feat: remove annotation

feat: add annotation
fix: wrong secret
2026-04-27 16:50:07 -05:00 · 2026-04-27 16:32:33 -05:00 · 2026-04-27 16:30:12 -05:00 · 2026-04-27 16:09:19 -05:00 · 2026-04-27 21:06:19 +00:00 · 2026-04-27 16:05:16 -05:00
25 changed files with 899 additions and 32 deletions
--- a/.gitea/workflows/renovate.yaml
+++ b/.gitea/workflows/renovate.yaml
@@ -13,7 +13,7 @@ on:
 jobs:
  renovate:
    runs-on: ubuntu-js
-    container: ghcr.io/renovatebot/renovate:43.143.1@sha256:2dd226666c8ef3413813e67ff6b34d40512997e99af896e51fe2b24eebf5150b
+    container: ghcr.io/renovatebot/renovate:43.144.0@sha256:d6c68d8226a0b4f1fc00942f1c14b33d5135c6c52e8c9d29a2588b46f199c14f
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
--- a/clusters/cl01tl/helm/argocd/templates/prometheus-rule.yaml
+++ b/clusters/cl01tl/helm/argocd/templates/prometheus-rule.yaml
@@ -0,0 +1,108 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: haproxy
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: haproxy
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  groups:
+    - name: EmbeddedExporter
+      rules:
+        - alert: HAProxyHighHTTP4xxErrorRateBackend
+          expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: HAProxy high HTTP 4xx error rate backend (instance {{ `{{ $labels.instance }}` }})
+            description: "Too many HTTP requests with status 4xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: HAProxyHighHTTP5xxErrorRateBackend
+          expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: HAProxy high HTTP 5xx error rate backend (instance {{ `{{ $labels.instance }}` }})
+            description: "Too many HTTP requests with status 5xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: HAProxyHighHTTP4xxErrorRateServer
+          expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: HAProxy high HTTP 4xx error rate server (instance {{ `{{ $labels.instance }}` }})
+            description: "Too many HTTP requests with status 4xx (> 5%) on server {{ `{{ $labels.server }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: HAProxyHighHTTP5xxErrorRateServer
+          expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: HAProxy high HTTP 5xx error rate server (instance {{ `{{ $labels.instance }}` }})
+            description: "Too many HTTP requests with status 5xx (> 5%) on server {{ `{{ $labels.server }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: HAProxyServerResponseErrors
+          expr: (sum by (server) (rate(haproxy_server_response_errors_total[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100 > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: HAProxy server response errors (instance {{ `{{ $labels.instance }}` }})
+            description: "Too many response errors to {{ `{{ $labels.server }}` }} server (> 5%).\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: HAProxyBackendConnectionErrors
+          expr: (sum by (proxy) (rate(haproxy_backend_connection_errors_total[1m]))) > 100
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: HAProxy backend connection errors (instance {{ `{{ $labels.instance }}` }})
+            description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} backend (> 100 req/s). Request throughput may be too high.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: HAProxyServerConnectionErrors
+          expr: (sum by (proxy) (rate(haproxy_server_connection_errors_total[1m]))) > 100
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: HAProxy server connection errors (instance {{ `{{ $labels.instance }}` }})
+            description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} (> 100 req/s). Request throughput may be too high.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: HAProxyBackendMaxActiveSession>80%
+          expr: (haproxy_backend_current_sessions / haproxy_backend_limit_sessions * 100) > 80 and haproxy_backend_limit_sessions > 0
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: HAProxy backend max active session > 80% (instance {{ `{{ $labels.instance }}` }})
+            description: "Session limit from backend {{ `{{ $labels.proxy }}` }} reached 80% of limit - {{ `{{ $value | printf \"%.2f\"}}` }}%\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: HAProxyPendingRequests
+          expr: sum by (proxy) (haproxy_backend_current_queue) > 0
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: HAProxy pending requests (instance {{ `{{ $labels.instance }}` }})
+            description: "Some HAProxy requests are pending on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: HAProxyRetryHigh
+          expr: sum by (proxy) (rate(haproxy_backend_retry_warnings_total[1m])) > 10
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: HAProxy retry high (instance {{ `{{ $labels.instance }}` }})
+            description: "High rate of retry on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: HAProxyFrontendSecurityBlockedRequests
+          expr: sum by (proxy) (rate(haproxy_frontend_denied_connections_total[2m])) > 10
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: HAProxy frontend security blocked requests (instance {{ `{{ $labels.instance }}` }})
+            description: "HAProxy is blocking requests for security reason\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: HAProxyServerHealthcheckFailure
+          expr: increase(haproxy_server_check_failures_total[1m]) > 2
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: HAProxy server healthcheck failure (instance {{ `{{ $labels.instance }}` }})
+            description: "Some server healthcheck are failing on {{ `{{ $labels.server }}` }} ({{ `{{ $value }}` }} in the last 1m)\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
--- a/clusters/cl01tl/helm/cert-manager/templates/prometheus-rule.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/prometheus-rule.yaml
@@ -0,0 +1,44 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: cert-manager
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: cert-manager
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  groups:
+    - name: EmbeddedExporter
+      rules:
+        - alert: Cert-ManagerAbsent
+          expr: absent(up{job="cert-manager"})
+          for: 10m
+          labels:
+            severity: critical
+          annotations:
+            summary: Cert-Manager absent (instance {{ `{{ $labels.instance }}` }})
+            description: "Cert-Manager has disappeared from Prometheus service discovery. New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: Cert-ManagerCertificateExpiringSoon
+          expr: avg by (exported_namespace, namespace, name) (certmanager_certificate_expiration_timestamp_seconds - time()) < (21 * 24 * 3600)
+          for: 1h
+          labels:
+            severity: warning
+          annotations:
+            summary: Cert-Manager certificate expiring soon (instance {{ `{{ $labels.instance }}` }})
+            description: "The certificate {{ `{{ $labels.name }}` }} is expiring in less than 21 days.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: Cert-ManagerCertificateNotReady
+          expr: max by (name, exported_namespace, namespace, condition) (certmanager_certificate_ready_status{condition!="True"} == 1)
+          for: 10m
+          labels:
+            severity: critical
+          annotations:
+            summary: Cert-Manager certificate not ready (instance {{ `{{ $labels.instance }}` }})
+            description: "The certificate {{ `{{ $labels.name }}` }} in namespace {{ `{{ $labels.exported_namespace }}` }} is not ready to serve traffic.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: Cert-ManagerHittingACMERateLimits
+          expr: sum by (host) (rate(certmanager_acme_client_request_count{status="429"}[5m])) > 0
+          for: 5m
+          labels:
+            severity: critical
+          annotations:
+            summary: Cert-Manager hitting ACME rate limits (instance {{ `{{ $labels.instance }}` }})
+            description: "Cert-Manager is being rate-limited by the ACME provider. Certificate issuance and renewal may be blocked for up to a week.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
