Merge branch 'main' of https://gitea.alexlebens.net/alexlebens/infrastructure

Reviewed-on: #4972

.gitea/workflows/lint-test-docker.yaml

@@ -21,14 +21,14 @@ jobs:
     runs-on: ubuntu-js
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 
       - name: Check Branch Exists
         id: check-branch-exists
         if: github.event_name == 'pull_request'
-        uses: GuillaumeFalourd/branch-exists@v1.1
+        uses: GuillaumeFalourd/branch-exists@009290475dc3d75b5d7ec680c0c5b614b0d9855d # v1.1
         with:
           branch: "${{ github.base_ref }}"
 
@@ -51,7 +51,7 @@ jobs:
 
       - name: Set Up Node.js
         if: steps.branch-exists.outputs.exists == 'true'
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: '24'
 
@@ -120,7 +120,7 @@ jobs:
           echo "----"
 
       - name: ntfy Failed
-        uses: niniyas/ntfy-action@master
+        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
         if: failure()
         with:
           url: '${{ secrets.NTFY_URL }}'

.gitea/workflows/lint-test-helm.yaml

@@ -28,14 +28,14 @@ jobs:
       changes-detected: ${{ steps.check-dir-changes.outputs.changes-detected }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 
       - name: Check Branch Exists
         id: check-branch-exists
         if: github.event_name == 'pull_request'
-        uses: GuillaumeFalourd/branch-exists@v1.1
+        uses: GuillaumeFalourd/branch-exists@009290475dc3d75b5d7ec680c0c5b614b0d9855d # v1.1
         with:
           branch: ${{ github.base_ref }}
 
@@ -58,7 +58,7 @@ jobs:
 
       - name: Set Up Helm
         if: steps.branch-exists.outputs.exists == 'true'
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           # renovate: datasource=github-releases depName=helm/helm
@@ -67,7 +67,7 @@ jobs:
 
       - name: Cache Helm Dependencies
         if: steps.branch-exists.outputs.exists == 'true'
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
         with:
           path: |
             ~/.cache/helm
@@ -209,7 +209,7 @@ jobs:
           exit $EXIT_CODE
 
       - name: ntfy Failed
-        uses: niniyas/ntfy-action@master
+        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
         if: failure()
         with:
           url: '${{ secrets.NTFY_URL }}'
@@ -232,7 +232,7 @@ jobs:
       github.event_name == 'pull_request'
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 
@@ -257,7 +257,7 @@ jobs:
           echo "----"
 
       - name: Set Up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           # renovate: datasource=github-releases depName=helm/helm
@@ -265,7 +265,7 @@ jobs:
           cache: true
 
       - name: Cache Helm Dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
         with:
           path: |
             ~/.cache/helm
@@ -352,7 +352,7 @@ jobs:
           exit $EXIT_CODE
 
       - name: ntfy Failed
-        uses: niniyas/ntfy-action@master
+        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
         if: failure()
         with:
           url: '${{ secrets.NTFY_URL }}'

.gitea/workflows/render-manifests.yaml

@@ -31,32 +31,32 @@ jobs:
       (github.event_name == 'pull_request' && github.event.pull_request.merged == true)
     steps:
       - name: Checkout Main
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           path: infrastructure
           fetch-depth: 0
 
       - name: Checkout Manifests
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: manifests
           path: infrastructure-manifests
 
       - name: Set Up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
           cache: true
 
       - name: Configure Kubeconfig
-        uses: azure/k8s-set-context@v4
+        uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
         with:
           method: kubeconfig
           kubeconfig: ${{ secrets.KUBECONFIG }}
 
       - name: Cache Helm Dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
         with:
           path: |
             ~/.cache/helm
@@ -568,7 +568,7 @@ jobs:
           echo "----"
 
       - name: ntfy Created
-        uses: niniyas/ntfy-action@master
+        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
         if: steps.create-pull-request.outputs.pull-request-operation == 'created' && steps.mode.outputs.is-automerge == 'false'
         with:
           url: "${{ secrets.NTFY_URL }}"
@@ -582,7 +582,7 @@ jobs:
           actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
 
       - name: ntfy Updated
-        uses: niniyas/ntfy-action@master
+        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
         if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-request.outputs.pull-request-exists != 'false' && steps.mode.outputs.is-automerge == 'false'
         with:
           url: "${{ secrets.NTFY_URL }}"
@@ -596,7 +596,7 @@ jobs:
           actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
 
       - name: ntfy Merged
-        uses: niniyas/ntfy-action@master
+        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
         if: steps.merge-changes.outputs.pull-request-operation == 'merged'
         with:
           url: "${{ secrets.NTFY_URL }}"
@@ -610,7 +610,7 @@ jobs:
           actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
 
       - name: ntfy Failed
-        uses: niniyas/ntfy-action@master
+        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
         if: failure()
         with:
           url: "${{ secrets.NTFY_URL }}"

.gitea/workflows/renovate.yaml

@@ -13,10 +13,10 @@ on:
 jobs:
   renovate:
     runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43
+    container: ghcr.io/renovatebot/renovate:43.84.2@sha256:92285747b3aac062a4f567762c272a12dce037843a20177a02c95b7c420e20cb
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Renovate
         run: renovate

clusters/cl01tl/helm/argo-workflows/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: argo-workflows
   repository: https://argoproj.github.io/argo-helm
-  version: 1.0.3
+  version: 1.0.5
 - name: argo-events
   repository: https://argoproj.github.io/argo-helm
   version: 2.4.21
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 7.10.0
-digest: sha256:4c857612f12f288dcbf6903df58ac708dcbc051e5f17e94ecd0cadc41b9c32bd
+digest: sha256:d0d7ebf1c0013d001aa2f17d04a6d3f3d7a1fa7d5c62792eef856b87c24eb26e
-generated: "2026-03-19T04:33:30.206516151Z"
+generated: "2026-03-20T20:48:30.830922259Z"

clusters/cl01tl/helm/argo-workflows/Chart.yaml

@@ -18,7 +18,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-workflows
-    version: 1.0.3
+    version: 1.0.5
     repository: https://argoproj.github.io/argo-helm
   - name: argo-events
     version: 2.4.21
@@ -29,4 +29,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-workflows
-appVersion: v4.0.2
+appVersion: v4.0.3

clusters/cl01tl/helm/argocd/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 9.4.14
+  version: 9.4.15
-digest: sha256:0d80c03a05176d53cc8ec94da32ef2cb5fccafc76b1648c0e4e1288515ba0824
+digest: sha256:a0eed2e174bb6b13d04653c755a359025b050d479a92180039a1990dd8ee7caa
-generated: "2026-03-19T04:27:11.289046913Z"
+generated: "2026-03-20T01:09:07.547016465Z"

clusters/cl01tl/helm/argocd/Chart.yaml

@@ -15,7 +15,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-cd
-    version: 9.4.14
+    version: 9.4.15
     repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-cd

clusters/cl01tl/helm/argocd/values.yaml

@@ -55,14 +55,7 @@ argo-cd:
   server:
     replicas: 2
     extensions:
-      enabled: true
+      enabled: false
-      extensionList:
-        - name: extension-trivy
-          env:
-            - name: EXTENSION_URL
-              value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy.tar
-            - name: EXTENSION_CHECKSUM_URL
-              value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy_checksums.txt
     metrics:
       enabled: true
       serviceMonitor:

clusters/cl01tl/helm/blocky/values.yaml

@@ -98,7 +98,7 @@ blocky:
 
               traefik-cl01tl                  IN      A       10.232.1.21
               blocky                          IN      A       10.232.1.22
-              cilium-cl01tl                   IN      A       10.232.1.23
+              plex-lb                         IN      A       10.232.1.23
 
