Update docker.io/postgres Docker tag to v18

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [postgres-cluster](https://github.com/cloudnative-pg/cloudnative-pg) | patch | `6.16.0` -> `6.16.1` |

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi41LjAiLCJ1cGRhdGVkSW5WZXIiOiI0Mi41LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImF1dG9tZXJnZSIsImltYWdlIl19-->

Reviewed-on: #2237
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

.gitea/workflows/lint-test-docker-pull.yaml

@@ -1,87 +0,0 @@
-name: lint-test-docker
-
-on:
-  pull_request:
-    branches:
-      - main
-    paths:
-      - 'hosts/**'
-      - ! 'hosts/archive'
-
-jobs:
-  docker-lint:
-    runs-on: ubuntu-js
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Check Branch Exists
-        id: check-branch-exists
-        uses: GuillaumeFalourd/branch-exists@v1.1
-        with:
-          branch: "${{ github.base_ref }}"
-
-      - name: Branch Does Not Exist
-        if: steps.check-branch-exists.outputs.exists == 'false'
-        run: echo "Branch ${{ github.base_ref }} was not found, likely already merged"
-
-      - name: Set up Node.js
-        if: steps.check-branch-exists.outputs.exists == 'true'
-        uses: actions/setup-node@v6
-        with:
-          node-version: '24'
-
-      - name: Lint Docker Compose
-        if: steps.check-branch-exists.outputs.exists == 'true'
-        run: |
-          set -e  # Exit immediately if a command exits with a non-zero status.
-
-          TARGET_BRANCH="origin/${{ github.base_ref }}"
-          echo ">> Target branch for diff is: $TARGET_BRANCH"
-
-          CHANGED_FILES=$(git diff --name-only "$TARGET_BRANCH" -- 'hosts/**')
-
-          echo ">> Found changed files:"
-          echo "$CHANGED_FILES"
-
-          # For each changed file, find its parent chart directory (the one with compose.yaml).
-          # Then, create a unique list of those directories.
-          CHANGED_COMPOSE=$(echo "$CHANGED_FILES" | while read -r file; do
-            dir=$(dirname "$file")
-            while [[ "$dir" != "." && ! -f "$dir/compose.yaml" ]]; do
-              dir=$(dirname "$dir")
-            done
-            if [[ "$dir" != "." ]]; then
-              echo "$dir"
-            fi
-          done | sort -u)
-
-          if [[ -z "$CHANGED_COMPOSE" ]]; then
-            echo ">> Could not determine changed compose files. This will happen if only files outside a compose file were changed."
-            exit 0
-          fi
-
-          echo ">> Running dclint on changed compose files:"
-          echo "$CHANGED_COMPOSE"
-
-          echo "$CHANGED_COMPOSE" | while read -r compose; do
-            echo ">> Linting $compose ..."
-            npx dclint $compose
-          done
-
-      - name: ntfy Failed
-        uses: niniyas/ntfy-action@master
-        if: failure()
-        with:
-          url: '${{ secrets.NTFY_URL }}'
-          topic: '${{ secrets.NTFY_TOPIC }}'
-          title: 'Test Failure - Infrastructure'
-          priority: 3
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,failed
-          details: 'Docker linting on Pull Request for Infrastructure has failed!'
-          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-docker-pull.yaml", "clear": true}]'
-          image: true

.gitea/workflows/lint-test-docker-push.yaml

@@ -1,75 +0,0 @@
-name: lint-test-docker
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - 'hosts/**'
-      - ! 'hosts/archive'
-
-jobs:
-  docker-lint:
-    runs-on: ubuntu-js
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: '24'
-
-      - name: Lint Docker Compose
-        run: |
-          set -e  # Exit immediately if a command exits with a non-zero status.
-
-          TARGET_BRANCH="origin/main"
-          echo ">> Target branch for diff is: $TARGET_BRANCH"
-
-          CHANGED_FILES=$(git diff --name-only "$TARGET_BRANCH" -- 'hosts/**')
-
-          echo ">> Found changed files:"
-          echo "$CHANGED_FILES"
-
-          # For each changed file, find its parent chart directory (the one with compose.yaml).
-          # Then, create a unique list of those directories.
-          CHANGED_COMPOSE=$(echo "$CHANGED_FILES" | while read -r file; do
-            dir=$(dirname "$file")
-            while [[ "$dir" != "." && ! -f "$dir/compose.yaml" ]]; do
-              dir=$(dirname "$dir")
-            done
-            if [[ "$dir" != "." ]]; then
-              echo "$dir"
-            fi
-          done | sort -u)
-
-          if [[ -z "$CHANGED_COMPOSE" ]]; then
-            echo ">> Could not determine changed compose files. This will happen if only files outside a compose file were changed."
-            exit 0
-          fi
-
-          echo ">> Running dclint on changed compose files:"
-          echo "$CHANGED_COMPOSE"
-
-          echo "$CHANGED_COMPOSE" | while read -r compose; do
-            echo ">> Linting $compose ..."
-            npx dclint $compose
-          done
-
-      - name: ntfy Failed
-        uses: niniyas/ntfy-action@master
-        if: failure()
-        with:
-          url: '${{ secrets.NTFY_URL }}'
-          topic: '${{ secrets.NTFY_TOPIC }}'
-          title: 'Test Failure - Infrastructure'
-          priority: 4
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,failed
-          details: 'Docker linting on Push for Infrastructure has failed!'
-          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-docker-push.yaml", "clear": true}]'
-          image: true

.gitea/workflows/lint-test-docker.yaml

@@ -0,0 +1,125 @@
+name: lint-test-docker
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'hosts/**'
+
+  push:
+    branches:
+      - main
+    paths:
+      - 'hosts/**'
+
+env:
+  BASE_BRANCH: "origin/${{ gitea.base_ref }}"
+
+jobs:
+  lint-docker-compose:
+    runs-on: ubuntu-js
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Check Branch Exists
+        id: check-branch-exists
+        if: github.event_name == 'pull_request'
+        uses: GuillaumeFalourd/branch-exists@v1.1
+        with:
+          branch: "${{ github.base_ref }}"
+
+      - name: Report Branch Exists
+        id: branch-exists
+        if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request'
+        run: |
+          echo ">> Branch ${{ gitea.base_ref }} exists, will continue with linting"
+
+          echo "----"
+
+          echo "exists=true" >> $GITEA_OUTPUT
+
+      - name: Set up Node.js
+        if: steps.check-branch-exists.outputs.exists == 'true'
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+
+      - name: Check Directories for Changes
+        id: check-dir-changes
+        if: steps.branch-exists.outputs.exists == 'true'
+        run: |
+          CHANGED_COMPOSE=()
+
+          echo ">> Target branch for diff is: ${BASE_BRANCH}"
+
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
+            echo ""
+            echo ">> Checking for changes in a pull request ..."
+            GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u | grep -E "hosts/[^/]+/[^/]+")
+          else
+            echo ""
+            echo ">> Checking for changes from a push ..."
+            GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep -E "hosts/[^/]+/[^/]+")
+          fi
+
+          if [ -n "${GIT_DIFF}" ]; then
+            echo ""
+            echo ">> Changes detected:"
+            echo "$GIT_DIFF"
+
+            for path in $GIT_DIFF; do
+              CHANGED_COMPOSE+=$(echo "$path")
+            done
+
+          else
+            echo ""
+            echo ">> No changes detected"
+
+          fi
+
+          if [ -n "${CHANGED_COMPOSE}" ]; then
+            echo ""
+            echo ">> Compose to Lint:"
+            echo "$(echo "${CHANGED_COMPOSE[@]}" | sort -u)"
+
+            echo "----"
+
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+            echo "compose-dir<<EOF" >> $GITEA_OUTPUT
+            echo "$(echo "${CHANGED_COMPOSE[@]}" | sort -u)" >> $GITEA_OUTPUT
+            echo "EOF" >> $GITEA_OUTPUT
+          else
+            echo "changes-detected=false" >> $GITEA_OUTPUT
+          fi
+
+      - name: Lint Docker Compose
+        if: steps.check-branch-exists.outputs.exists == 'true'
+        env:
+          CHANGED_COMPOSE: ${{ steps.check-dir-changes.outputs.compose-dir }}
+        run: |
+          echo ">> Running dclint on changed compose files:"
+          echo "$CHANGED_COMPOSE"
+
+          echo "$CHANGED_COMPOSE" | while read -r compose; do
+            echo ">> Linting $compose ..."
+            npx dclint $compose
+          done
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Test Failure - Infrastructure'
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: 'Docker linting on Pull Request for Infrastructure has failed!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-docker-pull.yaml", "clear": true}]'
+          image: true

.gitea/workflows/lint-test-helm-pull.yaml

@@ -1,90 +0,0 @@
-name: lint-test-helm
-
-on:
-  pull_request:
-    branches:
-      - main
-    paths:
-      - 'clusters/**'
-      - ! 'clusters/*/archive'
-
-jobs:
-  helm-lint:
-    runs-on: ubuntu-js
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Check Branch Exists
-        id: check-branch-exists
-        uses: GuillaumeFalourd/branch-exists@v1.1
-        with:
-          branch: ${{ github.base_ref }}
-
-      - name: Branch Does Not Exist
-        if: steps.check-branch-exists.outputs.exists == 'false'
-        run: echo "Branch ${{ github.base_ref }} was not found, likely already merged"
-
-      - name: Set up Helm
-        if: steps.check-branch-exists.outputs.exists == 'true'
-        uses: azure/setup-helm@v4
-        with:
-          token: ${{ secrets.GITEA_TOKEN }}
-          version: latest
-
-      - name: Lint Helm Chart
-        if: steps.check-branch-exists.outputs.exists == 'true'
-        run: |
-          set -e  # Exit immediately if a command exits with a non-zero status.
-
-          TARGET_BRANCH="origin/${{ github.base_ref }}"
-          echo ">> Target branch for diff is: $TARGET_BRANCH"
-
-          CHANGED_FILES=$(git diff --name-only "$TARGET_BRANCH" -- 'clusters/**')
-
-          echo ">> Found changed files:"
-          echo "$CHANGED_FILES"
-
-          # For each changed file, find its parent chart directory (the one with Chart.yaml).
-          # Then, create a unique list of those directories.
-          CHANGED_CHARTS=$(echo "$CHANGED_FILES" | while read -r file; do
-            dir=$(dirname "$file")
-            while [[ "$dir" != "." && ! -f "$dir/Chart.yaml" ]]; do
-              dir=$(dirname "$dir")
-            done
-            if [[ "$dir" != "." ]]; then
-              echo "$dir"
-            fi
-          done | sort -u)
-
-          if [[ -z "$CHANGED_CHARTS" ]]; then
-            echo ">> Could not determine changed charts. This could happen if only files outside a chart were changed."
-            exit 0
-          fi
-
-          echo ">> Running helm lint on changed charts:"
-          echo "$CHANGED_CHARTS"
-
-          echo "$CHANGED_CHARTS" | while read -r chart; do
-            echo ">> Building dependency for "$chart" ..."
-            helm dependency build "$chart"
-            echo ">> Linting $chart..."
-            helm lint "$chart"
-          done
-
-      - name: ntfy Failed
-        uses: niniyas/ntfy-action@master
-        if: failure()
-        with:
-          url: '${{ secrets.NTFY_URL }}'
-          topic: '${{ secrets.NTFY_TOPIC }}'
-          title: 'Test Failure - Infrastructure'
-          priority: 3
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,failed
-          details: 'Helm linting on Pull Request for Infrastructure has failed!'
-          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-helm-pull.yaml", "clear": true}]'
-          image: true

.gitea/workflows/lint-test-helm-push.yaml

@@ -1,78 +0,0 @@
-name: lint-test-helm
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - 'clusters/**'
-      - ! 'clusters/*/archive'
-
-jobs:
-  helm-lint:
-    runs-on: ubuntu-js
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v4
-        with:
-          token: ${{ secrets.GITEA_TOKEN }}
-          version: latest
-
-      - name: Lint Helm Chart
-        run: |
-          set -e  # Exit immediately if a command exits with a non-zero status.
-
-          TARGET_BRANCH="origin/main"
-          echo ">> Target branch for diff is: $TARGET_BRANCH"
-
-          CHANGED_FILES=$(git diff --name-only "$TARGET_BRANCH" -- 'clusters/**')
-
-          echo ">> Found changed files:"
-          echo "$CHANGED_FILES"
-
-          # For each changed file, find its parent chart directory (the one with Chart.yaml).
-          # Then, create a unique list of those directories.
-          CHANGED_CHARTS=$(echo "$CHANGED_FILES" | while read -r file; do
-            dir=$(dirname "$file")
-            while [[ "$dir" != "." && ! -f "$dir/Chart.yaml" ]]; do
-              dir=$(dirname "$dir")
-            done
-            if [[ "$dir" != "." ]]; then
-              echo "$dir"
-            fi
-          done | sort -u)
-
-          if [[ -z "$CHANGED_CHARTS" ]]; then
-            echo ">> Could not determine changed charts. This could happen if only files outside a chart were changed."
-            exit 0
-          fi
-
-          echo ">> Running helm lint on changed charts:"
-          echo "$CHANGED_CHARTS"
-
-          echo "$CHANGED_CHARTS" | while read -r chart; do
-            echo ">> Building dependency for "$chart" ..."
-            helm dependency build "$chart"
-            echo ">> Linting $chart..."
-            helm lint "$chart"
-          done
-
-      - name: ntfy Failed
-        uses: niniyas/ntfy-action@master
-        if: failure()
-        with:
-          url: '${{ secrets.NTFY_URL }}'
-          topic: '${{ secrets.NTFY_TOPIC }}'
-          title: 'Test Failure - Infrastructure'
-          priority: 4
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,failed
-          details: 'Helm linting on Push for Infrastructure has failed!'
-          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-helm-push.yaml", "clear": true}]'
-          image: true

.gitea/workflows/lint-test-helm.yaml

@@ -0,0 +1,164 @@
+name: lint-test-helm
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'clusters/*/helm/**'
+
+  push:
+    branches:
+      - main
+    paths:
+      - 'clusters/*/helm/**'
+
+env:
+  CLUSTER: cl01tl
+  BASE_BRANCH: "origin/${{ gitea.base_ref }}"
+
+jobs:
+  lint-helm:
+    runs-on: ubuntu-js
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Check Branch Exists
+        id: check-branch-exists
+        if: github.event_name == 'pull_request'
+        uses: GuillaumeFalourd/branch-exists@v1.1
+        with:
+          branch: ${{ gitea.base_ref }}
+
+      - name: Report Branch Exists
+        id: branch-exists
+        if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request'
+        run: |
+          echo ">> Branch ${{ gitea.base_ref }} exists, will continue with linting"
+
+          echo "----"
+
+          echo "exists=true" >> $GITEA_OUTPUT
+
+      - name: Set up Helm
+        if: steps.branch-exists.outputs.exists == 'true'
+        uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3
+
+      - name: Check Directories for Changes
+        id: check-dir-changes
+        if: steps.branch-exists.outputs.exists == 'true'
+        run: |
+          CHANGED_CHARTS=()
+
+          echo ">> Target branch for diff is: ${BASE_BRANCH}"
+
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
+            echo ""
+            echo ">> Checking for changes in a pull request ..."
+            GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
+          else
+            echo ""
+            echo ">> Checking for changes from a push ..."
+            GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
+          fi
+
+          if [ -n "${GIT_DIFF}" ]; then
+            echo ""
+            echo ">> Changes detected:"
+            echo "$GIT_DIFF"
+
+            for path in $GIT_DIFF; do
+              CHANGED_CHARTS+=$(echo "$path" | awk -F '/' '{print $4}')
+            done
+
+          else
+            echo ""
+            echo ">> No changes detected"
+
+          fi
+
+          if [ -n "${CHANGED_CHARTS}" ]; then
+            echo ""
+            echo ">> Chart to Lint:"
+            echo "$(echo "${CHANGED_CHARTS[@]}" | sort -u)"
+
+            echo "----"
+
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+            echo "chart-dir<<EOF" >> $GITEA_OUTPUT
+            echo "$(echo "${CHANGED_CHARTS[@]}" | sort -u)" >> $GITEA_OUTPUT
+            echo "EOF" >> $GITEA_OUTPUT
+          else
+            echo "changes-detected=false" >> $GITEA_OUTPUT
+          fi
+
+      - name: Add Repositories
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }}
+        run: |
+          echo ">> Adding repositories for chart dependencies ..."
+          for dir in ${CHANGED_CHARTS}; do
+            helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/$dir 2> /dev/null \
+              | tail +2 | head -n -1 \
+              | awk '{ print "helm repo add " $1 " " $3 }' \
+              | while read cmd; do echo "$cmd" | sh; done || true
+          done
+
+          if helm repo list | tail +2 | read -r; then
+            echo ""
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Lint Helm Chart
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }}
+        run: |
+          echo ">> Running linting on changed charts ..."
+
+          for dir in ${CHANGED_CHARTS}; do
+            chart_path=clusters/${CLUSTER}/helm/$dir
+            chart_name=$(basename "$chart_path")
+
+            if [ -f "$chart_path/Chart.yaml" ]; then
+              cd $chart_path
+
+              echo ""
+              echo ">> Building helm dependency ..."
+              helm dependency build --skip-refresh
+
+              echo ""
+              echo ">> Linting helm ..."
+              helm lint --namespace "$chart_name"
+
+            else
+              echo ""
+              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
+              echo ""
+            fi
+          done
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Test Failure - Infrastructure'
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: 'Helm linting on Pull Request for Infrastructure has failed!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-helm-pull.yaml", "clear": true}]'
+          image: true

