alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 5 Actions Activity

Compare commits

base: alexlebens:ceded410a12f31c34da05750b2c1400e57523727
Branches Tags
alexlebens:main alexlebens:renovate/unified-valkey alexlebens:renovate/unified-tdarr alexlebens:renovate/unified-postgres-cluster alexlebens:manifests alexlebens:renovate/unified-whatsapp alexlebens:renovate/unified-cilium
..
compare: alexlebens:renovate/unified-valkey
Branches Tags
alexlebens:renovate/unified-valkey alexlebens:renovate/unified-tdarr alexlebens:renovate/unified-postgres-cluster alexlebens:manifests alexlebens:renovate/unified-whatsapp alexlebens:renovate/unified-cilium alexlebens:main

7 Commits
ceded410a1 ... renovate/u

Author SHA1 Message Date
Renovate Bot
e63c342174 chore(deps): update valkey docker tag to v0.5.0
All checks were successful
lint-test-helm / lint-helm (pull_request) Successful in 1m17s
Details
lint-test-helm / validate-kubeconform (pull_request) Successful in 1m10s
Details
2026-03-31 02:08:54 +00:00
Alex Lebens
d67fe3cfdf fix: add dbname (#5306)
All checks were successful
lint-test-helm / lint-helm (push) Successful in 19s
Details
lint-test-helm / validate-kubeconform (push) Has been skipped
Details
renovate / renovate (push) Successful in 2m0s
Details 
Reviewed-on: #5306
 2026-03-31 01:47:52 +00:00
Alex Lebens
fcb24f62af fix: wrong paths (#5304)
Some checks failed
lint-test-helm / lint-helm (push) Successful in 25s
Details
lint-test-helm / validate-kubeconform (push) Has been skipped
Details
renovate / renovate (push) Has been cancelled
Details 
Reviewed-on: #5304
 2026-03-31 01:40:22 +00:00
Alex Lebens
286e43b5de tmp/paperless (#5302)
Some checks failed
lint-test-helm / lint-helm (push) Successful in 42s
Details
lint-test-helm / validate-kubeconform (push) Has been skipped
Details
lint-test-docker / lint-docker-compose (push) Successful in 57s
Details
renovate / renovate (push) Has been cancelled
Details 
Reviewed-on: #5302
 2026-03-31 01:30:37 +00:00
Renovate Bot
4c1cfa5fa5 chore(deps): update dependency binwiederhier/ntfy to v2.21.0 (#5300)
Some checks failed
lint-test-helm / lint-helm (push) Successful in 27s
Details
lint-test-helm / validate-kubeconform (push) Has been skipped
Details
renovate / renovate (push) Has been cancelled
Details 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [binwiederhier/ntfy](https://github.com/binwiederhier/ntfy) | minor | `2.20.1` → `2.21.0` |
| [binwiederhier/ntfy](https://ntfy.sh/) ([source](https://github.com/binwiederhier/ntfy)) | minor | `v2.20.1` → `v2.21.0` |

---

### Release Notes

<details>
<summary>binwiederhier/ntfy (binwiederhier/ntfy)</summary>

### [`v2.21.0`](https://github.com/binwiederhier/ntfy/releases/tag/v2.21.0)

[Compare Source](https://github.com/binwiederhier/ntfy/compare/v2.20.1...v2.21.0)

This release adds the ability to verify email addresses using the `smtp-sender-verify` flag. This is a change that is required because ntfy.sh was used to send unsolicited emails and the AWS SES account was suspended. Going forward, ntfy.sh won't be able to send emails unless the email address was verified ahead of time.

**Features:**

- Add verified email recipients feature with `smtp-sender-verify` config flag, allowing server admins to require email
  address verification before sending email notifications ([#&#8203;1681](https://github.com/binwiederhier/ntfy/pull/1681))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjEwMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkb2NrZXIiXX0=-->

Reviewed-on: #5300
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
 2026-03-31 01:24:10 +00:00
Renovate Bot
859059a996 chore(deps): update favonia/cloudflare-ddns docker tag to v1.16.0 (#5301)
Some checks failed
lint-test-docker / lint-docker-compose (push) Successful in 32s
Details
renovate / renovate (push) Has been cancelled
Details 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [favonia/cloudflare-ddns](https://github.com/favonia/cloudflare-ddns) | minor | `1.15.1` → `1.16.0` |

---

### Release Notes

<details>
<summary>favonia/cloudflare-ddns (favonia/cloudflare-ddns)</summary>

### [`v1.16.0`](https://github.com/favonia/cloudflare-ddns/blob/HEAD/CHANGELOG.markdown#1160-2026-03-30)

[Compare Source](https://github.com/favonia/cloudflare-ddns/compare/v1.15.1...v1.16.0)

Despite the gap of over a year since the last release, we are not aware of any security vulnerability affecting the default configuration. As always, please review the changelog and watch for warnings or errors when upgrading.

