fix: change log level

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/guillevc/yubal](https://github.com/guillevc/yubal) | major | `0.4.0` → `4.0.0` |
| [guillevc/yubal](https://github.com/guillevc/yubal) | major | `v0.4.0` → `v4.0.0` |

---

### Release Notes

<details>
<summary>guillevc/yubal (ghcr.io/guillevc/yubal)</summary>

### [`v4.0.0`](https://github.com/guillevc/yubal/releases/tag/v4.0.0): 🕐 v0.4.0 — Playlist sync

[Compare Source](https://github.com/guillevc/yubal/compare/v0.4.0...v4.0.0)

This release introduces **scheduled playlist sync** — subscribe to playlists and let yubal keep them updated automatically on a cron schedule.

##### ✨ What's New

- **Playlist subscriptions** — Register playlists to sync periodically with configurable track limits ([#&#8203;33](https://github.com/guillevc/yubal/issues/33))
- **Cron-based scheduler** — Set your preferred sync schedule (e.g., `0 3 * * *` for daily at 3 AM)
- **Unicode filename support** — File and folder names now preserve special characters (e.g., `Björk` instead of `Bjork`) ([#&#8203;44](https://github.com/guillevc/yubal/issues/44))

##### 🔧 Improvements

- **Format selection optimization** — yt-dlp now prefers the configured codec when selecting source streams, avoiding unnecessary transcoding when the source is already in the desired format ([#&#8203;48](https://github.com/guillevc/yubal/issues/48) by [@&#8203;ergosteur](https://github.com/ergosteur) 🚀 )
- **Update yt-dlp to latest version** — Fixes YouTube extraction failures caused by recent player JS changes ([yt-dlp/yt-dlp#15818](https://github.com/yt-dlp/yt-dlp/pull/15818))

##### 🐛 Bug Fixes

- **Cookie authentication** — Fixed failures with large or space-containing `cookies.txt` files, and improved validation with clearer error logging ([#&#8203;30](https://github.com/guillevc/yubal/issues/30), [#&#8203;47](https://github.com/guillevc/yubal/issues/47))

##### ⚠️ Heads Up

File and folder names now preserve unicode characters instead of transliterating them to ASCII. For example:

```
Before: data/Bjork/1997 - Homogenic/01 - Hunter.opus
After:  data/Björk/1997 - Homogenic/01 - Hunter.opus
```

If you have existing downloads for artists with non-ASCII names, re-downloading or syncing will create new folders alongside the old ones. Check your library and merge any duplicates after upgrading.

***

**Full Changelog**: <https://github.com/guillevc/yubal/compare/v0.3.1...v4.0.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4zLjYiLCJ1cGRhdGVkSW5WZXIiOiI0My4zLjYiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImltYWdlIl19-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3794
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

clusters/cl01tl/helm/argo-workflows/Chart.yaml

@@ -29,4 +29,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-workflows
-appVersion: v3.7.9
+appVersion: v4.0.0

clusters/cl01tl/helm/argocd/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 9.4.0
+  version: 9.4.1
-digest: sha256:9313d45f1c8c22f25b445b10c3befde61bc7d6e3d9c7f49d857c0abf641b1636
+digest: sha256:6686031538b67a4b79a89b90de06199758c4718a9b7e0a0e6863a5be8964ed9d
-generated: "2026-02-02T23:52:13.741194572Z"
+generated: "2026-02-05T20:06:46.998124019Z"

clusters/cl01tl/helm/argocd/Chart.yaml

@@ -15,7 +15,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-cd
-    version: 9.4.0
+    version: 9.4.1
     repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-cd

clusters/cl01tl/helm/blocky/values.yaml

@@ -157,12 +157,14 @@ blocky:
               sonarr                          IN      CNAME   traefik-cl01tl
               sonarr-4k                       IN      CNAME   traefik-cl01tl
               sonarr-anime                    IN      CNAME   traefik-cl01tl
+              spotisub                        IN      CNAME   traefik-cl01tl
               stalwart                        IN      CNAME   traefik-cl01tl
               tdarr                           IN      CNAME   traefik-cl01tl
               tubearchivist                   IN      CNAME   traefik-cl01tl
               vault                           IN      CNAME   traefik-cl01tl
               whodb                           IN      CNAME   traefik-cl01tl
               yamtrack                        IN      CNAME   traefik-cl01tl
+              yubal                           IN      CNAME   traefik-cl01tl
               yubal-playlist                  IN      CNAME   traefik-cl01tl
 
           blocking:

clusters/cl01tl/helm/cilium/Chart.lock

@@ -3,4 +3,4 @@ dependencies:
   repository: https://helm.cilium.io/
   version: 1.18.6
 digest: sha256:8ea328ac238524b5b423e6289f5e25d05ef64e6aa19cfd5de238f1d5dd533e9b
-generated: "2026-01-14T11:02:31.272963463Z"
+generated: "2026-02-05T12:00:20.15778-06:00"

clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml

@@ -1,4 +1,4 @@
-# apiVersion: cilium.io/v2alpha1
+# apiVersion: cilium.io/v2
 # kind: CiliumBGPAdvertisement
 # metadata:
 #   name: cilium-bgp-advertisements

clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml

@@ -1,4 +1,4 @@
-# apiVersion: cilium.io/v2alpha1
+# apiVersion: cilium.io/v2
 # kind: CiliumBGPClusterConfig
 # metadata:
 #   name: cilium-bgp

clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml

@@ -1,4 +1,4 @@
-# apiVersion: cilium.io/v2alpha1
+# apiVersion: cilium.io/v2
 # kind: CiliumBGPPeerConfig
 # metadata:
 #   name: cilium-peer