--- a/clusters/cl01tl/helm/cloudnative-pg/values.yaml
+++ b/clusters/cl01tl/helm/cloudnative-pg/values.yaml
@@ -18,7 +18,7 @@ rclone-postgres-backups-remote:
  nameOverride: postgres-backups-remote-rclone
  cronJob:
    suspend: false
-    schedule: 0 1 * * *
+    schedule: 0 6 * * 6
  rclone:
    source:
      bucketName: postgres-backups
@@ -45,7 +45,7 @@ rclone-postgres-backups-external:
  nameOverride: postgres-backups-external-rclone
  cronJob:
    suspend: true
-    schedule: 20 1 * * *
+    schedule: 0 6 * * 6
  rclone:
    source:
      bucketName: openbao-backups
--- a/clusters/cl01tl/helm/dawarich/values.yaml
+++ b/clusters/cl01tl/helm/dawarich/values.yaml
@@ -8,7 +8,7 @@ dawarich:
        main:
          image:
            repository: freikin/dawarich
-            tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
+            tag: 1.7.0@sha256:7d5f99c61121fcfa4cbdd6a153392630d9f059ffb0156759278d3e049085ec62
          command:
            - "web-entrypoint.sh"
          args:
@@ -111,7 +111,7 @@ dawarich:
        sidekiq:
          image:
            repository: freikin/dawarich
-            tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
+            tag: 1.7.0@sha256:7d5f99c61121fcfa4cbdd6a153392630d9f059ffb0156759278d3e049085ec62
          command:
            - "sidekiq-entrypoint.sh"
          args:
@@ -161,12 +161,12 @@ dawarich:
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
-                  name: dawarich-oidc-secret
+                  name: dawarich-oidc-authentik
                  key: client
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: dawarich-oidc-secret
+                  name: dawarich-oidc-authentik
                  key: secret
            - name: OIDC_PROVIDER_NAME
              value: Authentik
@@ -181,7 +181,7 @@ dawarich:
            - name: SECRET_KEY_BASE
              valueFrom:
                secretKeyRef:
-                  name: dawarich-key-secret
+                  name: dawarich-key
                  key: key
            - name: RAILS_LOG_TO_STDOUT
              value: true
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
@@ -47,6 +47,8 @@ democratic-csi:
        fsType: ext4
  node:
    hostPID: true
+    rbac:
+      enabled: true
    driver:
      extraEnv:
        - name: ISCSIADM_HOST_STRATEGY
--- a/clusters/cl01tl/helm/gitea/templates/prometheus-rule.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/prometheus-rule.yaml
@@ -0,0 +1,28 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: meilisearch
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: meilisearch
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  groups:
+    - name: EmbeddedExporter
+      rules:
+        - alert: MeilisearchIndexIsEmpty
+          expr: meilisearch_index_docs_count == 0
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Meilisearch index is empty (instance {{ `{{ $labels.instance }}` }})
+            description: "Meilisearch index {{ `{{ $labels.index }}` }} has zero documents\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: MeilisearchHttpResponseTime
+          expr: meilisearch_http_response_time_seconds > 0.5
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Meilisearch http response time (instance {{ `{{ $labels.instance }}` }})
+            description: "Meilisearch http response time is too high\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
--- a/clusters/cl01tl/helm/jellyfin/templates/prometheus-rule.yaml
+++ b/clusters/cl01tl/helm/jellyfin/templates/prometheus-rule.yaml
@@ -0,0 +1,28 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: meilisearch
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: meilisearch
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  groups:
+    - name: EmbeddedExporter
+      rules:
+        - alert: MeilisearchIndexIsEmpty
+          expr: meilisearch_index_docs_count == 0
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Meilisearch index is empty (instance {{ `{{ $labels.instance }}` }})
+            description: "Meilisearch index {{ `{{ $labels.index }}` }} has zero documents\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: MeilisearchHttpResponseTime
+          expr: meilisearch_http_response_time_seconds > 0.5
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Meilisearch http response time (instance {{ `{{ $labels.instance }}` }})
+            description: "Meilisearch http response time is too high\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
--- a/clusters/cl01tl/helm/karakeep/templates/prometheus-rule.yaml
+++ b/clusters/cl01tl/helm/karakeep/templates/prometheus-rule.yaml
@@ -0,0 +1,28 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: meilisearch
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: meilisearch
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  groups:
+    - name: EmbeddedExporter
+      rules:
+        - alert: MeilisearchIndexIsEmpty
+          expr: meilisearch_index_docs_count == 0
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Meilisearch index is empty (instance {{ `{{ $labels.instance }}` }})
+            description: "Meilisearch index {{ `{{ $labels.index }}` }} has zero documents\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: MeilisearchHttpResponseTime
+          expr: meilisearch_http_response_time_seconds > 0.5
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Meilisearch http response time (instance {{ `{{ $labels.instance }}` }})
+            description: "Meilisearch http response time is too high\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
--- a/clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
@@ -1,7 +1,7 @@
 dependencies:
 - name: kube-prometheus-stack
  repository: oci://ghcr.io/prometheus-community/charts
-  version: 84.2.1
+  version: 84.3.0
 - name: prometheus-operator-crds
  repository: oci://ghcr.io/prometheus-community/charts
  version: 28.0.1
@@ -11,5 +11,5 @@ dependencies:
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.6.1
-digest: sha256:4d3525495bf1c15bf3508fc9948fa46b2194b8e0439f4aeaf27bf855e9964f65
-generated: "2026-04-27T16:01:33.493574911Z"
+digest: sha256:88beedf9486adb9cb27b36c24021759401fcff106fc0e0cadbb3282d7e57d03c
+generated: "2026-04-27T19:03:58.288039768Z"
--- a/clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
@@ -20,7 +20,7 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: kube-prometheus-stack
-    version: 84.2.1
+    version: 84.3.0
    repository: oci://ghcr.io/prometheus-community/charts
  - name: prometheus-operator-crds
    version: 28.0.1
--- a/clusters/cl01tl/helm/kube-prometheus-stack/values.yaml
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/values.yaml
@@ -98,8 +98,8 @@ kube-prometheus-stack:
            namespace: traefik
    prometheusSpec:
      scrapeInterval: 30s
-      retention: 45d
-      retentionSize: 240GiB
+      retention: 60d
+      retentionSize: 450GiB
      externalUrl: https://prometheus.alexlebens.net
      ruleSelectorNilUsesHelmValues: false
      serviceMonitorSelectorNilUsesHelmValues: false
@@ -112,7 +112,7 @@ kube-prometheus-stack:
            accessModes: ["ReadWriteOnce"]
            resources:
              requests:
-                storage: 250Gi
+                storage: 500Gi
 ntfy-alertmanager:
  global:
    fullnameOverride: ntfy-alertmanager
--- a/clusters/cl01tl/helm/openbao/values.yaml
+++ b/clusters/cl01tl/helm/openbao/values.yaml
@@ -120,20 +120,52 @@ openbao:
    prometheusRules:
      enabled: true
      rules:
-        - alert: vault-HighResponseTime
+        - alert: openBao-HighResponseTime
          annotations:
-            message: The response time of Vault is over 500ms on average over the last 5 minutes.
+            message: The response time of OpenBao is over 500ms on average over the last 5 minutes.
          expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
          for: 5m
          labels:
            severity: warning
-        - alert: vault-HighResponseTime
+        - alert: openBao-HighResponseTime
          annotations:
-            message: The response time of Vault is over 1s on average over the last 5 minutes.