#### Highlights

1. **WAF lists now support /128 IPv6 entries.** Cloudflare’s API now accepts individual IPv6 addresses in WAF lists. New `IP4_DEFAULT_PREFIX_LEN` (default `/32`) and `IP6_DEFAULT_PREFIX_LEN` (default `/64`) control how bare addresses are stored in WAF lists. Users can now set `IP6_DEFAULT_PREFIX_LEN` to `128` for per-address granularity. DNS records currently ignore prefix lengths, but will use these in the future.
2. **Multi-instance support via comment-based selection.** New `MANAGED_RECORDS_COMMENT_REGEX` and `MANAGED_WAF_LIST_ITEMS_COMMENT_REGEX` let multiple updater instances safely share the same domain or WAF list, each managing only records or items with matching comments. New `WAF_LIST_ITEM_COMMENT` provides a fallback comment for WAF list items, similar to how `RECORD_COMMENT` serves as a fallback for DNS records.
3. **Multi-IP detection and reconciliation.** Providers now return multiple IP addresses, each with a CIDR prefix length, and the reconciliation algorithm has been redesigned to handle them correctly. The experimental `local.iface` provider now collects all matching global unicast addresses from the specified interface, instead of just the first one. Multi-address support in `url:` and `file:` providers is also experimental.
4. **New `file:` provider.** Reads IP addresses from a local file, re-reading each detection cycle. This enables integration with external scripts or monitoring systems without restarting the updater. (Multi-address support is experimental.)
5. **New variants of `url:` (`url.via4:` and `url.via6:`) for transport overrides.** By default, `url:<url>` connects using the same IP family as the address being detected. Override the IP family used to connect with `url.via4:<url>` or `url.via6:<url>` (e.g., get an IPv6 address over an IPv4 connection). (Multi-address support in URL-based providers is experimental.)
6. **Rewritten user-facing messages.** Many log messages have been reworded into clearer, more natural English.

#### Your Feedback Wanted

The IP prefix length work in this release lays the groundwork for several upcoming features. We’d love your input on the proposed configuration syntax:

- **Per-domain IPv6 host IDs** ([#&#8203;764](https://github.com/favonia/cloudflare-ddns/issues/764)):
  - `IP6_DOMAINS=sub.example.com{hostid6=::2}`
  - `IP6_DOMAINS=sub.example.com{hostid6=preserve}` (keep the detected host IDs)
  - `IP6_DOMAINS=sub.example.com{hostid6=mac(77:cc:a7:f9:45:94)}` (compute an [EUI-64](https://en.wikipedia.org/wiki/IPv6_address#Modified_EUI-64) host ID from a MAC address)
  - `DOMAINS=sub1.example.com{hostid6=::aad1},sub2.example.com{hostid6=preserve}`
- **Detection IP filtering** ([#&#8203;1138](https://github.com/favonia/cloudflare-ddns/issues/1138)):
  - `IP6_DETECTION_FILTER=keep-all`
  - `IP6_DETECTION_FILTER=!addr-in(fc00::/7)`
  - `IP6_DETECTION_FILTER=subnet-in(2001:db8:abcd::/48)`
  - `IP4_DETECTION_FILTER=!addr-in(10.0.0.0/8) && !addr-in(192.168.0.0/16)`
  - `IP6_DETECTION_FILTER=contains(2002:dead:beef::/100) || contains(2005:dead:beef::/100)`

| input        | `addr-in(1.1.0.0/16)`              | `subnet-in(1.1.0.0/16)` | `contains(1.1.0.0/16)` |
| ------------ | ---------------------------------- | ----------------------- | ---------------------- |
| `1.1.1.1/8`  | ✔️                                 | ️                      | ✔️                     |
| `1.1.1.1/16` | ✔️                                 | ✔️                      | ✔️                     |
| `1.1.1.1/24` | ✔️                                 | ✔️                      | ️                     |
| `1.2.2.2/8`  | ️ (`1.2.2.2` not in `1.1.0.0/16`) | ️                      | ✔️                     |

Also planned: a linter for boolean expressions targeting advanced usage of `PROXIED` and the upcoming `IP4/6_DETECTION_FILTER`, and further robustness improvements to the default `cloudflare.trace` provider.

#### Reminder from the Past

As a reminder, since 1.13.0, **the updater no longer drops privileges internally, and `PUID` and `PGID` are ignored.** Please use Docker’s built-in mechanism to drop privileges. The old Docker Compose template may grant unneeded privileges to the new updater, which is not recommended. Please review the new, simpler, and more secure template in [README](./README.markdown). In a nutshell, **remove the `cap_add` attribute and replace the environment variables `PUID` and `PGID` with the [`user: "UID:GID"` attribute](https://docs.docker.com/reference/compose-file/services/#user)**. Similar options may exist for systems not using Docker Compose.