.gitea/workflows/render-manifests-automerge.yaml

@@ -0,0 +1,410 @@
+name: render-manifests-automerge
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'clusters/cl01tl/helm/**'
+    types:
+      - closed
+
+env:
+  CLUSTER: cl01tl
+  BASE_BRANCH: manifests
+  BRANCH_NAME_BASE: auto/update-manifests-automerge
+  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
+  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
+
+jobs:
+  render-manifests-automerge:
+    runs-on: ubuntu-js
+    if: ${{ (github.event.pull_request.merged == true) && (contains(github.event.pull_request.labels.*.name, 'automerge')) }}
+    steps:
+      - name: Checkout Main
+        uses: actions/checkout@v6
+        with:
+          path: infrastructure
+          fetch-depth: 0
+
+      - name: Checkout Manifests
+        uses: actions/checkout@v6
+        with:
+          ref: manifests
+          path: infrastructure-manifests
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
+
+      - name: Prepare Manifest Branch
+        id: prepare-manifest-branch
+        run: |
+          cd ${MANIFEST_DIR}
+
+          BRANCH_NAME="${BRANCH_NAME_BASE}-$(date +%Y%m%d%H%M%S)"
+
+          echo ">> Configure git to use gitea-bot as user ..."
+          git config user.name "gitea-bot"
+          git config user.email "gitea-bot@alexlebens.net"
+
+          echo ">> Creating branch ..."
+          git checkout -b $BRANCH_NAME
+
+          echo "----"
+
+          echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITEA_OUTPUT
+
+      - name: Check which Directories have Changes
+        id: check-dir-changes
+        run: |
+          cd ${MAIN_DIR}
+
+          RENDER_DIR=()
+
+          echo ">> Checking for changes from HEAD^..HEAD ..."
+          GIT_DIFF=$(git diff --name-only HEAD^..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
+
+          if [ -n "${GIT_DIFF}" ]; then
+            echo ">> Changes detected:"
+            echo "$GIT_DIFF"
+            for path in $GIT_DIFF; do
+              RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
+            done
+
+          else
+            echo ">> No changes detected"
+
+          fi
+
+          if [ -n "${RENDER_DIR}" ]; then
+            echo ">> Directories to Render:"
+            echo "$(echo "${RENDER_DIR[@]}" | sort -u)"
+
+            echo "----"
+
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+            echo "render-dir<<EOF" >> $GITEA_OUTPUT
+            echo "$(echo "${RENDER_DIR[@]}" | sort -u)" >> $GITEA_OUTPUT
+            echo "EOF" >> $GITEA_OUTPUT
+          else
+            echo "changes-detected=false" >> $GITEA_OUTPUT
+          fi
+
+      - name: Add Repositories
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          for dir in ${RENDER_DIR}; do
+            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
+              | tail +2 | head -n -1 \
+              | awk '{ print "helm repo add " $1 " " $3 }' \
+              | while read cmd; do echo "$cmd" | sh; done || true
+          done
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Remove Changed Manifest Files
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Remove manfiest files and rebuild from source ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
+
+            echo "$chart_path"
+            rm -rf $chart_path/*
+          done
+
+          echo "----"
+
+      - name: Render Helm Manifests
+        id: render-manifests
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Rendering Manifests ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
+            chart_name=$(basename "$chart_path")
+
+            echo ""
+            echo ""
+            echo ">> Rendering chart: $chart_name"
+            echo ">> Chart path $chart_path"
+
+            if [ -f "$chart_path/Chart.yaml" ]; then
+              OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
+              TEMPLATE=""
+
+              mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
+
+              cd $chart_path
+
+              echo ""
+              echo ">> Building helm dependency ..."
+              helm dependency build --skip-refresh
+
+              echo ""
+              echo ">> Linting helm ..."
+              helm lint --namespace "$chart_name"
+
+              echo ""
+              echo ">> Rendering templates ..."
+              case "$chart_name" in
+                "stack")
+                  echo ""
+                  echo ">> Special Rendering for stack into argocd namespace ..."
+                  TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run)
+                  ;;
+                "cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
+                  echo ""
+                  echo ">> Special Rendering for $chart_name into kube-system namespace ..."
+                  TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run)
+                  ;;
+                *)
+                  echo ""
+                  echo ">> Standard Rendering for $chart_name ..."
+                  TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run)
+                  ;;
+              esac
+
+              echo ""
+              echo ">> Formating rendered template ..."
+              echo "$TEMPLATE" | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
+
+              echo ""
+              echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
+              ls $OUTPUT_FOLDER
+              echo ""
+            else
+              echo ""
+              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
+              echo ""
+            fi
+          done
+
+          echo "----"
+
+      - name: Check for Changes
+        id: check-changes
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          if git status --porcelain | grep -q .; then
+            echo ">> Changes detected"
+            git status --porcelain
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+          else
+            echo ">> No changes detected, skipping PR creation"
+            exit 0
+          fi
+
+          echo "----"
+
+      - name: Commit and Push Changes
+        id: commit-push
+        if: steps.check-changes.outputs.changes-detected == 'true'
+        env:
+          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Commiting changes to ${BRANCH_NAME} ..."
+          git add .
+          git commit -m "chore: Update manifests after automerge"
+
+          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
+          echo ">> Pushing changes to $REPO_URL ..."
+          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
+
+          echo "----"
+
+          echo "push=true" >> $GITEA_OUTPUT
+
+      - name: Create Pull Request
+        id: create-pull-request
+        if: steps.commit-push.outputs.push == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
+
+          PAYLOAD=$( jq -n \
+            --arg head "${BRANCH_NAME}" \
+            --arg base "${BASE_BRANCH}" \
+            --arg title "Automated Manifest Update - Automerge" \
+            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow. This is expected to be automerged." \
+            '{head: $head, base: $base, title: $title, body: $body}' )
+
+          echo ">> Creating PR from branch ${BRANCH_NAME} into ${BASE_BRANCH}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+          echo ">> With Payload of:"
+          echo "$PAYLOAD"
+
+          HTTP_STATUS=$(
+            curl -X POST \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              --data "$PAYLOAD" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "201" ]; then
+            echo ">> Pull Request created successfully!"
+            PR_URL=$(cat response_body.json | jq -r .html_url)
+            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
+            PR_ID=$(cat response_body.json | jq -r .id)
+            echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
+            echo "pull-request-operation=created" >> $GITEA_OUTPUT
+
+          elif [ "$HTTP_STATUS" == "422" ]; then
+            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
+
+          elif [ "$HTTP_STATUS" == "409" ]; then
+            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
+
+          else
+            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
+            exit 1
+          fi
+
+          echo "----"
+
+      - name: Merge Changes
+        id: merge-changes
+        if: steps.commit-push.outputs.push == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
+          PR_ID: ${{ steps.create-pull-request.outputs.pull-request-id }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_ID}/merge"
+
+          PAYLOAD=$( jq -n \
+            --arg Do "merge" \
+            --arg delete_branch_after_merge "true" \
+            '{Do: $Do, delete_branch_after_merge: $delete_branch_after_merge}' )
+
+          echo ">> Merging PR with ID: ${PR_ID}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+          echo ">> With Payload of:"
+          echo "$PAYLOAD"
+
+          HTTP_STATUS=$(
+            curl -X POST \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              --data "$PAYLOAD" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "200" ]; then
+            echo ">> Pull Request merged successfully!"
+            echo "pull-request-operation=merged" >> $GITEA_OUTPUT
+
+          else
+            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
+            echo "pull-request-operation=failed" >> $GITEA_OUTPUT
+            exit 1
+          fi
+
+          echo "----"
+
+      - name: Cleanup Branch
+        if: failure()
+        env:
+          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Removing branch: ${BRANCH_NAME}"
+          git push origin --delete ${BRANCH_NAME}
+
+          echo "----"
+
+      - name: ntfy Merged
+        uses: niniyas/ntfy-action@master
+        if: steps.merge-changes.outputs.pull-request-operation == 'merged'
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render PR Merged - Infrastructure"
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: "Automerge Manifest rendering for Infrastructure!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render Failure - Infrastructure"
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: "Automerge Manifest rendering for Infrastructure has failed!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests-automerge.yaml", "clear": true}]'
+          image: true

.gitea/workflows/render-manifests-dispatch.yaml

@@ -0,0 +1,381 @@
+name: render-manifests-dispatch
+
+on:
+  workflow_dispatch:
+
+env:
+  CLUSTER: cl01tl
+  BASE_BRANCH: manifests
+  BRANCH_NAME: auto/update-manifests
+  ASSIGNEE: alexlebens
+  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
+  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
+
+jobs:
+  render-manifests-dispatch:
+    runs-on: ubuntu-js
+    steps:
+      - name: Checkout Main
+        uses: actions/checkout@v6
+        with:
+          path: infrastructure
+          fetch-depth: 0
+
+      - name: Checkout Manifests
+        uses: actions/checkout@v6
+        with:
+          ref: manifests
+          path: infrastructure-manifests
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
+
+      - name: Prepare Manifest Branch
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Configure git to use gitea-bot as user ..."
+          git config user.name "gitea-bot"
+          git config user.email "gitea-bot@alexlebens.net"
+
+          echo ">> Checking if PR branch exists ..."
+          if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
+            echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
+            git fetch origin "${BRANCH_NAME}"
+            git checkout "${BRANCH_NAME}"
+            git pull --rebase
+
+          else
+            echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
+            git checkout -b $BRANCH_NAME
+          fi
+
+          echo "----"
+
+      - name: Check which Directories have Changes
+        id: check-dir-changes
+        run: |
+          cd ${MAIN_DIR}
+
+          RENDER_DIR=()
+
+          echo ">> Triggered on dispatch, will check all paths ..."
+          RENDER_DIR+=$(ls clusters/cl01tl/helm/)
+
+          if [ -n "${RENDER_DIR}" ]; then
+            echo ">> Directories to Render:"
+            echo "$(echo "${RENDER_DIR[@]}" | sort -u)"
+
+            echo "----"
+
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+            echo "render-dir<<EOF" >> $GITEA_OUTPUT
+            echo "$(echo "${RENDER_DIR[@]}" | sort -u)" >> $GITEA_OUTPUT
+            echo "EOF" >> $GITEA_OUTPUT
+          else
+            echo "changes-detected=false" >> $GITEA_OUTPUT
+          fi
+
+      - name: Add Repositories
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          for dir in ${RENDER_DIR}; do
+            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
+              | tail +2 | head -n -1 \
+              | awk '{ print "helm repo add " $1 " " $3 }' \
+              | while read cmd; do echo "$cmd" | sh; done || true
+          done
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Remove Changed Manifest Files
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Remove manfiest files and rebuild from source ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
+
+            echo "$chart_path"
+            rm -rf $chart_path/*
+          done
+
+          echo "----"
+
+      - name: Render Helm Manifests
+        id: render-manifests
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Rendering Manifests ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
+            chart_name=$(basename "$chart_path")
+
+            echo ""
+            echo ""
+            echo ">> Rendering chart: $chart_name"
+            echo ">> Chart path $chart_path"
+
+            if [ -f "$chart_path/Chart.yaml" ]; then
+              OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
+              TEMPLATE=""
+
+              mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
+
+              cd $chart_path
+
+              echo ""
+              echo ">> Building helm dependency ..."
+              helm dependency build --skip-refresh
+
+              echo ""
+              echo ">> Linting helm ..."
+              helm lint --namespace "$chart_name"
+
+              echo ""
+              echo ">> Rendering templates ..."
+              case "$chart_name" in
+                "stack")
+                  echo ""
+                  echo ">> Special Rendering for stack into argocd namespace ..."
+                  TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run)
+                  ;;
+                "cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
+                  echo ""
+                  echo ">> Special Rendering for $chart_name into kube-system namespace ..."
+                  TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run)
+                  ;;
+                *)
+                  echo ""
+                  echo ">> Standard Rendering for $chart_name ..."
+                  TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run)
+                  ;;
+              esac
+
+              echo ""
+              echo ">> Formating rendered template ..."
+              echo "$TEMPLATE" | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
+
+              echo ""
+              echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
+              ls $OUTPUT_FOLDER
+              echo ""
+            else
+              echo ""
+              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
+              echo ""
+            fi
+          done
+
+          echo "----"
+
+      - name: Check for Changes
+        id: check-changes
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          if git status --porcelain --untracked-files=all | grep -q '^.' ; then
+            echo ">> Changes detected"
+            # git status --porcelain --untracked-files=all
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+
+          else
+            echo ">> No changes detected, skipping PR creation"
+
+          fi
+
+          echo "----"
+
+      - name: Commit and Push Changes
+        id: commit-push
+        if: steps.check-changes.outputs.changes-detected == 'true'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Commiting changes to ${BRANCH_NAME} ..."
+          git add .
+          git commit -m "chore: Update manifests after change"
+
+          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
+          echo ">> Pushing changes to $REPO_URL ..."
+          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
+
+          echo "----"
+
+          echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
+          echo "push=true" >> $GITEA_OUTPUT
+
+      - name: Check for Pull Request
+        id: check-for-pull-requst
+        if: steps.commit-push.outputs.push == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
+
+          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+
+          HTTP_STATUS=$(
+            curl -X GET \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
+            echo ">> Pull Request has been found open, will update"
+            PR_INDEX=$(cat response_body.json | jq -r .[0].number)
+            echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
+            echo "pull-request-index=true" >> $GITEA_OUTPUT
+
+          elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
+            echo ">> Pull Request found, but was closed"
+            echo "pull-request-exists=false" >> $GITEA_OUTPUT
+
+          else
+            echo ">> Pull Request not found"
+            echo "pull-request-exists=false" >> $GITEA_OUTPUT
+          fi
+
+          echo "----"
+
+      - name: Create Pull Request
+        id: create-pull-request
+        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
+
+          PAYLOAD=$( jq -n \
+            --arg head "${HEAD_BRANCH}" \
+            --arg base "${BASE_BRANCH}" \
+            --arg assignee "${ASSIGNEE}" \
+            --arg title "Automated Manifest Update" \
+            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
+            '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
+
+          echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+          echo ">> With Payload of:"
+          echo "$PAYLOAD"
+
+          HTTP_STATUS=$(
+            curl -X POST \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              --data "$PAYLOAD" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "201" ]; then
+            echo ">> Pull Request created successfully!"
+            PR_URL=$(cat response_body.json | jq -r .html_url)
+            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
+            PR_ID=$(cat response_body.json | jq -r .id)
+            echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
+            echo "pull-request-operation=created" >> $GITEA_OUTPUT
+
+          elif [ "$HTTP_STATUS" == "422" ]; then
+            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
+
+          elif [ "$HTTP_STATUS" == "409" ]; then
+            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
+
+          else
+            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
+            exit 1
+          fi
+
+          echo "----"
+
+      - name: ntfy Created
+        uses: niniyas/ntfy-action@master
+        if: steps.create-pull-request.outputs.pull-request-operation == 'created'
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render PR Created - Infrastructure"
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render Failure - Infrastructure"
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: "Manifest rendering for Infrastructure has failed!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
+          image: true

.gitea/workflows/render-manifests-merge.yaml

@@ -0,0 +1,399 @@
+name: render-manifests-merge
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'clusters/cl01tl/helm/**'
+    types:
+      - closed
+
+env:
+  CLUSTER: cl01tl
+  BASE_BRANCH: manifests
+  BRANCH_NAME: auto/update-manifests
+  ASSIGNEE: alexlebens
+  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
+  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
+
+jobs:
+  render-manifests-merge:
+    runs-on: ubuntu-js
+    if: ${{ (github.event.pull_request.merged == true) && !(contains(github.event.pull_request.labels.*.name, 'automerge')) }}
+    steps:
+      - name: Checkout Main
+        uses: actions/checkout@v6
+        with:
+          path: infrastructure
+          fetch-depth: 0
+
+      - name: Checkout Manifests
+        uses: actions/checkout@v6
+        with:
+          ref: manifests
+          path: infrastructure-manifests
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
+
+      - name: Prepare Manifest Branch
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Configure git to use gitea-bot as user ..."
+          git config user.name "gitea-bot"
+          git config user.email "gitea-bot@alexlebens.net"
+
+          echo ">> Checking if PR branch exists ..."
+          if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
+            echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
+            git fetch origin "${BRANCH_NAME}"
+            git checkout "${BRANCH_NAME}"
+            git pull --rebase
+
+          else
+            echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
+            git checkout -b $BRANCH_NAME
+          fi
+
+          echo "----"
+
+      - name: Check which Directories have Changes
+        id: check-dir-changes
+        run: |
+          cd ${MAIN_DIR}
+
+          RENDER_DIR=()
+
+          echo ">> Checking for changes from HEAD^..HEAD ..."
+          GIT_DIFF=$(git diff --name-only HEAD^..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
+
+          if [ -n "${GIT_DIFF}" ]; then
+            echo ">> Changes detected:"
+            echo "$GIT_DIFF"
+            for path in $GIT_DIFF; do
+              RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
+            done
+
+          else
+            echo ">> No changes detected"
+
+          fi
+
+          if [ -n "${RENDER_DIR}" ]; then
+            echo ">> Directories to Render:"
+            echo "$(echo "${RENDER_DIR[@]}" | sort -u)"
+
+            echo "----"
+
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+            echo "render-dir<<EOF" >> $GITEA_OUTPUT
+            echo "$(echo "${RENDER_DIR[@]}" | sort -u)" >> $GITEA_OUTPUT
+            echo "EOF" >> $GITEA_OUTPUT
+          else
+            echo "changes-detected=false" >> $GITEA_OUTPUT
+          fi
+
+      - name: Add Repositories
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          for dir in ${RENDER_DIR}; do
+            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
+              | tail +2 | head -n -1 \
+              | awk '{ print "helm repo add " $1 " " $3 }' \
+              | while read cmd; do echo "$cmd" | sh; done || true
+          done
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Remove Changed Manifest Files
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Remove manfiest files and rebuild from source ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
+
+            echo "$chart_path"
+            rm -rf $chart_path/*
+          done
+
+          echo "----"
+
+      - name: Render Helm Manifests
+        id: render-manifests
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Rendering Manifests ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
+            chart_name=$(basename "$chart_path")
+
+            echo ""
+            echo ""
+            echo ">> Rendering chart: $chart_name"
+            echo ">> Chart path $chart_path"
+
+            if [ -f "$chart_path/Chart.yaml" ]; then
+              OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
+              TEMPLATE=""
+
+              mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
+
+              cd $chart_path
+
+              echo ""
+              echo ">> Building helm dependency ..."
+              helm dependency build --skip-refresh
+
+              echo ""
+              echo ">> Linting helm ..."
+              helm lint --namespace "$chart_name"
+
+              echo ""
+              echo ">> Rendering templates ..."
+              case "$chart_name" in
+                "stack")
+                  echo ""
+                  echo ">> Special Rendering for stack into argocd namespace ..."
+                  TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run)
+                  ;;
+                "cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
+                  echo ""
+                  echo ">> Special Rendering for $chart_name into kube-system namespace ..."
+                  TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run)
+                  ;;
+                *)
+                  echo ""
+                  echo ">> Standard Rendering for $chart_name ..."
+                  TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run)
+                  ;;
+              esac
+
+              echo ""
+              echo ">> Formating rendered template ..."
+              echo "$TEMPLATE" | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
+
+              echo ""
+              echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
+              ls $OUTPUT_FOLDER
+              echo ""
+            else
+              echo ""
+              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
+              echo ""
+            fi
+          done
+
+          echo "----"
+
+      - name: Check for Changes
+        id: check-changes
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          if git status --porcelain | grep -q .; then
+            echo ">> Changes detected"
+            git status --porcelain
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+          else
+            echo ">> No changes detected, skipping PR creation"
+            exit 0
+          fi
+
+          echo "----"
+
+      - name: Commit and Push Changes
+        id: commit-push
+        if: steps.check-changes.outputs.changes-detected == 'true'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Commiting changes to ${BRANCH_NAME} ..."
+          git add .
+          git commit -m "chore: Update manifests after change"
+
+          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
+          echo ">> Pushing changes to $REPO_URL ..."
+          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
+
+          echo "----"
+
+          echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
+          echo "push=true" >> $GITEA_OUTPUT
+
+      - name: Check for Pull Request
+        id: check-for-pull-requst
+        if: steps.commit-push.outputs.push == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
+
+          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+
+          HTTP_STATUS=$(
+            curl -X GET \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
+            echo ">> Pull Request has been found open, will update"
+            PR_INDEX=$(cat response_body.json | jq -r .[0].number)
+            echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
+            echo "pull-request-index=true" >> $GITEA_OUTPUT
+
+          elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
+            echo ">> Pull Request found, but was closed"
+            echo "pull-request-exists=false" >> $GITEA_OUTPUT
+
+          else
+            echo ">> Pull Request not found"
+            echo "pull-request-exists=false" >> $GITEA_OUTPUT
+          fi
+
+          echo "----"
+
+      - name: Create Pull Request
+        id: create-pull-request
+        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
+
+          PAYLOAD=$( jq -n \
+            --arg head "${HEAD_BRANCH}" \
+            --arg base "${BASE_BRANCH}" \
+            --arg assignee "${ASSIGNEE}" \
+            --arg title "Automated Manifest Update" \
+            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
+            '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
+
+          echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+          echo ">> With Payload of:"
+          echo "$PAYLOAD"
+
+          HTTP_STATUS=$(
+            curl -X POST \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              --data "$PAYLOAD" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "201" ]; then
+            echo ">> Pull Request created successfully!"
+            PR_URL=$(cat response_body.json | jq -r .html_url)
+            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
+            PR_ID=$(cat response_body.json | jq -r .id)
+            echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
+            echo "pull-request-operation=created" >> $GITEA_OUTPUT
+
+          elif [ "$HTTP_STATUS" == "422" ]; then
+            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
+
+          elif [ "$HTTP_STATUS" == "409" ]; then
+            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
+
+          else
+            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
+            exit 1
+          fi
+
+          echo "----"
+
+      - name: ntfy Created
+        uses: niniyas/ntfy-action@master
+        if: steps.create-pull-request.outputs.pull-request-operation == 'created'
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render PR Created - Infrastructure"
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render Failure - Infrastructure"
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: "Manifest rendering for Infrastructure has failed!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
+          image: true

