feat: add matrix synapse

Reviewed-on: #6130

.gitea/workflows/lint-test-helm.yaml

@@ -482,6 +482,7 @@ jobs:
   #           echo ">> Render templates for ${APP_NAME} ..."
   #           CHART_PATH="clusters/${CLUSTER}/helm/${APP_NAME}"
   #           OUTPUT_FOLDER="clusters/${CLUSTER}/manifests/${APP_NAME}/"
+  #           mkdir -p "${OUTPUT_FOLDER}"
 
   #           helm dependency build "${CHART_PATH}" --skip-refresh
 
@@ -499,7 +500,7 @@ jobs:
   #               echo ">> Standard Rendering ..."
   #           esac
 
-  #           TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --include-crds --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
+  #           TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
 
   #           # Format and split rendered template
   #           echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
@@ -526,29 +527,38 @@ jobs:
   #       run: |
   #         FAILED_CHARTS=""
   #         DIFF_FOUND="false"
+  #         EXIT_CODE=0
 
   #         for APP_NAME in ${CHANGED_CHARTS}; do
   #           echo ">> Running argocd app diff for ${APP_NAME} ..."
-  #           argocd app diff "${APP_NAME}" \
+  #           if ! argocd app diff "${APP_NAME}" \
   #             --server "${ARGOCD_SERVER}" \
-  #             --revision ${{ gitea.sha }} \
+  #             --auth-token "${ARGOCD_AUTH_TOKEN}" \
-  #             --diff-exit-code 0 \
+  #             --revision ${{ github.sha }} \
   #             --local "clusters/${CLUSTER}/manifests/${APP_NAME}" \
   #             --local-repo-root "." \
-  #             --grpc-web > "diff_output_${APP_NAME}.txt"
+  #             --grpc-web > "diff_output_${APP_NAME}.txt" 2>&1; then
+
+  #             # ArgoCD diff returns non-zero on diff or error.
+  #             # Let's capture if it actually generated a diff output to post.
+  #             DIFF_FOUND="true"
+
+  #             # Check if the output contains validation/connection errors
+  #             if grep -iE 'error|failed|connection refused|timeout' "diff_output_${APP_NAME}.txt"; then
+  #                echo ">> ArgoCD encountered an error validating ${APP_NAME}!"
+  #                EXIT_CODE=1
+  #                FAILED_CHARTS="${FAILED_CHARTS} ${APP_NAME}"
+  #             fi
+  #           fi
 
   #           if [ -s "diff_output_${APP_NAME}.txt" ]; then
-  #             echo ">> Argo diff:"
+  #             echo ">> Argo diff or errors:"
   #             echo ""
   #             cat diff_output_${APP_NAME}.txt
   #             echo ""
-
-  #             DIFF_FOUND="true"
-
   #           else
   #             echo ">> No Argo diff found for ${APP_NAME}"
   #             rm "diff_output_${APP_NAME}.txt"
-
   #           fi
   #         done
 
@@ -556,13 +566,13 @@ jobs:
   #         echo "diff-detected=${DIFF_FOUND}" >> "$GITHUB_OUTPUT"
   #         echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
 
-  #         exit $OVERALL_EXIT_CODE
+  #         exit $EXIT_CODE
 
   #     - name: Post Diff
   #       if: |
   #         always() &&
   #         steps.diff.outputs.diff-detected == 'true' &&
-  #         gitea.event.pull_request.number != null
+  #         github.event.pull_request.number != null
   #       env:
   #         GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
   #       run: |
@@ -588,7 +598,7 @@ jobs:
   #         done
 
   #         curl -X 'POST' \
-  #           "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/issues/${{ gitea.event.pull_request.number }}/comments" \
+  #           "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
   #           -H "Authorization: token ${GITEA_TOKEN}" \
   #           -H "Content-Type: application/json" \
   #           -d "$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')"

.gitea/workflows/renovate.yaml

@@ -13,7 +13,7 @@ on:
 jobs:
   renovate:
     runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.113.0@sha256:9dd3f426078a6ce9461c87264e4bcd1853698dc5ebb594fe5fab1f0afd25ef9b
+    container: ghcr.io/renovatebot/renovate:43.138.2@sha256:79765b2442117d5c87e17456aa79ae54b4e0e2a4d9212a10508e233706375556
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

clusters/cl01tl/helm/actual/Chart.lock

@@ -2,8 +2,5 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.6.2
-- name: volsync-target
+digest: sha256:1c04c187e6cf768117f7f91f3a3b082937ad5854c1cf6a681ad7c02687cd543d
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2026-04-18T20:15:22.778699-05:00"
-  version: 0.8.0
-digest: sha256:ff81b3d8fc831e4b8048f646fffcf597aa7410e52ecf27690eab8104047dbe6f
-generated: "2026-03-06T01:04:41.514235218Z"

clusters/cl01tl/helm/actual/Chart.yaml

@@ -18,10 +18,10 @@ dependencies:
     alias: actual
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.6.2
-  - name: volsync-target
+  # - name: volsync-target
-    alias: volsync-target-data
+  #   alias: volsync-target-data
-    version: 0.8.0
+  #   version: 0.8.0
-    repository: oci://harbor.alexlebens.net/helm-charts
+  #   repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
 # renovate: datasource=github-releases depName=actualbudget/actual
 appVersion: 26.4.0

clusters/cl01tl/helm/actual/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/argocd/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 9.5.0
+  version: 9.5.2
-digest: sha256:69daada0822f796cd49eeda2d9e39dd5c0c42bb61b6898af68123c8c49f25fa1
+digest: sha256:5d9e6405ee944bf94df6af247164ebb9b8899144853b9a7eafabe8606affe84e
-generated: "2026-04-08T22:05:49.003208408Z"
+generated: "2026-04-19T19:53:40.43789-05:00"

clusters/cl01tl/helm/argocd/Chart.yaml

@@ -13,8 +13,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-cd
-    version: 9.5.0
+    version: 9.5.2
     repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-cd
-appVersion: v3.3.6
+appVersion: v3.3.7

clusters/cl01tl/helm/argocd/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/argocd/templates/external-secret.yaml