#### Other Notes

**Shoutrrr support is no longer experimental.** The shoutrrr notification integration, introduced in 1.12.0, is now considered stable.

#### Detailed Changes

##### Features

- The detection model has been redesigned so that providers return multiple IP addresses, each with a CIDR prefix length. New `IP4_DEFAULT_PREFIX_LEN` and `IP6_DEFAULT_PREFIX_LEN` settings control how bare addresses are stored in WAF lists. ([#&#8203;1144](https://github.com/favonia/cloudflare-ddns/issues/1144)) ([#&#8203;1156](https://github.com/favonia/cloudflare-ddns/issues/1156))
- The reconciliation algorithm has been redesigned to handle complex metadata mismatches when multiple IP addresses result in multiple records. ([#&#8203;1015](https://github.com/favonia/cloudflare-ddns/issues/1015)) ([#&#8203;1020](https://github.com/favonia/cloudflare-ddns/issues/1020)) ([#&#8203;1022](https://github.com/favonia/cloudflare-ddns/issues/1022)) ([#&#8203;1115](https://github.com/favonia/cloudflare-ddns/issues/1115))
- New `file:` provider reads IP addresses from a local file. ([#&#8203;1148](https://github.com/favonia/cloudflare-ddns/issues/1148))
- New `static:<ip1>,<ip2>,...` and `static.empty` providers have been added. `static.empty` actively clears managed content for a given IP family. ([#&#8203;1102](https://github.com/favonia/cloudflare-ddns/issues/1102)) ([#&#8203;1135](https://github.com/favonia/cloudflare-ddns/issues/1135))
- The `url:`, `file:`, and `static:` providers now accept addresses in CIDR notation (e.g., `198.51.100.1/24`). ([#&#8203;1159](https://github.com/favonia/cloudflare-ddns/issues/1159)) ([#&#8203;1169](https://github.com/favonia/cloudflare-ddns/issues/1169))
- The experimental `local.iface` provider now collects all matching global unicast addresses. ([#&#8203;1095](https://github.com/favonia/cloudflare-ddns/issues/1095))
- New `MANAGED_RECORDS_COMMENT_REGEX` selects only DNS records whose comments match a regex. ([#&#8203;1103](https://github.com/favonia/cloudflare-ddns/issues/1103))
- New `MANAGED_WAF_LIST_ITEMS_COMMENT_REGEX` and `WAF_LIST_ITEM_COMMENT` provide the same comment-based selection for WAF list items. ([#&#8203;1106](https://github.com/favonia/cloudflare-ddns/issues/1106))
- New `url.via4:<url>` and `url.via6:<url>` providers override the IP family used to connect to a custom URL. ([#&#8203;1131](https://github.com/favonia/cloudflare-ddns/issues/1131))
- The updater now warns about likely misconfigured `SHOUTRRR` values. ([#&#8203;1111](https://github.com/favonia/cloudflare-ddns/issues/1111))

##### Bug Fixes

- The configuration parser now warns about extra commas in lists (e.g., `a,,b`) except for trailing commas, which were silently ignored. ([#&#8203;1177](https://github.com/favonia/cloudflare-ddns/issues/1177))
- The updater now exits gracefully when `EMOJI` or `QUIET` is invalid. ([#&#8203;1174](https://github.com/favonia/cloudflare-ddns/issues/1174))
- The updater invalidates relevant zone search cache entries when a zone cannot be found for faster recovery. ([#&#8203;1125](https://github.com/favonia/cloudflare-ddns/issues/1125))
- API token verification is now stricter, catching malformed tokens before any update attempts. ([#&#8203;1126](https://github.com/favonia/cloudflare-ddns/issues/1126))
- Providers (especially `cloudflare.trace` and `cloudflare.doh`) now validate detected IP addresses more strictly. ([#&#8203;1097](https://github.com/favonia/cloudflare-ddns/issues/1097)) ([#&#8203;1099](https://github.com/favonia/cloudflare-ddns/issues/1099)) ([#&#8203;1101](https://github.com/favonia/cloudflare-ddns/issues/1101)) ([#&#8203;1151](https://github.com/favonia/cloudflare-ddns/issues/1151))
- WAF list entries in the configuration are now deduplicated. ([#&#8203;1091](https://github.com/favonia/cloudflare-ddns/issues/1091))
- The updater now warns when a configured domain does not look like a fully qualified domain name. ([#&#8203;1019](https://github.com/favonia/cloudflare-ddns/issues/1019))
- The updater now warns when DNS records and WAF list items for the same domain have mixed ownership (some managed, some not). ([#&#8203;1173](https://github.com/favonia/cloudflare-ddns/issues/1173))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDEuMiIsInVwZGF0ZWRJblZlciI6IjQzLjEwMS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkb2NrZXIiXX0=-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/5301
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
 2026-03-31 01:23:36 +00:00
Renovate Bot
d916bc7460 chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.101.2 (#5299)
All checks were successful
renovate / renovate (push) Successful in 2m35s
Details
2026-03-30 21:04:02 +00:00
44 changed files with 424 additions and 74 deletions
Expand all files Collapse all files