clusters/cl01tl/helm/cilium/templates/cilium-l2-announcement-policy.yaml

@@ -1,17 +1,16 @@
 # apiVersion: "cilium.io/v2alpha1"
 # kind: CiliumL2AnnouncementPolicy
 # metadata:
-#   name: general-l2-policy
+#   name: node-gateway-l2-policy
 #   namespace: {{ .Release.Namespace }}
 #   labels:
-#     app.kubernetes.io/name: general-l2-policy
+#     app.kubernetes.io/name: node-gateway-l2-policy
 #     app.kubernetes.io/instance: {{ .Release.Name }}
 #     app.kubernetes.io/part-of: {{ .Release.Name }}
 # spec:
 #   nodeSelector:
-#     matchExpressions:
+#     matchLabels:
-#       - key: kubernetes.io/hostname
+#       kubernetes.io/hostname: talos-ix7-xku
-#         operator: Exists
 #   interfaces:
 #     - end0
 #     - enp6s0

clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml

@@ -1,4 +1,4 @@
-apiVersion: "cilium.io/v2alpha1"
+apiVersion: cilium.io/v2
 kind: CiliumLoadBalancerIPPool
 metadata:
   name: default-ip-pool
@@ -15,7 +15,7 @@ spec:
       stop: "10.232.2.23"
 
 ---
-apiVersion: "cilium.io/v2alpha1"
+apiVersion: cilium.io/v2
 kind: CiliumLoadBalancerIPPool
 metadata:
   name: bgp-ip-pool

clusters/cl01tl/helm/cilium/templates/gateway.yaml

@@ -4,25 +4,22 @@
 #   name: cilium-tls-gateway
 #   namespace: {{ .Release.Namespace }}
 #   labels:
-#     app.kubernetes.io/name: tls-gateway
+#     app.kubernetes.io/name: cilium-tls-gateway
 #     app.kubernetes.io/instance: {{ .Release.Name }}
 #     app.kubernetes.io/part-of: {{ .Release.Name }}
 #   annotations:
 #     cert-manager.io/cluster-issuer: letsencrypt-issuer
+#     io.cilium/lb-ipam-ips: "10.232.1.23"
 # spec:
+#   addresses:
+#     - type: IPAddress
+#       value: 10.232.1.23
 #   gatewayClassName: cilium
 #   listeners:
 #     - allowedRoutes:
 #         namespaces:
 #           from: All
 #       hostname: '*.alexlebens.net'
-#       name: http
-#       port: 80
-#       protocol: HTTP
-#     - allowedRoutes:
-#         namespaces:
-#           from: All
-#       hostname: '*.alexlebens.net'
 #       name: https
 #       port: 443
 #       protocol: HTTPS
@@ -33,3 +30,17 @@
 #             name: https-gateway-cert
 #             namespace: kube-system
 #         mode: Terminate
+#     - allowedRoutes:
+#         namespaces:
+#           from: All
+#       hostname: 'alexlebens.net'
+#       name: https-domain
+#       port: 443
+#       protocol: HTTPS
+#       tls:
+#         certificateRefs:
+#           - group: ''
+#             kind: Secret
+#             name: https-gateway-cert
+#             namespace: kube-system
+#         mode: Terminate

clusters/cl01tl/helm/cilium/values.yaml

@@ -35,6 +35,8 @@ cilium:
       enabled: true
     routerIDAllocation:
       mode: "default"
+  bpf:
+    hostLegacyRouting: true
   devices: end0 enp6s0
   enableK8sEndpointSlice: true
   ciliumEndpointSlice:

clusters/cl01tl/helm/cloudnative-pg/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: cloudnative-pg
   repository: https://cloudnative-pg.io/charts/
-  version: 0.27.0
+  version: 0.27.1
 - name: plugin-barman-cloud
   repository: https://cloudnative-pg.io/charts/
   version: 0.5.0
-digest: sha256:960d00c93523c5669d0f200d440ffa1009eb1c37629485bf7de320ee3a41fd8f
+digest: sha256:e7089ffd089cae87529e28f0e71302b9fc4a869b389cbb6628f1c559644a3a10
-generated: "2026-02-04T19:02:19.528616588Z"
+generated: "2026-02-05T19:36:19.473447121Z"

clusters/cl01tl/helm/cloudnative-pg/Chart.yaml

@@ -16,11 +16,11 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: cloudnative-pg
-    version: 0.27.0
+    version: 0.27.1
     repository: https://cloudnative-pg.io/charts/
   - name: plugin-barman-cloud
     version: 0.5.0
     repository: https://cloudnative-pg.io/charts/
 icon: https://avatars.githubusercontent.com/u/100373852?s=200&v=4
 # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
-appVersion: 1.28.0
+appVersion: 1.28.1

clusters/cl01tl/helm/directus/Chart.yaml

@@ -33,4 +33,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 # renovate: datasource=github-releases depName=directus/directus
-appVersion: 11.14.1
+appVersion: 11.15.0

clusters/cl01tl/helm/directus/values.yaml

@@ -9,7 +9,7 @@ directus:
         main:
           image:
             repository: directus/directus
-            tag: 11.14.1
+            tag: 11.15.0
             pullPolicy: IfNotPresent
           env:
             - name: PUBLIC_URL

clusters/cl01tl/helm/external-secrets/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: external-secrets
   repository: https://charts.external-secrets.io
-  version: 1.3.2
+  version: 2.0.0
-digest: sha256:7b7c6dee59f2ea630f0e7a1124aeeda52cdff23769136300384b28210e03945a
+digest: sha256:3833a9f099d80f50e8a7c9874138b9eba42c18fe5f5f5dc605031f7c44bd3971
-generated: "2026-02-03T21:41:32.061135319Z"
+generated: "2026-02-06T15:40:39.917039721Z"

