Update roundcube/roundcubemail Docker tag to v1.6.12 (#2589)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [redis-replication](https://github.com/OT-CONTAINER-KIT/redis-operator) | minor | `0.4.0` -> `0.5.0` |

---

### Release Notes

<details>
<summary>OT-CONTAINER-KIT/redis-operator (redis-replication)</summary>

### [`v0.5.0`](https://github.com/OT-CONTAINER-KIT/redis-operator/blob/HEAD/CHANGELOG.md#v050)

[Compare Source](https://github.com/OT-CONTAINER-KIT/redis-operator/compare/v0.4.0...v0.5.0)

##### May 1, 2021

##### 🎉 Features

- Added support for recovering redis nodes from failover
- Added toleration support for redis statefuls
- Added capability to use existing secret created inside K8s

##### 🪲 Bug Fixes

- Fixed logic for service and statefulset comparison in K8s

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi4zOS4xIiwidXBkYXRlZEluVmVyIjoiNDIuMzkuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiaW1hZ2UiXX0=-->

Reviewed-on: #2563
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

.gitea/workflows/lint-test-helm.yaml

@@ -84,7 +84,7 @@ jobs:
                 echo ""
                 echo ">> Adding path: $path"
                 CHANGED_CHARTS+=$(echo "$path" | awk -F '/' '{print $4}')
-                CHANGED_CHARTS+=$(echo " ")
+                CHANGED_CHARTS+=$(echo "\n")
               fi
             done
 
@@ -124,7 +124,14 @@ jobs:
             helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo ">> Command: $cmd"
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then

.gitea/workflows/render-manifests-automerge.yaml

@@ -106,7 +106,13 @@ jobs:
             helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then

.gitea/workflows/render-manifests-dispatch.yaml

@@ -91,7 +91,13 @@ jobs:
             helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then

.gitea/workflows/render-manifests-merge.yaml

@@ -111,7 +111,13 @@ jobs:
             helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then

.gitea/workflows/render-manifests-push.yaml

@@ -109,7 +109,13 @@ jobs:
             helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then

clusters/cl01tl/helm/actual/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:926b8da839684072fd79954aff0c9852c2ff3b618b0fa35177bdec8e2dff4986
+- name: volsync-target
-generated: "2025-12-05T17:02:01.15162583Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.3.0
+digest: sha256:3763d6c5c0b45219235229aa1d72bfa426abd29aa8d92c1b1ca958b6afb3bfc8
+generated: "2025-12-15T17:43:51.908308-06:00"

clusters/cl01tl/helm/actual/Chart.yaml

@@ -17,5 +17,9 @@ dependencies:
     alias: actual
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.3.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
 appVersion: 25.12.0

clusters/cl01tl/helm/actual/templates/external-secret.yaml

@@ -1,55 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: actual-data-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: actual-data-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/actual/actual-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/helm/actual/templates/replication-source.yaml

@@ -1,25 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: actual-data-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: actual-data-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: actual-data
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: actual-data-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/actual/values.yaml

@@ -54,3 +54,5 @@ actual:
           main:
             - path: /data
               readOnly: false
+volsync-target-data:
+  pvcTarget: actual-data

clusters/cl01tl/helm/argo-workflows/Chart.lock

@@ -7,6 +7,6 @@ dependencies:
   version: 2.4.19
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:40a93dfcabbc5746682bac631e9a620588cf0cb6fdf79a42446a823e93a531c8
+digest: sha256:796a0f9ae054268c9a4e2752f29004b6547e5ee41e623b8506b531f6836b7313
-generated: "2025-12-11T15:49:57.970719-06:00"
+generated: "2025-12-15T14:27:02.068848-06:00"

clusters/cl01tl/helm/argo-workflows/Chart.yaml

@@ -25,7 +25,7 @@ dependencies:
     repository: https://argoproj.github.io/argo-helm
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 appVersion: v3.7.6

clusters/cl01tl/helm/argo-workflows/values.yaml

@@ -78,17 +78,10 @@ argo-events:
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
@@ -98,11 +91,6 @@ postgres-18-cluster:
       endpointCredentials: argo-workflows-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
         index: 1
@@ -111,6 +99,11 @@ postgres-18-cluster:
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
       #   index: 1
@@ -121,16 +114,16 @@ postgres-18-cluster:
       #   data:
       #     compression: bzip2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
+      # - name: daily-backup
+      #   suspend: false
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
       # - name: weekly-backup
       #   suspend: true
       #   immediate: true

clusters/cl01tl/helm/audiobookshelf/Chart.lock

@@ -2,5 +2,11 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:977ed15091e9ed30d647a626214701d22f3a8a5232a900e33f753cc7e090042f
+- name: volsync-target
-generated: "2025-12-05T17:02:13.674405673Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.3.0
+- name: volsync-target
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.3.0
+digest: sha256:88e0d8008795451a64f3a2e4fa4fc120d48cef4badb4305e8e60afbb494352c5
+generated: "2025-12-15T18:19:02.989735-06:00"

clusters/cl01tl/helm/audiobookshelf/Chart.yaml

@@ -19,5 +19,13 @@ dependencies:
     alias: audiobookshelf
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.3.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-metadata
+    version: 0.3.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 appVersion: 2.31.0

clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml

@@ -19,117 +19,3 @@ spec:
         key: /cl01tl/audiobookshelf/apprise
         metadataPolicy: None
         property: ntfy-url
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: audiobookshelf-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: audiobookshelf-metadata-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-metadata-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-metadata"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml

@@ -1,24 +1,5 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
-metadata:
-  name: audiobookshelf-nfs-storage-backup
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-nfs-storage-backup
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeMode: Filesystem
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
 metadata:
   name: audiobookshelf-nfs-storage
   namespace: {{ .Release.Namespace }}

clusters/cl01tl/helm/audiobookshelf/templates/replication-source.yaml

@@ -1,52 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: audiobookshelf-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: audiobookshelf-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: audiobookshelf-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: audiobookshelf-metadata-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-metadata-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: audiobookshelf-metadata
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: audiobookshelf-metadata-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/audiobookshelf/values.yaml