 
               ;; Application Names
@@ -127,12 +127,14 @@ blocky:
               home                            IN      CNAME   traefik-cl01tl
               home-assistant                  IN      CNAME   traefik-cl01tl
               home-assistant-code-server      IN      CNAME   traefik-cl01tl
+              houndarr                        IN      CNAME   traefik-cl01tl
               hubble                          IN      CNAME   traefik-cl01tl
               immich                          IN      CNAME   traefik-cl01tl
               jellyfin                        IN      CNAME   traefik-cl01tl
               jellystat                       IN      CNAME   traefik-cl01tl
               kiwix                           IN      CNAME   traefik-cl01tl
               komodo                          IN      CNAME   traefik-cl01tl
+              languagetool                    IN      CNAME   traefik-cl01tl
               lidarr                          IN      CNAME   traefik-cl01tl
               mail                            IN      CNAME   traefik-cl01tl
               medialyze                       IN      CNAME   traefik-cl01tl

clusters/cl01tl/helm/booklore/Chart.yaml

@@ -4,11 +4,14 @@ version: 1.0.0
 description: booklore
 keywords:
   - booklore
+  - grimmory
   - books
 home: https://wiki.alexlebens.dev/
 sources:
   - https://github.com/booklore-app/BookLore
+  - https://github.com/grimmory-tools/grimmory
   - https://github.com/booklore-app/booklore/pkgs/container/booklore
+  - https://github.com/grimmory-tools/grimmory/pkgs/container/grimmory
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
 maintainers:
   - name: alexlebens
@@ -29,5 +32,5 @@ dependencies:
     version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png
-# renovate: datasource=github-releases depName=booklore-app/BookLore
+# renovate: datasource=github-releases depName=grimmory-tools/grimmory
-appVersion: v2.2.1
+appVersion: v2.3.0

clusters/cl01tl/helm/booklore/values.yaml

@@ -8,8 +8,8 @@ booklore:
       containers:
         main:
           image:
-            repository: ghcr.io/booklore-app/booklore
+            repository: ghcr.io/grimmory-tools/grimmory
-            tag: v2.2.1
+            tag: v2.3.0
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/helm/code-server/values.yaml

@@ -9,7 +9,7 @@ code-server:
         main:
           image:
             repository: ghcr.io/linuxserver/code-server
-            tag: 4.111.0@sha256:12c04b41f601604795562ece2ac64cade7cfca632415f4bfb1742477e3226272
+            tag: 4.112.0@sha256:4bb5b8ad22268001687c047f0f04933799fb03df1eb0e1e266ba15ed2d9f4e8b
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/helm/decluttarr/Chart.lock

@@ -1,6 +0,0 @@
-dependencies:
-- name: app-template
-  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.6.2
-digest: sha256:548ae1f8699100a2f6bac11a4a3137402b3eea340c7a3db4d9f1813ad6a11dca
-generated: "2026-02-23T22:08:42.516245-06:00"

clusters/cl01tl/helm/decluttarr/Chart.yaml

@@ -1,20 +0,0 @@
-apiVersion: v2
-name: decluttarr
-version: 1.0.0
-description: decluttarr
-keywords:
-  - decluttarr
-  - servarr
-home: https://wiki.alexlebens.dev/s/
-sources:
-  - https://github.com/ManiMatter/decluttarr
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: decluttarr
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.6.2
-# renovate: datasource=github-releases depName=ManiMatter/decluttarr
-appVersion: v2.0.0

clusters/cl01tl/helm/decluttarr/templates/external-secret.yaml

@@ -1,21 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: decluttarr-config-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: decluttarr-config-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: config.yaml
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/decluttarr/config
-        metadataPolicy: None
-        property: config.yaml

clusters/cl01tl/helm/decluttarr/values.yaml

@@ -1,32 +0,0 @@
-decluttarr:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: ghcr.io/manimatter/decluttarr
-            tag: v2.0.0
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: America/Chicago
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-  persistence:
-    config:
-      enabled: true
-      type: secret
-      name: decluttarr-config-secret
-      advancedMounts:
-        main:
-          main:
-            - path: /app/config/config.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: config.yaml

clusters/cl01tl/helm/eraser/values.yaml

@@ -34,27 +34,7 @@ eraser:
         request:
           cpu: 100m
           memory: 128Mi
-        config: "" # |
+        config: ""
-          # cacheDir: /var/lib/trivy
-          # dbRepo: ghcr.io/aquasecurity/trivy-db
-          # deleteFailedImages: true
-          # deleteEOLImages: true
-          # vulnerabilities:
-          #   ignoreUnfixed: true
-          #   types:
-          #     - os
-          #     - library
-          #   securityChecks:
-          #     - vuln
-          #   severities:
-          #     - CRITICAL
-          #     - HIGH
-          #     - MEDIUM
-          #     - LOW
-          #   ignoredStatuses:
-          # timeout:
-          #   total: 23h
-          #   perImage: 1h
       remover:
         request:
           cpu: 10m

clusters/cl01tl/helm/external-secrets/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: external-secrets
   repository: https://charts.external-secrets.io
-  version: 2.1.0
+  version: 2.2.0
-digest: sha256:b19563d51f1922403185979c6c442531a7bb13d302e8438b5a18d450259b7245
+digest: sha256:832fc3f8d3728bdea2b696a6044e4c18967cd9ab9c5cc74adbf40aaa270a84b4
-generated: "2026-03-07T18:02:23.908145348Z"
+generated: "2026-03-20T20:53:08.407747649Z"

clusters/cl01tl/helm/external-secrets/Chart.yaml

@@ -12,8 +12,8 @@ sources:
   - https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
 dependencies:
   - name: external-secrets
-    version: 2.1.0
+    version: 2.2.0
     repository: https://charts.external-secrets.io
 icon: https://avatars.githubusercontent.com/u/68335991?s=48&v=4
 # renovate: datasource=github-releases depName=external-secrets/external-secrets
-appVersion: v2.1.0
+appVersion: v2.2.0

clusters/cl01tl/helm/gatus/values.yaml

@@ -191,6 +191,9 @@ gatus:
       - name: excalidraw
         url: https://excalidraw.alexlebens.net
         <<: *defaults
+      - name: languagetool
+        url: https://languagetool.alexlebens.net
+        <<: *defaults
       - name: gitea
         url: https://gitea.alexlebens.net
         <<: *defaults
@@ -304,6 +307,9 @@ gatus:
       - name: tdarr
         url: https://tdarr.alexlebens.net
         <<: *defaults
+      - name: houndarr
+        url: https://houndarr.alexlebens.net
+        <<: *defaults
       - name: sonarr
         url: http://sonarr.sonarr:80
         <<: *defaults

clusters/cl01tl/helm/generic-device-plugin/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: generic-device-plugin
   repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-  version: 0.20.23
+  version: 0.20.24
-digest: sha256:1565d6e94921e2543bf4c302ddebb7504fbfd9113c976e4d297de18e9a0c06c6
+digest: sha256:36bf651c24198d299458046aaf449e9fb50942e1143389092a746357d402b731
-generated: "2026-03-19T01:04:01.714112981Z"
+generated: "2026-03-20T01:18:36.687250976Z"

clusters/cl01tl/helm/generic-device-plugin/Chart.yaml

@@ -15,6 +15,6 @@ maintainers:
 dependencies:
   - name: generic-device-plugin
     repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-    version: 0.20.23
+    version: 0.20.24
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 appVersion: 1.0.0

clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml

@@ -377,25 +377,6 @@ spec:
   resyncPeriod: 1h
   url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/tdarr.json
 
