chore(deps): update dependency goharbor/harbor to v2.15.0

.gitea/workflows/lint-test-docker.yaml

@@ -21,14 +21,14 @@ jobs:
     runs-on: ubuntu-js
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
       - name: Check Branch Exists
         id: check-branch-exists
         if: github.event_name == 'pull_request'
-        uses: GuillaumeFalourd/branch-exists@650358876c774d6ccbd581b5553eb636dab79a97 # v1.2
+        uses: GuillaumeFalourd/branch-exists@v1.1
         with:
           branch: "${{ github.base_ref }}"
 
@@ -51,7 +51,7 @@ jobs:
 
       - name: Set Up Node.js
         if: steps.branch-exists.outputs.exists == 'true'
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@v6
         with:
           node-version: '24'
 
@@ -120,7 +120,7 @@ jobs:
           echo "----"
 
       - name: ntfy Failed
-        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
+        uses: niniyas/ntfy-action@master
         if: failure()
         with:
           url: '${{ secrets.NTFY_URL }}'

.gitea/workflows/lint-test-helm.yaml

@@ -16,8 +16,8 @@ on:
 env:
   CLUSTER: cl01tl
   BASE_BRANCH: "origin/${{ github.base_ref }}"
+  # renovate: datasource=github-releases depName=yannh/kubeconform
   KUBECONFORM_VERSION: "v0.6.7"
-  ARGOCD_VERSION: "v3.3.6"
 
 jobs:
   lint-helm:
@@ -28,14 +28,14 @@ jobs:
       changes-detected: ${{ steps.check-dir-changes.outputs.changes-detected }}
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
       - name: Check Branch Exists
         id: check-branch-exists
         if: github.event_name == 'pull_request'
-        uses: GuillaumeFalourd/branch-exists@650358876c774d6ccbd581b5553eb636dab79a97 # v1.2
+        uses: GuillaumeFalourd/branch-exists@v1.1
         with:
           branch: ${{ github.base_ref }}
 
@@ -58,7 +58,7 @@ jobs:
 
       - name: Set Up Helm
         if: steps.branch-exists.outputs.exists == 'true'
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
+        uses: azure/setup-helm@v4
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           # renovate: datasource=github-releases depName=helm/helm
@@ -67,7 +67,7 @@ jobs:
 
       - name: Cache Helm Dependencies
         if: steps.branch-exists.outputs.exists == 'true'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache@v5
         with:
           path: |
             ~/.cache/helm
@@ -102,7 +102,7 @@ jobs:
             echo ""
             echo "${CHANGED_CHARTS}"
 
-            CHANGED_CHARTS_CSV=$(echo "${CHANGED_CHARTS}" | paste -sd ',' -)
+            CHANGED_CHARTS_CSV=$(echo "$CHANGED_CHARTS" | paste -sd ',' -)
 
             echo ""
             echo "----"
@@ -209,7 +209,7 @@ jobs:
           exit $EXIT_CODE
 
       - name: ntfy Failed
-        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
+        uses: niniyas/ntfy-action@master
         if: failure()
         with:
           url: '${{ secrets.NTFY_URL }}'
@@ -232,21 +232,11 @@ jobs:
       github.event_name == 'pull_request'
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
-      - name: Cache Kubeconform
-        id: cache-kubeconform
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: /usr/local/bin/kubeconform
-          key: ${{ runner.os }}-kubeconform-${{ env.KUBECONFORM_VERSION }}
-          restore-keys: |
-            ${{ runner.os }}-kubeconform-
-
       - name: Install Kubeconform
-        if: steps.cache-kubeconform.outputs.cache-hit != 'true'
         run: |
           echo ">> Downloading Kubeconform ${{ env.KUBECONFORM_VERSION }} ..."
           wget -q https://github.com/yannh/kubeconform/releases/download/${{ env.KUBECONFORM_VERSION }}/kubeconform-linux-amd64.tar.gz
@@ -259,8 +249,6 @@ jobs:
           echo ">> Installing Kubeconform ..."
           sudo mv kubeconform /usr/local/bin/
 
-      - name: Verify installation
-        run: |
           echo ""
           echo ">> Verifying installation ..."
           kubeconform -v
@@ -269,7 +257,7 @@ jobs:
           echo "----"
 
       - name: Set Up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
+        uses: azure/setup-helm@v4
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           # renovate: datasource=github-releases depName=helm/helm
@@ -277,7 +265,7 @@ jobs:
           cache: true
 
       - name: Cache Helm Dependencies
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache@v5
         with:
           path: |
             ~/.cache/helm
@@ -336,7 +324,7 @@ jobs:
 
             helm dependency build "${CHART_PATH}" --skip-refresh
 
-            if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor" | \
+            if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute" | \
               kubeconform \
                 ${SCHEMA_LOCATIONS} \
                 -ignore-missing-schemas \
@@ -364,7 +352,7 @@ jobs:
           exit $EXIT_CODE
 
       - name: ntfy Failed
-        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
+        uses: niniyas/ntfy-action@master
         if: failure()
         with:
           url: '${{ secrets.NTFY_URL }}'
@@ -377,243 +365,3 @@ jobs:
           icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
           actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
           image: true
-
-  # argo-diff:
-  #   needs: lint-helm
-  #   runs-on: ubuntu-js
-  #   if: |
-  #     needs.lint-helm.result == 'success' &&
-  #     needs.lint-helm.outputs.changes-detected == 'true' &&
-  #     github.event_name == 'pull_request'
-  #   steps:
-  #     - name: Checkout
-  #       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-  #       with:
-  #         fetch-depth: 0
-
-  #     - name: Cache ArgoCD CLI
-  #       id: cache-argocd
-  #       uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-  #       with:
-  #         path: /usr/local/bin/argocd
-  #         key: ${{ runner.os }}-argocd-${{ env.ARGOCD_VERSION }}
-  #         restore-keys: |
-  #           ${{ runner.os }}-argocd-
-
-  #     - name: Install ArgoCD CLI
-  #       if: steps.cache-argocd.outputs.cache-hit != 'true'
-  #       run: |
-  #         echo ">> Downloading ArgoCD CLI, version: ${{ env.ARGOCD_VERSION }} ..."
-  #         curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/download/${{ env.ARGOCD_VERSION }}/argocd-linux-amd64
-
-  #         echo ""
-  #         echo ">> Installing ArgoCD CLI ..."
-  #         sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
-
-  #         echo ""
-  #         echo "----"
-
-  #     - name: Verify installation
-  #       run: |
-  #         echo ""
-  #         echo ">> Verifying installation ..."
-  #         argocd version --client
-
-  #         echo ""
-  #         echo "----"
-
-  #     - name: Set Up Helm
-  #       uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
-  #       with:
-  #         token: ${{ secrets.GITEA_TOKEN }}
-  #         # renovate: datasource=github-releases depName=helm/helm
-  #         version: v4.1.3
-  #         cache: true
-
-  #     - name: Cache Helm Dependencies
-  #       uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-  #       with:
-  #         path: |
-  #           ~/.cache/helm
-  #           ~/.config/helm
-  #         key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
-  #         restore-keys: |
-  #           helm-cache-${{ runner.os }}-
-
-  #     - name: Add Repositories
-  #       env:
-  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
-  #       run: |
-  #         echo ">> Adding repositories for chart dependencies ..."
-  #         echo ""
-
-  #         for DIR in ${CHANGED_CHARTS}; do
-  #           helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \
-  #             | tail -n +2 \
-  #             | awk 'NF > 0 { print $1, $3 }' \
-  #             | while read -r REPO_NAME REPO_URL; do
-  #               if [[ "${REPO_URL}" == oci://* ]]; then
-  #                 echo ">> Ignoring OCI repo: ${REPO_URL}"
-
-  #               elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
-  #                 helm repo add "${REPO_NAME}" "${REPO_URL}"
-
-  #               fi
-
-  #             done || true
-  #         done
-
-  #         if helm repo list > /dev/null 2>&1; then
-  #           echo ""
-  #           echo ">> Update repository cache ..."
-  #           helm repo update
-
-  #         fi
-
-  #         echo ""
-  #         echo "----"
-
-  #     - name: Render Templates
-  #       id: render
-  #       env:
-  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
-  #       run: |
-  #         for APP_NAME in ${CHANGED_CHARTS}; do
-  #           echo ">> Render templates for ${APP_NAME} ..."
-  #           CHART_PATH="clusters/${CLUSTER}/helm/${APP_NAME}"
-  #           OUTPUT_FOLDER="clusters/${CLUSTER}/manifests/${APP_NAME}/"
-  #           mkdir -p "${OUTPUT_FOLDER}"
-
-  #           helm dependency build "${CHART_PATH}" --skip-refresh
-
-  #           NAMESPACE="${APP_NAME}"
-  #           case "${APP_NAME}" in
-  #             "stack")
-  #               NAMESPACE="argocd"
-  #               echo ">> Special Rendering into 'argocd' namespace ..."
-  #               ;;
-  #             "cilium" | "coredns" | "metrics-server")
-  #               NAMESPACE="kube-system"
-  #               echo ">> Special Rendering for ${APP_NAME} into 'kube-system' namespace ..."
-  #               ;;
-  #             *)
-  #               echo ">> Standard Rendering ..."
-  #           esac
-
-  #           TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
-
-  #           # Format and split rendered template
-  #           echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
-
-  #           # Strip comments again to ensure formatting correctness
-  #           for file in "$OUTPUT_FOLDER"/*; do
-  #             yq -i '... comments=""' $file
-
-  #           done
-
-  #           echo ""
-  #           echo ">> Templates in output folder: ${OUTPUT_FOLDER}"
-  #           ls ${OUTPUT_FOLDER}
-  #         done
-
-  #         echo "----"
-
-  #     - name: Run App Diff
-  #       id: diff
-  #       env:
-  #         ARGOCD_SERVER: ${{ secrets.ARGOCD_SERVER }}
-  #         ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}
-  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
-  #       run: |
-  #         FAILED_CHARTS=""
-  #         DIFF_FOUND="false"
-  #         EXIT_CODE=0
-
-  #         for APP_NAME in ${CHANGED_CHARTS}; do
-  #           echo ">> Running argocd app diff for ${APP_NAME} ..."
-  #           if ! argocd app diff "${APP_NAME}" \
-  #             --server "${ARGOCD_SERVER}" \
-  #             --auth-token "${ARGOCD_AUTH_TOKEN}" \
-  #             --revision ${{ github.sha }} \
-  #             --local "clusters/${CLUSTER}/manifests/${APP_NAME}" \
-  #             --local-repo-root "." \
-  #             --grpc-web > "diff_output_${APP_NAME}.txt" 2>&1; then
-
-  #             # ArgoCD diff returns non-zero on diff or error.
-  #             # Let's capture if it actually generated a diff output to post.
-  #             DIFF_FOUND="true"
-
-  #             # Check if the output contains validation/connection errors
-  #             if grep -iE 'error|failed|connection refused|timeout' "diff_output_${APP_NAME}.txt"; then
-  #                echo ">> ArgoCD encountered an error validating ${APP_NAME}!"
-  #                EXIT_CODE=1
-  #                FAILED_CHARTS="${FAILED_CHARTS} ${APP_NAME}"
-  #             fi
-  #           fi
-
-  #           if [ -s "diff_output_${APP_NAME}.txt" ]; then
-  #             echo ">> Argo diff or errors:"
-  #             echo ""
-  #             cat diff_output_${APP_NAME}.txt
-  #             echo ""
-  #           else
-  #             echo ">> No Argo diff found for ${APP_NAME}"
-  #             rm "diff_output_${APP_NAME}.txt"
-  #           fi
-  #         done
-
-  #         echo "----"
-  #         echo "diff-detected=${DIFF_FOUND}" >> "$GITHUB_OUTPUT"
-  #         echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
-
-  #         exit $EXIT_CODE
-
-  #     - name: Post Diff
-  #       if: |
-  #         always() &&
-  #         steps.diff.outputs.diff-detected == 'true' &&
-  #         github.event.pull_request.number != null
-  #       env:
-  #         GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
-  #       run: |
-  #         COMMENT_BODY="### ArgoCD Diff Results
-  #         "
-
-  #         for f in diff_output_*.txt; do
-  #           APP_NAME=$(echo $f | sed 's/diff_output_//;s/.txt//')
-  #           DIFF_CONTENT=$(cat "$f")
-
-  #           COMMENT_BODY="${COMMENT_BODY}
-  #         #### App: ${APP_NAME}
-  #         "
-
-  #           if [ -z "$DIFF_CONTENT" ]; then
-  #             COMMENT_BODY="${COMMENT_BODY} No changes detected."
-  #           else
-  #             COMMENT_BODY="${COMMENT_BODY}
-  #         \`\`\`diff
-  #         ${DIFF_CONTENT}
-  #         \`\`\`"
-  #           fi
-  #         done
-
-  #         curl -X 'POST' \
-  #           "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
-  #           -H "Authorization: token ${GITEA_TOKEN}" \
-  #           -H "Content-Type: application/json" \
-  #           -d "$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')"
-
-  #     - name: ntfy Failed
-  #       uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
-  #       if: failure()
-  #       with:
-  #         url: '${{ secrets.NTFY_URL }}'
-  #         topic: '${{ secrets.NTFY_TOPIC }}'
-  #         title: 'ArgoCD Diff Failure'
-  #         priority: 3
-  #         headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-  #         tags: action,failed
-  #         details: "ArgoCD diff for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.diff.outputs.failed-charts }}"
-  #         icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-  #         actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
-  #         image: true

.gitea/workflows/render-manifests.yaml

@@ -31,32 +31,32 @@ jobs:
       (github.event_name == 'pull_request' && github.event.pull_request.merged == true)
     steps:
       - name: Checkout Main
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           path: infrastructure
           fetch-depth: 0
 
       - name: Checkout Manifests
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           ref: manifests
           path: infrastructure-manifests
 
       - name: Set Up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
+        uses: azure/setup-helm@v4
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
           cache: true
 