@@ -1,70 +1,40 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-oidc-secret
+  name: argocd-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: argocd-oidc-secret
+    app.kubernetes.io/name: argocd-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: secret
       remoteRef:
-        key: /authentik/oidc/argocd
+        key: /cl01tl/authentik/oidc/argocd
         property: secret
     - secretKey: client
       remoteRef:
-        key: /authentik/oidc/argocd
+        key: /cl01tl/authentik/oidc/argocd
         property: client
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-notifications-secret
+  name: argocd-notifications-ntfy
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: argocd-notifications-secret
+    app.kubernetes.io/name: argocd-notifications-ntfy
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: ntfy-token
       remoteRef:
-        key: /ntfy/user/cl01tl
+        key: /cl01tl/ntfy/users/cl01tl
         property: token
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: argocd-gitea-repo-infrastructure-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: type
-      remoteRef:
-        key: /cl01tl/argocd/credentials/repo/infrastructure
-        property: type
-    - secretKey: url
-      remoteRef:
-        key: /cl01tl/argocd/credentials/repo/infrastructure
-        property: url
-    - secretKey: sshPrivateKey
-      remoteRef:
-        key: /cl01tl/argocd/credentials/repo/infrastructure
-        property: sshPrivateKey

clusters/cl01tl/helm/argocd/values.yaml

@@ -13,8 +13,8 @@ argo-cd:
         connectors:
         - config:
             issuer: https://authentik.alexlebens.net/application/o/argocd/
-            clientID: $argocd-oidc-secret:client
+            clientID: $argocd-oidc-authentik:client
-            clientSecret: $argocd-oidc-secret:secret
+            clientSecret: $argocd-oidc-authentik:secret
             insecureEnableGroups: true
             scopes:
               - openid
@@ -205,7 +205,7 @@ argo-cd:
     argocdUrl: https://argocd.alexlebens.net
     secret:
       create: false
-      name: argocd-notifications-secret
+      name: argocd-notifications-ntfy
     metrics:
       enabled: true
       serviceMonitor:

clusters/cl01tl/helm/audiobookshelf/Chart.yaml

@@ -32,4 +32,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 # renovate: datasource=github-releases depName=advplyr/audiobookshelf
-appVersion: 2.33.1
+appVersion: 2.33.2

clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl

@@ -0,0 +1,27 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.booksNfsName" -}}
+audiobookshelf-books-nfs-storage
+{{- end -}}
+{{- define "custom.audiobooksNfsName" -}}
+audiobookshelf-audiobooks-nfs-storage
+{{- end -}}
+{{- define "custom.podcastsNfsName" -}}
+audiobookshelf-podcasts-nfs-storage
+{{- end -}}

clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml

@@ -1,18 +1,23 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: audiobookshelf-apprise-config
+  name: audiobookshelf-config-apprise
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-apprise-config
+    app.kubernetes.io/name: audiobookshelf-config-apprise
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
       data:
-    - secretKey: ntfy-url
+        ntfy-url: "{{ `{{ .endpoint }}` }}/audiobookshelf"
+  data:
+    - secretKey: endpoint
       remoteRef:
-        key: /cl01tl/audiobookshelf/apprise
+        key: /cl01tl/ntfy/users/cl01tl
-        property: ntfy-url
+        property: internal-endpoint-credential

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml

@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: audiobookshelf-books-nfs-storage
+  name: {{ include "custom.booksNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{ include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: audiobookshelf-books-nfs-storage
+  volumeName: {{ include "custom.booksNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -20,14 +19,13 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: audiobookshelf-audiobooks-nfs-storage
+  name: {{ include "custom.audiobooksNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: audiobookshelf-audiobooks-nfs-storage
+  volumeName: {{ include "custom.audiobooksNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -39,14 +37,13 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: audiobookshelf-podcasts-nfs-storage
+  name: {{ include "custom.podcastsNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: audiobookshelf-podcasts-nfs-storage
+  volumeName: {{ include "custom.podcastsNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: audiobookshelf-books-nfs-storage
+  name: {{ include "custom.booksNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -26,12 +25,11 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: audiobookshelf-audiobooks-nfs-storage
+  name: {{ include "custom.audiobooksNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -51,12 +49,11 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: audiobookshelf-podcasts-nfs-storage
+  name: {{ include "custom.podcastsNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/audiobookshelf/values.yaml

@@ -12,7 +12,7 @@ audiobookshelf:
         main:
           image:
             repository: ghcr.io/advplyr/audiobookshelf
-            tag: 2.33.1@sha256:a4a5841bba093d81e5f4ad1eaedb4da3fda6dbb2528c552349da50ad1f7ae708
+            tag: 2.33.2@sha256:a44ed89b3e845faa1f7d353f2cc89b2fcd8011737dd14075fa963cf9468da3a5
           env:
             - name: TZ
               value: America/Chicago
@@ -40,7 +40,7 @@ audiobookshelf:
             - name: APPRISE_STATELESS_URLS
               valueFrom:
                 secretKeyRef:
-                  name: audiobookshelf-apprise-config
+                  name: audiobookshelf-config-apprise
                   key: ntfy-url
   service:
     main:

clusters/cl01tl/helm/authentik/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/authentik/templates/external-secret.yaml

