Update ghcr.io/linuxserver/bazarr:1.5.3 Docker digest to 648f694 (#2601)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [redis-replication](https://github.com/OT-CONTAINER-KIT/redis-operator) | minor | `0.4.0` -> `0.5.0` |

---

### Release Notes

<details>
<summary>OT-CONTAINER-KIT/redis-operator (redis-replication)</summary>

### [`v0.5.0`](https://github.com/OT-CONTAINER-KIT/redis-operator/blob/HEAD/CHANGELOG.md#v050)

[Compare Source](https://github.com/OT-CONTAINER-KIT/redis-operator/compare/v0.4.0...v0.5.0)

##### May 1, 2021

##### 🎉 Features

- Added support for recovering redis nodes from failover
- Added toleration support for redis statefuls
- Added capability to use existing secret created inside K8s

##### 🪲 Bug Fixes

- Fixed logic for service and statefulset comparison in K8s

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi4zOS4xIiwidXBkYXRlZEluVmVyIjoiNDIuMzkuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiaW1hZ2UiXX0=-->

Reviewed-on: #2563
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

.gitea/workflows/lint-test-docker.yaml

@@ -6,14 +6,12 @@ on:
       - main
     paths:
       - 'hosts/**'
-      - '!clusters/**'
 
   push:
     branches:
       - main
     paths:
       - 'hosts/**'
-      - '!clusters/**'
 
 env:
   BASE_BRANCH: "origin/${{ gitea.base_ref }}"
@@ -67,11 +65,11 @@ jobs:
           if [ "${{ github.event_name }}" == "pull_request" ]; then
             echo ""
             echo ">> Checking for changes in a pull request ..."
-            GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u | grep -E "hosts/[^/]+/[^/]+")
+            GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u)
           else
             echo ""
             echo ">> Checking for changes from a push ..."
-            GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep -E "hosts/[^/]+/[^/]+")
+            GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u)
           fi
 
           if [ -n "${GIT_DIFF}" ]; then
@@ -80,8 +78,12 @@ jobs:
             echo "$GIT_DIFF"
 
             for path in $GIT_DIFF; do
+              if echo "$path" | grep -q -E "hosts/[^/]+/[^/]+"; then
+                echo ""
+                echo ">> Adding path: $path"
                 CHANGED_COMPOSE+=$(echo "$path")
                 CHANGED_COMPOSE+=$(echo " ")
+              fi
             done
 
           else
@@ -102,6 +104,11 @@ jobs:
             echo "$(echo "${CHANGED_COMPOSE}" | sort -u)" >> $GITEA_OUTPUT
             echo "EOF" >> $GITEA_OUTPUT
           else
+            echo ""
+            echo ">> Did not find any docker compose files to lint"
+
+            echo "----"
+
             echo "changes-detected=false" >> $GITEA_OUTPUT
           fi
 

.gitea/workflows/lint-test-helm.yaml

@@ -6,14 +6,12 @@ on:
       - main
     paths:
       - 'clusters/cl01tl/helm/**'
-      - '!hosts/**'
 
   push:
     branches:
       - main
     paths:
       - 'clusters/cl01tl/helm/**'
-      - '!hosts/**'
 
 env:
   CLUSTER: cl01tl
@@ -69,12 +67,11 @@ jobs:
           if [ "${{ github.event_name }}" == "pull_request" ]; then
             echo ""
             echo ">> Checking for changes in a pull request ..."
-            git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+"
+            GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u)
-            GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
           else
             echo ""
             echo ">> Checking for changes from a push ..."
-            GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
+            GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u)
           fi
 
           if [ -n "${GIT_DIFF}" ]; then
@@ -83,8 +80,12 @@ jobs:
             echo "$GIT_DIFF"
 
             for path in $GIT_DIFF; do
+              if echo "$path" | grep -q -E "clusters/[^/]+/helm/[^/]+"; then
+                echo ""
+                echo ">> Adding path: $path"
                 CHANGED_CHARTS+=$(echo "$path" | awk -F '/' '{print $4}')
-              CHANGED_CHARTS+=$(echo " ")
+                CHANGED_CHARTS+=$(echo "\n")
+              fi
             done
 
           else
@@ -105,6 +106,11 @@ jobs:
             echo "$(echo "${CHANGED_CHARTS}" | sort -u)" >> $GITEA_OUTPUT
             echo "EOF" >> $GITEA_OUTPUT
           else
+            echo ""
+            echo ">> Did not find any helm charts files to lint"
+
+            echo "----"
+
             echo "changes-detected=false" >> $GITEA_OUTPUT
           fi
 
@@ -118,7 +124,14 @@ jobs:
             helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo ">> Command: $cmd"
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then

.gitea/workflows/render-manifests-automerge.yaml

@@ -106,7 +106,13 @@ jobs:
             helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then
@@ -161,6 +167,10 @@ jobs:
 
               cd $chart_path
 
+              echo ""
+              echo ">> Updating helm dependency ..."
+              helm dependency update --skip-refresh
+
               echo ""
               echo ">> Building helm dependency ..."
               helm dependency build --skip-refresh

.gitea/workflows/render-manifests-dispatch.yaml

@@ -91,7 +91,13 @@ jobs:
             helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then
@@ -146,6 +152,10 @@ jobs:
 
               cd $chart_path
 
+              echo ""
+              echo ">> Updating helm dependency ..."
+              helm dependency update --skip-refresh
+
               echo ""
               echo ">> Building helm dependency ..."
               helm dependency build --skip-refresh

.gitea/workflows/render-manifests-merge.yaml

@@ -111,7 +111,13 @@ jobs:
             helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then
@@ -166,6 +172,10 @@ jobs:
 
               cd $chart_path
 
+              echo ""
+              echo ">> Updating helm dependency ..."
+              helm dependency update --skip-refresh
+
               echo ""
               echo ">> Building helm dependency ..."
               helm dependency build --skip-refresh

.gitea/workflows/render-manifests-push.yaml

@@ -109,7 +109,13 @@ jobs:
             helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then
@@ -164,6 +170,10 @@ jobs:
 
               cd $chart_path
 
+              echo ""
+              echo ">> Updating helm dependency ..."
+              helm dependency update --skip-refresh
+
               echo ""
               echo ">> Building helm dependency ..."
               helm dependency build --skip-refresh

clusters/cl01tl/helm/actual/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:926b8da839684072fd79954aff0c9852c2ff3b618b0fa35177bdec8e2dff4986
+- name: volsync-target
-generated: "2025-12-05T17:02:01.15162583Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.3.0
+digest: sha256:3763d6c5c0b45219235229aa1d72bfa426abd29aa8d92c1b1ca958b6afb3bfc8
+generated: "2025-12-15T17:43:51.908308-06:00"

clusters/cl01tl/helm/actual/Chart.yaml

@@ -17,5 +17,9 @@ dependencies:
     alias: actual
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.3.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
-appVersion: 25.11.0
+appVersion: 25.12.0

clusters/cl01tl/helm/actual/templates/external-secret.yaml

@@ -1,55 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: actual-data-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: actual-data-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/actual/actual-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/helm/actual/templates/replication-source.yaml

@@ -1,25 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: actual-data-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: actual-data-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: actual-data
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: actual-data-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/actual/values.yaml

