use service

add service
remove vue
2025-12-20 17:38:28 -06:00 · 2025-12-20 17:29:28 -06:00 · 2025-12-20 16:41:41 -06:00 · 2025-12-20 16:34:21 -06:00 · 2025-12-20 16:33:52 -06:00 · 2025-12-20 16:32:15 -06:00
47 changed files with 1028 additions and 242 deletions
--- a/clusters/cl01tl/helm/blocky/values.yaml
+++ b/clusters/cl01tl/helm/blocky/values.yaml
@@ -129,7 +129,6 @@ blocky:
              huntarr                         IN      CNAME   traefik-cl01tl
              immich                          IN      CNAME   traefik-cl01tl
              jellyfin                        IN      CNAME   traefik-cl01tl
-              jellyfin-vue                    IN      CNAME   traefik-cl01tl
              jellystat                       IN      CNAME   traefik-cl01tl
              kiwix                           IN      CNAME   traefik-cl01tl
              komodo                          IN      CNAME   traefik-cl01tl
--- a/clusters/cl01tl/helm/booklore/values.yaml
+++ b/clusters/cl01tl/helm/booklore/values.yaml
@@ -9,7 +9,7 @@ booklore:
        main:
          image:
            repository: ghcr.io/booklore-app/booklore
-            tag: v1.14.1
+            tag: v1.15.0
            pullPolicy: IfNotPresent
          env:
            - name: TZ
--- a/clusters/cl01tl/helm/coredns/values.yaml
+++ b/clusters/cl01tl/helm/coredns/values.yaml
@@ -1,7 +1,7 @@
 coredns:
  image:
    repository: registry.k8s.io/coredns/coredns
-    tag: v1.13.1
+    tag: v1.13.2
  replicaCount: 3
  resources:
    requests:
--- a/clusters/cl01tl/helm/external-secrets/Chart.lock
+++ b/clusters/cl01tl/helm/external-secrets/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: external-secrets
  repository: https://charts.external-secrets.io
-  version: 1.1.1
-digest: sha256:d346563864c95c4ca3fe5f04f6b292e417069d171f5866b5af0fe84277481493
-generated: "2025-12-06T18:01:23.564488208Z"
+  version: 1.2.0
+digest: sha256:6e713c4b50c14d9daf1758d9f169d10a8c7274d2c42490846817b6fb1a3ce558
+generated: "2025-12-20T01:04:35.136580598Z"
--- a/clusters/cl01tl/helm/external-secrets/Chart.yaml
+++ b/clusters/cl01tl/helm/external-secrets/Chart.yaml
@@ -12,7 +12,7 @@ sources:
  - https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
 dependencies:
  - name: external-secrets
-    version: 1.1.1
+    version: 1.2.0
    repository: https://charts.external-secrets.io
 icon: https://avatars.githubusercontent.com/u/68335991?s=48&v=4
 appVersion: v1.1.1
--- a/clusters/cl01tl/helm/gatus/values.yaml
+++ b/clusters/cl01tl/helm/gatus/values.yaml
@@ -122,9 +122,6 @@ gatus:
      - name: jellyfin
        url: https://jellyfin.alexlebens.net
        <<: *defaults
-      - name: jellyfin-vue
-        url: https://jellyfin-vue.alexlebens.net
-        <<: *defaults
      - name: overseerr
        url: https://overseerr.alexlebens.net
        <<: *defaults
--- a/clusters/cl01tl/helm/headlamp/Chart.lock
+++ b/clusters/cl01tl/helm/headlamp/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: headlamp
  repository: https://kubernetes-sigs.github.io/headlamp/
-  version: 0.38.0
-digest: sha256:3f4c6bb308a1e5e757368ea9eee902d5ade7d33881c0f6c8402d6ed41641e260
-generated: "2025-12-01T19:55:48.64361-06:00"
+  version: 0.39.0
+digest: sha256:870e456773199684c150585c12c2e18b3f0895ee8cc73481a53b23c8e94560b1
+generated: "2025-12-20T00:03:40.10414707Z"
--- a/clusters/cl01tl/helm/headlamp/Chart.yaml
+++ b/clusters/cl01tl/helm/headlamp/Chart.yaml
@@ -14,7 +14,7 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: headlamp
-    version: 0.38.0
+    version: 0.39.0
    repository: https://kubernetes-sigs.github.io/headlamp/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/headlamp.png
 appVersion: 0.38.0
--- a/clusters/cl01tl/helm/home-assistant/values.yaml
+++ b/clusters/cl01tl/helm/home-assistant/values.yaml
@@ -9,7 +9,7 @@ home-assistant:
        main:
          image:
            repository: ghcr.io/home-assistant/home-assistant
-            tag: 2025.12.3
+            tag: 2025.12.4
            pullPolicy: IfNotPresent
          env:
            - name: TZ
--- a/clusters/cl01tl/helm/homepage/values.yaml
+++ b/clusters/cl01tl/helm/homepage/values.yaml
@@ -141,12 +141,6 @@ homepage:
                  href: https://jellyfin.alexlebens.net
                  siteMonitor: http://jellyfin.jellyfin:80
                  statusStyle: dot
-              - Jellyfin (Alt):
-                  icon: sh-jellyfin.webp
-                  description: Media server (Alternate UI)
-                  href: https://jellyfin-vue.alexlebens.net
-                  siteMonitor: http://jellyfin-vue.jellyfin:80
-                  statusStyle: dot
              - Media Requests:
                  icon: sh-overseerr.webp
                  description: Overseerr
--- a/clusters/cl01tl/helm/immich/values.yaml
+++ b/clusters/cl01tl/helm/immich/values.yaml
@@ -9,7 +9,7 @@ immich:
        main:
          image:
            repository: ghcr.io/immich-app/immich-server
-            tag: v2.3.1
+            tag: v2.4.1
            pullPolicy: IfNotPresent
          env:
            - name: TZ
--- a/clusters/cl01tl/helm/jellyfin/templates/http-route.yaml
+++ b/clusters/cl01tl/helm/jellyfin/templates/http-route.yaml
@@ -26,33 +26,3 @@ spec:
          name: jellyfin
          port: 80
          weight: 100
-
---
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-jellyfin-vue
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-jellyfin-vue
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - jellyfin-vue.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: jellyfin-vue
-          port: 80
-          weight: 100
--- a/clusters/cl01tl/helm/jellyfin/values.yaml
+++ b/clusters/cl01tl/helm/jellyfin/values.yaml
@@ -25,22 +25,6 @@ jellyfin:
              gpu.intel.com/i915: 1
              cpu: 1
              memory: 2Gi
-    vue:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      revisionHistoryLimit: 3
-      containers:
-        main:
-          image:
-            repository: ghcr.io/jellyfin/jellyfin-vue
-            tag: unstable@sha256:e73edd4dfc2e4028e83a0638cf6cf207a8edbdb4ec8d1231f7efef08658a6fd7
-            pullPolicy: IfNotPresent
-          env:
-            - name: DEFAULT_SERVERS
-              value: https://jellyfin.alexlebens.net
-            - name: DISABLE_SERVER_SELECTION
-              value: true
  service:
    main:
      forceRename: jellyfin
@@ -50,13 +34,6 @@ jellyfin:
          port: 80
          targetPort: 8096
          protocol: HTTP
-    vue:
-      controller: vue