2
.gitea/workflows/renovate.yaml
View File

@@ -13,7 +13,7 @@ on:
jobs:
renovate:
runs-on: ubuntu-latest
container: ghcr.io/renovatebot/renovate:43.101.1@sha256:06c9297754f7d487adca6446b9970fecade3202190138259e7888c30ec8d4277
container: ghcr.io/renovatebot/renovate:43.101.2@sha256:89a1fd5861ee1c95be19f7d18669c7dcc94c516f8399436f1465e3ef3af7f452
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

6
clusters/cl01tl/helm/authentik/Chart.lock
View File

@@ -10,6 +10,6 @@ dependencies:
version: 7.10.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
digest: sha256:8c353c5dad4c3d04d518c1445497f0d1cb64261a4201ae17a2c0874454b807a7
generated: "2026-03-15T20:04:35.99407071Z"
version: 0.5.0
digest: sha256:61594c78fbb79aca6131bfc07805050e47c7999ce9bbca6283c30530f7695d44
generated: "2026-03-31T02:03:30.323057589Z"

2
clusters/cl01tl/helm/authentik/Chart.yaml
View File

@@ -29,7 +29,7 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
# renovate: datasource=github-releases depName=goauthentik/authentik

6
clusters/cl01tl/helm/blocky/Chart.lock
View File

@@ -4,6 +4,6 @@ dependencies:
version: 4.6.2
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
digest: sha256:a5b0099261d772b24a302a106d106cfa82ac07fa14564141e00cf107d708e859
generated: "2026-03-09T23:06:16.853255429Z"
version: 0.5.0
digest: sha256:49b0e666059bad492ebaa4a20119ce5bbd1959a1ee6b22b271a9ca9529122697
generated: "2026-03-31T02:03:52.433689587Z"

2
clusters/cl01tl/helm/blocky/Chart.yaml
View File

@@ -20,7 +20,7 @@ dependencies:
version: 4.6.2
- name: valkey
alias: valkey
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
# renovate: datasource=github-releases depName=0xerr0r/blocky

1
clusters/cl01tl/helm/blocky/values.yaml
View File

@@ -144,6 +144,7 @@ blocky:
objects IN CNAME traefik-cl01tl
ollama IN CNAME traefik-cl01tl
omni-tools IN CNAME traefik-cl01tl
paperless-ngx IN CNAME traefik-cl01tl
photoview IN CNAME traefik-cl01tl
plex IN CNAME traefik-cl01tl
postiz IN CNAME traefik-cl01tl

6
clusters/cl01tl/helm/dawarich/Chart.lock
View File

@@ -7,6 +7,6 @@ dependencies:
version: 7.10.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
digest: sha256:7584c2a1613454bbd83b66df46170fd0157df5186842844d483e2dd131398574
generated: "2026-03-15T20:04:49.68456485Z"
version: 0.5.0
digest: sha256:8db0a7a2ef774f3a729378cb84ee16c8ca929906c4de33572fdaa06c062a5066
generated: "2026-03-31T02:04:12.232594668Z"

2
clusters/cl01tl/helm/dawarich/Chart.yaml
View File

@@ -25,7 +25,7 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
# renovate: datasource=github-releases depName=Freika/dawarich

6
clusters/cl01tl/helm/directus/Chart.lock
View File

@@ -7,6 +7,6 @@ dependencies:
version: 7.10.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
digest: sha256:dfcb5d35e03ecdc4206227d206d36509319f0dcdaed54363840d71337debb3f7
generated: "2026-03-15T20:05:03.156596646Z"
version: 0.5.0
digest: sha256:5547185ded7e1416cb9b3142bc997f176622633437f68607f8b17359fcd032a0
generated: "2026-03-31T02:04:31.187202744Z"

2
clusters/cl01tl/helm/directus/Chart.yaml
View File

@@ -25,7 +25,7 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
# renovate: datasource=github-releases depName=directus/directus

