chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.90.0 (#5128)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [harbor.alexlebens.net/images/site-documentation](https://gitea.alexlebens.dev/alexlebens/site-documentation) | minor | `0.7.0` → `0.8.0` |

---

### Release Notes

<details>
<summary>alexlebens/site-documentation (harbor.alexlebens.net/images/site-documentation)</summary>

### [`v0.8.0`](https://gitea.alexlebens.dev/alexlebens/site-documentation/releases/tag/0.8.0)

[Compare Source](https://gitea.alexlebens.dev/alexlebens/site-documentation/compare/0.7.0...0.8.0)

### [0.8.0](http://gitea-http.gitea:3000/alexlebens/site-documentation/compare/0.7.0...0.8.0) (2026-03-25)

##### Features

- add more apps ([c69fde3](c69fde38f9))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My44OS4zIiwidXBkYXRlZEluVmVyIjoiNDMuODkuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZG9ja2VyIiwiaW1hZ2UiXX0=-->

Reviewed-on: #5123
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

.gitea/workflows/renovate.yaml

@@ -13,7 +13,7 @@ on:
 jobs:
   renovate:
     runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.89.2@sha256:a823bf9ff1f04c31d46267b78330e06f802dbf6e1af899e21c6a8e3197d45354
+    container: ghcr.io/renovatebot/renovate:43.91.1@sha256:63e27dd3ed7dd5feb755e0f3c8e50516f5845be124311b4f6b3c898b5d767b49
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

clusters/cl01tl/helm/argocd/values.yaml

@@ -91,7 +91,7 @@ argo-cd:
     enabled: true
     image:
       repository: redis
-      tag: 8.6.1-alpine@sha256:315270d166080f537bbdf1b489b603aaaa213cb55a544acfa51feb7481abb1c0
+      tag: 8.6.2-alpine@sha256:81b6f81d6a6c5b9019231a2e8eb10085e3a139a34f833dcc965a8a959b040b72
     persistentVolume:
       enabled: true
     redis:

clusters/cl01tl/helm/cert-manager/Chart.yaml

@@ -5,8 +5,7 @@ description: Cert Manager
 keywords:
   - cert-manager
   - certificates
-  - kubernetes
+home: https://docs.alexlebens.dev/applications/cert-manager/
-home: https://wiki.alexlebens.dev/s/368fe718-eedb-40e0-a5a7-fad03cdc6b09
 sources:
   - https://github.com/cert-manager/cert-manager
   - https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager
@@ -16,6 +15,6 @@ dependencies:
   - name: cert-manager
     version: v1.20.0
     repository: https://charts.jetstack.io
-icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/cert-manager.png
+icon: https://raw.githubusercontent.com/cert-manager/cert-manager/refs/heads/master/logo/logo.png
 # renovate: datasource=github-releases depName=cert-manager/cert-manager
 appVersion: v1.20.0

clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml

@@ -2,6 +2,11 @@ apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
   name: letsencrypt-issuer
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: letsencrypt-issuer
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   acme:
     email: alexanderlebens@gmail.com

clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml

@@ -14,8 +14,5 @@ spec:
   data:
     - secretKey: api-token
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cloudflare/alexlebens.net/clusterissuer
-        metadataPolicy: None
         property: token

clusters/cl01tl/helm/cert-manager/values.yaml

@@ -3,10 +3,16 @@ cert-manager:
     enabled: true
     keep: true
   replicaCount: 2
+  podDisruptionBudget:
+    enabled: true
+    minAvailable: 1
   extraArgs:
     - --enable-gateway-api
+  resources:
+    requests:
+      cpu: 10m
+      memory: 64Mi
   prometheus:
-    enabled: true
     servicemonitor:
       enabled: true
       honorLabels: true

clusters/cl01tl/helm/cilium/Chart.yaml

@@ -4,13 +4,12 @@ version: 1.0.0
 description: Cilium
 keywords:
   - cilium
-  - cni
+  - operator
   - network
-  - kubernetes
+home: https://docs.alexlebens.dev/applications/cilium/
-home: https://wiki.alexlebens.dev/s/9e6f5b17-e186-4af0-81cd-af647b162d3d
 sources:
   - https://github.com/cilium/cilium
-  - https://github.com/cilium/charts
+  - https://github.com/cilium/cilium/tree/main/install/kubernetes/cilium
 maintainers:
   - name: alexlebens
 dependencies:
@@ -19,4 +18,4 @@ dependencies:
     repository: https://helm.cilium.io/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png
 # renovate: datasource=github-releases depName=cilium/cilium
-appVersion: 1.19.2
+appVersion: 1.18.6