-      ports:
-        http:
-          port: 80
-          targetPort: 80
-          protocol: HTTP
  persistence:
    config:
      forceRename: jellyfin-config
--- a/clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: kube-prometheus-stack
  repository: oci://ghcr.io/prometheus-community/charts
-  version: 80.4.2
+  version: 80.6.0
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.5.0
 - name: redis-replication
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.5.0
-digest: sha256:e167d9dd4f23c5c590d3e44c89e8f76860a1cc5c8acd4b7939fcd3a8cd7d24b4
-generated: "2025-12-17T16:26:22.948236914Z"
+digest: sha256:6f046a936f1d732a44113eb0b7e54330a4261042179f37f4c94fccc9f20ee511
+generated: "2025-12-20T01:04:57.413744271Z"
--- a/clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
@@ -20,7 +20,7 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: kube-prometheus-stack
-    version: 80.4.2
+    version: 80.6.0
    repository: oci://ghcr.io/prometheus-community/charts
  - name: app-template
    alias: ntfy-alertmanager
--- a/clusters/cl01tl/helm/qbittorrent/templates/config-map.yaml
+++ b/clusters/cl01tl/helm/qbittorrent/templates/config-map.yaml
@@ -9,19 +9,57 @@ metadata:
    app.kubernetes.io/part-of: {{ .Release.Name }}
 data:
  update.sh: |
-    if ! command -v curl 2>&1 >/dev/null
-    then
-        echo "curl could not be found, installing";
-        apk add curl;
-    fi;
-
-    if ! command -v jq 2>&1 >/dev/null
-    then
-        echo "jq could not be found, installing";
-        apk add jq;
-    fi;
-
    API_ENDPOINT="http://localhost:8080/api/v2";
+    MAX_RETRIES=5
+    SUCCESS=false
+
+    echo " "
+    echo ">> Running Update Port Script ..."
+
+    echo " "
+    echo ">> Verifying required commands ..."
+    echo " "
+
+    for i in $(seq 1 "$MAX_RETRIES"); do
+        if apk update 2>&1 >/dev/null; then
+            echo ">> Attempt $i: Repositories are reachable"
+            SUCCESS=true
+            break
+        else
+            echo ">> Attempt $i: Connection failed, retrying in 5 seconds ..."
+            sleep 5
+        fi
+    done
+
+    if [ "$SUCCESS" = false ]; then
+        echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ..."
+        exit 1
+    fi
+
+    if ! command -v curl 2>&1 >/dev/null; then
+        echo ">> Command curl could not be found, installing";
+        apk add --no-cache -q curl;
+        if [ $? -eq 0 ]; then
+            echo ">> Installation successful"
+        else
+            echo ">> Installation failed with exit code $?"
+            exit 1
+        fi
+    fi;
+
+    if ! command -v jq 2>&1 >/dev/null; then
+        echo " "
+        echo ">> Command jq could not be found, installing";
+        apk add --no-cache -q jq;
+        if [ $? -eq 0 ]; then
+            echo " "
+            echo ">> Installation successful"
+        else
+            echo " "
+            echo ">> Installation failed with exit code $?"
+            exit 1
+        fi
+    fi;

    # echo " ";
    # echo ">> Authentication ...";
--- a/clusters/cl01tl/helm/qbittorrent/values.yaml
+++ b/clusters/cl01tl/helm/qbittorrent/values.yaml
@@ -198,7 +198,7 @@ qbittorrent:
        qui:
          image:
            repository: ghcr.io/autobrr/qui
-            tag: v1.10.0
+            tag: v1.11.0
            pullPolicy: IfNotPresent
          env:
            - name: QUI__METRICS_ENABLED
--- a/clusters/cl01tl/helm/shelly-plug/values.yaml
+++ b/clusters/cl01tl/helm/shelly-plug/values.yaml
@@ -36,7 +36,7 @@ shelly-plug:
        main:
          image:
            repository: php
-            tag: 8.5.0-apache-bookworm
+            tag: 8.5.1-apache-bookworm
            pullPolicy: IfNotPresent
          env:
            - name: SHELLY_HOSTNAME
--- a/clusters/cl01tl/helm/sonarr-4k/values.yaml
+++ b/clusters/cl01tl/helm/sonarr-4k/values.yaml
@@ -13,7 +13,7 @@ sonarr-4k:
        main:
          image:
            repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.16@sha256:60e5edcac39172294ad22d55d1b08c2c0a9fe658cad2f2c4d742ae017d7874de
+            tag: 4.0.16@sha256:8b9f2138ec50fc9e521960868f79d2ad0d529bc610aef19031ea8ff80b54c5e0
            pullPolicy: IfNotPresent
          env:
            - name: TZ
--- a/clusters/cl01tl/helm/sonarr-anime/values.yaml
+++ b/clusters/cl01tl/helm/sonarr-anime/values.yaml
@@ -13,7 +13,7 @@ sonarr-anime:
        main:
          image:
            repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.16@sha256:60e5edcac39172294ad22d55d1b08c2c0a9fe658cad2f2c4d742ae017d7874de
+            tag: 4.0.16@sha256:8b9f2138ec50fc9e521960868f79d2ad0d529bc610aef19031ea8ff80b54c5e0
            pullPolicy: IfNotPresent
          env:
            - name: TZ
--- a/clusters/cl01tl/helm/sonarr/values.yaml
+++ b/clusters/cl01tl/helm/sonarr/values.yaml
@@ -13,7 +13,7 @@ sonarr:
        main:
          image:
            repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.16@sha256:60e5edcac39172294ad22d55d1b08c2c0a9fe658cad2f2c4d742ae017d7874de
+            tag: 4.0.16@sha256:8b9f2138ec50fc9e521960868f79d2ad0d529bc610aef19031ea8ff80b54c5e0
            pullPolicy: IfNotPresent
          env:
            - name: TZ
--- a/clusters/cl01tl/helm/tailscale-operator/Chart.lock
+++ b/clusters/cl01tl/helm/tailscale-operator/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: tailscale-operator
  repository: https://pkgs.tailscale.com/helmcharts
-  version: 1.92.3
-digest: sha256:ba5cfb295ce1eb41bf01090747bdc43c9f6ca7126f06f8800f9b22a467276113
-generated: "2025-12-17T16:30:37.349972443Z"
+  version: 1.92.4
+digest: sha256:e883577bd0b7f676ce3ec97468321c5956b476e4c9f81c4e99b261a3a0b90641
+generated: "2025-12-20T00:12:07.547753923Z"
--- a/clusters/cl01tl/helm/tailscale-operator/Chart.yaml
+++ b/clusters/cl01tl/helm/tailscale-operator/Chart.yaml
@@ -17,7 +17,7 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: tailscale-operator
-    version: 1.90.9
+    version: 1.92.4
    repository: https://pkgs.tailscale.com/helmcharts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/tailscale-light.png
 appVersion: v1.90.9
--- a/clusters/cl01tl/helm/talos/templates/config.yaml
+++ b/clusters/cl01tl/helm/talos/templates/config.yaml
@@ -0,0 +1,98 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: talos-prune-script
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: talos-prune-script
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  prune.sh: |
+    DATE_RANGE=$(date -d @$(( $(date +%s) - $DATE_RANGE_SECONDS )) +%Y-%m-%dT%H:%M:%SZ);