+            message: The response time of OpenBao is over 1s on average over the last 5 minutes.
          expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
          for: 5m
          labels:
            severity: critical
+        - alert: openBao-Sealed
+          expr: vault_core_unsealed == 0
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: OpenBao sealed (instance {{ $labels.instance }})
+            description: "OpenBao instance is sealed on {{ $labels.instance }}\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: OpenBao-TooManyPendingTokens
+          expr: avg(vault_token_create_count - vault_token_store_count) > 0
+          for: 5m
+          labels:
+            severity: warning
+          annotations:
+            summary: OpenBao too many pending tokens (instance {{ $labels.instance }})
+            description: "Too many pending tokens on {{ $labels.instance }}: {{ $value }} tokens created but not yet stored.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: OpenBao-TooManyInfinityTokens
+          expr: vault_token_count_by_ttl{creation_ttl="+Inf"} > 3
+          for: 5m
+          labels:
+            severity: warning
+          annotations:
+            summary: OpenBao too many infinity tokens (instance {{ $labels.instance }})
+            description: "Too many non-expiring tokens on {{ $labels.instance }}: {{ $value }} tokens with infinite TTL.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: OpenBao-ClusterHealth
+          expr: sum(vault_core_active) / count(vault_core_active) <= 0.5 and count(vault_core_active) > 0
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: OpenBao cluster health (instance {{ $labels.instance }})
+            description: "OpenBao cluster is not healthy: only {{ $value | humanizePercentage }} of nodes are active.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
  snapshotAgent:
    enabled: true
    schedule: 0 4 * * *
--- a/clusters/cl01tl/helm/paperless-ngx/Chart.yaml
+++ b/clusters/cl01tl/helm/paperless-ngx/Chart.yaml
@@ -48,4 +48,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/paperless-ngx.png
 # renovate: datasource=github-releases depName=paperless-ngx/paperless-ngx
-appVersion: 2.20.14
+appVersion: 2.20.15
--- a/clusters/cl01tl/helm/paperless-ngx/values.yaml
+++ b/clusters/cl01tl/helm/paperless-ngx/values.yaml
@@ -8,7 +8,7 @@ paperless-ngx:
        main:
          image:
            repository: ghcr.io/paperless-ngx/paperless-ngx
-            tag: 2.20.14@sha256:b89f83345532cfba72690185257eb6c4f92fc2a782332a42abe19c07b7a6595f
+            tag: 2.20.15@sha256:6c86cad803970ea782683a8e80e7403444c5bf3cf70de63b4d3c8e87500db92f
          env:
            - name: PAPERLESS_REDIS
              value: redis://paperless-ngx-valkey.paperless-ngx:6379
--- a/clusters/cl01tl/helm/plex/Chart.yaml
+++ b/clusters/cl01tl/helm/plex/Chart.yaml
@@ -20,4 +20,4 @@ dependencies:
    version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/plex.png
 # renovate: datasource=github-releases depName=linuxserver/docker-plex
-appVersion: 1.43.1.10611-1e34174b1-ls302
+appVersion: 1.43.1.10611-1e34174b1-ls303
--- a/clusters/cl01tl/helm/plex/values.yaml
+++ b/clusters/cl01tl/helm/plex/values.yaml
@@ -22,7 +22,7 @@ plex:
        main:
          image:
            repository: ghcr.io/linuxserver/plex
-            tag: 1.43.1.10611-1e34174b1-ls302@sha256:e5c7c283b242966416a4bed2d666acf6f3fb8f957c704be8333f8dc987364825
+            tag: 1.43.1.10611-1e34174b1-ls303@sha256:b785bdd60e781662f16e0526a6b54c07856739df95ab558a674a3c084dbde423
          env:
            - name: TZ
              value: America/Chicago
--- a/clusters/cl01tl/helm/rybbit/templates/prometheus-rule.yaml
+++ b/clusters/cl01tl/helm/rybbit/templates/prometheus-rule.yaml
@@ -0,0 +1,156 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: clickhouse
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: clickhouse
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  groups:
+    - name: EmbeddedExporter
+      rules:
+        - alert: ClickHouseNodeDown
+          expr: up{job="clickhouse"} == 0
+          for: 2m
+          labels:
+            severity: critical
+          annotations:
+            summary: ClickHouse node down (instance {{ `{{ $labels.instance }}` }})
+            description: "No metrics received from ClickHouse exporter for over 2 minutes.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseMemoryUsageCritical
+          expr: ClickHouseAsyncMetrics_CGroupMemoryUsed / ClickHouseAsyncMetrics_CGroupMemoryTotal * 100 > 90 and ClickHouseAsyncMetrics_CGroupMemoryTotal > 0
+          for: 5m
+          labels:
+            severity: critical
+          annotations:
+            summary: ClickHouse Memory Usage Critical (instance {{ `{{ $labels.instance }}` }})
+            description: "Memory usage is critically high, over 90%.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseMemoryUsageWarning
+          expr: ClickHouseAsyncMetrics_CGroupMemoryUsed / ClickHouseAsyncMetrics_CGroupMemoryTotal * 100 > 80 and ClickHouseAsyncMetrics_CGroupMemoryTotal > 0
+          for: 5m
+          labels:
+            severity: warning
+          annotations:
+            summary: ClickHouse Memory Usage Warning (instance {{ `{{ $labels.instance }}` }})
+            description: "Memory usage is over 80%.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseDiskSpaceLowOnDefault
+          expr: ClickHouseAsyncMetrics_DiskAvailable_default / (ClickHouseAsyncMetrics_DiskAvailable_default + ClickHouseAsyncMetrics_DiskUsed_default) * 100 < 20 and (ClickHouseAsyncMetrics_DiskAvailable_default + ClickHouseAsyncMetrics_DiskUsed_default) > 0
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: ClickHouse Disk Space Low on Default (instance {{ `{{ $labels.instance }}` }})
+            description: "Disk space on default is below 20%.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseDiskSpaceCriticalOnDefault
+          expr: ClickHouseAsyncMetrics_DiskAvailable_default / (ClickHouseAsyncMetrics_DiskAvailable_default + ClickHouseAsyncMetrics_DiskUsed_default) * 100 < 10 and (ClickHouseAsyncMetrics_DiskAvailable_default + ClickHouseAsyncMetrics_DiskUsed_default) > 0
+          for: 2m
+          labels:
+            severity: critical
+          annotations:
+            summary: ClickHouse Disk Space Critical on Default (instance {{ `{{ $labels.instance }}` }})
+            description: "Disk space on default disk is critically low, below 10%.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseDiskSpaceLowOnBackups
+          expr: ClickHouseAsyncMetrics_DiskAvailable_backups / (ClickHouseAsyncMetrics_DiskAvailable_backups + ClickHouseAsyncMetrics_DiskUsed_backups) * 100 < 20 and (ClickHouseAsyncMetrics_DiskAvailable_backups + ClickHouseAsyncMetrics_DiskUsed_backups) > 0
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: ClickHouse Disk Space Low on Backups (instance {{ `{{ $labels.instance }}` }})
+            description: "Disk space on backups is below 20%.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseReplicaErrors
+          expr: ClickHouseErrorMetric_ALL_REPLICAS_ARE_STALE == 1 or ClickHouseErrorMetric_ALL_REPLICAS_LOST == 1
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: ClickHouse Replica Errors (instance {{ `{{ $labels.instance }}` }})
+            description: "Critical replica errors detected, either all replicas are stale or lost.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseNoAvailableReplicas
+          expr: ClickHouseErrorMetric_NO_AVAILABLE_REPLICA == 1
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: ClickHouse No Available Replicas (instance {{ `{{ $labels.instance }}` }})
+            description: "No available replicas in ClickHouse.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseNoLiveReplicas
+          expr: ClickHouseErrorMetric_TOO_FEW_LIVE_REPLICAS == 1
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: ClickHouse No Live Replicas (instance {{ `{{ $labels.instance }}` }})
+            description: "There are too few live replicas available, risking data loss and service disruption.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseHighTCPConnections
+          expr: ClickHouseMetrics_TCPConnection > 400
+          for: 5m
+          labels:
+            severity: warning
+          annotations:
+            summary: ClickHouse High TCP Connections (instance {{ `{{ $labels.instance }}` }})
+            description: "High number of TCP connections, indicating heavy client or inter-cluster communication.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseInterserverConnectionIssues
+          expr: ClickHouseMetrics_InterserverConnection > 50
+          for: 5m
+          labels:
+            severity: warning
+          annotations:
+            summary: ClickHouse Interserver Connection Issues (instance {{ `{{ $labels.instance }}` }})
+            description: "High number of interserver connections may indicate replication or distributed query handling issues.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseZooKeeperConnectionIssues
+          expr: ClickHouseMetrics_ZooKeeperSession != 1
+          for: 3m
+          labels:
+            severity: warning
+          annotations:
+            summary: ClickHouse ZooKeeper Connection Issues (instance {{ `{{ $labels.instance }}` }})
+            description: "ClickHouse is experiencing issues with ZooKeeper connections, which may affect cluster state and coordination.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseAuthenticationFailures
+          expr: increase(ClickHouseErrorMetric_AUTHENTICATION_FAILED[5m]) > 3
+          for: 0m
+          labels:
+            severity: info
+          annotations:
+            summary: ClickHouse Authentication Failures (instance {{ `{{ $labels.instance }}` }})
+            description: "Authentication failures detected, indicating potential security issues or misconfiguration.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseAccessDeniedErrors
+          expr: increase(ClickHouseErrorMetric_RESOURCE_ACCESS_DENIED[5m]) > 3
+          for: 0m
+          labels:
+            severity: info
+          annotations:
+            summary: ClickHouse Access Denied Errors (instance {{ `{{ $labels.instance }}` }})
+            description: "Access denied errors have been logged, which could indicate permission issues or unauthorized access attempts.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseRejectedInsertQueries
+          expr: increase(ClickHouseProfileEvents_RejectedInserts[1m]) > 2
+          for: 1m
+          labels:
+            severity: warning
+          annotations:
+            summary: ClickHouse rejected insert queries (instance {{ `{{ $labels.instance }}` }})
+            description: "INSERTs rejected due to too many active data parts. Reduce insert frequency.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseDelayedInsertQueries
+          expr: increase(ClickHouseProfileEvents_DelayedInserts[5m]) > 10
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: ClickHouse delayed insert queries (instance {{ `{{ $labels.instance }}` }})
+            description: "INSERTs delayed due to high number of active parts.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseZookeeperHardwareException
+          expr: increase(ClickHouseProfileEvents_ZooKeeperHardwareExceptions[1m]) > 0
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: ClickHouse zookeeper hardware exception (instance {{ `{{ $labels.instance }}` }})
+            description: "Zookeeper hardware exception: network issues communicating with ZooKeeper\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ClickHouseDistributedRejectedInserts
+          expr: increase(ClickHouseProfileEvents_DistributedRejectedInserts[5m]) > 3
+          for: 2m
+          labels:
+            severity: critical
+          annotations:
+            summary: ClickHouse distributed rejected inserts (instance {{ `{{ $labels.instance }}` }})
+            description: "INSERTs into Distributed tables rejected due to pending bytes limit.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
--- a/clusters/cl01tl/helm/rybbit/values.yaml
+++ b/clusters/cl01tl/helm/rybbit/values.yaml
@@ -150,19 +150,20 @@ rybbit:
      data:
        network.xml: |
          <clickhouse>
-              <listen_host>0.0.0.0</listen_host>
+            <listen_host>0.0.0.0</listen_host>
+            <http_port>8123</http_port>
          </clickhouse>
        enable_json.xml: |
          <clickhouse>
-              <settings>
-                  <enable_json_type>1</enable_json_type>
-              </settings>
+            <settings>
+              <enable_json_type>1</enable_json_type>
+            </settings>
          </clickhouse>
        logging_rules.xml: |
          <clickhouse>
            <logger>
-                <level>warning</level>
-                <console>true</console>
+              <level>warning</level>
+              <console>true</console>
            </logger>
            <query_thread_log remove="remove"/>
            <query_log remove="remove"/>
@@ -185,6 +186,17 @@ rybbit:
              </default>
            </profiles>
          </clickhouse>
+        metrics.xml: |
+          <clickhouse>
+            <prometheus>
+              <endpoint>/metrics</endpoint>
+              <port>9363</port>
+              <metrics>true</metrics>
+              <events>true</events>
+              <asynchronous_metrics>true</asynchronous_metrics>
+              <errors>true</errors>
+            </prometheus>
+          </clickhouse>
  service:
    backend:
      controller: backend
@@ -204,6 +216,21 @@ rybbit:
        http:
          port: 8123
          targetPort: 8123
+        metrics:
+          port: 9363
+          targetPort: 9363
+  serviceMonitor:
+    main:
+      selector:
+        matchLabels:
+          app.kubernetes.io/name: rybbit-clickhouse
+          app.kubernetes.io/instance: rybbit-clickhouse
+      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
+      endpoints:
+        - port: metrics
+          interval: 30s
+          scrapeTimeout: 10s
+          path: /metrics
  persistence:
    clickhouse:
      forceRename: clickhouse-data
@@ -238,6 +265,10 @@ rybbit:
              readOnly: true
              mountPropagation: None
              subPath: user_logging.xml
+            - path: /etc/clickhouse-server/config.d/metrics.xml
+              readOnly: true
+              mountPropagation: None
+              subPath: metrics.xml
 postgres-18-cluster:
  mode: recovery
  recovery:
--- a/clusters/cl01tl/helm/secrets-store-csi-driver/values.yaml
+++ b/clusters/cl01tl/helm/secrets-store-csi-driver/values.yaml
@@ -3,12 +3,12 @@ secrets-store-csi-driver:
    enabled: true
    image:
      repository: registry.k8s.io/csi-secrets-store/driver
-      tag: v1.5.6@sha256:6df2b3b3817136d2ade3d53306dbbd98385c1c01e8b3c373192c0e5b8d183f7b
+      tag: v1.6.0@sha256:110344819630bfd41e0c6d3f215d325ad1a4d5d5b1d298f8af7d0edf4df64a4e
    crds:
      enabled: true
      image:
        repository: registry.k8s.io/csi-secrets-store/driver-crds
-        tag: v1.5.6@sha256:d40d9212beb62ee0f9f09b75d024ed807816879f38e75eca309497c3df89568c
+        tag: v1.6.0@sha256:2419b318a1c17bd741686bf1994cd37cee7162039c019435b8f534f2846fe488
    driver:
      resources:
        limits:
--- a/clusters/cl01tl/helm/site-profile/values.yaml
+++ b/clusters/cl01tl/helm/site-profile/values.yaml
@@ -10,7 +10,7 @@ site-profile:
        main:
          image:
            repository: harbor.alexlebens.net/images/site-profile
-            tag: 3.18.6@sha256:6aacdb7270d21b02d85cd593999014c91614e70c8f6f84774e532f9141237a6c