clusters/cl01tl/helm/external-secrets/Chart.yaml

@@ -12,8 +12,8 @@ sources:
   - https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
 dependencies:
   - name: external-secrets
-    version: 1.3.2
+    version: 2.0.0
     repository: https://charts.external-secrets.io
 icon: https://avatars.githubusercontent.com/u/68335991?s=48&v=4
 # renovate: datasource=github-releases depName=external-secrets/external-secrets
-appVersion: v1.3.2
+appVersion: v2.0.0

clusters/cl01tl/helm/freshrss/values.yaml

@@ -88,7 +88,7 @@ freshrss:
             - name: PUID
               value: "568"
             - name: TZ
-              value: US/Central
+              value: America/Chicago
             - name: FRESHRSS_ENV
               value: production
             - name: CRON_MIN
@@ -201,7 +201,7 @@ postgres-18-cluster:
   backup:
     objectStore:
       - name: garage-local
-        index: 1
+        index: 2
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true

clusters/cl01tl/helm/gatus/values.yaml

@@ -310,6 +310,12 @@ gatus:
       - name: lidarr
         url: https://lidarr.alexlebens.net
         <<: *defaults
+      - name: spotisub
+        url: https://spotisub.alexlebens.net
+        <<: *defaults
+      - name: yubal
+        url: https://yubal.alexlebens.net
+        <<: *defaults
       - name: yubal-playlist
         url: https://yubal-playlist.alexlebens.net
         <<: *defaults

clusters/cl01tl/helm/harbor/values.yaml

@@ -105,7 +105,7 @@ postgres-18-cluster:
   backup:
     objectStore:
       - name: garage-local
-        index: 1
+        index: 2
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true

clusters/cl01tl/helm/headlamp/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: headlamp
   repository: https://kubernetes-sigs.github.io/headlamp/
-  version: 0.39.0
+  version: 0.40.0
-digest: sha256:870e456773199684c150585c12c2e18b3f0895ee8cc73481a53b23c8e94560b1
+digest: sha256:b7f8f176f8c4902130e87660adb39211fd5ca454f89f5a7e9ed577cd4c3a2255
-generated: "2025-12-20T00:03:40.10414707Z"
+generated: "2026-02-05T18:23:45.100522813Z"

clusters/cl01tl/helm/headlamp/Chart.yaml

@@ -14,8 +14,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: headlamp
-    version: 0.39.0
+    version: 0.40.0
     repository: https://kubernetes-sigs.github.io/headlamp/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/headlamp.png
 # renovate: datasource=github-releases depName=headlamp-k8s/headlamp
-appVersion: v0.39.0
+appVersion: v0.40.0

clusters/cl01tl/helm/home-assistant/Chart.yaml

@@ -25,4 +25,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/home-assistant.png
 # renovate: datasource=github-releases depName=home-assistant/core
-appVersion: 2026.1.3
+appVersion: 2026.2.0

clusters/cl01tl/helm/home-assistant/values.yaml

@@ -9,7 +9,7 @@ home-assistant:
         main:
           image:
             repository: ghcr.io/home-assistant/home-assistant
-            tag: 2026.1.3
+            tag: 2026.2.0
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/helm/homepage-dev/Chart.yaml

@@ -24,4 +24,4 @@ dependencies:
     version: 2.2.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/homepage.png
 # renovate: datasource=github-releases depName=gethomepage/homepage
-appVersion: v1.9.0
+appVersion: v1.10.1

clusters/cl01tl/helm/homepage-dev/values.yaml

@@ -11,7 +11,7 @@ homepage:
         main:
           image:
             repository: ghcr.io/gethomepage/homepage
-            tag: v1.9.0
+            tag: v1.10.1
             pullPolicy: IfNotPresent
           env:
             - name: HOMEPAGE_ALLOWED_HOSTS

clusters/cl01tl/helm/homepage/Chart.yaml

@@ -19,4 +19,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/homepage.png
 # renovate: datasource=github-releases depName=gethomepage/homepage
-appVersion: v1.9.0
+appVersion: v1.10.1

clusters/cl01tl/helm/homepage/values.yaml

@@ -15,7 +15,7 @@ homepage:
         main:
           image:
             repository: ghcr.io/gethomepage/homepage
-            tag: v1.9.0
+            tag: v1.10.1
             pullPolicy: IfNotPresent
           env:
             - name: HOMEPAGE_ALLOWED_HOSTS
@@ -655,12 +655,24 @@ homepage:
                     url: http://lidarr.lidarr:80
                     key: {{ "{{HOMEPAGE_VAR_LIDARR_KEY}}" }}
                     fields: ["wanted", "queued", "artists"]
+              - Yubal:
+                  icon: sh-yubal.webp
+                  description: Download Youtube playlist
+                  href: https://yubal.alexlebens.net
+                  siteMonitor: http://yubal.yubal:80
+                  statusStyle: dot
               - Yubal Playlist:
                   icon: sh-yubal.webp
                   description: Replicate Youtube playlist
                   href: https://yubal-playlist.alexlebens.net
                   siteMonitor: http://yubal-playlist.yubal-playlist:80
                   statusStyle: dot
+              - Spotisub:
+                  icon: sh-spotify.webp
+                  description: Replicate Spotify playlist
+                  href: https://spotisub.alexlebens.net
+                  siteMonitor: http://spotisub.spotisub:80
+                  statusStyle: dot
               - slskd:
                   icon: sh-slskd.webp
                   description: slskd

clusters/cl01tl/helm/huntarr/Chart.yaml

@@ -23,4 +23,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/huntarr.png
 # renovate: datasource=github-releases depName=plexguide/huntarr
-appVersion: 9.1.9
+appVersion: 9.2.1

clusters/cl01tl/helm/huntarr/values.yaml

@@ -9,7 +9,7 @@ huntarr:
         main:
           image:
             repository: ghcr.io/plexguide/huntarr
-            tag: 9.1.9
+            tag: 9.2.1
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/helm/komodo/templates/external-secret.yaml