+    FILE_MATCH="${BUCKET}/cl01tl/etcd/cl01tl-${DATE_RANGE}.snap.age";
+    ERROR=false;
+
+    echo " ";
+    echo ">> Running S3 prune for Talos backup repository ${TARGET} ...";
+
+    echo " ";
+    echo ">> Configured Date Range is $(date -u -d @${DATE_RANGE_SECONDS} +"%j days, %H hours, %M minutes")";
+    echo ">> Backups prior to '$DATE_RANGE' will be removed";
+    FILES=$(s3cmd ls --no-check-certificate ${BUCKET}/cl01tl/etcd/ |
+        awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}');
+
+    if [ -n "${FILES}" ]; then
+        echo " ";
+        echo ">> Backups to be removed:";
+        echo "$FILES"
+        echo " ";
+        echo ">> Deleting ...";
+        $FILES | while read file; do
+            s3cmd del --no-check-certificate -v "$file";
+            if [ $? -ne 0 ]; then
+                ERROR=true;
+                echo ">> Detected error, will send message to ntfy";
+            fi;
+        done;
+    else
+        echo " ";
+        echo ">> No backups to remove";
+    fi;
+
+    if [ "$ERROR" = "true" ]; then
+
+        MAX_RETRIES=5;
+        SUCCESS=false;
+
+        echo " ";
+        echo ">> Sending message to ntfy using curl ...";
+
+        echo " ";
+        echo ">> Verifying required commands ...";
+
+        for i in $(seq 1 "$MAX_RETRIES"); do
+            if apk update 2>&1 >/dev/null; then
+                echo ">> Attempt $i: Repositories are reachable";
+                SUCCESS=true;
+                break;
+            else
+                echo ">> Attempt $i: Connection failed, retrying in 5 seconds ...";
+                sleep 5;
+            fi;
+        done;
+
+        if [ "$SUCCESS" = false ]; then
+            echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ...";
+            exit 1;
+        fi
+
+        if ! command -v curl 2>&1 >/dev/null; then
+            echo ">> Command curl could not be found, installing";
+            apk add --no-cache -q curl;
+            if [ $? -eq 0 ]; then
+                echo ">> Installation successful";
+            else
+                echo ">> Installation failed with exit code $?";
+                exit 1;
+            fi;
+        fi;
+
+        echo " ";
+        echo ">> Sending to NTFY ...";
+        HTTP_STATUS=$(curl \
+            --silent \
+            --write-out '%{http_code}' \
+            -H "Authorization: Bearer ${NTFY_TOKEN}" \
+            -H "X-Priority: 5" \
+            -H "X-Tags: warning" \
+            -H "X-Title: Talos Backup Failed for ${TARGET}" \
+            -d "$MESSAGE" \
+            ${NTFY_ENDPOINT}/${NTFY_TOPIC}
+        );
+        echo ">> HTTP Status Code: $HTTP_STATUS";
+
+    fi;
+
+    echo " ";
+    echo ">> Completed S3 prune for Talos backup repository ${TARGET}";
--- a/clusters/cl01tl/helm/talos/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/talos/templates/external-secret.yaml
@@ -1,14 +1,114 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: talos-etcd-backup-secret
+  name: talos-etcd-backup-local-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: talos-etcd-backup-secret
+    app.kubernetes.io/name: talos-etcd-backup-local-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/talos-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/talos-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+    - secretKey: .s3cfg
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/talos-backups
+        metadataPolicy: None
+        property: s3cfg-local
+    - secretKey: BUCKET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/talos-backups
+        metadataPolicy: None
+        property: BUCKET
+    - secretKey: AGE_X25519_PUBLIC_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/talos/etcd-backup
+        metadataPolicy: None
+        property: AGE_X25519_PUBLIC_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: talos-etcd-backup-remote-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: talos-etcd-backup-remote-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/talos-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/talos-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+    - secretKey: .s3cfg
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/talos-backups
+        metadataPolicy: None
+        property: s3cfg-remote
+    - secretKey: BUCKET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/talos-backups
+        metadataPolicy: None
+        property: BUCKET
+    - secretKey: AGE_X25519_PUBLIC_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/talos/etcd-backup
+        metadataPolicy: None
+        property: AGE_X25519_PUBLIC_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: talos-etcd-backup-external-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: talos-etcd-backup-external-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
-  annotations:
-    kubernetes.io/service-account.name: talos-backup-secrets
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
@@ -50,6 +150,43 @@ spec:
        metadataPolicy: None
        property: AGE_X25519_PUBLIC_KEY

+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: talos-backup-ntfy-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: talos-backup-ntfy-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: NTFY_TOKEN
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /ntfy/user/cl01tl
+        metadataPolicy: None
+        property: token
+    - secretKey: NTFY_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /ntfy/user/cl01tl
+        metadataPolicy: None
+        property: endpoint
+    - secretKey: NTFY_TOPIC
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/talos/etcd-backup
+        metadataPolicy: None
+        property: NTFY_TOPIC
+
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
--- a/clusters/cl01tl/helm/talos/templates/service.yaml
+++ b/clusters/cl01tl/helm/talos/templates/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: garage-ps10rp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: garage-ps10rp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
+spec:
+  externalName: placeholder
+  type: ExternalName
--- a/clusters/cl01tl/helm/talos/values.yaml
+++ b/clusters/cl01tl/helm/talos/values.yaml
@@ -1,6 +1,6 @@
 etcd-backup:
  controllers:
-    main:
+    local:
      type: cronjob
      pod:
        nodeSelector:
@@ -20,7 +20,7 @@ etcd-backup:
        backoffLimit: 3
        parallelism: 1
      containers:
-        main:
+        backup:
          image:
            repository: ghcr.io/siderolabs/talos-backup
