ sources:
   - https://github.com/binwiederhier/ntfy
   - https://hub.docker.com/r/binwiederhier/ntfy
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
 maintainers:
   - name: alexlebens
 dependencies:
@@ -21,6 +22,10 @@ dependencies:
     alias: postgres-18-cluster
     version: 7.12.1
     repository: oci://harbor.alexlebens.net/helm-charts
+  - name: rclone-bucket
+    alias: rclone-ntfy-attachments-remote
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 0.4.1
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ntfy.png
 # renovate: datasource=github-releases depName=binwiederhier/ntfy
 appVersion: 2.22.0

clusters/cl01tl/helm/ntfy/values.yaml

@@ -124,3 +124,24 @@ postgres-18-cluster:
         immediate: true
         schedule: "0 15 14 * * *"
         backupName: garage-local
+rclone-ntfy-attachments-remote:
+  cronJob:
+    suspend: false
+    schedule: 50 0 * * *
+  rclone:
+    source:
+      bucketName: ntfy-attachments
+    destination:
+      bucketName: ntfy-attachments
+  secret:
+    externalSecret:
+      source:
+        credentials:
+          path: /garage/home-infra/ntfy-attachments
+        config:
+          path: /garage/config
+      destination:
+        credentials:
+          path: /garage/home-infra/ntfy-attachments
+        config:
+          path: /garage/config

clusters/cl01tl/helm/openbao/Chart.yaml

@@ -15,6 +15,7 @@ sources:
   - https://github.com/lrstanley/vault-unseal/pkgs/container/vault-unseal
   - https://github.com/openbao/openbao-helm/tree/main/charts/openbao
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
 maintainers:
   - name: alexlebens
 dependencies:
@@ -25,6 +26,14 @@ dependencies:
     alias: unseal
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.6.2
+  - name: rclone-bucket
+    alias: rclone-openbao-backups-remote
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 0.4.1
+  - name: rclone-bucket
+    alias: rclone-openbao-backups-external
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 0.4.1
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/openbao.png
 # renovate: datasource=github-releases depName=openbao/openbao
 appVersion: v2.5.3

clusters/cl01tl/helm/openbao/values.yaml

@@ -207,3 +207,53 @@ unseal:
             requests:
               cpu: 1m
               memory: 10Mi
+rclone-openbao-backups-remote:
+  cronJob:
+    suspend: false
+    schedule: 0 1 * * *
+  rclone:
+    source:
+      bucketName: openbao-backups
+    destination:
+      bucketName: openbao-backups
+  prune:
+    enabled: true
+    ageToPrune: 90d
+  secret:
+    externalSecret:
+      source:
+        credentials:
+          path: /garage/home-infra/openbao-backups
+        config:
+          path: /garage/config
+      destination:
+        credentials:
+          path: /garage/home-infra/openbao-backups
+        config:
+          path: /garage/config
+rclone-openbao-backups-external:
+  cronJob:
+    suspend: false
+    schedule: 10 1 * * *
+  rclone:
+    source:
+      bucketName: openbao-backups
+    destination:
+      bucketName: openbao-backups-6e088aad5fad110b
+      providerType: DigitalOcean
+  prune:
+    enabled: true
+    ageToPrune: 90d
+  secret:
+    externalSecret:
+      source:
+        credentials:
+          path: /garage/home-infra/openbao-backups
+        config:
+          path: /garage/config
+      destination:
+        credentials:
+          path: /digital-ocean/home-infra/openbao-backups
+        config:
+          path: /digital-ocean/config
+          endpointProperty: ENDPOINT

clusters/cl01tl/helm/qbittorrent/values.yaml

@@ -168,7 +168,7 @@ qbittorrent:
         apprise-api:
           image:
             repository: ghcr.io/caronc/apprise
-            tag: v1.3.3@sha256:4bfeac268ba87b8e08e308c9aa0182fe99e9501ec464027afc333d1634e65977
+            tag: v1.4.0@sha256:9d97a6b9b42cf6afdf3b5466dbed2a59cd42a4bb777ec6aa57b5f2ee623569eb
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/rclone/Chart.yaml