@@ -47,3 +47,33 @@ spec:
         key: /authentik/oidc/komodo
         metadataPolicy: None
         property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: komodo-postgresql-17-fdb-cluster-ferret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: komodo-postgresql-17-fdb-cluster-ferret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: uri
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/komodo/ferret
+        metadataPolicy: None
+        property: uri
+    - secretKey: password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/komodo/ferret
+        metadataPolicy: None
+        property: password

clusters/cl01tl/helm/komodo/values.yaml

@@ -53,14 +53,11 @@ komodo:
             - name: PERIPHERY_SSL_ENABLED
               value: false
             - name: DB_USERNAME
-              valueFrom:
+              value: ferret
-                secretKeyRef:
-                  name: komodo-postgresql-17-fdb-cluster-app
-                  key: user
             - name: DB_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: komodo-postgresql-17-fdb-cluster-app
+                  name: komodo-postgresql-17-fdb-cluster-ferret
                   key: password
             - name: KOMODO_DATABASE_URI
               value: mongodb://$(DB_USERNAME):$(DB_PASSWORD)@komodo-ferretdb-2.komodo:27017/komodo
@@ -98,11 +95,15 @@ komodo:
             tag: 2.7.0
             pullPolicy: IfNotPresent
           env:
-            - name: FERRETDB_POSTGRESQL_URL
+            - name: DB_USERNAME
+              value: ferret
+            - name: DB_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: komodo-postgresql-17-fdb-cluster-app
+                  name: komodo-postgresql-17-fdb-cluster-ferret
-                  key: uri
+                  key: password
+            - name: FERRETDB_POSTGRESQL_URL
+              value: postgresql://$(DB_USERNAME):$(DB_PASSWORD)@komodo-postgresql-17-fdb-cluster-rw.komodo.svc.cluster.local:5432/ferretDB
           resources:
             requests:
               cpu: 10m
@@ -198,9 +199,9 @@ postgresql-17-fdb-cluster:
       database: ferretDB
       owner: ferret
       postInitApplicationSQL:
-        - create extension if not exists pg_cron;
+        - CREATE EXTENSION IF NOT EXISTS pg_cron;
-        - create extension if not exists documentdb cascade;
+        - CREATE EXTENSION IF NOT EXISTS documentdb CASCADE;
-        - grant documentdb_admin_role to ferret;
+        - GRANT documentdb_admin_role TO ferret;
   recovery:
     method: objectStore
     objectStore:
@@ -208,7 +209,7 @@ postgresql-17-fdb-cluster:
   backup:
     objectStore:
       - name: garage-local
-        index: 1
+        index: 2
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true

clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml

@@ -31,4 +31,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/prometheus.png
 # renovate: datasource=github-releases depName=prometheus-operator/prometheus-operator
-appVersion: v0.88.1
+appVersion: v0.89.0

clusters/cl01tl/helm/loki/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: loki
   repository: https://grafana.github.io/helm-charts
-  version: 6.51.0
+  version: 6.52.0
 - name: alloy
   repository: https://grafana.github.io/helm-charts
-  version: 1.5.3
+  version: 1.6.0
-digest: sha256:88c8067aa21d8dd0e994e9ab7ff39eed17bdd993eea853721fd42aedb4bec400
+digest: sha256:097f893b362b3ba6a1498d6df00dc57030c4d1321cf3301268adb9e30d5043ed
-generated: "2026-02-02T17:28:04.623156-06:00"
+generated: "2026-02-05T22:01:50.699662067Z"

clusters/cl01tl/helm/loki/Chart.yaml

@@ -16,10 +16,10 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: loki
-    version: 6.51.0
+    version: 6.52.0
     repository: https://grafana.github.io/helm-charts
   - name: alloy
-    version: 1.5.3
+    version: 1.6.0
     repository: https://grafana.github.io/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/loki.png
 # renovate: datasource=github-releases depName=grafana/loki

clusters/cl01tl/helm/ollama/Chart.yaml

@@ -31,4 +31,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ollama.png
 # renovate: datasource=github-releases depName=ollama/ollama
-appVersion: 0.15.4
+appVersion: 0.15.5

clusters/cl01tl/helm/ollama/values.yaml

@@ -22,7 +22,7 @@ ollama:
         main:
           image:
             repository: ollama/ollama
-            tag: 0.15.4
+            tag: 0.15.5
             pullPolicy: IfNotPresent
           env:
             - name: OLLAMA_KEEP_ALIVE
@@ -58,7 +58,7 @@ ollama:
         main:
           image:
             repository: ollama/ollama
-            tag: 0.15.4
+            tag: 0.15.5
             pullPolicy: IfNotPresent
           env:
             - name: OLLAMA_KEEP_ALIVE
@@ -94,7 +94,7 @@ ollama:
         main:
           image:
             repository: ollama/ollama
-            tag: 0.15.4
+            tag: 0.15.5
             pullPolicy: IfNotPresent
           env:
             - name: OLLAMA_KEEP_ALIVE

clusters/cl01tl/helm/prometheus-operator-crds/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: prometheus-operator-crds
   repository: oci://ghcr.io/prometheus-community/charts
-  version: 26.0.0
+  version: 27.0.0
-digest: sha256:fb73bc68bbf8ab128ff7fc641413ce3f004677d351038517ed68f5b39eeafb08
+digest: sha256:ab76a45fb53268d4afdad507277c244af11c50344e50a24799182bbd9757258d
-generated: "2026-01-09T20:11:58.398634666Z"
+generated: "2026-02-06T14:05:22.069162277Z"

clusters/cl01tl/helm/prometheus-operator-crds/Chart.yaml

@@ -15,8 +15,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: prometheus-operator-crds
-    version: 26.0.0
+    version: 27.0.0
     repository: oci://ghcr.io/prometheus-community/charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/prometheus.png
 # renovate: datasource=github-releases depName=prometheus-operator/prometheus-operator
-appVersion: v0.88.1
+appVersion: v0.89.0