6
clusters/cl01tl/helm/gatus/values.yaml
View File

@@ -164,15 +164,15 @@ gatus:
- name: roundcube
url: https://mail.alexlebens.net
<<: *defaults
- name: paperless-ngx
url: https://paperless-ngx.alexlebens.net
<<: *defaults
- name: kiwix
url: https://kiwix.alexlebens.net
<<: *defaults
- name: excalidraw
url: https://excalidraw.alexlebens.net
<<: *defaults
- name: languagetool
url: https://languagetool.alexlebens.net
<<: *defaults
- name: gitea
url: https://gitea.alexlebens.net
<<: *defaults

8
clusters/cl01tl/helm/gitea/Chart.lock
View File

@@ -16,12 +16,12 @@ dependencies:
version: 7.10.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
version: 0.5.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
version: 0.5.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
digest: sha256:e2c79d0dc5bee77c31bb92f117eac6fe248def2c17eaa589cc4388e7ad55c84f
generated: "2026-03-30T16:13:01.539524905Z"
digest: sha256:bbc7c8c9da52c79c8b8cfe93ec75a1df75fd2985e82417e61eae6ba11da52a89
generated: "2026-03-31T02:04:50.941257129Z"

4
clusters/cl01tl/helm/gitea/Chart.yaml
View File

@@ -43,11 +43,11 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey-gitea
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey-renovate
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-storage

8
clusters/cl01tl/helm/grafana-operator/Chart.lock
View File

@@ -7,9 +7,9 @@ dependencies:
version: 7.10.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
version: 0.5.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
digest: sha256:a3bf183bcecb4d4b5354fe91a549075997dccb41c193da9daec9ccbe4d659fe2
generated: "2026-03-18T10:04:15.165729555Z"
version: 0.5.0
digest: sha256:1924dca439d3a8c9c5bd31a4b8602011a37e913d8c1ad7550cad817eb7470951
generated: "2026-03-31T02:05:18.88765675Z"

4
clusters/cl01tl/helm/grafana-operator/Chart.yaml
View File

@@ -24,11 +24,11 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey-unified-alerting
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey-remote-cache
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/grafana.png
# renovate: datasource=github-releases depName=grafana/grafana-operator

6
clusters/cl01tl/helm/harbor/Chart.lock
View File

@@ -7,6 +7,6 @@ dependencies:
version: 7.10.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
digest: sha256:e7a5cee56dddb4abc07ff18677cb6ddf55571b38da2eeb7e654e8ad8f7709bfa
generated: "2026-03-19T04:16:54.362332682Z"
version: 0.5.0
digest: sha256:7c558ba0072be3d383ea0368ef7822f26c91f0cb5ea22f1f09087cc694613010
generated: "2026-03-31T02:05:40.719139189Z"

2
clusters/cl01tl/helm/harbor/Chart.yaml
View File

@@ -24,7 +24,7 @@ dependencies:
repository: https://gitea.alexlebens.net/api/packages/alexlebens/helm
- name: valkey
alias: valkey
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/harbor.png
# renovate: datasource=github-releases depName=goharbor/harbor

6
clusters/cl01tl/helm/homepage/values.yaml
View File

@@ -304,6 +304,12 @@ homepage:
href: https://mail.alexlebens.net
siteMonitor: http://roundcube.roundcube:80
statusStyle: dot
- Documents:
icon: sh-paperless-ngx.webp
description: Paperless-ngx
href: https://paperless-ngx.alexlebens.net
siteMonitor: http://paperless-ngx.paperless-ngx:80
statusStyle: dot
- Wiki:
icon: sh-kiwix-light.webp
description: Kiwix

6
clusters/cl01tl/helm/immich/Chart.lock
View File

@@ -7,9 +7,9 @@ dependencies:
version: 7.10.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
version: 0.5.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
digest: sha256:b79ea8c506f0172deed820247a33c79329f34426435c8b5eb27b206ac8831b13
generated: "2026-03-15T20:06:27.091094433Z"
digest: sha256:fa48b88dd941293142c5601553f32c0d5cb1a7c193ad9be1ca3607ac4156c43b
generated: "2026-03-31T02:06:05.614354076Z"

2
clusters/cl01tl/helm/immich/Chart.yaml
View File

@@ -24,7 +24,7 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-data

6
clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
View File

@@ -7,6 +7,6 @@ dependencies:
version: 4.6.2
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
digest: sha256:7be2f0d61a12e674af175046960df7ba06a7248dc92db0b2d9c9b63a77a5bc17
generated: "2026-03-28T01:54:34.406941487Z"
version: 0.5.0
digest: sha256:532272c1cf1d0054ff2f0a4e728505502a1dda9f31444762def0c743a265a2c6
generated: "2026-03-31T02:06:25.715234173Z"

2
clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
View File

@@ -28,7 +28,7 @@ dependencies:
version: 4.6.2
- name: valkey
alias: valkey
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/prometheus.png
# renovate: datasource=github-releases depName=prometheus-operator/prometheus-operator