            tag: v0.1.0-beta.3@sha256:05c86663b251a407551dc948097e32e163a345818117eb52c573b0447bd0c7a7
@@ -42,12 +42,184 @@ etcd-backup:
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
-                  name: talos-etcd-backup-secret
+                  name: talos-etcd-backup-local-secret
                  key: AWS_ACCESS_KEY_ID
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
-                  name: talos-etcd-backup-secret
+                  name: talos-etcd-backup-local-secret
+                  key: AWS_SECRET_ACCESS_KEY
+            - name: AWS_REGION
+              value: us-east-1
+            - name: CUSTOM_S3_ENDPOINT
+              value: http://garage-main.garage:3900
+            - name: BUCKET
+              value: talos-backups
+            - name: S3_PREFIX
+              value: "cl01tl/etcd"
+            - name: CLUSTER_NAME
+              value: "cl01tl"
+            - name: AGE_X25519_PUBLIC_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: talos-etcd-backup-local-secret
+                  key: AGE_X25519_PUBLIC_KEY
+            - name: USE_PATH_STYLE
+              value: "false"
+        s3-prune:
+          image:
+            repository: d3fk/s3cmd
+            tag: latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f
+            pullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+          args:
+            - -ec
+            - /scripts/prune.sh
+          envFrom:
+            - secretRef:
+                name: talos-etcd-backup-local-secret
+            - secretRef:
+                name: talos-backup-ntfy-secret
+          env:
+            - name: TARGET
+              value: Local
+            - name: DATE_RANGE_SECONDS
+              value: "2419200"
+    remote:
+      type: cronjob
+      pod:
+        nodeSelector:
+          node-role.kubernetes.io/control-plane: ""
+        tolerations:
+          - key: node-role.kubernetes.io/control-plane
+            operator: Exists
+            effect: NoSchedule
+      cronjob:
+        suspend: false
+        concurrencyPolicy: Forbid
+        timeZone: US/Central
+        schedule: "0 3 * * *"
+        startingDeadlineSeconds: 90
+        successfulJobsHistory: 1
+        failedJobsHistory: 1
+        backoffLimit: 3
+        parallelism: 1
+      containers:
+        backup:
+          image:
+            repository: ghcr.io/siderolabs/talos-backup
+            tag: v0.1.0-beta.3@sha256:05c86663b251a407551dc948097e32e163a345818117eb52c573b0447bd0c7a7
+            pullPolicy: IfNotPresent
+          command:
+            - /talos-backup
+          workingDir: /tmp
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          env:
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: talos-etcd-backup-remote-secret
+                  key: AWS_ACCESS_KEY_ID
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: talos-etcd-backup-remote-secret
+                  key: AWS_SECRET_ACCESS_KEY
+            - name: AWS_REGION
+              value: us-east-1
+            - name: CUSTOM_S3_ENDPOINT
+              value: http://garage-ps10rp.talos:3900
+            - name: BUCKET
+              value: talos-backups
+            - name: S3_PREFIX
+              value: "cl01tl/etcd"
+            - name: CLUSTER_NAME
+              value: "cl01tl"
+            - name: AGE_X25519_PUBLIC_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: talos-etcd-backup-remote-secret
+                  key: AGE_X25519_PUBLIC_KEY
+            - name: USE_PATH_STYLE
+              value: "false"
+        s3-prune:
+          image:
+            repository: d3fk/s3cmd
+            tag: latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f
+            pullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+          args:
+            - -ec
+            - /scripts/prune.sh
+          envFrom:
+            - secretRef:
+                name: talos-etcd-backup-remote-secret
+            - secretRef:
+                name: talos-backup-ntfy-secret
+          env:
+            - name: TARGET
+              value: Remote
+            - name: DATE_RANGE_SECONDS
+              value: "2419200"
+    external:
+      type: cronjob
+      pod:
+        nodeSelector:
+          node-role.kubernetes.io/control-plane: ""
+        tolerations:
+          - key: node-role.kubernetes.io/control-plane
+            operator: Exists
+            effect: NoSchedule
+      cronjob:
+        suspend: false
+        concurrencyPolicy: Forbid
+        timeZone: US/Central
+        schedule: "0 4 * * *"
+        startingDeadlineSeconds: 90
+        successfulJobsHistory: 1
+        failedJobsHistory: 1
+        backoffLimit: 3
+        parallelism: 1
+      containers:
+        backup:
+          image:
+            repository: ghcr.io/siderolabs/talos-backup
+            tag: v0.1.0-beta.3-5-g07d09ec@sha256:96054af026b6255ec14d198f2f10ad6c813b335a2e21a76804365c053dd4ba7b
+            pullPolicy: IfNotPresent
+          command:
+            - /talos-backup
+          workingDir: /tmp
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          env:
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: talos-etcd-backup-external-secret
+                  key: AWS_ACCESS_KEY_ID
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: talos-etcd-backup-external-secret
                  key: AWS_SECRET_ACCESS_KEY
            - name: AWS_REGION
              value: nyc3
@@ -62,14 +234,10 @@ etcd-backup:
            - name: AGE_X25519_PUBLIC_KEY
              valueFrom:
                secretKeyRef:
-                  name: talos-etcd-backup-secret
+                  name: talos-etcd-backup-external-secret
                  key: AGE_X25519_PUBLIC_KEY
            - name: USE_PATH_STYLE
              value: "false"
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
        s3-prune:
          image:
            repository: d3fk/s3cmd
@@ -79,69 +247,137 @@ etcd-backup:
            - /bin/sh
          args:
            - -ec
-            - |
-              export DATE_RANGE=$(date -d @$(( $(date +%s) - 1209600 )) +%Y-%m-%dT%H:%M:%SZ);
-              export FILE_MATCH="$BUCKET/cl01tl/etcd/cl01tl-$DATE_RANGE.snap.age"
-              echo ">> Running S3 prune for Talos backup repository"
-              echo ">> Backups prior to '$DATE_RANGE' will be removed"
-              echo ">> Backups to be removed:"
-              s3cmd ls ${BUCKET}/cl01tl/etcd/ |
-                awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}'
-              echo ">> Deleting ..."