clusters/cl01tl/helm/rook-ceph/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: rook-ceph
   repository: https://charts.rook.io/release
-  version: v1.19.0
+  version: v1.19.1
 - name: rook-ceph-cluster
   repository: https://charts.rook.io/release
-  version: v1.19.0
+  version: v1.19.1
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 2.2.2
-digest: sha256:edc2a4064d509365e371418609b4068674429526c0198ca1793867124bb5dcdb
+digest: sha256:fbb82644c29122639312301d76b2f2300f2a86eeb17159e9f368b2d46e4e6a7c
-generated: "2026-02-03T03:44:06.685680039Z"
+generated: "2026-02-06T03:39:57.898917443Z"

clusters/cl01tl/helm/rook-ceph/Chart.yaml

@@ -16,10 +16,10 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: rook-ceph
-    version: v1.19.0
+    version: v1.19.1
     repository: https://charts.rook.io/release
   - name: rook-ceph-cluster
-    version: v1.19.0
+    version: v1.19.1
     repository: https://charts.rook.io/release
   - name: cloudflared
     alias: cloudflared-rgw
@@ -27,4 +27,4 @@ dependencies:
     version: 2.2.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ceph.png
 # renovate: datasource=github-releases depName=rook/rook
-appVersion: v1.19.0
+appVersion: v1.19.1

clusters/cl01tl/helm/roundcube/values.yaml

@@ -58,7 +58,7 @@ roundcube:
         nginx:
           image:
             repository: nginx
-            tag: 1.29.4-alpine
+            tag: 1.29.5-alpine-slim
             pullPolicy: IfNotPresent
           env:
             - name: NGINX_HOST

clusters/cl01tl/helm/searxng/values.yaml

@@ -9,7 +9,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:8d77102a0d2c615e88c5184868dc2c32cd361413dbc104abc301f54079fd40a2
+            tag: latest@sha256:670bd1076097640fc25221bf92a8af7d344503ce17ba3305abedf28e3634e807
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL
@@ -39,7 +39,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:8d77102a0d2c615e88c5184868dc2c32cd361413dbc104abc301f54079fd40a2
+            tag: latest@sha256:670bd1076097640fc25221bf92a8af7d344503ce17ba3305abedf28e3634e807
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL

clusters/cl01tl/helm/shelfmark/Chart.yaml

@@ -23,4 +23,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/shelfmark.webp
 # renovate: datasource=github-releases depName=calibrain/shelfmark
-appVersion: v1.0.3
+appVersion: v1.0.4

clusters/cl01tl/helm/shelfmark/values.yaml

@@ -9,7 +9,7 @@ shelfmark:
         main:
           image:
             repository: ghcr.io/calibrain/shelfmark
-            tag: v1.0.3
+            tag: v1.0.4
             pullPolicy: IfNotPresent
           env:
             - name: FLASK_PORT

clusters/cl01tl/helm/spotisub/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.6.2
+digest: sha256:3b63381e4968f95ce2d99fae620f3d1ae6af295b1bacc4ed0fbe9f1ccb0e9405
+generated: "2026-02-06T11:04:57.311195-06:00"

clusters/cl01tl/helm/spotisub/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: spotisub
+version: 1.0.0
+description: Spotisub
+keywords:
+  - spotisub
+  - music
+  - spotify
+home: https://wiki.alexlebens.dev/s/
+sources:
+  - https://github.com/blastbeng/spotisub
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: spotisub
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.6.2
+# renovate: datasource=github-releases depName=blastbeng/spotisub
+appVersion: v0.3.6

clusters/cl01tl/helm/spotisub/templates/external-secret.yaml

@@ -0,0 +1,93 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: spotisub-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: spotisub-config-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: spotify-client-id
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /spotify/andrew
+        metadataPolicy: None
+        property: client-id
+    - secretKey: spotify-client-secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /spotify/andrew
+        metadataPolicy: None
+        property: client-secret
+    - secretKey: spotify-redirect-uri
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /spotify/andrew
+        metadataPolicy: None
+        property: redirect-uri
+    - secretKey: subsonic-user
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/navidrome/andrew
+        metadataPolicy: None
+        property: user
+    - secretKey: subsonic-password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/navidrome/andrew
+        metadataPolicy: None
+        property: password
+    - secretKey: lidarr-key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/lidarr2/key
+        metadataPolicy: None
+        property: key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: spotisub-wireguard-conf
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: spotisub-wireguard-conf
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: private-key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /protonvpn/conf/cl01tl
+        metadataPolicy: None
+        property: private-key
+    - secretKey: proton-email
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /protonvpn/conf/cl01tl
+        metadataPolicy: None
+        property: email
+    - secretKey: proton-password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /protonvpn/conf/cl01tl
+        metadataPolicy: None
+        property: password

clusters/cl01tl/helm/spotisub/templates/namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: spotisub
+  labels:
+    app.kubernetes.io/name: spotisub
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/spotisub/templates/persistent-volume-claim.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: spotisub-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: spotisub-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: spotisub-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/helm/spotisub/templates/persistent-volume.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: spotisub-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: spotisub-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage/Music Youtube/
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/helm/spotisub/values.yaml