----
-apiVersion: grafana.integreatly.org/v1beta1
-kind: GrafanaDashboard
-metadata:
-  name: grafana-dashboard-trivy
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: grafana-dashboard-trivy
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  instanceSelector:
-    matchLabels:
-      app: grafana-main
-  contentCacheDuration: 1h
-  folderUID: grafana-folder-service
-  resyncPeriod: 1h
-  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/trivy.json
-
 ---
 apiVersion: grafana.integreatly.org/v1beta1
 kind: GrafanaDashboard

clusters/cl01tl/helm/harbor/Chart.yaml

@@ -29,4 +29,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/harbor.png
 # renovate: datasource=github-releases depName=goharbor/harbor
-appVersion: v2.14.3
+appVersion: v2.15.0

clusters/cl01tl/helm/headlamp/values.yaml

@@ -25,9 +25,6 @@ headlamp:
         - name: cert-manager
           source: https://artifacthub.io/packages/headlamp/headlamp-plugins/headlamp_cert-manager
           version: 0.1.0
-        - name: trivy
-          source: https://artifacthub.io/packages/headlamp/headlamp-trivy/headlamp_trivy
-          version: 0.3.1
         - name: external-secrets-operator
           source: https://artifacthub.io/packages/headlamp/external-secrets-operator-headlamp-plugin/external-secrets-operator
           version: 0.1.0-beta7

clusters/cl01tl/helm/home-assistant/Chart.yaml

@@ -25,4 +25,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/home-assistant.png
 # renovate: datasource=github-releases depName=home-assistant/core
-appVersion: 2026.3.2
+appVersion: 2026.3.3

clusters/cl01tl/helm/home-assistant/values.yaml

@@ -9,7 +9,7 @@ home-assistant:
         main:
           image:
             repository: ghcr.io/home-assistant/home-assistant
-            tag: 2026.3.2
+            tag: 2026.3.3
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -21,7 +21,7 @@ home-assistant:
         code-server:
           image:
             repository: ghcr.io/linuxserver/code-server
-            tag: 4.111.0@sha256:12c04b41f601604795562ece2ac64cade7cfca632415f4bfb1742477e3226272
+            tag: 4.112.0@sha256:4bb5b8ad22268001687c047f0f04933799fb03df1eb0e1e266ba15ed2d9f4e8b
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/helm/homepage/values.yaml

@@ -204,7 +204,7 @@ homepage:
                   statusStyle: dot
               - Books:
                   icon: sh-booklore.webp
-                  description: Booklore
+                  description: Grimmory
                   href: https://booklore.alexlebens.net
                   siteMonitor: http://booklore.booklore:80
                   statusStyle: dot
@@ -633,6 +633,12 @@ homepage:
                   href: https://bazarr.alexlebens.net
                   siteMonitor: http://bazarr.bazarr:80
                   statusStyle: dot
+              - Houndarr:
+                  icon: https://raw.githubusercontent.com/av1155/houndarr/main/src/houndarr/static/img/houndarr-logo-dark.png
+                  description: Media Searches
+                  href: https://houndarr.alexlebens.net
+                  siteMonitor: http://houndarr.houndarr:80
+                  statusStyle: dot
               - Tdarr:
                   icon: sh-tdarr.webp
                   description: Media transcoding and health checks
@@ -780,9 +786,6 @@ homepage:
               - Digital Ocean:
                   - abbr: DO
                     href: https://www.digitalocean.com/
-              - AWS:
-                  - abbr: AW
-                    href: https://aws.amazon.com/console/
               - Cloudflare:
                   - abbr: CF
                     href: https://dash.cloudflare.com/b76e303258b84076ee01fd0f515c0768
@@ -792,12 +795,12 @@ homepage:
               - ProtonVPN:
                   - abbr: PV
                     href: https://account.protonvpn.com/
+              - AirVPN:
+                  - abbr: AV
+                    href: https://airvpn.org/
               - Unifi:
                   - abbr: UF
                     href: https://unifi.ui.com/
-              - Pushover:
-                  - abbr: PO
-                    href: https://pushover.net
               - ReCaptcha:
                   - abbr: RC
                     href: https://www.google.com/recaptcha/admin/site/698983587

clusters/cl01tl/helm/houndarr/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.6.2
+- name: volsync-target
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.8.0
+digest: sha256:375d6c2eb2f097717c44c5a28cb162da24f4ff154a971e5a68ccd0e0b77e936f
+generated: "2026-03-21T22:31:01.142752-05:00"

clusters/cl01tl/helm/houndarr/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: houndarr
+version: 1.0.0
+description: Houndarr
+keywords:
+  - houndarr
+  - servarr
+home: https://wiki.alexlebens.dev/s/
+sources:
+  - https://github.com/av1155/houndarr
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: houndarr
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.6.2
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.8.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+icon: https://raw.githubusercontent.com/av1155/houndarr/main/src/houndarr/static/img/houndarr-logo-dark.png
+# renovate: datasource=github-releases depName=av1155/houndarr
+appVersion: v1.6.0

clusters/cl01tl/helm/houndarr/values.yaml

@@ -0,0 +1,84 @@
+houndarr:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/av1155/houndarr
+            tag: v1.6.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: America/Chicago
+            - name: PUID
+              value: 1000
+            - name: PGID
+              value: 1000
+            - name: HOUNDARR_SECURE_COOKIES
+              value: true
+            - name: HOUNDARR_TRUSTED_PROXIES
+              value: 10.96.0.0/12
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 8877
+          protocol: HTTP
+  route:
+    main:
+      kind: HTTPRoute
+      parentRefs:
+        - group: gateway.networking.k8s.io
+          kind: Gateway
+          name: traefik-gateway
+          namespace: traefik
+      hostnames:
+        - houndarr.alexlebens.net
+      rules:
+        - backendRefs:
+            - group: ''
+              kind: Service
+              name: houndarr
+              port: 80
+              weight: 100
+          matches:
+            - path:
+                type: PathPrefix
+                value: /
+  persistence:
+    data:
+      forceRename: houndarr-data
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 1Gi
+      advancedMounts:
+        main:
+          main:
+            - path: /data
+              readOnly: false
+volsync-target-data:
+  pvcTarget: houndarr-data
+  moverSecurityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    fsGroupChangePolicy: OnRootMismatch
+  local:
+    enabled: true
+    schedule: 40 11 * * *
+  remote:
+    enabled: true
+    schedule: 40 12 * * *
+  external:
+    enabled: true
+    schedule: 40 14 * * *

clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: kube-prometheus-stack
   repository: oci://ghcr.io/prometheus-community/charts
-  version: 82.12.0
+  version: 82.13.0
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.6.2
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.4.0
-digest: sha256:05c8453c68596a58884eb65cc0e2f86f5aaa764a63fe4b8c53d40b5f9b40670e
+digest: sha256:1d90bebd9c0afd20f8ff780edd15da18b20f89cf35fd85832d6d8d44b2e0544b
-generated: "2026-03-19T09:02:27.865169773Z"
+generated: "2026-03-20T18:02:38.368086545Z"

clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml

@@ -20,7 +20,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: kube-prometheus-stack
-    version: 82.12.0
+    version: 82.13.0
     repository: oci://ghcr.io/prometheus-community/charts
   - name: app-template
     alias: ntfy-alertmanager

clusters/cl01tl/helm/languagetool/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.6.2
+- name: volsync-target
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.8.0
+digest: sha256:cb14506ada77add5ffcb93d38763e2a5c962312e5754618265d15c4361fea783
+generated: "2026-03-20T17:49:46.393059-05:00"

clusters/cl01tl/helm/languagetool/Chart.yaml

@@ -0,0 +1,27 @@
+apiVersion: v2
+name: languagetool
+version: 1.0.0
+description: LanguageTool
+keywords:
+  - languagetool
+  - spellchecking
+home: https://wiki.alexlebens.dev/
+sources:
+  - https://github.com/languagetool-org/languagetool
+  - https://github.com/Erikvl87/docker-languagetool
+  - https://hub.docker.com/r/erikvl87/languagetool
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: languagetool
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.6.2
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.8.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/languagetool.webp
+# renovate: datasource=github-releases depName=Erikvl87/docker-languagetool
+appVersion: "6.7"