8
clusters/cl01tl/helm/matrix-synapse/Chart.lock
View File

@@ -22,10 +22,10 @@ dependencies:
version: 7.10.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
version: 0.5.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
version: 0.5.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
@@ -38,5 +38,5 @@ dependencies:
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
digest: sha256:8fb2d00605ade15db97e778f47ecc1ffae3705ce3408a17e0a21f7def65de884
generated: "2026-03-24T16:59:56.540825394Z"
digest: sha256:4768c191b140a310d8b24f9dd9e50f8638cfef58614abeb1bb9846d847e44a62
generated: "2026-03-31T02:06:48.520513399Z"

4
clusters/cl01tl/helm/matrix-synapse/Chart.yaml
View File

@@ -57,11 +57,11 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey-matrix-synapse
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey-hookshot
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-synapse

2
clusters/cl01tl/helm/matrix-synapse/values.yaml
View File

@@ -345,7 +345,7 @@ mautrix-whatsapp:
main:
image:
repository: dock.mau.dev/mautrix/whatsapp
tag: v0.2603.0
tag: v0.2602.0
pullPolicy: IfNotPresent
resources:
requests:

2
clusters/cl01tl/helm/ntfy/Chart.yaml
View File

@@ -20,4 +20,4 @@ dependencies:
version: 4.6.2
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ntfy.png
# renovate: datasource=github-releases depName=binwiederhier/ntfy
appVersion: 2.20.1
appVersion: 2.21.0

2
clusters/cl01tl/helm/ntfy/values.yaml
View File

@@ -9,7 +9,7 @@ ntfy:
main:
image:
repository: binwiederhier/ntfy
tag: v2.20.1
tag: v2.21.0
pullPolicy: IfNotPresent
args: ["serve"]
env:

6
clusters/cl01tl/helm/outline/Chart.lock
View File

@@ -10,9 +10,9 @@ dependencies:
version: 7.10.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
version: 0.5.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
digest: sha256:02780454fad48c10e95851e73e45e8a98091596d9dce8ada9e361e7212e581df
generated: "2026-03-15T20:07:38.818063491Z"
digest: sha256:fce70d7d6aab875ba9d71267e626cea4b723979a019864543d98687a274291cf
generated: "2026-03-31T02:07:15.884015887Z"

2
clusters/cl01tl/helm/outline/Chart.yaml
View File

@@ -31,7 +31,7 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-data

24
clusters/cl01tl/helm/paperless-ngx/Chart.lock Normal file
View File

@@ -0,0 +1,24 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
- name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts
version: 7.11.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.5.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
digest: sha256:08acc0818deaede4bb7515be7cbb1253f30036b70af6038caa69e4bd3cc02412
generated: "2026-03-30T20:25:47.995874-05:00"

51
clusters/cl01tl/helm/paperless-ngx/Chart.yaml Normal file
View File

@@ -0,0 +1,51 @@
apiVersion: v2
name: paperless-ngx
version: 1.0.0
description: Paperless-ngx
keywords:
- paperless-ngx
- documents
home: https://docs.alexlebens.dev/applications/paperless-ngx/
sources:
- https://github.com/paperless-ngx/paperless-ngx
- https://github.com/gotenberg/gotenberg
- https://github.com/paperless-ngx/paperless-ngx/pkgs/container/paperless-ngx
- https://hub.docker.com/r/gotenberg/gotenberg
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: paperless-ngx
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
- name: postgres-cluster
alias: postgres-18-cluster
version: 7.11.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-data
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-media
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-export
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-consume
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/paperless-ngx.png
# renovate: datasource=github-releases depName=paperless-ngx/paperless-ngx
appVersion: 2.20.13

54
clusters/cl01tl/helm/paperless-ngx/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,54 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: paperless-ngx-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: paperless-ngx-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret-key
remoteRef:
key: /cl01tl/paperless-ngx/secret
property: secret-key
- secretKey: admin-user
remoteRef:
key: /cl01tl/paperless-ngx/secret
property: admin-user
- secretKey: admin-password
remoteRef:
key: /cl01tl/paperless-ngx/secret
property: admin-password
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: paperless-ngx-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: paperless-ngx-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
key: /authentik/oidc/paperless-ngx
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
key: /authentik/oidc/paperless-ngx
property: secret
- secretKey: PAPERLESS_SOCIALACCOUNT_PROVIDERS
remoteRef:
key: /authentik/oidc/paperless-ngx
property: PAPERLESS_SOCIALACCOUNT_PROVIDERS