.gitea/workflows/render-manifests-push.yaml

@@ -0,0 +1,397 @@
+name: render-manifests-push
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'clusters/cl01tl/helm/**'
+
+env:
+  CLUSTER: cl01tl
+  BASE_BRANCH: manifests
+  BRANCH_NAME: auto/update-manifests
+  ASSIGNEE: alexlebens
+  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
+  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
+
+jobs:
+  render-manifests-push:
+    runs-on: ubuntu-js
+    if: gitea.event.commits[0].author.username != 'renovate-bot'
+    steps:
+      - name: Checkout Main
+        uses: actions/checkout@v6
+        with:
+          path: infrastructure
+          fetch-depth: 0
+
+      - name: Checkout Manifests
+        uses: actions/checkout@v6
+        with:
+          ref: manifests
+          path: infrastructure-manifests
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
+
+      - name: Prepare Manifest Branch
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Configure git to use gitea-bot as user ..."
+          git config user.name "gitea-bot"
+          git config user.email "gitea-bot@alexlebens.net"
+
+          echo ">> Checking if PR branch exists ..."
+          if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
+            echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
+            git fetch origin "${BRANCH_NAME}"
+            git checkout "${BRANCH_NAME}"
+            git pull --rebase
+
+          else
+            echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
+            git checkout -b $BRANCH_NAME
+          fi
+
+          echo "----"
+
+      - name: Check which Directories have Changes
+        id: check-dir-changes
+        run: |
+          cd ${MAIN_DIR}
+
+          RENDER_DIR=()
+
+          echo ">> Checking for changes ..."
+          GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
+
+          if [ -n "${GIT_DIFF}" ]; then
+            echo ">> Changes detected:"
+            echo "$GIT_DIFF"
+            for path in $GIT_DIFF; do
+              RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
+            done
+
+          else
+            echo ">> No changes detected"
+
+          fi
+
+          if [ -n "${RENDER_DIR}" ]; then
+            echo ">> Directories to Render:"
+            echo "$(echo "${RENDER_DIR[@]}" | sort -u)"
+
+            echo "----"
+
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+            echo "render-dir<<EOF" >> $GITEA_OUTPUT
+            echo "$(echo "${RENDER_DIR[@]}" | sort -u)" >> $GITEA_OUTPUT
+            echo "EOF" >> $GITEA_OUTPUT
+          else
+            echo "changes-detected=false" >> $GITEA_OUTPUT
+          fi
+
+      - name: Add Repositories
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          for dir in ${RENDER_DIR}; do
+            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
+              | tail +2 | head -n -1 \
+              | awk '{ print "helm repo add " $1 " " $3 }' \
+              | while read cmd; do echo "$cmd" | sh; done || true
+          done
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Remove Changed Manifest Files
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Remove manfiest files and rebuild from source ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
+
+            echo "$chart_path"
+            rm -rf $chart_path/*
+          done
+
+          echo "----"
+
+      - name: Render Helm Manifests
+        id: render-manifests
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        env:
+          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
+        run: |
+          cd ${MAIN_DIR}
+
+          echo ">> Rendering Manifests ..."
+
+          for dir in ${RENDER_DIR}; do
+            chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
+            chart_name=$(basename "$chart_path")
+
+            echo ""
+            echo ""
+            echo ">> Rendering chart: $chart_name"
+            echo ">> Chart path $chart_path"
+
+            if [ -f "$chart_path/Chart.yaml" ]; then
+              OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
+              TEMPLATE=""
+
+              mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
+
+              cd $chart_path
+
+              echo ""
+              echo ">> Building helm dependency ..."
+              helm dependency build --skip-refresh
+
+              echo ""
+              echo ">> Linting helm ..."
+              helm lint --namespace "$chart_name"
+
+              echo ""
+              echo ">> Rendering templates ..."
+              case "$chart_name" in
+                "stack")
+                  echo ""
+                  echo ">> Special Rendering for stack into argocd namespace ..."
+                  TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run)
+                  ;;
+                "cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
+                  echo ""
+                  echo ">> Special Rendering for $chart_name into kube-system namespace ..."
+                  TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run)
+                  ;;
+                *)
+                  echo ""
+                  echo ">> Standard Rendering for $chart_name ..."
+                  TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run)
+                  ;;
+              esac
+
+              echo ""
+              echo ">> Formating rendered template ..."
+              echo "$TEMPLATE" | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
+
+              echo ""
+              echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
+              ls $OUTPUT_FOLDER
+              echo ""
+            else
+              echo ""
+              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
+              echo ""
+            fi
+          done
+
+          echo "----"
+
+      - name: Check for Changes
+        id: check-changes
+        if: steps.check-dir-changes.outputs.changes-detected == 'true'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          if git status --porcelain | grep -q .; then
+            echo ">> Changes detected"
+            git status --porcelain
+            echo "changes-detected=true" >> $GITEA_OUTPUT
+          else
+            echo ">> No changes detected, skipping PR creation"
+            exit 0
+          fi
+
+          echo "----"
+
+      - name: Commit and Push Changes
+        id: commit-push
+        if: steps.check-changes.outputs.changes-detected == 'true'
+        run: |
+          cd ${MANIFEST_DIR}
+
+          echo ">> Commiting changes to ${BRANCH_NAME} ..."
+          git add .
+          git commit -m "chore: Update manifests after change"
+
+          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
+          echo ">> Pushing changes to $REPO_URL ..."
+          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
+
+          echo "----"
+
+          echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
+          echo "push=true" >> $GITEA_OUTPUT
+
+      - name: Check for Pull Request
+        id: check-for-pull-requst
+        if: steps.commit-push.outputs.push == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
+
+          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+
+          HTTP_STATUS=$(
+            curl -X GET \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
+            echo ">> Pull Request has been found open, will update"
+            PR_INDEX=$(cat response_body.json | jq -r .[0].number)
+            echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
+            echo "pull-request-index=true" >> $GITEA_OUTPUT
+
+          elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
+            echo ">> Pull Request found, but was closed"
+            echo "pull-request-exists=false" >> $GITEA_OUTPUT
+
+          else
+            echo ">> Pull Request not found"
+            echo "pull-request-exists=false" >> $GITEA_OUTPUT
+          fi
+
+          echo "----"
+
+      - name: Create Pull Request
+        id: create-pull-request
+        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
+        env:
+          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITEA_URL: ${{ secrets.REPO_URL }}
+          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
+        run: |
+          cd ${MANIFEST_DIR}
+
+          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
+
+          PAYLOAD=$( jq -n \
+            --arg head "${HEAD_BRANCH}" \
+            --arg base "${BASE_BRANCH}" \
+            --arg assignee "${ASSIGNEE}" \
+            --arg title "Automated Manifest Update" \
+            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
+            '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
+
+          echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
+          echo ">> With Endpoint of:"
+          echo "$API_ENDPOINT"
+          echo ">> With Payload of:"
+          echo "$PAYLOAD"
+
+          HTTP_STATUS=$(
+            curl -X POST \
+              --silent \
+              --write-out '%{http_code}' \
+              --output response_body.json \
+              --dump-header response_headers.txt \
+              --data "$PAYLOAD" \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "$API_ENDPOINT" 2> response_errors.txt
+          )
+
+          echo ">> HTTP Status Code: $HTTP_STATUS"
+          echo ">> Response Output ..."
+          echo "----"
+          cat response_body.json
+          echo "----"
+          cat response_headers.txt
+          echo "----"
+          cat response_errors.txt
+          echo "----"
+
+          if [ "$HTTP_STATUS" == "201" ]; then
+            echo ">> Pull Request created successfully!"
+            PR_URL=$(cat response_body.json | jq -r .html_url)
+            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
+            PR_ID=$(cat response_body.json | jq -r .id)
+            echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
+            echo "pull-request-operation=created" >> $GITEA_OUTPUT
+
+          elif [ "$HTTP_STATUS" == "422" ]; then
+            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
+
+          elif [ "$HTTP_STATUS" == "409" ]; then
+            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
+
+          else
+            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
+            exit 1
+          fi
+
+          echo "----"
+
+      - name: ntfy Created
+        uses: niniyas/ntfy-action@master
+        if: steps.create-pull-request.outputs.pull-request-operation == 'created'
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render PR Created - Infrastructure"
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: "${{ secrets.NTFY_URL }}"
+          topic: "${{ secrets.NTFY_TOPIC }}"
+          title: "Manifest Render Failure - Infrastructure"
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: "Manifest rendering for Infrastructure has failed!"
+          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
+          image: true

.gitea/workflows/render-manifests.yaml

@@ -1,120 +0,0 @@
-name: render-manifests
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - "clusters/**"
-      - ! "clusters/*/archive"
-
-  workflow_dispatch:
-
-env:
-  CLUSTERS: cl01tl
-
-jobs:
-  render-manifests-helm:
-    runs-on: ubuntu-js
-    permissions:
-      contents: write
-      pull-requests: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v4
-        with:
-          token: ${{ secrets.GITEA_TOKEN }}
-          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
-
-      - name: Render Helm Manifests
-        run: |
-          for cluster in $CLUSTERS; do
-            mkdir -p ${{ gitea.workspace }}/clusters/$cluster/manifests
-
-            for chart_path in ${{ gitea.workspace }}/clusters/$cluster/helm/*; do
-              chart_name=$(basename "$chart_path")
-
-              echo ">> Rendering chart: $chart_name"
-
-              if [ -f "$chart_path/Chart.yaml" ]; then
-                  mkdir -p ${{ gitea.workspace }}/clusters/$cluster/manifests/$chart_name
-                  OUTPUT_FILE="${{ gitea.workspace }}/clusters/$cluster/manifests/$chart_name/$chart_name.yaml"
-
-                  cd $chart_path
-
-                  echo ""
-                  echo ">> Building helm dependency ..."
-                  helm dependency build
-
-                  echo ""
-                  echo ">> Linting helm ..."
-                  helm lint --namespace "$chart_name" --with-subcharts
-
-                  echo ""
-                  echo ">> Rendering templates ..."
-                  helm template "$chart_name" ./ --namespace "$chart_name" --include-crds > "$OUTPUT_FILE"
-
-                  echo ""
-                  echo ">> Manifests for $chart_name rendered to $OUTPUT_FILE"
-                  echo ""
-              else
-                  echo ""
-                  echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
-                  echo ""
-              fi
-            done
-          done
-
-      - name: Create Pull Request
-        id: pull-request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: ${{ secrets.BOT_TOKEN }}
-          commit-message: "chore: Update manifests after chart change"
-          branch: auto/update-manifests
-          branch-suffix: timestamp
-          base: manifests
-          title: "Manifest Update: App Changes"
-          body: |
-            This PR contains the newly rendered Kubernetes manifests.
-
-            * Triggered by workflow run ${{ github.run_id }}
-            * Review the `files changed` tab for the full YAML diff.
-          labels: |
-            manifests
-            automated
-          add-paths: |
-            clusters/cl01tl/manifests/*
-
-      - name: ntfy Created
-        uses: niniyas/ntfy-action@master
-        if: steps.pull-request.outputs.pull-request-operation == 'created'
-        with:
-          url: "${{ secrets.NTFY_URL }}"
-          topic: "${{ secrets.NTFY_TOPIC }}"
-          title: "Manifest Render PR Created - Infrastructure"
-          priority: 3
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,successfully,completed
-          details: "Manifest rendering for Infrastructure has created PR ${{ steps.pull-request.outputs.pull-request-number }}!"
-          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
-
-      - name: ntfy Failed
-        uses: niniyas/ntfy-action@master
-        if: failure()
-        with:
-          url: "${{ secrets.NTFY_URL }}"
-          topic: "${{ secrets.NTFY_TOPIC }}"
-          title: "Manifest Render Failure - Infrastructure"
-          priority: 4
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,failed
-          details: "Manifest rendering for Infrastructure has failed!"
-          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
-          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
-          image: true

.gitignore

@@ -0,0 +1,3 @@
+/**/archive/
+/**/charts/
+/**/manifests/

clusters/cl01tl/applications/actual/Chart.yaml

@@ -1,21 +0,0 @@
-apiVersion: v2
-name: actual
-version: 1.0.0
-description: Actual
-keywords:
-  - actual
-  - budget
-home: https://wiki.alexlebens.dev/s/86192f45-94b7-45de-872c-6ef3fec7df5e
-sources:
-  - https://github.com/actualbudget/actual
-  - https://github.com/actualbudget/actual/pkgs/container/actual
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: actual
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
-appVersion: v25.5.0

clusters/cl01tl/applications/actual/templates/external-secret.yaml

@@ -1,55 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: actual-data-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: actual-data-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/actual/actual-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/applications/actual/templates/http-route.yaml

@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-actual
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-actual
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - actual.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: actual
-          port: 80
-          weight: 100

clusters/cl01tl/applications/actual/templates/replication-source.yaml

@@ -1,25 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: actual-data-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: actual-data-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: actual-data
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: actual-data-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/applications/actual/values.yaml

@@ -1,56 +0,0 @@
-actual:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: ghcr.io/actualbudget/actual
-            tag: 25.11.0
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: US/Central
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-          probes:
-            liveness:
-              enabled: true
-              custom: true
-              spec:
-                exec:
-                  command:
-                  - /usr/bin/env
-                  - bash
-                  - -c
-                  - node src/scripts/health-check.js
-                failureThreshold: 5
-                initialDelaySeconds: 60
-                periodSeconds: 10
-                successThreshold: 1
-                timeoutSeconds: 10
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 5006
-          protocol: HTTP
-  persistence:
-    data:
-      forceRename: actual-data
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 2Gi
-      retain: true
-      advancedMounts:
-        main:
-          main:
-            - path: /data
-              readOnly: false

clusters/cl01tl/applications/audiobookshelf/Chart.yaml

@@ -1,23 +0,0 @@
-apiVersion: v2
-name: audiobookshelf
-version: 1.0.0
-description: Audiobookshelf
-keywords:
-  - audiobookshelf
-  - books
-  - podcasts
-  - audiobooks
-home: https://wiki.alexlebens.dev/s/d4d6719f-cd1c-4b6e-b78e-2d2d7a5097d7
-sources:
-  - https://github.com/advplyr/audiobookshelf
-  - https://github.com/advplyr/audiobookshelf/pkgs/container/audiobookshelf
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: audiobookshelf
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
-appVersion: 2.21.0

clusters/cl01tl/applications/audiobookshelf/templates/external-secret.yaml

@@ -1,135 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: audiobookshelf-apprise-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-apprise-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ntfy-url
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/audiobookshelf/apprise
-        metadataPolicy: None
-        property: ntfy-url
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: audiobookshelf-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: audiobookshelf-metadata-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-metadata-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-metadata"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/applications/audiobookshelf/templates/http-route.yaml

@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-audiobookshelf
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-audiobookshelf
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - audiobookshelf.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: audiobookshelf
-          port: 80
-          weight: 100

clusters/cl01tl/applications/audiobookshelf/templates/persistent-volume-claim.yaml

@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: audiobookshelf-nfs-storage-backup
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-nfs-storage-backup
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeMode: Filesystem
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: audiobookshelf-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: audiobookshelf-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi

clusters/cl01tl/applications/audiobookshelf/templates/persistent-volume.yaml

@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: audiobookshelf-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac

clusters/cl01tl/applications/audiobookshelf/templates/replication-source.yaml

@@ -1,52 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: audiobookshelf-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: audiobookshelf-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: audiobookshelf-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: audiobookshelf-metadata-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-metadata-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: audiobookshelf-metadata
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: audiobookshelf-metadata-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/applications/audiobookshelf/templates/service-monitor.yaml