       - name: Configure Kubeconfig
-        uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5
+        uses: azure/k8s-set-context@v4
         with:
           method: kubeconfig
           kubeconfig: ${{ secrets.KUBECONFIG }}
 
       - name: Cache Helm Dependencies
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache@v5
         with:
           path: |
             ~/.cache/helm
@@ -273,7 +273,7 @@ jobs:
                   NAMESPACE="argocd"
                   echo ">> Special Rendering into 'argocd' namespace ..."
                   ;;
-                "cilium" | "coredns" | "metrics-server")
+                "cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
                   NAMESPACE="kube-system"
                   echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
                   ;;
@@ -283,7 +283,7 @@ jobs:
 
               echo ">> Formating rendered template ..."
               local TEMPLATE
-              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
+              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
 
               # Format and split rendered template
               echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
@@ -314,7 +314,7 @@ jobs:
           for DIR in ${RENDER_DIR}; do
             echo "${DIR}"
 
-          done | xargs -P 5 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
+          done | xargs -P 4 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
 
           echo ""
           echo "----"
@@ -568,7 +568,7 @@ jobs:
           echo "----"
 
       - name: ntfy Created
-        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
+        uses: niniyas/ntfy-action@master
         if: steps.create-pull-request.outputs.pull-request-operation == 'created' && steps.mode.outputs.is-automerge == 'false'
         with:
           url: "${{ secrets.NTFY_URL }}"
@@ -582,7 +582,7 @@ jobs:
           actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
 
       - name: ntfy Updated
-        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
+        uses: niniyas/ntfy-action@master
         if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-request.outputs.pull-request-exists != 'false' && steps.mode.outputs.is-automerge == 'false'
         with:
           url: "${{ secrets.NTFY_URL }}"
@@ -596,7 +596,7 @@ jobs:
           actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
 
       - name: ntfy Merged
-        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
+        uses: niniyas/ntfy-action@master
         if: steps.merge-changes.outputs.pull-request-operation == 'merged'
         with:
           url: "${{ secrets.NTFY_URL }}"
@@ -610,7 +610,7 @@ jobs:
           actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
 
       - name: ntfy Failed
-        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
+        uses: niniyas/ntfy-action@master
         if: failure()
         with:
           url: "${{ secrets.NTFY_URL }}"

.gitea/workflows/renovate.yaml

@@ -13,10 +13,10 @@ on:
 jobs:
   renovate:
     runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.136.0@sha256:b8dd2bc412bcabfe641377548863d46d13ac36adaf12103ecb0420c4a1e23261
+    container: ghcr.io/renovatebot/renovate:43
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
 
       - name: Renovate
         run: renovate
@@ -25,7 +25,7 @@ jobs:
           RENOVATE_ENDPOINT: ${{ vars.INSTANCE_URL }}
           RENOVATE_REPOSITORIES: alexlebens/infrastructure
           RENOVATE_GIT_AUTHOR: Renovate Bot <renovate-bot@alexlebens.net>
-          LOG_LEVEL: debug
+          LOG_LEVEL: info
           RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
           RENOVATE_GIT_PRIVATE_KEY: ${{ secrets.RENOVATE_GIT_PRIVATE_KEY }}
           RENOVATE_GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}

clusters/cl01tl/helm/actual/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.6.2
-digest: sha256:1c04c187e6cf768117f7f91f3a3b082937ad5854c1cf6a681ad7c02687cd543d
+- name: volsync-target
-generated: "2026-04-18T20:15:22.778699-05:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.8.0
+digest: sha256:ff81b3d8fc831e4b8048f646fffcf597aa7410e52ecf27690eab8104047dbe6f
+generated: "2026-03-06T01:04:41.514235218Z"

clusters/cl01tl/helm/actual/Chart.yaml

@@ -5,12 +5,11 @@ description: Actual
 keywords:
   - actual
   - budget
-home: https://docs.alexlebens.dev/applications/actual/
+home: https://wiki.alexlebens.dev/s/86192f45-94b7-45de-872c-6ef3fec7df5e
 sources:
   - https://github.com/actualbudget/actual
   - https://github.com/actualbudget/actual/pkgs/container/actual
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:
@@ -18,10 +17,10 @@ dependencies:
     alias: actual
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.6.2
-  # - name: volsync-target
+  - name: volsync-target
-  #   alias: volsync-target-data
+    alias: volsync-target-data
-  #   version: 0.8.0
+    version: 0.8.0
-  #   repository: oci://harbor.alexlebens.net/helm-charts
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
 # renovate: datasource=github-releases depName=actualbudget/actual
-appVersion: 26.4.0
+appVersion: 26.3.0

clusters/cl01tl/helm/actual/values.yaml

@@ -4,18 +4,20 @@ actual:
       type: deployment
       replicas: 1
       strategy: Recreate
+      revisionHistoryLimit: 3
       containers:
         main:
           image:
             repository: ghcr.io/actualbudget/actual
-            tag: 26.4.0@sha256:b0e732e2c41b3dc468a71548e88ef76d3f0c157fc43d15fa05d14ec1c5747e1e
+            tag: 26.3.0
+            pullPolicy: IfNotPresent
           env:
-            - name: ACTUAL_PORT
+            - name: TZ
-              value: 5006
+              value: US/Central
           resources:
             requests:
               cpu: 10m
-              memory: 50Mi
+              memory: 128Mi
           probes:
             liveness:
               enabled: true
@@ -39,6 +41,7 @@ actual:
         http:
           port: 80
           targetPort: 5006
+          protocol: HTTP
   route:
     main:
       kind: HTTPRoute
@@ -51,8 +54,11 @@ actual:
         - actual.alexlebens.net
       rules:
         - backendRefs:
-            - name: actual
+            - group: ''
+              kind: Service
+              name: actual
               port: 80
+              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -63,6 +69,7 @@ actual:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 2Gi
+      retain: true
       advancedMounts:
         main:
           main:

clusters/cl01tl/helm/argo-workflows/Chart.lock

@@ -0,0 +1,12 @@
+dependencies:
+- name: argo-workflows
+  repository: https://argoproj.github.io/argo-helm
+  version: 1.0.2
+- name: argo-events
+  repository: https://argoproj.github.io/argo-helm
+  version: 2.4.20
+- name: postgres-cluster
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 7.10.0
+digest: sha256:8d1c2dd011a360d930ed5ff186462f163407077d36ae633898ec5d6ba30a4e8d
+generated: "2026-03-15T20:04:18.080966008Z"

clusters/cl01tl/helm/argo-workflows/Chart.yaml

@@ -0,0 +1,32 @@
+apiVersion: v2
+name: argo-workflows
+version: 1.0.0
+description: Argo Workflows
+keywords:
+  - argo-workflows
+  - argo-events
+  - workflows
+  - events
+home: https://wiki.alexlebens.dev/s/a268508f-d81d-4b4b-8bd5-9058edaea635
+sources:
+  - https://github.com/argoproj/argo-workflows
+  - https://github.com/argoproj/argo-events
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://github.com/argoproj/argo-helm/tree/main/charts
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: argo-workflows
+    version: 1.0.2
+    repository: https://argoproj.github.io/argo-helm
+  - name: argo-events
+    version: 2.4.20
+    repository: https://argoproj.github.io/argo-helm
+  - name: postgres-cluster
+    alias: postgres-18-cluster
+    version: 7.10.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
+# renovate: datasource=github-releases depName=argoproj/argo-workflows
+appVersion: v4.0.2

clusters/cl01tl/helm/argo-workflows/templates/external-secret.yaml

@@ -0,0 +1,28 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: argo-workflows-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: argo-workflows-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/argo-workflows
+        metadataPolicy: None
+        property: secret
+    - secretKey: client
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/argo-workflows
+        metadataPolicy: None
+        property: client

clusters/cl01tl/helm/argo-workflows/templates/http-route.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: argo-workflows
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: argo-workflows
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - argo-workflows.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: argo-workflows-server
+          port: 2746
+          weight: 100

clusters/cl01tl/helm/argo-workflows/values.yaml

@@ -0,0 +1,129 @@
+argo-workflows:
+  crds:
+    install: true
+    keep: true
+    # -- Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields.
+    # Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply.
+    full: true
+    upgradeJob:
+      image:
+        repository: registry.k8s.io/kubectl
+        tag: v1.35.2
+  controller:
+    metricsConfig:
+      enabled: true
+    persistence:
+      connectionPool:
+        maxIdleConns: 100
+        maxOpenConns: 0
+      nodeStatusOffLoad: true
+      archive: true
+      postgresql:
+        host: argo-workflows-postgresql-18-cluster-rw
+        port: 5432
+        database: app
+        tableName: app
+        userNameSecret:
+          name: argo-workflows-postgresql-18-cluster-app
+          key: username
+        passwordSecret:
+          name: argo-workflows-postgresql-18-cluster-app
+          key: password
+        ssl: false
+        sslMode: disable
+    workflowWorkers: 2
+    workflowTTLWorkers: 1
+    podCleanupWorkers: 1
+    cronWorkflowWorkers: 1
+    resources:
+      requests:
+        cpu: 10m
+        memory: 128Mi
+    serviceMonitor:
+      enabled: true
+    name: workflow-controller
+    workflowNamespaces:
+      - argocd
+      - argo-workflows
+  server:
+    authModes:
+      - sso
+    ingress:
+      enabled: false
+    sso:
+      enabled: true
+      issuer: https://authentik.alexlebens.net/application/o/argo-workflows/
+      clientId:
+        name: argo-workflows-oidc-secret
+        key: client
+      clientSecret:
+        name: argo-workflows-oidc-secret
+        key: secret
+      redirectUrl: https://argo-workflows.alexlebens.net/oauth2/callback
+      rbac:
+        enabled: false
+      scopes:
+        - openid
+        - email
+        - profile
+  useStaticCredentials: true
+  artifactRepository:
+    archiveLogs: false
+argo-events:
+  controller:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 128Mi
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  webhook:
+    enabled: true
+    resources:
+      requests:
+        cpu: 10m
+        memory: 128Mi
+postgres-18-cluster:
+  mode: recovery
+  recovery:
+    method: objectStore
+    objectStore:
+      index: 1
+  backup:
+    objectStore:
+      - name: garage-local
+        index: 1
+        destinationBucket: postgres-backups
+        externalSecretCredentialPath: /garage/home-infra/postgres-backups
+        isWALArchiver: true
+      # - name: garage-remote
+      #   index: 1
+      #   destinationBucket: postgres-backups
+      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
+      #   retentionPolicy: "90d"
+      #   data:
+      #     compression: bzip2
+      # - name: external
+      #   index: 1
+      #   endpointURL: https://nyc3.digitaloceanspaces.com
+      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
+      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
+      #   isWALArchiver: false
+    scheduledBackups:
+      - name: live-backup
+        suspend: false
+        immediate: true
+        schedule: "0 0 14 * * *"
+        backupName: garage-local
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
+      #   schedule: "0 0 4 * * SAT"
+      #   backupName: garage-remote
+      # - name: daily-backup
+      #   suspend: true
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external

clusters/cl01tl/helm/argocd/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 9.5.2
+  version: 9.4.10
-digest: sha256:5d9e6405ee944bf94df6af247164ebb9b8899144853b9a7eafabe8606affe84e
+digest: sha256:795aad956acef3f5efb8160390caf9b9792b7b4150d3a7984f1c5edbad92dfaa
-generated: "2026-04-19T19:53:40.43789-05:00"
+generated: "2026-03-10T18:58:35.720448421Z"

clusters/cl01tl/helm/argocd/Chart.yaml

@@ -4,8 +4,10 @@ version: 1.0.0
 description: Argo CD
 keywords:
   - argo-cd
+  - delivery
   - deployment
-home: https://docs.alexlebens.dev/applications/argo-cd/
+  - gitops
+home: https://wiki.alexlebens.dev/s/8a75cf26-b9df-437e-9cc5-2ef47e871a5f
 sources:
   - https://github.com/argoproj/argo-cd
   - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
@@ -13,8 +15,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-cd
-    version: 9.5.2
+    version: 9.4.10
     repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-cd
-appVersion: v3.3.7
+appVersion: v3.3.3

clusters/cl01tl/helm/argocd/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/argocd/templates/external-secret.yaml