@@ -1,16 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: authentik-key-secret
+  name: authentik-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: authentik-key-secret
+    app.kubernetes.io/name: authentik-key
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: key
       remoteRef:

clusters/cl01tl/helm/authentik/templates/ingress.yaml

@@ -1,12 +1,11 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: authentik-tailscale
+  name: {{ .Release.Name }}-tailscale
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: authentik-tailscale
+    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     tailscale.com/proxy-class: no-metrics
   annotations:
     tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
@@ -26,4 +25,4 @@ spec:
               service:
                 name: authentik-server
                 port:
-                  number: 80
+                  name: http

clusters/cl01tl/helm/authentik/templates/reference-grant.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: allow-outpost-cross-namespace-access
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   from:
     - group: gateway.networking.k8s.io

clusters/cl01tl/helm/authentik/values.yaml

@@ -4,7 +4,7 @@ authentik:
       - name: AUTHENTIK_SECRET_KEY
         valueFrom:
           secretKeyRef:
-            name: authentik-key-secret
+            name: authentik-key
             key: key
       - name: AUTHENTIK_POSTGRESQL__HOST
         valueFrom:

clusters/cl01tl/helm/backrest/templates/_helpers.tpl

@@ -0,0 +1,24 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.storageNfsName" -}}
+backrest-nfs-storage
+{{- end -}}
+{{- define "custom.shareNfsName" -}}
+backrest-nfs-share
+{{- end -}}

clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml

@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: backrest-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: backrest-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: backrest-nfs-storage
+  volumeName: {{ include "custom.storageNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -20,14 +19,13 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: backrest-nfs-share
+  name: {{ include "custom.shareNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: backrest-nfs-share
+    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: backrest-nfs-share
+  volumeName: {{ include "custom.shareNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: backrest-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: backrest-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -26,12 +25,11 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: backrest-nfs-share
+  name: {{ include "custom.shareNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: backrest-nfs-share
+    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/bazarr/templates/_helpers.tpl

@@ -0,0 +1,21 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.storageNfsName" -}}
+bazarr-nfs-storage
+{{- end -}}

clusters/cl01tl/helm/bazarr/templates/external-secret.yaml

@@ -1,16 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: bazarr-key-secret
+  name: bazarr-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: bazarr-key-secret
+    app.kubernetes.io/name: bazarr-key
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: key
       remoteRef:

clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml

@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: bazarr-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: bazarr-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: bazarr-nfs-storage
+  volumeName: {{ include "custom.storageNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: bazarr-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: bazarr-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/bazarr/values.yaml

@@ -39,7 +39,7 @@ bazarr:
             - name: APIKEY
               valueFrom:
                 secretKeyRef:
-                  name: bazarr-key-secret
+                  name: bazarr-key
                   key: key
             - name: ENABLE_ADDITIONAL_METRICS
               value: false

clusters/cl01tl/helm/blocky/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/blocky/values.yaml

@@ -106,6 +106,7 @@ blocky:
               audiobookshelf                  IN      CNAME   traefik-cl01tl
               authentik                       IN      CNAME   traefik-cl01tl
               backrest                        IN      CNAME   traefik-cl01tl
+              bao                             IN      CNAME   traefik-cl01tl
               bazarr                          IN      CNAME   traefik-cl01tl
               ceph                            IN      CNAME   traefik-cl01tl
               dawarich                        IN      CNAME   traefik-cl01tl

clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl

@@ -0,0 +1,24 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.cloudflareSecretName" -}}
+cert-manager-cloudflare-api-token
+{{- end -}}
+{{- define "custom.cloudflareSecretKey" -}}
+api-token
+{{- end -}}

clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: letsencrypt-issuer
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   acme:
     email: alexanderlebens@gmail.com
@@ -22,5 +21,5 @@ spec:
           cloudflare:
             email: alexanderlebens@gmail.com
             apiTokenSecretRef:
-              name: cloudflare-api-token
+              name: {{ include "custom.cloudflareSecretName" . }}
-              key: api-token
+              key: {{ include "custom.cloudflareSecretKey" . }}

clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml

@@ -1,18 +1,17 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: cloudflare-api-token
+  name: {{ include "custom.cloudflareSecretName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: cloudflare-api-token
+    app.kubernetes.io/name: {{ include "custom.cloudflareSecretName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
-    - secretKey: api-token
+    - secretKey: {{ include "custom.cloudflareSecretKey" . }}
       remoteRef:
-        key: /cloudflare/alexlebens.net/clusterissuer
+        key: /cloudflare/alexlebens.net/cl01tl-issuer-certificate
         property: token

clusters/cl01tl/helm/cilium/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml

@@ -1,19 +0,0 @@
-# apiVersion: cilium.io/v2
-# kind: CiliumBGPAdvertisement
-# metadata:
-#   name: cilium-bgp-advertisements
-#   namespace: {{ .Release.Namespace }}
-#   labels:
-#     app.kubernetes.io/name: cilium-bgp-advertisements
-#     app.kubernetes.io/instance: {{ .Release.Name }}
-#     app.kubernetes.io/part-of: {{ .Release.Name }}
-# spec:
-#   advertisements:
-#     - advertisementType: "Service"
-#       service:
-#         addresses:
-#           - ExternalIP
-#           - LoadBalancerIP
-#       selector:
-#         matchExpressions:
-#          - {key: somekey, operator: NotIn, values: ['never-used-value']}

clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml

@@ -1,22 +0,0 @@
-# apiVersion: cilium.io/v2
-# kind: CiliumBGPClusterConfig
-# metadata:
-#   name: cilium-bgp
-#   namespace: {{ .Release.Namespace }}
-#   labels:
-#     app.kubernetes.io/name: cilium-bgp
-#     app.kubernetes.io/instance: {{ .Release.Name }}
-#     app.kubernetes.io/part-of: {{ .Release.Name }}
-# spec:
-#   nodeSelector:
-#     matchLabels:
-#       node-role.kubernetes.io/bgp: "65020"
-#   bgpInstances:
-#     - name: "65020"
-#       localASN: 65020
-#       peers:
-#         - name: "udm-65000"
-#           peerASN: 65000
-#           peerAddress: 192.168.1.1
-#           peerConfigRef:
-#             name: "cilium-peer"

clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml

@@ -1,23 +0,0 @@
-# apiVersion: cilium.io/v2
-# kind: CiliumBGPPeerConfig
-# metadata:
-#   name: cilium-peer
-#   namespace: {{ .Release.Namespace }}
-#   labels:
-#     app.kubernetes.io/name: cilium-peer
-#     app.kubernetes.io/instance: {{ .Release.Name }}
-#     app.kubernetes.io/part-of: {{ .Release.Name }}
-# spec:
-#   timers:
-#     holdTimeSeconds: 9
-#     keepAliveTimeSeconds: 3
-#   ebgpMultihop: 4
-#   gracefulRestart:
-#     enabled: true
-#     restartTimeSeconds: 15
-#   families:
-#     - afi: ipv4
-#       safi: unicast
-#       advertisements:
-#         matchLabels:
-#           app.kubernetes.io/name: cilium-bgp-advertisements

clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: default-ip-pool
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   blocks:
     - start: "10.232.1.21"
@@ -20,8 +19,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: bgp-ip-pool
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   blocks:
     - start: "10.232.2.100"

clusters/cl01tl/helm/cilium/templates/gateway.yaml

@@ -1,45 +0,0 @@
-# apiVersion: gateway.networking.k8s.io/v1
-# kind: Gateway
-# metadata:
-#   name: cilium-tls-gateway
-#   namespace: {{ .Release.Namespace }}
-#   labels:
-#     app.kubernetes.io/name: cilium-tls-gateway
-#     app.kubernetes.io/instance: {{ .Release.Name }}
-#     app.kubernetes.io/part-of: {{ .Release.Name }}
-#   annotations:
-#     cert-manager.io/cluster-issuer: letsencrypt-issuer
-# spec:
-#   addresses:
-#     - type: IPAddress
-#       value: 10.232.1.23
-#   gatewayClassName: cilium
-#   listeners:
-#     - allowedRoutes:
-#         namespaces:
-#           from: All
-#       hostname: '*.alexlebens.net'
-#       name: https
-#       port: 443
-#       protocol: HTTPS
-#       tls:
-#         certificateRefs:
-#           - group: ''
-#             kind: Secret
-#             name: https-gateway-cert
-#             namespace: kube-system
-#         mode: Terminate
-#     - allowedRoutes:
-#         namespaces:
-#           from: All
-#       hostname: 'alexlebens.net'
-#       name: https-domain
-#       port: 443
-#       protocol: HTTPS
-#       tls:
-#         certificateRefs:
-#           - group: ''
-#             kind: Secret
-#             name: https-gateway-cert
-#             namespace: kube-system
-#         mode: Terminate

clusters/cl01tl/helm/cilium/templates/http-route.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: hubble
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   parentRefs:
     - group: gateway.networking.k8s.io
@@ -21,8 +20,6 @@ spec:
           type: PathPrefix
           value: /
       backendRefs:
-        - group: ''
+        - kind: Service
-          kind: Service
           name: hubble-ui
           port: 80
-          weight: 100

clusters/cl01tl/helm/cloudnative-pg/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 0.28.0
 - name: plugin-barman-cloud
   repository: https://cloudnative-pg.io/charts/
-  version: 0.5.0
+  version: 0.6.0
-digest: sha256:3e9b26d00fdb61af60f003bcb327e05d02799eb6088e30aaabd01c49c6021aac
+digest: sha256:48241acb753e635a01b306b90cfbce13ed3c0105a33ec7d36f159e3a7fe607f3
-generated: "2026-04-01T20:05:40.198140255Z"
+generated: "2026-04-14T09:03:10.332065288Z"

clusters/cl01tl/helm/cloudnative-pg/Chart.yaml

@@ -20,7 +20,7 @@ dependencies:
     version: 0.28.0
     repository: https://cloudnative-pg.io/charts/
   - name: plugin-barman-cloud
-    version: 0.5.0
+    version: 0.6.0
     repository: https://cloudnative-pg.io/charts/
 icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png
 # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg

clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/coredns/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/dawarich/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/dawarich/templates/external-secret.yaml

@@ -1,16 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-key-secret
+  name: dawarich-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: dawarich-key-secret
+    app.kubernetes.io/name: dawarich-key
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: key
       remoteRef:
@@ -21,22 +20,21 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-oidc-secret
+  name: dawarich-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: dawarich-oidc-secret
+    app.kubernetes.io/name: dawarich-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: client
       remoteRef:
-        key: /authentik/oidc/dawarich
+        key: /cl01tl/authentik/oidc/dawarich
         property: client
     - secretKey: secret
       remoteRef:
-        key: /authentik/oidc/dawarich
+        key: /cl01tl/authentik/oidc/dawarich
         property: secret

clusters/cl01tl/helm/dawarich/values.yaml

@@ -61,12 +61,12 @@ dawarich:
             - name: OIDC_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-oidc-secret
+                  name: dawarich-oidc-authentik
                   key: client
             - name: OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-oidc-secret
+                  name: dawarich-oidc-authentik
                   key: secret
             - name: OIDC_PROVIDER_NAME
               value: Authentik
@@ -81,7 +81,7 @@ dawarich:
             - name: SECRET_KEY_BASE
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-key-secret
+                  name: dawarich-key
                   key: key
             - name: RAILS_LOG_TO_STDOUT
               value: true