@@ -0,0 +1,194 @@
+spotisub:
+  controllers:
+    main:
+      type: deployment
+      replicas: 0
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: blastbeng/spotisub
+            tag: v0.3.7
+            pullPolicy: IfNotPresent
+          env:
+            - name: SPOTIPY_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: spotisub-config-secret
+                  key: spotify-client-id
+            - name: SPOTIPY_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: spotisub-config-secret
+                  key: spotify-client-secret
+            - name: SPOTIPY_REDIRECT_URI
+              valueFrom:
+                secretKeyRef:
+                  name: spotisub-config-secret
+                  key: spotify-redirect-uri
+            - name: SUBSONIC_API_HOST
+              value: http://navidrome-main.navidrome
+            - name: SUBSONIC_API_PORT
+              value: 80
+            - name: SUBSONIC_API_USER
+              valueFrom:
+                secretKeyRef:
+                  name: spotisub-config-secret
+                  key: subsonic-user
+            - name: SUBSONIC_API_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: spotisub-config-secret
+                  key: subsonic-password
+            - name: PLAYLIST_PREFIX
+              value: "Spotify - "
+            - name: NUM_USER_PLAYLISTS
+              value: 0
+            - name: ARTIST_GEN_SCHED
+              value: 0
+            - name: RECOMEND_GEN_SCHED
+              value: 0
+            - name: SPOTDL_ENABLED
+              value: 1
+            - name: SPOTDL_OUT_FORMAT
+              value: "/mnt/store/Music Youtube/Andrew Lebens/{artist}/{album} ({year})/{artists} - {album} - {track-number} - {title}.{output-ext}"
+            - name: LIDARR_ENABLED
+              value: 1
+            - name: LIDARR_IP
+              value: http://lidarr.lidarr
+            - name: LIDARR_PORT
+              value: 80
+            - name: LIDARR_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: spotisub-config-secret
+                  key: lidarr-key
+          probes:
+            liveness:
+              enabled: true
+              custom: true
+              spec:
+                exec:
+                  command:
+                    - /bin/sh
+                    - -c
+                    - "curl -s http://127.0.0.1:5183/api/v1/utils/healthcheck | grep -q 'Ok!'"
+                failureThreshold: 5
+                initialDelaySeconds: 30
+                periodSeconds: 30
+                successThreshold: 1
+                timeoutSeconds: 15
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+        gluetun:
+          image:
+            repository: ghcr.io/qdm12/gluetun
+            tag: v3.41.0@sha256:6b54856716d0de56e5bb00a77029b0adea57284cf5a466f23aad5979257d3045
+            pullPolicy: IfNotPresent
+          lifecycle:
+            postStart:
+              exec:
+                command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
+          env:
+            - name: VPN_SERVICE_PROVIDER
+              value: protonvpn
+            - name: VPN_TYPE
+              value: wireguard
+            - name: WIREGUARD_PRIVATE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: spotisub-wireguard-conf
+                  key: private-key
+            - name: UPDATER_PROTONVPN_EMAIL
+              valueFrom:
+                secretKeyRef:
+                  name: spotisub-wireguard-conf
+                  key: proton-email
+            - name: UPDATER_PROTONVPN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: spotisub-wireguard-conf
+                  key: proton-password
+            - name: FIREWALL_OUTBOUND_SUBNETS
+              value: 10.0.0.0/8
+            - name: FIREWALL_INPUT_PORTS
+              value: 5183
+            - name: DNS_UPSTREAM_RESOLVER_TYPE
+              value: dot
+          securityContext:
+            privileged: True
+            capabilities:
+              add:
+                - NET_ADMIN
+                - SYS_MODULE
+          probes:
+            liveness:
+              enabled: true
+              custom: true
+              spec:
+                exec:
+                  command:
+                    - /gluetun-entrypoint
+                    - healthcheck
+                failureThreshold: 5
+                initialDelaySeconds: 30
+                periodSeconds: 30
+                successThreshold: 1
+                timeoutSeconds: 15
+          resources:
+            limits:
+              devic.es/tun: "1"
+            requests:
+              devic.es/tun: "1"
+              cpu: 10m
+              memory: 128Mi
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 5183
+          protocol: HTTP
+  route:
+    main:
+      kind: HTTPRoute
+      parentRefs:
+        - group: gateway.networking.k8s.io
+          kind: Gateway
+          name: traefik-gateway
+          namespace: traefik
+      hostnames:
+        - spotisub.alexlebens.net
+      rules:
+        - backendRefs:
+            - group: ''
+              kind: Service
+              name: spotisub
+              port: 80
+              weight: 100
+          matches:
+            - path:
+                type: PathPrefix
+                value: /
+  persistence:
+    cache:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 1Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /home/user/spotisub/cache
+              readOnly: false
+    music:
+      existingClaim: spotisub-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /mnt/store/Music Youtube/
+              readOnly: false

clusters/cl01tl/helm/tailscale-operator/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: tailscale-operator
   repository: https://pkgs.tailscale.com/helmcharts
-  version: 1.92.5
+  version: 1.94.1
-digest: sha256:75f2ca2d5932228c484b5f6b535d61786a0246c8c4d6947466d03a0c0a614ce0
+digest: sha256:194c4f0a24b460064db0e2cda00226de0d85a764d9eaab26b1cbb337e7e9a750
-generated: "2026-01-07T01:54:43.539104104Z"
+generated: "2026-02-05T19:56:58.797357494Z"

clusters/cl01tl/helm/tailscale-operator/Chart.yaml

@@ -17,7 +17,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: tailscale-operator
-    version: 1.92.5
+    version: 1.94.1
     repository: https://pkgs.tailscale.com/helmcharts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/tailscale-light.png
 # renovate: datasource=github-releases depName=tailscale/tailscale

clusters/cl01tl/helm/vault/values.yaml

@@ -12,7 +12,7 @@ vault:
     enabled: true
     image:
       repository: hashicorp/vault
-      tag: 1.21.2
+      tag: 1.21.3
     updateStrategyType: "RollingUpdate"
     logLevel: debug
     logFormat: standard
@@ -170,7 +170,7 @@ snapshot:
         snapshot:
           image:
             repository: hashicorp/vault
-            tag: 1.21.2
+            tag: 1.21.3
             pullPolicy: IfNotPresent
           command:
             - /bin/ash