@@ -21,7 +21,7 @@ audiobookshelf:
         apprise-api:
           image:
             repository: caronc/apprise
-            tag: 1.2.6
+            tag: 1.3.0
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -59,6 +59,7 @@ audiobookshelf:
           protocol: HTTP
   persistence:
     config:
+      forceRename: audiobookshelf-config
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 2Gi
@@ -69,6 +70,7 @@ audiobookshelf:
             - path: /config
               readOnly: false
     metadata:
+      forceRename: audiobookshelf-metadata
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 10Gi
@@ -78,13 +80,6 @@ audiobookshelf:
           main:
             - path: /metadata
               readOnly: false
-    backup:
-      existingClaim: audiobookshelf-nfs-storage-backup
-      advancedMounts:
-        main:
-          main:
-            - path: /metadata/backups
-              readOnly: false
     audiobooks:
       existingClaim: audiobookshelf-nfs-storage
       advancedMounts:
@@ -92,3 +87,7 @@ audiobookshelf:
           main:
             - path: /mnt/store/
               readOnly: false
+volsync-target-config:
+  pvcTarget: audiobookshelf-config
+volsync-target-metadata:
+  pvcTarget: audiobookshelf-metadata

clusters/cl01tl/helm/authentik/Chart.lock

@@ -7,6 +7,9 @@ dependencies:
   version: 1.23.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:fdd5cc597cf958ca0f6f43dd403915c89c45718eff80920c2d322264dc8b09e1
+- name: redis-replication
-generated: "2025-12-11T16:14:14.729827-06:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:e593d25ebf07b1274768045f028e1ceeccbcdc1c8e35414d6bbd9a8d09086991
+generated: "2025-12-15T14:36:33.783343-06:00"

clusters/cl01tl/helm/authentik/Chart.yaml

@@ -29,7 +29,10 @@ dependencies:
     version: 1.23.2
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
 appVersion: 2025.10.2

clusters/cl01tl/helm/authentik/templates/redis-replication.yaml

@@ -1,32 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-authentik
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1

clusters/cl01tl/helm/authentik/templates/service-monitor.yaml

@@ -1,19 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-authentik
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/authentik/values.yaml

@@ -53,17 +53,10 @@ cloudflared:
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
@@ -73,11 +66,6 @@ postgres-18-cluster:
       endpointCredentials: authentik-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-18-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-18-cluster
         index: 1
@@ -86,6 +74,11 @@ postgres-18-cluster:
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-18-cluster
       #   index: 1
@@ -96,18 +89,26 @@ postgres-18-cluster:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
+      # - name: daily-backup
+      #   suspend: false
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
       # - name: weekly-backup
       #   suspend: false
       #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+redis-replication:
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 3
+  redisSentinel:
+    enabled: true
+    clusterSize: 3

clusters/cl01tl/helm/backrest/Chart.lock

@@ -2,5 +2,11 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:6e6f20320a485b57288a6febae1b7623076059c370f88b7fbe92460fc4047db3
+- name: volsync-target
-generated: "2025-12-05T17:02:26.599646463Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.3.0
+- name: volsync-target
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.3.0
+digest: sha256:13c950ad5cd6accd192e6768557c0df74af2cd767d2372dc38c1cdb7e1563399
+generated: "2025-12-15T18:33:59.961957-06:00"

clusters/cl01tl/helm/backrest/Chart.yaml

@@ -17,5 +17,13 @@ dependencies:
     alias: backrest
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.3.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.3.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
 appVersion: v1.10.1

clusters/cl01tl/helm/backrest/values.yaml

@@ -35,6 +35,7 @@ backrest:
           protocol: TCP
   persistence:
     data:
+      forceRename: backrest-data
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 10Gi
@@ -45,6 +46,7 @@ backrest:
             - path: /data
               readOnly: false
     config:
+      forceRename: backrest-config
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 1Gi
@@ -82,3 +84,7 @@ backrest:
           main:
             - path: /mnt/share
               readOnly: true
+volsync-target-data:
+  pvcTarget: backrest-data
+volsync-target-config:
+  pvcTarget: backrest-config

clusters/cl01tl/helm/bazarr/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:54c88d51b4067dec5b22623957970b64092bf3f417fabb58277f6bc3e01eca20
+- name: volsync-target
-generated: "2025-12-05T17:02:40.843820962Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:cb702f316026bdb487ace1abec56cc3c505376cf14a45528e3e593e4cc7effab
+generated: "2025-12-15T19:04:05.574701-06:00"

clusters/cl01tl/helm/bazarr/Chart.yaml

@@ -19,5 +19,9 @@ dependencies:
     alias: bazarr
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
 appVersion: 1.5.3

clusters/cl01tl/helm/bazarr/templates/external-secret.yaml

@@ -1,55 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: bazarr-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: bazarr-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/bazarr/bazarr-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/helm/bazarr/templates/replication-source.yaml

@@ -1,30 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: bazarr-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: bazarr-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: bazarr-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: bazarr-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    moverSecurityContext:
-      runAsUser: 1000
-      runAsGroup: 1000
-      fsGroup: 1000
-      fsGroupChangePolicy: OnRootMismatch
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/bazarr/values.yaml

@@ -55,3 +55,10 @@ bazarr:
           main:
             - path: /mnt/store
               readOnly: false
+volsync-target-config:
+  pvcTarget: bazarr-config
+  moverSecurityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    fsGroupChangePolicy: OnRootMismatch

clusters/cl01tl/helm/blocky/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:b8516161886b87344848ad2b3bdafbd66da61ca8ffc5e9a5ebed462f205c9912
+- name: redis-replication
-generated: "2025-12-05T17:02:59.562863413Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:a7840240d52d7c66aa2e542132e32907dd0c48d3051eb15190a209215cbd4dce
+generated: "2025-12-15T20:06:31.995318697Z"

clusters/cl01tl/helm/blocky/Chart.yaml

@@ -17,5 +17,8 @@ dependencies:
     alias: blocky
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: redis-replication
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
 appVersion: v0.28.2

clusters/cl01tl/helm/blocky/templates/redis-replication.yaml

@@ -1,32 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-blocky
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-blocky
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1

clusters/cl01tl/helm/blocky/templates/service-monitor.yaml

@@ -17,24 +17,3 @@ spec:
       interval: 30s
       scrapeTimeout: 10s
       path: /metrics
-
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-blocky
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-blocky
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/blocky/values.yaml