-              s3cmd ls ${BUCKET}/cl01tl/etcd/ |
-                awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}' |
-                while read file; do
-                  s3cmd del "$file";
-                done;
-              echo ">> Completed S3 prune for Talos backup repository"
+            - /scripts/prune.sh
+          envFrom:
+            - secretRef:
+                name: talos-etcd-backup-external-secret
+            - secretRef:
+                name: talos-backup-ntfy-secret
          env:
-            - name: BUCKET
-              valueFrom:
-                secretKeyRef:
-                  name: talos-etcd-backup-secret
-                  key: BUCKET
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
+            - name: TARGET
+              value: External
+            - name: DATE_RANGE_SECONDS
+              value: "1209600"
  persistence:
-    tmp:
-      type: emptyDir
-      medium: Memory
-      advancedMounts:
-        main:
-          main:
-            - path: /tmp
-              readOnly: false
-    talos:
-      type: emptyDir
-      medium: Memory
-      advancedMounts:
-        main:
-          main:
-            - path: /.talos
-              readOnly: false
    secret:
      enabled: true
      type: secret
      name: talos-backup-secrets
      advancedMounts:
-        main:
-          main:
+        local:
+          backup:
            - path: /var/run/secrets/talos.dev
              readOnly: true
              mountPropagation: None
-    s3cmd-config:
+        remote:
+          backup:
+            - path: /var/run/secrets/talos.dev
+              readOnly: true
+              mountPropagation: None
+        external:
+          backup:
+            - path: /var/run/secrets/talos.dev
+              readOnly: true
+              mountPropagation: None
+    prune-script:
+      enabled: true
+      type: configMap
+      name: talos-prune-script
+      defaultMode: 0755
+      advancedMounts:
+        local:
+          s3-prune:
+            - path: /scripts/prune.sh
+              subPath: prune.sh
+        remote:
+          s3-prune:
+            - path: /scripts/prune.sh
+              subPath: prune.sh
+        external:
+          s3-prune:
+            - path: /scripts/prune.sh
+              subPath: prune.sh
+    s3cmd-config-local:
      enabled: true
      type: secret
-      name: talos-etcd-backup-secret
+      name: talos-etcd-backup-local-secret
      advancedMounts:
-        main:
+        local:
          s3-prune:
            - path: /root/.s3cfg
              readOnly: true
              mountPropagation: None
              subPath: .s3cfg
+    s3cmd-config-remote:
+      enabled: true
+      type: secret
+      name: talos-etcd-backup-remote-secret
+      advancedMounts:
+        remote:
+          s3-prune:
+            - path: /root/.s3cfg
+              readOnly: true
+              mountPropagation: None
+              subPath: .s3cfg
+    s3cmd-config-external:
+      enabled: true
+      type: secret
+      name: talos-etcd-backup-external-secret
+      advancedMounts:
+        external:
+          s3-prune:
+            - path: /root/.s3cfg
+              readOnly: true
+              mountPropagation: None
+              subPath: .s3cfg
+    tmp-local:
+      type: emptyDir
+      medium: Memory
+      advancedMounts:
+        local:
+          backup:
+            - path: /tmp
+              readOnly: false
+    tmp-remote:
+      type: emptyDir
+      medium: Memory
+      advancedMounts:
+        remote:
+          backup:
+            - path: /tmp
+              readOnly: false
+    tmp-external:
+      type: emptyDir
+      medium: Memory
+      advancedMounts:
+        external:
+          backup:
+            - path: /tmp
+              readOnly: false
+    talos-local:
+      type: emptyDir
+      medium: Memory
+      advancedMounts:
+        local:
+          backup:
+            - path: /.talos
+              readOnly: false
+    talos-remote:
+      type: emptyDir
+      medium: Memory
+      advancedMounts:
+        remote:
+          backup:
+            - path: /.talos
+              readOnly: false
+    talos-external:
+      type: emptyDir
+      medium: Memory
+      advancedMounts:
+        external:
+          backup:
+            - path: /.talos
+              readOnly: false
 etcd-defrag:
  global:
    fullnameOverride: etcd-defrag
@@ -179,10 +415,6 @@ etcd-defrag:
          env:
            - name: TALOSCONFIG
              value: /tmp/.talos/config
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
    defrag-2:
      type: cronjob
      pod:
@@ -216,10 +448,6 @@ etcd-defrag:
          env:
            - name: TALOSCONFIG
              value: /tmp/.talos/config
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
    defrag-3:
      type: cronjob
      pod:
@@ -253,10 +481,6 @@ etcd-defrag:
          env:
            - name: TALOSCONFIG
              value: /tmp/.talos/config
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
  persistence:
    talos-config-1:
      enabled: true
--- a/clusters/cl01tl/helm/traefik/Chart.lock
+++ b/clusters/cl01tl/helm/traefik/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: traefik
  repository: https://traefik.github.io/charts
-  version: 37.4.0
+  version: 38.0.1
 - name: traefik-crds
  repository: https://traefik.github.io/charts
-  version: 1.12.0
-digest: sha256:68267043bdc2c60346e196e1c1d0cef62884bb3dc2ff26ff4a273ccf27edf738
-generated: "2025-12-14T21:03:44.140099-06:00"
+  version: 1.13.0
+digest: sha256:0caf1c25f7bca77f070a3ba490f0d0370f7583370dfeeb2a726023ff567c208e
+generated: "2025-12-19T18:45:42.696331-06:00"
--- a/clusters/cl01tl/helm/traefik/Chart.yaml
+++ b/clusters/cl01tl/helm/traefik/Chart.yaml
@@ -15,10 +15,10 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: traefik
-    version: 37.4.0