@@ -1,19 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: audiobookshelf-apprise
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-apprise
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  endpoints:
-    - port: apprise
-      interval: 30s
-      scrapeTimeout: 15s
-      path: /metrics
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: audiobookshelf
-      app.kubernetes.io/instance: {{ .Release.Name }}

clusters/cl01tl/applications/audiobookshelf/values.yaml

@@ -1,94 +0,0 @@
-audiobookshelf:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: ghcr.io/advplyr/audiobookshelf
-            tag: 2.30.0
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: US/Central
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-        apprise-api:
-          image:
-            repository: caronc/apprise
-            tag: 1.2.6
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: US/Central
-            - name: PGID
-              value: "1000"
-            - name: PUID
-              value: "1000"
-            - name: APPRISE_STORAGE_MODE
-              value: memory
-            - name: APPRISE_STATEFUL_MODE
-              value: disabled
-            - name: APPRISE_WORKER_COUNT
-              value: 1
-            - name: APPRISE_STATELESS_URLS
-              valueFrom:
-                secretKeyRef:
-                  name: audiobookshelf-apprise-config
-                  key: ntfy-url
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 80
-          protocol: HTTP
-        apprise:
-          port: 8000
-          targetPort: 8000
-          protocol: HTTP
-  persistence:
-    config:
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 2Gi
-      retain: true
-      advancedMounts:
-        main:
-          main:
-            - path: /config
-              readOnly: false
-    metadata:
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 10Gi
-      retain: true
-      advancedMounts:
-        main:
-          main:
-            - path: /metadata
-              readOnly: false
-    backup:
-      existingClaim: audiobookshelf-nfs-storage-backup
-      advancedMounts:
-        main:
-          main:
-            - path: /metadata/backups
-              readOnly: false
-    audiobooks:
-      existingClaim: audiobookshelf-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /mnt/store/
-              readOnly: false

clusters/cl01tl/applications/bazarr/Chart.yaml

@@ -1,23 +0,0 @@
-apiVersion: v2
-name: bazarr
-version: 1.0.0
-description: Bazarr
-keywords:
-  - bazarr
-  - servarr
-  - subtitles
-home: https://wiki.alexlebens.dev/s/92784d53-1d43-42fd-b509-f42c73454226
-sources:
-  - https://github.com/morpheus65535/bazarr
-  - https://github.com/linuxserver/docker-bazarr
-  - https://github.com/linuxserver/docker-bazarr/pkgs/container/bazarr
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: bazarr
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
-appVersion: 1.5.2

clusters/cl01tl/applications/bazarr/templates/external-secret.yaml

@@ -1,55 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: bazarr-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: bazarr-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/bazarr/bazarr-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/applications/bazarr/templates/http-route.yaml

@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-bazarr
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-bazarr
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - bazarr.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: bazarr
-          port: 80
-          weight: 100

clusters/cl01tl/applications/bazarr/templates/persistent-volume-claim.yaml

@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: bazarr-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: bazarr-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: bazarr-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi

clusters/cl01tl/applications/bazarr/templates/persistent-volume.yaml

@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: bazarr-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: bazarr-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac

clusters/cl01tl/applications/bazarr/templates/replication-source.yaml

@@ -1,30 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: bazarr-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: bazarr-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: bazarr-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: bazarr-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    moverSecurityContext:
-      runAsUser: 1000
-      runAsGroup: 1000
-      fsGroup: 1000
-      fsGroupChangePolicy: OnRootMismatch
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/applications/bazarr/values.yaml

@@ -1,57 +0,0 @@
-bazarr:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      pod:
-        securityContext:
-          runAsUser: 1000
-          runAsGroup: 1000
-          fsGroup: 1000
-          fsGroupChangePolicy: OnRootMismatch
-      containers:
-        main:
-          image:
-            repository: ghcr.io/linuxserver/bazarr
-            tag: 1.5.3@sha256:2be164c02c0bb311b6c32e57d3d0ddc2813d524e89ab51a3408c1bf6fafecda5
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: US/Central
-            - name: PUID
-              value: 1000
-            - name: PGID
-              value: 1000
-          resources:
-            requests:
-              cpu: 10m
-              memory: 256Mi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 6767
-          protocol: HTTP
-  persistence:
-    config:
-      forceRename: bazarr-config
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 5Gi
-      retain: true
-      advancedMounts:
-        main:
-          main:
-            - path: /config
-              readOnly: false
-    media:
-      existingClaim: bazarr-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /mnt/store
-              readOnly: false

clusters/cl01tl/applications/booklore/Chart.yaml

@@ -1,24 +0,0 @@
-apiVersion: v2
-name: booklore
-version: 1.0.0
-description: booklore
-keywords:
-  - booklore
-  - books
-home: https://wiki.alexlebens.dev/
-sources:
-  - https://github.com/booklore-app/BookLore
-  - https://github.com/booklore-app/booklore/pkgs/container/booklore
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: booklore
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-  - name: mariadb-cluster
-    version: 25.10.2
-    repository: https://helm.mariadb.com/mariadb-operator
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png
-appVersion: v.1.10.0

clusters/cl01tl/applications/booklore/templates/external-secret.yaml

@@ -1,332 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-database-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-database-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: password
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/booklore/database
-        metadataPolicy: None
-        property: password
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-data-replication-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-replication-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: psk.txt
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/booklore/replication
-        metadataPolicy: None
-        property: psk.txt
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_SECRET_ACCESS_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-data-backup-secret-local
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-secret-local
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-local
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-local
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_SECRET_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-data-backup-secret-remote
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-secret-remote
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-remote
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-remote
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_SECRET_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-data-backup-secret-external
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-secret-external
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_SECRET_ACCESS_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-mariadb-cluster-backup-secret-external
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-mariadb-cluster-backup-secret-external
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: access
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/mariadb-backups
-        metadataPolicy: None
-        property: access
-    - secretKey: secret
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/mariadb-backups
-        metadataPolicy: None
-        property: secret
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-mariadb-cluster-backup-secret-garage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-mariadb-cluster-backup-secret-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: access
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/mariadb-backups
-        metadataPolicy: None
-        property: access
-    - secretKey: secret
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/mariadb-backups
-        metadataPolicy: None
-        property: secret

clusters/cl01tl/applications/booklore/templates/http-route.yaml

@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-booklore
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-booklore
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - booklore.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: booklore
-          port: 80
-          weight: 100

clusters/cl01tl/applications/booklore/templates/namespace.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: booklore
-  annotations:
-    volsync.backube/privileged-movers: "true"
-  labels:
-    app.kubernetes.io/name: booklore
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}

clusters/cl01tl/applications/booklore/templates/persistent-volume-claim.yaml

@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: booklore-books-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-books-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: booklore-books-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: booklore-books-import-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-books-import-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: booklore-books-import-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi

clusters/cl01tl/applications/booklore/templates/persistent-volume.yaml

@@ -1,48 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: booklore-books-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-books-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/Books
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
-
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: booklore-books-import-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-books-import-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/Books Import
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac

clusters/cl01tl/applications/booklore/templates/replication-destination.yaml

@@ -1,15 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationDestination
-metadata:
-  name: booklore-data-replication-destination
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-replication-destination
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  rsyncTLS:
-    copyMethod: Direct
-    accessModes: ["ReadWriteMany"]
-    destinationPVC: booklore-books-nfs-storage
-    keySecret: booklore-data-replication-secret

clusters/cl01tl/applications/booklore/templates/replication-source.yaml

@@ -1,129 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-data-replication-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-replication-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-data
-  trigger:
-    schedule: "0 0 * * *"
-  rsyncTLS:
-    keySecret: booklore-data-replication-secret
-    address: volsync-rsync-tls-dst-booklore-data-replication-destination
-    copyMethod: Snapshot
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-data-backup-source-local
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-source-local
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-data
-  trigger:
-    schedule: 0 2 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-data-backup-secret-local
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-data-backup-source-remote
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-source-remote
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-data
-  trigger:
-    schedule: 0 3 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-data-backup-secret-remote
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-data-backup-source-external
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-source-external
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-data
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-data-backup-secret-external
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi

clusters/cl01tl/applications/booklore/values.yaml

@@ -1,155 +0,0 @@
-booklore:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: ghcr.io/booklore-app/booklore
-            tag: v1.12.0
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: America/Chicago
-            - name: DATABASE_URL
-              value: jdbc:mariadb://booklore-mariadb-cluster-primary.booklore:3306/booklore
-            - name: DATABASE_USERNAME
-              value: booklore
-            - name: DATABASE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: booklore-database-secret
-                  key: password
-            - name: BOOKLORE_PORT
-              value: 6060
-            - name: SWAGGER_ENABLED
-              value: false
-          resources:
-            requests:
-              cpu: 50m
-              memory: 128Mi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 6060
-          protocol: HTTP
-  persistence:
-    config:
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 5Gi
-      retain: true
-      advancedMounts:
-        main:
-          main:
-            - path: /app/data
-              readOnly: false
-    data:
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 10Gi
-      retain: true
-      advancedMounts:
-        main:
-          main:
-            - path: /data
-              readOnly: false
-    books-import:
-      type: emptyDir
-      advancedMounts:
-        main:
-          main:
-            - path: /bookdrop
-              readOnly: false
-    ingest:
-      existingClaim: booklore-books-import-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /bookdrop/ingest
-              readOnly: false
-mariadb-cluster:
-  mariadb:
-    rootPasswordSecretKeyRef:
-      generate: false
-      name: booklore-database-secret
-      key: password
-    storage:
-      size: 5Gi
-    replicas: 3
-    galera:
-      enabled: true
-  databases:
-    - name: booklore
-      characterSet: utf8
-      collate: utf8_general_ci
-      cleanupPolicy: Delete
-      requeueInterval: 10h
-  users:
-    - name: booklore
-      passwordSecretKeyRef:
-        name: booklore-database-secret
-        key: password
-      host: '%'
-      cleanupPolicy: Delete
-      requeueInterval: 10h
-      retryInterval: 30s
-  grants:
-    - name: booklore
-      privileges:
-        - "ALL PRIVILEGES"
-      database: "booklore"
-      table: "*"
-      username: booklore
-      grantOption: true
-      host: '%'
-      cleanupPolicy: Delete
-      requeueInterval: 10h
-      retryInterval: 30s
-  physicalBackups:
-    - name: backup-external
-      schedule:
-        cron: "0 0 * * 0"
-        suspend: false
-        immediate: true
-      compression: gzip
-      maxRetention: 720h
-      storage:
-        s3:
-          bucket: mariadb-backups-b230a2f5aecf080a4b372c08
-          prefix: cl01tl/booklore
-          endpoint: nyc3.digitaloceanspaces.com
-          region: us-east-1
-          accessKeyIdSecretKeyRef:
-            name: booklore-mariadb-cluster-backup-secret-external
-            key: access
-          secretAccessKeySecretKeyRef:
-            name: booklore-mariadb-cluster-backup-secret-external
-            key: secret
-          tls:
-            enabled: true
-    - name: backup-garage
-      schedule:
-        cron: "0 0 * * *"
-        suspend: false
-        immediate: true
-      compression: gzip
-      maxRetention: 360h
-      storage:
-        s3:
-          bucket: mariadb-backups
-          prefix: cl01tl/booklore
-          endpoint: garage-main.garage:3900
-          region: us-east-1
-          accessKeyIdSecretKeyRef:
-            name: booklore-mariadb-cluster-backup-secret-garage
-            key: access
-          secretAccessKeySecretKeyRef:
-            name: booklore-mariadb-cluster-backup-secret-garage
-            key: secret

clusters/cl01tl/applications/code-server/Chart.yaml

@@ -1,28 +0,0 @@
-apiVersion: v2
-name: code-server
-version: 1.0.0
-description: Code Server
-keywords:
-  - code-server
-  - code
-  - ide
-home: https://wiki.alexlebens.dev/s/233f96bb-db70-47e4-8b22-a8efcbb0f93d
-sources:
-  - https://github.com/coder/code-server
-  - https://github.com/cloudflare/cloudflared
-  - https://hub.docker.com/r/linuxserver/code-server
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: code-server
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-  - name: cloudflared
-    alias: cloudflared
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.23.0
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
-appVersion: 4.100.2

clusters/cl01tl/applications/code-server/templates/external-secret.yaml

@@ -1,51 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: codeserver-password-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: codeserver-password-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/code-server/auth
-        metadataPolicy: None
-        property: PASSWORD
-    - secretKey: SUDO_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/code-server/auth
-        metadataPolicy: None
-        property: SUDO_PASSWORD
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: code-server-cloudflared-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: code-server-cloudflared-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: cf-tunnel-token
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cloudflare/tunnels/codeserver
-        metadataPolicy: None
-        property: token

clusters/cl01tl/applications/code-server/templates/http-route.yaml

@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-code-server
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-code-server
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - code-server.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: code-server
-          port: 8443
-          weight: 100

clusters/cl01tl/applications/code-server/templates/persistent-volume-claim.yaml

@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: code-server-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: code-server-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeMode: Filesystem
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi

clusters/cl01tl/applications/code-server/values.yaml

@@ -1,47 +0,0 @@
-code-server:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: ghcr.io/linuxserver/code-server
-            tag: 4.106.2@sha256:a98afdbcb59559f11e5e8df284062e55da1076b2e470e13db4aae133ea82bad0
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: US/Central
-            - name: PUID
-              value: 1000
-            - name: PGID
-              value: 1000
-            - name: DEFAULT_WORKSPACE
-              value: /config
-          envFrom:
-            - secretRef:
-                name: codeserver-password-secret
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 8443
-          targetPort: 8443
-          protocol: HTTP
-  persistence:
-    config:
-      existingClaim: code-server-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /config
-              readOnly: false
-cloudflared:
-  existingSecretName: code-server-cloudflared-secret

clusters/cl01tl/applications/directus/Chart.yaml

@@ -1,33 +0,0 @@
-apiVersion: v2
-name: directus
-version: 1.0.0
-description: Directus
-keywords:
-  - directus
-  - cms
-home: https://wiki.alexlebens.dev/s/c2d242de-dcaa-4801-86a2-c4761dc8bf9b
-sources:
-  - https://github.com/directus/directus
-  - https://github.com/cloudflare/cloudflared
-  - https://github.com/cloudnative-pg/cloudnative-pg
-  - https://hub.docker.com/r/directus/directus
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: directus
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-  - name: cloudflared
-    alias: cloudflared-directus
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.23.0
-  - name: postgres-cluster
-    alias: postgres-17-cluster
-    version: 6.16.0
-    repository: oci://harbor.alexlebens.net/helm-charts
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
-appVersion: 11.7.2

clusters/cl01tl/applications/directus/templates/external-secret.yaml

@@ -1,245 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: admin-email
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/directus/config
-        metadataPolicy: None
-        property: admin-email
-    - secretKey: admin-password
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/directus/config
-        metadataPolicy: None
-        property: admin-password
-    - secretKey: secret
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/directus/config
-        metadataPolicy: None
-        property: secret
-    - secretKey: key
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/directus/config
-        metadataPolicy: None
-        property: key
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-metric-token
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-metric-token
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: metric-token
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/directus/metrics
-        metadataPolicy: None
-        property: metric-token
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-redis-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-redis-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: user
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/directus/redis
-        metadataPolicy: None
-        property: user
-    - secretKey: password
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/directus/redis
-        metadataPolicy: None
-        property: password
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-oidc-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-oidc-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: OIDC_CLIENT_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /authentik/oidc/directus
-        metadataPolicy: None
-        property: client
-    - secretKey: OIDC_CLIENT_SECRET
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /authentik/oidc/directus
-        metadataPolicy: None
-        property: secret
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-cloudflared-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-cloudflared-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: cf-tunnel-token
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cloudflare/tunnels/directus
-        metadataPolicy: None
-        property: token
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-postgresql-17-cluster-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/postgres-backups
-        metadataPolicy: None
-        property: access
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/postgres-backups
-        metadataPolicy: None
-        property: secret
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-postgresql-17-cluster-backup-secret-weekly
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret-weekly
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_SECRET_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-postgresql-17-cluster-backup-secret-garage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_SECRET_KEY
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_REGION

clusters/cl01tl/applications/directus/templates/object-bucket-claim.yaml

@@ -1,11 +0,0 @@
-apiVersion: objectbucket.io/v1alpha1
-kind: ObjectBucketClaim
-metadata:
-  name: ceph-bucket-directus
-  labels:
-    app.kubernetes.io/name: ceph-bucket-directus
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  generateBucketName: bucket-directus
-  storageClassName: ceph-bucket

clusters/cl01tl/applications/directus/templates/redis-replication.yaml

@@ -1,35 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-directus
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-directus
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.2.1
-    imagePullPolicy: IfNotPresent
-    redisSecret:
-      name: directus-redis-config
-      key: password
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.76.0

clusters/cl01tl/applications/directus/templates/redis-sentinel.yaml

@@ -1,30 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisSentinel
-metadata:
-  name: redis-sentinel-directus
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-sentinel-directus
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  redisSentinelConfig:
-    redisReplicationName: redis-replication-directus
-    redisReplicationPassword:
-      secretKeyRef:
-        name: directus-redis-config
-        key: password
-  kubernetesConfig:
-    image: quay.io/opstree/redis-sentinel:v7.0.15
-    imagePullPolicy: IfNotPresent
-    redisSecret:
-      name: directus-redis-config
-      key: password
-    resources:
-      requests:
-        cpu: 10m
-        memory: 128Mi

clusters/cl01tl/applications/directus/templates/service-monitor.yaml

@@ -1,43 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: directus
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: directus
-      app.kubernetes.io/instance: {{ .Release.Name }}
-  endpoints:
-    - port: http
-      interval: 30s
-      scrapeTimeout: 15s
-      path: /metrics
-      bearerTokenSecret:
-        name: directus-metric-token
-        key: metric-token
-
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-directus
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-directus
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/applications/directus/values.yaml