@@ -9,15 +9,14 @@ keywords:
 home: https://docs.alexlebens.dev/applications/rclone/
 sources:
   - https://github.com/rclone/rclone
-  - https://hub.docker.com/r/rclone/rclone
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
 maintainers:
   - name: alexlebens
 dependencies:
-  - name: app-template
+  - name: rclone-bucket
-    alias: rclone
+    alias: rclone-web-assets-remote
-    repository: https://bjw-s-labs.github.io/helm-charts/
+    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 4.6.2
+    version: 0.4.1
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/rclone.png
 # renovate: datasource=github-releases depName=rclone/rclone
 appVersion: v1.73.5

clusters/cl01tl/helm/rclone/templates/external-secret.yaml

@@ -1,270 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: garage-directus-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: garage-directus-secret
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        key: /garage/home-infra/directus-assets
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        key: /garage/home-infra/directus-assets
-        property: ACCESS_REGION
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        key: /garage/home-infra/directus-assets
-        property: ACCESS_SECRET_KEY
-    - secretKey: SRC_ENDPOINT
-      remoteRef:
-        key: /garage/config
-        property: ENDPOINT_LOCAL
-    - secretKey: DEST_ENDPOINT
-      remoteRef:
-        key: /garage/config
-        property: ENDPOINT_REMOTE
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: garage-karakeep-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: garage-karakeep-secret
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        key: /garage/home-infra/karakeep-assets
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        key: /garage/home-infra/karakeep-assets
-        property: ACCESS_REGION
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        key: /garage/home-infra/karakeep-assets
-        property: ACCESS_SECRET_KEY
-    - secretKey: SRC_ENDPOINT
-      remoteRef:
-        key: /garage/config
-        property: ENDPOINT_LOCAL
-    - secretKey: DEST_ENDPOINT
-      remoteRef:
-        key: /garage/config
-        property: ENDPOINT_REMOTE
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: garage-talos-backups-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: garage-talos-backups-secret
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        key: /garage/home-infra/talos-backups
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        key: /garage/home-infra/talos-backups
-        property: ACCESS_REGION
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        key: /garage/home-infra/talos-backups
-        property: ACCESS_SECRET_KEY
-    - secretKey: SRC_ENDPOINT
-      remoteRef:
-        key: /garage/config
-        property: ENDPOINT_LOCAL
-    - secretKey: DEST_ENDPOINT
-      remoteRef:
-        key: /garage/config
-        property: ENDPOINT_REMOTE
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: garage-web-assets-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: garage-web-assets-secret
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        key: /garage/home-infra/web-assets
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        key: /garage/home-infra/web-assets
-        property: ACCESS_REGION
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        key: /garage/home-infra/web-assets
-        property: ACCESS_SECRET_KEY
-    - secretKey: SRC_ENDPOINT
-      remoteRef:
-        key: /garage/config
-        property: ENDPOINT_LOCAL
-    - secretKey: DEST_ENDPOINT
-      remoteRef:
-        key: /garage/config
-        property: ENDPOINT_REMOTE
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: garage-postgres-backups-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: garage-postgres-backups-secret
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        key: /garage/home-infra/postgres-backups
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        key: /garage/home-infra/postgres-backups
-        property: ACCESS_REGION
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        key: /garage/home-infra/postgres-backups
-        property: ACCESS_SECRET_KEY
-    - secretKey: SRC_ENDPOINT
-      remoteRef:
-        key: /garage/config
-        property: ENDPOINT_LOCAL
-    - secretKey: DEST_ENDPOINT
-      remoteRef:
-        key: /garage/config
-        property: ENDPOINT_REMOTE
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: garage-ntfy-attachments-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: garage-ntfy-attachments-secret
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        key: /garage/home-infra/ntfy-attachments
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        key: /garage/home-infra/ntfy-attachments
-        property: ACCESS_REGION
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        key: /garage/home-infra/ntfy-attachments
-        property: ACCESS_SECRET_KEY
-    - secretKey: SRC_ENDPOINT
-      remoteRef:
-        key: /garage/config
-        property: ENDPOINT_LOCAL
-    - secretKey: DEST_ENDPOINT
-      remoteRef:
-        key: /garage/config
-        property: ENDPOINT_REMOTE
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: garage-openbao-backups-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: garage-openbao-backups-secret
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        key: /garage/home-infra/openbao-backups
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        key: /garage/home-infra/openbao-backups
-        property: ACCESS_REGION
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        key: /garage/home-infra/openbao-backups
-        property: ACCESS_SECRET_KEY
-    - secretKey: ENDPOINT_LOCAL
-      remoteRef:
-        key: /garage/config
-        property: ENDPOINT_LOCAL
-    - secretKey: ENDPOINT_REMOTE
-      remoteRef:
-        key: /garage/config
-        property: ENDPOINT_REMOTE
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: external-openbao-backups-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: external-openbao-backups-secret
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        key: /digital-ocean/home-infra/openbao-backups
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        key: /digital-ocean/home-infra/openbao-backups
-        property: ACCESS_REGION
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        key: /digital-ocean/home-infra/openbao-backups
-        property: ACCESS_SECRET_KEY