@@ -129,10 +129,10 @@ blocky:
               huntarr                         IN      CNAME   traefik-cl01tl
               immich                          IN      CNAME   traefik-cl01tl
               jellyfin                        IN      CNAME   traefik-cl01tl
+              jellyfin-vue                    IN      CNAME   traefik-cl01tl
               jellystat                       IN      CNAME   traefik-cl01tl
               kiwix                           IN      CNAME   traefik-cl01tl
               komodo                          IN      CNAME   traefik-cl01tl
-              kronic                          IN      CNAME   traefik-cl01tl
               lidarr                          IN      CNAME   traefik-cl01tl
               lidatube                        IN      CNAME   traefik-cl01tl
               listenarr                       IN      CNAME   traefik-cl01tl
@@ -143,7 +143,6 @@ blocky:
               ollama                          IN      CNAME   traefik-cl01tl
               omni-tools                      IN      CNAME   traefik-cl01tl
               overseerr                       IN      CNAME   traefik-cl01tl
-              pgadmin                         IN      CNAME   traefik-cl01tl
               photoview                       IN      CNAME   traefik-cl01tl
               plex                            IN      CNAME   traefik-cl01tl
               postiz                          IN      CNAME   traefik-cl01tl
@@ -302,3 +301,10 @@ blocky:
               readOnly: true
               mountPropagation: None
               subPath: config.yml
+redis-replication:
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 3
+  redisSentinel:
+    enabled: false

clusters/cl01tl/helm/booklore/Chart.lock

@@ -5,5 +5,11 @@ dependencies:
 - name: mariadb-cluster
   repository: https://helm.mariadb.com/mariadb-operator
   version: 25.10.2
-digest: sha256:58d978bd46c61285b06acc6d9a40404d8059f2df7b953dea13c528b35350d0a8
+- name: volsync-target
-generated: "2025-12-05T17:03:15.7199669Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+- name: volsync-target
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:6981b2c060c19bac6517578bd9b5b11a300a4deb431110bf90da317237a4a252
+generated: "2025-12-15T19:15:49.886575-06:00"

clusters/cl01tl/helm/booklore/Chart.yaml

@@ -20,5 +20,13 @@ dependencies:
   - name: mariadb-cluster
     version: 25.10.2
     repository: https://helm.mariadb.com/mariadb-operator
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png
 appVersion: v1.13.2

clusters/cl01tl/helm/booklore/templates/external-secret.yaml

@@ -43,234 +43,6 @@ spec:
         metadataPolicy: None
         property: psk.txt
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_SECRET_ACCESS_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-data-backup-secret-local
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-secret-local
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-local
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-local
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_SECRET_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-data-backup-secret-remote
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-secret-remote
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-remote
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/garage-remote
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/volsync-backups
-        metadataPolicy: None
-        property: ACCESS_SECRET_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: booklore-data-backup-secret-external
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-secret-external
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /volsync/restic/digital-ocean
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_ACCESS_KEY_ID
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: AWS_SECRET_ACCESS_KEY
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret

clusters/cl01tl/helm/booklore/templates/replication-source.yaml

@@ -15,115 +15,3 @@ spec:
     keySecret: booklore-data-replication-secret
     address: volsync-rsync-tls-dst-booklore-data-replication-destination
     copyMethod: Snapshot
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-config
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-data-backup-source-local
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-source-local
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-data
-  trigger:
-    schedule: 0 2 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-data-backup-secret-local
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-data-backup-source-remote
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-source-remote
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-data
-  trigger:
-    schedule: 0 3 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-data-backup-secret-remote
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi
-
----
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: booklore-data-backup-source-external
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: booklore-data-backup-source-external
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: booklore-data
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: booklore-data-backup-secret-external
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi

clusters/cl01tl/helm/booklore/values.yaml

@@ -41,6 +41,7 @@ booklore:
           protocol: HTTP
   persistence:
     config:
+      forceRename: booklore-config
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
@@ -51,6 +52,7 @@ booklore:
             - path: /app/data
               readOnly: false
     data:
+      forceRename: booklore-data
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 10Gi
@@ -119,7 +121,8 @@ mariadb-cluster:
         suspend: false
         immediate: true
       compression: gzip
-      maxRetention: 720h
+      maxRetention: 2160h
+      successfulJobsHistoryLimit: 1
       storage:
         s3:
           bucket: mariadb-backups-b230a2f5aecf080a4b372c08
@@ -134,6 +137,28 @@ mariadb-cluster:
             key: secret
           tls:
             enabled: true
+    - name: backup-remote
+      schedule:
+        cron: "0 0 * * 0"
+        suspend: false
+        immediate: true
+      compression: gzip
+      maxRetention: 2160h
+      successfulJobsHistoryLimit: 1
+      storage:
+        s3:
+          bucket: mariadb-backups
+          prefix: cl01tl/booklore
+          endpoint: garage-ps10rp.boreal-beaufort.ts.net:3900
+          region: us-east-1
+          accessKeyIdSecretKeyRef:
+            name: booklore-mariadb-cluster-backup-secret-garage
+            key: access
+          secretAccessKeySecretKeyRef:
+            name: booklore-mariadb-cluster-backup-secret-garage
+            key: secret
+          tls:
+            enabled: true
     - name: backup-garage
       schedule:
         cron: "0 0 * * *"
@@ -141,6 +166,7 @@ mariadb-cluster:
         immediate: true
       compression: gzip
       maxRetention: 360h
+      successfulJobsHistoryLimit: 1
       storage:
         s3:
           bucket: mariadb-backups
@@ -153,3 +179,16 @@ mariadb-cluster:
           secretAccessKeySecretKeyRef:
             name: booklore-mariadb-cluster-backup-secret-garage
             key: secret
+volsync-target-config:
+  pvcTarget: booklore-config
+volsync-target-data:
+  pvcTarget: booklore-data
+  local:
+    restic:
+      cacheCapacity: 10Gi
+  remote:
+    restic:
+      cacheCapacity: 10Gi
+  external:
+    restic:
+      cacheCapacity: 10Gi

clusters/cl01tl/helm/code-server/Chart.lock

@@ -5,5 +5,8 @@ dependencies:
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 1.23.2
-digest: sha256:3cf78630cd7670e1157a87fc7ccbeca248ef4ced8a3170e69140ea3e1b0ff564
+- name: volsync-target
-generated: "2025-12-07T02:54:11.675097664Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:bd1cbd66ccb360978a342ee218bfb01006a486fb85c5714acd593b9e1389b151
+generated: "2025-12-15T21:50:58.968382-06:00"

clusters/cl01tl/helm/code-server/Chart.yaml

@@ -24,5 +24,9 @@ dependencies:
     alias: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 1.23.2
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
 appVersion: 4.106.3

clusters/cl01tl/helm/code-server/templates/persistent-volume-claim.yaml

@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: code-server-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: code-server-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeMode: Filesystem
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi

clusters/cl01tl/helm/code-server/values.yaml

@@ -9,7 +9,7 @@ code-server:
         main:
           image:
             repository: ghcr.io/linuxserver/code-server
-            tag: 4.106.3@sha256:aab9520fe923b2d93dccc2c806f3dc60649c2f4a2847fcd40c942227d0f1ae8f
+            tag: 4.106.3@sha256:83793e4460090d6c46f4842ff6ab8aa26ad8a567885112bbe754b45c61935055
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -37,7 +37,11 @@ code-server:
           protocol: HTTP
   persistence:
     config:
-      existingClaim: code-server-nfs-storage
+      forceRename: code-server-config
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 2Gi
+      retain: true
       advancedMounts:
         main:
           main:
@@ -45,3 +49,10 @@ code-server:
               readOnly: false
 cloudflared:
   existingSecretName: code-server-cloudflared-secret
+volsync-target-config:
+  pvcTarget: code-server-config
+  moverSecurityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    fsGroupChangePolicy: OnRootMismatch