+            tag: 3.18.7@sha256:d2e31d00b58aa8e843eeaa5ba75d1bb73dd9d1587185b82e5451a585285de6a0
          resources:
            requests:
              cpu: 10m
--- a/clusters/cl01tl/helm/stalwart/templates/prometheus-rule.yaml
+++ b/clusters/cl01tl/helm/stalwart/templates/prometheus-rule.yaml
@@ -0,0 +1,169 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: elasticsearch
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: elasticsearch
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  groups:
+    - name: ElasticsearchExporter
+      rules:
+        - alert: ElasticsearchHeapUsageTooHigh
+          expr: (elasticsearch_jvm_memory_used_bytes{area="heap"} / elasticsearch_jvm_memory_max_bytes{area="heap"}) * 100 > 90 and elasticsearch_jvm_memory_max_bytes{area="heap"} > 0
+          for: 2m
+          labels:
+            severity: critical
+          annotations:
+            summary: Elasticsearch Heap Usage Too High (instance {{ `{{ $labels.instance }}` }})
+            description: "The heap usage is over 90%\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchHeapUsageWarning
+          expr: (elasticsearch_jvm_memory_used_bytes{area="heap"} / elasticsearch_jvm_memory_max_bytes{area="heap"}) * 100 > 80 and elasticsearch_jvm_memory_max_bytes{area="heap"} > 0
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch Heap Usage warning (instance {{ `{{ $labels.instance }}` }})
+            description: "The heap usage is over 80%\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchDiskOutOfSpace
+          expr: elasticsearch_filesystem_data_available_bytes / elasticsearch_filesystem_data_size_bytes * 100 < 10 and elasticsearch_filesystem_data_size_bytes > 0
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: Elasticsearch disk out of space (instance {{ `{{ $labels.instance }}` }})
+            description: "The disk usage is over 90%\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchDiskSpaceLow
+          expr: elasticsearch_filesystem_data_available_bytes / elasticsearch_filesystem_data_size_bytes * 100 < 20 and elasticsearch_filesystem_data_size_bytes > 0
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch disk space low (instance {{ `{{ $labels.instance }}` }})
+            description: "The disk usage is over 80%\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchClusterRed
+          expr: elasticsearch_cluster_health_status{color="red"} == 1
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: Elasticsearch Cluster Red (instance {{ `{{ $labels.instance }}` }})
+            description: "Elastic Cluster Red status\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchClusterYellow
+          expr: elasticsearch_cluster_health_status{color="yellow"} == 1
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch Cluster Yellow (instance {{ `{{ $labels.instance }}` }})
+            description: "Elastic Cluster Yellow status\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+          # 1m delay allows a restart without triggering an alert.
+        - alert: ElasticsearchHealthyNodes
+          expr: elasticsearch_cluster_health_number_of_nodes < 3
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: Elasticsearch Healthy Nodes (instance {{ `{{ $labels.instance }}` }})
+            description: "Missing node in Elasticsearch cluster\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+          # 1m delay allows a restart without triggering an alert.
+        - alert: ElasticsearchHealthyDataNodes
+          expr: elasticsearch_cluster_health_number_of_data_nodes < 3
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: Elasticsearch Healthy Data Nodes (instance {{ `{{ $labels.instance }}` }})
+            description: "Missing data node in Elasticsearch cluster\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchRelocatingShards
+          expr: elasticsearch_cluster_health_relocating_shards > 0
+          for: 0m
+          labels:
+            severity: info
+          annotations:
+            summary: Elasticsearch relocating shards (instance {{ `{{ $labels.instance }}` }})
+            description: "Elasticsearch is relocating shards\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchRelocatingShardsTooLong
+          expr: elasticsearch_cluster_health_relocating_shards > 0
+          for: 15m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch relocating shards too long (instance {{ `{{ $labels.instance }}` }})
+            description: "Elasticsearch has been relocating shards for 15min\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchInitializingShards
+          expr: elasticsearch_cluster_health_initializing_shards > 0
+          for: 0m
+          labels:
+            severity: info
+          annotations:
+            summary: Elasticsearch initializing shards (instance {{ `{{ $labels.instance }}` }})
+            description: "Elasticsearch is initializing shards\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchInitializingShardsTooLong
+          expr: elasticsearch_cluster_health_initializing_shards > 0
+          for: 15m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch initializing shards too long (instance {{ `{{ $labels.instance }}` }})
+            description: "Elasticsearch has been initializing shards for 15 min\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchUnassignedShards
+          expr: elasticsearch_cluster_health_unassigned_shards > 0
+          for: 2m
+          labels:
+            severity: critical
+          annotations:
+            summary: Elasticsearch unassigned shards (instance {{ `{{ $labels.instance }}` }})
+            description: "Elasticsearch has unassigned shards\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchPendingTasks
+          expr: elasticsearch_cluster_health_number_of_pending_tasks > 0
+          for: 15m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch pending tasks (instance {{ `{{ $labels.instance }}` }})
+            description: "Elasticsearch has pending tasks. Cluster works slowly.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchNoNewDocuments
+          expr: increase(elasticsearch_indices_indexing_index_total{es_data_node="true"}[10m]) < 1
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch no new documents (instance {{ `{{ $labels.instance }}` }})
+            description: "No new documents for 10 min!\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+          # Threshold of 10ms (0.01s) per indexing operation is a rough default. Adjust based on your document size and cluster performance.
+        - alert: ElasticsearchHighIndexingLatency
+          expr: rate(elasticsearch_indices_indexing_index_time_seconds_total[5m]) / rate(elasticsearch_indices_indexing_index_total[5m]) > 0.01 and rate(elasticsearch_indices_indexing_index_total[5m]) > 0
+          for: 10m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch High Indexing Latency (instance {{ `{{ $labels.instance }}` }})
+            description: "The indexing latency on Elasticsearch cluster is higher than the threshold (current value: {{ `{{ $value }}` }}s).\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+          # Threshold of 10000 ops/s is a rough default. Adjust based on your cluster capacity and expected workload.
+        - alert: ElasticsearchHighIndexingRate
+          expr: sum(rate(elasticsearch_indices_indexing_index_total[1m]))> 10000
+          for: 5m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch High Indexing Rate (instance {{ `{{ $labels.instance }}` }})
+            description: "The indexing rate on Elasticsearch cluster is higher than the threshold.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+          # Threshold of 100 queries/s is very low for most production clusters. Adjust based on your expected query volume.