clusters/cl01tl/helm/cilium/values.yaml

@@ -25,36 +25,24 @@ cilium:
         - NET_ADMIN
         - SYS_ADMIN
         - SYS_RESOURCE
-  l2announcements:
-    enabled: false
   bgpControlPlane:
     enabled: false
-    secretsNamespace:
-      name: kube-system
-    statusReport:
-      enabled: true
-    routerIDAllocation:
-      mode: "default"
   bpf:
     hostLegacyRouting: true
   devices: end0 enp6s0
   ciliumEndpointSlice:
     enabled: true
-  ingressController:
-    enabled: false
   gatewayAPI:
     enabled: true
-    enableAlpn: true
     enableAppProtocol: true
-    gatewayClass:
+    enableAlpn: true
-      create: auto
+    secretsNamespace:
-  externalIPs:
+      create: false
-    enabled: true
+      name: kube-system
   socketLB:
     enabled: true
     hostNamespaceOnly: true
   hubble:
-    enabled: true
     metrics:
       serviceMonitor:
         enabled: true
@@ -68,8 +56,6 @@ cilium:
           enabled: true
     ui:
       enabled: true
-      ingress:
-        enabled: false
   ipam:
     mode: "kubernetes"
   ipv4:
@@ -77,12 +63,11 @@ cilium:
   ipv6:
     enabled: false
   kubeProxyReplacement: true
-  l7Proxy: true
   prometheus:
     enabled: true
     serviceMonitor:
-      trustCRDsExist: true
       enabled: true
+      trustCRDsExist: true
   envoy:
     enabled: true
     securityContext:
@@ -94,14 +79,11 @@ cilium:
           - PERFMON
           - BPF
     prometheus:
-      enabled: true
       serviceMonitor:
         enabled: true
   operator:
-    enabled: true
     rollOutPods: true
     prometheus:
-      enabled: true
       serviceMonitor:
         enabled: true
   cgroup:

clusters/cl01tl/helm/cloudnative-pg/Chart.yaml

@@ -6,10 +6,11 @@ keywords:
   - cloudnative-pg
   - operator
   - postgresql
-  - kubernetes
+home: https://docs.alexlebens.dev/applications/cloudnative-pg/
-home: https://wiki.alexlebens.dev/s/9fb10833-0278-4e64-a34c-d348d833839f
 sources:
   - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://github.com/cloudnative-pg/plugin-barman-cloud
+  - https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql
   - https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
   - https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud
 maintainers:
@@ -21,6 +22,6 @@ dependencies:
   - name: plugin-barman-cloud
     version: 0.5.0
     repository: https://cloudnative-pg.io/charts/
-icon: https://avatars.githubusercontent.com/u/100373852?s=200&v=4
+icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png
 # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
 appVersion: 1.28.1

clusters/cl01tl/helm/cloudnative-pg/values.yaml

@@ -1,16 +1,16 @@
 cloudnative-pg:
   replicaCount: 2
+  resources:
+    requests:
+      cpu: 10m
+      memory: 64Mi
   monitoring:
     podMonitorEnabled: true
 plugin-barman-cloud:
   replicaCount: 1
-  image:
-    registry: ghcr.io
-    repository: cloudnative-pg/plugin-barman-cloud
-    tag: v0.11.0
-  sidecarImage:
-    registry: ghcr.io
-    repository: cloudnative-pg/plugin-barman-cloud-sidecar
-    tag: v0.11.0
   crds:
     create: true
+  resources:
+    requests:
+      cpu: 10m
+      memory: 64Mi

clusters/cl01tl/helm/code-server/Chart.yaml

@@ -5,14 +5,14 @@ description: Code Server
 keywords:
   - code-server
   - code
-  - ide
+home: https://docs.alexlebens.dev/applications/code-server/
-home: https://wiki.alexlebens.dev/s/233f96bb-db70-47e4-8b22-a8efcbb0f93d
 sources:
   - https://github.com/coder/code-server
-  - https://github.com/cloudflare/cloudflared
+  - https://github.com/linuxserver/docker-code-server
-  - https://hub.docker.com/r/linuxserver/code-server
+  - https://github.com/linuxserver/docker-code-server/pkgs/container/code-server
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:
@@ -28,5 +28,5 @@ dependencies:
     version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
-# renovate: datasource=github-releases depName=linuxserver/docker-code-server
+# renovate: datasource=github-releases depName=coder/code-server
-appVersion: 4.108.1
+appVersion: 4.112.0