clusters/cl01tl/helm/directus/Chart.lock

@@ -7,6 +7,9 @@ dependencies:
   version: 1.23.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:636b200b79efdd6ea36afdf29a5e85f3741b362dfcbf2af47c7aff9e55f02812
+- name: redis-replication
-generated: "2025-12-11T16:47:16.317535-06:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:1035fe225f5439c73fdc8b498c2164bad362e0198bc2ad40eab6b5d0bae9f86d
+generated: "2025-12-15T14:37:45.474556-06:00"

clusters/cl01tl/helm/directus/Chart.yaml

@@ -27,7 +27,10 @@ dependencies:
     version: 1.23.2
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 appVersion: 11.14.0

clusters/cl01tl/helm/directus/templates/redis-replication.yaml

@@ -1,35 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-directus
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-directus
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    redisSecret:
-      name: directus-redis-config
-      key: password
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1

clusters/cl01tl/helm/directus/templates/redis-sentinel.yaml

@@ -1,30 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisSentinel
-metadata:
-  name: redis-sentinel-directus
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-sentinel-directus
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  redisSentinelConfig:
-    redisReplicationName: redis-replication-directus
-    redisReplicationPassword:
-      secretKeyRef:
-        name: directus-redis-config
-        key: password
-  kubernetesConfig:
-    image: quay.io/opstree/redis-sentinel:v8.4.0
-    imagePullPolicy: IfNotPresent
-    redisSecret:
-      name: directus-redis-config
-      key: password
-    resources:
-      requests:
-        cpu: 10m
-        memory: 128Mi

clusters/cl01tl/helm/directus/templates/service-monitor.yaml

@@ -20,24 +20,3 @@ spec:
       bearerTokenSecret:
         name: directus-metric-token
         key: metric-token
-
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-directus
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-directus
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/directus/values.yaml

@@ -159,17 +159,10 @@ cloudflared-directus:
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
@@ -179,11 +172,6 @@ postgres-18-cluster:
       endpointCredentials: directus-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/directus/directus-postgresql-18-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-18-cluster
         index: 1
@@ -192,6 +180,11 @@ postgres-18-cluster:
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/directus/directus-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-18-cluster
       #   index: 1
@@ -202,18 +195,28 @@ postgres-18-cluster:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
+      # - name: daily-backup
+      #   suspend: false
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
       # - name: weekly-backup
       #   suspend: false
       #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+redis-replication:
+  existingSecret:
+    enabled: true
+    name: directus-redis-config
+    key: password
+  redisReplication:
+    clusterSize: 3
+  redisSentinel:
+    enabled: true
+    clusterSize: 3

clusters/cl01tl/helm/ephemera/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:b08b2d3923734ba8844754727803a4b4e1de2ad418c3f755ccd64927266c1b5c
+- name: volsync-target
-generated: "2025-12-05T17:04:04.30013278Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.3.0
+digest: sha256:476021b852fbbd829570bcb88309eea92bd096cb4ec79efe2d895ee0c46f1c49
+generated: "2025-12-15T21:43:24.262051-06:00"

clusters/cl01tl/helm/ephemera/Chart.yaml

@@ -19,5 +19,9 @@ dependencies:
     alias: ephemera
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.3.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ephemera.png
 appVersion: 1.3.1

clusters/cl01tl/helm/ephemera/templates/external-secret.yaml

@@ -42,60 +42,3 @@ spec:
         key: /cl01tl/ephemera/config
         metadataPolicy: None
         property: ntfy-url
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: ephemera-config-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: ephemera-config-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/ephemera/ephemera-config"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key

clusters/cl01tl/helm/ephemera/templates/replication-source.yaml

@@ -1,26 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: ephemera-config-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: ephemera-config-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: ephemera
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: ephemera-config-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 10Gi

clusters/cl01tl/helm/ephemera/values.yaml

@@ -52,7 +52,7 @@ ephemera:
         apprise-api:
           image:
             repository: caronc/apprise
-            tag: 1.2.6
+            tag: 1.3.0
             pullPolicy: IfNotPresent
           env:
             - name: TZ
@@ -82,6 +82,7 @@ ephemera:
           protocol: HTTP
   persistence:
     config:
+      forceRename: ephemera
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
@@ -105,3 +106,5 @@ ephemera:
           main:
             - path: /app/ingest
               readOnly: false
+volsync-target-config:
+  pvcTarget: ephemera

clusters/cl01tl/helm/freshrss/Chart.lock

@@ -7,6 +7,9 @@ dependencies:
   version: 1.23.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:dc8829a1f2cea88033bfda5d412dee8124154e26bfbe9e1bd67b8bb351ad7904
+- name: volsync-target
-generated: "2025-12-11T17:07:50.35548-06:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:80a27ffb18fd1a635f16e70b90c2395f2de300ed50d072a8b87353f1ec3304cb
+generated: "2025-12-15T21:47:10.578165-06:00"

clusters/cl01tl/helm/freshrss/Chart.yaml

@@ -27,7 +27,11 @@ dependencies:
     version: 1.23.2
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/freshrss.png
 appVersion: 1.27.1

clusters/cl01tl/helm/freshrss/templates/external-secret.yaml

@@ -94,63 +94,6 @@ spec:
         metadataPolicy: None
         property: token
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: freshrss-data-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: freshrss-data-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/freshrss/freshrss-data"
-  data:
-    - secretKey: BUCKET_ENDPOINT
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: S3_BUCKET_ENDPOINT
-    - secretKey: RESTIC_PASSWORD
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
-    - secretKey: AWS_DEFAULT_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/volsync/restic/config
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: access_key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
-        metadataPolicy: None
-        property: secret_key
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret

clusters/cl01tl/helm/freshrss/templates/replication-source.yaml

@@ -1,35 +0,0 @@
-apiVersion: volsync.backube/v1alpha1
-kind: ReplicationSource
-metadata:
-  name: freshrss-data-backup-source
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: freshrss-data-backup-source
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  sourcePVC: freshrss-data
-  trigger:
-    schedule: 0 4 * * *
-  restic:
-    pruneIntervalDays: 7
-    repository: freshrss-data-backup-secret
-    retain:
-      hourly: 1
-      daily: 3
-      weekly: 2
-      monthly: 2
-      yearly: 4
-    moverSecurityContext:
-      runAsUser: 568
-      runAsGroup: 568
-      fsGroup: 568
-      fsGroupChangePolicy: OnRootMismatch
-      supplementalGroups:
-        - 44
-        - 100
-        - 109
-        - 65539
-    copyMethod: Snapshot
-    storageClassName: ceph-block
-    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/freshrss/values.yaml