@@ -54,3 +54,5 @@ actual:
           main:
             - path: /data
               readOnly: false
+volsync-target-data:
+  pvcTarget: actual-data

clusters/cl01tl/helm/argo-workflows/Chart.lock

@@ -7,6 +7,6 @@ dependencies:
   version: 2.4.19
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:d7a4a646857a3f9161d7590857fa18fc5d26861a5cf45e208dd7c2b86378ccb4
+digest: sha256:796a0f9ae054268c9a4e2752f29004b6547e5ee41e623b8506b531f6836b7313
-generated: "2025-12-10T16:01:53.661262327Z"
+generated: "2025-12-15T14:27:02.068848-06:00"

clusters/cl01tl/helm/argo-workflows/Chart.yaml

@@ -24,8 +24,8 @@ dependencies:
     version: 2.4.19
     repository: https://argoproj.github.io/argo-helm
   - name: postgres-cluster
-    alias: postgres-17-cluster
+    alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
-appVersion: v3.6.7
+appVersion: v3.7.6

clusters/cl01tl/helm/argo-workflows/templates/external-secret.yaml

@@ -31,10 +31,10 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argo-workflows-postgresql-17-cluster-backup-secret
+  name: argo-workflows-postgresql-18-cluster-backup-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: argo-workflows-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/name: argo-workflows-postgresql-18-cluster-backup-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -61,10 +61,10 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argo-workflows-postgresql-17-cluster-backup-secret-garage
+  name: argo-workflows-postgresql-18-cluster-backup-secret-garage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: argo-workflows-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/name: argo-workflows-postgresql-18-cluster-backup-secret-garage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:

clusters/cl01tl/helm/argo-workflows/values.yaml

@@ -9,15 +9,15 @@ argo-workflows:
       nodeStatusOffLoad: true
       archive: true
       postgresql:
-        host: argo-workflows-postgresql-17-cluster-rw
+        host: argo-workflows-postgresql-18-cluster-rw
         port: 5432
         database: app
         tableName: app
         userNameSecret:
-          name: argo-workflows-postgresql-17-cluster-app
+          name: argo-workflows-postgresql-18-cluster-app
           key: username
         passwordSecret:
-          name: argo-workflows-postgresql-17-cluster-app
+          name: argo-workflows-postgresql-18-cluster-app
           key: password
         ssl: false
         sslMode: disable
@@ -59,20 +59,6 @@ argo-workflows:
   useStaticCredentials: true
   artifactRepository:
     archiveLogs: false
-    s3: {}
-      # accessKeySecret:
-      #   name: "{{ .Release.Name }}-minio"
-      #   key: accesskey
-      # secretKeySecret:
-      #   name: "{{ .Release.Name }}-minio"
-      #   key: secretkey
-      # insecure: true
-      # bucket:
-      # endpoint:
-      # region:
-      # encryptionOptions:
-      #   enableEncryption: true
-
 argo-events:
   controller:
     resources:
@@ -89,59 +75,57 @@ argo-events:
       requests:
         cpu: 10m
         memory: 128Mi
-postgres-17-cluster:
+postgres-18-cluster:
   mode: recovery
   cluster:
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
-      destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
+      destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
       endpointURL: http://garage-main.garage:3900
       index: 1
-      endpointCredentials: argo-workflows-postgresql-17-cluster-backup-secret-garage
+      endpointCredentials: argo-workflows-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
-        destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
+        destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
         index: 1
         endpointURL: http://garage-main.garage:3900
-        endpointCredentials: argo-workflows-postgresql-17-cluster-backup-secret-garage
+        endpointCredentials: argo-workflows-postgresql-18-cluster-backup-secret-garage
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
-      #   destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
+      #   destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
       #   index: 1
       #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
-      #   endpointCredentials: argo-workflows-postgresql-17-cluster-backup-secret-garage
+      #   endpointCredentials: argo-workflows-postgresql-18-cluster-backup-secret-garage
       #   endpointCredentialsIncludeRegion: true
       #   retentionPolicy: "30d"
       #   data:
       #     compression: bzip2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
+      # - name: daily-backup
+      #   suspend: false
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
       # - name: weekly-backup
       #   suspend: true
+      #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote

clusters/cl01tl/helm/argocd/Chart.yaml

@@ -18,4 +18,4 @@ dependencies:
     version: 9.1.7
     repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
-appVersion: 3.0.0
+appVersion: v3.2.1

clusters/cl01tl/helm/argocd/values.yaml

@@ -25,6 +25,7 @@ argo-cd:
           id: authentik
     params:
       server.insecure: true
+      controller.diff.server.side: true
     rbac:
       policy.csv: |
         g, ArgoCD Admins, role:admin

clusters/cl01tl/helm/audiobookshelf/Chart.lock

@@ -2,5 +2,11 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:977ed15091e9ed30d647a626214701d22f3a8a5232a900e33f753cc7e090042f
+- name: volsync-target
-generated: "2025-12-05T17:02:13.674405673Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.3.0
+- name: volsync-target
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.3.0
+digest: sha256:88e0d8008795451a64f3a2e4fa4fc120d48cef4badb4305e8e60afbb494352c5
+generated: "2025-12-15T18:19:02.989735-06:00"

clusters/cl01tl/helm/audiobookshelf/Chart.yaml

@@ -19,5 +19,13 @@ dependencies:
     alias: audiobookshelf
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.3.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-metadata
+    version: 0.3.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
-appVersion: 2.21.0
+appVersion: 2.31.0

clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml

@@ -19,117 +19,3 @@ spec:
         key: /cl01tl/audiobookshelf/apprise
         metadataPolicy: None
         property: ntfy-url
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: audiobookshelf-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: audiobookshelf-metadata-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-metadata-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-metadata"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml

@@ -1,24 +1,5 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
-metadata:
-  name: audiobookshelf-nfs-storage-backup
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-nfs-storage-backup
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeMode: Filesystem
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
 metadata:
   name: audiobookshelf-nfs-storage
   namespace: {{ .Release.Namespace }}

clusters/cl01tl/helm/audiobookshelf/templates/replication-source.yaml

@@ -1,52 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: audiobookshelf-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: audiobookshelf-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: audiobookshelf-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: audiobookshelf-metadata-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-metadata-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: audiobookshelf-metadata
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: audiobookshelf-metadata-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/audiobookshelf/values.yaml

@@ -21,7 +21,7 @@ audiobookshelf:
         apprise-api:
           image:
             repository: caronc/apprise
-            tag: 1.2.6
+            tag: 1.3.0
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -59,6 +59,7 @@ audiobookshelf:
           protocol: HTTP
   persistence:
     config:
+      forceRename: audiobookshelf-config
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 2Gi
@@ -69,6 +70,7 @@ audiobookshelf:
             - path: /config
               readOnly: false
     metadata:
+      forceRename: audiobookshelf-metadata
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 10Gi
@@ -78,13 +80,6 @@ audiobookshelf:
           main:
             - path: /metadata
               readOnly: false
-    backup:
-      existingClaim: audiobookshelf-nfs-storage-backup
-      advancedMounts:
-        main:
-          main:
-            - path: /metadata/backups
-              readOnly: false
     audiobooks:
       existingClaim: audiobookshelf-nfs-storage
       advancedMounts:
@@ -92,3 +87,7 @@ audiobookshelf:
           main:
             - path: /mnt/store/
               readOnly: false
+volsync-target-config:
+  pvcTarget: audiobookshelf-config
+volsync-target-metadata:
+  pvcTarget: audiobookshelf-metadata

clusters/cl01tl/helm/authentik/Chart.lock

@@ -7,6 +7,9 @@ dependencies:
   version: 1.23.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:e6ea05d8bdb96164bc19da117078b5101f329ad5f1b461fa02f198bef45454f3
+- name: redis-replication
-generated: "2025-12-07T02:54:01.695741198Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:e593d25ebf07b1274768045f028e1ceeccbcdc1c8e35414d6bbd9a8d09086991
+generated: "2025-12-15T14:36:33.783343-06:00"

clusters/cl01tl/helm/authentik/Chart.yaml

@@ -28,8 +28,11 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 1.23.2
   - name: postgres-cluster
-    alias: postgres-17-cluster
+    alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
-appVersion: 2025.4.1
+appVersion: 2025.10.2

clusters/cl01tl/helm/authentik/templates/external-secret.yaml

@@ -47,10 +47,10 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: authentik-postgresql-17-cluster-backup-secret
+  name: authentik-postgresql-18-cluster-backup-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/name: authentik-postgresql-18-cluster-backup-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -77,10 +77,10 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: authentik-postgresql-17-cluster-backup-secret-garage
+  name: authentik-postgresql-18-cluster-backup-secret-garage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/name: authentik-postgresql-18-cluster-backup-secret-garage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:

clusters/cl01tl/helm/authentik/templates/redis-replication.yaml

@@ -1,32 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-authentik
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.0.3
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.48.0

clusters/cl01tl/helm/authentik/templates/service-monitor.yaml

@@ -1,19 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-authentik
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/authentik/values.yaml