clusters/cl01tl/helm/code-server/templates/external-secret.yaml

@@ -14,15 +14,9 @@ spec:
   data:
     - secretKey: PASSWORD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/code-server/auth
-        metadataPolicy: None
         property: PASSWORD
     - secretKey: SUDO_PASSWORD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/code-server/auth
-        metadataPolicy: None
         property: SUDO_PASSWORD

clusters/cl01tl/helm/code-server/values.yaml

@@ -4,16 +4,18 @@ code-server:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
+      pod:
+        securityContext:
+          fsGroup: 1000
+          fsGroupChangePolicy: OnRootMismatch
       containers:
         main:
           image:
             repository: ghcr.io/linuxserver/code-server
             tag: 4.112.0@sha256:4bb5b8ad22268001687c047f0f04933799fb03df1eb0e1e266ba15ed2d9f4e8b
-            pullPolicy: IfNotPresent
           env:
             - name: TZ
-              value: US/Central
+              value: America/Chicago
             - name: PUID
               value: 1000
             - name: PGID
@@ -26,7 +28,7 @@ code-server:
           resources:
             requests:
               cpu: 10m
-              memory: 128Mi
+              memory: 80Mi
   service:
     main:
       controller: main
@@ -47,11 +49,8 @@ code-server:
         - code-server.alexlebens.net
       rules:
         - backendRefs:
-            - group: ''
+            - name: code-server
-              kind: Service
-              name: code-server
               port: 8443
-              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -62,7 +61,6 @@ code-server:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 2Gi
-      retain: true
       advancedMounts:
         main:
           main:

clusters/cl01tl/helm/coredns/Chart.yaml

@@ -5,9 +5,7 @@ description: CoreDNS
 keywords:
   - coredns
   - dns
-  - network
+home: https://docs.alexlebens.dev/applications/coredns/
-  - kubernetes
-home: https://wiki.alexlebens.dev/s/
 sources:
   - https://github.com/coredns/coredns
   - https://github.com/coredns/helm
@@ -17,6 +15,6 @@ dependencies:
   - name: coredns
     version: 1.45.2
     repository: https://coredns.github.io/helm
-icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/coredns.png
+icon: https://raw.githubusercontent.com/coredns/coredns.io/refs/heads/master/static/images/favicon.png
 # renovate: datasource=github-releases depName=coredns/coredns
 appVersion: v1.14.2

clusters/cl01tl/helm/coredns/values.yaml

@@ -1,23 +1,18 @@
 coredns:
   image:
     repository: registry.k8s.io/coredns/coredns
-    tag: v1.14.2
+    tag: v1.14.2@sha256:e7e6440cfd1e919280958f5b5a6ab2b184d385bba774c12ad2a9e1e4183f90d9
   replicaCount: 3
   resources:
+    limits:
+      cpu: null
+      memory: null
     requests:
-      cpu: 50m
+      cpu: 20m
-      memory: 128Mi
+      memory: 32Mi
-  rollingUpdate:
-    maxUnavailable: 1
-    maxSurge: 25%
-  terminationGracePeriodSeconds: 30
-  serviceType: "ClusterIP"
   prometheus:
     service:
       enabled: true
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/port: "9153"
     monitor:
       enabled: true
       namespace: kube-system
@@ -29,18 +24,7 @@ coredns:
   serviceAccount:
     create: true
     name: coredns
-  rbac:
-    create: true
-  isClusterService: true
   priorityClassName: system-cluster-critical
-  securityContext:
-    capabilities:
-      add:
-        - NET_BIND_SERVICE
-      drop:
-        - ALL
-    readOnlyRootFilesystem: true
-    allowPrivilegeEscalation: false
   servers:
     - zones:
         - zone: .
@@ -77,6 +61,8 @@ coredns:
         - name: errors
         - name: cache
           parameters: 30
+        - name: prometheus
+          parameters: :9153
         - name: forward
           parameters: . 10.111.232.172
     - zones:
@@ -88,6 +74,8 @@ coredns:
         - name: errors
         - name: cache
           parameters: 30
+        - name: prometheus
+          parameters: :9153
         - name: forward
           parameters: . 10.97.20.219
   nodeSelector:
@@ -100,6 +88,4 @@ coredns:
       operator: Exists
       effect: NoSchedule
   deployment:
-    skipConfig: false
-    enabled: true
     name: coredns

clusters/cl01tl/helm/dawarich/Chart.yaml

@@ -5,10 +5,13 @@ description: Dawarich
 keywords:
   - dawarich
   - location
-home: https://wiki.alexlebens.dev/s/
+home: https://docs.alexlebens.dev/applications/dawarich/
 sources:
   - https://github.com/Freika/dawarich
+  - https://hub.docker.com/r/freikin/dawarich
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
 maintainers:
   - name: alexlebens
 dependencies:

clusters/cl01tl/helm/dawarich/templates/external-secret.yaml

@@ -14,10 +14,7 @@ spec:
   data:
     - secretKey: key
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/dawarich/key
-        metadataPolicy: None
         property: key
 