@@ -163,6 +163,7 @@ freshrss:
           protocol: HTTP
   persistence:
     data:
+      forceRename: freshrss-data
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
@@ -196,17 +197,10 @@ cloudflared:
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
@@ -216,11 +210,6 @@ postgres-18-cluster:
       endpointCredentials: freshrss-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/freshrss/freshrss-postgresql-18-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-18-cluster
         index: 1
@@ -229,6 +218,11 @@ postgres-18-cluster:
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/freshrss/freshrss-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-18-cluster
       #   index: 1
@@ -239,18 +233,30 @@ postgres-18-cluster:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: weekly-backup
+      # - name: daily-backup
       #   suspend: false
       #   immediate: true
-      #   schedule: "0 2 4 * * SAT"
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
+      #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+volsync-target-data:
+  pvcTarget: freshrss-data
+  moverSecurityContext:
+    runAsUser: 568
+    runAsGroup: 568
+    fsGroup: 568
+    fsGroupChangePolicy: OnRootMismatch
+    supplementalGroups:
+      - 44
+      - 100
+      - 109
+      - 65539

clusters/cl01tl/helm/garage/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.5.0
-digest: sha256:36e920ce6efee3b33b40641652f814c888ae3c50272895ef286fb8236a010924
+- name: volsync-target
-generated: "2025-12-05T17:04:29.153093714Z"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:3d3469c5177b9501cbb34a5faf376fbe4d9b98bd033ad51ee51487a1c2f28d4e
+generated: "2025-12-15T22:10:00.495878-06:00"

clusters/cl01tl/helm/garage/Chart.yaml

@@ -18,5 +18,9 @@ dependencies:
     alias: garage
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.5.0
+  - name: volsync-target
+    alias: volsync-target-db
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 appVersion: v2.1.0

clusters/cl01tl/helm/garage/values.yaml

@@ -123,9 +123,10 @@ garage:
               mountPropagation: None
               subPath: garage.toml
     db:
+      forceRename: garage-db
       storageClass: ceph-block
       accessMode: ReadWriteOnce
-      size: 10Gi
+      size: 50Gi
       retain: true
       advancedMounts:
         main:
@@ -152,3 +153,12 @@ garage:
           main:
             - path: /var/lib/garage/snapshots
               readOnly: false
+volsync-target-db:
+  pvcTarget: garage-db
+  local:
+    enabled: false
+  remote:
+    restic:
+      cacheCapacity: 10Gi
+  external:
+    enabled: false

clusters/cl01tl/helm/gatus/Chart.lock

@@ -4,6 +4,9 @@ dependencies:
   version: 1.4.4
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:11d46f37e9f98a5562239e1b827a4caccc0ca14dc738681465e27ef5c5edd6d0
+- name: volsync-target
-generated: "2025-12-11T17:23:01.072262-06:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:367bfee3e6811bfd4591cf76f09a419f312007d797b83311e76c8d01318e73fe
+generated: "2025-12-15T22:11:48.014486-06:00"

clusters/cl01tl/helm/gatus/Chart.yaml

@@ -22,7 +22,11 @@ dependencies:
     version: 1.4.4
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/gatus.png
 appVersion: v5.33.0

clusters/cl01tl/helm/gatus/values.yaml

@@ -122,6 +122,9 @@ gatus:
       - name: jellyfin
         url: https://jellyfin.alexlebens.net
         <<: *defaults
+      - name: jellyfin-vue
+        url: https://jellyfin-vue.alexlebens.net
+        <<: *defaults
       - name: overseerr
         url: https://overseerr.alexlebens.net
         <<: *defaults
@@ -182,11 +185,6 @@ gatus:
       - name: n8n
         url: https://n8n.alexlebens.net
         <<: *defaults
-      - name: kronic
-        url: https://kronic.alexlebens.net
-        <<: *defaults
-        conditions:
-          - "[STATUS] == 401"
       - name: omni-tools
         url: https://omni-tools.alexlebens.net
         <<: *defaults
@@ -259,9 +257,6 @@ gatus:
       - name: garage
         url: https://garage-webui.alexlebens.net
         <<: *defaults
-      - name: pgadmin
-        url: https://pgadmin.alexlebens.net
-        <<: *defaults
       - name: whodb
         url: https://whodb.alexlebens.net
         <<: *defaults
@@ -381,17 +376,10 @@ gatus:
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
@@ -401,19 +389,19 @@ postgres-18-cluster:
       endpointCredentials: gatus-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gatus/gatus-postgresql-18-cluster
-        index: 2
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/gatus/gatus-postgresql-18-cluster
         index: 1
         endpointURL: http://garage-main.garage:3900
-        endpointCredentials: gatus-postgresql-17-cluster-backup-secret-garage
+        endpointCredentials: gatus-postgresql-18-cluster-backup-secret-garage
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gatus/gatus-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/gatus/gatus-postgresql-18-cluster
       #   index: 1
@@ -424,18 +412,20 @@ postgres-18-cluster:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: weekly-backup
+      # - name: daily-backup
       #   suspend: false
       #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+volsync-target-data:
+  pvcTarget: gatus

clusters/cl01tl/helm/generic-device-plugin/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: generic-device-plugin
   repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-  version: 0.20.5
+  version: 0.20.7
-digest: sha256:329b2d00301ab1467a8654dd92febfd7078db121c00c0960548010c01dee66b6
+digest: sha256:62b0fc210d0c87dd396b7b12df9221d1a0351d605ea0cfab995ada58ff26a7bb
-generated: "2025-12-08T03:02:06.697075532Z"
+generated: "2025-12-16T00:20:50.401681968Z"

clusters/cl01tl/helm/generic-device-plugin/Chart.yaml

@@ -15,6 +15,6 @@ maintainers:
 dependencies:
   - name: generic-device-plugin
     repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-    version: 0.20.5
+    version: 0.20.7
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 appVersion: 1.0.0

clusters/cl01tl/helm/gitea/Chart.lock

@@ -5,17 +5,20 @@ dependencies:
 - name: gitea-actions
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.2.1
-- name: app-template
-  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.5.0
 - name: meilisearch
   repository: https://meilisearch.github.io/meilisearch-kubernetes
-  version: 0.17.2
+  version: 0.18.0
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 1.23.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:ecb6e0283b564f37b5d60bb64860b71c3b68acc2835364c0488fd7a9e932b941
+- name: redis-replication
-generated: "2025-12-11T17:38:49.087683-06:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+- name: redis-replication
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:6ba40bb2558ce298d05c6330d3eb34a6beae2b22f9c100649d6bba11efc5092d
+generated: "2025-12-15T23:46:50.99338-06:00"