@@ -9,22 +9,22 @@ authentik:
       - name: AUTHENTIK_POSTGRESQL__HOST
         valueFrom:
           secretKeyRef:
-            name: authentik-postgresql-17-cluster-app
+            name: authentik-postgresql-18-cluster-app
             key: host
       - name: AUTHENTIK_POSTGRESQL__NAME
         valueFrom:
           secretKeyRef:
-            name: authentik-postgresql-17-cluster-app
+            name: authentik-postgresql-18-cluster-app
             key: dbname
       - name: AUTHENTIK_POSTGRESQL__USER
         valueFrom:
           secretKeyRef:
-            name: authentik-postgresql-17-cluster-app
+            name: authentik-postgresql-18-cluster-app
             key: user
       - name: AUTHENTIK_POSTGRESQL__PASSWORD
         valueFrom:
           secretKeyRef:
-            name: authentik-postgresql-17-cluster-app
+            name: authentik-postgresql-18-cluster-app
             key: password
   authentik:
     redis:
@@ -50,59 +50,65 @@ authentik:
     enabled: false
 cloudflared:
   existingSecretName: authentik-cloudflared-secret
-postgres-17-cluster:
+postgres-18-cluster:
   mode: recovery
   cluster:
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
-      destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
+      destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-18-cluster
       endpointURL: http://garage-main.garage:3900
       index: 1
-      endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
+      endpointCredentials: authentik-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-17-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
-        destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
+        destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-18-cluster
         index: 1
         endpointURL: http://garage-main.garage:3900
-        endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
+        endpointCredentials: authentik-postgresql-18-cluster-backup-secret-garage
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
-      #   destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
+      #   destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-18-cluster
       #   index: 1
       #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
-      #   endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
+      #   endpointCredentials: authentik-postgresql-18-cluster-backup-secret-garage
       #   retentionPolicy: "30d"
       #   data:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
+      # - name: daily-backup
+      #   suspend: false
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
       # - name: weekly-backup
       #   suspend: false
+      #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+redis-replication:
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 3
+  redisSentinel:
+    enabled: true
+    clusterSize: 3

clusters/cl01tl/helm/backrest/Chart.lock

@@ -2,5 +2,11 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:6e6f20320a485b57288a6febae1b7623076059c370f88b7fbe92460fc4047db3
+- name: volsync-target
-generated: "2025-12-05T17:02:26.599646463Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.3.0
+- name: volsync-target
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.3.0
+digest: sha256:13c950ad5cd6accd192e6768557c0df74af2cd767d2372dc38c1cdb7e1563399
+generated: "2025-12-15T18:33:59.961957-06:00"

clusters/cl01tl/helm/backrest/Chart.yaml

@@ -17,5 +17,13 @@ dependencies:
     alias: backrest
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.3.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.3.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
 appVersion: v1.10.1

clusters/cl01tl/helm/backrest/values.yaml

@@ -35,6 +35,7 @@ backrest:
           protocol: TCP
   persistence:
     data:
+      forceRename: backrest-data
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 10Gi
@@ -45,6 +46,7 @@ backrest:
             - path: /data
               readOnly: false
     config:
+      forceRename: backrest-config
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 1Gi
@@ -82,3 +84,7 @@ backrest:
           main:
             - path: /mnt/share
               readOnly: true
+volsync-target-data:
+  pvcTarget: backrest-data
+volsync-target-config:
+  pvcTarget: backrest-config

clusters/cl01tl/helm/bazarr/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:54c88d51b4067dec5b22623957970b64092bf3f417fabb58277f6bc3e01eca20
+- name: volsync-target
-generated: "2025-12-05T17:02:40.843820962Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:cb702f316026bdb487ace1abec56cc3c505376cf14a45528e3e593e4cc7effab
+generated: "2025-12-15T19:04:05.574701-06:00"

clusters/cl01tl/helm/bazarr/Chart.yaml

@@ -19,5 +19,9 @@ dependencies:
     alias: bazarr
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
-appVersion: 1.5.2
+appVersion: 1.5.3

clusters/cl01tl/helm/bazarr/templates/external-secret.yaml

@@ -1,55 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: bazarr-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: bazarr-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/bazarr/bazarr-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/helm/bazarr/templates/replication-source.yaml

@@ -1,30 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: bazarr-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: bazarr-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: bazarr-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: bazarr-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    moverSecurityContext:
-      runAsUser: 1000
-      runAsGroup: 1000
-      fsGroup: 1000
-      fsGroupChangePolicy: OnRootMismatch
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/bazarr/values.yaml

@@ -15,7 +15,7 @@ bazarr:
         main:
           image:
             repository: ghcr.io/linuxserver/bazarr
-            tag: 1.5.3@sha256:4aa1e82d1e96ae712095d881b7e3840e6db6ca862c335be5b00001f31156650b
+            tag: 1.5.3@sha256:648f694532a3a53d8cf78bc888919ef538659bad41af4c680b0427ad1047d171
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -55,3 +55,10 @@ bazarr:
           main:
             - path: /mnt/store
               readOnly: false
+volsync-target-config:
+  pvcTarget: bazarr-config
+  moverSecurityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    fsGroupChangePolicy: OnRootMismatch

clusters/cl01tl/helm/blocky/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:b8516161886b87344848ad2b3bdafbd66da61ca8ffc5e9a5ebed462f205c9912
+- name: redis-replication
-generated: "2025-12-05T17:02:59.562863413Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:a7840240d52d7c66aa2e542132e32907dd0c48d3051eb15190a209215cbd4dce
+generated: "2025-12-15T20:06:31.995318697Z"

clusters/cl01tl/helm/blocky/Chart.yaml

@@ -17,5 +17,8 @@ dependencies:
     alias: blocky
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: redis-replication
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
-appVersion: v0.25
+appVersion: v0.28.2

clusters/cl01tl/helm/blocky/templates/redis-replication.yaml

@@ -1,32 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-blocky
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-blocky
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.0.3
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.48.0

clusters/cl01tl/helm/blocky/templates/service-monitor.yaml

@@ -17,24 +17,3 @@ spec:
       interval: 30s
       scrapeTimeout: 10s
       path: /metrics
-
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-blocky
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-blocky
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/blocky/values.yaml

@@ -129,10 +129,10 @@ blocky:
               huntarr                         IN      CNAME   traefik-cl01tl
               immich                          IN      CNAME   traefik-cl01tl
               jellyfin                        IN      CNAME   traefik-cl01tl
+              jellyfin-vue                    IN      CNAME   traefik-cl01tl
               jellystat                       IN      CNAME   traefik-cl01tl
               kiwix                           IN      CNAME   traefik-cl01tl
               komodo                          IN      CNAME   traefik-cl01tl
-              kronic                          IN      CNAME   traefik-cl01tl
               lidarr                          IN      CNAME   traefik-cl01tl
               lidatube                        IN      CNAME   traefik-cl01tl
               listenarr                       IN      CNAME   traefik-cl01tl
@@ -143,7 +143,6 @@ blocky:
               ollama                          IN      CNAME   traefik-cl01tl
               omni-tools                      IN      CNAME   traefik-cl01tl
               overseerr                       IN      CNAME   traefik-cl01tl
-              pgadmin                         IN      CNAME   traefik-cl01tl
               photoview                       IN      CNAME   traefik-cl01tl
               plex                            IN      CNAME   traefik-cl01tl
               postiz                          IN      CNAME   traefik-cl01tl
@@ -302,3 +301,10 @@ blocky:
               readOnly: true
               mountPropagation: None
               subPath: config.yml
+redis-replication:
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 3
+  redisSentinel:
+    enabled: false

clusters/cl01tl/helm/booklore/Chart.lock

@@ -5,5 +5,11 @@ dependencies:
 - name: mariadb-cluster
   repository: https://helm.mariadb.com/mariadb-operator
   version: 25.10.2
-digest: sha256:58d978bd46c61285b06acc6d9a40404d8059f2df7b953dea13c528b35350d0a8
+- name: volsync-target
-generated: "2025-12-05T17:03:15.7199669Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+- name: volsync-target
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:6981b2c060c19bac6517578bd9b5b11a300a4deb431110bf90da317237a4a252
+generated: "2025-12-15T19:15:49.886575-06:00"

clusters/cl01tl/helm/booklore/Chart.yaml

@@ -20,5 +20,13 @@ dependencies:
   - name: mariadb-cluster
     version: 25.10.2
     repository: https://helm.mariadb.com/mariadb-operator
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png
-appVersion: v.1.10.0
+appVersion: v1.13.2

clusters/cl01tl/helm/booklore/templates/external-secret.yaml

@@ -43,234 +43,6 @@ spec:
         metadataPolicy: None
         property: psk.txt
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_SECRET_ACCESS_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-data-backup-secret-local
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-secret-local
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-local
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-local
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_SECRET_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-data-backup-secret-remote
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-secret-remote
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-remote
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-remote
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_SECRET_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-data-backup-secret-external
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-secret-external
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_SECRET_ACCESS_KEY
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret

clusters/cl01tl/helm/booklore/templates/namespace.yaml

@@ -8,3 +8,6 @@ metadata:
     app.kubernetes.io/name: booklore
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/booklore/templates/replication-source.yaml