212
clusters/cl01tl/helm/paperless-ngx/values.yaml Normal file
View File

@@ -0,0 +1,212 @@
paperless-ngx:
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
containers:
main:
image:
repository: ghcr.io/paperless-ngx/paperless-ngx
tag: 2.20.13@sha256:4b05bcd28e6923768000b5d247cbf2c66fd49bdc3f3b05955bd4f6790a638b01
env:
- name: PAPERLESS_REDIS
value: redis://paperless-ngx-valkey.paperless-ngx:6379
- name: PAPERLESS_DBHOST
valueFrom:
secretKeyRef:
name: paperless-ngx-postgresql-18-cluster-app
key: host
- name: PAPERLESS_DBPORT
valueFrom:
secretKeyRef:
name: paperless-ngx-postgresql-18-cluster-app
key: port
- name: PAPERLESS_DBNAME
valueFrom:
secretKeyRef:
name: paperless-ngx-postgresql-18-cluster-app
key: dbname
- name: PAPERLESS_DBUSER
valueFrom:
secretKeyRef:
name: paperless-ngx-postgresql-18-cluster-app
key: user
- name: PAPERLESS_DBPASS
valueFrom:
secretKeyRef:
name: paperless-ngx-postgresql-18-cluster-app
key: password
- name: PAPERLESS_TIKA_ENABLED
value: true
- name: PAPERLESS_TIKA_GOTENBERG_ENDPOINT
value: http://localhost:3000/
- name: PAPERLESS_SECRET_KEY
valueFrom:
secretKeyRef:
name: paperless-ngx-secret
key: secret-key
- name: PAPERLESS_URL
value: https://paperless-ngx.alexlebens.net
- name: PAPERLESS_ALLOWED_HOSTS
value: paperless-ngx.alexlebens.net, paperless-ngx.paperless-ngx
- name: PAPERLESS_ADMIN_USER
valueFrom:
secretKeyRef:
name: paperless-ngx-secret
key: admin-user
- name: PAPERLESS_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: paperless-ngx-secret
key: admin-password
- name: PAPERLESS_ACCOUNT_ALLOW_SIGNUPS
value: true
- name: PAPERLESS_SOCIAL_AUTO_SIGNUP
value: true
- name: PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS
value: true
- name: PAPERLESS_APPS
value: allauth.socialaccount.providers.openid_connect
- name: PAPERLESS_LOGOUT_REDIRECT_URL
value: https://authentik.alexlebens.net/application/o/paperless-ngx/end-session/
- name: PAPERLESS_SOCIALACCOUNT_PROVIDERS
valueFrom:
secretKeyRef:
name: paperless-ngx-oidc-secret
key: PAPERLESS_SOCIALACCOUNT_PROVIDERS
- name: PAPERLESS_TIME_ZONE
value: America/Chicago
resources:
requests:
cpu: 1m
memory: 100Mi
gotenberg:
image:
repository: gotenberg/gotenberg
tag: 8.29.1@sha256:36c925776fa0db0fd1030408d131fde7ac3453027a559883555155b72adb16a7
service:
main:
controller: main
ports:
http:
port: 80
targetPort: 8000
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- paperless-ngx.alexlebens.net
rules:
- backendRefs:
- name: paperless-ngx
port: 80
matches:
- path:
type: PathPrefix
value: /
persistence:
data:
forceRename: paperless-ngx-data
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 2Gi
advancedMounts:
main:
main:
- path: /usr/src/paperless/data
media:
forceRename: paperless-ngx-media
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 10Gi
advancedMounts:
main:
main:
- path: /usr/src/paperless/media
export:
forceRename: paperless-ngx-export
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 2Gi
advancedMounts:
main:
main:
- path: /usr/src/paperless/export
consume:
forceRename: paperless-ngx-consume
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 2Gi
advancedMounts:
main:
main:
- path: /usr/src/paperless/consume
postgres-18-cluster:
mode: recovery
recovery:
method: objectStore
objectStore:
index: 1
backup:
objectStore:
- name: garage-local
index: 1
destinationBucket: postgres-backups
externalSecretCredentialPath: /garage/home-infra/postgres-backups
isWALArchiver: true
scheduledBackups:
- name: live-backup
suspend: false
immediate: true
schedule: "0 15 15 * * *"
backupName: garage-local
volsync-target-data:
pvcTarget: paperless-ngx-data
local:
enabled: true
schedule: 2 8 * * *
remote:
enabled: true
schedule: 2 9 * * *
external:
enabled: true
schedule: 2 10 * * *
volsync-target-media:
pvcTarget: paperless-ngx-metadata
local:
enabled: true
schedule: 4 8 * * *
remote:
enabled: true
schedule: 4 9 * * *
external:
enabled: true
schedule: 4 10 * * *
volsync-target-export:
pvcTarget: paperless-ngx-data
local:
enabled: true
schedule: 2 8 * * *
remote:
enabled: true
schedule: 2 9 * * *
external:
enabled: true
schedule: 2 10 * * *
volsync-target-consume:
pvcTarget: paperless-ngx-metadata
local:
enabled: true
schedule: 4 8 * * *
remote:
enabled: true
schedule: 4 9 * * *
external:
enabled: true
schedule: 4 10 * * *