clusters/cl01tl/helm/languagetool/values.yaml

@@ -0,0 +1,76 @@
+languagetool:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: erikvl87/languagetool
+            tag: 6.7
+            pullPolicy: IfNotPresent
+          env:
+            - name: langtool_languageModel
+              value: /ngrams
+            - name: Java_Xms
+              value: 512m
+            - name: Java_Xmx
+              value: 1g
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 8010
+          protocol: HTTP
+  route:
+    main:
+      kind: HTTPRoute
+      parentRefs:
+        - group: gateway.networking.k8s.io
+          kind: Gateway
+          name: traefik-gateway
+          namespace: traefik
+      hostnames:
+        - languagetool.alexlebens.net
+      rules:
+        - backendRefs:
+            - group: ''
+              kind: Service
+              name: languagetool
+              port: 80
+              weight: 100
+          matches:
+            - path:
+                type: PathPrefix
+                value: /
+  persistence:
+    data:
+      forceRename: languagetool-data
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 1Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /ngrams
+              readOnly: false
+volsync-target-data:
+  pvcTarget: languagetool-data
+  local:
+    enabled: true
+    schedule: 38 11 * * *
+  remote:
+    enabled: true
+    schedule: 38 12 * * *
+  external:
+    enabled: true
+    schedule: 38 14 * * *

clusters/cl01tl/helm/medialyze/Chart.yaml

@@ -19,4 +19,4 @@ dependencies:
     version: 4.6.2
 icon: https://raw.githubusercontent.com/frederikemmer/MediaLyze/d8f69c0628bac7c047b90f91a66341648029c273/frontend/public/favicon.svg
 # renovate: datasource=github-releases depName=frederikemmer/MediaLyze
-appVersion: 0.2.2
+appVersion: 0.2.3

clusters/cl01tl/helm/medialyze/values.yaml

@@ -9,7 +9,7 @@ medialyze:
         main:
           image:
             repository: ghcr.io/frederikemmer/medialyze
-            tag: 0.2.2
+            tag: 0.2.3
             pullPolicy: IfNotPresent
           env:
             - name: HOST_PORT

clusters/cl01tl/helm/music-grabber/templates/external-secret.yaml

@@ -60,20 +60,27 @@ spec:
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
         property: private-key
-    - secretKey: proton-email
+    - secretKey: preshared-key
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
-        property: email
+        property: preshared-key
-    - secretKey: proton-password
+    - secretKey: addresses
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
-        property: password
+        property: addresses
+    - secretKey: input-ports
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /airvpn/conf/cl01tl
+        metadataPolicy: None
+        property: input-ports

clusters/cl01tl/helm/music-grabber/values.yaml

@@ -9,7 +9,7 @@ music-grabber:
         main:
           image:
             repository: g33kphr33k/musicgrabber
-            tag: 2.4.6
+            tag: 2.5.0
             pullPolicy: IfNotPresent
           env:
             - name: MUSIC_DIR
@@ -50,72 +50,72 @@ music-grabber:
             requests:
               cpu: 10m
               memory: 512Mi
-        gluetun:
+        # gluetun:
-          image:
+        #   image:
-            repository: ghcr.io/qdm12/gluetun
+        #     repository: ghcr.io/qdm12/gluetun
-            tag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab
+        #     tag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab
-            pullPolicy: IfNotPresent
+        #     pullPolicy: IfNotPresent
-          lifecycle:
+        #   lifecycle:
-            postStart:
+        #     postStart:
-              exec:
+        #       exec:
-                command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
+        #         command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
-          env:
+        #   env:
-            - name: VPN_SERVICE_PROVIDER
+        #     - name: VPN_SERVICE_PROVIDER
-              value: protonvpn
+        #       value: airvpn
-            - name: VPN_TYPE
+        #     - name: VPN_TYPE
-              value: wireguard
+        #       value: wireguard
-            - name: WIREGUARD_PRIVATE_KEY
+        #     - name: WIREGUARD_PRIVATE_KEY
-              valueFrom:
+        #       valueFrom:
-                secretKeyRef:
+        #         secretKeyRef:
-                  name: music-grabber-wireguard-conf
+        #           name: music-grabber-wireguard-conf
-                  key: private-key
+        #           key: private-key
-            - name: UPDATER_PROTONVPN_EMAIL
+        #     - name: WIREGUARD_PRESHARED_KEY
-              valueFrom:
+        #       valueFrom:
-                secretKeyRef:
+        #         secretKeyRef:
-                  name: music-grabber-wireguard-conf
+        #           name: music-grabber-wireguard-conf
-                  key: proton-email
+        #           key: preshared-key
-            - name: UPDATER_PROTONVPN_PASSWORD
+        #     - name: WIREGUARD_ADDRESSES
-              valueFrom:
+        #       valueFrom:
-                secretKeyRef:
+        #         secretKeyRef:
-                  name: music-grabber-wireguard-conf
+        #           name: music-grabber-wireguard-conf
-                  key: proton-password
+        #           key: addresses
-            - name: FIREWALL_OUTBOUND_SUBNETS
+        #     - name: FIREWALL_OUTBOUND_SUBNETS
-              value: 10.0.0.0/8
+        #       value: 10.0.0.0/8
-            - name: FIREWALL_INPUT_PORTS
+        #     - name: FIREWALL_INPUT_PORTS
-              value: 8080
+        #       value: 8080
-            - name: DNS_UPSTREAM_RESOLVER_TYPE
+        #     - name: DNS_UPSTREAM_RESOLVER_TYPE
-              value: dot
+        #       value: dot
-            - name: HTTPPROXY
+        #     - name: HTTPPROXY
-              value: "off"
+        #       value: "off"
-            - name: SHADOWSOCKS
+        #     - name: SHADOWSOCKS
-              value: "off"
+        #       value: "off"
-          securityContext:
+        #   securityContext:
-            privileged: True
+        #     privileged: True
-            capabilities:
+        #     capabilities:
-              add:
+        #       add:
-                - NET_ADMIN
+        #         - NET_ADMIN
-                - SYS_MODULE
+        #         - SYS_MODULE
-          probes:
+        #   probes:
-            liveness:
+        #     liveness:
-              enabled: true
+        #       enabled: true
-              custom: true
+        #       custom: true
-              spec:
+        #       spec:
-                exec:
+        #         exec:
-                  command:
+        #           command:
-                    - /gluetun-entrypoint
+        #             - /gluetun-entrypoint
-                    - healthcheck
+        #             - healthcheck
-                failureThreshold: 5
+        #         failureThreshold: 5
-                initialDelaySeconds: 30
+        #         initialDelaySeconds: 30
-                periodSeconds: 30
+        #         periodSeconds: 30
-                successThreshold: 1
+        #         successThreshold: 1
-                timeoutSeconds: 15
+        #         timeoutSeconds: 15
-          resources:
+        #   resources:
-            limits:
+        #     limits:
-              devic.es/tun: "1"
+        #       devic.es/tun: "1"
-            requests:
+        #     requests:
-              devic.es/tun: "1"
+        #       devic.es/tun: "1"
-              cpu: 10m
+        #       cpu: 10m
-              memory: 128Mi
+        #       memory: 128Mi
   service:
     main:
       controller: main

clusters/cl01tl/helm/plex/values.yaml

@@ -9,7 +9,7 @@ plex:
         main:
           image:
             repository: ghcr.io/linuxserver/plex
-            tag: 1.43.0@sha256:84f8646e799f6636876ab4f283d9fc8f6c51d56098ea74cba82bfb85074b68df
+            tag: 1.43.0@sha256:a27f1ce1e1d14cd3627ed217f042bf8de0f796ed274fb27b2dc971ae22a64b95
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -26,6 +26,7 @@ plex:
   service:
     main:
       controller: main
+      type: LoadBalancer
       ports:
         http:
           port: 32400

clusters/cl01tl/helm/postiz/Chart.yaml

@@ -42,4 +42,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/postiz.png
 # renovate: datasource=github-releases depName=gitroomhq/postiz-app
-appVersion: v2.20.2
+appVersion: v2.21.0

clusters/cl01tl/helm/postiz/values.yaml

@@ -9,7 +9,7 @@ postiz:
         main:
           image:
             repository: ghcr.io/gitroomhq/postiz-app
-            tag: v2.20.2
+            tag: v2.21.0
             pullPolicy: IfNotPresent
           env:
             - name: MAIN_URL

clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml

@@ -16,23 +16,30 @@ spec:
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
         property: private-key
-    - secretKey: proton-email
+    - secretKey: preshared-key
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
-        property: email
+        property: preshared-key
-    - secretKey: proton-password
+    - secretKey: addresses
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
-        property: password
+        property: addresses
+    - secretKey: input-ports
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /airvpn/conf/cl01tl
+        metadataPolicy: None
+        property: input-ports
 