+    version: 38.0.1
    repository: https://traefik.github.io/charts
  - name: traefik-crds
-    version: 1.12.0
+    version: 1.13.0
    repository: https://traefik.github.io/charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/webp/traefik.webp
 appVersion: v3.6.4
--- a/clusters/cl01tl/helm/traefik/values.yaml
+++ b/clusters/cl01tl/helm/traefik/values.yaml
@@ -1,13 +1,8 @@
 traefik:
-  crds:
-    enabled: true
-    deleteOnUninstall: false
  deployment:
    kind: DaemonSet
  ingressClass:
    enabled: false
-  kubernetesGateway:
-    enabled: true
  gateway:
    enabled: true
    annotations:
@@ -95,6 +90,18 @@ traefik:
      expose:
        default: true
      exposedPort: 443
+      http:
+        # -- See
+        # -- [upstream documentation](https://doc.traefik.io/traefik/security/request-path/#encoded-character-filtering)
+        # -- [relevant issue] https://github.com/traefik/traefik/issues/12399
+        encodedCharacters:
+          allowEncodedSlash: true
+          allowEncodedBackSlash: true
+          allowEncodedNullCharacter: true
+          allowEncodedSemicolon: true
+          allowEncodedPercent: true
+          allowEncodedQuestionMark: true
+          allowEncodedHash: true
      forwardedHeaders:
        trustedIPs:
          - 10.0.0.0/8
@@ -143,6 +150,7 @@ traefik:
 traefik-crds:
  enabled: true
  traefik: true
-  gatewayAPI: true
+  gatewayAPI: false
+  gatewayAPIExperimental: true
  hub: false
  deleteOnUninstall: false
--- a/clusters/cl01tl/helm/vault/Chart.lock
+++ b/clusters/cl01tl/helm/vault/Chart.lock
@@ -9,4 +9,4 @@ dependencies:
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.5.0
 digest: sha256:01077322d1f106f1bb2834f2bc74f548084910af901a71e2892e05d3fb0d8c68
-generated: "2025-12-05T17:15:08.381024587Z"
+generated: "2025-12-19T22:52:58.599824-06:00"
--- a/clusters/cl01tl/helm/vault/templates/config-map.yaml
+++ b/clusters/cl01tl/helm/vault/templates/config-map.yaml
@@ -0,0 +1,153 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vault-snapshot-script
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-snapshot-script
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  snapshot.sh: |
+    DATE=$(date +"%Y%m%d-%H-%M")
+    MAX_RETRIES=5
+    SUCCESS=false
+
+    echo " "
+    echo ">> Running Vault Snapshot Script ..."
+
+    echo " "
+    echo ">> Verifying required commands ..."
+    echo " "
+
+    for i in $(seq 1 "$MAX_RETRIES"); do
+        if apk update 2>&1 >/dev/null; then
+            echo ">> Attempt $i: Repositories are reachable";
+            SUCCESS=true;
+            break;
+        else
+            echo ">> Attempt $i: Connection failed, retrying in 5 seconds ...";
+            sleep 5;
+        fi;
+    done;
+
+    if [ "$SUCCESS" = false ]; then
+        echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ...";
+        exit 1;
+    fi
+
+    echo " "
+
+    if ! command -v jq 2>&1 >/dev/null; then
+        echo ">> Command jq could not be found, installing";
+        apk add --no-cache -q jq;
+        if [ $? -eq 0 ]; then
+            echo ">> Installation successful";
+        else
+            echo ">> Installation failed with exit code $?";
+            exit 1;
+        fi;
+    fi;
+
+    echo " ";
+    echo ">> Fetching Vault token ...";
+    export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
+
+    echo " ";
+    echo ">> Taking Vault snapsot ...";
+    vault operator raft snapshot save /opt/backup/vault-snapshot-$DATE.snap
+
+    echo " ";
+    echo ">> Setting ownership of Vault snapsot ...";
+    chown 100:1000 /opt/backup/vault-snapshot-$DATE.snap
+
+    echo " ";
+    echo ">> Completed Vault snapshot";
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vault-backup-script
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-backup-script
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  backup.sh: |
+    echo " ";
+    echo ">> Running S3 backup for Vault snapshot";
+    OUTPUT=$(s3cmd sync --no-check-certificate -v /opt/backup/* "${BUCKET}/cl01tl/cl01tl-vault-snapshots/" 2>&1)
+    STATUS=$?
+
+    if [ $STATUS -ne 0 ]; then
+        if echo "$OUTPUT" | grep -q "403 Forbidden"; then
+            MESSAGE="403 Authentication Error: Your keys are wrong or you don't have permission"
+        elif echo "$OUTPUT" | grep -q "404 Not Found"; then
+            MESSAGE="404 Error: The bucket or folder does not exist"
+        elif echo "$OUTPUT" | grep -q "Connection refused"; then
+            MESSAGE="Network Error: Cannot reach the S3 endpoint"
+        else
+            MESSAGE="Unknown Error"
+            echo " ";
+            echo ">> Unknown Error, output:"
+            echo " "
+            echo "$OUTPUT"
+        fi
+
+        MAX_RETRIES=5
+        SUCCESS=false
+
+        echo " "
+        echo ">> Sending message to ntfy using curl ..."
+
+        echo " "
+        echo ">> Verifying required commands ..."
+
+        for i in $(seq 1 "$MAX_RETRIES"); do
+            if apk update 2>&1 >/dev/null; then
+                echo ">> Attempt $i: Repositories are reachable";
+                SUCCESS=true;
+                break;
+            else
+                echo ">> Attempt $i: Connection failed, retrying in 5 seconds ...";
+                sleep 5;
+            fi;
+        done;
+
+        if [ "$SUCCESS" = false ]; then
+            echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ...";
+            exit 1;
+        fi
+
+        if ! command -v curl 2>&1 >/dev/null; then
+            echo ">> Command curl could not be found, installing";
+            apk add --no-cache -q curl;
+            if [ $? -eq 0 ]; then
+                echo ">> Installation successful";
+            else
+                echo ">> Installation failed with exit code $?";
+                exit 1;
+            fi;
+        fi;
+
+        echo " "
+        echo ">> Sending to NTFY ..."