clusters/cl01tl/helm/rclone/values.yaml

@@ -1,358 +1,5 @@
 rclone:
   controllers:
-    directus-assets:
-      type: cronjob
-      cronjob:
-        suspend: false
-        timeZone: America/Chicago
-        schedule: 0 0 * * *
-        backoffLimit: 3
-        parallelism: 1
-      containers:
-        sync:
-          image:
-            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
-          args:
-            - sync
-            - src:directus-assets
-            - dest:directus-assets
-            - --s3-no-check-bucket
-            - --verbose
-          env:
-            - name: RCLONE_S3_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_SRC_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-directus-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-directus-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_SRC_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-directus-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_SRC_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-directus-secret
-                  key: SRC_ENDPOINT
-            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
-              value: true
-            - name: RCLONE_CONFIG_DEST_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_DEST_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_DEST_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-directus-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-directus-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_DEST_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-directus-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_DEST_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-directus-secret
-                  key: DEST_ENDPOINT
-            - name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE
-              value: true
-    karakeep-assets:
-      type: cronjob
-      cronjob:
-        suspend: false
-        timeZone: America/Chicago
-        schedule: 10 0 * * *
-        backoffLimit: 3
-        parallelism: 1
-      containers:
-        sync:
-          image:
-            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
-          args:
-            - sync
-            - src:karakeep-assets
-            - dest:karakeep-assets
-            - --s3-no-check-bucket
-            - --verbose
-          env:
-            - name: RCLONE_S3_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_SRC_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-karakeep-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-karakeep-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_SRC_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-karakeep-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_SRC_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-karakeep-secret
-                  key: SRC_ENDPOINT
-            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
-              value: true
-            - name: RCLONE_CONFIG_DEST_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_DEST_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_DEST_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-karakeep-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-karakeep-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_DEST_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-karakeep-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_DEST_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-karakeep-secret
-                  key: DEST_ENDPOINT
-            - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
-              value: true
-    talos-backups:
-      type: cronjob
-      cronjob:
-        suspend: false
-        timeZone: America/Chicago
-        schedule: 20 0 * * *
-        backoffLimit: 3
-        parallelism: 1
-      containers:
-        sync:
-          image:
-            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
-          args:
-            - sync
-            - src:talos-backups
-            - dest:talos-backups
-            - --s3-no-check-bucket
-            - --max-age
-            - 90d
-            - --verbose
-          env:
-            - name: RCLONE_S3_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_SRC_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-talos-backups-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-talos-backups-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_SRC_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-talos-backups-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_SRC_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-talos-backups-secret
-                  key: SRC_ENDPOINT
-            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
-              value: true
-            - name: RCLONE_CONFIG_DEST_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_DEST_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_DEST_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-talos-backups-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-talos-backups-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_DEST_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-talos-backups-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_DEST_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-talos-backups-secret