+        - alert: ElasticsearchHighQueryRate
+          expr: sum(rate(elasticsearch_indices_search_query_total[1m])) > 100
+          for: 5m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch High Query Rate (instance {{ `{{ $labels.instance }}` }})
+            description: "The query rate on Elasticsearch cluster is higher than the threshold.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchHighQueryLatency
+          expr: rate(elasticsearch_indices_search_query_time_seconds[1m]) / rate(elasticsearch_indices_search_query_total[1m]) > 1 and rate(elasticsearch_indices_search_query_total[1m]) > 0
+          for: 5m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch High Query Latency (instance {{ `{{ $labels.instance }}` }})
+            description: "The query latency on Elasticsearch cluster is higher than the threshold (current value: {{ `{{ $value }}` }}s).\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
--- a/clusters/cl01tl/helm/stalwart/values.yaml
+++ b/clusters/cl01tl/helm/stalwart/values.yaml
@@ -1,6 +1,7 @@
 stalwart:
  controllers:
    main:
+      forceRename: stalwart
      type: deployment
      replicas: 1
      strategy: Recreate
@@ -13,9 +14,26 @@ stalwart:
            requests:
              cpu: 10m
              memory: 100Mi
+    metrics:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      containers:
+        main:
+          image:
+            repository: quay.io/prometheuscommunity/elasticsearch-exporter
+            tag: v1.10.0@sha256:a6a4d4403f670faf6a94b8c7f9adbca3ead91f26dd64e5ccf95fa69025dc6e58
+          args:
+            - '--es.uri=https://elasticsearch-stalwart-es-http.tubearchivist:9200'
+            - '--es.ssl-skip-verify'
+          resources:
+            requests:
+              cpu: 1m
+              memory: 10Mi
  service:
    main:
      controller: main
+      forceRename: stalwart
      ports:
        http:
          port: 80
@@ -32,6 +50,24 @@ stalwart:
        imaps:
          port: 993
          targetPort: 993
+    metrics:
+      controller: metrics
+      ports:
+        metrics:
+          port: 9114
+          targetPort: 9114
+  serviceMonitor:
+    main:
+      selector:
+        matchLabels:
+          app.kubernetes.io/name: stalwart-metrics
+          app.kubernetes.io/instance: stalwart-metrics
+      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
+      endpoints:
+        - port: metrics
+          interval: 30s
+          scrapeTimeout: 10s
+          path: /metrics
  route:
    main:
      kind: HTTPRoute
--- a/clusters/cl01tl/helm/tubearchivist/templates/prometheus-rule.yaml
+++ b/clusters/cl01tl/helm/tubearchivist/templates/prometheus-rule.yaml
@@ -0,0 +1,169 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: elasticsearch
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: elasticsearch
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  groups:
+    - name: ElasticsearchExporter
+      rules:
+        - alert: ElasticsearchHeapUsageTooHigh
+          expr: (elasticsearch_jvm_memory_used_bytes{area="heap"} / elasticsearch_jvm_memory_max_bytes{area="heap"}) * 100 > 90 and elasticsearch_jvm_memory_max_bytes{area="heap"} > 0
+          for: 2m
+          labels:
+            severity: critical
+          annotations:
+            summary: Elasticsearch Heap Usage Too High (instance {{ `{{ $labels.instance }}` }})
+            description: "The heap usage is over 90%\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchHeapUsageWarning
+          expr: (elasticsearch_jvm_memory_used_bytes{area="heap"} / elasticsearch_jvm_memory_max_bytes{area="heap"}) * 100 > 80 and elasticsearch_jvm_memory_max_bytes{area="heap"} > 0
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch Heap Usage warning (instance {{ `{{ $labels.instance }}` }})
+            description: "The heap usage is over 80%\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchDiskOutOfSpace
+          expr: elasticsearch_filesystem_data_available_bytes / elasticsearch_filesystem_data_size_bytes * 100 < 10 and elasticsearch_filesystem_data_size_bytes > 0
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: Elasticsearch disk out of space (instance {{ `{{ $labels.instance }}` }})
+            description: "The disk usage is over 90%\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchDiskSpaceLow
+          expr: elasticsearch_filesystem_data_available_bytes / elasticsearch_filesystem_data_size_bytes * 100 < 20 and elasticsearch_filesystem_data_size_bytes > 0
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch disk space low (instance {{ `{{ $labels.instance }}` }})
+            description: "The disk usage is over 80%\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchClusterRed
+          expr: elasticsearch_cluster_health_status{color="red"} == 1
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: Elasticsearch Cluster Red (instance {{ `{{ $labels.instance }}` }})
+            description: "Elastic Cluster Red status\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchClusterYellow
+          expr: elasticsearch_cluster_health_status{color="yellow"} == 1
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch Cluster Yellow (instance {{ `{{ $labels.instance }}` }})
+            description: "Elastic Cluster Yellow status\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+          # 1m delay allows a restart without triggering an alert.
+        - alert: ElasticsearchHealthyNodes
+          expr: elasticsearch_cluster_health_number_of_nodes < 3
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: Elasticsearch Healthy Nodes (instance {{ `{{ $labels.instance }}` }})
+            description: "Missing node in Elasticsearch cluster\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+          # 1m delay allows a restart without triggering an alert.
+        - alert: ElasticsearchHealthyDataNodes
+          expr: elasticsearch_cluster_health_number_of_data_nodes < 3
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: Elasticsearch Healthy Data Nodes (instance {{ `{{ $labels.instance }}` }})
+            description: "Missing data node in Elasticsearch cluster\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchRelocatingShards
+          expr: elasticsearch_cluster_health_relocating_shards > 0
+          for: 0m
+          labels:
+            severity: info
+          annotations:
+            summary: Elasticsearch relocating shards (instance {{ `{{ $labels.instance }}` }})
+            description: "Elasticsearch is relocating shards\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchRelocatingShardsTooLong
+          expr: elasticsearch_cluster_health_relocating_shards > 0
+          for: 15m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch relocating shards too long (instance {{ `{{ $labels.instance }}` }})
+            description: "Elasticsearch has been relocating shards for 15min\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchInitializingShards
+          expr: elasticsearch_cluster_health_initializing_shards > 0
+          for: 0m
+          labels:
+            severity: info
+          annotations:
+            summary: Elasticsearch initializing shards (instance {{ `{{ $labels.instance }}` }})
+            description: "Elasticsearch is initializing shards\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchInitializingShardsTooLong
+          expr: elasticsearch_cluster_health_initializing_shards > 0
+          for: 15m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch initializing shards too long (instance {{ `{{ $labels.instance }}` }})
+            description: "Elasticsearch has been initializing shards for 15 min\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchUnassignedShards
+          expr: elasticsearch_cluster_health_unassigned_shards > 0
+          for: 2m
+          labels:
+            severity: critical
+          annotations:
+            summary: Elasticsearch unassigned shards (instance {{ `{{ $labels.instance }}` }})
+            description: "Elasticsearch has unassigned shards\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchPendingTasks
+          expr: elasticsearch_cluster_health_number_of_pending_tasks > 0
+          for: 15m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch pending tasks (instance {{ `{{ $labels.instance }}` }})
+            description: "Elasticsearch has pending tasks. Cluster works slowly.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchNoNewDocuments
+          expr: increase(elasticsearch_indices_indexing_index_total{es_data_node="true"}[10m]) < 1
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch no new documents (instance {{ `{{ $labels.instance }}` }})
+            description: "No new documents for 10 min!\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+          # Threshold of 10ms (0.01s) per indexing operation is a rough default. Adjust based on your document size and cluster performance.
+        - alert: ElasticsearchHighIndexingLatency
+          expr: rate(elasticsearch_indices_indexing_index_time_seconds_total[5m]) / rate(elasticsearch_indices_indexing_index_total[5m]) > 0.01 and rate(elasticsearch_indices_indexing_index_total[5m]) > 0
+          for: 10m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch High Indexing Latency (instance {{ `{{ $labels.instance }}` }})
+            description: "The indexing latency on Elasticsearch cluster is higher than the threshold (current value: {{ `{{ $value }}` }}s).\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+          # Threshold of 10000 ops/s is a rough default. Adjust based on your cluster capacity and expected workload.