 ---
 apiVersion: external-secrets.io/v1

clusters/cl01tl/helm/qbittorrent/values.yaml

@@ -56,7 +56,7 @@ qbittorrent:
                 command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
           env:
             - name: VPN_SERVICE_PROVIDER
-              value: protonvpn
+              value: airvpn
             - name: VPN_TYPE
               value: wireguard
             - name: WIREGUARD_PRIVATE_KEY
@@ -64,28 +64,29 @@ qbittorrent:
                 secretKeyRef:
                   name: qbittorrent-wireguard-conf
                   key: private-key
-            - name: UPDATER_PROTONVPN_EMAIL
+            - name: WIREGUARD_PRESHARED_KEY
               valueFrom:
                 secretKeyRef:
                   name: qbittorrent-wireguard-conf
-                  key: proton-email
+                  key: preshared-key
-            - name: UPDATER_PROTONVPN_PASSWORD
+            - name: WIREGUARD_ADDRESSES
               valueFrom:
                 secretKeyRef:
                   name: qbittorrent-wireguard-conf
-                  key: proton-password
+                  key: addresses
-            - name: VPN_PORT_FORWARDING
+            - name: FIREWALL_VPN_INPUT_PORTS
-              value: "on"
+              valueFrom:
-            - name: VPN_PORT_FORWARDING_UP_COMMAND
+                secretKeyRef:
-              value: '/bin/sh -c "/gluetun/update.sh {{ printf "{{PORTS}}" }}"'
+                  name: qbittorrent-wireguard-conf
-            - name: PORT_FORWARD_ONLY
+                  key: input-ports
-              value: "on"
             - name: FIREWALL_OUTBOUND_SUBNETS
               value: 192.168.1.0/24,10.244.0.0/16
             - name: FIREWALL_INPUT_PORTS
               value: 8080,9022
             - name: DNS_UPSTREAM_RESOLVER_TYPE
               value: dot
+            - name: BLOCK_MALICIOUS
+              value: "off"
             - name: HTTPPROXY
               value: "off"
             - name: SHADOWSOCKS

clusters/cl01tl/helm/roundcube/values.yaml

@@ -9,7 +9,7 @@ roundcube:
         main:
           image:
             repository: roundcube/roundcubemail
-            tag: 1.6.13-fpm-alpine
+            tag: 1.6.14-fpm-alpine
             pullPolicy: IfNotPresent
           env:
             - name: ROUNDCUBEMAIL_DB_TYPE
@@ -85,7 +85,7 @@ roundcube:
         backup:
           image:
             repository: roundcube/roundcubemail
-            tag: 1.6.13-fpm-alpine
+            tag: 1.6.14-fpm-alpine
             pullPolicy: IfNotPresent
           env:
             - name: ROUNDCUBEMAIL_DB_TYPE

clusters/cl01tl/helm/rybbit/values.yaml

@@ -122,7 +122,7 @@ rybbit:
         main:
           image:
             repository: clickhouse/clickhouse-server
-            tag: 26.2.4
+            tag: 26.2.5
             pullPolicy: IfNotPresent
           env:
             - name: CLICKHOUSE_DB

clusters/cl01tl/helm/searxng/values.yaml

@@ -9,7 +9,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:67a3e2e339eb33e60d16df2b328961583c908c4b6f3a176b23ecb9ddd6f137fd
+            tag: latest@sha256:b6db575bb821d35279474090270db9e53e92432a66d19e7da51c0ef1b5ddb806
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL
@@ -39,7 +39,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:67a3e2e339eb33e60d16df2b328961583c908c4b6f3a176b23ecb9ddd6f137fd
+            tag: latest@sha256:b6db575bb821d35279474090270db9e53e92432a66d19e7da51c0ef1b5ddb806
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL

clusters/cl01tl/helm/shelfmark/Chart.yaml

@@ -23,4 +23,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/shelfmark.webp
 # renovate: datasource=github-releases depName=calibrain/shelfmark
-appVersion: v1.2.0
+appVersion: v1.2.1

clusters/cl01tl/helm/shelfmark/values.yaml

@@ -9,7 +9,7 @@ shelfmark:
         main:
           image:
             repository: ghcr.io/calibrain/shelfmark
-            tag: v1.2.0
+            tag: v1.2.1
             pullPolicy: IfNotPresent
           env:
             - name: FLASK_PORT

clusters/cl01tl/helm/site-profile/values.yaml

@@ -11,7 +11,7 @@ site-profile:
         main:
           image:
             repository: harbor.alexlebens.net/images/site-profile
-            tag: 3.15.0
+            tag: 3.15.1
             pullPolicy: IfNotPresent
           resources:
             requests:

clusters/cl01tl/helm/slskd/templates/external-secret.yaml

@@ -62,20 +62,27 @@ spec:
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
         property: private-key
-    - secretKey: proton-email
+    - secretKey: preshared-key
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
-        property: email
+        property: preshared-key
-    - secretKey: proton-password
+    - secretKey: addresses
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
-        property: password
+        property: addresses
+    - secretKey: input-ports
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /airvpn/conf/cl01tl
+        metadataPolicy: None
+        property: input-ports

clusters/cl01tl/helm/slskd/values.yaml

@@ -54,7 +54,7 @@ slskd:
                 command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
           env:
             - name: VPN_SERVICE_PROVIDER
-              value: protonvpn
+              value: airvpn
             - name: VPN_TYPE
               value: wireguard
             - name: WIREGUARD_PRIVATE_KEY
@@ -62,26 +62,29 @@ slskd:
                 secretKeyRef:
                   name: slskd-wireguard-conf
                   key: private-key
-            - name: UPDATER_PROTONVPN_EMAIL
+            - name: WIREGUARD_PRESHARED_KEY
               valueFrom:
                 secretKeyRef:
                   name: slskd-wireguard-conf
-                  key: proton-email
+                  key: preshared-key
-            - name: UPDATER_PROTONVPN_PASSWORD
+            - name: WIREGUARD_ADDRESSES
               valueFrom:
                 secretKeyRef:
                   name: slskd-wireguard-conf
-                  key: proton-password
+                  key: addresses
-            - name: VPN_PORT_FORWARDING
+            - name: FIREWALL_VPN_INPUT_PORTS
-              value: "on"
+              valueFrom:
-            - name: PORT_FORWARD_ONLY
+                secretKeyRef:
-              value: "on"
+                  name: slskd-wireguard-conf
+                  key: input-ports
             - name: FIREWALL_OUTBOUND_SUBNETS
               value: 192.168.1.0/24,10.244.0.0/16
             - name: FIREWALL_INPUT_PORTS
               value: 5030,50300
             - name: DNS_UPSTREAM_RESOLVER_TYPE
               value: dot
+            - name: BLOCK_MALICIOUS
+              value: "off"
             - name: HTTPPROXY
               value: "off"
             - name: SHADOWSOCKS

clusters/cl01tl/helm/sonarr-4k/values.yaml

@@ -13,7 +13,7 @@ sonarr-4k:
         main:
           image:
             repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.16@sha256:21c1c3d52248589bb064f5adafec18cad45812d7a01d317472955eef051e619b
+            tag: 4.0.17@sha256:76414c033f290d3c9f1f9dfad71150abe71d92592369a3377a5903d579e6e2b2
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/helm/sonarr-anime/values.yaml