clusters/cl01tl/helm/gitea/Chart.yaml

@@ -31,12 +31,8 @@ dependencies:
   - name: gitea-actions
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 0.2.1
-  - name: app-template
-    alias: backup
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.5.0
   - name: meilisearch
-    version: 0.17.2
+    version: 0.18.0
     repository: https://meilisearch.github.io/meilisearch-kubernetes
   - name: cloudflared
     alias: cloudflared
@@ -44,7 +40,19 @@ dependencies:
     version: 1.23.2
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
     repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    alias: redis-replication-gitea
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    alias: redis-replication-renovate
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  # - name: volsync-target
+  #   alias: volsync-target-storage
+  #   version: 0.5.0
+  #   repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/gitea.png
 appVersion: 1.25.2

clusters/cl01tl/helm/gitea/templates/external-secret.yaml

@@ -168,36 +168,6 @@ spec:
         metadataPolicy: None
         property: id_rsa.pub
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-s3cmd-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-s3cmd-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: .s3cfg
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/gitea-backup
-        metadataPolicy: None
-        property: s3cfg
-    - secretKey: BUCKET
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/gitea-backup
-        metadataPolicy: None
-        property: BUCKET
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret

clusters/cl01tl/helm/gitea/templates/persistent-volume-claim.yaml

@@ -1,24 +1,5 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
-metadata:
-  name: gitea-nfs-storage-backup
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-nfs-storage-backup
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeMode: Filesystem
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
 metadata:
   name: gitea-themes-storage
   namespace: {{ .Release.Namespace }}
@@ -28,9 +9,9 @@ metadata:
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   volumeMode: Filesystem
-  storageClassName: nfs-client
+  storageClassName: ceph-filesystem
   accessModes:
-    - ReadWriteOnce
+    - ReadWriteMany
   resources:
     requests:
       storage: 1Gi

clusters/cl01tl/helm/gitea/templates/redis-replication.yaml

@@ -1,66 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-gitea
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 10Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1
-
----
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-renovate
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-renovate
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1

clusters/cl01tl/helm/gitea/templates/redis-sentinel.yaml

@@ -1,23 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisSentinel
-metadata:
-  name: redis-sentinel-gitea
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-sentinel-gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  redisSentinelConfig:
-    redisReplicationName: redis-replication-gitea
-  kubernetesConfig:
-    image: quay.io/opstree/redis-sentinel:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 10m
-        memory: 128Mi

clusters/cl01tl/helm/gitea/templates/role-binding.yaml

@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: gitea-backup
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-backup
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: gitea-backup
-subjects:
-  - kind: ServiceAccount
-    name: gitea-backup
-    namespace: {{ .Release.Namespace }}

clusters/cl01tl/helm/gitea/templates/role.yaml

@@ -1,25 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: gitea-backup
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-backup
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-      - pods/exec
-    verbs:
-      - create
-      - list
-  - apiGroups:
-      - apps
-    resources:
-      - deployments
-    verbs:
-      - get
-      - list

clusters/cl01tl/helm/gitea/templates/service-monitor.yaml

@@ -14,24 +14,3 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
   endpoints:
     - port: http
-
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-gitea
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/gitea/values.yaml

@@ -171,135 +171,6 @@ gitea-actions:
   existingSecret: gitea-runner-secret
   existingSecretKey: token
   giteaRootURL: http://gitea-http.gitea:3000
-backup:
-  global:
-    fullnameOverride: gitea-backup
-    labels:
-      app.kubernetes.io/instance: gitea-backup
-      app.kubernetes.io/name: gitea-backup
-  controllers:
-    backup:
-      type: cronjob
-      cronjob:
-        suspend: false
-        concurrencyPolicy: Forbid
-        timeZone: US/Central
-        schedule: 0 4 */2 * *
-        startingDeadlineSeconds: 90
-        successfulJobsHistory: 3
-        failedJobsHistory: 3
-        backoffLimit: 3
-        parallelism: 1
-      serviceAccount:
-        name: gitea-backup
-      pod:
-        automountServiceAccountToken: true
-        labels:
-          app.kubernetes.io/instance: gitea-backup
-          app.kubernetes.io/name: gitea-backup
-      initContainers:
-        backup:
-          image:
-            repository: bitnami/kubectl
-            tag: latest
-            pullPolicy: IfNotPresent
-          command:
-            - sh
-          args:
-            - -ec
-            - |
-              kubectl exec -it deploy/gitea -n gitea -- rm -f /opt/backup/gitea-backup.zip;
-              kubectl exec -it deploy/gitea -n gitea -- /app/gitea/gitea dump -c /data/gitea/conf/app.ini --file /opt/backup/gitea-backup.zip;
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-      containers:
-        s3-backup:
-          image:
-            repository: d3fk/s3cmd
-            tag: latest@sha256:a4ef406e37628ee56e608b1567aeb0345e51142f56741b715322111be3b6ebcc
-            pullPolicy: IfNotPresent
-          command:
-            - /bin/sh
-          args:
-            - -ec
-            - |
-              echo ">> Running S3 backup for Gitea"
-              s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/gitea-backup.zip ${BUCKET}/cl01tl/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
-              mv /opt/backup/gitea-backup.zip /opt/backup/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
-              echo ">> Completed S3 backup for Gitea"
-          env:
-            - name: BUCKET
-              valueFrom:
-                secretKeyRef:
-                  name: gitea-s3cmd-config
-                  key: BUCKET
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-        s3-prune:
-          image:
-            repository: d3fk/s3cmd
-            tag: latest@sha256:a4ef406e37628ee56e608b1567aeb0345e51142f56741b715322111be3b6ebcc
-            pullPolicy: IfNotPresent
-          command:
-            - /bin/sh
-          args:
-            - -ec
-            - |
-              export DATE_RANGE=$(date -d @$(( $(date +%s) - 604800 )) +%Y%m%d);
-              export FILE_MATCH="$BUCKET/cl01tl/gitea-backup-$DATE_RANGE-09-00.zip"
-              echo ">> Running S3 prune for Gitea backup repository"
-              echo ">> Backups prior to '$DATE_RANGE' will be removed"
-              echo ">> Backups to be removed:"
-              s3cmd ls ${BUCKET}/cl01tl/ |
-                awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}'
-              echo ">> Deleting ..."
-              s3cmd ls ${BUCKET}/cl01tl/ |
-                awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}' |
-                while read file; do
-                  s3cmd del "$file";
-                done;
-              echo ">> Completed S3 prune for Gitea backup repository"
-          env:
-            - name: BUCKET
-              valueFrom:
-                secretKeyRef:
-                  name: gitea-s3cmd-config
-                  key: BUCKET
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-  serviceAccount:
-    gitea-backup:
-      enabled: true
-  persistence:
-    config:
-      existingClaim: gitea-nfs-storage-backup
-      advancedMounts:
-        backup:
-          s3-backup:
-            - path: /opt/backup
-              readOnly: false
-    s3cmd-config:
-      enabled: true
-      type: secret
-      name: gitea-s3cmd-config
-      advancedMounts:
-        backup:
-          s3-backup:
-            - path: /root/.s3cfg
-              readOnly: true
-              mountPropagation: None
-              subPath: .s3cfg
-          s3-prune:
-            - path: /root/.s3cfg
-              readOnly: true
-              mountPropagation: None
-              subPath: .s3cfg
 meilisearch:
   environment:
     MEILI_NO_ANALYTICS: true
@@ -325,17 +196,10 @@ cloudflared:
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
     resources:
       requests:
         memory: 1Gi
@@ -349,11 +213,6 @@ postgres-18-cluster:
       endpointCredentials: gitea-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-18-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-18-cluster
         index: 1
@@ -362,6 +221,11 @@ postgres-18-cluster:
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-18-cluster
       #   index: 1
@@ -372,18 +236,66 @@ postgres-18-cluster:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: weekly-backup
+      # - name: daily-backup
       #   suspend: false
       #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+redis-replication-gitea:
+  replicationNameOverride: redis-replication-gitea
+  sentinelNameOverride: redis-sentinel-gitea
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 3
+    resources:
+      requests:
+        cpu: 20m
+        memory: 400Mi
+    volumeClaimTemplate:
+      spec:
+        resources:
+          requests:
+            storage: 10Gi
+  redisSentinel:
+    enabled: true
+    clusterSize: 3
+redis-replication-renovate:
+  replicationNameOverride: redis-replication-renovate
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 1
+  redisSentinel:
+    enabled: false
+volsync-target-storage:
+  pvcTarget: gitea-shared-storage
+  local:
+    enabled: true
+    schedule: 0 0 0 * * *
+    restic:
+      pruneIntervalDays: 3
+      retain:
+        hourly: 1
+        daily: 1
+        weekly: 3
+        monthly: 0
+        yearly: 0
+      copyMethod: Snapshot
+      storageClassName: ceph-filesystem
+      volumeSnapshotClassName: ceph-filesystem
+      cacheCapacity: 40Gi
+  external:
+    enabled: false
+  remote:
+    enabled: false