6
clusters/cl01tl/helm/postiz/Chart.lock
View File

@@ -10,12 +10,12 @@ dependencies:
version: 7.10.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
version: 0.5.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
digest: sha256:de3fb540df1cf7385a19316741854d01e002740c0bf346f3da0ff3a809b1fc3d
generated: "2026-03-15T20:08:06.855136249Z"
digest: sha256:7727504ece1f5caf7aa18c828d684a3809c4c0b0671d0fcec332a06d56270b82
generated: "2026-03-31T02:07:36.530633058Z"

2
clusters/cl01tl/helm/postiz/Chart.yaml
View File

@@ -30,7 +30,7 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-config

6
clusters/cl01tl/helm/stalwart/Chart.lock
View File

@@ -7,9 +7,9 @@ dependencies:
version: 7.10.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
version: 0.5.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
digest: sha256:6ffe4bd6af377f2ba5134389027e86085928d5e1108bb5ecf0d4b1e4cc908b67
generated: "2026-03-15T20:10:31.966910173Z"
digest: sha256:0748823c0bfd24bfc51828854b16098505f72c35ec9bc20287f3a331749b051c
generated: "2026-03-31T02:07:58.941915766Z"

2
clusters/cl01tl/helm/stalwart/Chart.yaml
View File

@@ -27,7 +27,7 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-config

6
clusters/cl01tl/helm/tubearchivist/Chart.lock
View File

@@ -4,6 +4,6 @@ dependencies:
version: 4.6.2
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
digest: sha256:39a57c1505ed39180cffe9153ce69233c2376ba62c9287bc411071cf986f44de
generated: "2026-03-09T23:08:53.501770729Z"
version: 0.5.0
digest: sha256:bbceeb6ebc7a358798e706280aa2eaba8b47b018ea0fb736b30ece5419979c4e
generated: "2026-03-31T02:08:21.943410591Z"

2
clusters/cl01tl/helm/tubearchivist/Chart.yaml
View File

@@ -22,7 +22,7 @@ dependencies:
version: 4.6.2
- name: valkey
alias: valkey
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/tube-archivist.png
# renovate: datasource=github-releases depName=tubearchivist/tubearchivist

6
clusters/cl01tl/helm/yamtrack/Chart.lock
View File

@@ -7,6 +7,6 @@ dependencies:
version: 7.10.0
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0
digest: sha256:71da007e1cef75e45b1678caa51b0d2317cb8f4dfdf7df675d534194f03650aa
generated: "2026-03-15T20:11:03.591727143Z"
version: 0.5.0
digest: sha256:3ca767f6530d29c36ae1dc5456e0ac5f889481c4b98955eb9b2d1b6c8fbf702a
generated: "2026-03-31T02:08:41.464866575Z"

2
clusters/cl01tl/helm/yamtrack/Chart.yaml
View File

@@ -26,7 +26,7 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey
version: 0.4.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/yamtrack.png
# renovate: datasource=github-releases depName=FuzzyGrim/Yamtrack

1
hosts/ps08rp/blocky/config.yml
View File

@@ -121,6 +121,7 @@ customDNS:
objects IN CNAME traefik-cl01tl
ollama IN CNAME traefik-cl01tl
omni-tools IN CNAME traefik-cl01tl
paperless-ngx IN CNAME traefik-cl01tl
photoview IN CNAME traefik-cl01tl
plex IN CNAME traefik-cl01tl
postiz IN CNAME traefik-cl01tl

1
hosts/ps09rp/blocky/config.yml
View File

@@ -142,6 +142,7 @@ customDNS:
objects IN CNAME traefik-cl01tl
ollama IN CNAME traefik-cl01tl
omni-tools IN CNAME traefik-cl01tl
paperless-ngx IN CNAME traefik-cl01tl
photoview IN CNAME traefik-cl01tl
plex IN CNAME traefik-cl01tl
postiz IN CNAME traefik-cl01tl

2
hosts/ps10rp/cloudflare-ddns/compose.yaml
View File

@@ -1,7 +1,7 @@
---
services:
cloudflare-ddns:
image: favonia/cloudflare-ddns:1.15.1@sha256:a4e2089b3531eec8c9328c7a9a586f80e8d67dcd94856e0b596b7896e1de3f62
image: favonia/cloudflare-ddns:1.16.0@sha256:8e0f869aed97beeed4e172a01e97090673cb9b04e7e1d62fcb6cfc656f9761ad
container_name: cloudflare-ddns
cap_drop:
- all