 ---
@@ -37,15 +34,9 @@ spec:
   data:
     - secretKey: client
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/dawarich
-        metadataPolicy: None
         property: client
     - secretKey: secret
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/dawarich
-        metadataPolicy: None
         property: secret

clusters/cl01tl/helm/dawarich/values.yaml

@@ -4,15 +4,20 @@ dawarich:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
       containers:
         main:
           image:
             repository: freikin/dawarich
-            tag: 1.4.0
+            tag: 1.4.0@sha256:07adb7643b00d1d8f606c675931d3604317fa3851b91b74ec503df8d50734cb8
-            pullPolicy: IfNotPresent
+          command:
-          command: ["web-entrypoint.sh"]
+            - "web-entrypoint.sh"
-          args: ["bin/rails", "server", "-p", "3000", "-b", "::"]
+          args:
+            - "bin/rails"
+            - "server"
+            - "-p"
+            - "3000"
+            - "-b"
+            - "::"
           env:
             - name: RAILS_ENV
               value: production
@@ -86,14 +91,14 @@ dawarich:
               value: true
           probes:
             liveness:
-              enabled: false
+              enabled: true
               custom: true
               spec:
                 exec:
                   command:
                     - /bin/sh
                     - -c
-                    - wget -qO - http://127.0.0.1:3000/api/v1/health | grep -Eq '\"status\"\\s*:\\s*\"ok\"'
+                    - "wget -qO - http://127.0.0.1:3000/api/v1/health | grep -q '\"status\"\\s*:\\s*\"ok\"'"
                 failureThreshold: 5
                 initialDelaySeconds: 60
                 periodSeconds: 10
@@ -102,14 +107,15 @@ dawarich:
           resources:
             requests:
               cpu: 10m
-              memory: 128Mi
+              memory: 750Mi
         sidekiq:
           image:
             repository: freikin/dawarich
-            tag: 1.4.0
+            tag: 1.4.0@sha256:07adb7643b00d1d8f606c675931d3604317fa3851b91b74ec503df8d50734cb8
-            pullPolicy: IfNotPresent
+          command:
-          command: ["sidekiq-entrypoint.sh"]
+            - "sidekiq-entrypoint.sh"
-          args: ["sidekiq"]
+          args:
+            - "sidekiq"
           env:
             - name: RAILS_ENV
               value: production
@@ -185,23 +191,19 @@ dawarich:
               value: true
           probes:
             liveness:
-              enabled: false
+              enabled: true
               custom: true
               spec:
                 exec:
                   command:
-                    - /bin/sh
+                    - pgrep
-                    - -c
+                    - -f
-                    - pgrep -f sidekiq
+                    - sidekiq
                 failureThreshold: 5
                 initialDelaySeconds: 60
                 periodSeconds: 10
                 successThreshold: 1
                 timeoutSeconds: 10
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
   service:
     main:
       controller: main
@@ -238,11 +240,8 @@ dawarich:
         - dawarich.alexlebens.net
       rules:
         - backendRefs:
-            - group: ""
+            - name: dawarich
-              kind: Service
-              name: dawarich
               port: 80
-              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -253,7 +252,6 @@ dawarich:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
-      retain: true
       advancedMounts:
         main:
           main:
@@ -267,7 +265,6 @@ dawarich:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
-      retain: true
       advancedMounts:
         main:
           main:
@@ -281,7 +278,6 @@ dawarich:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 1Gi
-      retain: true
       advancedMounts:
         main:
           main:
@@ -313,32 +309,9 @@ postgres-18-cluster:
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true
-      # - name: garage-remote
-      #   index: 1
-      #   destinationBucket: postgres-backups
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   retentionPolicy: "90d"
-      #   data:
-      #     compression: bzip2
-      # - name: external
-      #   index: 1
-      #   endpointURL: https://nyc3.digitaloceanspaces.com
-      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 10 14 * * *"
         backupName: garage-local
-      # - name: weekly-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 4 * * SAT"
-      #   backupName: garage-remote
-      # - name: daily-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 0 * * *"
-      #   backupName: external