clusters/cl01tl/helm/grafana-operator/Chart.lock

@@ -4,6 +4,12 @@ dependencies:
   version: v5.20.0
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:9640766b4a15b50a759edbc8a2aad816f9240be72bf06364acb387464245d51a
+- name: redis-replication
-generated: "2025-12-11T19:19:12.375716-06:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+- name: redis-replication
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:7089382a69a87a15afef83277e5b59a59b192a734c402384a61e4c65319f4891
+generated: "2025-12-15T15:30:54.939003-06:00"

clusters/cl01tl/helm/grafana-operator/Chart.yaml

@@ -21,7 +21,15 @@ dependencies:
     repository: https://grafana.github.io/helm-charts
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    alias: redis-replication-unified-alerting
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    alias: redis-replication-remote-cache
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/grafana.png
 appVersion: v5.20.0

clusters/cl01tl/helm/grafana-operator/templates/redis-replication.yaml

@@ -1,66 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-unified-alerting
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-unified-alerting
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1
-
----
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-remote-cache
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-remote-cache
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1

clusters/cl01tl/helm/grafana-operator/templates/service-monitor.yaml

@@ -1,19 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-grafana-operator
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-grafana-operator
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/grafana-operator/values.yaml

@@ -15,17 +15,10 @@ grafana-operator:
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
@@ -35,11 +28,6 @@ postgres-18-cluster:
       endpointCredentials: grafana-operator-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/grafana-operator/grafana-operator-postgresql-18-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/grafana-operator/grafana-operator-postgresql-18-cluster
         index: 1
@@ -48,6 +36,11 @@ postgres-18-cluster:
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/grafana-operator/grafana-operator-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/grafana-operator/grafana-operator-postgresql-18-cluster
       #   index: 1
@@ -58,18 +51,36 @@ postgres-18-cluster:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: weekly-backup
+      # - name: daily-backup
       #   suspend: false
       #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+redis-replication-unified-alerting:
+  replicationNameOverride: redis-replication-unified-alerting
+  sentinelNameOverride: redis-sentinel-unified-alerting
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 3
+  redisSentinel:
+    enabled: true
+    clusterSize: 3
+redis-replication-remote-cache:
+  replicationNameOverride: redis-replication-remote-cache
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 1
+  redisSentinel:
+    enabled: false

clusters/cl01tl/helm/harbor/Chart.lock

@@ -4,6 +4,9 @@ dependencies:
   version: 1.18.1
 - name: postgres-cluster
   repository: https://gitea.alexlebens.net/api/packages/alexlebens/helm
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:a8f5d259fb93f933050c498d9271a5b8606594c968a360f8be151f47b3feb49d
+- name: redis-replication
-generated: "2025-12-11T20:49:18.650522-06:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:8bd072dc65397b6c1dc8ff319e87f8df1afd50cebcd3f8c46ed753e3dcdba13a
+generated: "2025-12-15T15:36:05.141898-06:00"

clusters/cl01tl/helm/harbor/Chart.yaml

@@ -21,7 +21,10 @@ dependencies:
     repository: https://helm.goharbor.io
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
     repository: https://gitea.alexlebens.net/api/packages/alexlebens/helm
+  - name: redis-replication
+    version: 0.5.0
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/harbor.png
 appVersion: v2.14.1

clusters/cl01tl/helm/harbor/templates/redis-replication.yaml

@@ -1,32 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-harbor
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-harbor
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1

clusters/cl01tl/helm/harbor/templates/redis-sentinel.yaml

@@ -1,23 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisSentinel
-metadata:
-  name: redis-sentinel-harbor
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-sentinel-harbor
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  redisSentinelConfig:
-    redisReplicationName: redis-replication-harbor
-  kubernetesConfig:
-    image: quay.io/opstree/redis-sentinel:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 10m
-        memory: 128Mi

clusters/cl01tl/helm/harbor/templates/service-monitor.yaml

@@ -1,19 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-harbor
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-harbor
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/harbor/values.yaml