@@ -1,40 +1,88 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-oidc-authentik
+  name: argocd-oidc-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: argocd-oidc-authentik
+    app.kubernetes.io/name: argocd-oidc-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: secret
       remoteRef:
-        key: /cl01tl/authentik/oidc/argocd
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/argocd
+        metadataPolicy: None
         property: secret
     - secretKey: client
       remoteRef:
-        key: /cl01tl/authentik/oidc/argocd
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/argocd
+        metadataPolicy: None
         property: client
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-notifications-ntfy
+  name: argocd-notifications-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: argocd-notifications-ntfy
+    app.kubernetes.io/name: argocd-notifications-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: ntfy-token
       remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /ntfy/user/cl01tl
+        metadataPolicy: None
         property: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: argocd-gitea-repo-infrastructure-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: type
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/argocd/credentials/repo/infrastructure
+        metadataPolicy: None
+        property: type
+    - secretKey: url
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/argocd/credentials/repo/infrastructure
+        metadataPolicy: None
+        property: url
+    - secretKey: sshPrivateKey
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/argocd/credentials/repo/infrastructure
+        metadataPolicy: None
+        property: sshPrivateKey

clusters/cl01tl/helm/argocd/values.yaml

@@ -1,11 +1,12 @@
 argo-cd:
   crds:
     install: true
-    keep: true
   configs:
     cm:
       admin.enabled: true
       accounts.homepage: apiKey
+      timeout.reconciliation: 100s
+      timeout.reconciliation.jitter: 60s
       url: https://argocd.alexlebens.net
       statusbadge.url: https://argocd.alexlebens.net/
       statusbadge.enabled: true
@@ -13,8 +14,8 @@ argo-cd:
         connectors:
         - config:
             issuer: https://authentik.alexlebens.net/application/o/argocd/
-            clientID: $argocd-oidc-authentik:client
+            clientID: $argocd-oidc-secret:client
-            clientSecret: $argocd-oidc-authentik:secret
+            clientSecret: $argocd-oidc-secret:secret
             insecureEnableGroups: true
             scopes:
               - openid
@@ -32,53 +33,12 @@ argo-cd:
         g, homepage, role:readonly
   controller:
     replicas: 1
-    resources:
-      requests:
-        cpu: 100m
-        memory: 1Gi
-    readinessProbe:
-      failureThreshold: 3
-      initialDelaySeconds: 60
-      periodSeconds: 30
-      successThreshold: 1
-      timeoutSeconds: 5
     metrics:
       enabled: true
       serviceMonitor:
         enabled: true
-      rules:
-        enabled: true
-        spec:
-          - alert: ArgoAppMissing
-            expr: |
-              absent(argocd_app_info) == 1
-            for: 15m
-            labels:
-              severity: critical
-            annotations:
-              summary: "[Argo CD] No reported applications"
-              description: >
-                Argo CD has not reported any applications data for the past 15 minutes which
-                means that it must be down or not functioning properly.  This needs to be
-                resolved for this cloud to continue to maintain state.
-          - alert: ArgoAppNotSynced
-            expr: |
-              argocd_app_info{sync_status!="Synced"} == 1
-            for: 12h
-            labels:
-              severity: warning
-            annotations:
-              summary: "[{{`{{$labels.name}}`}}] Application not synchronized"
-              description: >
-                The application [{{`{{$labels.name}}`}} has not been synchronized for over
-                12 hours which means that the state of this cloud has drifted away from the
-                state inside Git.
   dex:
     enabled: true
-    resources:
-      requests:
-        cpu: 1m
-        memory: 64Mi
     metrics:
       enabled: true
       serviceMonitor:
@@ -89,57 +49,20 @@ argo-cd:
       enabled: true
   redis-ha:
     enabled: true
-    image:
-      repository: redis
-      tag: 8.6.2-alpine@sha256:81b6f81d6a6c5b9019231a2e8eb10085e3a139a34f833dcc965a8a959b040b72
-    persistentVolume:
-      enabled: true
-    redis:
-      resources:
-        requests:
-          cpu: 1000m
-          memory: 50Mi
-    haproxy:
-      enabled: true
-      image:
-        repository: haproxy
-        tag: 3.3.6-alpine@sha256:744be2dca649a44d490a4c565d36968d19482dd387f1bdd44c168f4322bc6b1e
-      resources:
-        requests:
-          cpu: 5m
-          memory: 90Mi
-      metrics:
-        enabled: true
-        serviceMonitor:
-          enabled: true
-    exporter:
-      enabled: true
-      image: ghcr.io/oliver006/redis_exporter
-      tag: v1.82.0@sha256:6a97d4dd743b533e1f950c677b87d880e44df363c61af3f406fc9e53ed65ee03
-      serviceMonitor:
-        enabled: true
-    prometheusRule:
-      enabled: true
-      interval: 30s
-      rules:
-        - alert: RedisPodDown
-          expr: |
-            redis_up{job="{{ include "redis-ha.fullname" . }}"} == 0
-          for: 5m
-          labels:
-            severity: critical
-          annotations:
-            description: Redis pod {{ "{{ $labels.pod }}" }} is down
-            summary: Redis pod {{ "{{ $labels.pod }}" }} is down
     auth: false
   redisSecretInit:
     enabled: false
   server:
     replicas: 2
-    resources:
+    extensions:
-     requests:
+      enabled: true
-       cpu: 20m
+      extensionList:
-       memory: 80Mi
+        - name: extension-trivy
+          env:
+            - name: EXTENSION_URL
+              value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy.tar
+            - name: EXTENSION_CHECKSUM_URL
+              value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy_checksums.txt
     metrics:
       enabled: true
       serviceMonitor:
@@ -153,59 +76,34 @@ argo-cd:
           namespace: traefik
       hostnames:
         - argocd.alexlebens.net
+      rules:
+        - matches:
+            - path:
+                type: PathPrefix
+                value: /
   repoServer:
     replicas: 2
-    resources:
-      requests:
-        cpu: 1m
-        memory: 50Mi
-    readinessProbe:
-      enabled: true
-      failureThreshold: 3
-      initialDelaySeconds: 60
-      periodSeconds: 30
-      successThreshold: 1
-      timeoutSeconds: 5
-    livenessProbe:
-      enabled: true
-      failureThreshold: 3
-      initialDelaySeconds: 60
-      periodSeconds: 30
-      successThreshold: 1
-      timeoutSeconds: 5
     metrics:
       enabled: true
       serviceMonitor:
         enabled: true
   applicationSet:
     replicas: 2
-    resources:
-      requests:
-        cpu: 10m
-        memory: 50Mi
     metrics:
       enabled: true
       serviceMonitor:
         enabled: true
-    readinessProbe:
-      enabled: true
-      failureThreshold: 3
-      initialDelaySeconds: 60
-      periodSeconds: 30
-      successThreshold: 1
-      timeoutSeconds: 5
     livenessProbe:
       enabled: true
-      failureThreshold: 3
+    readinessProbe:
-      initialDelaySeconds: 60
+      enabled: true
-      periodSeconds: 30
-      successThreshold: 1
-      timeoutSeconds: 5
   notifications:
-    argocdUrl: https://argocd.alexlebens.net
+    enabled: true
+    context:
+      argocdUrl: https://argocd.alexlebens.net
     secret:
       create: false
-      name: argocd-notifications-ntfy
+      name: argocd-notifications-secret
     metrics:
       enabled: true
       serviceMonitor:
@@ -216,10 +114,6 @@ argo-cd:
         headers:
           - name: Authorization
             value: Bearer $ntfy-token
-    resources:
-      requests:
-        cpu: 2m
-        memory: 50Mi
     livenessProbe:
       enabled: true
     readinessProbe:

clusters/cl01tl/helm/audiobookshelf/Chart.yaml

@@ -7,14 +7,11 @@ keywords:
   - books
   - podcasts
   - audiobooks
-home: https://docs.alexlebens.dev/applications/audiobookshelf/
+home: https://wiki.alexlebens.dev/s/d4d6719f-cd1c-4b6e-b78e-2d2d7a5097d7
 sources:
   - https://github.com/advplyr/audiobookshelf
-  - https://github.com/caronc/apprise
   - https://github.com/advplyr/audiobookshelf/pkgs/container/audiobookshelf
-  - https://github.com/caronc/apprise-api/pkgs/container/apprise
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:
@@ -32,4 +29,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 # renovate: datasource=github-releases depName=advplyr/audiobookshelf
-appVersion: 2.33.2
+appVersion: 2.33.0

clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl

@@ -1,27 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.booksNfsName" -}}
-audiobookshelf-books-nfs-storage
-{{- end -}}
-{{- define "custom.audiobooksNfsName" -}}
-audiobookshelf-audiobooks-nfs-storage
-{{- end -}}
-{{- define "custom.podcastsNfsName" -}}
-audiobookshelf-podcasts-nfs-storage
-{{- end -}}

clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml

@@ -1,23 +1,21 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: audiobookshelf-config-apprise
+  name: audiobookshelf-apprise-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-config-apprise
+    app.kubernetes.io/name: audiobookshelf-apprise-config
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        ntfy-url: "{{ `{{ .endpoint }}` }}/audiobookshelf"
   data:
-    - secretKey: endpoint
+    - secretKey: ntfy-url
       remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
+        conversionStrategy: Default
-        property: internal-endpoint-credential
+        decodingStrategy: None
+        key: /cl01tl/audiobookshelf/apprise
+        metadataPolicy: None
+        property: ntfy-url

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml

@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.booksNfsName" . }}
+  name: audiobookshelf-books-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
-    {{ include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.booksNfsName" . }}
+  volumeName: audiobookshelf-books-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.audiobooksNfsName" . }}
+  name: audiobookshelf-audiobooks-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.audiobooksNfsName" . }}
+  volumeName: audiobookshelf-audiobooks-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -37,13 +39,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.podcastsNfsName" . }}
+  name: audiobookshelf-podcasts-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.podcastsNfsName" . }}
+  volumeName: audiobookshelf-podcasts-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml

@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.booksNfsName" . }}
+  name: audiobookshelf-books-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.audiobooksNfsName" . }}
+  name: audiobookshelf-audiobooks-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -49,11 +51,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.podcastsNfsName" . }}
+  name: audiobookshelf-podcasts-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/audiobookshelf/values.yaml

@@ -4,29 +4,28 @@ audiobookshelf:
       type: deployment
       replicas: 1
       strategy: Recreate
-      pod:
+      revisionHistoryLimit: 3
-        securityContext:
-          fsGroup: 1000
-          fsGroupChangePolicy: OnRootMismatch
       containers:
         main:
           image:
             repository: ghcr.io/advplyr/audiobookshelf
-            tag: 2.33.2@sha256:a44ed89b3e845faa1f7d353f2cc89b2fcd8011737dd14075fa963cf9468da3a5
+            tag: 2.33.0
+            pullPolicy: IfNotPresent
           env:
             - name: TZ
-              value: America/Chicago
+              value: US/Central
           resources:
             requests:
-              cpu: 1m
+              cpu: 10m
-              memory: 200Mi
+              memory: 128Mi
         apprise-api:
           image:
-            repository: ghcr.io/caronc/apprise
+            repository: caronc/apprise
-            tag: v1.3.3@sha256:4bfeac268ba87b8e08e308c9aa0182fe99e9501ec464027afc333d1634e65977
+            tag: v1.3.2
+            pullPolicy: IfNotPresent
           env:
             - name: TZ
-              value: America/Chicago
+              value: US/Central
             - name: PGID
               value: "1000"
             - name: PUID
@@ -40,8 +39,12 @@ audiobookshelf:
             - name: APPRISE_STATELESS_URLS
               valueFrom:
                 secretKeyRef:
-                  name: audiobookshelf-config-apprise
+                  name: audiobookshelf-apprise-config
                   key: ntfy-url
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
   service:
     main:
       controller: main
@@ -49,9 +52,11 @@ audiobookshelf:
         http:
           port: 80
           targetPort: 80
+          protocol: HTTP
         apprise:
           port: 8000
           targetPort: 8000
+          protocol: HTTP
   serviceMonitor:
     main:
       selector:
@@ -77,8 +82,11 @@ audiobookshelf:
         - audiobookshelf.alexlebens.net
       rules:
         - backendRefs:
-            - name: audiobookshelf
+            - group: ''
+              kind: Service
+              name: audiobookshelf
               port: 80
+              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -89,6 +97,7 @@ audiobookshelf:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 2Gi
+      retain: true
       advancedMounts:
         main:
           main:
@@ -99,6 +108,7 @@ audiobookshelf:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 10Gi
+      retain: true
       advancedMounts:
         main:
           main:

clusters/cl01tl/helm/authentik/Chart.lock

@@ -1,15 +1,15 @@
 dependencies:
 - name: authentik
   repository: https://charts.goauthentik.io/
-  version: 2026.2.2
+  version: 2026.2.1
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.5.0
+  version: 2.4.0
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.11.2
+  version: 7.10.0
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
+  version: 0.4.0
-digest: sha256:22fe4d9ec592aa74cbff5596e8d900f607bd68ea14c7df70a94b4ef76727614d
+digest: sha256:8c353c5dad4c3d04d518c1445497f0d1cb64261a4201ae17a2c0874454b807a7
-generated: "2026-04-13T20:32:12.748342469Z"
+generated: "2026-03-15T20:04:35.99407071Z"

clusters/cl01tl/helm/authentik/Chart.yaml

@@ -6,30 +6,33 @@ keywords:
   - authentik
   - sso
   - oidc
+  - ldap
+  - idp
   - authentication
-home: https://docs.alexlebens.dev/applications/authentik/
+home: https://wiki.alexlebens.dev/s/45ca5171-581f-41d2-b6fb-2b0915029a2d
 sources:
   - https://github.com/goauthentik/authentik
+  - https://github.com/cloudflare/cloudflared
+  - https://github.com/cloudnative-pg/cloudnative-pg
   - https://github.com/goauthentik/helm
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
 maintainers:
   - name: alexlebens
 dependencies:
   - name: authentik
-    version: 2026.2.2
+    version: 2026.2.1
     repository: https://charts.goauthentik.io/
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.5.0
+    version: 2.4.0
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 7.11.2
+    version: 7.10.0
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: valkey
     alias: valkey
-    version: 0.6.1
+    version: 0.4.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
 # renovate: datasource=github-releases depName=goauthentik/authentik

clusters/cl01tl/helm/authentik/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/authentik/templates/external-secret.yaml