clusters/cl01tl/helm/harbor/values.yaml

@@ -40,21 +40,21 @@ harbor:
     enabled: true
   portal:
     image:
-      repository: goharbor/harbor-portal
+      repository: ghcr.io/goharbor/harbor-portal
-      tag: v2.15.0
+      tag: v2.15.0@sha256:541d5fa95bf77240d46a438f86245cdfd6afa6dd7fdd0cf4dd4c905af6a980b1
     replicas: 2
   core:
     image:
-      repository: goharbor/harbor-core
+      repository: ghcr.io/goharbor/harbor-core
-      tag: v2.15.0
+      tag: v2.15.0@sha256:32a13f6693a278261e9c9cb7eb606c5e2aa021308ae44fdc73225755048500a8
     replicas: 2
     existingSecret: harbor-secret
     secretName: harbor-secret
     existingXsrfSecret: harbor-secret
   jobservice:
     image:
-      repository: goharbor/harbor-jobservice
+      repository: ghcr.io/goharbor/harbor-jobservice
-      tag: v2.15.0
+      tag: v2.15.0@sha256:a22c7cccba4673b26ffb96f5c37971d85d879dd837bc82448e01c0170b68cf28
     replicas: 2
     jobLoggers:
       - stdout
@@ -63,11 +63,11 @@ harbor:
     registry:
       image:
         repository: goharbor/registry-photon
-        tag: v2.15.0
+        tag: v2.15.0@sha256:beb49fd16cf0906c04a2bf51a22f7210289e7cc2ae43a733e2a0364380aceae6
     controller:
       image:
-        repository: goharbor/harbor-registryctl
+        repository: ghcr.io/goharbor/harbor-registryctl
-        tag: v2.15.0
+        tag: v2.15.0@sha256:463172f71d3a1e8d4f9e3b4e687a447f41fbc3126316d8c150dba04a903bbc47
     existingSecret: harbor-secret
     relativeurls: true
     credentials:
@@ -93,8 +93,8 @@ harbor:
       addr: harbor-valkey.harbor:6379
   exporter:
     image:
-      repository: goharbor/harbor-exporter
+      repository: ghcr.io/goharbor/harbor-exporter
-      tag: v2.15.0
+      tag: v2.15.0@sha256:ad065e4e1a0ee900a0bb1a03d57028ed4b51dc04933f5c1cb5c4aee301a72ddb
     replicas: 2
 postgres-18-cluster:
   mode: recovery

clusters/cl01tl/helm/homepage/values.yaml

@@ -40,20 +40,6 @@ homepage:
             html {
                 font-size: 18px;
             }
-            ul#myTab {
-                background-color: rgba(240, 230, 215, 0.12) !important;
-                color: white !important;
-            }
-            li.service div.service-card,
-            li.bookmark a.rounded-md {
-                color: white !important;
-                background-color: rgba(240, 230, 215, 0.12) !important;
-                transition: all 150ms ease !important;
-            }
-            li.service div.service-card:hover,
-            li.bookmark a.rounded-md:hover {
-                background-color: rgba(240, 230, 215, 0.18) !important;
-            }
         docker.yaml: ""
         kubernetes.yaml: |
           mode: cluster

clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: kube-prometheus-stack
   repository: oci://ghcr.io/prometheus-community/charts
-  version: 82.13.6
+  version: 82.14.0
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.6.2
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.4.0
-digest: sha256:6c29e37c4a0b08244b3ab0c60b2e07a2574f382f18183d98017d2d0dbcab7f21
+digest: sha256:767eea1e633cefea72a9428ca888bfb47e82febdfd647d7d5f199523eace0154
-generated: "2026-03-24T17:20:56.086048387Z"
+generated: "2026-03-24T20:52:31.377221183Z"

clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml

@@ -20,7 +20,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: kube-prometheus-stack
-    version: 82.13.6
+    version: 82.14.0
     repository: oci://ghcr.io/prometheus-community/charts
   - name: app-template
     alias: ntfy-alertmanager

clusters/cl01tl/helm/music-grabber/values.yaml

@@ -9,7 +9,7 @@ music-grabber:
         main:
           image:
             repository: g33kphr33k/musicgrabber
-            tag: 2.5.1
+            tag: 2.5.2
             pullPolicy: IfNotPresent
           env:
             - name: MUSIC_DIR

clusters/cl01tl/helm/rook-ceph/Chart.lock

@@ -1,12 +1,9 @@
 dependencies:
 - name: rook-ceph
   repository: https://charts.rook.io/release
-  version: v1.19.2
+  version: v1.19.3
 - name: rook-ceph-cluster
   repository: https://charts.rook.io/release
-  version: v1.19.2
+  version: v1.19.3
-- name: cloudflared
+digest: sha256:f485e0ac0fe7a70972491078f37b8be4aff2c6dfa7346bdb18d296f1dbd15b1e
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2026-03-24T22:57:30.323965591Z"
-  version: 2.4.0
-digest: sha256:4bd2987d8b6b91e0c4dc026c5d20419c69bd81c82063d7850bbfe8d7dbea3b82
-generated: "2026-03-09T22:05:44.444530464Z"