clusters/cl01tl/helm/whodb/Chart.yaml

@@ -20,4 +20,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/whodb.png
 # renovate: datasource=github-releases depName=clidey/whodb
-appVersion: 0.90.0
+appVersion: 0.91.0

clusters/cl01tl/helm/whodb/values.yaml

@@ -8,7 +8,7 @@ whodb:
         main:
           image:
             repository: clidey/whodb
-            tag: 0.90.0
+            tag: 0.91.0
             pullPolicy: IfNotPresent
           env:
             - name: WHODB_OLLAMA_HOST

clusters/cl01tl/helm/yubal/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.6.2
+digest: sha256:f8966d4e96cba272ddc29e3bdc508ca11ea758e3f784849f598a724819ab9d04
+generated: "2026-01-16T18:57:07.816828126Z"

clusters/cl01tl/helm/yubal/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: yubal
+version: 1.0.0
+description: yubal
+keywords:
+  - yubal
+  - music
+  - youtube
+home: https://wiki.alexlebens.dev/s/
+sources:
+  - https://github.com/guillevc/yubal
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: yubal
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.6.2
+# renovate: datasource=github-releases depName=guillevc/yubal
+appVersion: v4.0.0

clusters/cl01tl/helm/yubal/templates/external-secret.yaml

@@ -0,0 +1,35 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: yubal-wireguard-conf
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: yubal-wireguard-conf
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: private-key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /protonvpn/conf/cl01tl
+        metadataPolicy: None
+        property: private-key
+    - secretKey: proton-email
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /protonvpn/conf/cl01tl
+        metadataPolicy: None
+        property: email
+    - secretKey: proton-password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /protonvpn/conf/cl01tl
+        metadataPolicy: None
+        property: password

clusters/cl01tl/helm/yubal/templates/namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: yubal
+  labels:
+    app.kubernetes.io/name: yubal
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/yubal/templates/persistent-volume-claim.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: yubal-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: yubal-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: yubal-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/helm/yubal/templates/persistent-volume.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: yubal-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: yubal-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage/Music Youtube/
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/helm/yubal/values.yaml

@@ -0,0 +1,151 @@
+yubal:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      pod:
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 1000
+          fsGroup: 1000
+          fsGroupChangePolicy: OnRootMismatch
+      containers:
+        main:
+          image:
+            repository: ghcr.io/guillevc/yubal
+            tag: 4.0.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: YUBAL_TZ
+              value: America/Chicago
+            - name: YUBAL_HOST
+              value: 0.0.0.0
+            - name: YUBAL_PORT
+              value: 8080
+            - name: YUBAL_LOG_LEVEL
+              value: INFO
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+        gluetun:
+          image:
+            repository: ghcr.io/qdm12/gluetun
+            tag: v3.41.0@sha256:6b54856716d0de56e5bb00a77029b0adea57284cf5a466f23aad5979257d3045
+            pullPolicy: IfNotPresent
+          lifecycle:
+            postStart:
+              exec:
+                command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
+          env:
+            - name: VPN_SERVICE_PROVIDER
+              value: protonvpn
+            - name: VPN_TYPE
+              value: wireguard
+            - name: WIREGUARD_PRIVATE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: yubal-wireguard-conf
+                  key: private-key
+            - name: UPDATER_PROTONVPN_EMAIL
+              valueFrom:
+                secretKeyRef:
+                  name: yubal-wireguard-conf
+                  key: proton-email
+            - name: UPDATER_PROTONVPN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: yubal-wireguard-conf
+                  key: proton-password
+            - name: FIREWALL_OUTBOUND_SUBNETS
+              value: 10.0.0.0/8
+            - name: FIREWALL_INPUT_PORTS
+              value: 8000
+            - name: DNS_UPSTREAM_RESOLVER_TYPE
+              value: dot
+          securityContext:
+            privileged: True
+            capabilities:
+              add:
+                - NET_ADMIN
+                - SYS_MODULE
+          probes:
+            liveness:
+              enabled: true
+              custom: true
+              spec:
+                exec:
+                  command:
+                    - /gluetun-entrypoint
+                    - healthcheck
+                failureThreshold: 5
+                initialDelaySeconds: 30
+                periodSeconds: 30
+                successThreshold: 1
+                timeoutSeconds: 15
+          resources:
+            limits:
+              devic.es/tun: "1"
+            requests:
+              devic.es/tun: "1"
+              cpu: 10m
+              memory: 128Mi
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 8000
+          protocol: HTTP
+  route:
+    main:
+      kind: HTTPRoute
+      parentRefs:
+        - group: gateway.networking.k8s.io
+          kind: Gateway
+          name: traefik-gateway
+          namespace: traefik
+      hostnames:
+        - yubal.alexlebens.net
+      rules:
+        - backendRefs:
+            - group: ''
+              kind: Service
+              name: yubal
+              port: 80
+              weight: 100
+          matches:
+            - path:
+                type: PathPrefix
+                value: /
+  persistence:
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 1Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /app/config
+              readOnly: false
+    ytdlp:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 1Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /app/ytdlp
+              readOnly: false
+    music:
+      existingClaim: yubal-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /app/data
+              readOnly: false

hosts/ps08rp/blocky/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-blocky:
-        image: ghcr.io/tailscale/tailscale:v1.92.5
+        image: ghcr.io/tailscale/tailscale:v1.94.1
         container_name: tailscale-blocky
         cap_add:
             - net_admin