-                  key: DEST_ENDPOINT
-            - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
-              value: true
-        prune:
-          image:
-            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
-          args:
-            - delete
-            - dest:talos-backups
-            - --min-age
-            - 90d
-            - --verbose
-          env:
-            - name: RCLONE_CONFIG_DEST_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_DEST_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_DEST_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-talos-backups-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-talos-backups-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_DEST_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-talos-backups-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_DEST_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-talos-backups-secret
-                  key: DEST_ENDPOINT
-            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
-              value: true
-    web-assets:
-      type: cronjob
-      cronjob:
-        suspend: false
-        timeZone: America/Chicago
-        schedule: 30 0 * * *
-        backoffLimit: 3
-        parallelism: 1
-      containers:
-        sync:
-          image:
-            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
-          args:
-            - sync
-            - src:web-assets
-            - dest:web-assets
-            - --s3-no-check-bucket
-            - --verbose
-          env:
-            - name: RCLONE_S3_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_SRC_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-web-assets-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-web-assets-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_SRC_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-web-assets-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_SRC_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-web-assets-secret
-                  key: SRC_ENDPOINT
-            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
-              value: true
-            - name: RCLONE_CONFIG_DEST_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_DEST_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_DEST_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-web-assets-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-web-assets-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_DEST_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-web-assets-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_DEST_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-web-assets-secret
-                  key: DEST_ENDPOINT
-            - name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE
-              value: true
     postgres-backups:
       type: cronjob
       cronjob:
@@ -476,313 +123,24 @@ rclone:
                   key: DEST_ENDPOINT
             - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
               value: true
-    ntfy-attachments:
+rclone-web-assets-remote:
-      type: cronjob
+  cronJob:
-      cronjob:
+    suspend: false
-        suspend: false
+    schedule: 30 0 * * *
-        timeZone: America/Chicago
+  rclone:
-        schedule: 50 0 * * *
+    source:
-        backoffLimit: 3
+      bucketName: web-assets
-        parallelism: 1
+    destination:
-      containers:
+      bucketName: web-assets
-        sync:
+  secret:
-          image:
+    externalSecret:
-            repository: rclone/rclone
+      source:
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
+        credentials:
-          args:
+          path: /garage/home-infra/web-assets
-            - sync
+        config:
-            - src:ntfy-attachments
+          path: /garage/config
-            - dest:ntfy-attachments
+      destination:
-            - --s3-no-check-bucket
+        credentials:
-            - --verbose
+          path: /garage/home-infra/web-assets
-          env:
+        config:
-            - name: RCLONE_S3_PROVIDER
+          path: /garage/config
-              value: Other
-            - name: RCLONE_CONFIG_SRC_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_SRC_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-ntfy-attachments-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-ntfy-attachments-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_SRC_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-ntfy-attachments-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_SRC_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-ntfy-attachments-secret
-                  key: SRC_ENDPOINT
-            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
-              value: true
-            - name: RCLONE_CONFIG_DEST_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_DEST_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_DEST_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-ntfy-attachments-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-ntfy-attachments-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_DEST_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-ntfy-attachments-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_DEST_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-ntfy-attachments-secret