@@ -1,17 +1,21 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: authentik-key
+  name: authentik-key-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: authentik-key
+    app.kubernetes.io/name: authentik-key-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: key
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /cl01tl/authentik/key
+        metadataPolicy: None
         property: key

clusters/cl01tl/helm/authentik/templates/ingress.yaml

@@ -1,12 +1,13 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ .Release.Name }}-tailscale
+  name: authentik-tailscale
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
+    app.kubernetes.io/name: authentik-tailscale
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
     tailscale.com/proxy-class: no-metrics
-    {{- include "custom.labels" . | nindent 4 }}
   annotations:
     tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
 spec:

clusters/cl01tl/helm/authentik/templates/reference-grant.yaml

@@ -5,7 +5,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: allow-outpost-cross-namespace-access
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   from:
     - group: gateway.networking.k8s.io

clusters/cl01tl/helm/authentik/values.yaml

@@ -4,7 +4,7 @@ authentik:
       - name: AUTHENTIK_SECRET_KEY
         valueFrom:
           secretKeyRef:
-            name: authentik-key
+            name: authentik-key-secret
             key: key
       - name: AUTHENTIK_POSTGRESQL__HOST
         valueFrom:
@@ -30,23 +30,8 @@ authentik:
     redis:
       host: authentik-valkey
   server:
-    replicas: 2
+    name: server
-    resources:
+    replicas: 1
-      requests:
-        cpu: 20m
-        memory: 700Mi
-    livenessProbe:
-      failureThreshold: 3
-      initialDelaySeconds: 15
-      periodSeconds: 10
-      successThreshold: 1
-      timeoutSeconds: 5
-    readinessProbe:
-      failureThreshold: 3
-      initialDelaySeconds: 15
-      periodSeconds: 10
-      successThreshold: 1
-      timeoutSeconds: 5
     metrics:
       enabled: true
       serviceMonitor:
@@ -54,6 +39,8 @@ authentik:
     route:
       main:
         enabled: true
+        apiVersion: gateway.networking.k8s.io/v1
+        kind: HTTPRoute
         hostnames:
           - authentik.alexlebens.net
         parentRefs:
@@ -61,26 +48,23 @@ authentik:
             kind: Gateway
             name: traefik-gateway
             namespace: traefik
+        httpsRedirect: false
+        matches:
+          - path:
+              type: PathPrefix
+              value: /
   worker:
     name: worker
-    replicas: 2
+    replicas: 1
-    resources:
-      requests:
-        cpu: 80m
-        memory: 650Mi
-    metrics:
-      enabled: true
-      serviceMonitor:
-        enabled: true
   prometheus:
     rules:
       enabled: true
+  postgresql:
+    enabled: false
+  redis:
+    enabled: false
 postgres-18-cluster:
   mode: recovery
-  cluster:
-    resources:
-      requests:
-        memory: 150Mi
   recovery:
     method: objectStore
     objectStore:
@@ -92,9 +76,32 @@ postgres-18-cluster:
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true
+      # - name: garage-remote
+      #   index: 1
+      #   destinationBucket: postgres-backups
+      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
+      #   retentionPolicy: "90d"
+      #   data:
+      #     compression: bzip2
+      # - name: external
+      #   index: 1
+      #   endpointURL: https://nyc3.digitaloceanspaces.com
+      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
+      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
+      #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 5 14 * * *"
         backupName: garage-local
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
+      #   schedule: "0 0 4 * * SAT"
+      #   backupName: garage-remote
+      # - name: daily-backup
+      #   suspend: true
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external

clusters/cl01tl/helm/backrest/Chart.yaml

@@ -5,12 +5,11 @@ description: backrest
 keywords:
   - backrest
   - backup
-home: https://docs.alexlebens.dev/applications/backrest/
+home: https://wiki.alexlebens.dev/
 sources:
   - https://github.com/garethgeorge/backrest
-  - https://github.com/garethgeorge/backrest/pkgs/container/backrest
+  - https://hub.docker.com/r/garethgeorge/backrest
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:

clusters/cl01tl/helm/backrest/templates/_helpers.tpl

@@ -1,24 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.storageNfsName" -}}
-backrest-nfs-storage
-{{- end -}}
-{{- define "custom.shareNfsName" -}}
-backrest-nfs-share
-{{- end -}}

clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml

@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: backrest-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.storageNfsName" . }}
+  volumeName: backrest-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.shareNfsName" . }}
+  name: backrest-nfs-share
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-share
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.shareNfsName" . }}
+  volumeName: backrest-nfs-share
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml

@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: backrest-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.shareNfsName" . }}
+  name: backrest-nfs-share
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-share
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/backrest/values.yaml

@@ -7,8 +7,9 @@ backrest:
       containers:
         main:
           image:
-            repository: ghcr.io/garethgeorge/backrest
+            repository: garethgeorge/backrest
-            tag: v1.12.1@sha256:f4d34bd6fa985d13bdb6c01c5d8727e07708899afa9567d800808357d77b9fb0
+            tag: v1.12.1
+            pullPolicy: IfNotPresent
           env:
             - name: TZ
               value: America/Chicago
@@ -22,8 +23,8 @@ backrest:
               value: /tmp
           resources:
             requests:
-              cpu: 1m
+              cpu: 10m
-              memory: 30Mi
+              memory: 256Mi
   service:
     main:
       controller: main
@@ -31,19 +32,7 @@ backrest:
         http:
           port: 80
           targetPort: 9898
-  serviceMonitor:
+          protocol: TCP
-    main:
-      selector:
-        matchLabels:
-          app.kubernetes.io/name: backrest
-          app.kubernetes.io/instance: backrest
-      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
-      endpoints:
-        - port: http
-          scheme: http
-          path: /metrics
-          interval: 300s
-          scrapeTimeout: 15s
   route:
     main:
       kind: HTTPRoute
@@ -56,8 +45,11 @@ backrest:
         - backrest.alexlebens.net
       rules:
         - backendRefs:
-            - name: backrest
+            - group: ''
+              kind: Service
+              name: backrest
               port: 80
+              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -68,6 +60,7 @@ backrest:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 10Gi
+      retain: true
       advancedMounts:
         main:
           main:
@@ -78,6 +71,7 @@ backrest:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 1Gi
+      retain: true
       advancedMounts:
         main:
           main:

clusters/cl01tl/helm/bazarr/Chart.yaml

@@ -4,17 +4,14 @@ version: 1.0.0
 description: Bazarr
 keywords:
   - bazarr
-  - subtitles
   - servarr
-home: https://docs.alexlebens.dev/applications/bazarr/
+  - subtitles
+home: https://wiki.alexlebens.dev/s/
 sources:
   - https://github.com/morpheus65535/bazarr
   - https://github.com/linuxserver/docker-bazarr
-  - https://github.com/onedr0p/exportarr
   - https://github.com/linuxserver/docker-bazarr/pkgs/container/bazarr
-  - https://github.com/onedr0p/exportarr/pkgs/container/exportarr
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:
@@ -27,5 +24,5 @@ dependencies:
     version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
-# renovate: datasource=github-releases depName=linuxserver/docker-bazarr
+# renovate: datasource=github-releases depName=morpheus65535/bazarr
-appVersion: v1.5.6-ls342
+appVersion: 1.5.6

clusters/cl01tl/helm/bazarr/templates/_helpers.tpl

@@ -1,21 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.storageNfsName" -}}
-bazarr-nfs-storage
-{{- end -}}

clusters/cl01tl/helm/bazarr/templates/external-secret.yaml

@@ -1,17 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: bazarr-key
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: bazarr-key
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: key
-      remoteRef:
-        key: /cl01tl/bazarr/key
-        property: key

clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml

@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: bazarr-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
+    app.kubernetes.io/name: bazarr-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.storageNfsName" . }}
+  volumeName: bazarr-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml

@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: bazarr-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
+    app.kubernetes.io/name: bazarr-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/bazarr/values.yaml

@@ -4,6 +4,7 @@ bazarr:
       type: deployment
       replicas: 1
       strategy: Recreate
+      revisionHistoryLimit: 3
       pod:
         securityContext:
           runAsUser: 1000
@@ -14,10 +15,11 @@ bazarr:
         main:
           image:
             repository: ghcr.io/linuxserver/bazarr
-            tag: v1.5.6-ls342@sha256:9a631194c0dee21c85b5bff59e23610e1ae2f54594e922973949d271102e585e
+            tag: 1.5.6@sha256:05f9d5b24884f37120453dc1a008a47be244eebec32099ae1bd29032e75b67aa
+            pullPolicy: IfNotPresent
           env:
             - name: TZ
-              value: America/Chicago
+              value: US/Central
             - name: PUID
               value: 1000
             - name: PGID
@@ -25,26 +27,7 @@ bazarr:
           resources:
             requests:
               cpu: 10m
-              memory: 250Mi
+              memory: 256Mi
-        metrics:
-          image:
-            repository: ghcr.io/onedr0p/exportarr
-            tag: v2.3.0@sha256:af535d94061cf97a52e1661945ffba78c03f9443eae7c0da1a80a5a4be56b520
-          args: ["bazarr"]
-          env:
-            - name: URL
-              value: http://localhost:6767
-            - name: PORT
-              value: 9792
-            - name: APIKEY
-              valueFrom:
-                secretKeyRef:
-                  name: bazarr-key
-                  key: key
-            - name: ENABLE_ADDITIONAL_METRICS
-              value: false
-            - name: ENABLE_UNKNOWN_QUEUE_ITEMS
-              value: false
   service:
     main:
       controller: main
@@ -52,21 +35,7 @@ bazarr:
         http:
           port: 80
           targetPort: 6767
-        metrics:
+          protocol: HTTP
-          port: 9792
-          targetPort: 9792
-  serviceMonitor:
-    main:
-      selector:
-        matchLabels:
-          app.kubernetes.io/name: bazarr
-          app.kubernetes.io/instance: bazarr
-      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
-      endpoints:
-        - port: metrics
-          interval: 3m
-          scrapeTimeout: 1m
-          path: /metrics
   route:
     main:
       kind: HTTPRoute
@@ -79,8 +48,11 @@ bazarr:
         - bazarr.alexlebens.net
       rules:
         - backendRefs:
-            - name: bazarr
+            - group: ''
+              kind: Service
+              name: bazarr
               port: 80
+              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -91,6 +63,7 @@ bazarr:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
+      retain: true
       advancedMounts:
         main:
           main:

clusters/cl01tl/helm/blocky/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 4.6.2
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
+  version: 0.4.0
-digest: sha256:6ed3a7587906fbda581d0091ff2c29a1816b8b0b8ae40add9885e6a68b2b82ae
+digest: sha256:a5b0099261d772b24a302a106d106cfa82ac07fa14564141e00cf107d708e859
-generated: "2026-04-13T20:32:34.844998902Z"
+generated: "2026-03-09T23:06:16.853255429Z"

clusters/cl01tl/helm/blocky/Chart.yaml

@@ -5,12 +5,11 @@ description: Blocky
 keywords:
   - blocky
   - dns
-home: https://docs.alexlebens.dev/applications/blocky/
+home: https://wiki.alexlebens.dev/s/cf70113d-20bc-48ad-afb8-1e22ed3fd62a
 sources:
   - https://github.com/0xERR0R/blocky
-  - https://github.com/0xERR0R/blocky/pkgs/container/blocky
+  - https://hub.docker.com/r/spx01/blocky
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
 maintainers:
   - name: alexlebens
 dependencies:
@@ -20,7 +19,7 @@ dependencies:
     version: 4.6.2
   - name: valkey
     alias: valkey
-    version: 0.6.1
+    version: 0.4.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
 # renovate: datasource=github-releases depName=0xerr0r/blocky

clusters/cl01tl/helm/blocky/values.yaml

@@ -4,18 +4,20 @@ blocky:
       type: deployment
       replicas: 3
       strategy: RollingUpdate
+      revisionHistoryLimit: 3
       containers:
         main:
           image:
             repository: ghcr.io/0xerr0r/blocky
             tag: v0.29.0@sha256:a6d99f323d3036a99a3767a52ad612f4d8f3f31167492bfc14d4ea57b24cdfd0
+            pullPolicy: IfNotPresent
           env:
             - name: TZ
-              value: America/Chicago
+              value: US/Central
           resources:
             requests:
               cpu: 10m
-              memory: 100Mi
+              memory: 128Mi
   configMaps:
     config:
       enabled: true
@@ -96,56 +98,53 @@ blocky:
 
               traefik-cl01tl                  IN      A       10.232.1.21
               blocky                          IN      A       10.232.1.22
-              plex-lb                         IN      A       10.232.1.23
+              cilium-cl01tl                   IN      A       10.232.1.23
 
 
               ;; Application Names
               actual                          IN      CNAME   traefik-cl01tl
               alertmanager                    IN      CNAME   traefik-cl01tl
+              argo-workflows                  IN      CNAME   traefik-cl01tl
               argocd                          IN      CNAME   traefik-cl01tl
               audiobookshelf                  IN      CNAME   traefik-cl01tl
               authentik                       IN      CNAME   traefik-cl01tl
               backrest                        IN      CNAME   traefik-cl01tl
-              bao                             IN      CNAME   traefik-cl01tl
               bazarr                          IN      CNAME   traefik-cl01tl
+              booklore                        IN      CNAME   traefik-cl01tl
               ceph                            IN      CNAME   traefik-cl01tl
+              code-server                     IN      CNAME   traefik-cl01tl
               dawarich                        IN      CNAME   traefik-cl01tl
               directus                        IN      CNAME   traefik-cl01tl
               excalidraw                      IN      CNAME   traefik-cl01tl
               feishin                         IN      CNAME   traefik-cl01tl
-              foldergram                      IN      CNAME   traefik-cl01tl
               garage-s3                       IN      CNAME   traefik-cl01tl
               garage-webui                    IN      CNAME   traefik-cl01tl
               gatus                           IN      CNAME   traefik-cl01tl
               gitea                           IN      CNAME   traefik-cl01tl
               grafana                         IN      CNAME   traefik-cl01tl
-              grimmory                        IN      CNAME   traefik-cl01tl
               harbor                          IN      CNAME   traefik-cl01tl
               headlamp                        IN      CNAME   traefik-cl01tl
               home                            IN      CNAME   traefik-cl01tl
               home-assistant                  IN      CNAME   traefik-cl01tl
               home-assistant-code-server      IN      CNAME   traefik-cl01tl
-              houndarr                        IN      CNAME   traefik-cl01tl
               hubble                          IN      CNAME   traefik-cl01tl
               immich                          IN      CNAME   traefik-cl01tl
               jellyfin                        IN      CNAME   traefik-cl01tl
               jellystat                       IN      CNAME   traefik-cl01tl
               kiwix                           IN      CNAME   traefik-cl01tl
               komodo                          IN      CNAME   traefik-cl01tl
-              languagetool                    IN      CNAME   traefik-cl01tl
               lidarr                          IN      CNAME   traefik-cl01tl
               mail                            IN      CNAME   traefik-cl01tl
-              medialyze                       IN      CNAME   traefik-cl01tl
+              movie-roulette                  IN      CNAME   traefik-cl01tl
               music-grabber                   IN      CNAME   traefik-cl01tl
               navidrome                       IN      CNAME   traefik-cl01tl
               ntfy                            IN      CNAME   traefik-cl01tl
               objects                         IN      CNAME   traefik-cl01tl
               ollama                          IN      CNAME   traefik-cl01tl
               omni-tools                      IN      CNAME   traefik-cl01tl
-              paperless-ngx                   IN      CNAME   traefik-cl01tl
+              photoview                       IN      CNAME   traefik-cl01tl
               plex                            IN      CNAME   traefik-cl01tl
-              postiz-spotlight                IN      CNAME   traefik-cl01tl
+              postiz                          IN      CNAME   traefik-cl01tl
-              postiz-temporal                 IN      CNAME   traefik-cl01tl
               prometheus                      IN      CNAME   traefik-cl01tl
               prowlarr                        IN      CNAME   traefik-cl01tl
               qbittorrent                     IN      CNAME   traefik-cl01tl
@@ -161,7 +160,6 @@ blocky:
               sonarr                          IN      CNAME   traefik-cl01tl
               sonarr-4k                       IN      CNAME   traefik-cl01tl
               sonarr-anime                    IN      CNAME   traefik-cl01tl
-              sparkyfitness                   IN      CNAME   traefik-cl01tl
               stalwart                        IN      CNAME   traefik-cl01tl
               tdarr                           IN      CNAME   traefik-cl01tl
               tubearchivist                   IN      CNAME   traefik-cl01tl