hosts/ps08rp/blocky/config.yml

@@ -132,12 +132,14 @@ customDNS:
     sonarr                          IN      CNAME   traefik-cl01tl
     sonarr-4k                       IN      CNAME   traefik-cl01tl
     sonarr-anime                    IN      CNAME   traefik-cl01tl
+    spotisub                        IN      CNAME   traefik-cl01tl
     stalwart                        IN      CNAME   traefik-cl01tl
     tdarr                           IN      CNAME   traefik-cl01tl
     tubearchivist                   IN      CNAME   traefik-cl01tl
     vault                           IN      CNAME   traefik-cl01tl
     whodb                           IN      CNAME   traefik-cl01tl
     yamtrack                        IN      CNAME   traefik-cl01tl
+    yubal                           IN      CNAME   traefik-cl01tl
     yubal-playlist                  IN      CNAME   traefik-cl01tl
 
 blocking:

hosts/ps09rp/blocky/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-blocky:
-        image: ghcr.io/tailscale/tailscale:v1.92.5
+        image: ghcr.io/tailscale/tailscale:v1.94.1
         container_name: tailscale-blocky
         cap_add:
             - net_admin

hosts/ps09rp/blocky/config.yml

@@ -153,12 +153,14 @@ customDNS:
     sonarr                          IN      CNAME   traefik-cl01tl
     sonarr-4k                       IN      CNAME   traefik-cl01tl
     sonarr-anime                    IN      CNAME   traefik-cl01tl
+    spotisub                        IN      CNAME   traefik-cl01tl
     stalwart                        IN      CNAME   traefik-cl01tl
     tdarr                           IN      CNAME   traefik-cl01tl
     tubearchivist                   IN      CNAME   traefik-cl01tl
     vault                           IN      CNAME   traefik-cl01tl
     whodb                           IN      CNAME   traefik-cl01tl
     yamtrack                        IN      CNAME   traefik-cl01tl
+    yubal                           IN      CNAME   traefik-cl01tl
     yubal-playlist                  IN      CNAME   traefik-cl01tl
 
 blocking:

hosts/ps10rp/blocky/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-blocky:
-        image: ghcr.io/tailscale/tailscale:v1.92.5
+        image: ghcr.io/tailscale/tailscale:v1.94.1
         container_name: tailscale-blocky
         cap_add:
             - net_admin

hosts/ps10rp/garage/compose.yaml

@@ -1,6 +1,6 @@
 services:
     tailscale-garage:
-        image: ghcr.io/tailscale/tailscale:v1.92.5
+        image: ghcr.io/tailscale/tailscale:v1.94.1
         container_name: tailscale-garage
         cap_add:
             - net_admin
@@ -20,7 +20,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     tailscale-garage-ui:
-        image: ghcr.io/tailscale/tailscale:v1.92.5
+        image: ghcr.io/tailscale/tailscale:v1.94.1
         container_name: tailscale-garage-ui
         cap_add:
             - net_admin

hosts/ps10rp/gitea/compose.yaml

@@ -1,6 +1,6 @@
 services:
     tailscale-gitea:
-        image: ghcr.io/tailscale/tailscale:v1.92.5
+        image: ghcr.io/tailscale/tailscale:v1.94.1
         container_name: tailscale-gitea
         cap_add:
             - net_admin

hosts/ps10rp/homepage/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-homepage:
-        image: ghcr.io/tailscale/tailscale:v1.92.5
+        image: ghcr.io/tailscale/tailscale:v1.94.1
         container_name: tailscale-homepage
         cap_add:
             - net_admin
@@ -32,7 +32,7 @@ services:
             - /var/run/docker.sock:/var/run/docker.sock:ro
 
     homepage:
-        image: ghcr.io/gethomepage/homepage:v1.9.0
+        image: ghcr.io/gethomepage/homepage:v1.10.1
         container_name: homepage
         labels:
             traefik.enable: true

hosts/ps10rp/komodo-periphery/compose.yaml

@@ -12,8 +12,6 @@ services:
             - TS_HOSTNAME=komodo-periphery-ps10rp
         env_file:
             - .ts-env
-        labels:
-            - "com.centurylinklabs.watchtower.scope=komodo"
         network_mode: service:komodo-periphery
         restart: always
         volumes:
@@ -21,23 +19,6 @@ services:
         devices:
             - /dev/net/tun:/dev/net/tun
 
-    watchtower:
-        image: ghcr.io/containrrr/watchtower:latest
-        container_name: komodo-periphery-watchtower
-        command: --scope komodo
-        environment:
-            - TZ=America/Chicago
-            - WATCHTOWER_HTTP_API_METRICS=true
-            - WATCHTOWER_HTTP_API_TOKEN=token
-            - WATCHTOWER_CLEANUP=true
-            - WATCHTOWER_POLL_INTERVAL=3600
-        labels:
-            - "com.centurylinklabs.watchtower.scope=komodo"
-        network_mode: service:komodo-periphery
-        restart: always
-        volumes:
-            - /var/run/docker.sock:/var/run/docker.sock
-
     komodo-periphery:
         image: ghcr.io/moghtech/komodo-periphery:latest
         container_name: komodo-periphery
@@ -45,8 +26,6 @@ services:
             - .env
         environment:
             - TZ=America/Chicago
-        labels:
-            - "com.centurylinklabs.watchtower.scope=komodo"
         restart: always
         volumes:
             - /var/run/docker.sock:/var/run/docker.sock

hosts/ps10rp/node-exporter/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-node-exporter:
-        image: ghcr.io/tailscale/tailscale:v1.92.5
+        image: ghcr.io/tailscale/tailscale:v1.94.1
         container_name: tailscale-node-exporter
         cap_add:
             - net_admin

hosts/ps10rp/tailscale-subnet/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale:
-        image: ghcr.io/tailscale/tailscale:v1.92.5
+        image: ghcr.io/tailscale/tailscale:v1.94.1
         container_name: tailscale-subnet
         cap_add:
             - net_admin

hosts/ps10rp/traefik/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-traefik:
-        image: ghcr.io/tailscale/tailscale:v1.92.5
+        image: ghcr.io/tailscale/tailscale:v1.94.1
         container_name: tailscale-traefik
         cap_add:
             - net_admin