-                  key: DEST_ENDPOINT
-            - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
-              value: true
-    openbao-backups-remote:
-      type: cronjob
-      cronjob:
-        suspend: false
-        timeZone: America/Chicago
-        schedule: 0 1 * * *
-        backoffLimit: 3
-        parallelism: 1
-      containers:
-        sync:
-          image:
-            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
-          args:
-            - sync
-            - src:openbao-backups
-            - dest:openbao-backups
-            - --s3-no-check-bucket
-            - --max-age
-            - 90d
-            - --verbose
-          env:
-            - name: RCLONE_S3_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_SRC_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_SRC_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_SRC_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ENDPOINT_LOCAL
-            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
-              value: true
-            - name: RCLONE_CONFIG_DEST_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_DEST_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_DEST_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_DEST_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_DEST_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ENDPOINT_REMOTE
-            - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
-              value: true
-        prune:
-          image:
-            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
-          args:
-            - delete
-            - dest:openbao-backups
-            - --min-age
-            - 90d
-            - --verbose
-          env:
-            - name: RCLONE_CONFIG_DEST_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_DEST_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_DEST_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_DEST_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_DEST_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ENDPOINT_REMOTE
-            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
-              value: true
-    openbao-backups-external:
-      type: cronjob
-      cronjob:
-        suspend: false
-        timeZone: America/Chicago
-        schedule: 10 1 * * *
-        backoffLimit: 3
-        parallelism: 1
-      containers:
-        sync:
-          image:
-            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
-          args:
-            - sync
-            - src:openbao-backups
-            - dest:openbao-backups-6e088aad5fad110b
-            - --s3-no-check-bucket
-            - --max-age
-            - 90d
-            - --verbose
-          env:
-            - name: RCLONE_S3_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_SRC_PROVIDER
-              value: Other
-            - name: RCLONE_CONFIG_SRC_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_SRC_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_SRC_ENDPOINT
-              valueFrom:
-                secretKeyRef:
-                  name: garage-openbao-backups-secret
-                  key: ENDPOINT_LOCAL
-            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
-              value: true
-            - name: RCLONE_CONFIG_DEST_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_DEST_PROVIDER
-              value: DigitalOcean
-            - name: RCLONE_CONFIG_DEST_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: external-openbao-backups-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: external-openbao-backups-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_DEST_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: external-openbao-backups-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_DEST_ENDPOINT
-              value: https://nyc3.digitaloceanspaces.com
-            - name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE
-              value: true
-        prune:
-          image:
-            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
-          args:
-            - delete
-            - dest:openbao-backups-6e088aad5fad110b
-            - --min-age
-            - 90d
-            - --verbose
-          env:
-            - name: RCLONE_CONFIG_DEST_TYPE
-              value: s3
-            - name: RCLONE_CONFIG_DEST_PROVIDER
-              value: DigitalOcean
-            - name: RCLONE_CONFIG_DEST_ENV_AUTH
-              value: false
-            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: external-openbao-backups-secret
-                  key: ACCESS_KEY_ID
-            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: external-openbao-backups-secret
-                  key: ACCESS_SECRET_KEY
-            - name: RCLONE_CONFIG_DEST_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: external-openbao-backups-secret
-                  key: ACCESS_REGION
-            - name: RCLONE_CONFIG_DEST_ENDPOINT
-              value: https://nyc3.digitaloceanspaces.com
-            - name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE
-              value: true