@@ -1,214 +0,0 @@
-directus:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: directus/directus
-            tag: 11.13.4
-            pullPolicy: IfNotPresent
-          env:
-            - name: PUBLIC_URL
-              value: https://directus.alexlebens.dev
-            - name: WEBSOCKETS_ENABLED
-              value: true
-            - name: ADMIN_EMAIL
-              valueFrom:
-                secretKeyRef:
-                  name: directus-config
-                  key: admin-email
-            - name: ADMIN_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: directus-config
-                  key: admin-password
-            - name: SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: directus-config
-                  key: secret
-            - name: KEY
-              valueFrom:
-                secretKeyRef:
-                  name: directus-config
-                  key: key
-            - name: DB_CLIENT
-              value: postgres
-            - name: DB_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: directus-postgresql-17-cluster-app
-                  key: host
-            - name: DB_DATABASE
-              valueFrom:
-                secretKeyRef:
-                  name: directus-postgresql-17-cluster-app
-                  key: dbname
-            - name: DB_PORT
-              valueFrom:
-                secretKeyRef:
-                  name: directus-postgresql-17-cluster-app
-                  key: port
-            - name: DB_USER
-              valueFrom:
-                secretKeyRef:
-                  name: directus-postgresql-17-cluster-app
-                  key: user
-            - name: DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: directus-postgresql-17-cluster-app
-                  key: password
-            - name: SYNCHRONIZATION_STORE
-              value: redis
-            - name: CACHE_ENABLED
-              value: true
-            - name: CACHE_STORE
-              value: redis
-            - name: REDIS_ENABLED
-              value: true
-            - name: REDIS_HOST
-              value: redis-replication-directus-master
-            - name: REDIS_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: directus-redis-config
-                  key: user
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: directus-redis-config
-                  key: password
-            - name: STORAGE_LOCATIONS
-              value: s3
-            - name: STORAGE_S3_DRIVER
-              value: s3
-            - name: STORAGE_S3_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: ceph-bucket-directus
-                  key: AWS_ACCESS_KEY_ID
-            - name: STORAGE_S3_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: ceph-bucket-directus
-                  key: AWS_SECRET_ACCESS_KEY
-            - name: STORAGE_S3_BUCKET
-              valueFrom:
-                configMapKeyRef:
-                  name: ceph-bucket-directus
-                  key: BUCKET_NAME
-            - name: STORAGE_S3_REGION
-              value: us-east-1
-            - name: STORAGE_S3_ENDPOINT
-              value: http://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc:80
-            - name: STORAGE_S3_FORCE_PATH_STYLE
-              value: true
-            - name: AUTH_PROVIDERS
-              value: AUTHENTIK
-            - name: AUTH_AUTHENTIK_DRIVER
-              value: openid
-            - name: AUTH_AUTHENTIK_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: directus-oidc-secret
-                  key: OIDC_CLIENT_ID
-            - name: AUTH_AUTHENTIK_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: directus-oidc-secret
-                  key: OIDC_CLIENT_SECRET
-            - name: AUTH_AUTHENTIK_SCOPE
-              value: openid profile email
-            - name: AUTH_AUTHENTIK_ISSUER_URL
-              value: https://auth.alexlebens.dev/application/o/directus/.well-known/openid-configuration
-            - name: AUTH_AUTHENTIK_IDENTIFIER_KEY
-              value: email
-            - name: AUTH_AUTHENTIK_ALLOW_PUBLIC_REGISTRATION
-              value: true
-            - name: AUTH_AUTHENTIK_LABEL
-              value: Authentik
-            - name: TELEMETRY
-              value: false
-            - name: METRICS_ENABLED
-              value: true
-            - name: METRICS_TOKENS
-              valueFrom:
-                secretKeyRef:
-                  name: directus-metric-token
-                  key: metric-token
-          resources:
-            requests:
-              cpu: 10m
-              memory: 256Mi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 8055
-          protocol: TCP
-cloudflared-directus:
-  name: cloudflared-directus
-  existingSecretName: directus-cloudflared-secret
-postgres-17-cluster:
-  mode: recovery
-  cluster:
-    storage:
-      storageClass: local-path
-    walStorage:
-      storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
-  recovery:
-    method: objectStore
-    objectStore:
-      destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-17-cluster
-      endpointURL: http://garage-main.garage:3900
-      index: 1
-      endpointCredentials: directus-postgresql-17-cluster-backup-secret-garage
-  backup:
-    objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/directus/directus-postgresql-17-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
-      - name: garage-local
-        destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-17-cluster
-        index: 1
-        endpointURL: http://garage-main.garage:3900
-        endpointCredentials: directus-postgresql-17-cluster-backup-secret-garage
-        endpointCredentialsIncludeRegion: true
-        retentionPolicy: "3d"
-        isWALArchiver: true
-      # - name: garage-remote
-      #   destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-17-cluster
-      #   index: 1
-      #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
-      #   endpointCredentials: directus-postgresql-17-cluster-backup-secret-garage
-      #   retentionPolicy: "30d"
-      #   data:
-      #     compression: bzip2
-      #     jobs: 2
-    scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        schedule: "0 0 0 * * *"
-        backupName: external
-      - name: live-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: garage-local
-      # - name: weekly-backup
-      #   suspend: false
-      #   schedule: "0 0 4 * * SAT"
-      #   backupName: garage-remote

clusters/cl01tl/applications/element-web/Chart.yaml

@@ -1,27 +0,0 @@
-apiVersion: v2
-name: element-web
-version: 1.0.0
-description: Element Web
-keywords:
-  - element-web
-  - chat
-  - matrix
-home: https://wiki.alexlebens.dev/s/e3b03481-1a1d-4b56-8cd9-e75a8dcc0f6c
-sources:
-  - https://github.com/element-hq/element-web
-  - https://github.com/cloudflare/cloudflared
-  - https://hub.docker.com/r/vectorim/element-web
-  - https://gitlab.com/ananace/charts/-/tree/master/charts/element-web
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: element-web
-    version: 1.4.24
-    repository: https://ananace.gitlab.io/charts
-  - name: cloudflared
-    alias: cloudflared
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.23.0
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
-appVersion: v1.11.100

clusters/cl01tl/applications/element-web/templates/external-secret.yaml

@@ -1,21 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: element-web-cloudflared-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: element-web-cloudflared-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: cf-tunnel-token
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cloudflare/tunnels/element
-        metadataPolicy: None
-        property: token

clusters/cl01tl/applications/element-web/values.yaml

@@ -1,28 +0,0 @@
-element-web:
-  replicaCount: 1
-  image:
-    repository: vectorim/element-web
-    tag: v1.12.4
-    pullPolicy: IfNotPresent
-  defaultServer:
-    url: https://matrix.alexlebens.dev
-    name: alexlebens.dev
-    identity_url: https://alexlebens.dev
-  config:
-    disable_3pid_login: true
-    brand: "Alex Lebens"
-    branding:
-      welcome_background_url: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/background.jpg
-      auth_header_logo_url: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.png
-    sso_redirect_options:
-      immediate: true
-    default_theme: dark
-    default_country_code: US
-  ingress:
-    enabled: false
-  resources:
-    requests:
-      cpu: 10m
-      memory: 128Mi
-cloudflared:
-  existingSecretName: element-web-cloudflared-secret

clusters/cl01tl/applications/ephemera/Chart.yaml

@@ -1,23 +0,0 @@
-apiVersion: v2
-name: ephemera
-version: 1.0.0
-description: ephemera
-keywords:
-  - ephemera
-  - books
-home: https://wiki.alexlebens.dev/
-sources:
-  - https://github.com/OrwellianEpilogue/ephemera
-  - https://github.com/FlareSolverr/FlareSolverr
-  - https://github.com/orwellianepilogue/ephemera/pkgs/container/ephemera
-  - https://github.com/flaresolverr/FlareSolverr/pkgs/container/flaresolverr
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: ephemera
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ephemera.png
-appVersion: 1.3.1

clusters/cl01tl/applications/ephemera/templates/external-secret.yaml

@@ -1,101 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: ephemera-key-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: ephemera-key-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: key
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/ephemera/config
-        metadataPolicy: None
-        property: key
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: ephemera-apprise-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: ephemera-apprise-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ntfy-url
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/ephemera/config
-        metadataPolicy: None
-        property: ntfy-url
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: ephemera-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: ephemera-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/ephemera/ephemera-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/applications/ephemera/templates/http-route.yaml

@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-ephemera
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-ephemera
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - ephemera.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: ephemera
-          port: 80
-          weight: 100

clusters/cl01tl/applications/ephemera/templates/persistent-volume-claim.yaml

@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: ephemera-import-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: ephemera-import-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: ephemera-import-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi

clusters/cl01tl/applications/ephemera/templates/persistent-volume.yaml

@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: ephemera-import-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: ephemera-import-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/Books Import
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac

clusters/cl01tl/applications/ephemera/templates/replication-source.yaml

@@ -1,26 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: ephemera-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: ephemera-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: ephemera-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: ephemera-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi

clusters/cl01tl/applications/ephemera/values.yaml

@@ -1,107 +0,0 @@
-ephemera:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: ghcr.io/orwellianepilogue/ephemera
-            tag: 1.3.1
-            pullPolicy: IfNotPresent
-          env:
-            - name: AA_BASE_URL
-              value: https://annas-archive.org
-            # - name: AA_API_KEY
-            #   valueFrom:
-            #     secretKeyRef:
-            #       name: ephemera-key-secret
-            #       key: key
-            - name: FLARESOLVERR_URL
-              value: http://127.0.0.1:8191
-            - name: LG_BASE_URL
-              value: https://gen.com
-            - name: PUID
-              value: 0
-            - name: PGID
-              value: 0
-          resources:
-            requests:
-              cpu: 50m
-              memory: 128Mi
-        flaresolverr:
-          image:
-            repository: ghcr.io/flaresolverr/flaresolverr
-            tag: v3.4.5
-            pullPolicy: IfNotPresent
-          env:
-            - name: LOG_LEVEL
-              value: info
-            - name: LOG_HTML
-              value: false
-            - name: CAPTCHA_SOLVER
-              value: none
-            - name: TZ
-              value: America/Chicago
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-        apprise-api:
-          image:
-            repository: caronc/apprise
-            tag: 1.2.6
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: US/Central
-            - name: APPRISE_STORAGE_MODE
-              value: memory
-            - name: APPRISE_STATEFUL_MODE
-              value: disabled
-            - name: APPRISE_WORKER_COUNT
-              value: 1
-            - name: APPRISE_STATELESS_URLS
-              valueFrom:
-                secretKeyRef:
-                  name: ephemera-apprise-config
-                  key: ntfy-url
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 8286
-          protocol: HTTP
-  persistence:
-    config:
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 5Gi
-      retain: true
-      advancedMounts:
-        main:
-          main:
-            - path: /app/data
-              readOnly: false
-    cache:
-      type: emptyDir
-      advancedMounts:
-        main:
-          main:
-            - path: /app/downloads
-              readOnly: false
-    ingest:
-      existingClaim: ephemera-import-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /app/ingest
-              readOnly: false

clusters/cl01tl/applications/freshrss/Chart.yaml

@@ -1,33 +0,0 @@
-apiVersion: v2
-name: freshrss
-version: 1.0.0
-description: FreshRSS
-keywords:
-  - freshrss
-  - rss
-home: https://wiki.alexlebens.dev/s/251cb7cb-2797-4bbb-8597-32757aa96391
-sources:
-  - https://github.com/FreshRSS/FreshRSS
-  - https://github.com/cloudflare/cloudflared
-  - https://github.com/cloudnative-pg/cloudnative-pg
-  - https://hub.docker.com/r/freshrss/freshrss
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: freshrss
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-  - name: cloudflared
-    alias: cloudflared
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.23.0
-  - name: postgres-cluster
-    alias: postgres-17-cluster
-    version: 6.16.0
-    repository: oci://harbor.alexlebens.net/helm-charts
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/freshrss.png
-appVersion: 1.26.2

clusters/cl01tl/applications/freshrss/templates/external-secret.yaml

@@ -1,219 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: freshrss-install-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: freshrss-install-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ADMIN_EMAIL
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/freshrss/config
-        metadataPolicy: None
-        property: ADMIN_EMAIL
-    - secretKey: ADMIN_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/freshrss/config
-        metadataPolicy: None
-        property: ADMIN_PASSWORD
-    - secretKey: ADMIN_API_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/freshrss/config
-        metadataPolicy: None
-        property: ADMIN_API_PASSWORD
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: freshrss-oidc-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: freshrss-oidc-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: OIDC_CLIENT_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /authentik/oidc/freshrss
-        metadataPolicy: None
-        property: client
-    - secretKey: OIDC_CLIENT_SECRET
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /authentik/oidc/freshrss
-        metadataPolicy: None
-        property: secret
-    - secretKey: OIDC_CLIENT_CRYPTO_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /authentik/oidc/freshrss
-        metadataPolicy: None
-        property: crypto-key
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: freshrss-cloudflared-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: freshrss-cloudflared-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: cf-tunnel-token
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cloudflare/tunnels/freshrss
-        metadataPolicy: None
-        property: token
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: freshrss-data-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: freshrss-data-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/freshrss/freshrss-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: freshrss-postgresql-17-cluster-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: freshrss-postgresql-17-cluster-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/postgres-backups
-        metadataPolicy: None
-        property: access
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/postgres-backups
-        metadataPolicy: None
-        property: secret
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: freshrss-postgresql-17-cluster-backup-secret-garage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: freshrss-postgresql-17-cluster-backup-secret-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_SECRET_KEY
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_REGION

clusters/cl01tl/applications/freshrss/templates/replication-source.yaml

@@ -1,35 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: freshrss-data-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: freshrss-data-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: freshrss-data
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: freshrss-data-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    moverSecurityContext:
-      runAsUser: 568
-      runAsGroup: 568
-      fsGroup: 568
-      fsGroupChangePolicy: OnRootMismatch
-      supplementalGroups:
-        - 44
-        - 100
-        - 109
-        - 65539
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/applications/freshrss/values.yaml

@@ -1,251 +0,0 @@
-freshrss:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      initContainers:
-        init-download-extension-1:
-          securityContext:
-            runAsUser: 0
-          image:
-            repository: alpine
-            tag: 3.22.2
-            pullPolicy: IfNotPresent
-          command:
-            - /bin/sh
-            - -ec
-            - |
-              apk add --no-cache git;
-              cd /tmp;
-              git clone -n --depth=1 --filter=tree:0 https://github.com/cn-tools/cntools_FreshRssExtensions.git;
-              cd cntools_FreshRssExtensions;
-              git sparse-checkout set --no-cone /xExtension-YouTubeChannel2RssFeed;
-              git checkout;
-              rm -rf /var/www/FreshRSS/extensions/xExtension-YouTubeChannel2RssFeed
-              cp -r xExtension-YouTubeChannel2RssFeed /var/www/FreshRSS/extensions
-              chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-YouTubeChannel2RssFeed
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-        init-download-extension-2:
-          securityContext:
-            runAsUser: 0
-          image:
-            repository: alpine
-            tag: 3.22.2
-            pullPolicy: IfNotPresent
-          command:
-            - /bin/sh
-            - -ec
-            - |
-              apk add --no-cache git;
-              cd /tmp;
-              git clone -n --depth=1 --filter=tree:0 https://github.com/FreshRSS/Extensions.git;
-              cd Extensions;
-              git sparse-checkout set --no-cone /xExtension-ImageProxy;
-              git checkout;
-              rm -rf /var/www/FreshRSS/extensions/xExtension-ImageProxy
-              cp -r xExtension-ImageProxy /var/www/FreshRSS/extensions
-              chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-ImageProxy
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-        init-download-extension-3:
-          securityContext:
-            runAsUser: 0
-          image:
-            repository: alpine
-            tag: 3.22.2
-            pullPolicy: IfNotPresent
-          command:
-            - /bin/sh
-            - -ec
-            - |
-              cd /tmp;
-              wget https://github.com/zimmra/xExtension-karakeep-button/archive/refs/tags/v1.1.tar.gz;
-              tar -xvzf *.tar.gz;
-              rm -rf /var/www/FreshRSS/extensions/xExtension-karakeep-button
-              mkdir /var/www/FreshRSS/extensions/xExtension-karakeep-button
-              cp -r /tmp/xExtension-karakeep-button-*/* /var/www/FreshRSS/extensions/xExtension-karakeep-button
-              chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-karakeep-button
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-      containers:
-        main:
-          image:
-            repository: freshrss/freshrss
-            tag: 1.27.1
-            pullPolicy: IfNotPresent
-          env:
-            - name: PGID
-              value: "568"
-            - name: PUID
-              value: "568"
-            - name: TZ
-              value: US/Central
-            - name: FRESHRSS_ENV
-              value: production
-            - name: CRON_MIN
-              value: 13,43
-            - name: BASE_URL
-              value: https://rss.alexlebens.dev
-            - name: DB_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: freshrss-postgresql-17-cluster-app
-                  key: host
-            - name: DB_BASE
-              valueFrom:
-                secretKeyRef:
-                  name: freshrss-postgresql-17-cluster-app
-                  key: dbname
-            - name: DB_USER
-              valueFrom:
-                secretKeyRef:
-                  name: freshrss-postgresql-17-cluster-app
-                  key: user
-            - name: DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: freshrss-postgresql-17-cluster-app
-                  key: password
-            - name: FRESHRSS_INSTALL
-              value: |
-                --api-enabled
-                --base-url $(BASE_URL)
-                --db-base $(DB_BASE)
-                --db-host $(DB_HOST)
-                --db-password $(DB_PASSWORD)
-                --db-type pgsql
-                --db-user $(DB_USER)
-                --auth-type http_auth
-                --default-user admin
-                --language en
-            - name: FRESHRSS_USER
-              value: |
-                --api-password $(ADMIN_API_PASSWORD)
-                --email $(ADMIN_EMAIL)
-                --language en
-                --password $(ADMIN_PASSWORD)
-                --user admin
-            - name: OIDC_ENABLED
-              value: 1
-            - name: OIDC_PROVIDER_METADATA_URL
-              value: https://auth.alexlebens.dev/application/o/freshrss/.well-known/openid-configuration
-            - name: OIDC_X_FORWARDED_HEADERS
-              value: X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host
-            - name: OIDC_SCOPES
-              value: openid email profile
-            - name: OIDC_REMOTE_USER_CLAIM
-              value: preferred_username
-          envFrom:
-            - secretRef:
-                name: freshrss-oidc-secret
-            - secretRef:
-                name: freshrss-install-secret
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 80
-          protocol: HTTP
-  persistence:
-    data:
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 5Gi
-      retain: true
-      advancedMounts:
-        main:
-          main:
-            - path: /var/www/FreshRSS/data
-              readOnly: false
-    extensions:
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 1Gi
-      retain: true
-      advancedMounts:
-        main:
-          init-download-extension-1:
-            - path: /var/www/FreshRSS/extensions
-              readOnly: false
-          init-download-extension-2:
-            - path: /var/www/FreshRSS/extensions
-              readOnly: false
-          init-download-extension-3:
-            - path: /var/www/FreshRSS/extensions
-              readOnly: false
-          main:
-            - path: /var/www/FreshRSS/extensions
-              readOnly: false
-cloudflared:
-  existingSecretName: freshrss-cloudflared-secret
-postgres-17-cluster:
-  mode: recovery
-  cluster:
-    storage:
-      storageClass: local-path
-    walStorage:
-      storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
-  recovery:
-    method: objectStore
-    objectStore:
-      destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-17-cluster
-      endpointURL: http://garage-main.garage:3900
-      index: 1
-      endpointCredentials: freshrss-postgresql-17-cluster-backup-secret-garage
-  backup:
-    objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/freshrss/freshrss-postgresql-17-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
-      - name: garage-local
-        destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-17-cluster
-        index: 1
-        endpointURL: http://garage-main.garage:3900
-        endpointCredentials: freshrss-postgresql-17-cluster-backup-secret-garage
-        endpointCredentialsIncludeRegion: true
-        retentionPolicy: "3d"
-        isWALArchiver: true
-      # - name: garage-remote
-      #   destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-17-cluster
-      #   index: 1
-      #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
-      #   endpointCredentials: freshrss-postgresql-17-cluster-backup-secret-garage
-      #   retentionPolicy: "30d"
-      #   data:
-      #     compression: bzip2
-      #     jobs: 2
-    scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        schedule: "0 0 0 * * *"
-        backupName: external
-      - name: live-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: garage-local
-      # - name: weekly-backup
-      #   suspend: false
-      #   schedule: "0 2 4 * * SAT"
-      #   backupName: garage-remote