@@ -99,17 +99,10 @@ harbor:
 postgres-18-cluster:
   mode: recovery
   cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgresql
-      tag: 18.1-standard-trixie
     storage:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
   recovery:
     method: objectStore
     objectStore:
@@ -119,11 +112,6 @@ postgres-18-cluster:
       endpointCredentials: harbor-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/harbor/harbor-postgresql-18-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/harbor/harbor-postgresql-18-cluster
         index: 1
@@ -132,6 +120,11 @@ postgres-18-cluster:
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/harbor/harbor-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/harbor/harbor-postgresql-18-cluster
       #   index: 1
@@ -142,18 +135,26 @@ postgres-18-cluster:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: weekly-backup
+      # - name: daily-backup
       #   suspend: false
       #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+redis-replication:
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 3
+  redisSentinel:
+    enabled: true
+    clusterSize: 3

clusters/cl01tl/helm/home-assistant/values.yaml

@@ -21,7 +21,7 @@ home-assistant:
         code-server:
           image:
             repository: ghcr.io/linuxserver/code-server
-            tag: 4.106.3@sha256:aab9520fe923b2d93dccc2c806f3dc60649c2f4a2847fcd40c942227d0f1ae8f
+            tag: 4.106.3@sha256:83793e4460090d6c46f4842ff6ab8aa26ad8a567885112bbe754b45c61935055
             pullPolicy: IfNotPresent
           env:
             - name: TZ

clusters/cl01tl/helm/homepage/templates/service.yaml

@@ -36,7 +36,7 @@ metadata:
   name: garage-ui-ps10rp
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: garage-ps10rp
+    app.kubernetes.io/name: garage-ui-ps10rp
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
   annotations:

clusters/cl01tl/helm/homepage/values.yaml

@@ -141,6 +141,12 @@ homepage:
                   href: https://jellyfin.alexlebens.net
                   siteMonitor: http://jellyfin.jellyfin:80
                   statusStyle: dot
+              - Jellyfin (Alt):
+                  icon: sh-jellyfin.webp
+                  description: Media server (Alternate UI)
+                  href: https://jellyfin-vue.alexlebens.net
+                  siteMonitor: http://jellyfin-vue.jellyfin:80
+                  statusStyle: dot
               - Media Requests:
                   icon: sh-overseerr.webp
                   description: Overseerr
@@ -337,12 +343,6 @@ homepage:
                   href: https://n8n.alexlebens.net
                   siteMonitor: http://n8n-main.n8n:80
                   statusStyle: dot
-              - Jobs:
-                  icon: https://raw.githubusercontent.com/mshade/kronic/main/static/android-chrome-192x192.png
-                  description: Kronic
-                  href: https://kronic.alexlebens.net
-                  siteMonitor: http://kronic.kronic:80
-                  statusStyle: dot
               - Uptime:
                   icon: sh-gatus.webp
                   description: Gatus
@@ -513,12 +513,6 @@ homepage:
                   href: https://garage-ui-ps10rp.boreal-beaufort.ts.net
                   siteMonitor: https://garage-ui-ps10rp.boreal-beaufort.ts.net
                   statusStyle: dot
-              - Database:
-                  icon: sh-pgadmin-light.webp
-                  description: PGAdmin
-                  href: https://pgadmin.alexlebens.net
-                  siteMonitor: http://pgadmin.pgadmin:80
-                  statusStyle: dot
               - Database:
                   icon: sh-whodb.webp
                   description: WhoDB

clusters/cl01tl/helm/immich/Chart.lock

@@ -4,6 +4,9 @@ dependencies:
   version: 4.5.0
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 6.16.1
+  version: 7.1.1
-digest: sha256:0efb7efad85276191f07755520291b6a549472af4bbd6ac32c58b29f36984e60
+- name: redis-replication
-generated: "2025-12-11T21:59:26.978234-06:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.5.0
+digest: sha256:f0fb98c302e8749494c4ebe612cd9ea69e9b11d062dc5a16710dffd13802f475
+generated: "2025-12-15T15:31:14.966284-06:00"

clusters/cl01tl/helm/immich/Chart.yaml

@@ -20,7 +20,10 @@ dependencies:
     version: 4.5.0
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 6.16.1
+    version: 7.1.1
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: redis-replication
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/immich.png
 appVersion: v2.3.1

clusters/cl01tl/helm/immich/templates/redis-replication.yaml

@@ -1,32 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-immich
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-immich
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 50m
-        memory: 128Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        storageClassName: ceph-block
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: 1Gi
-  redisExporter:
-    enabled: true
-    image: quay.io/opstree/redis-exporter:v1.80.1

clusters/cl01tl/helm/immich/templates/redis-sentinel.yaml

@@ -1,23 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisSentinel
-metadata:
-  name: redis-sentinel-immich
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-sentinel-immich
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
-  redisSentinelConfig:
-    redisReplicationName: redis-replication-immich
-  kubernetesConfig:
-    image: quay.io/opstree/redis-sentinel:v8.4.0
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 10m
-        memory: 128Mi

clusters/cl01tl/helm/immich/templates/service-monitor.yaml

@@ -21,24 +21,3 @@ spec:
       interval: 3m
       scrapeTimeout: 1m
       path: /metrics
-
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-immich
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: redis-replication-immich
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    redis-operator: "true"
-    env: production
-spec:
-  selector:
-    matchLabels:
-      redis_setup_type: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/helm/immich/values.yaml

@@ -136,10 +136,6 @@ postgres-18-cluster:
       storageClass: local-path
     walStorage:
       storageClass: local-path
-    monitoring:
-      enabled: true
-      prometheusRule:
-        enabled: true
     postgresql:
       parameters:
         shared_buffers: 256MB
@@ -160,11 +156,6 @@ postgres-18-cluster:
       endpointCredentials: immich-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
-      - name: external
-        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/immich/immich-postgresql-18-cluster
-        index: 1
-        retentionPolicy: "30d"
-        isWALArchiver: false
       - name: garage-local
         destinationPath: s3://postgres-backups/cl01tl/immich/immich-postgresql-18-cluster
         index: 1
@@ -173,6 +164,11 @@ postgres-18-cluster:
         endpointCredentialsIncludeRegion: true
         retentionPolicy: "3d"
         isWALArchiver: true
+      # - name: external
+      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/immich/immich-postgresql-18-cluster
+      #   index: 1
+      #   retentionPolicy: "30d"
+      #   isWALArchiver: false
       # - name: garage-remote
       #   destinationPath: s3://postgres-backups/cl01tl/immich/immich-postgresql-18-cluster
       #   index: 1
@@ -183,18 +179,26 @@ postgres-18-cluster:
       #     compression: bzip2
       #     jobs: 2
     scheduledBackups:
-      - name: daily-backup
-        suspend: false
-        immediate: true
-        schedule: "0 0 0 * * *"
-        backupName: external
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: weekly-backup
+      # - name: daily-backup
       #   suspend: false
       #   immediate: true
-      #   schedule: "0 4 4 * * SAT"
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
+      #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+redis-replication:
+  existingSecret:
+    enabled: false
+  redisReplication:
+    clusterSize: 3
+  redisSentinel:
+    enabled: true
+    clusterSize: 3