clusters/cl01tl/helm/site-documentation/values.yaml

@@ -10,7 +10,7 @@ site-documentation:
         main:
           image:
             repository: harbor.alexlebens.net/images/site-documentation
-            tag: 0.27.0@sha256:dafa3c8aa9401009c299bb274d140acc10d8531dd40c8253783b1f8ed8519d76
+            tag: 0.27.1@sha256:a9e8659827375e7ee65ea8bc8550f4c0604316b48f39da7fa255fa9f3b5a17d6
           resources:
             requests:
               cpu: 10m

clusters/cl01tl/helm/site-profile/values.yaml

@@ -10,7 +10,7 @@ site-profile:
         main:
           image:
             repository: harbor.alexlebens.net/images/site-profile
-            tag: 3.18.5@sha256:2ad5cbbdbf1011f74c5fa804584236ffea266c37f046f837625af79a97bc0b56
+            tag: 3.18.6@sha256:6aacdb7270d21b02d85cd593999014c91614e70c8f6f84774e532f9141237a6c
           resources:
             requests:
               cpu: 10m

clusters/cl01tl/helm/site-saralebens/values.yaml

@@ -10,7 +10,7 @@ site-saralebens:
         main:
           image:
             repository: harbor.alexlebens.net/images/site-saralebens
-            tag: 1.1.1@sha256:b1a92f492127dd0e6b1756dd6798e72fbc991c7b334c0bec87ba39cb9bb14ee3
+            tag: 1.1.2@sha256:53389e7b38dd543eb453ddbfa3a25cb77aada734cb403a29c3e9f5ab77f57996
           resources:
             requests:
               cpu: 10m

clusters/cl01tl/helm/sonarr-4k/Chart.yaml

@@ -33,4 +33,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png
 # renovate: datasource=github-releases depName=linuxserver/docker-sonarr
-appVersion: 4.0.17.2952-ls308
+appVersion: 4.0.17.2952-ls309

clusters/cl01tl/helm/sonarr-4k/values.yaml

@@ -13,7 +13,7 @@ sonarr-4k:
         main:
           image:
             repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.17.2952-ls308@sha256:e6c9a091735fede0c2a205c69e7d4c2f0188eaf2bec7e42d8a26c017e5f2a910
+            tag: 4.0.17.2952-ls309@sha256:3580aec3802c915f0f819a88d5099abce61734b925732b8393d176b5dc561020
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/sonarr-anime/Chart.yaml

@@ -33,4 +33,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png
 # renovate: datasource=github-releases depName=linuxserver/docker-sonarr
-appVersion: 4.0.17.2952-ls308
+appVersion: 4.0.17.2952-ls309

clusters/cl01tl/helm/sonarr-anime/values.yaml

@@ -13,7 +13,7 @@ sonarr-anime:
         main:
           image:
             repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.17.2952-ls308@sha256:e6c9a091735fede0c2a205c69e7d4c2f0188eaf2bec7e42d8a26c017e5f2a910
+            tag: 4.0.17.2952-ls309@sha256:3580aec3802c915f0f819a88d5099abce61734b925732b8393d176b5dc561020
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/sonarr/Chart.yaml

@@ -33,4 +33,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png
 # renovate: datasource=github-releases depName=linuxserver/docker-sonarr
-appVersion: 4.0.17.2952-ls308
+appVersion: 4.0.17.2952-ls309

clusters/cl01tl/helm/sonarr/values.yaml

@@ -12,7 +12,7 @@ sonarr:
         main:
           image:
             repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.17.2952-ls308@sha256:e6c9a091735fede0c2a205c69e7d4c2f0188eaf2bec7e42d8a26c017e5f2a910
+            tag: 4.0.17.2952-ls309@sha256:3580aec3802c915f0f819a88d5099abce61734b925732b8393d176b5dc561020
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/talos/templates/_helpers.tpl

@@ -12,13 +12,3 @@ Selector labels
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
-
-{{/*
-ServiceAccount names
-*/}}
-{{- define "custom.serviceAccountName" -}}
-talos-backup
-{{- end -}}
-{{- define "custom.serviceAccountSecretsName" -}}
-talos-backup-secrets
-{{- end -}}

clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml

@@ -10,7 +10,7 @@ spec:
   provider: openbao
   parameters:
     baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: {{ include "custom.serviceAccountName" . }}
+    roleName: talos-backup
     objects: |
       - objectName: .s3cfg
         fileName: .s3cfg
@@ -30,7 +30,7 @@ spec:
   provider: openbao
   parameters:
     baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: {{ include "custom.serviceAccountName" . }}
+    roleName: talos-backup
     objects: |
       - objectName: .s3cfg
         fileName: .s3cfg
@@ -50,7 +50,7 @@ spec:
   provider: openbao
   parameters:
     baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: {{ include "custom.serviceAccountName" . }}
+    roleName: talos-backup
     objects: |
       - objectName: .s3cfg
         fileName: .s3cfg
@@ -70,7 +70,7 @@ spec:
   provider: openbao
   parameters:
     baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: {{ include "custom.serviceAccountName" . }}
+    roleName: talos-defrag
     objects: |
       - objectName: config
         fileName: config