clusters/cl01tl/applications/home-assistant/Chart.yaml

@@ -1,23 +0,0 @@
-apiVersion: v2
-name: home-assistant
-version: 1.0.0
-description: Home Assistant
-keywords:
-  - home-assistant
-  - home
-  - automation
-home: https://wiki.alexlebens.dev/s/5462c17e-cd39-4082-ad01-94545a2fa3ca
-sources:
-  - https://www.home-assistant.io/
-  - https://github.com/home-assistant/core
-  - https://github.com/home-assistant/core/pkgs/container/home-assistant
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: home-assistant
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/home-assistant.png
-appVersion: 2025.5.2

clusters/cl01tl/applications/home-assistant/templates/external-secret.yaml

@@ -1,51 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: home-assistant-code-server-password-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: home-assistant-code-server-password-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/home-assistant/code-server/auth
-        metadataPolicy: None
-        property: PASSWORD
-    - secretKey: SUDO_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/home-assistant/code-server/auth
-        metadataPolicy: None
-        property: SUDO_PASSWORD
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: home-assistant-token-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: home-assistant-token-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: bearer-token
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/home-assistant/auth
-        metadataPolicy: None
-        property: bearer-token

clusters/cl01tl/applications/home-assistant/templates/http-route.yaml

@@ -1,58 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-home-assistant
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-home-assistant
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - home-assistant.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: home-assistant-main
-          port: 80
-          weight: 100
-
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-home-assistant-code-server
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-home-assistant-code-server
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - home-assistant-code-server.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: home-assistant-code-server
-          port: 8443
-          weight: 100

clusters/cl01tl/applications/home-assistant/templates/service-monitor.yaml

@@ -1,23 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: home-assistant
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: home-assistant
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: home-assistant
-      app.kubernetes.io/service: home-assistant-main
-      app.kubernetes.io/instance: {{ .Release.Name }}
-  endpoints:
-    - port: http
-      interval: 3m
-      scrapeTimeout: 1m
-      path: /api/prometheus
-      bearerTokenSecret:
-        name: home-assistant-token-secret
-        key: bearer-token

clusters/cl01tl/applications/home-assistant/values.yaml

@@ -1,70 +0,0 @@
-home-assistant:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: ghcr.io/home-assistant/home-assistant
-            tag: 2025.11.3
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: US/Central
-          resources:
-            requests:
-              cpu: 50m
-              memory: 512Mi
-        code-server:
-          image:
-            repository: ghcr.io/linuxserver/code-server
-            tag: 4.106.2@sha256:a98afdbcb59559f11e5e8df284062e55da1076b2e470e13db4aae133ea82bad0
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: US/Central
-            - name: PUID
-              value: 1000
-            - name: PGID
-              value: 1000
-            - name: DEFAULT_WORKSPACE
-              value: /config
-          envFrom:
-            - secretRef:
-                name: home-assistant-code-server-password-secret
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 8123
-          protocol: TCP
-    code-server:
-      controller: main
-      ports:
-        http:
-          port: 8443
-          targetPort: 8443
-          protocol: HTTP
-  persistence:
-    config:
-      forceRename: home-assistant-config
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 5Gi
-      advancedMounts:
-        main:
-          main:
-            - path: /config
-              readOnly: false
-          code-server:
-            - path: /config/home-assistant
-              readOnly: false

clusters/cl01tl/applications/homepage-dev/Chart.yaml

@@ -1,27 +0,0 @@
-apiVersion: v2
-name: homepage
-version: 1.0.0
-description: Homepage
-keywords:
-  - homepage
-  - dashboard
-home: https://wiki.alexlebens.dev/s/a5fabd91-3d89-4e2b-9417-06111aedaeaa
-sources:
-  - https://github.com/gethomepage/homepage
-  - https://github.com/cloudflare/cloudflared
-  - https://github.com/gethomepage/homepage/pkgs/container/homepage
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: homepage
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-  - name: cloudflared
-    alias: cloudflared
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 1.23.0
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/homepage.png
-appVersion: v1.2.0

clusters/cl01tl/applications/homepage-dev/templates/external-secret.yaml

@@ -1,21 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: homepage-dev-cloudflared-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: homepage-dev-cloudflared-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: cf-tunnel-token
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cloudflare/tunnels/homepage-dev
-        metadataPolicy: None
-        property: token

clusters/cl01tl/applications/homepage-dev/values.yaml

@@ -1,167 +0,0 @@
-homepage:
-  global:
-    nameOverride: homepage
-  controllers:
-    main:
-      type: deployment
-      annotations:
-        reloader.stakater.com/auto: "true"
-      strategy: Recreate
-      containers:
-        main:
-          image:
-            repository: ghcr.io/gethomepage/homepage
-            tag: v1.7.0
-            pullPolicy: IfNotPresent
-          env:
-            - name: HOMEPAGE_ALLOWED_HOSTS
-              value: home.alexlebens.dev
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-  configMaps:
-    config:
-      enabled: true
-      data:
-        docker.yaml: ""
-        kubernetes.yaml: ""
-        settings.yaml: |
-          favicon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.svg
-          headerStyle: clean
-          hideVersion: true
-          color: zinc
-          background:
-            image: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/background.jpg
-            brightness: 50
-          theme: dark
-          disableCollapse: true
-        widgets.yaml: |
-          - logo:
-              icon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.png
-          - datetime:
-              text_size: xl
-              format:
-                dateStyle: long
-                timeStyle: short
-                hour12: false
-          - openmeteo:
-              label: St. Paul
-              latitude: 44.954445
-              longitude: -93.091301
-              timezone: America/Chicago
-              units: metric
-              cache: 5
-              format:
-                maximumFractionDigits: 0
-        services.yaml: |
-          - Applications:
-              - Auth:
-                  icon: sh-authentik.webp
-                  description: Authentik
-                  href: https://auth.alexlebens.dev
-                  siteMonitor: https://auth.alexlebens.dev
-                  statusStyle: dot
-              - Gitea:
-                  icon: sh-gitea.webp
-                  description: Gitea
-                  href: https://gitea.alexlebens.dev
-                  siteMonitor: https://gitea.alexlebens.dev
-                  statusStyle: dot
-              - Code:
-                  icon: sh-visual-studio-code.webp
-                  description: VS Code
-                  href: https://codeserver.alexlebens.dev
-                  siteMonitor: https://codeserver.alexlebens.dev
-                  statusStyle: dot
-              - Site:
-                  icon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.png
-                  description: Profile Website
-                  href: https://www.alexlebens.dev
-                  siteMonitor: https://www.alexlebens.dev
-                  statusStyle: dot
-              - Content Management:
-                  icon: directus.png
-                  description: Directus
-                  href: https://directus.alexlebens.dev
-                  siteMonitor: https://directus.alexlebens.dev
-                  statusStyle: dot
-              - Social Media Management:
-                  icon: sh-postiz.webp
-                  description: Postiz
-                  href: https://postiz.alexlebens.dev
-                  siteMonitor: https://postiz.alexlebens.dev
-                  statusStyle: dot
-              - Chat:
-                  icon: sh-element.webp
-                  description: Matrix
-                  href: https://chat.alexlebens.dev
-                  siteMonitor: https://chat.alexlebens.dev
-                  statusStyle: dot
-              - Wiki:
-                  icon: sh-outline.webp
-                  description: Outline
-                  href: https://wiki.alexlebens.dev
-                  siteMonitor: https://wiki.alexlebens.dev
-                  statusStyle: dot
-              - Passwords:
-                  icon: sh-vaultwarden-light.webp
-                  description: Vaultwarden
-                  href: https://passwords.alexlebens.dev
-                  siteMonitor: https://passwords.alexlebens.dev
-                  statusStyle: dot
-              - Bookmarks:
-                  icon: sh-karakeep-light.webp
-                  description: Karakeep
-                  href: https://karakeep.alexlebens.dev
-                  siteMonitor: https://karakeep.alexlebens.dev
-                  statusStyle: dot
-              - RSS:
-                  icon: sh-freshrss.webp
-                  description: FreshRSS
-                  href: https://rss.alexlebens.dev
-                  siteMonitor: https://rss.alexlebens.dev
-                  statusStyle: dot
-        bookmarks.yaml: ""
-  service:
-    http:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 3000
-          protocol: HTTP
-  persistence:
-    config:
-      enabled: true
-      type: configMap
-      name: homepage-dev
-      advancedMounts:
-        main:
-          main:
-            - path: /app/config/bookmarks.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: bookmarks.yaml
-            - path: /app/config/docker.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: docker.yaml
-            - path: /app/config/kubernetes.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: kubernetes.yaml
-            - path: /app/config/services.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: services.yaml
-            - path: /app/config/settings.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: settings.yaml
-            - path: /app/config/widgets.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: widgets.yaml
-cloudflared:
-  existingSecretName: homepage-dev-cloudflared-secret

clusters/cl01tl/applications/homepage/Chart.yaml

@@ -1,21 +0,0 @@
-apiVersion: v2
-name: homepage
-version: 1.0.0
-description: Homepage
-keywords:
-  - homepage
-  - dashboard
-home: https://wiki.alexlebens.dev/s/a5fabd91-3d89-4e2b-9417-06111aedaeaa
-sources:
-  - https://github.com/gethomepage/homepage
-  - https://github.com/gethomepage/homepage/pkgs/container/homepage
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: homepage
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/homepage.png
-appVersion: v1.2.0

clusters/cl01tl/applications/homepage/templates/cluster-role-binding.yaml

@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: homepage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: homepage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: homepage
-subjects:
-  - kind: ServiceAccount
-    name: homepage
-    namespace: {{ .Release.Namespace }}

clusters/cl01tl/applications/homepage/templates/cluster-role.yaml

@@ -1,50 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: homepage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: homepage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - namespaces
-      - pods
-      - nodes
-    verbs:
-      - get
-      - list
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-  - apiGroups:
-      - traefik.io
-    resources:
-      - ingressroutes
-    verbs:
-      - get
-      - list
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - httproutes
-      - gateways
-    verbs:
-      - get
-      - list
-  - apiGroups:
-      - metrics.k8s.io
-    resources:
-      - nodes
-      - pods
-    verbs:
-      - get
-      - list

clusters/cl01tl/applications/homepage/templates/external-secret.yaml

@@ -1,105 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: homepage-keys-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: homepage-keys-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: HOMEPAGE_VAR_SYNOLOGY_USER
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /synology/auth/cl01tl
-        metadataPolicy: None
-        property: user
-    - secretKey: HOMEPAGE_VAR_SYNOLOGY_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /synology/auth/cl01tl
-        metadataPolicy: None
-        property: password
-    - secretKey: HOMEPAGE_VAR_UNIFI_USER
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /unifi/auth/cl01tl
-        metadataPolicy: None
-        property: user
-    - secretKey: HOMEPAGE_VAR_UNIFI_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /unifi/auth/cl01tl
-        metadataPolicy: None
-        property: password
-    - secretKey: HOMEPAGE_VAR_SONARR_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/sonarr4/key
-        metadataPolicy: None
-        property: key
-    - secretKey: HOMEPAGE_VAR_SONARR4K_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/sonarr4-4k/key
-        metadataPolicy: None
-        property: key
-    - secretKey: HOMEPAGE_VAR_SONARRANIME_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/sonarr4-anime/key
-        metadataPolicy: None
-        property: key
-    - secretKey: HOMEPAGE_VAR_RADARR_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/radarr5/key
-        metadataPolicy: None
-        property: key
-    - secretKey: HOMEPAGE_VAR_RADARR4K_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/radarr5-4k/key
-        metadataPolicy: None
-        property: key
-    - secretKey: HOMEPAGE_VAR_RADARRANIME_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/radarr5-anime/key
-        metadataPolicy: None
-        property: key
-    - secretKey: HOMEPAGE_VAR_RADARRSTANDUP_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/radarr5-standup/key
-        metadataPolicy: None
-        property: key
-    - secretKey: HOMEPAGE_VAR_LIDARR_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/lidarr2/key
-        metadataPolicy: None
-        property: key
-    - secretKey: HOMEPAGE_VAR_PROWLARR_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/prowlarr/key
-        metadataPolicy: None
-        property: key

clusters/cl01tl/applications/homepage/templates/http-route.yaml

@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-homepage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-homepage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - home.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: homepage
-          port: 80
-          weight: 100

clusters/cl01tl/applications/homepage/templates/service.yaml

@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: gitea-ps10rp
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-ps10rp
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-  annotations:
-    tailscale.com/tailnet-fqdn: gitea-ps10rp.boreal-beaufort.ts.net
-spec:
-  externalName: placeholder
-  type: ExternalName
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: home-ps10rp
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: home-ps10rp
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-  annotations:
-    tailscale.com/tailnet-fqdn: home-ps10rp.boreal-beaufort.ts.net
-spec:
-  externalName: placeholder
-  type: ExternalName
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: garage-ui-ps10rp
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: garage-ps10rp
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-  annotations:
-    tailscale.com/tailnet-fqdn: garage-ui-ps10rp.boreal-beaufort.ts.net
-spec:
-  externalName: placeholder
-  type: ExternalName

clusters/cl01tl/applications/homepage/values.yaml

@@ -1,795 +0,0 @@
-homepage:
-  global:
-    nameOverride: homepage
-  controllers:
-    main:
-      type: deployment
-      annotations:
-        reloader.stakater.com/auto: "true"
-      strategy: Recreate
-      serviceAccount:
-        name: homepage
-      pod:
-        automountServiceAccountToken: true
-      containers:
-        main:
-          image:
-            repository: ghcr.io/gethomepage/homepage
-            tag: v1.7.0
-            pullPolicy: IfNotPresent
-          env:
-            - name: HOMEPAGE_ALLOWED_HOSTS
-              value: home.alexlebens.net
-          envFrom:
-            - secretRef:
-                name: homepage-keys-secret
-          resources:
-            requests:
-              cpu: 10m
-              memory: 256Mi
-  serviceAccount:
-    homepage:
-      enabled: true
-      staticToken: true
-  configMaps:
-    config:
-      enabled: true
-      data:
-        docker.yaml: ""
-        kubernetes.yaml: |
-          mode: cluster
-        settings.yaml: |
-          favicon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.svg
-          headerStyle: clean
-          hideVersion: true
-          color: zinc
-          background:
-            image: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/background.jpg
-            brightness: 50
-          theme: dark
-          disableCollapse: true
-          layout:
-            - Media:
-                tab: Applications
-                icon: mdi-multimedia-#ffffff
-            - Public:
-                tab: Applications
-                icon: mdi-earth-#ffffff
-            - Internal:
-                tab: Applications
-                icon: mdi-security-network-#ffffff
-            - Code:
-                tab: Tools
-                icon: mdi-code-block-braces-#ffffff
-            - Automation:
-                tab: Tools
-                icon: mdi-wrench-#ffffff
-            - Monitoring:
-                tab: Tools
-                icon: mdi-chart-line-#ffffff
-            - Services:
-                tab: Services
-                icon: mdi-toolbox-outline-#ffffff
-            - Hardware:
-                tab: Services
-                icon: mdi-server-network-#ffffff
-            - Storage:
-                tab: Services
-                icon: mdi-database-#ffffff
-            - Content:
-                tab: Services
-                icon: mdi-multimedia-#ffffff
-            - TV Shows:
-                tab: Content
-                icon: mdi-television-#ffffff
-            - Movies:
-                tab: Content
-                icon: mdi-filmstrip-#ffffff
-            - Music:
-                tab: Content
-                icon: mdi-music-box-multiple-#ffffff
-            - Books:
-                tab: Content
-                icon: mdi-book-open-variant-#ffffff
-            - External Services:
-                tab: Bookmarks
-                icon: mdi-cloud-#ffffff
-            - Other Homes:
-                tab: Bookmarks
-                icon: mdi-cloud-#ffffff
-            - Trackers:
-                tab: Bookmarks
-                icon: mdi-cloud-#ffffff
-        widgets.yaml: |
-          - logo:
-              icon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.png
-          - kubernetes:
-              cluster:
-                show: true
-                cpu: true
-                memory: true
-                showLabel: false
-                label: "Cluster"
-              nodes:
-                show: false
-          - datetime:
-              text_size: xl
-              format:
-                dateStyle: long
-                timeStyle: short
-                hour12: false
-          - openmeteo:
-              label: St. Paul
-              latitude: 44.954445
-              longitude: -93.091301
-              timezone: America/Chicago
-              units: metric
-              cache: 5
-              format:
-                maximumFractionDigits: 0
-        services.yaml: |
-          - Media:
-              - Plex:
-                  icon: sh-plex.webp
-                  description: Media server
-                  href: https://plex.alexlebens.net
-                  siteMonitor: http://plex.plex:32400
-                  statusStyle: dot
-              - Jellyfin:
-                  icon: sh-jellyfin.webp
-                  description: Media server
-                  href: https://jellyfin.alexlebens.net
-                  siteMonitor: http://jellyfin.jellyfin:80
-                  statusStyle: dot
-              - Media Requests:
-                  icon: sh-overseerr.webp
-                  description: Overseer
-                  href: https://overseerr.alexlebens.net
-                  siteMonitor: http://overseerr.overseerr:80
-                  statusStyle: dot
-              - Media Tracking:
-                  icon: sh-yamtrack.webp
-                  description: Yamtrack
-                  href: https://yamtrack.alexlebens.net
-                  siteMonitor: http://yamtrack.yamtrack:80
-                  statusStyle: dot
-              - Youtube Archive:
-                  icon: sh-tube-archivist-light.webp
-                  description: TubeAchivist
-                  href: https://tubearchivist.alexlebens.net/login
-                  siteMonitor: http://tubearchivist.tubearchivist:80
-                  statusStyle: dot
-              - Photos:
-                  icon: sh-immich.webp
-                  description: Immich
-                  href: https://immich.alexlebens.net
-                  siteMonitor: http://immich-main.immich:2283
-                  statusStyle: dot
-              - Pictures:
-                  icon: sh-photoview.webp
-                  description: Photoview
-                  href: https://photoview.alexlebens.net
-                  siteMonitor: http://photoview.photoview:80
-                  statusStyle: dot
-              - Podcasts and Audiobooks:
-                  icon: sh-audiobookshelf.webp
-                  description: Audiobookshelf
-                  href: https://audiobookshelf.alexlebens.net
-                  siteMonitor: http://audiobookshelf.audiobookshelf:80
-                  statusStyle: dot
-              - Books:
-                  icon: sh-booklore.webp
-                  description: Booklore
-                  href: https://booklore.alexlebens.net
-                  siteMonitor: http://booklore.booklore:80
-                  statusStyle: dot
-          - Public:
-              - Site:
-                  icon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.png
-                  description: Profile Website
-                  href: https://www.alexlebens.dev
-                  siteMonitor: https://www.alexlebens.dev
-                  statusStyle: dot
-              - Content Management:
-                  icon: directus.png
-                  description: Directus
-                  href: https://directus.alexlebens.dev
-                  siteMonitor: https://directus.alexlebens.dev
-                  statusStyle: dot
-              - Social Media Management:
-                  icon: sh-postiz.webp
-                  description: Postiz
-                  href: https://postiz.alexlebens.dev
-                  siteMonitor: https://postiz.alexlebens.dev
-                  statusStyle: dot
-              - Chat:
-                  icon: sh-element.webp
-                  description: Matrix
-                  href: https://chat.alexlebens.dev
-                  siteMonitor: https://chat.alexlebens.dev
-                  statusStyle: dot
-              - Wiki:
-                  icon: sh-outline.webp
-                  description: Outline
-                  href: https://wiki.alexlebens.dev
-                  siteMonitor: https://wiki.alexlebens.dev
-                  statusStyle: dot
-              - Passwords:
-                  icon: sh-vaultwarden-light.webp
-                  description: Vaultwarden
-                  href: https://passwords.alexlebens.dev
-                  siteMonitor: https://passwords.alexlebens.dev
-                  statusStyle: dot
-              - Bookmarks:
-                  icon: sh-karakeep-light.webp
-                  description: Karakeep
-                  href: https://karakeep.alexlebens.dev
-                  siteMonitor: https://karakeep.alexlebens.dev
-                  statusStyle: dot
-              - RSS:
-                  icon: sh-freshrss.webp
-                  description: FreshRSS
-                  href: https://rss.alexlebens.dev
-                  siteMonitor: https://rss.alexlebens.dev
-                  statusStyle: dot
-          - Internal:
-              - Home Automation:
-                  icon: sh-home-assistant.webp
-                  description: Home Assistant
-                  href: https://home-assistant.alexlebens.net
-                  siteMonitor: http://home-assistant-main.home-assistant:80
-                  statusStyle: dot
-              - Budgeting:
-                  icon: sh-actual-budget.webp
-                  description: Actual
-                  href: https://actual.alexlebens.net
-                  siteMonitor: http://actual.actual:80
-                  statusStyle: dot
-              - AI:
-                  icon: sh-ollama.webp
-                  description: Ollama
-                  href: https://ollama.alexlebens.net
-                  siteMonitor: http://ollama-web.ollama:80
-                  statusStyle: dot
-              - AI Image:
-                  icon: https://user-images.githubusercontent.com/36368048/196280761-1535f413-a91e-4b6a-af6a-b890f8ae204c.png
-                  description: Stable Diffusion
-                  href: https://stable-diffusion-pd05wd.boreal-beaufort.ts.net
-                  siteMonitor: https://stable-diffusion-pd05wd.boreal-beaufort.ts.net
-                  statusStyle: dot
-              - Search:
-                  icon: sh-searxng.webp
-                  description: Searxng
-                  href: https://searxng.alexlebens.net/
-                  siteMonitor: http://searxng-browser.searxng:80
-                  statusStyle: dot
-              - Email:
-                  icon: sh-roundcube.webp
-                  description: Roundcube
-                  href: https://mail.alexlebens.net
-                  siteMonitor: http://roundcube.roundcube:80
-                  statusStyle: dot
-              - Wiki:
-                  icon: sh-kiwix-light.webp
-                  description: Kiwix
-                  href: https://kiwix.alexlebens.net
-                  siteMonitor: http://kiwix.kiwix:80
-                  statusStyle: dot
-          - Code:
-              - Code (Public):
-                  icon: sh-gitea.webp
-                  description: Gitea
-                  href: https://gitea.alexlebens.dev
-                  siteMonitor: https://gitea.alexlebens.dev
-                  statusStyle: dot
-              - Code (Local):
-                  icon: sh-gitea.webp
-                  description: Gitea
-                  href: https://gitea.alexlebens.net
-                  siteMonitor: https://gitea.alexlebens.net
-                  statusStyle: dot
-              - Code (ps10rp):
-                  icon: sh-gitea.webp
-                  description: Gitea
-                  href: https://gitea-ps10rp.boreal-beaufort.ts.net
-                  siteMonitor: https://gitea-ps10rp.boreal-beaufort.ts.net
-                  statusStyle: dot
-              - IDE (Public):
-                  icon: sh-visual-studio-code.webp
-                  description: VS Code
-                  href: https://codeserver.alexlebens.dev
-                  siteMonitor: https://codeserver.alexlebens.dev
-                  statusStyle: dot
-              - IDE (Home Assistant):
-                  icon: sh-visual-studio-code.webp
-                  description: Edit config for Home Assistant
-                  href: https://home-assistant-code-server.alexlebens.net
-                  siteMonitor: http://home-assistant-code-server.home-assistant:8443
-                  statusStyle: dot
-              - Continuous Deployment:
-                  icon: sh-argo-cd.webp
-                  description: ArgoCD
-                  href: https://argocd.alexlebens.net
-                  siteMonitor: http://argocd-server.argocd:80
-                  statusStyle: dot
-              - Docker Deployment:
-                  icon: sh-komodo-light.webp
-                  description: Komodo
-                  href: https://komodo.alexlebens.net
-                  siteMonitor: http://komodo-main.komodo:80
-                  statusStyle: dot
-          - Automation:
-              - Deployment Workflows:
-                  icon: sh-argo-cd.webp
-                  description: Argo Workflows
-                  href: https://argo-workflows.alexlebens.net
-                  siteMonitor: http://argo-workflows-server.argo-workflows:2746
-                  statusStyle: dot
-              - API Workflows:
-                  icon: sh-n8n.webp
-                  description: n8n
-                  href: https://n8n.alexlebens.net
-                  siteMonitor: http://n8n-main.n8n:80
-                  statusStyle: dot
-              - Jobs:
-                  icon: https://raw.githubusercontent.com/mshade/kronic/main/static/android-chrome-192x192.png
-                  description: Kronic
-                  href: https://kronic.alexlebens.net
-                  siteMonitor: http://kronic.kronic:80
-                  statusStyle: dot
-              - Uptime:
-                  icon: sh-gatus.webp
-                  description: Gatus
-                  href: https://gatus.alexlebens.net
-                  siteMonitor: http://gatus.gatus:80
-                  statusStyle: dot
-              - Tools:
-                  icon: sh-omnitools.webp
-                  description: OmniTools
-                  href: https://omni-tools.alexlebens.net
-                  siteMonitor: http://omni-tools.omni-tools:80
-                  statusStyle: dot
-          - Monitoring:
-              - Kubernetes:
-                  icon: sh-headlamp.webp
-                  description: Headlamp
-                  href: https://headlamp.alexlebens.net
-                  siteMonitor: http://headlamp.headlamp:80
-                  statusStyle: dot
-              - Network Monitoring:
-                  icon: sh-cilium.webp
-                  description: Hubble for Cilium
-                  href: https://hubble.alexlebens.net
-                  siteMonitor: http://hubble-ui.kube-system:80
-                  statusStyle: dot
-              - Dashboard:
-                  icon: sh-grafana.webp
-                  description: Grafana
-                  href: https://grafana.alexlebens.net
-                  siteMonitor: http://grafana-main-service.grafana-operator:3000/api/health
-                  statusStyle: dot
-              - Metrics:
-                  icon: sh-prometheus.webp
-                  description: Prometheus
-                  href: https://prometheus.alexlebens.net
-                  siteMonitor: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090
-                  statusStyle: dot
-                  widget:
-                    type: prometheus
-                    url: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090
-              - Alerting:
-                  icon: sh-prometheus-light.webp
-                  description: Alertmanager
-                  href: https://alertmanager.alexlebens.net
-                  siteMonitor: http://kube-prometheus-stack-alertmanager.kube-prometheus-stack:9093
-                  statusStyle: dot
-                  widget:
-                    type: prometheusmetric
-                    url: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090
-                    refreshInterval: 120s
-                    metrics:
-                      - label: Alerts Active
-                        query: alertmanager_alerts{state="active"}
-                      - label: Metric Database Size
-                        query: prometheus_tsdb_storage_blocks_bytes
-                        format:
-                          type: bytes
-              - Tautulli:
-                  icon: sh-tautulli.webp
-                  description: Plex Monitoring
-                  href: https://tautulli.alexlebens.net
-                  siteMonitor: http://tautulli.tautulli:80
-                  statusStyle: dot
-              - Jellystat:
-                  icon: sh-jellystat.webp
-                  description: Jellyfin Monitoring
-                  href: https://jellystat.alexlebens.net
-                  siteMonitor: http://jellystat.jellystat:80
-                  statusStyle: dot
-          - Services:
-              - Auth (Public):
-                  icon: sh-authentik.webp
-                  description: Authentik
-                  href: https://auth.alexlebens.dev
-                  siteMonitor: https://auth.alexlebens.dev
-                  statusStyle: dot
-              - Auth (Local):
-                  icon: sh-authentik.webp
-                  description: Authentik
-                  href: https://authentik.alexlebens.net
-                  siteMonitor: http://authentik-server.authentik:80
-                  statusStyle: dot
-              - Email:
-                  icon: sh-stalwart.webp
-                  description: Stalwart
-                  href: https://stalwart.alexlebens.net
-                  siteMonitor: http://stalwart.stalwart:80
-                  statusStyle: dot
-              - Notifications:
-                  icon: sh-ntfy.webp
-                  description: ntfy
-                  href: https://ntfy.alexlebens.net
-                  siteMonitor: http://ntfy.ntfy:80
-                  statusStyle: dot
-              - Reverse Proxy:
-                  icon: sh-traefik.webp
-                  description: Traefik
-                  href: https://traefik-cl01tl.alexlebens.net/dashboard/#/
-                  siteMonitor: https://traefik-cl01tl.alexlebens.net/dashboard/#/
-                  statusStyle: dot
-                  widget:
-                    type: traefik
-                    url: https://traefik-cl01tl.alexlebens.net
-              - Image Cache:
-                  icon: sh-harbor.webp
-                  description: Harbor
-                  href: https://harbor.alexlebens.net
-                  siteMonitor: http://harbor-portal.harbor:80
-                  statusStyle: dot
-          - Hardware:
-              - Network Management (alexlebens.net):
-                  icon: sh-ubiquiti-unifi.webp
-                  description: Unifi
-                  href: https://unifi.alexlebens.net
-                  siteMonitor: https://unifi.alexlebens.net
-                  statusStyle: dot
-              - Network Attached Storage:
-                  icon: sh-synology-light.webp
-                  description: Synology
-                  href: https://synology.alexlebens.net
-                  siteMonitor: https://synology.alexlebens.net
-                  statusStyle: dot
-                  widget:
-                    type: diskstation
-                    url: https://synology.alexlebens.net
-                    username: {{ "{{HOMEPAGE_VAR_SYNOLOGY_USER}}" }}
-                    password: {{ "{{HOMEPAGE_VAR_SYNOLOGY_PASSWORD}}" }}
-                    volume: volume_2
-              - TV Tuner:
-                  icon: sh-hdhomerun.webp
-                  description: HD Homerun
-                  href: http://hdhr.alexlebens.net
-                  siteMonitor: http://hdhr.alexlebens.net
-                  statusStyle: dot
-                  widget:
-                    type: hdhomerun
-                    url: http://hdhr.alexlebens.net
-                    tuner: 0
-                    fields: ["channels", "hd"]
-              - KVM:
-                  icon: sh-pikvm-light.webp
-                  description: Pi KVM
-                  href: https://pikvm.alexlebens.net
-                  siteMonitor: https://pikvm.alexlebens.net
-                  statusStyle: dot
-              - Server Plug:
-                  icon: sh-shelly.webp
-                  description: Shelly
-                  href: http://it05sp.alexlebens.net
-                  siteMonitor: http://it05sp.alexlebens.net
-                  statusStyle: dot
-          - Storage:
-              - Cluster Storage:
-                  icon: sh-ceph.webp
-                  description: Ceph
-                  href: https://ceph.alexlebens.net
-                  siteMonitor: http://rook-ceph-mgr-dashboard.rook-ceph:7000
-                  statusStyle: dot
-              - Object Storage (NAS):
-                  icon: sh-garage.webp
-                  description: Garage
-                  href: https://garage-webui.alexlebens.net
-                  siteMonitor: http://garage-webui.garage:3909
-                  statusStyle: dot
-              - Object Storage (ps10rp):
-                  icon: sh-garage.webp
-                  description: Garage
-                  href: https://garage-ui-ps10rp.boreal-beaufort.ts.net
-                  siteMonitor: https://garage-ui-ps10rp.boreal-beaufort.ts.net
-                  statusStyle: dot
-              - Database:
-                  icon: sh-pgadmin-light.webp
-                  description: PGAdmin
-                  href: https://pgadmin.alexlebens.net
-                  siteMonitor: http://pgadmin.pgadmin:80
-                  statusStyle: dot
-              - Database:
-                  icon: sh-whodb.webp
-                  description: WhoDB
-                  href: https://whodb.alexlebens.net
-                  siteMonitor: http://whodb.whodb:80
-                  statusStyle: dot
-              - Secrets:
-                  icon: sh-hashicorp-vault.webp
-                  description: Vault
-                  href: https://vault.alexlebens.net
-                  siteMonitor: http://vault.vault:8200
-                  statusStyle: dot
-              - Backups:
-                  icon: sh-backrest-light.webp
-                  description: Backrest
-                  href: https://backrest.alexlebens.net
-                  siteMonitor: http://backrest.backrest:80
-                  statusStyle: dot
-          - Content:
-              - qUI:
-                  icon: https://raw.githubusercontent.com/autobrr/qui/8487c818886df9abb2b1456f43b54e0ba180a2bd/web/public/icons.svg
-                  description: qbitorrent
-                  href: https://qui.alexlebens.net
-                  siteMonitor: http://qbittorrent-qui.qbittorrent:80
-                  statusStyle: dot
-                  widget:
-                    type: qbittorrent
-                    url: http://qbittorrent.qbittorrent:8080
-                    enableLeechProgress: true
-              - Prowlarr:
-                  icon: sh-prowlarr.webp
-                  description: Indexers
-                  href: https://prowlarr.alexlebens.net
-                  siteMonitor: http://prowlarr.prowlarr:80
-                  statusStyle: dot
-              - Huntarr:
-                  icon: https://raw.githubusercontent.com/plexguide/Huntarr.io/main/frontend/static/logo/128.png
-                  description: Content upgrader
-                  href: https://huntarr.alexlebens.net
-                  siteMonitor: http://huntarr.huntarr:80
-                  statusStyle: dot
-              - Bazarr:
-                  icon: sh-bazarr.webp
-                  description: Subtitles
-                  href: https://bazarr.alexlebens.net
-                  siteMonitor: http://bazarr.bazarr:80
-                  statusStyle: dot
-              - Tdarr:
-                  icon: sh-tdarr.webp
-                  description: Media transcoding and health checks
-                  href: https://tdarr.alexlebens.net
-                  siteMonitor: http://tdarr-web.tdarr:8265
-                  statusStyle: dot
-                  widget:
-                    type: tdarr
-                    url: http://tdarr-web.tdarr:8265
-          - TV Shows:
-              - Sonarr:
-                  icon: sh-sonarr.webp
-                  description: TV Shows
-                  href: https://sonarr.alexlebens.net
-                  siteMonitor: http://sonarr.sonarr:80
-                  statusStyle: dot
-                  widget:
-                    type: sonarr
-                    url: http://sonarr.sonarr:80
-                    key: {{ "{{HOMEPAGE_VAR_SONARR_KEY}}" }}
-                    fields: ["wanted", "queued", "series"]
-                    enableQueue: false
-              - Sonarr 4K:
-                  icon: sh-sonarr.webp
-                  description: TV Shows 4K
-                  href: https://sonarr-4k.alexlebens.net
-                  siteMonitor: http://sonarr-4k.sonarr-4k:80
-                  statusStyle: dot
-                  widget:
-                    type: sonarr
-                    url: http://sonarr-4k.sonarr-4k:80
-                    key: {{ "{{HOMEPAGE_VAR_SONARR4K_KEY}}" }}
-                    fields: ["wanted", "queued", "series"]
-                    enableQueue: false
-              - Sonarr Anime:
-                  icon: sh-sonarr.webp
-                  description: Anime Shows
-                  href: https://sonarr-anime.alexlebens.net
-                  siteMonitor: http://sonarr-anime.sonarr-anime:80
-                  statusStyle: dot
-                  widget:
-                    type: sonarr
-                    url: http://sonarr-anime.sonarr-anime:80
-                    key: {{ "{{HOMEPAGE_VAR_SONARRANIME_KEY}}" }}
-                    fields: ["wanted", "queued", "series"]
-                    enableQueue: false
-          - Movies:
-              - Radarr:
-                  icon: sh-radarr.webp
-                  description: Movies
-                  href: https://radarr.alexlebens.net
-                  siteMonitor: http://radarr.radarr:80
-                  statusStyle: dot
-                  widget:
-                    type: radarr
-                    url: http://radarr.radarr:80
-                    key: {{ "{{HOMEPAGE_VAR_RADARR_KEY}}" }}
-                    fields: ["wanted", "queued", "movies"]
-                    enableQueue: false
-              - Radarr 4K:
-                  icon: sh-radarr-4k.webp
-                  description: Movies 4K
-                  href: https://radarr-4k.alexlebens.net
-                  siteMonitor: http://radarr-4k.radarr-4k:80
-                  statusStyle: dot
-                  widget:
-                    type: radarr
-                    url: http://radarr-4k.radarr-4k:80
-                    key: {{ "{{HOMEPAGE_VAR_RADARR4K_KEY}}" }}
-                    fields: ["wanted", "queued", "movies"]
-                    enableQueue: false
-              - Radarr Anime:
-                  icon: sh-radarr-anime.webp
-                  description: Anime Movies
-                  href: https://radarr-anime.alexlebens.net
-                  siteMonitor: http://radarr-anime.radarr-anime:80
-                  statusStyle: dot
-                  widget:
-                    type: radarr
-                    url: http://radarr-anime.radarr-anime:80
-                    key: {{ "{{HOMEPAGE_VAR_RADARRANIME_KEY}}" }}
-                    fields: ["wanted", "queued", "movies"]
-                    enableQueue: false
-              - Radarr Stand Up:
-                  icon: sh-radarr-light-hybrid.webp
-                  description: Stand Up
-                  href: https://radarr-standup.alexlebens.net
-                  siteMonitor: http://radarr-standup.radarr-standup:80
-                  statusStyle: dot
-                  widget:
-                    type: radarr
-                    url: http://radarr-standup.radarr-standup:80
-                    key: {{ "{{HOMEPAGE_VAR_RADARRSTANDUP_KEY}}" }}
-                    fields: ["wanted", "queued", "movies"]
-                    enableQueue: false
-          - Music:
-              - Lidarr:
-                  icon: sh-lidarr.webp
-                  description: Music
-                  href: https://lidarr.alexlebens.net
-                  siteMonitor: http://lidarr.lidarr:80
-                  statusStyle: dot
-                  widget:
-                    type: lidarr
-                    url: http://lidarr.lidarr:80
-                    key: {{ "{{HOMEPAGE_VAR_LIDARR_KEY}}" }}
-                    fields: ["wanted", "queued", "artists"]
-              - LidaTube:
-                  icon: sh-lidatube.webp
-                  description: Searches for Music
-                  href: https://lidatube.alexlebens.net
-                  siteMonitor: http://lidatube.lidatube:80
-                  statusStyle: dot
-              - Soulseek:
-                  icon: sh-slskd.webp
-                  description: slskd
-                  href: https://slskd.alexlebens.net
-                  siteMonitor: http://slskd.slskd:5030
-                  statusStyle: dot
-          - Books:
-              - Ephemera:
-                  icon: sh-ephemera.webp
-                  description: Books
-                  href: https://ephemera.alexlebens.net
-                  siteMonitor: http://ephemera.ephemera:80
-                  statusStyle: dot
-              - Listenarr:
-                  icon: sh-audiobookrequest.webp
-                  description: Audiobooks
-                  href: https://listenarr.alexlebens.net
-                  siteMonitor: http://listenarr.listenarr:80
-                  statusStyle: dot
-          - Other Homes:
-              - Dev:
-                  icon: sh-homepage.webp
-                  description: Public Homepage
-                  href: https://home.alexlebens.dev
-                  siteMonitor: https://home.alexlebens.dev
-                  statusStyle: dot
-              - Lebens Home:
-                  icon: sh-homepage.webp
-                  description: Lebens Homepage
-                  href: https://home-ps10rp.boreal-beaufort.ts.net
-                  siteMonitor: https://home-ps10rp.boreal-beaufort.ts.net
-                  statusStyle: dot
-        bookmarks.yaml: |
-          - External Services:
-              - Github:
-                  - abbr: GH
-                    href: https://github.com/alexlebens
-              - Digital Ocean:
-                  - abbr: DO
-                    href: https://www.digitalocean.com/
-              - AWS:
-                  - abbr: AW
-                    href: https://aws.amazon.com/console/
-              - Cloudflare:
-                  - abbr: CF
-                    href: https://dash.cloudflare.com/b76e303258b84076ee01fd0f515c0768
-              - Tailscale:
-                  - abbr: TS
-                    href: https://login.tailscale.com/admin/machines
-              - ProtonVPN:
-                  - abbr: PV
-                    href: https://account.protonvpn.com/
-              - Unifi:
-                  - abbr: UF
-                    href: https://unifi.ui.com/
-              - Pushover:
-                  - abbr: PO
-                    href: https://pushover.net
-              - ReCaptcha:
-                  - abbr: RC
-                    href: https://www.google.com/recaptcha/admin/site/698983587
-          - Trackers:
-              - Torrentleech:
-                  - abbr: TL
-                    href: https://www.torrentleech.org
-              - Avistaz:
-                  - abbr: AV
-                    href: https://avistaz.to
-              - Cinemaz:
-                  - abbr: CM
-                    href: https://cinemaz.to
-              - Cathode Ray Tube:
-                  - abbr: CRT
-                    href: https://www.cathode-ray.tube
-              - Alpha Ratio:
-                  - abbr: AL
-                    href: https://alpharatio.cc/
-              - MV Group:
-                  - abbr: MV
-                    href: https://forums.mvgroup.org
-  service:
-    http:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 3000
-          protocol: HTTP
-  persistence:
-    config:
-      enabled: true
-      type: configMap
-      name: homepage
-      advancedMounts:
-        main:
-          main:
-            - path: /app/config/bookmarks.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: bookmarks.yaml
-            - path: /app/config/docker.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: docker.yaml
-            - path: /app/config/kubernetes.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: kubernetes.yaml
-            - path: /app/config/services.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: services.yaml
-            - path: /app/config/settings.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: settings.yaml
-            - path: /app/config/widgets.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: widgets.yaml

clusters/cl01tl/applications/huntarr/Chart.yaml

@@ -1,21 +0,0 @@
-apiVersion: v2
-name: huntarr
-version: 1.0.0
-description: Huntarr
-keywords:
-  - huntarr
-  - servarr
-home: https://wiki.alexlebens.dev/s/831ca16e-d308-4d7b-9213-f841834c1181
-sources:
-  - https://github.com/plexguide/Huntarr.io
-  - https://hub.docker.com/r/huntarr/huntarr
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: huntarr
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/huntarr.png
-appVersion: 7.0.0

clusters/cl01tl/applications/huntarr/templates/http-route.yaml

@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-huntarr
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-huntarr
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - huntarr.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: huntarr
-          port: 80
-          weight: 100

clusters/cl01tl/applications/huntarr/values.yaml

@@ -1,39 +0,0 @@
-huntarr:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: ghcr.io/plexguide/huntarr
-            tag: 8.2.10
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: US/Central
-          resources:
-            requests:
-              cpu: 100m
-              memory: 256Mi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 9705
-          protocol: HTTP
-  persistence:
-    config:
-      forceRename: huntarr-config
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 5Gi
-      advancedMounts:
-        main:
-          main:
-            - path: /config
-              readOnly: false

clusters/cl01tl/applications/immich/Chart.yaml

@@ -1,26 +0,0 @@
-apiVersion: v2
-name: immich
-version: 1.0.0
-description: Immich
-keywords:
-  - immich
-  - photos
-home: https://wiki.alexlebens.dev/s/9377ae08-2041-4b6d-bc2b-61a4f5e8faae
-sources:
-  - https://github.com/immich-app/immich
-  - https://github.com/cloudnative-pg/cloudnative-pg
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: immich
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-  - name: postgres-cluster
-    alias: postgres-17-cluster
-    version: 6.16.0
-    repository: oci://harbor.alexlebens.net/helm-charts
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/immich.png
-appVersion: v2.0.1

clusters/cl01tl/applications/immich/templates/external-secrets.yaml

@@ -1,88 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: immich-config-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: immich-config-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: immich.json
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/immich/config
-        metadataPolicy: None
-        property: immich.json
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: immich-postgresql-17-cluster-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: immich-postgresql-17-cluster-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/postgres-backups
-        metadataPolicy: None
-        property: access
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/postgres-backups
-        metadataPolicy: None
-        property: secret
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: immich-postgresql-17-cluster-backup-secret-garage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: immich-postgresql-17-cluster-backup-secret-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_SECRET_KEY
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_REGION

clusters/cl01tl/applications/immich/templates/http-route.yaml

@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-immich
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-immich
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - immich.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: immich-main
-          port: 2283
-          weight: 100

clusters/cl01tl/applications/immich/templates/persistent-volume-claim.yaml

@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: immich-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: immich-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: immich-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi

clusters/cl01tl/applications/immich/templates/persistent-volume.yaml

@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: immich-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: immich-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/Immich
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac

clusters/cl01tl/applications/immich/templates/redis-replication.yaml

@@ -1,32 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-immich
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-immich
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.0.3
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.48.0

clusters/cl01tl/applications/immich/templates/service-monitor.yaml

@@ -1,44 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: immich
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: immich
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: immich
-      app.kubernetes.io/instance: {{ .Release.Name }}
-  endpoints:
-    - port: metrics-api
-      interval: 3m
-      scrapeTimeout: 1m
-      path: /metrics
-    - port: metrics-ms
-      interval: 3m
-      scrapeTimeout: 1m
-      path: /metrics
-
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-immich
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-immich
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/applications/immich/values.yaml

@@ -1,260 +0,0 @@
-immich:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: ghcr.io/immich-app/immich-server
-            tag: v2.3.1
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: US/Central
-            - name: IMMICH_TELEMETRY_INCLUDE
-              value: all
-            - name: IMMICH_CONFIG_FILE
-              value: /config/immich.json
-            - name: IMMICH_MACHINE_LEARNING_URL
-              value: http://immich-machine-learning.immich:3003
-            - name: REDIS_HOSTNAME
-              value: redis-replication-immich-master
-            - name: DB_VECTOR_EXTENSION
-              value: vectorchord
-            - name: DB_HOSTNAME
-              valueFrom:
-                secretKeyRef:
-                  name: immich-postgresql-17-cluster-app
-                  key: host
-            - name: DB_DATABASE_NAME
-              valueFrom:
-                secretKeyRef:
-                  name: immich-postgresql-17-cluster-app
-                  key: dbname
-            - name: DB_PORT
-              valueFrom:
-                secretKeyRef:
-                  name: immich-postgresql-17-cluster-app
-                  key: port
-            - name: DB_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: immich-postgresql-17-cluster-app
-                  key: user
-            - name: DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: immich-postgresql-17-cluster-app
-                  key: password
-          probes:
-            liveness:
-              enabled: true
-              custom: true
-              spec:
-                httpGet:
-                  path: /api/server/ping
-                  port: 2283
-                initialDelaySeconds: 0
-                periodSeconds: 10
-                timeoutSeconds: 1
-                failureThreshold: 3
-            readiness:
-              enabled: true
-              custom: true
-              spec:
-                httpGet:
-                  path: /api/server/ping
-                  port: 2283
-                initialDelaySeconds: 0
-                periodSeconds: 10
-                timeoutSeconds: 1
-                failureThreshold: 3
-            startup:
-              enabled: true
-              custom: true
-              spec:
-                httpGet:
-                  path: /api/server/ping
-                  port: 2283
-                initialDelaySeconds: 0
-                periodSeconds: 10
-                timeoutSeconds: 1
-                failureThreshold: 30
-          resources:
-            limits:
-              gpu.intel.com/i915: 1
-            requests:
-              gpu.intel.com/i915: 1
-              cpu: 10m
-              memory: 512Mi
-    machine-learning:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: ghcr.io/immich-app/immich-machine-learning
-            tag: v2.3.1
-            pullPolicy: IfNotPresent
-          env:
-            - name: TRANSFORMERS_CACHE
-              value: /cache
-          probes:
-            liveness:
-              enabled: true
-              custom: true
-              spec:
-                httpGet:
-                  path: /ping
-                  port: 3003
-                initialDelaySeconds: 0
-                periodSeconds: 10
-                timeoutSeconds: 1
-                failureThreshold: 3
-            readiness:
-              enabled: true
-              custom: true
-              spec:
-                httpGet:
-                  path: /ping
-                  port: 3003
-                initialDelaySeconds: 0
-                periodSeconds: 10
-                timeoutSeconds: 1
-                failureThreshold: 3
-            startup:
-              enabled: false
-          resources:
-            limits:
-              gpu.intel.com/i915: 1
-            requests:
-              gpu.intel.com/i915: 1
-              cpu: 10m
-              memory: 256Mi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 2283
-          targetPort: 2283
-          protocol: TCP
-        metrics-api:
-          port: 8081
-          targetPort: 8081
-          protocol: TCP
-        metrics-ms:
-          port: 8082
-          targetPort: 8082
-          protocol: TCP
-    machine-learning:
-      controller: machine-learning
-      ports:
-        http:
-          port: 3003
-          targetPort: 3003
-          protocol: TCP
-  persistence:
-    config:
-      enabled: true
-      type: secret
-      name: immich-config-secret
-      advancedMounts:
-        main:
-          main:
-            - path: /config/immich.json
-              readOnly: true
-              mountPropagation: None
-              subPath: immich.json
-    cache:
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 10Gi
-      retain: true
-      advancedMounts:
-        machine-learning:
-          main:
-            - path: /cache
-              readOnly: false
-    media:
-      existingClaim: immich-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /usr/src/app/upload
-              readOnly: false
-postgres-17-cluster:
-  mode: recovery
-  cluster:
-    image:
-      repository: ghcr.io/tensorchord/cloudnative-vectorchord
-      tag: 17.5-0.4.3
-    storage:
-      storageClass: local-path
-    walStorage:
-      storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
-    postgresql:
-      parameters:
-        shared_buffers: 256MB
-      shared_preload_libraries:
-        - "vchord.so"
-    initdb:
-      postInitSQL:
-        - CREATE EXTENSION IF NOT EXISTS "vector";
-        - CREATE EXTENSION IF NOT EXISTS "vchord" CASCADE;
-        - CREATE EXTENSION IF NOT EXISTS "cube" CASCADE;
-        - CREATE EXTENSION IF NOT EXISTS "earthdistance" CASCADE;
-  recovery:
-    method: objectStore
-    objectStore:
-      destinationPath: s3://postgres-backups/cl01tl/immich/immich-postgresql-17-cluster
-      endpointURL: http://garage-main.garage:3900
-      index: 1
-      endpointCredentials: immich-postgresql-17-cluster-backup-secret-garage
-  backup:
-    objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/immich/immich-postgresql-17-cluster
-        index: 2
-        retentionPolicy: "30d"
-        isWALArchiver: false
-      - name: garage-local
-        destinationPath: s3://postgres-backups/cl01tl/immich/immich-postgresql-17-cluster
-        index: 1
-        endpointURL: http://garage-main.garage:3900
-        endpointCredentials: immich-postgresql-17-cluster-backup-secret-garage
-        endpointCredentialsIncludeRegion: true
-        retentionPolicy: "3d"
-        isWALArchiver: true
-      # - name: garage-remote
-      #   destinationPath: s3://postgres-backups/cl01tl/immich/immich-postgresql-17-cluster
-      #   index: 1
-      #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
-      #   endpointCredentials: immich-postgresql-17-cluster-backup-secret-garage
-      #   retentionPolicy: "30d"
-      #   data:
-      #     compression: bzip2
-      #     jobs: 2
-    scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        schedule: "0 0 0 * * *"
-        backupName: external
-      - name: live-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: garage-local
-      # - name: weekly-backup
-      #   suspend: false
-      #   schedule: "0 4 4 * * SAT"
-      #   backupName: garage-remote

clusters/cl01tl/applications/jellyfin/Chart.yaml

@@ -1,25 +0,0 @@
-apiVersion: v2
-name: jellyfin
-version: 1.0.0
-description: Jellyfin
-keywords:
-  - jellyfin
-  - media
-  - movies
-  - tv shows
-  - books
-  - music
-home: https://wiki.alexlebens.dev/s/a58be5b0-7935-458a-b990-b45223e39d68
-sources:
-  - https://github.com/jellyfin/jellyfin
-  - https://hub.docker.com/r/jellyfin/jellyfin
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: jellyfin
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.4.0
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/jellyfin.png
-appVersion: 10.10.7

clusters/cl01tl/applications/jellyfin/templates/external-secret.yaml

@@ -1,55 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: jellyfin-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: jellyfin-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/jellyfin/jellyfin-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/applications/jellyfin/templates/http-route.yaml

@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-jellyfin
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-jellyfin
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - jellyfin.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: jellyfin
-          port: 80
-          weight: 100

clusters/cl01tl/applications/jellyfin/templates/persistent-volume-claim.yaml

@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: jellyfin-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: jellyfin-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: jellyfin-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: jellyfin-youtube-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: jellyfin-youtube-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: jellyfin-youtube-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadOnlyMany
-  resources:
-    requests:
-      storage: 1Gi

clusters/cl01tl/applications/jellyfin/templates/persistent-volume.yaml

@@ -1,48 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: jellyfin-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: jellyfin-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
-
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: jellyfin-youtube-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: jellyfin-youtube-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadOnlyMany
-  nfs:
-    path: /volume2/Storage/YouTube
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac

clusters/cl01tl/applications/jellyfin/templates/replication-source.yaml

@@ -1,26 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: jellyfin-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: jellyfin-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: jellyfin-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: jellyfin-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi

clusters/cl01tl/applications/jellyfin/values.yaml

@@ -1,68 +0,0 @@
-jellyfin:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: ghcr.io/jellyfin/jellyfin
-            tag: 10.11.3
-            pullPolicy: IfNotPresent
-          env:
-            - name: TZ
-              value: US/Central
-            - name: JELLYFIN_hostwebclient
-              value: true
-            - name: JELLYFIN_PublishedServerUrl
-              value: https://jellyfin.alexlebens.net/
-          resources:
-            limits:
-              gpu.intel.com/i915: 1
-            requests:
-              gpu.intel.com/i915: 1
-              cpu: 1
-              memory: 2Gi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 8096
-          protocol: HTTP
-  persistence:
-    config:
-      forceRename: jellyfin-config
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 100Gi
-      retain: true
-      advancedMounts:
-        main:
-          main:
-            - path: /config
-              readOnly: false
-    cache:
-      type: emptyDir
-      advancedMounts:
-        main:
-          main:
-            - path: /cache
-              readOnly: false
-    media:
-      existingClaim: jellyfin-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /mnt/store
-              readOnly: false
-    youtube:
-      existingClaim: jellyfin-youtube-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /mnt/youtube
-              readOnly: true