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml

@@ -1,16 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: synology-iscsi-config-secret
+  name: synology-iscsi-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: synology-iscsi-config-secret
+    app.kubernetes.io/name: synology-iscsi-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: driver-config-file.yaml
       remoteRef:

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml

@@ -1,11 +1,10 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: democratic-csi-synology-iscsi
+  name: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: democratic-csi-synology-iscsi
+    app.kubernetes.io/name: {{ .Release.Namespace }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml

@@ -3,7 +3,7 @@ democratic-csi:
     image:
       registry: ghcr.io/democratic-csi/democratic-csi
       tag: v1.9.5@@sha256:fc3b7d7ed3a616714139525075312758e23a5d425ffb539ad12c9bd20fb6001f
-    existingConfigSecret: synology-iscsi-config-secret
+    existingConfigSecret: synology-iscsi-config
     config:
       driver: synology-iscsi
     resources:

clusters/cl01tl/helm/descheduler/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/directus/Chart.yaml

@@ -5,7 +5,7 @@ description: Directus
 keywords:
   - directus
   - content-management-system
-home: https://docs.alexlebens.dev/applications/descheduler/
+home: https://docs.alexlebens.dev/applications/directus/
 sources:
   - https://github.com/directus/directus
   - https://github.com/directus/directus/pkgs/container/directus
@@ -29,4 +29,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 # renovate: datasource=github-releases depName=directus/directus
-appVersion: 11.17.2
+appVersion: 11.17.3

clusters/cl01tl/helm/directus/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/directus/templates/external-secret.yaml

@@ -5,13 +5,20 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
+    - secretKey: key
+      remoteRef:
+        key: /cl01tl/directus/key
+        property: key
+    - secretKey: secret
+      remoteRef:
+        key: /cl01tl/directus/key
+        property: secret
     - secretKey: admin-email
       remoteRef:
         key: /cl01tl/directus/config
@@ -20,38 +27,6 @@ spec:
       remoteRef:
         key: /cl01tl/directus/config
         property: admin-password
-    - secretKey: secret
-      remoteRef:
-        key: /cl01tl/directus/config
-        property: secret
-    - secretKey: key
-      remoteRef:
-        key: /cl01tl/directus/config
-        property: key
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-oidc-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-oidc-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: OIDC_CLIENT_ID
-      remoteRef:
-        key: /authentik/oidc/directus
-        property: client
-    - secretKey: OIDC_CLIENT_SECRET
-      remoteRef:
-        key: /authentik/oidc/directus
-        property: secret
 
 ---
 apiVersion: external-secrets.io/v1
@@ -61,18 +36,67 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-metric-token
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: metric-token
       remoteRef:
         key: /cl01tl/directus/metrics
         property: metric-token
 
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-valkey-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-valkey-config
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: user
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: user
+    - secretKey: password
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: password
+    - secretKey: default
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: password
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-oidc-authentik
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-oidc-authentik
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: OIDC_CLIENT_ID
+      remoteRef:
+        key: /cl01tl/authentik/oidc/directus
+        property: client
+    - secretKey: OIDC_CLIENT_SECRET
+      remoteRef:
+        key: /cl01tl/authentik/oidc/directus
+        property: secret
+
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -81,12 +105,11 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-bucket-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
@@ -100,31 +123,3 @@ spec:
       remoteRef:
         key: /garage/home-infra/directus-assets
         property: ACCESS_REGION
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-valkey-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-valkey-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: default
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: password
-    - secretKey: user
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: user
-    - secretKey: password
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: password

clusters/cl01tl/helm/directus/values.yaml

@@ -8,7 +8,7 @@ directus:
         main:
           image:
             repository: ghcr.io/directus/directus
-            tag: 11.17.2@sha256:5e5978377f1cc9820ffc5b92597da1573a1350ea57f8aba42efd999139993874
+            tag: 11.17.3@sha256:ae6ab737fd04077d295bbefa545cc4aefccc206e3d0120c83812f9b482a8c9a5
           env:
             - name: PUBLIC_URL
               value: https://directus.alexlebens.net
@@ -113,12 +113,12 @@ directus:
             - name: AUTH_AUTHENTIK_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: directus-oidc-secret
+                  name: directus-oidc-authentik
                   key: OIDC_CLIENT_ID
             - name: AUTH_AUTHENTIK_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: directus-oidc-secret
+                  name: directus-oidc-authentik
                   key: OIDC_CLIENT_SECRET
             - name: AUTH_AUTHENTIK_SCOPE
               value: openid profile email

clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/element-web/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/eraser/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/excalidraw/Chart.yaml

@@ -5,7 +5,7 @@ description: Excalidraw
 keywords:
   - excalidraw
   - drawing
-home: https://docs.alexlebens.dev/applications/eraser/
+home: https://docs.alexlebens.dev/applications/excalidraw/
 sources:
   - https://github.com/excalidraw/excalidraw
   - https://hub.docker.com/r/excalidraw/excalidraw

clusters/cl01tl/helm/excalidraw/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/excalidraw/values.yaml