clusters/cl01tl/helm/rook-ceph/Chart.yaml

@@ -16,11 +16,11 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: rook-ceph
-    version: v1.19.2
+    version: v1.19.3
     repository: https://charts.rook.io/release
   - name: rook-ceph-cluster
-    version: v1.19.2
+    version: v1.19.3
     repository: https://charts.rook.io/release
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ceph.png
 # renovate: datasource=github-releases depName=rook/rook
-appVersion: v1.19.2
+appVersion: v1.19.3

clusters/cl01tl/helm/searxng/values.yaml

@@ -9,7 +9,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:5cb5844fcb0f6e739cca03352a9d48e6e936323cb90f717cd07cee872b6d081a
+            tag: latest@sha256:0ae88cc7056eddde1f02df272f39f6fb2884640ed7af428c5b0a6b9c3d5bb918
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL
@@ -39,7 +39,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:5cb5844fcb0f6e739cca03352a9d48e6e936323cb90f717cd07cee872b6d081a
+            tag: latest@sha256:0ae88cc7056eddde1f02df272f39f6fb2884640ed7af428c5b0a6b9c3d5bb918
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL

clusters/cl01tl/helm/site-documentation/values.yaml

@@ -11,7 +11,7 @@ site-documentation:
         main:
           image:
             repository: harbor.alexlebens.net/images/site-documentation
-            tag: 0.6.0
+            tag: 0.8.0
             pullPolicy: IfNotPresent
           resources:
             requests:

clusters/cl01tl/helm/talos/values.yaml

@@ -405,7 +405,7 @@ etcd-defrag:
         main:
           image:
             repository: ghcr.io/siderolabs/talosctl
-            tag: v1.12.5
+            tag: v1.12.6
             pullPolicy: IfNotPresent
           args:
             - etcd
@@ -438,7 +438,7 @@ etcd-defrag:
         main:
           image:
             repository: ghcr.io/siderolabs/talosctl
-            tag: v1.12.5
+            tag: v1.12.6
             pullPolicy: IfNotPresent
           args:
             - etcd
@@ -471,7 +471,7 @@ etcd-defrag:
         main:
           image:
             repository: ghcr.io/siderolabs/talosctl
-            tag: v1.12.5
+            tag: v1.12.6
             pullPolicy: IfNotPresent
           args:
             - etcd

clusters/cl01tl/helm/yubal/Chart.yaml

@@ -22,4 +22,4 @@ dependencies:
     version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
 # renovate: datasource=github-releases depName=guillevc/yubal
-appVersion: v4.0.0
+appVersion: v0.7.2

clusters/cl01tl/helm/yubal/values.yaml

@@ -14,7 +14,7 @@ yubal:
         main:
           image:
             repository: ghcr.io/guillevc/yubal
-            tag: 4.0.0
+            tag: 0.7.2@sha256:906b7c90b738e77ad140178f6a5145f98c12af36e8321d427148c092836c37be
             pullPolicy: IfNotPresent
           env:
             - name: YUBAL_TZ
@@ -29,72 +29,6 @@ yubal:
             requests:
               cpu: 10m
               memory: 128Mi
-        # gluetun:
-        #   image:
-        #     repository: ghcr.io/qdm12/gluetun
-        #     tag: v3.41.0@sha256:6b54856716d0de56e5bb00a77029b0adea57284cf5a466f23aad5979257d3045
-        #     pullPolicy: IfNotPresent
-        #   lifecycle:
-        #     postStart:
-        #       exec:
-        #         command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
-        #   env:
-        #     - name: VPN_SERVICE_PROVIDER
-        #       value: airvpn
-        #     - name: VPN_TYPE
-        #       value: wireguard
-        #     - name: WIREGUARD_PRIVATE_KEY
-        #       valueFrom:
-        #         secretKeyRef:
-        #           name: yubal-wireguard-conf
-        #           key: private-key
-        #     - name: WIREGUARD_PRESHARED_KEY
-        #       valueFrom:
-        #         secretKeyRef:
-        #           name: yubal-wireguard-conf
-        #           key: preshared-key
-        #     - name: WIREGUARD_ADDRESSES
-        #       valueFrom:
-        #         secretKeyRef:
-        #           name: yubal-wireguard-conf
-        #           key: addresses
-        #     - name: FIREWALL_OUTBOUND_SUBNETS
-        #       value: 10.0.0.0/8
-        #     - name: FIREWALL_INPUT_PORTS
-        #       value: 8000
-        #     - name: DNS_UPSTREAM_RESOLVER_TYPE
-        #       value: dot
-        #     - name: HTTPPROXY
-        #       value: "off"
-        #     - name: SHADOWSOCKS
-        #       value: "off"
-        #   securityContext:
-        #     privileged: True
-        #     capabilities:
-        #       add:
-        #         - NET_ADMIN
-        #         - SYS_MODULE
-        #   probes:
-        #     liveness:
-        #       enabled: true
-        #       custom: true
-        #       spec:
-        #         exec:
-        #           command:
-        #             - /gluetun-entrypoint
-        #             - healthcheck
-        #         failureThreshold: 5
-        #         initialDelaySeconds: 30
-        #         periodSeconds: 30
-        #         successThreshold: 1
-        #         timeoutSeconds: 15
-        #   resources:
-        #     limits:
-        #       devic.es/tun: "1"
-        #     requests:
-        #       devic.es/tun: "1"
-        #       cpu: 10m
-        #       memory: 128Mi
   service:
     main:
       controller: main