+        echo ">> Message: $MESSAGE"
+        HTTP_STATUS=$(curl \
+            --silent \
+            --write-out '%{http_code}' \
+            -H "Authorization: Bearer ${NTFY_TOKEN}" \
+            -H "X-Priority: 5" \
+            -H "X-Tags: warning" \
+            -H "X-Title: Vault Backup Failed for ${TARGET}" \
+            -d "$MESSAGE" \
+            ${NTFY_ENDPOINT}/${NTFY_TOPIC}
+        )
+        echo ">> HTTP Status Code: $HTTP_STATUS"
+
+    else
+        echo " ";
+        echo ">> S3 Sync succeeded"
+    fi
--- a/clusters/cl01tl/helm/vault/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/vault/templates/external-secret.yaml
@@ -31,10 +31,70 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: vault-s3cmd-config
+  name: vault-s3cmd-local-config
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: vault-s3cmd-config
+    app.kubernetes.io/name: vault-s3cmd-local-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: .s3cfg
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/vault-backups
+        metadataPolicy: None
+        property: s3cfg-local
+    - secretKey: BUCKET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/vault-backups
+        metadataPolicy: None
+        property: BUCKET
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-s3cmd-remote-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-s3cmd-remote-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: .s3cfg
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/vault-backups
+        metadataPolicy: None
+        property: s3cfg-remote
+    - secretKey: BUCKET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/vault-backups
+        metadataPolicy: None
+        property: BUCKET
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-s3cmd-external-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-s3cmd-external-config
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -57,6 +117,43 @@ spec:
        metadataPolicy: None
        property: BUCKET

+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-backup-ntfy-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-backup-ntfy-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: NTFY_TOKEN
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /ntfy/user/cl01tl
+        metadataPolicy: None
+        property: token
+    - secretKey: NTFY_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /ntfy/user/cl01tl
+        metadataPolicy: None
+        property: endpoint
+    - secretKey: NTFY_TOPIC
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/snapshot
+        metadataPolicy: None
+        property: NTFY_TOPIC
+
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
--- a/clusters/cl01tl/helm/vault/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/vault/templates/persistent-volume-claim.yaml
@@ -1,17 +1,17 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: vault-nfs-storage-backup
+  name: vault-storage-backup
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: vault-nfs-storage-backup
+    app.kubernetes.io/name: vault-storage-backup
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeMode: Filesystem
-  storageClassName: nfs-client
+  storageClassName: ceph-filesystem
  accessModes:
-    - ReadWriteOnce
+    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/cl01tl/helm/vault/values.yaml
+++ b/clusters/cl01tl/helm/vault/values.yaml
@@ -32,12 +32,12 @@ vault:
    livenessProbe:
      enabled: false
    volumes:
-      - name: vault-nfs-storage-backup
+      - name: vault-storage-backup
        persistentVolumeClaim:
-          claimName: vault-nfs-storage-backup
+          claimName: vault-storage-backup
    volumeMounts:
      - mountPath: /opt/backups/
-        name: vault-nfs-storage-backup
+        name: vault-storage-backup
        readOnly: false
    affinity: |
      podAntiAffinity:
@@ -176,26 +176,15 @@ snapshot:
            - /bin/ash
          args:
            - -ec
-            - |
-              apk add --no-cache jq;
-              echo ">> Running Vault snapshot"
-              export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
-              vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
-              cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
-              cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
-              echo ">> Completed Vault snapshot"
+            - /scripts/snapshot.sh
          envFrom:
            - secretRef:
                name: vault-snapshot-agent-token
          env:
            - name: VAULT_ADDR
              value: http://vault-active.vault.svc.cluster.local:8200
-          resources:
-            requests:
-              cpu: 10m
-              memory: 64Mi
      containers:
-        s3-backup:
+        s3-backup-local:
          image:
            repository: d3fk/s3cmd
            tag: latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f
@@ -204,43 +193,136 @@ snapshot:
            - /bin/sh
          args:
            - -ec
-            - |
-              echo ">> Running S3 backup for Vault snapshot"
-              s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/vault-snapshot-s3.snap ${BUCKET}/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
-              rm -f /opt/backup/vault-snapshot-s3.snap;
-              echo ">> Completed S3 backup for Vault snapshot"
+            - /scripts/backup.sh
+          envFrom:
+            - secretRef:
+                name: vault-backup-ntfy-secret
          env:
            - name: BUCKET
              valueFrom:
                secretKeyRef:
-                  name: vault-s3cmd-config
+                  name: vault-s3cmd-local-config
                  key: BUCKET
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
+            - name: TARGET
+              value: Local
+        s3-backup-remote:
+          image:
+            repository: d3fk/s3cmd
+            tag: latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f
+            pullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+          args:
+            - -ec
+            - /scripts/backup.sh
+          envFrom:
+            - secretRef:
+                name: vault-backup-ntfy-secret
+          env:
+            - name: BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: vault-s3cmd-remote-config
+                  key: BUCKET
+            - name: TARGET
+              value: Remote
+        s3-backup-external:
+          image:
+            repository: d3fk/s3cmd
+            tag: latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f
+            pullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+          args:
+            - -ec
+            - /scripts/backup.sh
+          envFrom:
+            - secretRef:
+                name: vault-backup-ntfy-secret
+          env:
+            - name: BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: vault-s3cmd-external-config
+                  key: BUCKET
+            - name: TARGET
+              value: External
  persistence:
-    config:
-      existingClaim: vault-nfs-storage-backup
+    snapshot-script:
+      enabled: true