clusters/cl01tl/helm/booklore/Chart.lock

@@ -8,5 +8,8 @@ dependencies:
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.8.0
-digest: sha256:6ee403da03c1bcc0289a9abdef0508344072d51173da996eda69b8305d5feefa
+- name: volsync-target
-generated: "2026-03-23T20:35:19.743257-05:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.8.0
+digest: sha256:e65fa008c652092da5431e9780eb2a87c944298a12e58e432efad61c9e826da5
+generated: "2026-03-14T23:57:22.721295098Z"

clusters/cl01tl/helm/booklore/Chart.yaml

@@ -0,0 +1,33 @@
+apiVersion: v2
+name: booklore
+version: 1.0.0
+description: booklore
+keywords:
+  - booklore
+  - books
+home: https://wiki.alexlebens.dev/
+sources:
+  - https://github.com/booklore-app/BookLore
+  - https://github.com/booklore-app/booklore/pkgs/container/booklore
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: booklore
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.6.2
+  - name: mariadb-cluster
+    version: 26.3.0
+    repository: https://helm.mariadb.com/mariadb-operator
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.8.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: volsync-target
+    alias: volsync-target-data
+    version: 0.8.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png
+# renovate: datasource=github-releases depName=booklore-app/BookLore
+appVersion: v2.2.1

clusters/cl01tl/helm/booklore/templates/external-secret.yaml

@@ -1,10 +1,10 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: grimmory-database-secret
+  name: booklore-database-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-database-secret
+    app.kubernetes.io/name: booklore-database-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -14,17 +14,20 @@ spec:
   data:
     - secretKey: password
       remoteRef:
-        key: /cl01tl/grimmory/database
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/booklore/database
+        metadataPolicy: None
         property: password
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: grimmory-data-replication-secret
+  name: booklore-data-replication-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-data-replication-secret
+    app.kubernetes.io/name: booklore-data-replication-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -34,17 +37,20 @@ spec:
   data:
     - secretKey: psk.txt
       remoteRef:
-        key: /cl01tl/grimmory/replication
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/booklore/replication
+        metadataPolicy: None
         property: psk.txt
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: grimmory-mariadb-cluster-backup-secret-external
+  name: booklore-mariadb-cluster-backup-secret-external
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-mariadb-cluster-backup-secret-external
+    app.kubernetes.io/name: booklore-mariadb-cluster-backup-secret-external
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -54,21 +60,27 @@ spec:
   data:
     - secretKey: access
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /digital-ocean/home-infra/mariadb-backups
+        metadataPolicy: None
         property: access
     - secretKey: secret
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /digital-ocean/home-infra/mariadb-backups
+        metadataPolicy: None
         property: secret
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: grimmory-mariadb-cluster-backup-secret-garage
+  name: booklore-mariadb-cluster-backup-secret-garage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-mariadb-cluster-backup-secret-garage
+    app.kubernetes.io/name: booklore-mariadb-cluster-backup-secret-garage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -78,9 +90,15 @@ spec:
   data:
     - secretKey: access
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /garage/home-infra/mariadb-backups
+        metadataPolicy: None
         property: access
     - secretKey: secret
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /garage/home-infra/mariadb-backups
+        metadataPolicy: None
         property: secret

clusters/cl01tl/helm/booklore/templates/namespace.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: grimmory
+  name: booklore
   annotations:
     volsync.backube/privileged-movers: "true"
   labels:
-    app.kubernetes.io/name: grimmory
+    app.kubernetes.io/name: booklore
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
     pod-security.kubernetes.io/audit: privileged

clusters/cl01tl/helm/booklore/templates/persistent-volume-claim.yaml

@@ -1,14 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: grimmory-books-nfs-storage
+  name: booklore-books-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-books-nfs-storage
+    app.kubernetes.io/name: booklore-books-nfs-storage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: grimmory-books-nfs-storage
+  volumeName: booklore-books-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -20,14 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: grimmory-books-import-nfs-storage
+  name: booklore-books-import-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-books-import-nfs-storage
+    app.kubernetes.io/name: booklore-books-import-nfs-storage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: grimmory-books-import-nfs-storage
+  volumeName: booklore-books-import-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/booklore/templates/persistent-volume.yaml

@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: grimmory-books-nfs-storage
+  name: booklore-books-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-books-nfs-storage
+    app.kubernetes.io/name: booklore-books-nfs-storage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -26,10 +26,10 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: grimmory-books-import-nfs-storage
+  name: booklore-books-import-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-books-import-nfs-storage
+    app.kubernetes.io/name: booklore-books-import-nfs-storage
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:

clusters/cl01tl/helm/booklore/values.yaml

@@ -1,18 +1,16 @@
-grimmory:
+booklore:
   controllers:
     main:
       type: deployment
       replicas: 1
       strategy: Recreate
-      pod:
+      revisionHistoryLimit: 3
-        securityContext:
-          fsGroup: 1000
-          fsGroupChangePolicy: OnRootMismatch
       containers:
         main:
           image:
-            repository: ghcr.io/grimmory-tools/grimmory
+            repository: ghcr.io/booklore-app/booklore
-            tag: v2.3.0@sha256:9014247f591074529894f81115ca40f899db697e89f72c2fe91ec530e3f19597
+            tag: v2.2.1
+            pullPolicy: IfNotPresent
           env:
             - name: TZ
               value: America/Chicago
@@ -21,22 +19,22 @@ grimmory:
             - name: GROUP_ID
               value: 1000
             - name: DATABASE_URL
-              value: jdbc:mariadb://grimmory-mariadb-cluster-primary.grimmory:3306/booklore
+              value: jdbc:mariadb://booklore-mariadb-cluster-primary.booklore:3306/booklore
             - name: DATABASE_USERNAME
-              value: grimmory
+              value: booklore
             - name: DATABASE_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: grimmory-database-secret
+                  name: booklore-database-secret
                   key: password
-            - name: GRIMMORY_PORT
+            - name: BOOKLORE_PORT
               value: 6060
             - name: SWAGGER_ENABLED
               value: false
           resources:
             requests:
-              cpu: 10m
+              cpu: 50m
-              memory: 1Gi
+              memory: 128Mi
   service:
     main:
       controller: main
@@ -44,6 +42,7 @@ grimmory:
         http:
           port: 80
           targetPort: 6060
+          protocol: HTTP
   route:
     main:
       kind: HTTPRoute
@@ -53,26 +52,41 @@ grimmory:
           name: traefik-gateway
           namespace: traefik
       hostnames:
-        - grimmory.alexlebens.net
+        - booklore.alexlebens.net
       rules:
         - backendRefs:
-            - name: grimmory
+            - group: ''
+              kind: Service
+              name: booklore
               port: 80
+              weight: 100
           matches:
             - path:
                 type: PathPrefix
                 value: /
   persistence:
     config:
-      forceRename: grimmory-config
+      forceRename: booklore-config
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
+      retain: true
       advancedMounts:
         main:
           main:
             - path: /app/data
               readOnly: false
+    data:
+      forceRename: booklore-data
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 10Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /data
+              readOnly: false
     books-import:
       type: emptyDir
       advancedMounts:
@@ -80,15 +94,8 @@ grimmory:
           main:
             - path: /bookdrop
               readOnly: false
-    data:
-      existingClaim: grimmory-books-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /data
-              readOnly: false
     ingest:
-      existingClaim: grimmory-books-import-nfs-storage
+      existingClaim: booklore-books-import-nfs-storage
       advancedMounts:
         main:
           main:
@@ -98,7 +105,7 @@ mariadb-cluster:
   mariadb:
     rootPasswordSecretKeyRef:
       generate: false
-      name: grimmory-database-secret
+      name: booklore-database-secret
       key: password
     storage:
       size: 5Gi
@@ -108,14 +115,14 @@ mariadb-cluster:
     bootstrapFrom:
       s3:
         bucket: mariadb-backups-b230a2f5aecf080a4b372c08
-        prefix: cl01tl/grimmory
+        prefix: cl01tl/booklore
         endpoint: nyc3.digitaloceanspaces.com
         region: us-east-1
         accessKeyIdSecretKeyRef:
-          name: grimmory-mariadb-cluster-backup-secret-external
+          name: booklore-mariadb-cluster-backup-secret-external
           key: access
         secretAccessKeySecretKeyRef:
-          name: grimmory-mariadb-cluster-backup-secret-external
+          name: booklore-mariadb-cluster-backup-secret-external
           key: secret
         tls:
           enabled: true
@@ -127,22 +134,21 @@ mariadb-cluster:
       cleanupPolicy: Delete
       requeueInterval: 10h
   users:
-    - name: grimmory
+    - name: booklore
       passwordSecretKeyRef:
-        name: grimmory-database-secret
+        name: booklore-database-secret
         key: password
       host: '%'
-      maxUserConnections: 100
       cleanupPolicy: Delete
       requeueInterval: 10h
       retryInterval: 30s
   grants:
-    - name: grimmory
+    - name: booklore
       privileges:
         - "ALL PRIVILEGES"
       database: "booklore"
       table: "*"
-      username: grimmory
+      username: booklore
       grantOption: true
       host: '%'
       cleanupPolicy: Delete
@@ -160,14 +166,14 @@ mariadb-cluster:
       storage:
         s3:
           bucket: mariadb-backups-b230a2f5aecf080a4b372c08
-          prefix: cl01tl/grimmory
+          prefix: cl01tl/booklore
           endpoint: nyc3.digitaloceanspaces.com
           region: us-east-1
           accessKeyIdSecretKeyRef:
-            name: grimmory-mariadb-cluster-backup-secret-external
+            name: booklore-mariadb-cluster-backup-secret-external
             key: access
           secretAccessKeySecretKeyRef:
-            name: grimmory-mariadb-cluster-backup-secret-external
+            name: booklore-mariadb-cluster-backup-secret-external
             key: secret
           tls:
             enabled: true
@@ -182,14 +188,14 @@ mariadb-cluster:
       storage:
         s3:
           bucket: mariadb-backups
-          prefix: cl01tl/grimmory
+          prefix: cl01tl/booklore
           endpoint: garage-ps10rp.boreal-beaufort.ts.net:3900
           region: us-east-1
           accessKeyIdSecretKeyRef:
-            name: grimmory-mariadb-cluster-backup-secret-garage
+            name: booklore-mariadb-cluster-backup-secret-garage
             key: access
           secretAccessKeySecretKeyRef:
-            name: grimmory-mariadb-cluster-backup-secret-garage
+            name: booklore-mariadb-cluster-backup-secret-garage
             key: secret
           tls:
             enabled: true
@@ -204,20 +210,17 @@ mariadb-cluster:
       storage:
         s3:
           bucket: mariadb-backups
-          prefix: cl01tl/grimmory
+          prefix: cl01tl/booklore
           endpoint: garage-main.garage:3900
           region: us-east-1
           accessKeyIdSecretKeyRef:
-            name: grimmory-mariadb-cluster-backup-secret-garage
+            name: booklore-mariadb-cluster-backup-secret-garage
             key: access
           secretAccessKeySecretKeyRef:
-            name: grimmory-mariadb-cluster-backup-secret-garage
+            name: booklore-mariadb-cluster-backup-secret-garage
             key: secret
 volsync-target-config:
-  pvcTarget: grimmory-config
+  pvcTarget: booklore-config
-  moverSecurityContext:
-    fsGroup: 1000
-    fsGroupChangePolicy: OnRootMismatch
   local:
     enabled: true
     schedule: 12 8 * * *
@@ -227,3 +230,20 @@ volsync-target-config:
   external:
     enabled: true
     schedule: 12 10 * * *
+volsync-target-data:
+  pvcTarget: booklore-data
+  local:
+    enabled: true
+    schedule: 14 8 * * *
+    restic:
+      cacheCapacity: 10Gi
+  remote:
+    enabled: true
+    schedule: 14 9 * * *
+    restic:
+      cacheCapacity: 10Gi
+  external:
+    enabled: true
+    schedule: 14 10 * * *
+    restic:
+      cacheCapacity: 10Gi

clusters/cl01tl/helm/cert-manager/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.20.2
+  version: v1.20.0
-digest: sha256:f218239b4538c64d57e098a56c69dcbc4e076ffcc3d320c5a5fef1e6309e38cf
+digest: sha256:1543bd17649cb32982de3cce017fcbed1b44c41d50b76c6471b266f33e261c29
-generated: "2026-04-13T23:02:59.380767677Z"
+generated: "2026-03-10T16:06:49.332999536Z"

clusters/cl01tl/helm/cert-manager/Chart.yaml

@@ -5,7 +5,8 @@ description: Cert Manager
 keywords:
   - cert-manager
   - certificates
-home: https://docs.alexlebens.dev/applications/cert-manager/
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/368fe718-eedb-40e0-a5a7-fad03cdc6b09
 sources:
   - https://github.com/cert-manager/cert-manager
   - https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager
@@ -13,8 +14,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: cert-manager
-    version: v1.20.2
+    version: v1.20.0
     repository: https://charts.jetstack.io
-icon: https://raw.githubusercontent.com/cert-manager/cert-manager/refs/heads/master/logo/logo.png
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/cert-manager.png
 # renovate: datasource=github-releases depName=cert-manager/cert-manager
-appVersion: v1.20.2
+appVersion: v1.20.0

clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl

@@ -1,24 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.cloudflareSecretName" -}}
-cert-manager-cloudflare-api-token
-{{- end -}}
-{{- define "custom.cloudflareSecretKey" -}}
-api-token
-{{- end -}}

clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml

@@ -2,10 +2,6 @@ apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
   name: letsencrypt-issuer
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: letsencrypt-issuer
-    {{- include "custom.labels" . | nindent 4 }}
 spec:
   acme:
     email: alexanderlebens@gmail.com
@@ -21,5 +17,5 @@ spec:
           cloudflare:
             email: alexanderlebens@gmail.com
             apiTokenSecretRef:
-              name: {{ include "custom.cloudflareSecretName" . }}
+              name: cloudflare-api-token
-              key: {{ include "custom.cloudflareSecretKey" . }}
+              key: api-token

clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml

@@ -1,17 +1,21 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: {{ include "custom.cloudflareSecretName" . }}
+  name: cloudflare-api-token
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.cloudflareSecretName" . }}
+    app.kubernetes.io/name: cloudflare-api-token
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
-    - secretKey: {{ include "custom.cloudflareSecretKey" . }}
+    - secretKey: api-token
       remoteRef:
-        key: /cloudflare/alexlebens.net/cl01tl-issuer-certificate
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/alexlebens.net/clusterissuer
+        metadataPolicy: None
         property: token

clusters/cl01tl/helm/cert-manager/values.yaml

@@ -3,16 +3,10 @@ cert-manager:
     enabled: true
     keep: true
   replicaCount: 2
-  podDisruptionBudget:
-    enabled: true
-    minAvailable: 1
   extraArgs:
     - --enable-gateway-api
-  resources:
-    requests:
-      cpu: 10m
-      memory: 64Mi
   prometheus:
+    enabled: true
     servicemonitor:
       enabled: true
       honorLabels: true

clusters/cl01tl/helm/cilium/Chart.yaml

@@ -4,12 +4,13 @@ version: 1.0.0
 description: Cilium
 keywords:
   - cilium
-  - operator
+  - cni
   - network
-home: https://docs.alexlebens.dev/applications/cilium/
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/9e6f5b17-e186-4af0-81cd-af647b162d3d
 sources:
   - https://github.com/cilium/cilium
-  - https://github.com/cilium/cilium/tree/main/install/kubernetes/cilium
+  - https://github.com/cilium/charts
 maintainers:
   - name: alexlebens
 dependencies:
@@ -18,4 +19,4 @@ dependencies:
     repository: https://helm.cilium.io/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png
 # renovate: datasource=github-releases depName=cilium/cilium
-appVersion: 1.18.6
+appVersion: 1.19.1

clusters/cl01tl/helm/cilium/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml

@@ -0,0 +1,19 @@
+# apiVersion: cilium.io/v2
+# kind: CiliumBGPAdvertisement
+# metadata:
+#   name: cilium-bgp-advertisements
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-bgp-advertisements
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   advertisements:
+#     - advertisementType: "Service"
+#       service:
+#         addresses:
+#           - ExternalIP
+#           - LoadBalancerIP
+#       selector:
+#         matchExpressions:
+#          - {key: somekey, operator: NotIn, values: ['never-used-value']}

clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml

@@ -0,0 +1,22 @@
+# apiVersion: cilium.io/v2
+# kind: CiliumBGPClusterConfig
+# metadata:
+#   name: cilium-bgp
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-bgp
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   nodeSelector:
+#     matchLabels:
+#       node-role.kubernetes.io/bgp: "65020"
+#   bgpInstances:
+#     - name: "65020"
+#       localASN: 65020
+#       peers:
+#         - name: "udm-65000"
+#           peerASN: 65000
+#           peerAddress: 192.168.1.1
+#           peerConfigRef:
+#             name: "cilium-peer"

clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml

@@ -0,0 +1,23 @@
+# apiVersion: cilium.io/v2
+# kind: CiliumBGPPeerConfig
+# metadata:
+#   name: cilium-peer
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-peer
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   timers:
+#     holdTimeSeconds: 9
+#     keepAliveTimeSeconds: 3
+#   ebgpMultihop: 4
+#   gracefulRestart:
+#     enabled: true
+#     restartTimeSeconds: 15
+#   families:
+#     - afi: ipv4
+#       safi: unicast
+#       advertisements:
+#         matchLabels:
+#           app.kubernetes.io/name: cilium-bgp-advertisements

clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml

@@ -5,7 +5,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: default-ip-pool
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   blocks:
     - start: "10.232.1.21"
@@ -19,7 +20,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: bgp-ip-pool
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   blocks:
     - start: "10.232.2.100"

clusters/cl01tl/helm/cilium/templates/gateway.yaml

@@ -0,0 +1,45 @@
+# apiVersion: gateway.networking.k8s.io/v1
+# kind: Gateway
+# metadata:
+#   name: cilium-tls-gateway
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-tls-gateway
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+#   annotations:
+#     cert-manager.io/cluster-issuer: letsencrypt-issuer
+# spec:
+#   addresses:
+#     - type: IPAddress
+#       value: 10.232.1.23
+#   gatewayClassName: cilium
+#   listeners:
+#     - allowedRoutes:
+#         namespaces:
+#           from: All
+#       hostname: '*.alexlebens.net'
+#       name: https
+#       port: 443
+#       protocol: HTTPS
+#       tls:
+#         certificateRefs:
+#           - group: ''
+#             kind: Secret
+#             name: https-gateway-cert
+#             namespace: kube-system
+#         mode: Terminate
+#     - allowedRoutes:
+#         namespaces:
+#           from: All
+#       hostname: 'alexlebens.net'
+#       name: https-domain
+#       port: 443
+#       protocol: HTTPS
+#       tls:
+#         certificateRefs:
+#           - group: ''
+#             kind: Secret
+#             name: https-gateway-cert
+#             namespace: kube-system
+#         mode: Terminate

clusters/cl01tl/helm/cilium/templates/http-route.yaml

@@ -5,7 +5,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: hubble
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   parentRefs:
     - group: gateway.networking.k8s.io

clusters/cl01tl/helm/cilium/values.yaml

@@ -25,24 +25,36 @@ cilium:
         - NET_ADMIN
         - SYS_ADMIN
         - SYS_RESOURCE
+  l2announcements:
+    enabled: false
   bgpControlPlane:
     enabled: false
+    secretsNamespace:
+      name: kube-system
+    statusReport:
+      enabled: true
+    routerIDAllocation:
+      mode: "default"
   bpf:
     hostLegacyRouting: true
   devices: end0 enp6s0
   ciliumEndpointSlice:
     enabled: true
+  ingressController:
+    enabled: false
   gatewayAPI:
     enabled: true
-    enableAppProtocol: true
     enableAlpn: true
-    secretsNamespace:
+    enableAppProtocol: true
-      create: false
+    gatewayClass:
-      name: kube-system
+      create: auto
+  externalIPs:
+    enabled: true
   socketLB:
     enabled: true
     hostNamespaceOnly: true
   hubble:
+    enabled: true
     metrics:
       serviceMonitor:
         enabled: true
@@ -56,6 +68,8 @@ cilium:
           enabled: true
     ui:
       enabled: true
+      ingress:
+        enabled: false
   ipam:
     mode: "kubernetes"
   ipv4:
@@ -63,11 +77,12 @@ cilium:
   ipv6:
     enabled: false
   kubeProxyReplacement: true
+  l7Proxy: true
   prometheus:
     enabled: true
     serviceMonitor:
-      enabled: true
       trustCRDsExist: true
+      enabled: true
   envoy:
     enabled: true
     securityContext:
@@ -79,11 +94,14 @@ cilium:
           - PERFMON
           - BPF
     prometheus:
+      enabled: true
       serviceMonitor:
         enabled: true
   operator:
+    enabled: true
     rollOutPods: true
     prometheus:
+      enabled: true
       serviceMonitor:
         enabled: true
   cgroup:

clusters/cl01tl/helm/cloudnative-pg/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: cloudnative-pg
   repository: https://cloudnative-pg.io/charts/
-  version: 0.28.0
+  version: 0.27.1
 - name: plugin-barman-cloud
   repository: https://cloudnative-pg.io/charts/
-  version: 0.6.0
+  version: 0.5.0
-digest: sha256:48241acb753e635a01b306b90cfbce13ed3c0105a33ec7d36f159e3a7fe607f3
+digest: sha256:e7089ffd089cae87529e28f0e71302b9fc4a869b389cbb6628f1c559644a3a10
-generated: "2026-04-14T09:03:10.332065288Z"
+generated: "2026-02-05T19:36:19.473447121Z"

clusters/cl01tl/helm/cloudnative-pg/Chart.yaml

@@ -6,22 +6,21 @@ keywords:
   - cloudnative-pg
   - operator
   - postgresql
-home: https://docs.alexlebens.dev/applications/cloudnative-pg/
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/9fb10833-0278-4e64-a34c-d348d833839f
 sources:
   - https://github.com/cloudnative-pg/cloudnative-pg
-  - https://github.com/cloudnative-pg/plugin-barman-cloud
-  - https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql
   - https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
   - https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud
 maintainers:
   - name: alexlebens
 dependencies:
   - name: cloudnative-pg
-    version: 0.28.0
+    version: 0.27.1
     repository: https://cloudnative-pg.io/charts/
   - name: plugin-barman-cloud
-    version: 0.6.0
+    version: 0.5.0
     repository: https://cloudnative-pg.io/charts/
-icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png
+icon: https://avatars.githubusercontent.com/u/100373852?s=200&v=4
 # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
-appVersion: 1.29.0
+appVersion: 1.28.1

clusters/cl01tl/helm/cloudnative-pg/values.yaml

@@ -1,16 +1,16 @@
 cloudnative-pg:
   replicaCount: 2
-  resources:
-    requests:
-      cpu: 10m
-      memory: 100Mi
   monitoring:
     podMonitorEnabled: true
 plugin-barman-cloud:
   replicaCount: 1
+  image:
+    registry: ghcr.io
+    repository: cloudnative-pg/plugin-barman-cloud
+    tag: v0.11.0
+  sidecarImage:
+    registry: ghcr.io
+    repository: cloudnative-pg/plugin-barman-cloud-sidecar
+    tag: v0.11.0
   crds:
     create: true
-  resources:
-    requests:
-      cpu: 1m
-      memory: 20Mi

clusters/cl01tl/helm/code-server/Chart.lock

@@ -4,9 +4,9 @@ dependencies:
   version: 4.6.2
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.5.0
+  version: 2.4.0
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.8.0
-digest: sha256:06e321d19ffe0df94b3cd6bcc306804729710f74ca2f9962652628377836c33e
+digest: sha256:dee0f52096efc543f4db3a5dc2732fd37ae9b7950b264e399a6e74c2f3e7cee6
-generated: "2026-04-11T15:26:16.743784-05:00"
+generated: "2026-03-09T22:04:00.58415637Z"

clusters/cl01tl/helm/code-server/Chart.yaml

@@ -0,0 +1,32 @@
+apiVersion: v2
+name: code-server
+version: 1.0.0
+description: Code Server
+keywords:
+  - code-server
+  - code
+  - ide
+home: https://wiki.alexlebens.dev/s/233f96bb-db70-47e4-8b22-a8efcbb0f93d
+sources:
+  - https://github.com/coder/code-server
+  - https://github.com/cloudflare/cloudflared
+  - https://hub.docker.com/r/linuxserver/code-server
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: code-server
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.6.2
+  - name: cloudflared
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 2.4.0
+  - name: volsync-target
+    alias: volsync-target-config
+    version: 0.8.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
+# renovate: datasource=github-releases depName=linuxserver/docker-code-server
+appVersion: 4.108.1

clusters/cl01tl/helm/code-server/templates/external-secret.yaml

@@ -0,0 +1,28 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: codeserver-password-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: codeserver-password-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/code-server/auth
+        metadataPolicy: None
+        property: PASSWORD
+    - secretKey: SUDO_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/code-server/auth
+        metadataPolicy: None
+        property: SUDO_PASSWORD

clusters/cl01tl/helm/code-server/values.yaml

@@ -1,36 +1,40 @@
-houndarr:
+code-server:
   controllers:
     main:
       type: deployment
       replicas: 1
       strategy: Recreate
+      revisionHistoryLimit: 3
       containers:
         main:
           image:
-            repository: ghcr.io/av1155/houndarr
+            repository: ghcr.io/linuxserver/code-server
-            tag: v1.9.0@sha256:2a9c9e0de43412f683f00cce6f5d0f3e059b27e50350434ae4029ade720e85a0
+            tag: 4.111.0@sha256:12c04b41f601604795562ece2ac64cade7cfca632415f4bfb1742477e3226272
+            pullPolicy: IfNotPresent
           env:
             - name: TZ
-              value: America/Chicago
+              value: US/Central
             - name: PUID
               value: 1000
             - name: PGID
               value: 1000
-            - name: HOUNDARR_SECURE_COOKIES
+            - name: DEFAULT_WORKSPACE
-              value: true
+              value: /config
-            - name: HOUNDARR_TRUSTED_PROXIES
+          envFrom:
-              value: 10.96.0.0/12
+            - secretRef:
+                name: codeserver-password-secret
           resources:
             requests:
-              cpu: 1m
+              cpu: 10m
-              memory: 60Mi
+              memory: 128Mi
   service:
     main:
       controller: main
       ports:
         http:
-          port: 80
+          port: 8443
-          targetPort: 8877
+          targetPort: 8443
+          protocol: HTTP
   route:
     main:
       kind: HTTPRoute
@@ -40,28 +44,32 @@ houndarr:
           name: traefik-gateway
           namespace: traefik
       hostnames:
-        - houndarr.alexlebens.net
+        - code-server.alexlebens.net
       rules:
         - backendRefs:
-            - name: houndarr
+            - group: ''
-              port: 80
+              kind: Service
+              name: code-server
+              port: 8443
+              weight: 100
           matches:
             - path:
                 type: PathPrefix
                 value: /
   persistence:
-    data:
+    config:
-      forceRename: houndarr-data
+      forceRename: code-server-config
       storageClass: ceph-block
       accessMode: ReadWriteOnce
-      size: 1Gi
+      size: 2Gi
+      retain: true
       advancedMounts:
         main:
           main:
-            - path: /data
+            - path: /config
               readOnly: false
-volsync-target-data:
+volsync-target-config:
-  pvcTarget: houndarr-data
+  pvcTarget: code-server-config
   moverSecurityContext:
     runAsUser: 1000
     runAsGroup: 1000
@@ -69,10 +77,10 @@ volsync-target-data:
     fsGroupChangePolicy: OnRootMismatch
   local:
     enabled: true
-    schedule: 40 11 * * *
+    schedule: 16 8 * * *
   remote:
     enabled: true
-    schedule: 40 12 * * *
+    schedule: 16 9 * * *
   external:
     enabled: true
-    schedule: 40 14 * * *
+    schedule: 16 10 * * *