renovate.json

@@ -3,7 +3,10 @@
   "extends": [
     "config:recommended",
     "mergeConfidence:all-badges",
-    ":rebaseStalePrs"
+    ":rebaseStalePrs",
+    "group:recommended",
+    "group:monorepos",
+    "group:kubernetesMonorepo"
   ],
   "timezone": "America/Chicago",
   "labels": [],
@@ -71,88 +74,16 @@
       "enabled": false
     },
     {
-      "description": "Label charts",
+      "description": "Label by datasource",
       "matchDatasources": [
-        "helm"
+        "helm",
-      ],
+        "docker",
-      "addLabels": [
-        "chart"
-      ],
-      "automerge": false
-    },
-    {
-      "description": "Label images",
-      "matchDatasources": [
-        "docker"
-      ],
-      "addLabels": [
-        "image"
-      ],
-      "automerge": false
-    },
-
-    {
-      "description": "Label appVersion and images, merged",
-      "matchManagers": [
-        "custom.regex",
-        "helm-values"
-      ],
-      "groupName": "{{#if packageName}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' packageName)}}}{{else}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' depName)}}}{{/if}}",
-      "groupSlug": "unified-{{{groupName}}}",
-      "addLabels": [
-        "image"
-      ],
-      "automerge": false
-    },
-    {
-      "description": "Automerge appVersion and images, merged",
-      "matchUpdateTypes": [
-        "patch",
-        "pinDigest"
-      ],
-      "matchManagers": [
-        "custom.regex",
-        "helm-values"
-      ],
-      "groupName": "{{#if packageName}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' packageName)}}}{{else}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' depName)}}}{{/if}}",
-      "groupSlug": "unified-{{{groupName}}}",
-      "addLabels": [
-        "image",
-        "automerge"
-      ],
-      "automerge": true,
-      "minimumReleaseAge": "1 days"
-    },
-    {
-      "description": "Automerge digests for actions",
-      "matchManagers": [
         "github-actions"
       ],
-      "matchUpdateTypes": [
-        "digest"
-      ],
       "addLabels": [
-        "actions",
+        "{{{datasource}}}"
-        "automerge"
       ],
-      "enabled": true,
+      "automerge": false
-      "automerge": true,
-      "minimumReleaseAge": "1 days"
-    },
-    {
-      "description": "Automerge chart patches",
-      "matchUpdateTypes": [
-        "patch"
-      ],
-      "matchDatasources": [
-        "helm"
-      ],
-      "addLabels": [
-        "chart",
-        "automerge"
-      ],
-      "automerge": true,
-      "minimumReleaseAge": "1 days"
     },
     {
       "description": "Automerge helm chart lock files",
@@ -163,46 +94,90 @@
         "enabled": true
       },
       "addLabels": [
-        "chart",
         "automerge"
       ],
       "automerge": true,
       "automergeType": "branch"
     },
     {
-      "description": "Automerge image patches",
+      "description": "Automerge patches",
       "matchUpdateTypes": [
         "patch",
         "pinDigest"
       ],
       "matchDatasources": [
-        "docker"
+        "helm",
+        "docker",
+        "github-actions"
       ],
       "addLabels": [
-        "image",
         "automerge"
       ],
       "automerge": true,
       "minimumReleaseAge": "1 days"
     },
     {
-      "description": "Automerge images, specific packages",
+      "description": "Label appVersion and images, grouped",
+      "matchManagers": [
+        "custom.regex",
+        "helm-values"
+      ],
+      "groupName": "{{#if packageName}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' packageName)}}}{{else}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' depName)}}}{{/if}}",
+      "groupSlug": "unified-{{{groupName}}}",
+      "addLabels": [
+        "image"
+      ],
+      "automerge": false
+    },
+    {