+      type: configMap
+      name: vault-snapshot-script
+      defaultMode: 0755
+      advancedMounts:
+        snapshot:
+          snapshot:
+            - path: /scripts/snapshot.sh
+              subPath: snapshot.sh
+    backup-script:
+      enabled: true
+      type: configMap
+      name: vault-backup-script
+      defaultMode: 0755
+      advancedMounts:
+        snapshot:
+          s3-backup-local:
+            - path: /scripts/backup.sh
+              subPath: backup.sh
+          s3-backup-remote:
+            - path: /scripts/backup.sh
+              subPath: backup.sh
+          s3-backup-external:
+            - path: /scripts/backup.sh
+              subPath: backup.sh
+    s3cmd-local-config:
+      enabled: true
+      type: secret
+      name: vault-s3cmd-local-config
+      advancedMounts:
+        snapshot:
+          s3-backup-local:
+            - path: /root/.s3cfg
+              readOnly: true
+              mountPropagation: None
+              subPath: .s3cfg
+    s3cmd-remote-config:
+      enabled: true
+      type: secret
+      name: vault-s3cmd-remote-config
+      advancedMounts:
+        snapshot:
+          s3-backup-remote:
+            - path: /root/.s3cfg
+              readOnly: true
+              mountPropagation: None
+              subPath: .s3cfg
+    s3cmd-external-config:
+      enabled: true
+      type: secret
+      name: vault-s3cmd-external-config
+      advancedMounts:
+        snapshot:
+          s3-backup-external:
+            - path: /root/.s3cfg
+              readOnly: true
+              mountPropagation: None
+              subPath: .s3cfg
+    backup:
+      existingClaim: vault-storage-backup
      advancedMounts:
        snapshot:
          snapshot:
            - path: /opt/backup
              readOnly: false
-          s3-backup:
+          s3-backup-local:
+            - path: /opt/backup
+              readOnly: false
+          s3-backup-remote:
+            - path: /opt/backup
+              readOnly: false
+          s3-backup-external:
            - path: /opt/backup
              readOnly: false
-    s3cmd-config:
-      enabled: true
-      type: secret
-      name: vault-s3cmd-config
-      advancedMounts:
-        snapshot:
-          s3-backup:
-            - path: /root/.s3cfg
-              readOnly: true
-              mountPropagation: None
-              subPath: .s3cfg
 unseal:
  global:
    fullnameOverride: vault-unseal
--- a/clusters/cl01tl/helm/whodb/values.yaml
+++ b/clusters/cl01tl/helm/whodb/values.yaml
@@ -8,7 +8,7 @@ whodb:
        main:
          image:
            repository: clidey/whodb
-            tag: 0.85.0
+            tag: 0.86.0
            pullPolicy: IfNotPresent
          env:
            - name: WHODB_OLLAMA_HOST
--- a/hosts/ps08rp/blocky/compose.yaml
+++ b/hosts/ps08rp/blocky/compose.yaml
@@ -1,7 +1,7 @@
 ---
 services:
    tailscale-blocky:
-        image: ghcr.io/tailscale/tailscale:v1.92.3
+        image: ghcr.io/tailscale/tailscale:v1.92.4
        container_name: tailscale-blocky
        cap_add:
            - net_admin
--- a/hosts/ps08rp/blocky/config.yml
+++ b/hosts/ps08rp/blocky/config.yml
@@ -105,7 +105,6 @@ customDNS:
    huntarr                         IN      CNAME   traefik-cl01tl
    immich                          IN      CNAME   traefik-cl01tl
    jellyfin                        IN      CNAME   traefik-cl01tl
-    jellyfin-vue                    IN      CNAME   traefik-cl01tl
    jellystat                       IN      CNAME   traefik-cl01tl
    kiwix                           IN      CNAME   traefik-cl01tl
    komodo                          IN      CNAME   traefik-cl01tl
--- a/hosts/ps09rp/blocky/compose.yaml
+++ b/hosts/ps09rp/blocky/compose.yaml
@@ -1,7 +1,7 @@
 ---
 services:
    tailscale-blocky:
-        image: ghcr.io/tailscale/tailscale:v1.92.3
+        image: ghcr.io/tailscale/tailscale:v1.92.4
        container_name: tailscale-blocky
        cap_add:
            - net_admin
--- a/hosts/ps09rp/blocky/config.yml
+++ b/hosts/ps09rp/blocky/config.yml
@@ -105,7 +105,6 @@ customDNS:
    huntarr                         IN      CNAME   traefik-cl01tl
    immich                          IN      CNAME   traefik-cl01tl
    jellyfin                        IN      CNAME   traefik-cl01tl
-    jellyfin-vue                    IN      CNAME   traefik-cl01tl
    jellystat                       IN      CNAME   traefik-cl01tl
    kiwix                           IN      CNAME   traefik-cl01tl
    komodo                          IN      CNAME   traefik-cl01tl
--- a/hosts/ps10rp/blocky/compose.yaml
+++ b/hosts/ps10rp/blocky/compose.yaml
@@ -1,7 +1,7 @@
 ---
 services:
    tailscale-blocky:
-        image: ghcr.io/tailscale/tailscale:v1.92.3
+        image: ghcr.io/tailscale/tailscale:v1.92.4
        container_name: tailscale-blocky
        cap_add:
            - net_admin
--- a/hosts/ps10rp/garage/compose.yaml
+++ b/hosts/ps10rp/garage/compose.yaml
@@ -1,6 +1,6 @@
 services:
    tailscale-garage:
-        image: ghcr.io/tailscale/tailscale:v1.92.3
+        image: ghcr.io/tailscale/tailscale:v1.92.4
        container_name: tailscale-garage
        cap_add:
            - net_admin
@@ -20,7 +20,7 @@ services:
            - /dev/net/tun:/dev/net/tun

    tailscale-garage-ui:
-        image: ghcr.io/tailscale/tailscale:v1.92.3
+        image: ghcr.io/tailscale/tailscale:v1.92.4
        container_name: tailscale-garage-ui
        cap_add:
            - net_admin
--- a/hosts/ps10rp/gitea/compose.yaml
+++ b/hosts/ps10rp/gitea/compose.yaml
@@ -1,6 +1,6 @@
 services:
    tailscale-gitea:
-        image: ghcr.io/tailscale/tailscale:v1.92.3
+        image: ghcr.io/tailscale/tailscale:v1.92.4
        container_name: tailscale-gitea
        cap_add:
            - net_admin
--- a/hosts/ps10rp/homepage/compose.yaml
+++ b/hosts/ps10rp/homepage/compose.yaml
@@ -1,7 +1,7 @@
 ---
 services:
    tailscale-homepage:
-        image: ghcr.io/tailscale/tailscale:v1.92.3
+        image: ghcr.io/tailscale/tailscale:v1.92.4
        container_name: tailscale-homepage
        cap_add:
            - net_admin
--- a/hosts/ps10rp/node-exporter/compose.yaml
+++ b/hosts/ps10rp/node-exporter/compose.yaml
@@ -1,7 +1,7 @@
 ---
 services:
    tailscale-node-exporter:
-        image: ghcr.io/tailscale/tailscale:v1.92.3
+        image: ghcr.io/tailscale/tailscale:v1.92.4
        container_name: tailscale-node-exporter
        cap_add:
            - net_admin
--- a/hosts/ps10rp/tailscale-subnet/compose.yaml
+++ b/hosts/ps10rp/tailscale-subnet/compose.yaml
@@ -1,7 +1,7 @@
 ---
 services:
    tailscale:
-        image: ghcr.io/tailscale/tailscale:v1.92.3
+        image: ghcr.io/tailscale/tailscale:v1.92.4
        container_name: tailscale-subnet
        cap_add:
            - net_admin
--- a/hosts/ps10rp/traefik/compose.yaml
+++ b/hosts/ps10rp/traefik/compose.yaml
@@ -1,7 +1,7 @@
 ---
 services:
    tailscale-traefik:
-        image: ghcr.io/tailscale/tailscale:v1.92.3
+        image: ghcr.io/tailscale/tailscale:v1.92.4
        container_name: tailscale-traefik
        cap_add:
            - net_admin