clusters/cl01tl/helm/coredns/Chart.yaml

@@ -5,7 +5,9 @@ description: CoreDNS
 keywords:
   - coredns
   - dns
-home: https://docs.alexlebens.dev/applications/coredns/
+  - network
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/
 sources:
   - https://github.com/coredns/coredns
   - https://github.com/coredns/helm
@@ -15,6 +17,6 @@ dependencies:
   - name: coredns
     version: 1.45.2
     repository: https://coredns.github.io/helm
-icon: https://raw.githubusercontent.com/coredns/coredns.io/refs/heads/master/static/images/favicon.png
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/coredns.png
 # renovate: datasource=github-releases depName=coredns/coredns
 appVersion: v1.14.2

clusters/cl01tl/helm/coredns/values.yaml

@@ -1,18 +1,23 @@
 coredns:
   image:
     repository: registry.k8s.io/coredns/coredns
-    tag: v1.14.2@sha256:e7e6440cfd1e919280958f5b5a6ab2b184d385bba774c12ad2a9e1e4183f90d9
+    tag: v1.14.2
   replicaCount: 3
   resources:
-    limits:
-      cpu: null
-      memory: null
     requests:
-      cpu: 30m
+      cpu: 50m
-      memory: 30Mi
+      memory: 128Mi
+  rollingUpdate:
+    maxUnavailable: 1
+    maxSurge: 25%
+  terminationGracePeriodSeconds: 30
+  serviceType: "ClusterIP"
   prometheus:
     service:
       enabled: true
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9153"
     monitor:
       enabled: true
       namespace: kube-system
@@ -24,7 +29,18 @@ coredns:
   serviceAccount:
     create: true
     name: coredns
+  rbac:
+    create: true
+  isClusterService: true
   priorityClassName: system-cluster-critical
+  securityContext:
+    capabilities:
+      add:
+        - NET_BIND_SERVICE
+      drop:
+        - ALL
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
   servers:
     - zones:
         - zone: .
@@ -61,8 +77,6 @@ coredns:
         - name: errors
         - name: cache
           parameters: 30
-        - name: prometheus
-          parameters: :9153
         - name: forward
           parameters: . 10.111.232.172
     - zones:
@@ -74,8 +88,6 @@ coredns:
         - name: errors
         - name: cache
           parameters: 30
-        - name: prometheus
-          parameters: :9153
         - name: forward
           parameters: . 10.97.20.219
   nodeSelector:
@@ -88,4 +100,6 @@ coredns:
       operator: Exists
       effect: NoSchedule
   deployment:
+    skipConfig: false
+    enabled: true
     name: coredns

clusters/cl01tl/helm/dawarich/Chart.lock

@@ -4,18 +4,9 @@ dependencies:
   version: 4.6.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.11.2
+  version: 7.10.0
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
+  version: 0.4.0
-- name: volsync-target
+digest: sha256:7584c2a1613454bbd83b66df46170fd0157df5186842844d483e2dd131398574
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2026-03-15T20:04:49.68456485Z"
-  version: 0.8.0
-- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
-- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
-digest: sha256:6ece439d5549b7d7ccd75053846bb9b2e8f9798a2e2163eac6f62bf5cf222587
-generated: "2026-04-13T20:32:54.380897459Z"

clusters/cl01tl/helm/dawarich/Chart.yaml

@@ -5,14 +5,10 @@ description: Dawarich
 keywords:
   - dawarich
   - location
-home: https://docs.alexlebens.dev/applications/dawarich/
+home: https://wiki.alexlebens.dev/s/
 sources:
   - https://github.com/Freika/dawarich
-  - https://hub.docker.com/r/freikin/dawarich
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:
@@ -22,24 +18,12 @@ dependencies:
     version: 4.6.2
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 7.11.2
+    version: 7.10.0
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: valkey
     alias: valkey
-    version: 0.6.1
+    version: 0.4.0
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: volsync-target
-    alias: volsync-target-storage
-    version: 0.8.0
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: volsync-target
-    alias: volsync-target-public
-    version: 0.8.0
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: volsync-target
-    alias: volsync-target-watched
-    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
 # renovate: datasource=github-releases depName=Freika/dawarich
-appVersion: 1.6.1
+appVersion: 1.3.4

clusters/cl01tl/helm/dawarich/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/dawarich/templates/external-secret.yaml

@@ -1,40 +1,51 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-key
+  name: dawarich-key-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: dawarich-key
+    app.kubernetes.io/name: dawarich-key-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: key
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /cl01tl/dawarich/key
+        metadataPolicy: None
         property: key
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-oidc-authentik
+  name: dawarich-oidc-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: dawarich-oidc-authentik
+    app.kubernetes.io/name: dawarich-oidc-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: client
       remoteRef:
-        key: /cl01tl/authentik/oidc/dawarich
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/dawarich
+        metadataPolicy: None
         property: client
     - secretKey: secret
       remoteRef:
-        key: /cl01tl/authentik/oidc/dawarich
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/dawarich
+        metadataPolicy: None
         property: secret

clusters/cl01tl/helm/dawarich/values.yaml

@@ -4,20 +4,15 @@ dawarich:
       type: deployment
       replicas: 1
       strategy: Recreate
+      revisionHistoryLimit: 3
       containers:
         main:
           image:
             repository: freikin/dawarich
-            tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
+            tag: 1.3.4
-          command:
+            pullPolicy: IfNotPresent
-            - "web-entrypoint.sh"
+          command: ["web-entrypoint.sh"]
-          args:
+          args: ["bin/rails", "server", "-p", "3000", "-b", "::"]
-            - "bin/rails"
-            - "server"
-            - "-p"
-            - "3000"
-            - "-b"
-            - "::"
           env:
             - name: RAILS_ENV
               value: production
@@ -61,12 +56,12 @@ dawarich:
             - name: OIDC_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                   key: client
             - name: OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                   key: secret
             - name: OIDC_PROVIDER_NAME
               value: Authentik
@@ -81,7 +76,7 @@ dawarich:
             - name: SECRET_KEY_BASE
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-key
+                  name: dawarich-key-secret
                   key: key
             - name: RAILS_LOG_TO_STDOUT
               value: true
@@ -91,14 +86,14 @@ dawarich:
               value: true
           probes:
             liveness:
-              enabled: true
+              enabled: false
               custom: true
               spec:
                 exec:
                   command:
                     - /bin/sh
                     - -c
-                    - "wget -qO - http://127.0.0.1:3000/api/v1/health | grep -q '\"status\"\\s*:\\s*\"ok\"'"
+                    - wget -qO - http://127.0.0.1:3000/api/v1/health | grep -Eq '\"status\"\\s*:\\s*\"ok\"'
                 failureThreshold: 5
                 initialDelaySeconds: 60
                 periodSeconds: 10
@@ -106,16 +101,15 @@ dawarich:
                 timeoutSeconds: 10
           resources:
             requests:
-              cpu: 20m
+              cpu: 10m
-              memory: 750Mi
+              memory: 128Mi
         sidekiq:
           image:
             repository: freikin/dawarich
-            tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
+            tag: 1.3.4
-          command:
+            pullPolicy: IfNotPresent
-            - "sidekiq-entrypoint.sh"
+          command: ["sidekiq-entrypoint.sh"]
-          args:
+          args: ["sidekiq"]
-            - "sidekiq"
           env:
             - name: RAILS_ENV
               value: production
@@ -191,19 +185,23 @@ dawarich:
               value: true
           probes:
             liveness:
-              enabled: true
+              enabled: false
               custom: true
               spec:
                 exec:
                   command:
-                    - pgrep
+                    - /bin/sh
-                    - -f
+                    - -c
-                    - sidekiq
+                    - pgrep -f sidekiq
                 failureThreshold: 5
                 initialDelaySeconds: 60
                 periodSeconds: 10
                 successThreshold: 1
                 timeoutSeconds: 10
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
   service:
     main:
       controller: main
@@ -211,9 +209,11 @@ dawarich:
         http:
           port: 80
           targetPort: 3000
+          protocol: TCP
         metrics:
           port: 9394
           targetPort: 9394
+          protocol: TCP
   serviceMonitor:
     main:
       selector:
@@ -238,8 +238,11 @@ dawarich:
         - dawarich.alexlebens.net
       rules:
         - backendRefs:
-            - name: dawarich
+            - group: ""
+              kind: Service
+              name: dawarich
               port: 80
+              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -250,6 +253,7 @@ dawarich:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
+      retain: true
       advancedMounts:
         main:
           main:
@@ -263,6 +267,7 @@ dawarich:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 5Gi
+      retain: true
       advancedMounts:
         main:
           main:
@@ -276,6 +281,7 @@ dawarich:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 1Gi
+      retain: true
       advancedMounts:
         main:
           main:
@@ -307,42 +313,32 @@ postgres-18-cluster:
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true
+      # - name: garage-remote
+      #   index: 1
+      #   destinationBucket: postgres-backups
+      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
+      #   retentionPolicy: "90d"
+      #   data:
+      #     compression: bzip2
+      # - name: external
+      #   index: 1
+      #   endpointURL: https://nyc3.digitaloceanspaces.com
+      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
+      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
+      #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 10 14 * * *"
         backupName: garage-local
-volsync-target-storage:
+      # - name: weekly-backup
-  pvcTarget: dawarich-storage
+      #   suspend: true
-  local:
+      #   immediate: true
-    enabled: true
+      #   schedule: "0 0 4 * * SAT"
-    schedule: 6 8 * * *
+      #   backupName: garage-remote
-  remote:
+      # - name: daily-backup
-    enabled: true
+      #   suspend: true
-    schedule: 6 9 * * *
+      #   immediate: true
-  external:
+      #   schedule: "0 0 0 * * *"
-    enabled: true
+      #   backupName: external
-    schedule: 6 10 * * *
-volsync-target-public:
-  pvcTarget: dawarich-public
-  local:
-    enabled: true
-    schedule: 8 8 * * *
-  remote:
-    enabled: true
-    schedule: 8 9 * * *
-  external:
-    enabled: true
-    schedule: 8 10 * * *
-volsync-target-watched:
-  pvcTarget: dawarich-watched
-  local:
-    enabled: true
-    schedule: 8 8 * * *
-  remote:
-    enabled: true
-    schedule: 8 9 * * *
-  external:
-    enabled: true
-    schedule: 8 10 * * *

clusters/cl01tl/helm/decluttarr/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.6.2
+digest: sha256:548ae1f8699100a2f6bac11a4a3137402b3eea340c7a3db4d9f1813ad6a11dca
+generated: "2026-02-23T22:08:42.516245-06:00"

clusters/cl01tl/helm/decluttarr/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: decluttarr
+version: 1.0.0
+description: decluttarr
+keywords:
+  - decluttarr
+  - servarr
+home: https://wiki.alexlebens.dev/s/
+sources:
+  - https://github.com/ManiMatter/decluttarr
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: decluttarr
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.6.2
+# renovate: datasource=github-releases depName=ManiMatter/decluttarr
+appVersion: v2.0.0

clusters/cl01tl/helm/decluttarr/templates/external-secret.yaml

@@ -1,10 +1,10 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: ntfy-config-secret
+  name: decluttarr-config-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: ntfy-config-secret
+    app.kubernetes.io/name: decluttarr-config-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -12,7 +12,10 @@ spec:
     kind: ClusterSecretStore
     name: vault
   data:
-    - secretKey: attachment-cache-dir
+    - secretKey: config.yaml
       remoteRef:
-        key: /garage/home-infra/ntfy-attachments
+        conversionStrategy: Default
-        property: attachment-cache-dir
+        decodingStrategy: None
+        key: /cl01tl/decluttarr/config
+        metadataPolicy: None
+        property: config.yaml

clusters/cl01tl/helm/decluttarr/values.yaml

@@ -0,0 +1,32 @@
+decluttarr:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/manimatter/decluttarr
+            tag: v2.0.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: America/Chicago
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  persistence:
+    config:
+      enabled: true
+      type: secret
+      name: decluttarr-config-secret
+      advancedMounts:
+        main:
+          main:
+            - path: /app/config/config.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: config.yaml

clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.yaml

@@ -5,7 +5,8 @@ description: Democratic CSI
 keywords:
   - democratic-csi-synology-iscsi
   - iscsi
-home: https://docs.alexlebens.dev/applications/democratic-csi-synology-iscsi/
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/0cc6ba65-024b-4489-952a-fc0f647fd099
 sources:
   - https://github.com/democratic-csi/democratic-csi
   - https://github.com/democratic-csi/charts/tree/master/stable/democratic-csi