clusters/cl01tl/helm/talos/templates/service-account.yaml

@@ -1,21 +1,31 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "custom.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.serviceAccountName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
-
----
 apiVersion: talos.dev/v1alpha1
 kind: ServiceAccount
 metadata:
-  name: {{ include "custom.serviceAccountSecretsName" . }}
+  name: talos-backup-secrets
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.serviceAccountSecretsName" . }}
+    app.kubernetes.io/name: talos-backup-secrets
     {{- include "custom.labels" . | nindent 4 }}
 spec:
   roles:
     - os:etcd:backup
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: talos-backup
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: talos-backup
+    {{- include "custom.labels" . | nindent 4 }}
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: talos-defrag
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: talos-defrag
+    {{- include "custom.labels" . | nindent 4 }}

clusters/cl01tl/helm/talos/values.yaml

@@ -399,6 +399,8 @@ etcd-defrag:
         schedule: 0 0 * * 0
         backoffLimit: 3
         parallelism: 1
+      serviceAccount:
+        name: talos-defrag
       containers:
         main:
           image:
@@ -427,6 +429,8 @@ etcd-defrag:
         schedule: 10 0 * * 0
         backoffLimit: 3
         parallelism: 1
+      serviceAccount:
+        name: talos-defrag
       containers:
         main:
           image:
@@ -455,6 +459,8 @@ etcd-defrag:
         schedule: 20 0 * * 0
         backoffLimit: 3
         parallelism: 1
+      serviceAccount:
+        name: talos-defrag
       containers:
         main:
           image:

clusters/cl01tl/helm/vault/templates/config-map.yaml

@@ -9,59 +9,29 @@ metadata:
 data:
   snapshot.sh: |
     DATE=$(date +"%Y%m%d-%H-%M")
-    MAX_RETRIES=5
-    SUCCESS=false
 
     echo " "
     echo ">> Running Vault Snapshot Script ..."
 
     echo " "
-    echo ">> Verifying required commands ..."
+    echo ">> Fetching Vault token ..."
-    echo " "
+    export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID)
 
-    for i in $(seq 1 "$MAX_RETRIES"); do
+    if [ -z "$VAULT_TOKEN" ]; then
-        if apk update 2>&1 >/dev/null; then
+        echo ">> ERROR: Failed to fetch Vault token! Exiting..."
-            echo ">> Attempt $i: Repositories are reachable";
+        exit 1
-            SUCCESS=true;
-            break;
-        else
-            echo ">> Attempt $i: Connection failed, retrying in 5 seconds ...";
-            sleep 5;
-        fi;
-    done;
-
-    if [ "$SUCCESS" = false ]; then
-        echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ...";
-        exit 1;
     fi
 
     echo " "
-
+    echo ">> Taking Vault snapshot ..."
-    if ! command -v jq 2>&1 >/dev/null; then
-        echo ">> Command jq could not be found, installing";
-        apk add --no-cache -q jq;
-        if [ $? -eq 0 ]; then
-            echo ">> Installation successful";
-        else
-            echo ">> Installation failed with exit code $?";
-            exit 1;
-        fi;
-    fi;
-
-    echo " ";
-    echo ">> Fetching Vault token ...";
-    export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
-
-    echo " ";
-    echo ">> Taking Vault snapsot ...";
     vault operator raft snapshot save /opt/backup/vault-snapshot-$DATE.snap
 
-    echo " ";
+    echo " "
-    echo ">> Setting ownership of Vault snapsot ...";
+    echo ">> Setting ownership of Vault snapshot ..."
     chown 100:1000 /opt/backup/vault-snapshot-$DATE.snap
 