+      "description": "Automerge appVersion and images, grouped",
       "matchUpdateTypes": [
         "patch",
-        "minor"
+        "pinDigest"
       ],
-      "matchDatasources": [
+      "matchManagers": [
-        "docker"
+        "custom.regex",
-      ],
+        "helm-values"
-      "matchPackageNames": [
-        "ghcr.io/renovatebot/renovate",
-        "kube-prometheus-stack"
       ],
+      "groupName": "{{#if packageName}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' packageName)}}}{{else}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' depName)}}}{{/if}}",
+      "groupSlug": "unified-{{{groupName}}}",
       "addLabels": [
-        "image",
         "automerge"
       ],
-      "automerge": true
+      "automerge": true,
+      "minimumReleaseAge": "1 days"
+    },
+    {
+      "description": "Group apps by their keyword",
+      "groupName": "{{{replace '^.*(dawarich|komodo|immich|home-assistant|element-web|cilium).*$' '$1' depName}}}",
+      "groupSlug": "unified-{{{groupName}}}",
+      "matchPackageNames": [
+        "/(^|/)(?<appName>dawarich|komodo|immich|home-assistant|element-web|cilium)/"
+      ]
+    },
+    {
+      "description": "Group Bazarr dependencies",
+      "groupName": "bazarr",
+      "groupSlug": "unified-bazarr",
+      "matchPackageNames": [
+        "bazarr$"
+      ]
+    },
+    {
+      "description": "Group Code Server dependencies",
+      "groupName": "code-server",
+      "groupSlug": "unified-code-server",
+      "matchPackageNames": [
+        "code-server$"
+      ]
+    },
+    {
+      "description": "Group Rook-Ceph dependencies",
+      "groupName": "rook-ceph",
+      "groupSlug": "unified-rook-ceph",
+      "matchPackageNames": [
+        "/^rook(-ceph|\\/rook|\\/ceph)/"
+      ]
     },
     {
       "description": "Automerge digest updates, specific packages",
@@ -216,59 +191,28 @@
         "searxng/searxng"
       ],
       "addLabels": [
-        "image",
         "automerge"
       ],
       "enabled": true,
       "automerge": true
     },
     {
-      "description": "Group Dawarich dependencies",
+      "description": "Automerge images, specific packages",
-      "groupName": "dawarich",
+      "matchUpdateTypes": [
-      "groupSlug": "unified-dawarich",
+        "patch",
+        "minor"
+      ],
+      "matchDatasources": [
+        "docker"
+      ],
       "matchPackageNames": [
-        "/^(ghcr\\.io/|docker\\.io/)?(freika|freikin)/dawarich/"
+        "ghcr.io/renovatebot/renovate",
-      ]
+        "ghcr.io/prometheus-community/charts/kube-prometheus-stack"
-    },
+      ],
-    {
+      "addLabels": [
-      "description": "Group Komodo dependencies",
+        "automerge"
-      "groupName": "komodo",
+      ],
-      "groupSlug": "unified-komodo",
+      "automerge": true
-      "matchPackageNames": [
-        "/^moghtech/komodo/",
-        "/^ghcr\\.io/moghtech/komodo/",
-        "/^docker\\.io/moghtech/komodo/"
-      ]
-    },
-    {
-      "description": "Group Immich dependencies",
-      "groupName": "immich",
-      "groupSlug": "unified-immich",
-      "matchPackageNames": [
-        "/^immich-app/immich/",
-        "/^ghcr\\.io/immich-app/immich/",
-        "/^docker\\.io/immich-app/immich/"
-      ]
-    },
-    {
-      "description": "Group Home Assistant dependencies",
-      "groupName": "home-assistant",
-      "groupSlug": "unified-home-assistant",
-      "matchPackageNames": [
-        "/^home-assistant//",
-        "/^ghcr\\.io/home-assistant//",
-        "/^docker\\.io/home-assistant//"
-      ]
-    },
-    {
-      "description": "Group Element Web updates",
-      "groupName": "element-web",
-      "groupSlug": "unified-element-web",
-      "matchPackageNames": [
-        "/element-web/",
-        "/vectorim/element-web/",
-        "/element-hq/element-web/"
-      ]
     }
   ]
 }