@@ -15,115 +15,3 @@ spec:
     keySecret: booklore-data-replication-secret
     address: volsync-rsync-tls-dst-booklore-data-replication-destination
     copyMethod: Snapshot
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-data-backup-source-local
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-source-local
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-data
-  trigger:
-    schedule: 0 2 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-data-backup-secret-local
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-data-backup-source-remote
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-source-remote
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-data
-  trigger:
-    schedule: 0 3 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-data-backup-secret-remote
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-data-backup-source-external
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-source-external
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-data
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-data-backup-secret-external
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi

clusters/cl01tl/helm/booklore/values.yaml

@@ -41,6 +41,7 @@ booklore:
           protocol: HTTP
   persistence:
     config:
+      forceRename: booklore-config
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
@@ -51,6 +52,7 @@ booklore:
             - path: /app/data
               readOnly: false
     data:
+      forceRename: booklore-data
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 10Gi
@@ -119,7 +121,8 @@ mariadb-cluster:
         suspend: false
         immediate: true
       compression: gzip
-      maxRetention: 720h
+      maxRetention: 2160h
+      successfulJobsHistoryLimit: 1
       storage:
         s3:
           bucket: mariadb-backups-b230a2f5aecf080a4b372c08
@@ -134,6 +137,28 @@ mariadb-cluster:
             key: secret
           tls:
             enabled: true
+    - name: backup-remote
+      schedule:
+        cron: "0 0 * * 0"
+        suspend: false
+        immediate: true
+      compression: gzip
+      maxRetention: 2160h
+      successfulJobsHistoryLimit: 1
+      storage:
+        s3:
+          bucket: mariadb-backups
+          prefix: cl01tl/booklore
+          endpoint: garage-ps10rp.boreal-beaufort.ts.net:3900
+          region: us-east-1
+          accessKeyIdSecretKeyRef:
+            name: booklore-mariadb-cluster-backup-secret-garage
+            key: access
+          secretAccessKeySecretKeyRef:
+            name: booklore-mariadb-cluster-backup-secret-garage
+            key: secret
+          tls:
+            enabled: true
     - name: backup-garage
       schedule:
         cron: "0 0 * * *"
@@ -141,6 +166,7 @@ mariadb-cluster:
         immediate: true
       compression: gzip
       maxRetention: 360h
+      successfulJobsHistoryLimit: 1
       storage:
         s3:
           bucket: mariadb-backups
@@ -153,3 +179,16 @@ mariadb-cluster:
           secretAccessKeySecretKeyRef:
             name: booklore-mariadb-cluster-backup-secret-garage
             key: secret
+volsync-target-config:
+  pvcTarget: booklore-config
+volsync-target-data:
+  pvcTarget: booklore-data
+  local:
+    restic:
+      cacheCapacity: 10Gi
+  remote:
+    restic:
+      cacheCapacity: 10Gi
+  external:
+    restic:
+      cacheCapacity: 10Gi

clusters/cl01tl/helm/cert-manager/Chart.yaml

@@ -17,4 +17,4 @@ dependencies:
     version: v1.19.2
     repository: https://charts.jetstack.io
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/cert-manager.png
-appVersion: v1.17.2
+appVersion: v1.19.2

clusters/cl01tl/helm/cilium/Chart.yaml

@@ -18,4 +18,4 @@ dependencies:
     version: 1.18.4
     repository: https://helm.cilium.io/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png
-appVersion: 1.17.3
+appVersion: 1.18.4

clusters/cl01tl/helm/cilium/values.yaml

@@ -55,6 +55,9 @@ cilium:
     metrics:
       serviceMonitor:
         enabled: true
+    tls:
+      auto:
+        method: cronJob
     relay:
       enabled: true
       metrics:

clusters/cl01tl/helm/cloudnative-pg/Chart.yaml

@@ -22,4 +22,4 @@ dependencies:
     version: 0.3.1
     repository: https://cloudnative-pg.io/charts/
 icon: https://avatars.githubusercontent.com/u/100373852?s=200&v=4
-appVersion: 1.26.0
+appVersion: 1.28.0

clusters/cl01tl/helm/code-server/Chart.lock

@@ -5,5 +5,8 @@ dependencies:
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 1.23.2
-digest: sha256:3cf78630cd7670e1157a87fc7ccbeca248ef4ced8a3170e69140ea3e1b0ff564
+- name: volsync-target
-generated: "2025-12-07T02:54:11.675097664Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:bd1cbd66ccb360978a342ee218bfb01006a486fb85c5714acd593b9e1389b151
+generated: "2025-12-15T21:50:58.968382-06:00"

clusters/cl01tl/helm/code-server/Chart.yaml

@@ -24,5 +24,9 @@ dependencies:
     alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 1.23.2
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
-appVersion: 4.100.2
+appVersion: 4.106.3

clusters/cl01tl/helm/code-server/templates/persistent-volume-claim.yaml

@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: code-server-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: code-server-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeMode: Filesystem
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi

clusters/cl01tl/helm/code-server/values.yaml

@@ -9,7 +9,7 @@ code-server:
         main:
           image:
             repository: ghcr.io/linuxserver/code-server
-            tag: 4.106.3@sha256:aab9520fe923b2d93dccc2c806f3dc60649c2f4a2847fcd40c942227d0f1ae8f
+            tag: 4.106.3@sha256:83793e4460090d6c46f4842ff6ab8aa26ad8a567885112bbe754b45c61935055
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -37,7 +37,11 @@ code-server:
           protocol: HTTP
   persistence:
     config:
-      existingClaim: code-server-nfs-storage
+      forceRename: code-server-config
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 2Gi
+      retain: true
       advancedMounts:
         main:
           main:
@@ -45,3 +49,10 @@ code-server:
               readOnly: false
 cloudflared:
   existingSecretName: code-server-cloudflared-secret
+volsync-target-config:
+  pvcTarget: code-server-config
+  moverSecurityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    fsGroupChangePolicy: OnRootMismatch

clusters/cl01tl/helm/coredns/Chart.yaml

@@ -18,4 +18,4 @@ dependencies:
     version: 1.45.0
     repository: https://coredns.github.io/helm
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/coredns.png
-appVersion: v1.12.1
+appVersion: v1.13.2

clusters/cl01tl/helm/descheduler/Chart.yaml

@@ -17,4 +17,4 @@ dependencies:
     version: 0.34.0
     repository: https://kubernetes-sigs.github.io/descheduler/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
-appVersion: 0.33.0
+appVersion: 0.34.0

clusters/cl01tl/helm/directus/Chart.lock

@@ -7,6 +7,9 @@ dependencies:
   version: 1.23.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:73ab37385c3d0ec2db83a3640bc03b08ddd06fd015e1b7138e49bc8c3be9382e
+- name: redis-replication
-generated: "2025-12-07T02:54:20.639142398Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:1035fe225f5439c73fdc8b498c2164bad362e0198bc2ad40eab6b5d0bae9f86d
+generated: "2025-12-15T14:37:45.474556-06:00"

clusters/cl01tl/helm/directus/Chart.yaml

@@ -26,8 +26,11 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 1.23.2
   - name: postgres-cluster
-    alias: postgres-17-cluster
+    alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
-appVersion: 11.7.2
+appVersion: 11.14.0