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml

@@ -14,5 +14,8 @@ spec:
   data:
     - secretKey: driver-config-file.yaml
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /cl01tl/democratic-csi-synology-iscsi/config
+        metadataPolicy: None
         property: driver-config-file.yaml

clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml

@@ -1,35 +1,15 @@
 democratic-csi:
   driver:
-    image:
-      registry: ghcr.io/democratic-csi/democratic-csi
-      tag: v1.9.5@@sha256:fc3b7d7ed3a616714139525075312758e23a5d425ffb539ad12c9bd20fb6001f
     existingConfigSecret: synology-iscsi-config-secret
     config:
       driver: synology-iscsi
-    resources:
-      requests:
-        cpu: 1m
-        memory: 128Mi
   csiDriver:
     name: "org.democratic-csi.iscsi-synology"
   controller:
-    replicaCount: 3
+    enabled: true
-    externalAttacher:
+    rbac:
-      image:
+      enabled: true
-        registry: registry.k8s.io/sig-storage/csi-attacher
+    replicaCount: 2
-        tag: v4.11.0@sha256:b74b05b39501565022883fc128002b4cb857a7bb6c858606bcb3fdedba0b0b80
-    externalProvisioner:
-      image:
-        registry: registry.k8s.io/sig-storage/csi-provisioner
-        tag: v3.6.4@sha256:e7ad666f1d9b0caa077c7f0c157c9f87d1e73858390732496f66dcc716ff10c5
-    externalResizer:
-      image:
-        registry: registry.k8s.io/sig-storage/csi-resizer
-        tag: v1.9.4@sha256:522911ef68bd2c5c17d90fb2a6d2b2fb72ae790f2c1463a466b4262a07fdbf5a
-    externalSnapshotter:
-      image:
-        registry: registry.k8s.io/sig-storage/csi-snapshotter
-        tag: v8.5.0@sha256:da081c27e8a6d91f36042c1942362d0515ced8d06e18c11b8f893e58c4d6d797
   storageClasses:
     - name: synology-iscsi-delete
       defaultClass: false
@@ -55,7 +35,3 @@ democratic-csi:
           value: /usr/local/sbin/iscsiadm
       iscsiDirHostPath: /var/iscsi
       iscsiDirHostPathType: ""
-  driverRegistrar:
-    image:
-      registry: registry.k8s.io/sig-storage/csi-node-driver-registrar
-      tag: v2.16.0@sha256:ab482308a4921e28a6df09a16ab99a457e9af9641ff44fb1be1a690d07ce8b70

clusters/cl01tl/helm/descheduler/Chart.yaml

@@ -5,10 +5,10 @@ description: Descheduler
 keywords:
   - descheduler
   - kube-scheduler
-home: https://docs.alexlebens.dev/applications/descheduler/
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/0c38b7e4-4573-487c-82b0-4eeeb00e1276
 sources:
   - https://github.com/kubernetes-sigs/descheduler
-  - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fdescheduler%2Fdescheduler
   - https://github.com/kubernetes-sigs/descheduler/tree/master/charts/descheduler
 maintainers:
   - name: alexlebens

clusters/cl01tl/helm/descheduler/values.yaml

@@ -1,25 +1,27 @@
 descheduler:
-  image:
-    repository: registry.k8s.io/descheduler/descheduler
-    tag: v0.35.1@sha256:871d3b804390b0b8c7cb09d4e9b7856cf30e31f9e9e3d29562b0301a10453bb1
   kind: Deployment
   resources:
-    limits:
-      cpu: null
-      memory: null
     requests:
       cpu: 10m
-      memory: 50Mi
+      memory: 64Mi
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    privileged: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 1000
   deschedulingInterval: 5m
-  replicas: 3
+  replicas: 1
   leaderElection:
-    enabled: true
+    enabled: false
-    leaseDuration: 15s
+  command:
-    renewDeadline: 10s
+  - "/bin/descheduler"
-    retryPeriod: 2s
+  cmdOptions:
-    resourceLock: "leases"
+    v: 3
-    resourceName: "descheduler"
+  deschedulerPolicyAPIVersion: "descheduler/v1alpha2"
-    resourceNamespace: "descheduler"
   deschedulerPolicy:
     profiles:
       - name: default
@@ -51,13 +53,13 @@ descheduler:
           - name: LowNodeUtilization
             args:
               thresholds:
-                cpu: 20
+                cpu: 30
-                memory: 20
+                memory: 30
-                pods: 20
+                pods: 50
               targetThresholds:
-                cpu: 50
+                cpu: 60
-                memory: 50
+                memory: 40
-                pods: 60
+                pods: 80
         plugins:
           balance:
             enabled:

clusters/cl01tl/helm/directus/Chart.lock

@@ -4,9 +4,9 @@ dependencies:
   version: 4.6.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.11.2
+  version: 7.10.0
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
+  version: 0.4.0
-digest: sha256:78f5065d1125792c88e4d24f5ac1ee3d6310b4997f552020c44d0615335ea329
+digest: sha256:dfcb5d35e03ecdc4206227d206d36509319f0dcdaed54363840d71337debb3f7
-generated: "2026-04-13T20:33:13.909018545Z"
+generated: "2026-03-15T20:05:03.156596646Z"

clusters/cl01tl/helm/directus/Chart.yaml

@@ -4,14 +4,16 @@ version: 1.0.0
 description: Directus
 keywords:
   - directus
-  - content-management-system
+  - cms
-home: https://docs.alexlebens.dev/applications/descheduler/
+home: https://wiki.alexlebens.dev/s/c2d242de-dcaa-4801-86a2-c4761dc8bf9b
 sources:
   - https://github.com/directus/directus
-  - https://github.com/directus/directus/pkgs/container/directus
+  - https://github.com/cloudflare/cloudflared
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://hub.docker.com/r/directus/directus
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
 maintainers:
   - name: alexlebens
 dependencies:
@@ -21,12 +23,12 @@ dependencies:
     version: 4.6.2
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 7.11.2
+    version: 7.10.0
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: valkey
     alias: valkey
-    version: 0.6.1
+    version: 0.4.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 # renovate: datasource=github-releases depName=directus/directus
-appVersion: 11.17.3
+appVersion: 11.16.1

clusters/cl01tl/helm/directus/templates/external-secret.yaml

@@ -14,19 +14,31 @@ spec:
   data:
     - secretKey: admin-email
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /cl01tl/directus/config
+        metadataPolicy: None
         property: admin-email
     - secretKey: admin-password
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /cl01tl/directus/config
+        metadataPolicy: None
         property: admin-password
     - secretKey: secret
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /cl01tl/directus/config
+        metadataPolicy: None
         property: secret
     - secretKey: key
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /cl01tl/directus/config
+        metadataPolicy: None
         property: key
 
 ---
@@ -46,11 +58,17 @@ spec:
   data:
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /authentik/oidc/directus
+        metadataPolicy: None
         property: client
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /authentik/oidc/directus
+        metadataPolicy: None
         property: secret
 
 ---
@@ -70,7 +88,10 @@ spec:
   data:
     - secretKey: metric-token
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /cl01tl/directus/metrics
+        metadataPolicy: None
         property: metric-token
 
 ---
@@ -90,15 +111,24 @@ spec:
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /garage/home-infra/directus-assets
+        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /garage/home-infra/directus-assets
+        metadataPolicy: None
         property: ACCESS_SECRET_KEY
     - secretKey: ACCESS_REGION
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /garage/home-infra/directus-assets
+        metadataPolicy: None
         property: ACCESS_REGION
 
 ---
@@ -118,13 +148,22 @@ spec:
   data:
     - secretKey: default
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /cl01tl/directus/valkey
+        metadataPolicy: None
         property: password
     - secretKey: user
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /cl01tl/directus/valkey
+        metadataPolicy: None
         property: user
     - secretKey: password
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /cl01tl/directus/valkey
+        metadataPolicy: None
         property: password

clusters/cl01tl/helm/directus/values.yaml

@@ -4,11 +4,13 @@ directus:
       type: deployment
       replicas: 1
       strategy: Recreate
+      revisionHistoryLimit: 3
       containers:
         main:
           image:
-            repository: ghcr.io/directus/directus
+            repository: directus/directus
-            tag: 11.17.3@sha256:ae6ab737fd04077d295bbefa545cc4aefccc206e3d0120c83812f9b482a8c9a5
+            tag: 11.16.1
+            pullPolicy: IfNotPresent
           env:
             - name: PUBLIC_URL
               value: https://directus.alexlebens.net
@@ -142,7 +144,7 @@ directus:
           resources:
             requests:
               cpu: 10m
-              memory: 300Mi
+              memory: 256Mi
   service:
     main:
       controller: main
@@ -150,6 +152,7 @@ directus:
         http:
           port: 80
           targetPort: 8055
+          protocol: TCP
   serviceMonitor:
     main:
       selector:
@@ -177,8 +180,11 @@ directus:
         - directus.alexlebens.net
       rules:
         - backendRefs:
-            - name: directus
+            - group: ''
+              kind: Service
+              name: directus
               port: 80
+              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -196,12 +202,35 @@ postgres-18-cluster:
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true
+      # - name: garage-remote
+      #   index: 1
+      #   destinationBucket: postgres-backups
+      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
+      #   retentionPolicy: "90d"
+      #   data:
+      #     compression: bzip2
+      # - name: external
+      #   index: 1
+      #   endpointURL: https://nyc3.digitaloceanspaces.com
+      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
+      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
+      #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 15 14 * * *"
         backupName: garage-local
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
+      #   schedule: "0 0 4 * * SAT"
+      #   backupName: garage-remote
+      # - name: daily-backup
+      #   suspend: true
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
 valkey:
   valkey:
     auth:
@@ -210,7 +239,5 @@ valkey:
       aclUsers:
         default:
           permissions: "~* &* +@all"
-    # No option to configure metrics when auth is enabled
-    # https://github.com/valkey-io/valkey-helm/issues/135
     metrics:
       enabled: false

clusters/cl01tl/helm/elastic-operator/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: eck-operator
   repository: https://helm.elastic.co
-  version: 3.3.2
+  version: 3.3.1
-digest: sha256:ac7a849a6d8244ef56c11f18438c4c76133f92d245228c5a1c8369d42562c177
+digest: sha256:8585f3ea3e4cafc4ff2969ea7e797017b7cfe4becb3385f0b080725908c02f09
-generated: "2026-04-01T21:30:02.975920565Z"
+generated: "2026-02-25T18:48:55.77034549Z"

clusters/cl01tl/helm/elastic-operator/Chart.yaml

@@ -6,7 +6,8 @@ keywords:
   - elastic-operator
   - operator
   - elastic-search
-home: https://docs.alexlebens.dev/applications/elastic-operator/
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/
 sources:
   - https://github.com/elastic/cloud-on-k8s
   - https://github.com/elastic/cloud-on-k8s/tree/main/deploy/eck-operator
@@ -14,8 +15,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: eck-operator
-    version: 3.3.2
+    version: 3.3.1
     repository: https://helm.elastic.co
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/elastic.png
+icon: https://helm.elastic.co/icons/eck.png
 # renovate: datasource=github-releases depName=elastic/cloud-on-k8s
-appVersion: v3.3.2
+appVersion: v3.3.1

clusters/cl01tl/helm/elastic-operator/values.yaml

@@ -1,16 +1,9 @@
 eck-operator:
   managedNamespaces:
-    - stalwart
     - tubearchivist
+    - stalwart
   installCRDs: true
   replicaCount: 2
-  resources:
-    limits:
-      cpu: null
-      memory: null
-    requests:
-      cpu: 2m
-      memory: 50Mi
   telemetry:
     disabled: true
   config:

clusters/cl01tl/helm/element-web/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: element-web
   repository: https://ananace.gitlab.io/charts
-  version: 1.4.34
+  version: 1.4.32
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.5.0
+  version: 2.4.0
-digest: sha256:8640b8a250bdcd9e7561e3d28538ccf4644a7159a035ee0a5fdbcf71dc5b2bbe
+digest: sha256:49d9dd45eff7cbbc11644e4a8bd3c9d3bf84716ed034a76f097f0ba1fea4c934
-generated: "2026-04-10T01:17:19.932208699Z"
+generated: "2026-03-11T16:04:17.556777286Z"

clusters/cl01tl/helm/element-web/Chart.yaml

@@ -4,22 +4,24 @@ version: 1.0.0
 description: Element Web
 keywords:
   - element-web
-  - matrix-chat
+  - chat
-home: https://docs.alexlebens.dev/applications/element-web/
+  - matrix
+home: https://wiki.alexlebens.dev/s/e3b03481-1a1d-4b56-8cd9-e75a8dcc0f6c
 sources:
   - https://github.com/element-hq/element-web
-  - https://github.com/element-hq/element-web/pkgs/container/element-web
+  - https://github.com/cloudflare/cloudflared
+  - https://hub.docker.com/r/vectorim/element-web
   - https://gitlab.com/ananace/charts/-/tree/master/charts/element-web
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
 maintainers:
   - name: alexlebens
 dependencies:
   - name: element-web
-    version: 1.4.34
+    version: 1.4.32
     repository: https://ananace.gitlab.io/charts
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.5.0
+    version: 2.4.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
 # renovate: datasource=github-releases depName=element-hq/element-web
-appVersion: v1.12.15
+appVersion: v1.12.12

clusters/cl01tl/helm/element-web/values.yaml

@@ -1,8 +1,9 @@
 element-web:
   replicaCount: 1
   image:
-    repository: ghcr.io/element-hq/element-web
+    repository: vectorim/element-web
-    tag: v1.12.15@sha256:c7fa40b5ba3891f8af3ce63da0818f457c1802a9ee4d2f5e46a9df36a2388eed
+    tag: v1.12.12
+    pullPolicy: IfNotPresent
   defaultServer:
     url: https://matrix.alexlebens.dev
     name: alexlebens.dev
@@ -17,7 +18,9 @@ element-web:
       immediate: true
     default_theme: dark
     default_country_code: US
+  ingress:
+    enabled: false
   resources:
     requests:
-      cpu: 1m
+      cpu: 10m
-      memory: 10Mi
+      memory: 128Mi