-    echo " ";
+    echo " "
-    echo ">> Completed Vault snapshot";
+    echo ">> Completed Vault snapshot"
 
 ---
 apiVersion: v1
@@ -77,75 +47,3 @@ data:
     echo " ";
     echo ">> Running S3 backup for Vault snapshot";
     OUTPUT=$(s3cmd sync --no-check-certificate -v /opt/backup/* "${BUCKET}/cl01tl/cl01tl-vault-snapshots/" 2>&1)
-    STATUS=$?
-
-    if [ $STATUS -ne 0 ]; then
-        if echo "$OUTPUT" | grep -q "403 Forbidden"; then
-            MESSAGE="403 Authentication Error: Your keys are wrong or you don't have permission"
-        elif echo "$OUTPUT" | grep -q "404 Not Found"; then
-            MESSAGE="404 Error: The bucket or folder does not exist"
-        elif echo "$OUTPUT" | grep -q "Connection refused"; then
-            MESSAGE="Network Error: Cannot reach the S3 endpoint"
-        else
-            MESSAGE="Unknown Error"
-            echo " ";
-            echo ">> Unknown Error, output:"
-            echo " "
-            echo "$OUTPUT"
-        fi
-
-        MAX_RETRIES=5
-        SUCCESS=false
-
-        echo " "
-        echo ">> Sending message to ntfy using curl ..."
-
-        echo " "
-        echo ">> Verifying required commands ..."
-
-        for i in $(seq 1 "$MAX_RETRIES"); do
-            if apk update 2>&1 >/dev/null; then
-                echo ">> Attempt $i: Repositories are reachable";
-                SUCCESS=true;
-                break;
-            else
-                echo ">> Attempt $i: Connection failed, retrying in 5 seconds ...";
-                sleep 5;
-            fi;
-        done;
-
-        if [ "$SUCCESS" = false ]; then
-            echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ...";
-            exit 1;
-        fi
-
-        if ! command -v curl 2>&1 >/dev/null; then
-            echo ">> Command curl could not be found, installing";
-            apk add --no-cache -q curl;
-            if [ $? -eq 0 ]; then
-                echo ">> Installation successful";
-            else
-                echo ">> Installation failed with exit code $?";
-                exit 1;
-            fi;
-        fi;
-
-        echo " "
-        echo ">> Sending to NTFY ..."
-        echo ">> Message: $MESSAGE"
-        HTTP_STATUS=$(curl \
-            --silent \
-            --write-out '%{http_code}' \
-            -H "Authorization: Bearer ${NTFY_TOKEN}" \
-            -H "X-Priority: 5" \
-            -H "X-Tags: warning" \
-            -H "X-Title: Vault Backup Failed for ${TARGET}" \
-            -d "$MESSAGE" \
-            ${NTFY_ENDPOINT}/${NTFY_TOPIC}
-        )
-        echo ">> HTTP Status Code: $HTTP_STATUS"
-
-    else
-        echo " ";
-        echo ">> S3 Sync succeeded"
-    fi

clusters/cl01tl/helm/vaultwarden/Chart.yaml

@@ -33,4 +33,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/vaultwarden.png
 # renovate: datasource=github-releases depName=dani-garcia/vaultwarden
-appVersion: 1.35.7
+appVersion: 1.35.8

clusters/cl01tl/helm/vaultwarden/values.yaml

@@ -8,7 +8,7 @@ vaultwarden:
         main:
           image:
             repository: ghcr.io/dani-garcia/vaultwarden
-            tag: 1.35.7@sha256:9a8eec71f4a52411cc43edc7a50f33e9b6f62b5baca0dd95f0c6e7fd60f1a341
+            tag: 1.35.8@sha256:c4f6056fe0c288a052a223cecd263a90d1dda1a0177bb5b054a363a6c7b211d9
           env:
             - name: DOMAIN
               value: https://passwords.alexlebens.dev