clusters/cl01tl/helm/directus/templates/external-secret.yaml

@@ -151,10 +151,10 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: directus-postgresql-17-cluster-backup-secret
+  name: directus-postgresql-18-cluster-backup-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/name: directus-postgresql-18-cluster-backup-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -181,40 +181,10 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: directus-postgresql-17-cluster-backup-secret-weekly
+  name: directus-postgresql-18-cluster-backup-secret-garage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret-weekly
+    app.kubernetes.io/name: directus-postgresql-18-cluster-backup-secret-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_SECRET_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-postgresql-17-cluster-backup-secret-garage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret-garage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:

clusters/cl01tl/helm/directus/templates/redis-replication.yaml

@@ -1,35 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-directus
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-directus
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.2.1
-    imagePullPolicy: IfNotPresent
-    redisSecret:
-      name: directus-redis-config
-      key: password
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.76.0

clusters/cl01tl/helm/directus/templates/redis-sentinel.yaml

@@ -1,30 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisSentinel
-metadata:
-  name: redis-sentinel-directus
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-sentinel-directus
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  redisSentinelConfig:
-    redisReplicationName: redis-replication-directus
-    redisReplicationPassword:
-      secretKeyRef:
-        name: directus-redis-config
-        key: password
-  kubernetesConfig:
-    image: quay.io/opstree/redis-sentinel:v7.0.15
-    imagePullPolicy: IfNotPresent
-    redisSecret:
-      name: directus-redis-config
-      key: password
-    resources:
-      requests:
-        cpu: 10m
-        memory: 128Mi

clusters/cl01tl/helm/directus/templates/service-monitor.yaml

@@ -20,24 +20,3 @@ spec:
       bearerTokenSecret:
         name: directus-metric-token
         key: metric-token
-
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-directus
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-directus
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/directus/values.yaml

@@ -41,27 +41,27 @@ directus:
             - name: DB_HOST
               valueFrom:
                 secretKeyRef:
-                  name: directus-postgresql-17-cluster-app
+                  name: directus-postgresql-18-cluster-app
                   key: host
             - name: DB_DATABASE
               valueFrom:
                 secretKeyRef:
-                  name: directus-postgresql-17-cluster-app
+                  name: directus-postgresql-18-cluster-app
                   key: dbname
             - name: DB_PORT
               valueFrom:
                 secretKeyRef:
-                  name: directus-postgresql-17-cluster-app
+                  name: directus-postgresql-18-cluster-app
                   key: port
             - name: DB_USER
               valueFrom:
                 secretKeyRef:
-                  name: directus-postgresql-17-cluster-app
+                  name: directus-postgresql-18-cluster-app
                   key: user
             - name: DB_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: directus-postgresql-17-cluster-app
+                  name: directus-postgresql-18-cluster-app
                   key: password
             - name: SYNCHRONIZATION_STORE
               value: redis
@@ -156,59 +156,67 @@ directus:
 cloudflared-directus:
   name: cloudflared-directus
   existingSecretName: directus-cloudflared-secret
-postgres-17-cluster:
+postgres-18-cluster:
   mode: recovery
   cluster:
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
-      destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-17-cluster
+      destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-18-cluster
       endpointURL: http://garage-main.garage:3900
       index: 1
-      endpointCredentials: directus-postgresql-17-cluster-backup-secret-garage
+      endpointCredentials: directus-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/directus/directus-postgresql-17-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
-        destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-17-cluster
+        destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-18-cluster
         index: 1
         endpointURL: http://garage-main.garage:3900
-        endpointCredentials: directus-postgresql-17-cluster-backup-secret-garage
+        endpointCredentials: directus-postgresql-18-cluster-backup-secret-garage
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/directus/directus-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
-      #   destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-17-cluster
+      #   destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-18-cluster
       #   index: 1
       #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
-      #   endpointCredentials: directus-postgresql-17-cluster-backup-secret-garage
+      #   endpointCredentials: directus-postgresql-18-cluster-backup-secret-garage
       #   retentionPolicy: "30d"
       #   data:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
+      # - name: daily-backup
+      #   suspend: false
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
       # - name: weekly-backup
       #   suspend: false
+      #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+redis-replication:
+  existingSecret:
+    enabled: true
+    name: directus-redis-config
+    key: password
+  redisReplication:
+    clusterSize: 3
+  redisSentinel:
+    enabled: true
+    clusterSize: 3

clusters/cl01tl/helm/elastic-operator/Chart.yaml

@@ -18,4 +18,4 @@ dependencies:
     version: 3.2.0
     repository: https://helm.elastic.co
 icon: https://helm.elastic.co/icons/eck.png
-appVersion: 1.26.0
+appVersion: v3.2.0

clusters/cl01tl/helm/element-web/Chart.yaml

@@ -24,4 +24,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 1.23.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
-appVersion: v1.11.100
+appVersion: v1.12.6

clusters/cl01tl/helm/ephemera/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:b08b2d3923734ba8844754727803a4b4e1de2ad418c3f755ccd64927266c1b5c
+- name: volsync-target
-generated: "2025-12-05T17:04:04.30013278Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.3.0
+digest: sha256:476021b852fbbd829570bcb88309eea92bd096cb4ec79efe2d895ee0c46f1c49
+generated: "2025-12-15T21:43:24.262051-06:00"

clusters/cl01tl/helm/ephemera/Chart.yaml

@@ -19,5 +19,9 @@ dependencies:
     alias: ephemera
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.3.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ephemera.png
 appVersion: 1.3.1

clusters/cl01tl/helm/ephemera/templates/external-secret.yaml

@@ -42,60 +42,3 @@ spec:
         key: /cl01tl/ephemera/config
         metadataPolicy: None
         property: ntfy-url
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: ephemera-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: ephemera-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/ephemera/ephemera-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/helm/ephemera/templates/replication-source.yaml

@@ -1,26 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: ephemera-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: ephemera-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: ephemera-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: ephemera-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi

clusters/cl01tl/helm/ephemera/values.yaml

@@ -52,7 +52,7 @@ ephemera:
         apprise-api:
           image:
             repository: caronc/apprise
-            tag: 1.2.6
+            tag: 1.3.0
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -82,6 +82,7 @@ ephemera:
           protocol: HTTP
   persistence:
     config:
+      forceRename: ephemera
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
@@ -105,3 +106,5 @@ ephemera:
           main:
             - path: /app/ingest
               readOnly: false
+volsync-target-config:
+  pvcTarget: ephemera

clusters/cl01tl/helm/eraser/Chart.yaml

@@ -17,4 +17,4 @@ dependencies:
     version: 1.4.1
     repository: https://eraser-dev.github.io/eraser/charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
-appVersion: v1.3.1
+appVersion: v1.4.1

clusters/cl01tl/helm/external-dns/Chart.yaml

@@ -19,4 +19,4 @@ dependencies:
     version: 1.19.0
     repository: https://kubernetes-sigs.github.io/external-dns/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
-appVersion: 1.16.1
+appVersion: v0.20.0

clusters/cl01tl/helm/external-secrets/Chart.yaml

@@ -15,4 +15,4 @@ dependencies:
     version: 1.1.1
     repository: https://charts.external-secrets.io
 icon: https://avatars.githubusercontent.com/u/68335991?s=48&v=4
-appVersion: 0.17.0
+appVersion: v1.1.1

clusters/cl01tl/helm/freshrss/Chart.lock

@@ -7,6 +7,9 @@ dependencies:
   version: 1.23.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:d4b26fd1608a0c767c6ebb226173cef133ed53f45098851713121e429bc614a1
+- name: volsync-target
-generated: "2025-12-07T02:54:39.594902963Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:80a27ffb18fd1a635f16e70b90c2395f2de300ed50d072a8b87353f1ec3304cb
+generated: "2025-12-15T21:47:10.578165-06:00"

clusters/cl01tl/helm/freshrss/Chart.yaml

@@ -26,8 +26,12 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 1.23.2
   - name: postgres-cluster
-    alias: postgres-17-cluster
+    alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/freshrss.png
-appVersion: 1.26.2
+appVersion: 1.27.1

clusters/cl01tl/helm/freshrss/templates/external-secret.yaml

@@ -98,67 +98,10 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: freshrss-data-backup-secret
+  name: freshrss-postgresql-18-cluster-backup-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: freshrss-data-backup-secret
+    app.kubernetes.io/name: freshrss-postgresql-18-cluster-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/freshrss/freshrss-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: freshrss-postgresql-17-cluster-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: freshrss-postgresql-17-cluster-backup-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -185,10 +128,10 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: freshrss-postgresql-17-cluster-backup-secret-garage
+  name: freshrss-postgresql-18-cluster-backup-secret-garage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: freshrss-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/name: freshrss-postgresql-18-cluster-backup-secret-garage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:

clusters/cl01tl/helm/freshrss/templates/replication-source.yaml

@@ -1,35 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: freshrss-data-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: freshrss-data-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: freshrss-data
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: freshrss-data-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    moverSecurityContext:
-      runAsUser: 568
-      runAsGroup: 568
-      fsGroup: 568
-      fsGroupChangePolicy: OnRootMismatch
-      supplementalGroups:
-        - 44
-        - 100
-        - 109
-        - 65539
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/freshrss/values.yaml