@@ -13,7 +13,7 @@ sonarr-anime:
         main:
           image:
             repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.16@sha256:21c1c3d52248589bb064f5adafec18cad45812d7a01d317472955eef051e619b
+            tag: 4.0.17@sha256:76414c033f290d3c9f1f9dfad71150abe71d92592369a3377a5903d579e6e2b2
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/helm/sonarr/values.yaml

@@ -13,7 +13,7 @@ sonarr:
         main:
           image:
             repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.16@sha256:21c1c3d52248589bb064f5adafec18cad45812d7a01d317472955eef051e619b
+            tag: 4.0.17@sha256:76414c033f290d3c9f1f9dfad71150abe71d92592369a3377a5903d579e6e2b2
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/helm/tailscale-operator/Chart.yaml

@@ -21,4 +21,4 @@ dependencies:
     repository: https://pkgs.tailscale.com/helmcharts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/tailscale-light.png
 # renovate: datasource=github-releases depName=tailscale/tailscale
-appVersion: v1.96.2
+appVersion: v1.96.3

clusters/cl01tl/helm/traefik/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: traefik
   repository: https://traefik.github.io/charts
-  version: 39.0.5
+  version: 39.0.6
 - name: traefik-crds
   repository: https://traefik.github.io/charts
   version: 1.15.0
-digest: sha256:8edf8d2dcabdba2c2b8d6a9508f001ba5ef4bec205423f864b92f2adedd73b60
+digest: sha256:45b11c0cb1083daff76df3c90ecf7d73fc09979239bdc0f272d826fab92a3ba4
-generated: "2026-03-16T15:32:49.364653199Z"
+generated: "2026-03-20T20:50:42.131002257Z"

clusters/cl01tl/helm/traefik/Chart.yaml

@@ -15,7 +15,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: traefik
-    version: 39.0.5
+    version: 39.0.6
     repository: https://traefik.github.io/charts
   - name: traefik-crds
     version: 1.15.0

clusters/cl01tl/helm/tubearchivist/templates/external-secret.yaml

@@ -83,20 +83,27 @@ spec:
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
         property: private-key
-    - secretKey: proton-email
+    - secretKey: preshared-key
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
-        property: email
+        property: preshared-key
-    - secretKey: proton-password
+    - secretKey: addresses
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
-        property: password
+        property: addresses
+    - secretKey: input-ports
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /airvpn/conf/cl01tl
+        metadataPolicy: None
+        property: input-ports

clusters/cl01tl/helm/tubearchivist/values.yaml

@@ -53,7 +53,7 @@ tubearchivist:
                 command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
           env:
             - name: VPN_SERVICE_PROVIDER
-              value: protonvpn
+              value: airvpn
             - name: VPN_TYPE
               value: wireguard
             - name: WIREGUARD_PRIVATE_KEY
@@ -61,16 +61,16 @@ tubearchivist:
                 secretKeyRef:
                   name: tubearchivist-wireguard-conf
                   key: private-key
-            - name: UPDATER_PROTONVPN_EMAIL
+            - name: WIREGUARD_PRESHARED_KEY
               valueFrom:
                 secretKeyRef:
                   name: tubearchivist-wireguard-conf
-                  key: proton-email
+                  key: preshared-key
-            - name: UPDATER_PROTONVPN_PASSWORD
+            - name: WIREGUARD_ADDRESSES
               valueFrom:
                 secretKeyRef:
                   name: tubearchivist-wireguard-conf
-                  key: proton-password
+                  key: addresses
             - name: FIREWALL_OUTBOUND_SUBNETS
               value: 10.0.0.0/8
             - name: FIREWALL_INPUT_PORTS

clusters/cl01tl/helm/yubal/templates/external-secret.yaml

@@ -16,20 +16,27 @@ spec:
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
         property: private-key
-    - secretKey: proton-email
+    - secretKey: preshared-key
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
-        property: email
+        property: preshared-key
-    - secretKey: proton-password
+    - secretKey: addresses
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /protonvpn/conf/cl01tl
+        key: /airvpn/conf/cl01tl
         metadataPolicy: None
-        property: password
+        property: addresses
+    - secretKey: input-ports
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /airvpn/conf/cl01tl
+        metadataPolicy: None
+        property: input-ports

clusters/cl01tl/helm/yubal/values.yaml

@@ -40,11 +40,7 @@ yubal:
         #         command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
         #   env:
         #     - name: VPN_SERVICE_PROVIDER
-        #       value: protonvpn
+        #       value: airvpn
-        #     - name: PUID
-        #       value: "1000"
-        #     - name: PGID
-        #       value: "1000"
         #     - name: VPN_TYPE
         #       value: wireguard
         #     - name: WIREGUARD_PRIVATE_KEY
@@ -52,22 +48,26 @@ yubal:
         #         secretKeyRef:
         #           name: yubal-wireguard-conf
         #           key: private-key
-        #     - name: UPDATER_PROTONVPN_EMAIL
+        #     - name: WIREGUARD_PRESHARED_KEY
         #       valueFrom:
         #         secretKeyRef:
         #           name: yubal-wireguard-conf
-        #           key: proton-email
+        #           key: preshared-key
-        #     - name: UPDATER_PROTONVPN_PASSWORD
+        #     - name: WIREGUARD_ADDRESSES
         #       valueFrom:
         #         secretKeyRef:
         #           name: yubal-wireguard-conf
-        #           key: proton-password
+        #           key: addresses
         #     - name: FIREWALL_OUTBOUND_SUBNETS
         #       value: 10.0.0.0/8
         #     - name: FIREWALL_INPUT_PORTS
         #       value: 8000
         #     - name: DNS_UPSTREAM_RESOLVER_TYPE
         #       value: dot
+        #     - name: HTTPPROXY
+        #       value: "off"
+        #     - name: SHADOWSOCKS
+        #       value: "off"
         #   securityContext:
         #     privileged: True
         #     capabilities:

hosts/pd05wd/ollama/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-ollama:
-        image: ghcr.io/tailscale/tailscale:latest
+        image: ghcr.io/tailscale/tailscale:latest@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-ollama
         cap_add:
             - net_admin
@@ -20,7 +20,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     ollama:
-        image: ollama/ollama:latest
+        image: ollama/ollama:latest@sha256:5a5d014aa774f78ebe1340c0d4afc2e35afc12a2c3b34c84e71f78ea20af4ba3
         container_name: ollama
         environment:
             - OLLAMA_KEEP_ALIVE=24h

hosts/pd05wd/stable-diffusion/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-stable-diffusion:
-        image: ghcr.io/tailscale/tailscale:latest
+        image: ghcr.io/tailscale/tailscale:latest@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-stable-diffusion
         cap_add:
             - net_admin
@@ -22,7 +22,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     stable-diffusion:
-        image: ghcr.io/ai-dock/stable-diffusion-webui:latest-cuda
+        image: ghcr.io/ai-dock/stable-diffusion-webui:latest-cuda@sha256:bc4b2b12ac8d030cc5daf25e2c32517709b7c15f59a32685c4c1a14a9606eb42
         container_name: stable-diffusion
         environment:
             - WEBUI_ARGS="--api --listen"

hosts/ps08rp/blocky/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-blocky:
-        image: ghcr.io/tailscale/tailscale:v1.94.2
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-blocky
         cap_add:
             - net_admin
@@ -18,7 +18,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     blocky:
-        image: ghcr.io/0xerr0r/blocky:v0.29.0
+        image: ghcr.io/0xerr0r/blocky:v0.29.0@sha256:a6d99f323d3036a99a3767a52ad612f4d8f3f31167492bfc14d4ea57b24cdfd0
         container_name: blocky
         environment:
             - TZ=America/Chicago

hosts/ps08rp/blocky/config.yml

@@ -73,7 +73,7 @@ customDNS:
 
     traefik-cl01tl                  IN      A       10.232.1.21
     blocky                          IN      A       10.232.1.22
-    cilium-cl01tl                   IN      A       10.232.1.23
+    plex-lb                         IN      A       10.232.1.23
 