@@ -8,7 +8,7 @@ excalidraw:
         main:
           image:
             repository: excalidraw/excalidraw
-            tag: latest@sha256:3c2513e830bb6e195147c05b34ecf8393d0ba2b1cc86e93b407a5777d6135c6c
+            tag: latest@sha256:20ffa04668e19616bb0c1b3632849e5cd96e0bc7a1336b73d9d072667f2c2854
           env:
             - name: NODE_ENV
               value: production

clusters/cl01tl/helm/external-dns/Chart.yaml

@@ -5,7 +5,7 @@ description: External DNS
 keywords:
   - external-dns
   - dns
-home: https://docs.alexlebens.dev/applications/eraser/
+home: https://docs.alexlebens.dev/applications/external-dns/
 sources:
   - https://github.com/kubernetes-sigs/external-dns
   - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fexternal-dns%2Fexternal-dns

clusters/cl01tl/helm/external-dns/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/external-dns/templates/dns-endpoint.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: external-device-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Unifi UDM
@@ -48,8 +47,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: iot-device-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Airgradient
@@ -82,6 +80,18 @@ spec:
       recordType: A
       targets:
         - 10.230.0.100
+    # HD Homerun
+    - dnsName: dv01hr.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.72
+    # Pi KVM
+    - dnsName: dv02kv.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.71
 
 ---
 apiVersion: externaldns.k8s.io/v1alpha1
@@ -91,8 +101,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: server-host-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Unifi Gateway
@@ -125,6 +134,18 @@ spec:
       recordType: A
       targets:
         - 10.232.1.52
+    # Desktop
+    - dnsName: pd05wd.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.230.0.115
+    # Laptop
+    - dnsName: pl02mc.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.230.0.105
 
 ---
 apiVersion: externaldns.k8s.io/v1alpha1
@@ -134,8 +155,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: cluster-service-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Treafik Proxy

clusters/cl01tl/helm/external-dns/templates/external-secret.yaml

@@ -5,12 +5,11 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: external-dns-unifi-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: api-key
       remoteRef:

clusters/cl01tl/helm/external-secrets/Chart.yaml

@@ -18,4 +18,4 @@ dependencies:
     repository: https://charts.external-secrets.io
 icon: https://raw.githubusercontent.com/external-secrets/external-secrets/refs/heads/main/assets/eso-logo-large.png
 # renovate: datasource=github-releases depName=external-secrets/external-secrets
-appVersion: vv2.3.0
+appVersion: v2.3.0

clusters/cl01tl/helm/external-secrets/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-secrets
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: external-secrets
+    {{- include "custom.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}

clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   provider:
     vault:
@@ -17,3 +16,28 @@ spec:
           namespace: vault
           name: vault-token
           key: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+  name: openbao
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: openbao
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  provider:
+    vault:
+      server: http://openbao-internal.openbao:8200
+      path: secret
+      version: v2
+      auth:
+        kubernetes:
+          mountPath: kubernetes
+          role: external-secrets
+          serviceAccountRef:
+            name: {{ .Release.Name }}
+            namespace: {{ .Release.Namespace }}
+            audiences:
+              - openbao

clusters/cl01tl/helm/foldergram/templates/_helpers.tpl

@@ -0,0 +1,21 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.storageNfsName" -}}
+foldergram-pictures-collections-nfs-storage
+{{- end -}}

clusters/cl01tl/helm/foldergram/templates/persistent-volume-claim.yaml

@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: foldergram-pictures-collections-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: foldergram-pictures-collections-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: foldergram-pictures-collections-nfs-storage
+  volumeName: {{ include "custom.storageNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/foldergram/templates/persistent-volume.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: foldergram-pictures-collections-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: foldergram-pictures-collections-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/foldergram/values.yaml

@@ -70,7 +70,7 @@ foldergram:
       forceRename: foldergram-data
       storageClass: synology-iscsi-delete
       accessMode: ReadWriteOnce
-      size: 100Gi
+      size: 250Gi
       advancedMounts:
         main:
           main:

clusters/cl01tl/helm/freshrss/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/freshrss/templates/external-secret.yaml

@@ -1,54 +1,52 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: freshrss-install-secret
+  name: freshrss-install-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: freshrss-install-secret
+    app.kubernetes.io/name: freshrss-install-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: ADMIN_EMAIL
       remoteRef:
         key: /cl01tl/freshrss/config
-        property: ADMIN_EMAIL
+        property: admin-email
     - secretKey: ADMIN_PASSWORD
       remoteRef:
         key: /cl01tl/freshrss/config
-        property: ADMIN_PASSWORD
+        property: admin-password
     - secretKey: ADMIN_API_PASSWORD
       remoteRef:
         key: /cl01tl/freshrss/config
-        property: ADMIN_API_PASSWORD
+        property: admin-api-password
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: freshrss-oidc-secret
+  name: freshrss-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: freshrss-oidc-secret
+    app.kubernetes.io/name: freshrss-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
-        key: /authentik/oidc/freshrss
+        key: /cl01tl/authentik/oidc/freshrss
         property: client
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
-        key: /authentik/oidc/freshrss
+        key: /cl01tl/authentik/oidc/freshrss
         property: secret
     - secretKey: OIDC_CLIENT_CRYPTO_KEY
       remoteRef:
-        key: /authentik/oidc/freshrss
+        key: /cl01tl/freshrss/key
-        property: crypto-key
+        property: oidc-client-crypto-key

clusters/cl01tl/helm/freshrss/values.yaml

@@ -73,9 +73,9 @@ freshrss:
               value: preferred_username
           envFrom:
             - secretRef:
-                name: freshrss-oidc-secret
+                name: freshrss-oidc-authentik
             - secretRef:
-                name: freshrss-install-secret
+                name: freshrss-install-config
           resources:
             requests:
               cpu: 1m

clusters/cl01tl/helm/garage/Chart.yaml

@@ -21,4 +21,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/garage.png
 # renovate: datasource=docker depName=dxflrs/garage
-appVersion: v2.2.0
+appVersion: v2.3.0

clusters/cl01tl/helm/garage/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/garage/templates/external-secret.yaml