@@ -98,22 +98,22 @@ freshrss:
             - name: DB_HOST
               valueFrom:
                 secretKeyRef:
-                  name: freshrss-postgresql-17-cluster-app
+                  name: freshrss-postgresql-18-cluster-app
                   key: host
             - name: DB_BASE
               valueFrom:
                 secretKeyRef:
-                  name: freshrss-postgresql-17-cluster-app
+                  name: freshrss-postgresql-18-cluster-app
                   key: dbname
             - name: DB_USER
               valueFrom:
                 secretKeyRef:
-                  name: freshrss-postgresql-17-cluster-app
+                  name: freshrss-postgresql-18-cluster-app
                   key: user
             - name: DB_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: freshrss-postgresql-17-cluster-app
+                  name: freshrss-postgresql-18-cluster-app
                   key: password
             - name: FRESHRSS_INSTALL
               value: |
@@ -163,6 +163,7 @@ freshrss:
           protocol: HTTP
   persistence:
     data:
+      forceRename: freshrss-data
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
@@ -193,59 +194,69 @@ freshrss:
               readOnly: false
 cloudflared:
   existingSecretName: freshrss-cloudflared-secret
-postgres-17-cluster:
+postgres-18-cluster:
   mode: recovery
   cluster:
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
-      destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-17-cluster
+      destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-18-cluster
       endpointURL: http://garage-main.garage:3900
       index: 1
-      endpointCredentials: freshrss-postgresql-17-cluster-backup-secret-garage
+      endpointCredentials: freshrss-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/freshrss/freshrss-postgresql-17-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
-        destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-17-cluster
+        destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-18-cluster
         index: 1
         endpointURL: http://garage-main.garage:3900
-        endpointCredentials: freshrss-postgresql-17-cluster-backup-secret-garage
+        endpointCredentials: freshrss-postgresql-18-cluster-backup-secret-garage
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/freshrss/freshrss-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
-      #   destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-17-cluster
+      #   destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-18-cluster
       #   index: 1
       #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
-      #   endpointCredentials: freshrss-postgresql-17-cluster-backup-secret-garage
+      #   endpointCredentials: freshrss-postgresql-18-cluster-backup-secret-garage
       #   retentionPolicy: "30d"
       #   data:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: weekly-backup
+      # - name: daily-backup
       #   suspend: false
-      #   schedule: "0 2 4 * * SAT"
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
+      #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+volsync-target-data:
+  pvcTarget: freshrss-data
+  moverSecurityContext:
+    runAsUser: 568
+    runAsGroup: 568
+    fsGroup: 568
+    fsGroupChangePolicy: OnRootMismatch
+    supplementalGroups:
+      - 44
+      - 100
+      - 109
+      - 65539

clusters/cl01tl/helm/garage/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:36e920ce6efee3b33b40641652f814c888ae3c50272895ef286fb8236a010924
+- name: volsync-target
-generated: "2025-12-05T17:04:29.153093714Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:3d3469c5177b9501cbb34a5faf376fbe4d9b98bd033ad51ee51487a1c2f28d4e
+generated: "2025-12-15T22:10:00.495878-06:00"

clusters/cl01tl/helm/garage/Chart.yaml

@@ -18,5 +18,9 @@ dependencies:
     alias: garage
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-db
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 appVersion: v2.1.0

clusters/cl01tl/helm/garage/values.yaml

@@ -123,9 +123,10 @@ garage:
               mountPropagation: None
               subPath: garage.toml
     db:
+      forceRename: garage-db
       storageClass: ceph-block
       accessMode: ReadWriteOnce
-      size: 10Gi
+      size: 50Gi
       retain: true
       advancedMounts:
         main:
@@ -152,3 +153,12 @@ garage:
           main:
             - path: /var/lib/garage/snapshots
               readOnly: false
+volsync-target-db:
+  pvcTarget: garage-db
+  local:
+    enabled: false
+  remote:
+    restic:
+      cacheCapacity: 10Gi
+  external:
+    enabled: false

clusters/cl01tl/helm/gatus/Chart.lock

@@ -4,6 +4,9 @@ dependencies:
   version: 1.4.4
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:53e3b31b3fa3916ac4478c0ca3733a18f7145a0129b6a9c7aefdaf8169cb525c
+- name: volsync-target
-generated: "2025-12-04T00:00:45.882393108Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:367bfee3e6811bfd4591cf76f09a419f312007d797b83311e76c8d01318e73fe
+generated: "2025-12-15T22:11:48.014486-06:00"

clusters/cl01tl/helm/gatus/Chart.yaml

@@ -21,8 +21,12 @@ dependencies:
     repository: https://twin.github.io/helm-charts
     version: 1.4.4
   - name: postgres-cluster
-    alias: postgres-17-cluster
+    alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/gatus.png
-appVersion: v5.12.0
+appVersion: v5.33.0

clusters/cl01tl/helm/gatus/templates/external-secret.yaml

@@ -54,10 +54,10 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gatus-postgresql-17-cluster-backup-secret
+  name: gatus-postgresql-18-cluster-backup-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gatus-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/name: gatus-postgresql-18-cluster-backup-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -84,10 +84,10 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gatus-postgresql-17-cluster-backup-secret-garage
+  name: gatus-postgresql-18-cluster-backup-secret-garage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gatus-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/name: gatus-postgresql-18-cluster-backup-secret-garage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:

clusters/cl01tl/helm/gatus/values.yaml

@@ -36,27 +36,27 @@ gatus:
     POSTGRES_USER:
       valueFrom:
         secretKeyRef:
-          name: gatus-postgresql-17-cluster-app
+          name: gatus-postgresql-18-cluster-app
           key: username
     POSTGRES_PASSWORD:
       valueFrom:
         secretKeyRef:
-          name: gatus-postgresql-17-cluster-app
+          name: gatus-postgresql-18-cluster-app
           key: password
     POSTGRES_HOST:
       valueFrom:
         secretKeyRef:
-          name: gatus-postgresql-17-cluster-app
+          name: gatus-postgresql-18-cluster-app
           key: host
     POSTGRES_PORT:
       valueFrom:
         secretKeyRef:
-          name: gatus-postgresql-17-cluster-app
+          name: gatus-postgresql-18-cluster-app
           key: port
     POSTGRES_DB:
       valueFrom:
         secretKeyRef:
-          name: gatus-postgresql-17-cluster-app
+          name: gatus-postgresql-18-cluster-app
           key: dbname
   resources:
     requests:
@@ -122,6 +122,9 @@ gatus:
       - name: jellyfin
         url: https://jellyfin.alexlebens.net
         <<: *defaults
+      - name: jellyfin-vue
+        url: https://jellyfin-vue.alexlebens.net
+        <<: *defaults
       - name: overseerr
         url: https://overseerr.alexlebens.net
         <<: *defaults
@@ -182,11 +185,6 @@ gatus:
       - name: n8n
         url: https://n8n.alexlebens.net
         <<: *defaults
-      - name: kronic
-        url: https://kronic.alexlebens.net
-        <<: *defaults
-        conditions:
-          - "[STATUS] == 401"
       - name: omni-tools
         url: https://omni-tools.alexlebens.net
         <<: *defaults
@@ -259,9 +257,6 @@ gatus:
       - name: garage
         url: https://garage-webui.alexlebens.net
         <<: *defaults
-      - name: pgadmin
-        url: https://pgadmin.alexlebens.net
-        <<: *defaults
       - name: whodb
         url: https://whodb.alexlebens.net
         <<: *defaults
@@ -378,59 +373,59 @@ gatus:
         url: https://home.alexlebens.dev
         <<: *defaults
         group: external
-postgres-17-cluster:
+postgres-18-cluster:
   mode: recovery
   cluster:
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
-      destinationPath: s3://postgres-backups/cl01tl/gatus/gatus-postgresql-17-cluster
+      destinationPath: s3://postgres-backups/cl01tl/gatus/gatus-postgresql-18-cluster
       endpointURL: http://garage-main.garage:3900
       index: 1
-      endpointCredentials: gatus-postgresql-17-cluster-backup-secret-garage
+      endpointCredentials: gatus-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gatus/gatus-postgresql-17-cluster
-        index: 2
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
-        destinationPath: s3://postgres-backups/cl01tl/gatus/gatus-postgresql-17-cluster
+        destinationPath: s3://postgres-backups/cl01tl/gatus/gatus-postgresql-18-cluster
         index: 1
         endpointURL: http://garage-main.garage:3900
-        endpointCredentials: gatus-postgresql-17-cluster-backup-secret-garage
+        endpointCredentials: gatus-postgresql-18-cluster-backup-secret-garage
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gatus/gatus-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
-      #   destinationPath: s3://postgres-backups/cl01tl/gatus/gatus-postgresql-17-cluster
+      #   destinationPath: s3://postgres-backups/cl01tl/gatus/gatus-postgresql-18-cluster
       #   index: 1
       #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
-      #   endpointCredentials: gatus-postgresql-17-cluster-backup-secret-garage
+      #   endpointCredentials: gatus-postgresql-18-cluster-backup-secret-garage
       #   retentionPolicy: "30d"
       #   data:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: weekly-backup
+      # - name: daily-backup
       #   suspend: false
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+volsync-target-data:
+  pvcTarget: gatus

clusters/cl01tl/helm/generic-device-plugin/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: generic-device-plugin
   repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-  version: 0.20.5
+  version: 0.20.8
-digest: sha256:329b2d00301ab1467a8654dd92febfd7078db121c00c0960548010c01dee66b6
+digest: sha256:166bd29d6e7c70d6a5ffae32b6a140535bc08211140b40cadd93596aa8f4be5f
-generated: "2025-12-08T03:02:06.697075532Z"
+generated: "2025-12-16T18:01:57.978660845Z"

clusters/cl01tl/helm/generic-device-plugin/Chart.yaml

@@ -15,6 +15,6 @@ maintainers:
 dependencies:
   - name: generic-device-plugin
     repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-    version: 0.20.5
+    version: 0.20.8
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 appVersion: 1.0.0

clusters/cl01tl/helm/gitea/Chart.lock

@@ -5,17 +5,20 @@ dependencies:
 - name: gitea-actions
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.2.1
-- name: app-template
-  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.5.0
 - name: meilisearch
   repository: https://meilisearch.github.io/meilisearch-kubernetes
-  version: 0.17.2
+  version: 0.18.0
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 1.23.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:392636c97a9be96f21c70f9b53559398aa15e67a0cae551041ee64f23088b59a
+- name: redis-replication
-generated: "2025-12-07T02:54:49.861996743Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+- name: redis-replication
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:6ba40bb2558ce298d05c6330d3eb34a6beae2b22f9c100649d6bba11efc5092d
+generated: "2025-12-15T23:46:50.99338-06:00"

clusters/cl01tl/helm/gitea/Chart.yaml

@@ -31,20 +31,28 @@ dependencies:
   - name: gitea-actions
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 0.2.1
-  - name: app-template
-    alias: backup
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.5.0
   - name: meilisearch
-    version: 0.17.2
+    version: 0.18.0
     repository: https://meilisearch.github.io/meilisearch-kubernetes
   - name: cloudflared
     alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 1.23.2
   - name: postgres-cluster
-    alias: postgres-17-cluster
+    alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
     repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    alias: redis-replication-gitea
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    alias: redis-replication-renovate
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  # - name: volsync-target
+  #   alias: volsync-target-storage
+  #   version: 0.5.0
+  #   repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/gitea.png
-appVersion: 1.23.7
+appVersion: 1.25.2

clusters/cl01tl/helm/gitea/templates/external-secret.yaml

@@ -168,36 +168,6 @@ spec:
         metadataPolicy: None
         property: id_rsa.pub
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-s3cmd-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-s3cmd-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: .s3cfg
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/gitea-backup
-        metadataPolicy: None
-        property: s3cfg
-    - secretKey: BUCKET
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/gitea-backup
-        metadataPolicy: None
-        property: BUCKET
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -254,10 +224,10 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gitea-postgresql-17-cluster-backup-secret
+  name: gitea-postgresql-18-cluster-backup-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gitea-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/name: gitea-postgresql-18-cluster-backup-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -284,10 +254,10 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gitea-postgresql-17-cluster-backup-secret-garage
+  name: gitea-postgresql-18-cluster-backup-secret-garage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gitea-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/name: gitea-postgresql-18-cluster-backup-secret-garage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:

clusters/cl01tl/helm/gitea/templates/persistent-volume-claim.yaml

@@ -1,24 +1,5 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
-metadata:
-  name: gitea-nfs-storage-backup
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-nfs-storage-backup
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeMode: Filesystem
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
 metadata:
   name: gitea-themes-storage
   namespace: {{ .Release.Namespace }}
@@ -28,9 +9,9 @@ metadata:
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   volumeMode: Filesystem
-  storageClassName: nfs-client
+  storageClassName: ceph-filesystem
   accessModes:
-    - ReadWriteOnce
+    - ReadWriteMany
   resources:
     requests:
       storage: 1Gi

clusters/cl01tl/helm/gitea/templates/redis-replication.yaml

@@ -1,66 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-gitea
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.0.3
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 10Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.48.0
-
----
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-renovate
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-renovate
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.0.3
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.48.0

clusters/cl01tl/helm/gitea/templates/role-binding.yaml

@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: gitea-backup
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-backup
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: gitea-backup
-subjects:
-  - kind: ServiceAccount
-    name: gitea-backup
-    namespace: {{ .Release.Namespace }}

clusters/cl01tl/helm/gitea/templates/role.yaml

@@ -1,25 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: gitea-backup
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-backup
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-      - pods/exec
-    verbs:
-      - create
-      - list
-  - apiGroups:
-      - apps
-    resources:
-      - deployments
-    verbs:
-      - get
-      - list

clusters/cl01tl/helm/gitea/templates/service-monitor.yaml

@@ -14,24 +14,3 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
   endpoints:
     - port: http
-
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-gitea
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/gitea/values.yaml