+        - alert: ElasticsearchHighIndexingRate
+          expr: sum(rate(elasticsearch_indices_indexing_index_total[1m]))> 10000
+          for: 5m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch High Indexing Rate (instance {{ `{{ $labels.instance }}` }})
+            description: "The indexing rate on Elasticsearch cluster is higher than the threshold.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+          # Threshold of 100 queries/s is very low for most production clusters. Adjust based on your expected query volume.
+        - alert: ElasticsearchHighQueryRate
+          expr: sum(rate(elasticsearch_indices_search_query_total[1m])) > 100
+          for: 5m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch High Query Rate (instance {{ `{{ $labels.instance }}` }})
+            description: "The query rate on Elasticsearch cluster is higher than the threshold.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
+        - alert: ElasticsearchHighQueryLatency
+          expr: rate(elasticsearch_indices_search_query_time_seconds[1m]) / rate(elasticsearch_indices_search_query_total[1m]) > 1 and rate(elasticsearch_indices_search_query_total[1m]) > 0
+          for: 5m
+          labels:
+            severity: warning
+          annotations:
+            summary: Elasticsearch High Query Latency (instance {{ `{{ $labels.instance }}` }})
+            description: "The query latency on Elasticsearch cluster is higher than the threshold (current value: {{ `{{ $value }}` }}s).\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
--- a/clusters/cl01tl/helm/tubearchivist/values.yaml
+++ b/clusters/cl01tl/helm/tubearchivist/values.yaml
@@ -1,6 +1,7 @@
 tubearchivist:
  controllers:
    main:
+      forceRename: tubearchivist
      type: deployment
      replicas: 1
      strategy: Recreate
@@ -96,13 +97,48 @@ tubearchivist:
              devic.es/tun: "1"
            requests:
              devic.es/tun: "1"
+    metrics:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      containers:
+        main:
+          image:
+            repository: quay.io/prometheuscommunity/elasticsearch-exporter
+            tag: v1.10.0@sha256:a6a4d4403f670faf6a94b8c7f9adbca3ead91f26dd64e5ccf95fa69025dc6e58
+          args:
+            - '--es.uri=https://elasticsearch-tubearchivist-es-http.tubearchivist:9200'
+            - '--es.ssl-skip-verify'
+          resources:
+            requests:
+              cpu: 1m
+              memory: 10Mi
  service:
    main:
      controller: main
+      forceRename: tubearchivist
      ports:
        http:
          port: 80
          targetPort: 24000
+    metrics:
+      controller: metrics
+      ports:
+        metrics:
+          port: 9114
+          targetPort: 9114
+  serviceMonitor:
+    main:
+      selector:
+        matchLabels:
+          app.kubernetes.io/name: tubearchivist-metrics
+          app.kubernetes.io/instance: tubearchivist-metrics
+      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
+      endpoints:
+        - port: metrics
+          interval: 30s
+          scrapeTimeout: 10s
+          path: /metrics
  route:
    main:
      kind: HTTPRoute
Author	SHA1	Message	Date
Alex Lebens	732bf455a2	feat: remove annotation All checks were successful lint-test-helm / lint-helm (push) Successful in 22s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 4m11s Details	2026-04-27 16:50:07 -05:00
Alex Lebens	777181a7ff	feat: add annotation All checks were successful lint-test-helm / lint-helm (push) Successful in 23s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 4m39s Details	2026-04-27 16:32:33 -05:00
Alex Lebens	6e7897b002	fix: wrong secret Some checks failed lint-test-helm / lint-helm (push) Successful in 27s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details	2026-04-27 16:30:12 -05:00
Alex Lebens	baa67506f8	feat: add psp All checks were successful lint-test-helm / lint-helm (push) Successful in 23s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 3m55s Details	2026-04-27 16:09:19 -05:00
Alex Lebens	7821ec65a0	Merge pull request 'fix: wrong secret' (#6324 ) from tmp/dawarich-1 into main Some checks failed lint-test-helm / lint-helm (push) Successful in 29s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details Reviewed-on: #6324	2026-04-27 21:06:19 +00:00
Alex Lebens	f59710b8d0	fix: wrong secret All checks were successful lint-test-helm / lint-helm (pull_request) Successful in 25s Details lint-test-helm / validate-kubeconform (pull_request) Has been skipped Details render-manifests / render-manifests (pull_request) Successful in 1m21s Details	2026-04-27 16:05:16 -05:00
Alex Lebens	1e63174d43	feat: add permissions All checks were successful lint-test-helm / lint-helm (push) Successful in 21s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 10m30s Details	2026-04-27 15:47:04 -05:00
Alex Lebens	72017223f3	Merge pull request 'chore(deps): update freikin/dawarich docker tag to v1.7.0' (#6322 ) from renovate/unified-dawarich into main All checks were successful lint-test-helm / lint-helm (push) Successful in 28s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 4m26s Details Reviewed-on: #6322	2026-04-27 20:40:53 +00:00
Renovate Bot	beee80e9b5	chore(deps): update freikin/dawarich docker tag to v1.7.0 All checks were successful lint-test-helm / lint-helm (pull_request) Successful in 36s Details lint-test-helm / validate-kubeconform (pull_request) Successful in 35s Details render-manifests / render-manifests (pull_request) Successful in 55s Details	2026-04-27 20:38:51 +00:00
Alex Lebens	f1fd181459	feat: expand retention All checks were successful lint-test-helm / lint-helm (push) Successful in 32s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 4m32s Details	2026-04-27 15:35:30 -05:00
Alex Lebens	e97c28e0fb	Merge pull request 'fix: wrong arg' (#6320 ) from tmp/prom-rule-5 into main Some checks failed lint-test-helm / lint-helm (push) Successful in 27s Details lint-test-helm / validate-kubeconform (push) Has been cancelled Details renovate / renovate (push) Has been cancelled Details Reviewed-on: #6320	2026-04-27 20:34:56 +00:00
Alex Lebens	3f8f04a711	fix: wrong arg	2026-04-27 20:34:56 +00:00
Alex Lebens	c68534b9e7	feat: expand disk Some checks failed lint-test-helm / lint-helm (push) Successful in 19s Details lint-test-helm / validate-kubeconform (push) Has been cancelled Details renovate / renovate (push) Has been cancelled Details	2026-04-27 15:34:28 -05:00
Alex Lebens	1ddcd888a4	Merge pull request 'tmp/prom-rule-4' (#6318 ) from tmp/prom-rule-4 into main All checks were successful lint-test-helm / lint-helm (push) Successful in 32s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 5m9s Details Reviewed-on: #6318	2026-04-27 20:20:00 +00:00
Alex Lebens	d0df6c5c67	feat: set to weekly All checks were successful lint-test-helm / lint-helm (pull_request) Successful in 29s Details lint-test-helm / validate-kubeconform (pull_request) Successful in 25s Details render-manifests / render-manifests (pull_request) Successful in 1m17s Details	2026-04-27 15:14:46 -05:00