 
     ;; Application Names
@@ -102,12 +102,14 @@ customDNS:
     home                            IN      CNAME   traefik-cl01tl
     home-assistant                  IN      CNAME   traefik-cl01tl
     home-assistant-code-server      IN      CNAME   traefik-cl01tl
+    houndarr                        IN      CNAME   traefik-cl01tl
     hubble                          IN      CNAME   traefik-cl01tl
     immich                          IN      CNAME   traefik-cl01tl
     jellyfin                        IN      CNAME   traefik-cl01tl
     jellystat                       IN      CNAME   traefik-cl01tl
     kiwix                           IN      CNAME   traefik-cl01tl
     komodo                          IN      CNAME   traefik-cl01tl
+    languagetool                    IN      CNAME   traefik-cl01tl
     lidarr                          IN      CNAME   traefik-cl01tl
     mail                            IN      CNAME   traefik-cl01tl
     medialyze                       IN      CNAME   traefik-cl01tl

hosts/ps08rp/node-exporter/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     node-exporter:
-        image: quay.io/prometheus/node-exporter:v1.10.2
+        image: quay.io/prometheus/node-exporter:v1.10.2@sha256:337ff1d356b68d39cef853e8c6345de11ce7556bb34cda8bd205bcf2ed30b565
         container_name: node-exporter
         command:
             - '--path.rootfs=/rootfs'

hosts/ps08rp/traefik/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     traefik:
-        image: ghcr.io/traefik/traefik:v3.6.10
+        image: ghcr.io/traefik/traefik:v3.6.11@sha256:acfc80650104f0194a15f73dc1648f517561bc1645391a15705332a064cfc33c
         container_name: traefik
         command:
             - "--global.checkNewVersion=false"

hosts/ps09rp/blocky/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-blocky:
-        image: ghcr.io/tailscale/tailscale:v1.94.2
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-blocky
         cap_add:
             - net_admin
@@ -18,7 +18,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     blocky:
-        image: ghcr.io/0xerr0r/blocky:v0.29.0
+        image: ghcr.io/0xerr0r/blocky:v0.29.0@sha256:a6d99f323d3036a99a3767a52ad612f4d8f3f31167492bfc14d4ea57b24cdfd0
         container_name: blocky
         environment:
             - TZ=America/Chicago

hosts/ps09rp/blocky/config.yml

@@ -94,7 +94,7 @@ customDNS:
 
     traefik-cl01tl                  IN      A       10.232.1.21
     blocky                          IN      A       10.232.1.22
-    cilium-cl01tl                   IN      A       10.232.1.23
+    plex-lb                         IN      A       10.232.1.23
 
 
     ;; Application Names
@@ -123,12 +123,14 @@ customDNS:
     home                            IN      CNAME   traefik-cl01tl
     home-assistant                  IN      CNAME   traefik-cl01tl
     home-assistant-code-server      IN      CNAME   traefik-cl01tl
+    houndarr                        IN      CNAME   traefik-cl01tl
     hubble                          IN      CNAME   traefik-cl01tl
     immich                          IN      CNAME   traefik-cl01tl
     jellyfin                        IN      CNAME   traefik-cl01tl
     jellystat                       IN      CNAME   traefik-cl01tl
     kiwix                           IN      CNAME   traefik-cl01tl
     komodo                          IN      CNAME   traefik-cl01tl
+    languagetool                    IN      CNAME   traefik-cl01tl
     lidarr                          IN      CNAME   traefik-cl01tl
     mail                            IN      CNAME   traefik-cl01tl
     medialyze                       IN      CNAME   traefik-cl01tl

hosts/ps09rp/node-exporter/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     node-exporter:
-        image: quay.io/prometheus/node-exporter:v1.10.2
+        image: quay.io/prometheus/node-exporter:v1.10.2@sha256:337ff1d356b68d39cef853e8c6345de11ce7556bb34cda8bd205bcf2ed30b565
         container_name: node-exporter
         command:
             - '--path.rootfs=/rootfs'

hosts/ps09rp/traefik/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     traefik:
-        image: ghcr.io/traefik/traefik:v3.6.10
+        image: ghcr.io/traefik/traefik:v3.6.11@sha256:acfc80650104f0194a15f73dc1648f517561bc1645391a15705332a064cfc33c
         container_name: traefik
         command:
             - "--global.checkNewVersion=false"

hosts/ps10rp/blocky/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-blocky:
-        image: ghcr.io/tailscale/tailscale:v1.94.2
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-blocky
         cap_add:
             - net_admin
@@ -18,7 +18,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     blocky:
-        image: ghcr.io/0xerr0r/blocky:v0.29.0
+        image: ghcr.io/0xerr0r/blocky:v0.29.0@sha256:a6d99f323d3036a99a3767a52ad612f4d8f3f31167492bfc14d4ea57b24cdfd0
         container_name: blocky
         environment:
             - TZ=America/Chicago

hosts/ps10rp/castsponsorskip/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     castsponsorskip:
-        image: ghcr.io/gabe565/castsponsorskip:0.8.3
+        image: ghcr.io/gabe565/castsponsorskip:0.8.3@sha256:f556d274aab94c3140058e9f192396bc75e04d8e075769223c1edfc8c4f4daa4
         container_name: castsponsorskip
         environment:
             - TZ=America/Chicago

hosts/ps10rp/cloudflare-ddns/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     cloudflare-ddns:
-        image: favonia/cloudflare-ddns:1.15.1
+        image: favonia/cloudflare-ddns:1.15.1@sha256:a4e2089b3531eec8c9328c7a9a586f80e8d67dcd94856e0b596b7896e1de3f62
         container_name: cloudflare-ddns
         cap_drop:
             - all

hosts/ps10rp/garage/compose.yaml

@@ -1,6 +1,6 @@
 services:
     tailscale-garage:
-        image: ghcr.io/tailscale/tailscale:v1.94.2
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-garage
         cap_add:
             - net_admin
@@ -20,7 +20,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     tailscale-garage-ui:
-        image: ghcr.io/tailscale/tailscale:v1.94.2
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-garage-ui
         cap_add:
             - net_admin
@@ -39,7 +39,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     garage:
-        image: dxflrs/garage:v2.2.0
+        image: dxflrs/garage:v2.2.0@sha256:45a61ce3f7c9c24fc23d9ed2b09b27ed560ab87b34605d175d5c588f539c24e4
         container_name: garage
         env_file:
             - .env
@@ -54,7 +54,7 @@ services:
             - data:/var/lib/garage/data
 
     garage-ui:
-        image: khairul169/garage-webui:1.1.0
+        image: khairul169/garage-webui:1.1.0@sha256:17c793551873155065bf9a022dabcde874de808a1f26e648d4b82e168806439c
         container_name: garage-ui
         env_file:
             - .env

hosts/ps10rp/gitea/compose.yaml

@@ -1,6 +1,6 @@
 services:
     tailscale-gitea:
-        image: ghcr.io/tailscale/tailscale:v1.94.2
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-gitea
         cap_add:
             - net_admin
@@ -19,7 +19,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     postgresql:
-        image: docker.io/postgres:18.1-alpine3.21
+        image: docker.io/postgres:18.1-alpine3.21@sha256:44d837eb4c2ed263474a95f0cc24745413c50924df60dd73ed6c4c3e36b84259
         container_name: gitea-postgres
         env_file:
             - .env
@@ -33,7 +33,7 @@ services:
             - postgresql18:/var/lib/postgresql
 
     gitea:
-        image: gitea/gitea:1.25.5
+        image: gitea/gitea:1.25.5@sha256:f846d26a4fc389c5806a580a765e00bfdd1fd181e6f2060da98ea2669d914472
         container_name: gitea
         depends_on:
             - postgresql