@@ -22,9 +22,6 @@ gitea:
     accessModes:
       - ReadWriteMany
   extraVolumes:
-    - name: gitea-nfs-storage-backup
-      persistentVolumeClaim:
-        claimName: gitea-nfs-storage-backup
     - name: gitea-themes-storage
       persistentVolumeClaim:
         claimName: gitea-themes-storage
@@ -33,9 +30,6 @@ gitea:
       readOnly: false
       mountPath: /data/gitea/public/assets/css
   extraContainerVolumeMounts:
-    - mountPath: /opt/backup
-      name: gitea-nfs-storage-backup
-      readOnly: false
     - name: gitea-themes-storage
       readOnly: true
       mountPath: /data/gitea/public/assets/css
@@ -108,22 +102,22 @@ gitea:
       - name: GITEA__DATABASE__HOST
         valueFrom:
           secretKeyRef:
-            name: gitea-postgresql-17-cluster-app
+            name: gitea-postgresql-18-cluster-app
             key: host
       - name: GITEA__DATABASE__NAME
         valueFrom:
           secretKeyRef:
-            name: gitea-postgresql-17-cluster-app
+            name: gitea-postgresql-18-cluster-app
             key: dbname
       - name: GITEA__DATABASE__USER
         valueFrom:
           secretKeyRef:
-            name: gitea-postgresql-17-cluster-app
+            name: gitea-postgresql-18-cluster-app
             key: user
       - name: GITEA__DATABASE__PASSWD
         valueFrom:
           secretKeyRef:
-            name: gitea-postgresql-17-cluster-app
+            name: gitea-postgresql-18-cluster-app
             key: password
       - name: GITEA__INDEXER__ISSUE_INDEXER_CONN_STR
         valueFrom:
@@ -171,135 +165,6 @@ gitea-actions:
   existingSecret: gitea-runner-secret
   existingSecretKey: token
   giteaRootURL: http://gitea-http.gitea:3000
-backup:
-  global:
-    fullnameOverride: gitea-backup
-    labels:
-      app.kubernetes.io/instance: gitea-backup
-      app.kubernetes.io/name: gitea-backup
-  controllers:
-    backup:
-      type: cronjob
-      cronjob:
-        suspend: false
-        concurrencyPolicy: Forbid
-        timeZone: US/Central
-        schedule: 0 4 */2 * *
-        startingDeadlineSeconds: 90
-        successfulJobsHistory: 3
-        failedJobsHistory: 3
-        backoffLimit: 3
-        parallelism: 1
-      serviceAccount:
-        name: gitea-backup
-      pod:
-        automountServiceAccountToken: true
-        labels:
-          app.kubernetes.io/instance: gitea-backup
-          app.kubernetes.io/name: gitea-backup
-      initContainers:
-        backup:
-          image:
-            repository: bitnami/kubectl
-            tag: latest
-            pullPolicy: IfNotPresent
-          command:
-            - sh
-          args:
-            - -ec
-            - |
-              kubectl exec -it deploy/gitea -n gitea -- rm -f /opt/backup/gitea-backup.zip;
-              kubectl exec -it deploy/gitea -n gitea -- /app/gitea/gitea dump -c /data/gitea/conf/app.ini --file /opt/backup/gitea-backup.zip;
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-      containers:
-        s3-backup:
-          image:
-            repository: d3fk/s3cmd
-            tag: latest@sha256:a4ef406e37628ee56e608b1567aeb0345e51142f56741b715322111be3b6ebcc
-            pullPolicy: IfNotPresent
-          command:
-            - /bin/sh
-          args:
-            - -ec
-            - |
-              echo ">> Running S3 backup for Gitea"
-              s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/gitea-backup.zip ${BUCKET}/cl01tl/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
-              mv /opt/backup/gitea-backup.zip /opt/backup/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
-              echo ">> Completed S3 backup for Gitea"
-          env:
-            - name: BUCKET
-              valueFrom:
-                secretKeyRef:
-                  name: gitea-s3cmd-config
-                  key: BUCKET
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-        s3-prune:
-          image:
-            repository: d3fk/s3cmd
-            tag: latest@sha256:a4ef406e37628ee56e608b1567aeb0345e51142f56741b715322111be3b6ebcc
-            pullPolicy: IfNotPresent
-          command:
-            - /bin/sh
-          args:
-            - -ec
-            - |
-              export DATE_RANGE=$(date -d @$(( $(date +%s) - 604800 )) +%Y%m%d);
-              export FILE_MATCH="$BUCKET/cl01tl/gitea-backup-$DATE_RANGE-09-00.zip"
-              echo ">> Running S3 prune for Gitea backup repository"
-              echo ">> Backups prior to '$DATE_RANGE' will be removed"
-              echo ">> Backups to be removed:"
-              s3cmd ls ${BUCKET}/cl01tl/ |
-                awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}'
-              echo ">> Deleting ..."
-              s3cmd ls ${BUCKET}/cl01tl/ |
-                awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}' |
-                while read file; do
-                  s3cmd del "$file";
-                done;
-              echo ">> Completed S3 prune for Gitea backup repository"
-          env:
-            - name: BUCKET
-              valueFrom:
-                secretKeyRef:
-                  name: gitea-s3cmd-config
-                  key: BUCKET
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-  serviceAccount:
-    gitea-backup:
-      enabled: true
-  persistence:
-    config:
-      existingClaim: gitea-nfs-storage-backup
-      advancedMounts:
-        backup:
-          s3-backup:
-            - path: /opt/backup
-              readOnly: false
-    s3cmd-config:
-      enabled: true
-      type: secret
-      name: gitea-s3cmd-config
-      advancedMounts:
-        backup:
-          s3-backup:
-            - path: /root/.s3cfg
-              readOnly: true
-              mountPropagation: None
-              subPath: .s3cfg
-          s3-prune:
-            - path: /root/.s3cfg
-              readOnly: true
-              mountPropagation: None
-              subPath: .s3cfg
 meilisearch:
   environment:
     MEILI_NO_ANALYTICS: true
@@ -322,17 +187,13 @@ meilisearch:
     enabled: true
 cloudflared:
   existingSecretName: gitea-cloudflared-secret
-postgres-17-cluster:
+postgres-18-cluster:
   mode: recovery
   cluster:
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
     resources:
       requests:
         memory: 1Gi
@@ -340,45 +201,95 @@ postgres-17-cluster:
   recovery:
     method: objectStore
     objectStore:
-      destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-17-cluster
+      destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-18-cluster
       endpointURL: http://garage-main.garage:3900
       index: 1
-      endpointCredentials: gitea-postgresql-17-cluster-backup-secret-garage
+      endpointCredentials: gitea-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-17-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
-        destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-17-cluster
+        destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-18-cluster
         index: 1
         endpointURL: http://garage-main.garage:3900
-        endpointCredentials: gitea-postgresql-17-cluster-backup-secret-garage
+        endpointCredentials: gitea-postgresql-18-cluster-backup-secret-garage
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
-      #   destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-17-cluster
+      #   destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-18-cluster
       #   index: 1
       #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
-      #   endpointCredentials: gitea-postgresql-17-cluster-backup-secret-garage
+      #   endpointCredentials: gitea-postgresql-18-cluster-backup-secret-garage
       #   retentionPolicy: "30d"
       #   data:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: weekly-backup
+      # - name: daily-backup
       #   suspend: false
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+redis-replication-gitea:
+  replicationNameOverride: redis-replication-gitea
+  sentinelNameOverride: redis-sentinel-gitea
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 3
+    resources:
+      requests:
+        cpu: 20m
+        memory: 400Mi
+    volumeClaimTemplate:
+      spec:
+        resources:
+          requests:
+            storage: 10Gi
+  redisSentinel:
+    enabled: true
+    clusterSize: 3
+redis-replication-renovate:
+  replicationNameOverride: redis-replication-renovate
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 1
+  redisSentinel:
+    enabled: false
+volsync-target-storage:
+  pvcTarget: gitea-shared-storage
+  local:
+    enabled: true
+    schedule: 0 0 0 * * *
+    restic:
+      pruneIntervalDays: 3
+      retain:
+        hourly: 1
+        daily: 1
+        weekly: 3
+        monthly: 0
+        yearly: 0
+      copyMethod: Snapshot
+      storageClassName: ceph-filesystem
+      volumeSnapshotClassName: ceph-filesystem
+      cacheCapacity: 40Gi
+  external:
+    enabled: false
+  remote:
+    enabled: false

clusters/cl01tl/helm/grafana-operator/Chart.lock

@@ -4,6 +4,12 @@ dependencies:
   version: v5.20.0
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:3bd7096e4401df5818733b3e0b08f281c12af9b54a272fbe3e753b2616d725dd
+- name: redis-replication
-generated: "2025-12-04T00:01:28.278027037Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+- name: redis-replication
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:7089382a69a87a15afef83277e5b59a59b192a734c402384a61e4c65319f4891
+generated: "2025-12-15T15:30:54.939003-06:00"

clusters/cl01tl/helm/grafana-operator/Chart.yaml

@@ -20,8 +20,16 @@ dependencies:
     version: v5.20.0
     repository: https://grafana.github.io/helm-charts
   - name: postgres-cluster
-    alias: postgres-17-cluster
+    alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    alias: redis-replication-unified-alerting
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    alias: redis-replication-remote-cache
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/grafana.png
-appVersion: v5.18.0
+appVersion: v5.20.0