Alex Lebens	437ba24efb	feat: cleanup	2026-04-27 15:12:39 -05:00
Alex Lebens	40250eaf31	Merge pull request 'fix: wrong resource value' (#6316 ) from tmp/fix-4 into main All checks were successful lint-test-helm / lint-helm (push) Successful in 31s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 1m50s Details Reviewed-on: #6316	2026-04-27 19:44:58 +00:00
Alex Lebens	15faf1d9de	fix: wrong resource value	2026-04-27 19:44:58 +00:00
Alex Lebens	66aa7382bc	Merge pull request 'chore(deps): update dependency freika/dawarich to v1.7.0' (#6291 ) from renovate/unified-dawarich into main Some checks failed lint-test-helm / lint-helm (push) Successful in 38s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details Reviewed-on: #6291	2026-04-27 19:41:55 +00:00
Renovate Bot	25e4a6e532	chore(deps): update dependency freika/dawarich to v1.7.0 All checks were successful lint-test-helm / lint-helm (pull_request) Successful in 31s Details lint-test-helm / validate-kubeconform (pull_request) Successful in 1m7s Details render-manifests / render-manifests (pull_request) Successful in 53s Details	2026-04-27 19:36:33 +00:00
Alex Lebens	3a4542ebd4	Merge pull request 'chore(deps): update plex to v1.43.1.10611-1e34174b1-ls303' (#6308 ) from renovate/unified-plex into main All checks were successful lint-test-helm / lint-helm (push) Successful in 50s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 5m46s Details Reviewed-on: #6308	2026-04-27 19:31:40 +00:00
Renovate Bot	067047ceb0	chore(deps): update plex to v1.43.1.10611-1e34174b1-ls303	2026-04-27 19:31:40 +00:00
Alex Lebens	38db6bcdaf	Merge pull request 'chore(deps): update registry.k8s.io/csi-secrets-store/driver docker tag to v1.6.0' (#6298 ) from renovate/unified-driver into main Some checks failed lint-test-helm / lint-helm (push) Successful in 38s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details Reviewed-on: #6298	2026-04-27 19:28:47 +00:00
Renovate Bot	9fa5d7dc00	chore(deps): update registry.k8s.io/csi-secrets-store/driver docker tag to v1.6.0	2026-04-27 19:28:47 +00:00
Alex Lebens	b3fcfcfa09	Merge pull request 'chore(deps): update paperless-ngx to v2.20.15' (#6305 ) from renovate/unified-paperless-ngx into main Some checks failed lint-test-helm / lint-helm (push) Successful in 23s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details Reviewed-on: #6305	2026-04-27 19:26:57 +00:00
Renovate Bot	1710861eb3	chore(deps): update paperless-ngx to v2.20.15	2026-04-27 19:26:57 +00:00
Alex Lebens	70549110c0	Merge pull request 'chore(deps): update registry.k8s.io/csi-secrets-store/driver-crds docker tag to v1.6.0' (#6299 ) from renovate/unified-driver-crds into main Some checks failed lint-test-helm / lint-helm (push) Successful in 22s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details Reviewed-on: #6299	2026-04-27 19:26:27 +00:00
Renovate Bot	93b98ea90d	chore(deps): update registry.k8s.io/csi-secrets-store/driver-crds docker tag to v1.6.0 All checks were successful lint-test-helm / lint-helm (pull_request) Successful in 27s Details lint-test-helm / validate-kubeconform (pull_request) Successful in 30s Details render-manifests / render-manifests (pull_request) Successful in 51s Details	2026-04-27 19:15:27 +00:00
Alex Lebens	f45a4e4d8e	Merge pull request 'fix: wrong name' (#6310 ) from tmp/prom-rule-3 into main All checks were successful lint-test-helm / lint-helm (push) Successful in 28s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 3m43s Details Reviewed-on: #6310	2026-04-27 19:10:55 +00:00
Alex Lebens	57619c277d	fix: wrong name All checks were successful lint-test-helm / lint-helm (pull_request) Successful in 27s Details lint-test-helm / validate-kubeconform (pull_request) Successful in 25s Details render-manifests / render-manifests (pull_request) Successful in 2m0s Details	2026-04-27 14:05:19 -05:00
Renovate Bot	7a9275a49e	Merge pull request 'chore(deps): update kube-prometheus-stack docker tag to v84.3.0' (#6309 ) from renovate/unified-kube-prometheus-stack into main All checks were successful lint-test-helm / lint-helm (push) Successful in 44s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Successful in 4m27s Details	2026-04-27 19:04:28 +00:00
Renovate Bot	48012b885b	chore(deps): update kube-prometheus-stack docker tag to v84.3.0	2026-04-27 19:04:28 +00:00
Alex Lebens	b8a7c19e0a	Merge pull request 'feat: rename controller' (#6307 ) from tmp/prom-rule-2 into main Some checks failed lint-test-helm / lint-helm (push) Successful in 30s Details lint-test-helm / validate-kubeconform (push) Has been cancelled Details renovate / renovate (push) Has been cancelled Details Reviewed-on: #6307	2026-04-27 19:02:55 +00:00
Alex Lebens	d043dc80be	feat: rename controller All checks were successful lint-test-helm / lint-helm (pull_request) Successful in 25s Details lint-test-helm / validate-kubeconform (pull_request) Successful in 25s Details render-manifests / render-manifests (pull_request) Successful in 1m22s Details	2026-04-27 14:00:39 -05:00
Renovate Bot	e83fcdfe29	Merge pull request 'chore(deps): update harbor.alexlebens.net/images/site-profile docker tag to v3.18.7' (#6304 ) from renovate/unified-site-profile into main Some checks failed renovate / renovate (push) Successful in 3m3s Details lint-test-helm / validate-kubeconform (push) Has been cancelled Details lint-test-helm / lint-helm (push) Has been cancelled Details	2026-04-27 18:58:44 +00:00
Renovate Bot	fba19fe073	chore(deps): update harbor.alexlebens.net/images/site-profile docker tag to v3.18.7 Some checks are pending renovate/stability-days Updates have not met minimum release age requirement Details render-manifests / render-manifests (pull_request) Successful in 1m33s Details lint-test-helm / lint-helm (pull_request) Successful in 18m46s Details lint-test-helm / validate-kubeconform (pull_request) Successful in 1m22s Details	2026-04-27 18:58:28 +00:00
Alex Lebens	4216bad619	Merge pull request 'feat: add rules' (#6302 ) from tmp/prom-rule into main Some checks failed lint-test-helm / lint-helm (push) Successful in 2m42s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details Reviewed-on: #6302	2026-04-27 18:55:05 +00:00
Alex Lebens	03f0d37cd6	fix: wrong indent All checks were successful lint-test-helm / lint-helm (pull_request) Successful in 2m13s Details lint-test-helm / validate-kubeconform (pull_request) Successful in 2m23s Details render-manifests / render-manifests (pull_request) Successful in 1m57s Details	2026-04-27 13:49:35 -05:00
Alex Lebens	87f21b0e03	feat: add rules Some checks failed lint-test-helm / lint-helm (pull_request) Failing after 3m35s Details lint-test-helm / validate-kubeconform (pull_request) Has been skipped Details	2026-04-27 13:39:08 -05:00
Renovate Bot	988fed6179	Merge pull request 'chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.144.0' (#6300 ) from renovate/unified-renovate into main All checks were successful renovate / renovate (push) Successful in 12m46s Details	2026-04-27 17:23:01 +00:00
Renovate Bot	773c75be9b	chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.144.0	2026-04-27 17:22:33 +00:00