hosts/ps10rp/homepage/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-homepage:
-        image: ghcr.io/tailscale/tailscale:v1.94.2
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-homepage
         cap_add:
             - net_admin
@@ -20,7 +20,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     dockerproxy:
-        image: ghcr.io/tecnativa/docker-socket-proxy:v0.4.2
+        image: ghcr.io/tecnativa/docker-socket-proxy:v0.4.2@sha256:1f3a6f303320723d199d2316a3e82b2e2685d86c275d5e3deeaf182573b47476
         container_name: homepage-dockerproxy
         environment:
             - CONTAINERS=1
@@ -32,7 +32,7 @@ services:
             - /var/run/docker.sock:/var/run/docker.sock:ro
 
     homepage:
-        image: ghcr.io/gethomepage/homepage:v1.11.0
+        image: ghcr.io/gethomepage/homepage:v1.11.0@sha256:b129cb0f674bd6d204e215bde2c2fc3f11d6ad0e82f6d20007cf80f74e1acbb1
         container_name: homepage
         labels:
             traefik.enable: true

hosts/ps10rp/isponsorblocktv/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     isponsorblocktv:
-        image: ghcr.io/dmunozv04/isponsorblocktv:v2.6.1
+        image: ghcr.io/dmunozv04/isponsorblocktv:v2.6.1@sha256:545856523283753ebcf4b400a46895b9906844be5265a0f4cab98a6b0bdf84be
         container_name: isponsorblocktv
         environment:
             - TZ=America/Chicago

hosts/ps10rp/komodo-periphery/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-komodo-periphery:
-        image: ghcr.io/tailscale/tailscale:latest
+        image: ghcr.io/tailscale/tailscale:latest@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-komodo-periphery
         cap_add:
             - net_admin
@@ -20,7 +20,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     komodo-periphery:
-        image: ghcr.io/moghtech/komodo-periphery:latest
+        image: ghcr.io/moghtech/komodo-periphery:latest@sha256:bd79cf960ed054fe8e02384322303e462448679b1149dde48bbef151417255b1
         container_name: komodo-periphery
         env_file:
             - .env

hosts/ps10rp/node-exporter/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-node-exporter:
-        image: ghcr.io/tailscale/tailscale:v1.94.2
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-node-exporter
         cap_add:
             - net_admin
@@ -20,7 +20,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     node-exporter:
-        image: quay.io/prometheus/node-exporter:v1.10.2
+        image: quay.io/prometheus/node-exporter:v1.10.2@sha256:337ff1d356b68d39cef853e8c6345de11ce7556bb34cda8bd205bcf2ed30b565
         container_name: node-exporter
         command:
             - '--path.rootfs=/rootfs'

hosts/ps10rp/tailscale-subnet/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale:
-        image: ghcr.io/tailscale/tailscale:v1.94.2
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-subnet
         cap_add:
             - net_admin

hosts/ps10rp/traefik/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-traefik:
-        image: ghcr.io/tailscale/tailscale:v1.94.2
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-traefik
         cap_add:
             - net_admin
@@ -20,7 +20,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     traefik:
-        image: ghcr.io/traefik/traefik:v3.6.10
+        image: ghcr.io/traefik/traefik:v3.6.11@sha256:acfc80650104f0194a15f73dc1648f517561bc1645391a15705332a064cfc33c
         container_name: traefik
         command:
             - "--global.checkNewVersion=false"

renovate.json

@@ -5,6 +5,14 @@
     "mergeConfidence:all-badges",
     ":rebaseStalePrs"
   ],
+  "timezone": "America/Chicago",
+  "labels": [],
+  "prHourlyLimit": 0,
+  "prConcurrentLimit": 0,
+  "pinDigests": true,
+  "baseBranchPatterns": [
+    "main"
+  ],
   "customManagers": [
     {
       "description": "Update appVersion in Chart.yaml",
@@ -23,7 +31,7 @@
         "/(^|/)templates/.*\\.yaml$/"
       ],
       "matchStrings": [
-        "# renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)\\s+tag: (?<currentValue>.*)"
+        "# renovate: datasource=(?<datasource>[^\\s]+)\\s+depName=(?<depName>[^\\s]+)\\s+tag:\\s*[\"']?(?<currentValue>[^@\"'\\s\n]+)(?:@(?<currentDigest>sha256:[a-f0-9]+))?[\"']?"
       ]
     },
     {
@@ -53,14 +61,30 @@
       "versioningTemplate": "semver"
     }
   ],
-  "timezone": "US/Central",
-  "labels": [],
-  "prHourlyLimit": 0,
-  "prConcurrentLimit": 0,
-  "baseBranchPatterns": [
-    "main"
-  ],
   "packageRules": [
+    {
+      "description": "Disable updates to digests",
+      "matchUpdateTypes": [
+        "digest"
+      ],
+      "enabled": false
+    },
+    {
+      "description": "Automerge digests for actions",
+      "matchManagers": [
+        "github-actions"
+      ],
+      "matchUpdateTypes": [
+        "digest"
+      ],
+      "addLabels": [
+        "actions",
+        "automerge"
+      ],
+      "enabled": true,
+      "automerge": true,
+      "minimumReleaseAge": "1 days"
+    },
     {
       "description": "Label charts",
       "matchDatasources": [
@@ -102,20 +126,7 @@
       "automergeType": "branch"
     },
     {
-      "description": "Label images, helm",
+      "description": "Label images",
-      "matchManagers": [
-        "custom.regex",
-        "helm-values"
-      ],
-      "groupName": "{{#if packageName}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' packageName)}}}{{else}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' depName)}}}{{/if}}",
-      "groupSlug": "unified-{{{groupName}}}",
-      "addLabels": [
-        "image"
-      ],
-      "automerge": false
-    },
-    {
-      "description": "Label images, docker",
       "matchDatasources": [
         "docker"
       ],
@@ -125,17 +136,14 @@
       "automerge": false
     },
     {
-      "description": "Automerge image patches, helm",
+      "description": "Automerge image patches",
       "matchUpdateTypes": [
         "patch",
-        "digest"
+        "pinDigest"
       ],
-      "matchManagers": [
+      "matchDatasources": [
-        "custom.regex",
+        "docker"
-        "helm-values"
       ],
-      "groupName": "{{#if packageName}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' packageName)}}}{{else}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' depName)}}}{{/if}}",
-      "groupSlug": "unified-{{{groupName}}}",
       "addLabels": [
         "image",
         "automerge"
@@ -144,14 +152,68 @@
       "minimumReleaseAge": "1 days"
     },
     {
-      "description": "Automerge image patches, docker",
+      "description": "Automerge images, specific packages",
       "matchUpdateTypes": [
         "patch",
+        "minor"
+      ],
+      "matchDatasources": [
+        "docker"
+      ],
+      "matchPackageNames": [
+        "ghcr.io/renovatebot/renovate"
+      ],
+      "addLabels": [
+        "image",
+        "automerge"
+      ],
+      "automerge": true,
+      "minimumReleaseAge": "1 days"
+    },
+    {
+      "description": "Automerge digest updates, specific packages",
+      "matchUpdateTypes": [
         "digest"
       ],
       "matchDatasources": [
         "docker"
       ],
+      "matchPackageNames": [
+        "searxng/searxng"
+      ],
+      "addLabels": [
+        "image",
+        "automerge"
+      ],
+      "enabled": true,
+      "automerge": true,
+      "minimumReleaseAge": "1 days"
+    },
+    {
+      "description": "Label appVersion and images, merged",
+      "matchManagers": [
+        "custom.regex",
+        "helm-values"
+      ],
+      "groupName": "{{#if packageName}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' packageName)}}}{{else}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' depName)}}}{{/if}}",
+      "groupSlug": "unified-{{{groupName}}}",
+      "addLabels": [
+        "image"
+      ],
+      "automerge": false
+    },
+    {
+      "description": "Automerge appVersion and images, merged",
+      "matchUpdateTypes": [
+        "patch",
+        "pinDigest"
+      ],
+      "matchManagers": [
+        "custom.regex",
+        "helm-values"
+      ],
+      "groupName": "{{#if packageName}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' packageName)}}}{{else}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' depName)}}}{{/if}}",
+      "groupSlug": "unified-{{{groupName}}}",
       "addLabels": [
         "image",
         "automerge"