@@ -1,26 +1,25 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: garage-token-secret
+  name: garage-token
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: garage-token-secret
+    app.kubernetes.io/name: garage-token
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: GARAGE_RPC_SECRET
       remoteRef:
-        key: /cl01tl/garage/token
+        key: /cl01tl/garage/config
-        property: rpc
+        property: rpc-secret
     - secretKey: GARAGE_ADMIN_TOKEN
       remoteRef:
-        key: /cl01tl/garage/token
+        key: /cl01tl/garage/config
-        property: admin
+        property: admin-token
     - secretKey: GARAGE_METRICS_TOKEN
       remoteRef:
-        key: /cl01tl/garage/token
+        key: /cl01tl/garage/config
-        property: metric
+        property: metrics-token

clusters/cl01tl/helm/garage/templates/service.yaml

@@ -6,8 +6,7 @@ metadata:
   labels:
     app.kubernetes.io/name: garage-main
     app.kubernetes.io/service: garage-main
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   ports:
     - name: admin
@@ -27,6 +26,6 @@ spec:
       protocol: TCP
       targetPort: 3902
   selector:
-    app.kubernetes.io/instance: garage
     app.kubernetes.io/name: garage
+    app.kubernetes.io/instance: garage
     garage-type: server

clusters/cl01tl/helm/garage/values.yaml

@@ -21,10 +21,10 @@ garage:
         main:
           image:
             repository: dxflrs/garage
-            tag: v2.2.0@sha256:45a61ce3f7c9c24fc23d9ed2b09b27ed560ab87b34605d175d5c588f539c24e4
+            tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
           envFrom:
             - secretRef:
-                name: garage-token-secret
+                name: garage-token
           resources:
             requests:
               cpu: 10m
@@ -50,10 +50,10 @@ garage:
         main:
           image:
             repository: dxflrs/garage
-            tag: v2.2.0@sha256:45a61ce3f7c9c24fc23d9ed2b09b27ed560ab87b34605d175d5c588f539c24e4
+            tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
           envFrom:
             - secretRef:
-                name: garage-token-secret
+                name: garage-token
           resources:
             requests:
               cpu: 10m
@@ -79,10 +79,10 @@ garage:
         main:
           image:
             repository: dxflrs/garage
-            tag: v2.2.0@sha256:45a61ce3f7c9c24fc23d9ed2b09b27ed560ab87b34605d175d5c588f539c24e4
+            tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
           envFrom:
             - secretRef:
-                name: garage-token-secret
+                name: garage-token
           resources:
             requests:
               cpu: 10m
@@ -104,7 +104,7 @@ garage:
             - name: API_ADMIN_KEY
               valueFrom:
                 secretKeyRef:
-                  name: garage-token-secret
+                  name: garage-token
                   key: GARAGE_ADMIN_TOKEN
           resources:
             requests:
@@ -273,7 +273,7 @@ garage:
           scrapeTimeout: 2m
           path: /metrics
           bearerTokenSecret:
-            name: garage-token-secret
+            name: garage-token
             key: GARAGE_METRICS_TOKEN
   route:
     webui:

clusters/cl01tl/helm/gatus/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/gatus/templates/external-secret.yaml

@@ -1,42 +1,40 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gatus-config-secret
+  name: gatus-config
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gatus-config-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: NTFY_TOKEN
       remoteRef:
-        key: /ntfy/user/cl01tl
+        key: /cl01tl/ntfy/users/cl01tl
         property: token
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gatus-oidc-secret
+  name: gatus-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gatus-oidc-secret
+    app.kubernetes.io/name: gatus-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
-        key: /authentik/oidc/gatus
+        key: /cl01tl/authentik/oidc/gatus
         property: client
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
-        key: /authentik/oidc/gatus
+        key: /cl01tl/authentik/oidc/gatus
         property: secret

clusters/cl01tl/helm/gatus/values.yaml

@@ -20,17 +20,17 @@ gatus:
     NTFY_TOKEN:
       valueFrom:
         secretKeyRef:
-          name: gatus-config-secret
+          name: gatus-config
           key: NTFY_TOKEN
     OIDC_CLIENT_ID:
       valueFrom:
         secretKeyRef:
-          name: gatus-oidc-secret
+          name: gatus-oidc-authentik
           key: OIDC_CLIENT_ID
     OIDC_CLIENT_SECRET:
       valueFrom:
         secretKeyRef:
-          name: gatus-oidc-secret
+          name: gatus-oidc-authentik
           key: OIDC_CLIENT_SECRET
     POSTGRES_USER:
       valueFrom:
@@ -266,6 +266,9 @@ gatus:
       - name: vault
         url: https://vault.alexlebens.net
         <<: *defaults
+      - name: openbao
+        url: https://bao.alexlebens.net
+        <<: *defaults
       - name: backrest
         url: https://backrest.alexlebens.net
         <<: *defaults

clusters/cl01tl/helm/generic-device-plugin/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: generic-device-plugin
   repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-  version: 0.20.30
+  version: 0.20.31
-digest: sha256:9bc92f3ced6f5bad9f656ce355f5a633c200183f1ab6fa26c897bea9f76054ee
+digest: sha256:2e073f735a5ff699844eb67715ab20d403261b3e9c035ebdc4292cee9666b4f4
-generated: "2026-04-14T00:59:53.650540444Z"
+generated: "2026-04-15T01:16:30.361061773Z"

clusters/cl01tl/helm/generic-device-plugin/Chart.yaml

@@ -14,6 +14,6 @@ maintainers:
 dependencies:
   - name: generic-device-plugin
     repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-    version: 0.20.30
+    version: 0.20.31
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 appVersion: 1.0.0

clusters/cl01tl/helm/generic-device-plugin/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/generic-device-plugin/templates/namespace.yaml

@@ -1,11 +1,10 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: generic-device-plugin
+  name: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: generic-device-plugin
+    app.kubernetes.io/name: {{ .Release.Namespace }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/gitea/Chart.lock

@@ -1,13 +1,13 @@
 dependencies:
 - name: gitea
   repository: https://dl.gitea.com/charts/
-  version: 12.5.0
+  version: 12.5.3
 - name: actions
   repository: https://dl.gitea.com/charts/
-  version: 0.0.5
+  version: 0.1.0
 - name: meilisearch
   repository: https://meilisearch.github.io/meilisearch-kubernetes
-  version: 0.30.0
+  version: 0.32.0
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 2.5.0
@@ -23,5 +23,5 @@ dependencies:
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.8.0
-digest: sha256:c2d6fcbbaffacda0598d81d7d3745e83040d59525ecaccd35d57dce773cf5309
+digest: sha256:2144d55ea34ba25bd81c1e479ee5cd27097fafb5676b96e63aa0e32ad2868925
-generated: "2026-04-13T20:33:29.673072156Z"
+generated: "2026-04-16T20:09:26.031592859Z"

clusters/cl01tl/helm/gitea/Chart.yaml

@@ -26,14 +26,14 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: gitea
-    version: 12.5.0
+    version: 12.5.3
     repository: https://dl.gitea.com/charts/
   - name: actions
     alias: gitea-actions
     repository: https://dl.gitea.com/charts/
-    version: 0.0.5
+    version: 0.1.0
   - name: meilisearch
-    version: 0.30.0
+    version: 0.32.0
     repository: https://meilisearch.github.io/meilisearch-kubernetes
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
@@ -56,4 +56,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/gitea.png
 # renovate: datasource=github-releases depName=go-gitea/gitea
-appVersion: 1.25.5
+appVersion: 1.26.0

clusters/cl01tl/helm/gitea/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/gitea/templates/config-map.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-custom-templates
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 data:
   header.tmpl: |
     <script defer src="https://rybbit.alexlebens.dev/api/script.js" data-site-id="b515c34a6dcc"></script>

clusters/cl01tl/helm/gitea/templates/external-secret.yaml

@@ -1,64 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
-metadata:
-  name: gitea-admin-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-admin-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: username
-      remoteRef:
-        key: /cl01tl/gitea/auth/admin
-        property: username
-    - secretKey: password
-      remoteRef:
-        key: /cl01tl/gitea/auth/admin
-        property: password
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-oidc-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-oidc-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: secret
-      remoteRef:
-        key: /authentik/oidc/gitea
-        property: secret
-    - secretKey: key
-      remoteRef:
-        key: /authentik/oidc/gitea
-        property: client
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
 metadata:
   name: gitea-runner-secret
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-runner-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: token
       remoteRef:
@@ -69,80 +20,15 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gitea-renovate-secret
+  name: gitea-meilisearch-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gitea-renovate-secret
+    app.kubernetes.io/name: gitea-meilisearch-key
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
-  data:
-    - secretKey: RENOVATE_ENDPOINT
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: RENOVATE_ENDPOINT
-    - secretKey: RENOVATE_GIT_AUTHOR
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: RENOVATE_GIT_AUTHOR
-    - secretKey: RENOVATE_TOKEN
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: RENOVATE_TOKEN
-    - secretKey: RENOVATE_GIT_PRIVATE_KEY
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: id_rsa
-    - secretKey: RENOVATE_GITHUB_COM_TOKEN
-      remoteRef:
-        key: /github/gitea-cl01tl
-        property: token
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-renovate-ssh-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-renovate-ssh-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: config
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: ssh_config
-    - secretKey: id_rsa
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: id_rsa
-    - secretKey: id_rsa.pub
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: id_rsa.pub
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-meilisearch-master-key-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-meilisearch-master-key-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
   target:
     template:
       mergePolicy: Merge
@@ -153,4 +39,27 @@ spec:
     - secretKey: MEILI_MASTER_KEY
       remoteRef:
         key: /cl01tl/gitea/meilisearch
-        property: MEILI_MASTER_KEY
+        property: master-key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-oidc-authentik
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-oidc-authentik
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: secret
+      remoteRef:
+        key: /cl01tl/authentik/oidc/gitea
+        property: secret
+    - secretKey: key
+      remoteRef:
+        key: /cl01tl/authentik/oidc/gitea
+        property: client

clusters/cl01tl/helm/gitea/templates/http-route.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   parentRefs:
     - group: gateway.networking.k8s.io
@@ -21,8 +20,6 @@ spec:
           type: PathPrefix
           value: /
       backendRefs:
-        - group: ''
+        - kind: Service
-          kind: Service
           name: gitea-http
           port: 3000
-          weight: 100

clusters/cl01tl/helm/gitea/templates/ingress.yaml

@@ -1,12 +1,11 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: gitea-tailscale
+  name: {{ .Release.Name }}-tailscale
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gitea-tailscale
+    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     tailscale.com/proxy-class: no-metrics
   annotations:
     tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
@@ -21,7 +20,7 @@ spec:
       http:
         paths:
           - path: /
-            pathType: ImplementationSpecific
+            pathType: Prefix
             backend:
               service:
                 name: gitea-http

clusters/cl01tl/helm/gitea/templates/namespace.yaml

@@ -1,11 +1,10 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: gitea
+  name: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gitea
+    app.kubernetes.io/name: {{ .Release.Namespace }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/gitea/templates/persistent-volume-claim.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-themes-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   volumeMode: Filesystem
   storageClassName: ceph-filesystem

clusters/cl01tl/helm/gitea/templates/service-monitor.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   selector:
     matchLabels: