chore(deps): update postgres-cluster docker tag to v7.11.2

.gitea/workflows/render-manifests.yaml

@@ -283,7 +283,7 @@ jobs:
 
               echo ">> Formating rendered template ..."
               local TEMPLATE
-              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1,monitoring.coreos.com/v1")
+              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
 
               # Format and split rendered template
               echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
@@ -314,7 +314,7 @@ jobs:
           for DIR in ${RENDER_DIR}; do
             echo "${DIR}"
 
-          done | xargs -P 5 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
+          done | xargs -P 4 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
 
           echo ""
           echo "----"

.gitea/workflows/renovate.yaml

@@ -13,7 +13,7 @@ on:
 jobs:
   renovate:
     runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.110.4@sha256:7ad99abc53b30d3f6e34df88b3e2b2b75436bba9b290e90d367356526034496f
+    container: ghcr.io/renovatebot/renovate:43.109.1@sha256:3dc6493fd5846ee486ca26531db8b8dd2c028bc8e4c5b3464514f5f6b3e065d8
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

clusters/cl01tl/helm/argocd/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 9.5.0
+  version: 9.4.17
-digest: sha256:69daada0822f796cd49eeda2d9e39dd5c0c42bb61b6898af68123c8c49f25fa1
+digest: sha256:17752dbf03861cf70ee31c9a17373a5175656a2edd00ba5fcd3988a195147da8
-generated: "2026-04-08T22:05:49.003208408Z"
+generated: "2026-03-28T01:51:34.832601868Z"

clusters/cl01tl/helm/argocd/Chart.yaml

@@ -13,7 +13,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-cd
-    version: 9.5.0
+    version: 9.4.17
     repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-cd

clusters/cl01tl/helm/argocd/values.yaml

@@ -48,31 +48,31 @@ argo-cd:
         enabled: true
       rules:
         enabled: true
-        spec:
+      spec:
-          - alert: ArgoAppMissing
+        - alert: ArgoAppMissing
-            expr: |
+          expr: |
-              absent(argocd_app_info) == 1
+            absent(argocd_app_info) == 1
-            for: 15m
+          for: 15m
-            labels:
+          labels:
-              severity: critical
+            severity: critical
-            annotations:
+          annotations:
-              summary: "[Argo CD] No reported applications"
+            summary: "[Argo CD] No reported applications"
-              description: >
+            description: >
-                Argo CD has not reported any applications data for the past 15 minutes which
+              Argo CD has not reported any applications data for the past 15 minutes which
-                means that it must be down or not functioning properly.  This needs to be
+              means that it must be down or not functioning properly.  This needs to be
-                resolved for this cloud to continue to maintain state.
+              resolved for this cloud to continue to maintain state.
-          - alert: ArgoAppNotSynced
+        - alert: ArgoAppNotSynced
-            expr: |
+          expr: |
-              argocd_app_info{sync_status!="Synced"} == 1
+            argocd_app_info{sync_status!="Synced"} == 1
-            for: 12h
+          for: 12h
-            labels:
+          labels:
-              severity: warning
+            severity: warning
-            annotations:
+          annotations:
-              summary: "[{{`{{$labels.name}}`}}] Application not synchronized"
+            summary: "[{{`{{$labels.name}}`}}] Application not synchronized"
-              description: >
+            description: >
-                The application [{{`{{$labels.name}}`}} has not been synchronized for over
+              The application [{{`{{$labels.name}}`}} has not been synchronized for over
-                12 hours which means that the state of this cloud has drifted away from the
+              12 hours which means that the state of this cloud has drifted away from the
-                state inside Git.
+              state inside Git.
   dex:
     enabled: true
     resources:

clusters/cl01tl/helm/authentik/Chart.lock

@@ -1,7 +1,7 @@
 dependencies:
 - name: authentik
   repository: https://charts.goauthentik.io/
-  version: 2026.2.2
+  version: 2026.2.1
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 2.4.0
@@ -11,5 +11,5 @@ dependencies:
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.5.0
-digest: sha256:86950b83ac8a4da2a89bb826616857fd5eca017c813d8def0eb905025a6e7687
+digest: sha256:7302a85008aee7950aa345aa7d64563c1b0da8f07e348ec9709f9438503a41ff
-generated: "2026-04-08T02:23:25.175388081Z"
+generated: "2026-04-04T21:00:59.689114-05:00"

clusters/cl01tl/helm/authentik/Chart.yaml

@@ -18,7 +18,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: authentik
-    version: 2026.2.2
+    version: 2026.2.1
     repository: https://charts.goauthentik.io/
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts

clusters/cl01tl/helm/blocky/values.yaml

@@ -109,6 +109,7 @@ blocky:
               bazarr                          IN      CNAME   traefik-cl01tl
               ceph                            IN      CNAME   traefik-cl01tl
               dawarich                        IN      CNAME   traefik-cl01tl
+              dependency-track                IN      CNAME   traefik-cl01tl
               directus                        IN      CNAME   traefik-cl01tl
               excalidraw                      IN      CNAME   traefik-cl01tl
               feishin                         IN      CNAME   traefik-cl01tl
@@ -131,7 +132,6 @@ blocky:
               jellystat                       IN      CNAME   traefik-cl01tl
               kiwix                           IN      CNAME   traefik-cl01tl
               komodo                          IN      CNAME   traefik-cl01tl
-              kyoo                            IN      CNAME   traefik-cl01tl
               languagetool                    IN      CNAME   traefik-cl01tl
               lidarr                          IN      CNAME   traefik-cl01tl
               mail                            IN      CNAME   traefik-cl01tl

clusters/cl01tl/helm/dependency-track/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: dependency-track
+  repository: https://dependencytrack.github.io/helm-charts
+  version: 0.44.0
+- name: postgres-cluster
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 7.11.2
+digest: sha256:6ea7e8066cce675a02ce76393ee2b0e23300d2f5c72ae64946ae667fc12fde1f
+generated: "2026-04-05T17:32:11.221935-05:00"

clusters/cl01tl/helm/dependency-track/Chart.yaml

@@ -0,0 +1,27 @@
+apiVersion: v2
+name: dependency-track
+version: 1.0.0
+description: Dependency Track
+keywords:
+  - dependency-track
+  - vulnerability-scanner
+home: https://docs.alexlebens.dev/applications/dependency-track/
+sources:
+  - https://github.com/DependencyTrack/dependency-track
+  - https://hub.docker.com/r/dependencytrack/apiserver
+  - https://hub.docker.com/r/dependencytrack/frontend
+  - https://github.com/DependencyTrack/helm-charts/tree/main/charts/dependency-track
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: dependency-track
+    version: 0.44.0
+    repository: https://dependencytrack.github.io/helm-charts
+  - name: postgres-cluster
+    alias: postgres-18-cluster
+    version: 7.11.2
+    repository: oci://harbor.alexlebens.net/helm-charts
+icon: https://avatars.githubusercontent.com/u/40258585
+# renovate: datasource=github-releases depName=DependencyTrack/dependency-track
+appVersion: 4.14.1

clusters/cl01tl/helm/dependency-track/templates/external-secret.yaml

@@ -1,10 +1,10 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: kyoo-key-secret
+  name: dependency-track-key-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: kyoo-key-secret
+    app.kubernetes.io/name: dependency-track-key-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -12,31 +12,19 @@ spec:
     kind: ClusterSecretStore
     name: vault
   data:
-    - secretKey: rsa-private
+    - secretKey: secret.key
       remoteRef:
-        key: /cl01tl/kyoo/key
+        key: /cl01tl/dependency-track/key
-        property: rsa-private
+        property: key
-    - secretKey: scanner-apikey
-      remoteRef:
-        key: /cl01tl/kyoo/key
-        property: scanner
-    - secretKey: tmdb-apikey
-      remoteRef:
-        key: /tmdb/alexlebens
-        property: api-key
-    - secretKey: tvdb-apikey
-      remoteRef:
-        key: /tvdb/alexlebens
-        property: api-key
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: kyoo-oidc-secret
+  name: dependency-track-oidc-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: kyoo-oidc-secret
+    app.kubernetes.io/name: dependency-track-oidc-secret
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -46,9 +34,9 @@ spec:
   data:
     - secretKey: client
       remoteRef:
-        key: /authentik/oidc/kyoo
+        key: /authentik/oidc/dependency-track
         property: client
     - secretKey: secret
       remoteRef:
-        key: /authentik/oidc/kyoo
+        key: /authentik/oidc/dependency-track
         property: secret

clusters/cl01tl/helm/dependency-track/values.yaml

@@ -0,0 +1,114 @@
+dependency-track:
+  common:
+    secretKey:
+      createSecret: false
+      existingSecretName: dependency-track-key-secret
+  apiServer:
+    image:
+      repository: dependencytrack/apiserver
+      tag: 4.14.1@sha256:2d8813e1ba4ada4aa23087d908c1b5a3ffce39261ead5555c397a1d67c7cbe9d
+    resources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+      limits:
+        memory: null
+    persistentVolume:
+      enabled: true
+      className: ceph-block
+      size: 5Gi
+    extraEnv:
+      - name: ALPINE_DATABASE_MODE
+        value: external
+      - name: ALPINE_DATABASE_DRIVER
+        value: org.postgresql.Driver
+      - name: ALPINE_DATABASE_URL
+        valueFrom:
+          secretKeyRef:
+            name: dependency-track-postgresql-18-cluster-app
+            key: jdbc-uri
+      - name: ALPINE_DATABASE_USERNAME
+        valueFrom:
+          secretKeyRef:
+            name: dependency-track-postgresql-18-cluster-app
+            key: user
+      - name: ALPINE_DATABASE_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: dependency-track-postgresql-18-cluster-app
+            key: password
+      - name: ALPINE_OIDC_ENABLED
+        value: "true"
+      - name: ALPINE_OIDC_CLIENT_ID
+        valueFrom:
+          secretKeyRef:
+            name: dependency-track-oidc-secret
+            key: client
+      - name: ALPINE_OIDC_ISSUER
+        value: https://authentik.alexlebens.net/application/o/dependency-track/
+      - name: ALPINE_OIDC_USERNAME_CLAIM
+        value: preferred_username
+      - name: ALPINE_OIDC_TEAMS_CLAIM
+        value: groups
+      - name: ALPINE_OIDC_USER_PROVISIONING
+        value: "true"
+      - name: ALPINE_OIDC_TEAM_SYNCHRONIZATION
+        value: "true"
+      - name: ALPINE_CORS_ENABLED
+        value: "false"
+      - name: ALPINE_CORS_ALLOW_ORIGIN
+        value: dependency-track.alexlebens.net dependency-track.dependency-track
+    serviceMonitor:
+      enabled: true
+      namespace: dependency-track
+  frontend:
+    image:
+      repository: dependencytrack/frontend
+      tag: 4.14.1@sha256:8217737050b26ea69a6ddd6fe2cb419531a0bae0b903a87a04077a2415fc9f35
+    resources:
+      requests:
+        cpu: 10m
+        memory: 60Mi
+      limits:
+        memory: null
+    extraEnv:
+      - name: OIDC_ISSUER
+        value: https://authentik.alexlebens.net/application/o/dependency-track/
+      - name: OIDC_FLOW
+        value: explicit
+      - name: OIDC_CLIENT_ID
+        valueFrom:
+          secretKeyRef:
+            name: dependency-track-oidc-secret
+            key: client
+      - name: OIDC_LOGIN_BUTTON_TEXT
+        value: Authentik
+    apiBaseUrl: dependency-track-api-server.dependency-track
+  httpRoute:
+    enabled: true
+    hostnames:
+      - dependency-track.alexlebens.net
+    parentRefs:
+      - group: gateway.networking.k8s.io
+        kind: Gateway
+        name: traefik-gateway
+        namespace: traefik
+postgres-18-cluster:
+  mode: standalone
+  recovery:
+    method: objectStore
+    objectStore:
+      index: 1
+  backup:
+    objectStore:
+      - name: garage-local
+        index: 1
+        destinationBucket: postgres-backups
+        externalSecretCredentialPath: /garage/home-infra/postgres-backups
+        isWALArchiver: true
+    scheduledBackups:
+      - name: live-backup
+        suspend: false
+        immediate: true
+        schedule: "0 10 14 * * *"
+        backupName: garage-local

clusters/cl01tl/helm/element-web/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: element-web
   repository: https://ananace.gitlab.io/charts
-  version: 1.4.34
+  version: 1.4.33
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 2.4.0
-digest: sha256:376f1201085c5c93972d2286755dd8b530a4a88ad9fdaf4bfb50ec1f11c64df0
+digest: sha256:63b0e582d42fb42bcf4d96ba4b299e42c434c42f284208596808288543192fe0
-generated: "2026-04-08T17:57:31.040649797Z"
+generated: "2026-03-24T16:11:50.424321433Z"

clusters/cl01tl/helm/element-web/Chart.yaml

@@ -15,11 +15,11 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: element-web
-    version: 1.4.34
+    version: 1.4.33
     repository: https://ananace.gitlab.io/charts
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 2.4.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
 # renovate: datasource=github-releases depName=element-hq/element-web
-appVersion: v1.12.15
+appVersion: v1.12.14

clusters/cl01tl/helm/element-web/values.yaml

@@ -2,7 +2,7 @@ element-web:
   replicaCount: 1
   image:
     repository: ghcr.io/element-hq/element-web
-    tag: v1.12.15@sha256:c7fa40b5ba3891f8af3ce63da0818f457c1802a9ee4d2f5e46a9df36a2388eed
+    tag: v1.12.14@sha256:13052614150733892ff06189f0f9baf098bc16092bffc0e0e18ccf2f257abe34
   defaultServer:
     url: https://matrix.alexlebens.dev
     name: alexlebens.dev

clusters/cl01tl/helm/eraser/Chart.lock

@@ -2,8 +2,5 @@ dependencies:
 - name: eraser
   repository: https://eraser-dev.github.io/eraser/charts
   version: 1.4.1
-- name: app-template
+digest: sha256:da828de684b0cd82e99994586f3db4f55c43c01607c4d8d0e70e204c7bbbbf5b
-  repository: https://bjw-s-labs.github.io/helm-charts/
+generated: "2025-12-03T22:53:20.200917773Z"
-  version: 4.6.2
-digest: sha256:8414813d3d9d195b16ef7ebf814f7095a16413f4b0e579fcb37738000624f68c
-generated: "2026-04-08T21:39:05.689756-05:00"

clusters/cl01tl/helm/eraser/Chart.yaml

@@ -9,19 +9,13 @@ home: https://docs.alexlebens.dev/applications/eraser/
 sources:
   - https://github.com/eraser-dev/eraser
   - https://github.com/eraser-dev/eraser/pkgs/container/eraser-manager
-  - https://github.com/open-telemetry/opentelemetry-collector-releases/pkgs/container/opentelemetry-collector-releases%2Fopentelemetry-collector
   - https://github.com/eraser-dev/eraser/tree/main/charts/eraser
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
 maintainers:
   - name: alexlebens
 dependencies:
   - name: eraser
     version: 1.4.1
     repository: https://eraser-dev.github.io/eraser/charts
-  - name: app-template
-    alias: eraser-metrics
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.6.2
 icon: https://raw.githubusercontent.com/eraser-dev/eraser/refs/heads/main/images/eraser-logo-color-1c.png
 # renovate: datasource=github-releases depName=eraser-dev/eraser
 appVersion: v1.4.1

clusters/cl01tl/helm/eraser/values.yaml

@@ -35,88 +35,3 @@ eraser:
       requests:
         cpu: 1m
         memory: 20Mi
-eraser-metrics:
-  global:
-    nameOverride: eraser-metrics
-    fullnameOverride: eraser-metrics
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      containers:
-        main:
-          image:
-            repository: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector
-            tag: 0.149.0@sha256:dd56aed607fd02f8ac01dddb27a859c0c2cc750539abce927803778fafc736ae
-          command:
-            - /otelcol
-            - --config=/conf/otel-collector-config.yaml
-          resources:
-            requests:
-              cpu: 10m
-              memory: 20Mi
-  configMaps:
-    config:
-      enabled: true
-      forceRename: eraser-config
-      data:
-        otel-collector-config.yaml: |
-          receivers:
-            otlp:
-              protocols:
-                http:
-
-          exporters:
-            logging:
-              loglevel: debug
-            prometheus:
-              endpoint: "0.0.0.0:8889"
-              send_timestamps: true
-              metric_expiration: 180m
-
-          service:
-            telemetry:
-              logs:
-                encoding: json
-            pipelines:
-              metrics:
-                receivers:
-                  - otlp
-                exporters:
-                  - logging
-                  - prometheus
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 4318
-          targetPort: 4318
-        metrics:
-          port: 8889
-          targetPort: 8889
-  serviceMonitor:
-    main:
-      selector:
-        matchLabels:
-          app.kubernetes.io/name: eraser-metrics
-          app.kubernetes.io/instance: eraser-metrics
-      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
-      endpoints:
-        - port: metrics
-          interval: 30s
-          scrapeTimeout: 15s
-          path: /metrics
-  persistence:
-    config:
-      enabled: true
-      type: configMap
-      name: eraser-config
-      advancedMounts:
-        main:
-          main:
-            - path: /conf/otel-collector-config.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: otel-collector-config.yaml

clusters/cl01tl/helm/foldergram/values.yaml

@@ -58,7 +58,7 @@ foldergram:
       forceRename: foldergram-data
       storageClass: ceph-block
       accessMode: ReadWriteOnce
-      size: 20Gi
+      size: 10Gi
       advancedMounts:
         main:
           main:

clusters/cl01tl/helm/gatus/values.yaml

@@ -116,9 +116,6 @@ gatus:
       - name: jellyfin
         url: https://jellyfin.alexlebens.net
         <<: *defaults
-      - name: kyoo
-        url: https://kyoo.alexlebens.net
-        <<: *defaults
       - name: tubearchivist
         url: https://tubearchivist.alexlebens.net
         <<: *defaults
@@ -188,6 +185,9 @@ gatus:
       - name: komodo
         url: https://komodo.alexlebens.net
         <<: *defaults
+      - name: dependency-track
+        url: https://dependency-track.alexlebens.net
+        <<: *defaults
       - name: omni-tools
         url: https://omni-tools.alexlebens.net
         <<: *defaults

clusters/cl01tl/helm/home-assistant/values.yaml

@@ -23,7 +23,7 @@ home-assistant:
         code-server:
           image:
             repository: ghcr.io/linuxserver/code-server
-            tag: 4.115.0-ls331@sha256:308f49acac8734542560f797d79b15e4c872c4d3f97d1b22862633fcce2af62a
+            tag: 4.114.1-ls330@sha256:4dabed7dc766d3034778aa648ff6b89f0b04755a069fc1071ac0f22484b7c587
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/homepage/values.yaml

@@ -151,12 +151,6 @@ homepage:
                   href: https://jellyfin.alexlebens.net
                   siteMonitor: http://jellyfin.jellyfin:80
                   statusStyle: dot
-              - Movies and TV:
-                  icon: sh-kyoo.webp
-                  description: Kyoo
-                  href: https://kyoo.alexlebens.net
-                  siteMonitor: http://front.kyoo:8901
-                  statusStyle: dot
               - Youtube Archive:
                   icon: sh-tube-archivist-light.webp
                   description: TubeArchivist
@@ -393,6 +387,12 @@ homepage:
                       secret: {{ "{{HOMEPAGE_VAR_KOMODO_API_SECRET}}" }}
                       showStacks: true
                       fields: ["running", "down", "unhealthy", "unknown"]
+              - Vulnerability Scanning:
+                  icon: https://raw.githubusercontent.com/DependencyTrack/branding/f77a4ad3b469ff656856ea225f26b1610b89a584/dt-logo-symbol.svg
+                  description: Dependency Track
+                  href: https://dependency-track.alexlebens.net
+                  siteMonitor: http://dependency-track-frontend.dependency-track:8080
+                  statusStyle: dot
               - Uptime:
                   icon: sh-gatus.webp
                   description: Gatus

clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock

@@ -1,7 +1,7 @@
 dependencies:
 - name: kube-prometheus-stack
   repository: oci://ghcr.io/prometheus-community/charts
-  version: 83.2.0
+  version: 83.0.2
 - name: prometheus-operator-crds
   repository: oci://ghcr.io/prometheus-community/charts
   version: 28.0.1
@@ -11,5 +11,5 @@ dependencies:
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.5.0
-digest: sha256:d0942cff6346335abc91f9ceb919c5a819543b9b8baed11f83de89486f4e874d
+digest: sha256:0675ee4a9de34b23c744f521be309f7ad6860af74f8e7faeaa44bf26fda72d08
-generated: "2026-04-08T19:03:59.676069331Z"
+generated: "2026-04-07T22:42:15.723825441Z"

clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml

@@ -20,7 +20,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: kube-prometheus-stack
-    version: 83.2.0
+    version: 83.0.2
     repository: oci://ghcr.io/prometheus-community/charts
   - name: prometheus-operator-crds
     version: 28.0.1

clusters/cl01tl/helm/kyoo/Chart.lock

@@ -1,12 +0,0 @@
-dependencies:
-- name: kyoo
-  repository: oci://ghcr.io/zoriya/helm-charts
-  version: 5.0.0
-- name: postgres-cluster
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.11.2
-- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
-digest: sha256:0a5ba08e137471d788da07502db63f5be535c2843f5bfda74fb873a997846ded
-generated: "2026-04-08T21:04:05.245024-05:00"

clusters/cl01tl/helm/kyoo/Chart.yaml

@@ -1,35 +0,0 @@
-apiVersion: v2
-name: kyoo
-version: 1.0.0
-description: Kyoo
-keywords:
-  - kyoo
-  - media
-home: https://docs.alexlebens.dev/applications/kyoo/
-sources:
-  - https://github.com/zoriya/Kyoo
-  - https://github.com/zoriya/Kyoo/pkgs/container/kyoo_api
-  - https://github.com/zoriya/Kyoo/pkgs/container/kyoo_auth
-  - https://github.com/zoriya/Kyoo/pkgs/container/kyoo_front
-  - https://github.com/zoriya/Kyoo/pkgs/container/kyoo_scanner
-  - https://github.com/zoriya/Kyoo/pkgs/container/kyoo_transcoder
-  - https://github.com/zoriya/Kyoo/tree/master/chart
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: kyoo
-    repository: oci://ghcr.io/zoriya/helm-charts
-    version: 5.0.0
-  - name: postgres-cluster
-    alias: postgres-18-cluster
-    version: 7.11.2
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: volsync-target
-    alias: volsync-target-metadata
-    version: 0.8.0
-    repository: oci://harbor.alexlebens.net/helm-charts
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kyoo.png
-# renovate: datasource=github-releases depName=zoriya/Kyoo
-appVersion: v5.0.0

clusters/cl01tl/helm/kyoo/templates/http-route.yaml

@@ -1,88 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: kyoo
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - kyoo.alexlebens.net
-  rules:
-    - matches:
-        - path:
-            type: PathPrefix
-            value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: kyoo-front
-          port: 8901
-          weight: 100
-    - matches:
-        - path:
-            type: PathPrefix
-            value: /video
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: kyoo-transcoder
-          port: 7666
-          weight: 100
-    - matches:
-        - path:
-            type: PathPrefix
-            value: /auth/
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: kyoo-auth
-          port: 4568
-          weight: 100
-    - matches:
-        - path:
-            type: PathPrefix
-            value: /.well-known/
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: kyoo-auth
-          port: 4568
-          weight: 100
-    - matches:
-        - path:
-            type: PathPrefix
-            value: /api/
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: kyoo-api
-          port: 3567
-          weight: 100
-    - matches:
-        - path:
-            type: PathPrefix
-            value: /swagger
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: kyoo-api
-          port: 3567
-          weight: 100
-    - matches:
-        - path:
-            type: PathPrefix
-            value: /scanner/
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: kyoo-scanner
-          port: 4389
-          weight: 100

clusters/cl01tl/helm/kyoo/templates/persistent-volume-claim.yaml

@@ -1,131 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: kyoo-media-anime-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo-media-anime-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: kyoo-media-anime-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: kyoo-media-anime-movies-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo-media-anime-movies-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: kyoo-media-anime-movies-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: kyoo-media-movies-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo-media-movies-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: kyoo-media-movies-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: kyoo-media-movies-4k-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo-media-movies-4k-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: kyoo-media-movies-4k-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: kyoo-media-standup-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo-media-standup-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: kyoo-media-standup-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: kyoo-media-tvshows-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo-media-tvshows-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: kyoo-media-tvshows-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: kyoo-media-tvshows-4k-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo-media-tvshows-4k-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  volumeName: kyoo-media-tvshows-4k-nfs-storage
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi

clusters/cl01tl/helm/kyoo/templates/persistent-volume.yaml

@@ -1,173 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: kyoo-media-anime-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo-media-anime-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/Anime
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
-
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: kyoo-media-anime-movies-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo-media-anime-movies-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/Anime Movies
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
-
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: kyoo-media-movies-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo-media-movies-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/Movies
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
-
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: kyoo-media-movies-4k-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo-media-movies-4k-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/Movies 4K
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
-
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: kyoo-media-standup-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo-media-standup-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/Stand Up
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
-
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: kyoo-media-tvshows-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo-media-tvshows-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/TV Shows
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
-
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: kyoo-media-tvshows-4k-nfs-storage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: kyoo-media-tvshows-4k-nfs-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/TV Shows
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac

clusters/cl01tl/helm/kyoo/values.yaml

@@ -1,223 +0,0 @@
-kyoo:
-  global:
-    securityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: OnRootMismatch
-    postgres:
-      shared:
-        host: kyoo-postgresql-18-cluster-rw
-        port: 5432
-        existingSecret: kyoo-postgresql-18-cluster-app
-        userKey: user
-        passwordKey: password
-      kyoo_api:
-        database: kyoo_api
-        sslmode: disable
-        kyoo_api:
-          userKey: user
-          passwordKey: password
-          existingSecret: kyoo-postgresql-18-cluster-superuser
-      kyoo_auth:
-        database: kyoo_auth
-        sslmode: disable
-      kyoo_scanner:
-        database: kyoo_scanner
-        sslmode: disable
-      kyoo_transcoder:
-        database: kyoo_transcoder
-        sslmode: disable
-  kyoo:
-    address: https://kyoo.alexlebens.net
-    auth:
-      privatekey:
-        existingSecret: kyoo-key-secret
-        privatekeyKey: rsa-private
-      apikeys:
-        scanner:
-          existingSecret: kyoo-key-secret
-          apikeyKey: scanner-apikey
-    transcoderAcceleration: qsv
-    transcoderPreset: fast
-    oidc_providers:
-      - name: Authentik
-        existingSecret: kyoo-oidc-secret
-        clientIdKey: client
-        clientSecretKey: secret
-        logo: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/authentik.webp
-        authorizationAddress: https://authentik.alexlebens.net/application/o/authorize/
-        tokenAddress: https://authentik.alexlebens.net/application/o/token/
-        profileAddress: https://authentik.alexlebens.net/application/o/userinfo/
-        scope: "email openid profile"
-        authMethod: ClientSecretBasic
-  media:
-    volumes:
-      - name: kyoo-media-anime-nfs-storage
-        persistentVolumeClaim:
-          claimName: kyoo-media-anime-nfs-storage
-      - name: kyoo-media-anime-movies-nfs-storage
-        persistentVolumeClaim:
-          claimName: kyoo-media-anime-movies-nfs-storage
-      - name: kyoo-media-movies-nfs-storage
-        persistentVolumeClaim:
-          claimName: kyoo-media-movies-nfs-storage
-      - name: kyoo-media-movies-4k-nfs-storage
-        persistentVolumeClaim:
-          claimName: kyoo-media-movies-4k-nfs-storage
-      - name: kyoo-media-standup-nfs-storage
-        persistentVolumeClaim:
-          claimName: kyoo-media-standup-nfs-storage
-      - name: kyoo-media-tvshows-nfs-storage
-        persistentVolumeClaim:
-          claimName: kyoo-media-tvshows-nfs-storage
-      - name: kyoo-media-tvshows-4k-nfs-storage
-        persistentVolumeClaim:
-          claimName: kyoo-media-tvshows-4k-nfs-storage
-    volumeMounts:
-      - mountPath: /media/anime
-        name: kyoo-media-anime-nfs-storage
-        readOnly: true
-      - mountPath: /media/anime-movies
-        name: kyoo-media-anime-movies-nfs-storage
-        readOnly: true
-      - mountPath: /media/movies
-        name: kyoo-media-movies-nfs-storage
-        readOnly: true
-      - mountPath: /media/movies-4k
-        name: kyoo-media-movies-4k-nfs-storage
-        readOnly: true
-      - mountPath: /media/standup
-        name: kyoo-media-standup-nfs-storage
-        readOnly: true
-      - mountPath: /media/tvshows
-        name: kyoo-media-tvshows-nfs-storage
-        readOnly: true
-      - mountPath: /media/tvshows-4k
-        name: kyoo-media-tvshows-4k-nfs-storage
-        readOnly: true
-    baseMountPath: /media
-  contentdatabase:
-    tmdb:
-      apikeyKey: tmdb-apikey
-      existingSecret: kyoo-key-secret
-    tvdb:
-      apikeyKey: tvdb-apikey
-      pinKey: tvdb-apikey
-      existingSecret: kyoo-key-secret
-  api:
-    kyoo_api:
-      resources:
-        requests:
-          cpu: 10m
-          memory: 100Mi
-      image:
-        repository: ghcr.io/zoriya/kyoo_api
-        tag: 5.0.0@sha256:dc0210f235e23ae616b0f5952af7867dcbc52e0354c2683ec3c4190fdcd17744
-    persistence:
-      enabled: true
-      size: 1Gi
-      storageClass: ceph-block
-      accessModes:
-        - ReadWriteOnce
-  auth:
-    kyoo_auth:
-      resources:
-        requests:
-          cpu: 10m
-          memory: 100Mi
-      image:
-        repository: ghcr.io/zoriya/kyoo_auth
-        tag: 5.0.0
-    persistence:
-      enabled: true
-      size: 500Mi
-      storageClass: ceph-block
-      accessModes:
-        - ReadWriteOnce
-  front:
-    kyoo_front:
-      resources:
-        requests:
-          cpu: 10m
-          memory: 100Mi
-      image:
-        repository: ghcr.io/zoriya/kyoo_front
-        tag: 5.0.0@sha256:985f892470b304f13ef1950fb5f7e9ef33ee39b71705c627cb045773e6dfb7b4
-  scanner:
-    kyoo_scanner:
-      resources:
-        requests:
-          cpu: 10m
-          memory: 100Mi
-      image:
-        repository: ghcr.io/zoriya/kyoo_scanner
-        tag: 5.0.0@sha256:fa972f3f1e534264f4de153e30fe9481839754a3e724cc2663524a2b30e82b46
-  transcoder:
-    kyoo_transcoder:
-      resources:
-        limits:
-          gpu.intel.com/i915: 1
-        requests:
-          gpu.intel.com/i915: 1
-          cpu: 1
-          memory: 1Gi
-      image:
-        repository: ghcr.io/zoriya/kyoo_transcoder
-        tag: 5.0.0@sha256:59974794f8a638175408fa20f023ba9598108b54ad8ed9a22ec87a1a211dfc43
-    replicaCount: 1
-    persistence:
-      enabled: true
-      size: 1Gi
-      storageClass: ceph-block
-      accessModes:
-        - ReadWriteOnce
-  ingress:
-    enabled: false
-  traefikproxy:
-    enabled: false
-  postgres:
-    enabled: false
-postgres-18-cluster:
-  mode: recovery
-  cluster:
-    enableSuperuserAccess: true
-  recovery:
-    method: objectStore
-    objectStore:
-      index: 1
-  backup:
-    objectStore:
-      - name: garage-local
-        index: 1
-        destinationBucket: postgres-backups
-        externalSecretCredentialPath: /garage/home-infra/postgres-backups
-        isWALArchiver: true
-    scheduledBackups:
-      - name: live-backup
-        suspend: false
-        immediate: true
-        schedule: "0 5 14 * * *"
-        backupName: garage-local
-  databases:
-    - name: kyoo_api
-      ensure: present
-      owner: app
-    - name: kyoo_auth
-      ensure: present
-      owner: app
-    - name: kyoo_scanner
-      ensure: present
-      owner: app
-    - name: kyoo_transcoder
-      ensure: present
-      owner: app
-volsync-target-metadata:
-  pvcTarget: kyoo-apimetadata
-  local:
-    enabled: true
-    schedule: 26 8 * * *
-  remote:
-    enabled: true
-    schedule: 26 9 * * *
-  external:
-    enabled: true
-    schedule: 26 10 * * *

clusters/cl01tl/helm/lidarr/values.yaml

@@ -14,7 +14,7 @@ lidarr:
         main:
           image:
             repository: ghcr.io/linuxserver/lidarr
-            tag: 3.1.2-nightly@sha256:2b602738585d64c62e119073c631e50872f07595d2d90936a9186f2989cb2eda
+            tag: 3.1.2-nightly@sha256:0fc8d169a0740a77e03ec0e5eaee1ce2db0d882fc0bb8d0a26fd77a8beaad8e9
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/matrix-synapse/Chart.lock

@@ -1,7 +1,7 @@
 dependencies:
 - name: matrix-synapse
   repository: https://ananace.gitlab.io/charts
-  version: 3.12.25
+  version: 3.12.24
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.6.2
@@ -38,5 +38,5 @@ dependencies:
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.8.0
-digest: sha256:937fe4fd8cd564a5f55a0f251a9b412eeeebe797f52d6769b18f6f6a28f6dd64
+digest: sha256:0e8b1b79a98952ed49c87c6da83dcc2eed2aabbd755d9ebf1bdd3090f3ccc44c
-generated: "2026-04-08T19:02:45.651984056Z"
+generated: "2026-04-04T21:03:48.737144-05:00"

clusters/cl01tl/helm/matrix-synapse/Chart.yaml

@@ -26,7 +26,7 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: matrix-synapse
-    version: 3.12.25
+    version: 3.12.24
     repository: https://ananace.gitlab.io/charts
   - name: app-template
     alias: matrix-hookshot

clusters/cl01tl/helm/matrix-synapse/values.yaml

@@ -1,7 +1,7 @@
 matrix-synapse:
   image:
     repository: ghcr.io/element-hq/synapse
-    tag: v1.151.0@sha256:184dc8757daef019b511e7f96fc6e5edfb880fd074d8cf702c7e3aa899d188c8
+    tag: v1.150.0@sha256:cba0969087ca70a3ec72ebcd1491a6c8391a7da2c0b92738231dd9c7ad55df4d
   serverName: alexlebens.dev
   publicServerName: matrix.alexlebens.dev
   argoCD: true

clusters/cl01tl/helm/ollama/Chart.yaml

@@ -31,4 +31,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ollama.png
 # renovate: datasource=github-releases depName=ollama/ollama
-appVersion: 0.20.4
+appVersion: 0.20.3

clusters/cl01tl/helm/paperless-ngx/Chart.lock

@@ -4,7 +4,7 @@ dependencies:
   version: 4.6.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.11.2
+  version: 7.11.0
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.5.0
@@ -20,5 +20,5 @@ dependencies:
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.8.0
-digest: sha256:ae3aa7bd167e216d79bfbb60770c9bc209a8a689685f6dff6be41d8952ac0f25
+digest: sha256:08acc0818deaede4bb7515be7cbb1253f30036b70af6038caa69e4bd3cc02412
-generated: "2026-04-08T17:24:02.420482074Z"
+generated: "2026-03-30T20:25:47.995874-05:00"

clusters/cl01tl/helm/paperless-ngx/Chart.yaml

@@ -24,7 +24,7 @@ dependencies:
     version: 4.6.2
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 7.11.2
+    version: 7.11.0
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: valkey
     alias: valkey

clusters/cl01tl/helm/plex/Chart.yaml

@@ -20,4 +20,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/plex.png
 # renovate: datasource=github-releases depName=linuxserver/docker-plex
-appVersion: 1.43.1.10576-06378bdcd-ls300
+appVersion: 1.43.0.10492-121068a07-ls299

clusters/cl01tl/helm/plex/values.yaml

@@ -22,7 +22,7 @@ plex:
         main:
           image:
             repository: ghcr.io/linuxserver/plex
-            tag: 1.43.1.10576-06378bdcd-ls300@sha256:09fe33e5efd991681ea3cbd3e3cb262cd1ae26d4a0145a4141ead284d8f21de6
+            tag: 1.43.0.10492-121068a07-ls299@sha256:a21302c5297943e204e9b262f8c2eca3e0c7ddb52490bfb3f1db47f6103721ab
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/postiz/Chart.lock

@@ -4,7 +4,7 @@ dependencies:
   version: 4.6.2
 - name: temporal
   repository: https://go.temporal.io/helm-charts
-  version: 1.0.0
+  version: 1.0.0-rc.3
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 2.4.0
@@ -20,5 +20,5 @@ dependencies:
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.8.0
-digest: sha256:dbb86231dcf341e73570b57a10aad6278989e0c50c6f5959a43439a8a9146bb9
+digest: sha256:a5d285d997702cefaac9808ac6556a566d7974773c7fb2c7a0defb8f64226443
-generated: "2026-04-08T19:03:28.347782848Z"
+generated: "2026-04-05T20:33:43.946895-05:00"

clusters/cl01tl/helm/postiz/Chart.yaml

@@ -29,7 +29,7 @@ dependencies:
     version: 4.6.2
   - name: temporal
     repository: https://go.temporal.io/helm-charts
-    version: 1.0.0
+    version: 1.0.0-rc.3
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 2.4.0

clusters/cl01tl/helm/qbittorrent/values.yaml

@@ -208,7 +208,7 @@ qbittorrent:
         qui:
           image:
             repository: ghcr.io/autobrr/qui
-            tag: v1.16.1@sha256:07b6ea9572e52e8b5f70f8fb15a7c688d8d754a7616242d3ad0b21dbd5c05836
+            tag: v1.16.0@sha256:fcdced7cb8395ce039f2c5f920d890d4ad8bd849faec4c4df31701a8f13423cb
           env:
             - name: QUI__METRICS_ENABLED
               value: true

clusters/cl01tl/helm/rclone/Chart.yaml

@@ -20,4 +20,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/rclone.png
 # renovate: datasource=github-releases depName=rclone/rclone
-appVersion: v1.73.4
+appVersion: v1.73.3

clusters/cl01tl/helm/rclone/values.yaml

@@ -12,7 +12,7 @@ rclone:
         sync:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.3@sha256:66af24d7c8809af336dc16068149257cf447c80f8c60aa9f5679153f42017b85
           args:
             - sync
             - src:directus-assets
@@ -90,7 +90,7 @@ rclone:
         sync:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.3@sha256:66af24d7c8809af336dc16068149257cf447c80f8c60aa9f5679153f42017b85
           args:
             - sync
             - src:karakeep-assets
@@ -168,7 +168,7 @@ rclone:
         sync:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.3@sha256:66af24d7c8809af336dc16068149257cf447c80f8c60aa9f5679153f42017b85
           args:
             - sync
             - src:talos-backups
@@ -239,7 +239,7 @@ rclone:
         prune:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.3@sha256:66af24d7c8809af336dc16068149257cf447c80f8c60aa9f5679153f42017b85
           args:
             - delete
             - dest:talos-backups
@@ -287,7 +287,7 @@ rclone:
         sync:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.3@sha256:66af24d7c8809af336dc16068149257cf447c80f8c60aa9f5679153f42017b85
           args:
             - sync
             - src:web-assets
@@ -365,7 +365,7 @@ rclone:
         sync:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.3@sha256:66af24d7c8809af336dc16068149257cf447c80f8c60aa9f5679153f42017b85
           args:
             - sync
             - src:postgres-backups
@@ -440,7 +440,7 @@ rclone:
         prune:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.3@sha256:66af24d7c8809af336dc16068149257cf447c80f8c60aa9f5679153f42017b85
           args:
             - delete
             - dest:postgres-backups
@@ -488,7 +488,7 @@ rclone:
         sync:
           image:
             repository: rclone/rclone
-            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+            tag: 1.73.3@sha256:66af24d7c8809af336dc16068149257cf447c80f8c60aa9f5679153f42017b85
           args:
             - sync
             - src:ntfy-attachments

clusters/cl01tl/helm/searxng/values.yaml

@@ -57,7 +57,7 @@ searxng:
         valkey:
           image:
             repository: valkey/valkey
-            tag: 9.0.3-alpine@sha256:e1095c6c76ee982cb2d1e07edbb7fb2a53606630a1d810d5a47c9f646b708bf5
+            tag: 9.0.0-alpine@sha256:bef37d06d4856710973ee31dd1eac1482e4c8e6e7b847f999ad25433e646587b
   service:
     api:
       controller: api

clusters/cl01tl/helm/seerr/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: seerr-chart
   repository: oci://ghcr.io/seerr-team/seerr
-  version: 3.4.1
+  version: 3.4.0
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.8.0
-digest: sha256:821fc73d7411c89f0eba2c35a7a455523dadaa4f9d5149b17b2c96cf594f5e1a
+digest: sha256:0ae90021bff10a9790f29f40f57607c9212e4e793078d62c9aeab833066b2d4e
-generated: "2026-04-08T17:24:50.724009386Z"
+generated: "2026-04-07T22:03:12.12671791Z"

clusters/cl01tl/helm/seerr/Chart.yaml

@@ -17,7 +17,7 @@ maintainers:
 dependencies:
   - name: seerr-chart
     repository: oci://ghcr.io/seerr-team/seerr
-    version: 3.4.1
+    version: 3.4.0
   - name: volsync-target
     alias: volsync-target-config
     version: 0.8.0

clusters/cl01tl/helm/site-documentation/values.yaml

@@ -10,7 +10,7 @@ site-documentation:
         main:
           image:
             repository: harbor.alexlebens.net/images/site-documentation
-            tag: 0.22.0@sha256:3310620f9bad0184d6ba6c786a3826ce53038c03cca345660a7e422276dbd478
+            tag: 0.21.0@sha256:556d92724306b0949c38185ffbaa7e3f05b9ba0d9b8dcfee0fc7a21985d10199
           resources:
             requests:
               cpu: 10m

clusters/cl01tl/helm/stalwart/templates/elasticsearch.yaml

@@ -9,7 +9,7 @@ metadata:
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   # renovate: datasource=docker depName=elasticsearch
-  version: 9.3.3
+  version: 8.19.13
   auth:
     fileRealm:
       - secretName: stalwart-elasticsearch-secret

clusters/cl01tl/helm/tdarr/values.yaml

@@ -12,7 +12,7 @@ tdarr:
         main:
           image:
             repository: ghcr.io/haveagitgat/tdarr
-            tag: 2.68.01@sha256:db9520315f83974cb5b8f2a8ed89a8a2be3d97d29575f54cbe4b5cc5e6daf5a5
+            tag: 2.67.01@sha256:048ae8ed4de8e9f0de51ad739b2105bee3e4d1a8575120df468cec5f6ef2b1da
           env:
             - name: TZ
               value: America/Chicago
@@ -68,7 +68,7 @@ tdarr:
         main:
           image:
             repository: ghcr.io/haveagitgat/tdarr_node
-            tag: 2.68.01@sha256:6359991d297ec23e2a5fe3a6b5b19c65d9eabdc63172d2cbe6aa576bbe5356c2
+            tag: 2.67.01@sha256:dc23becc667f77d2489b1042bd3af87fdd2fd85c2802e126928ef2ced9a8f560
           env:
             - name: TZ
               value: America/Chicago

clusters/cl01tl/helm/traefik/values.yaml

@@ -2,9 +2,12 @@ traefik:
   image:
     registry: docker.io
     repository: traefik
-    tag: v3.6.13@sha256:abb4f51887319c9b9d9cfe1d3cdf9379a771138003bf683f10e97697e148f95f
+    tag: v3.6.12@sha256:171c9c3565b29f6c133f1c1b43c5d4e5853415198e9e1078c001f8702ff66aec
   deployment:
     kind: DaemonSet
+  podDisruptionBudget:
+    enabled: true
+    minAvailable: 1
   ingressClass:
     enabled: false
   gateway:

clusters/cl01tl/helm/tubearchivist/templates/elasticsearch.yaml

@@ -9,7 +9,7 @@ metadata:
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   # renovate: datasource=docker depName=elasticsearch
-  version: 9.3.3
+  version: 8.19.13
   auth:
     fileRealm:
       - secretName: tubearchivist-elasticsearch-secret

clusters/cl01tl/helm/vault/values.yaml

@@ -10,12 +10,10 @@ vault:
       repository: hashicorp/vault
       tag: 1.21.4@sha256:4e33b126a59c0c333b76fb4e894722462659a6bec7c48c9ee8cea56fccfd2569
     updateStrategyType: RollingUpdate
-    logLevel: debug
-    logFormat: standard
     resources:
       requests:
         cpu: 50m
-        memory: 512Mi
+        memory: 90Mi
     authDelegator:
       enabled: false
     livenessProbe:
@@ -32,7 +30,7 @@ vault:
       size: 1Gi
       storageClass: ceph-block
     auditStorage:
-      enabled: false
+      enabled: true
       size: 5Gi
       storageClass: ceph-block
     standalone:

clusters/cl01tl/helm/vaultwarden/Chart.yaml

@@ -8,7 +8,7 @@ keywords:
 home: https://docs.alexlebens.dev/applications/vault/
 sources:
   - https://github.com/dani-garcia/vaultwarden
-  - https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden
+  - https://hub.docker.com/r/vaultwarden/server
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster

clusters/cl01tl/helm/vaultwarden/values.yaml

@@ -7,7 +7,7 @@ vaultwarden:
       containers:
         main:
           image:
-            repository: ghcr.io/dani-garcia/vaultwarden
+            repository: ghcr.io/vaultwarden/server
             tag: 1.35.4@sha256:43498a94b22f9563f2a94b53760ab3e710eefc0d0cac2efda4b12b9eb8690664
           env:
             - name: DOMAIN

clusters/cl01tl/helm/volsync/values.yaml

@@ -2,7 +2,7 @@ volsync:
   replicaCount: 2
   image:
     repository: quay.io/backube/volsync
-    tag: 0.15.0@sha256:4fedd41b3101dde090542009c4177f703d241bf4760d1767bd9df08fd8fd93a4
+    image: 0.15.0@sha256:4fedd41b3101dde090542009c4177f703d241bf4760d1767bd9df08fd8fd93a4
   manageCRDs: true
   metrics:
     disableAuth: true

clusters/cl01tl/helm/whodb/Chart.yaml

@@ -4,8 +4,9 @@ version: 1.0.0
 description: WhoDB
 keywords:
   - whodb
-  - database-dashboard
+  - postgresql
-home: https://docs.alexlebens.dev/applications/whodb/
+  - database
+home: https://wiki.alexlebens.dev/s/f329e026-7ade-4a3c-a5f1-1ac1492b9786
 sources:
   - https://github.com/clidey/whodb
   - https://hub.docker.com/r/clidey/whodb

clusters/cl01tl/helm/whodb/values.yaml

@@ -3,11 +3,13 @@ whodb:
     main:
       type: deployment
       replicas: 1
+      strategy: Recreate
       containers:
         main:
           image:
             repository: clidey/whodb
-            tag: 0.104.0@sha256:ab485c021b862aac50bb88658f3342ca01d3eba33e933353692bc9989b2912c4
+            tag: 0.104.0
+            pullPolicy: IfNotPresent
           env:
             - name: WHODB_OLLAMA_HOST
               value: ollama-server-2.ollama
@@ -15,8 +17,8 @@ whodb:
               value: 11434
           resources:
             requests:
-              cpu: 1m
+              cpu: 10m
-              memory: 20Mi
+              memory: 256Mi
   service:
     main:
       controller: main
@@ -24,6 +26,7 @@ whodb:
         http:
           port: 80
           targetPort: 8080
+          protocol: TCP
   route:
     main:
       kind: HTTPRoute
@@ -36,8 +39,11 @@ whodb:
         - whodb.alexlebens.net
       rules:
         - backendRefs:
-            - name: whodb
+            - group: ''
+              kind: Service
+              name: whodb
               port: 80
+              weight: 100
           matches:
             - path:
                 type: PathPrefix

clusters/cl01tl/helm/yamtrack/Chart.lock

@@ -7,6 +7,6 @@ dependencies:
   version: 7.11.2
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.5.0
+  version: 0.4.0
-digest: sha256:473de03f0404ca8c53e85ea2a22797a8ba040102c6dca977face60f81f3130e4
+digest: sha256:2d0dc9c81ac07ac67670396d9a2f619f7abc8c1311c6bf03e71377dc1354d642
-generated: "2026-04-07T20:57:56.63402-05:00"
+generated: "2026-04-08T02:08:29.676519559Z"

clusters/cl01tl/helm/yamtrack/Chart.yaml

@@ -4,14 +4,15 @@ version: 1.0.0
 description: Yamtrack
 keywords:
   - yamtrack
-  - media-tracking
+  - media
-home: https://docs.alexlebens.dev/applications/yamtrack/
+  - jellyfin
+home: https://wiki.alexlebens.dev/s/74f31779-734e-42d0-852e-efd57ebdc797
 sources:
   - https://github.com/FuzzyGrim/Yamtrack
+  - https://github.com/cloudnative-pg/cloudnative-pg
   - https://github.com/FuzzyGrim/Yamtrack/pkgs/container/yamtrack
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
 maintainers:
   - name: alexlebens
 dependencies:
@@ -25,7 +26,7 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: valkey
     alias: valkey
-    version: 0.5.0
+    version: 0.4.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/yamtrack.png
 # renovate: datasource=github-releases depName=FuzzyGrim/Yamtrack

clusters/cl01tl/helm/yamtrack/templates/external-secret.yaml

@@ -14,7 +14,10 @@ spec:
   data:
     - secretKey: SECRET
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /cl01tl/yamtrack/config
+        metadataPolicy: None
         property: SECRET
 
 ---
@@ -34,5 +37,8 @@ spec:
   data:
     - secretKey: SOCIALACCOUNT_PROVIDERS
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: /authentik/oidc/yamtrack
+        metadataPolicy: None
         property: SOCIALACCOUNT_PROVIDERS

clusters/cl01tl/helm/yamtrack/values.yaml

@@ -4,14 +4,16 @@ yamtrack:
       type: deployment
       replicas: 1
       strategy: Recreate
+      revisionHistoryLimit: 3
       containers:
         main:
           image:
             repository: ghcr.io/fuzzygrim/yamtrack
-            tag: 0.25.0@sha256:df76008258452a6cda73d971dc4ffbcbca96c5220154a02c9b70bf0bb0e24931
+            tag: 0.25.0
+            pullPolicy: IfNotPresent
           env:
             - name: TZ
-              value: America/Chicago
+              value: US/Central
             - name: URLS
               value: https://yamtrack.alexlebens.net
             - name: REGISTRATION
@@ -58,7 +60,7 @@ yamtrack:
           resources:
             requests:
               cpu: 10m
-              memory: 380Mi
+              memory: 256Mi
   service:
     main:
       controller: main
@@ -66,6 +68,7 @@ yamtrack:
         http:
           port: 80
           targetPort: 8000
+          protocol: HTTP
   route:
     main:
       kind: HTTPRoute
@@ -78,8 +81,11 @@ yamtrack:
         - yamtrack.alexlebens.net
       rules:
         - backendRefs:
-            - name: yamtrack
+            - group: ''
+              kind: Service
+              name: yamtrack
               port: 80
+              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -97,9 +103,32 @@ postgres-18-cluster:
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true
+      # - name: garage-remote
+      #   index: 1
+      #   destinationBucket: postgres-backups
+      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
+      #   retentionPolicy: "90d"
+      #   data:
+      #     compression: bzip2
+      # - name: external
+      #   index: 1
+      #   endpointURL: https://nyc3.digitaloceanspaces.com
+      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
+      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
+      #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 10 16 * * *"
         backupName: garage-local
+      # - name: weekly-backup
+      #   suspend: true
+      #   immediate: true
+      #   schedule: "0 0 4 * * SAT"
+      #   backupName: garage-remote
+      # - name: daily-backup
+      #   suspend: true
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external

clusters/cl01tl/helm/yubal/Chart.yaml

@@ -5,11 +5,11 @@ description: yubal
 keywords:
   - yubal
   - music
-home: https://docs.alexlebens.dev/applications/yamtrack/
+  - youtube
+home: https://wiki.alexlebens.dev/s/
 sources:
   - https://github.com/guillevc/yubal
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:
@@ -21,6 +21,5 @@ dependencies:
     alias: volsync-target-config
     version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/yubal.png
 # renovate: datasource=github-releases depName=guillevc/yubal
 appVersion: v0.7.2

clusters/cl01tl/helm/yubal/templates/external-secret.yaml

@@ -0,0 +1,42 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: yubal-wireguard-conf
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: yubal-wireguard-conf
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: private-key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /airvpn/conf/cl01tl
+        metadataPolicy: None
+        property: private-key
+    - secretKey: preshared-key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /airvpn/conf/cl01tl
+        metadataPolicy: None
+        property: preshared-key
+    - secretKey: addresses
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /airvpn/conf/cl01tl
+        metadataPolicy: None
+        property: addresses
+    - secretKey: input-ports
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /airvpn/conf/cl01tl
+        metadataPolicy: None
+        property: input-ports

clusters/cl01tl/helm/yubal/templates/namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: yubal
+  labels:
+    app.kubernetes.io/name: yubal
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/yubal/values.yaml

@@ -4,17 +4,18 @@ yubal:
       type: deployment
       replicas: 1
       strategy: Recreate
+      revisionHistoryLimit: 3
       pod:
         securityContext:
           runAsUser: 1000
           runAsGroup: 1000
           fsGroup: 1000
-          fsGroupChangePolicy: OnRootMismatch
       containers:
         main:
           image:
             repository: ghcr.io/guillevc/yubal
             tag: 0.7.2@sha256:906b7c90b738e77ad140178f6a5145f98c12af36e8321d427148c092836c37be
+            pullPolicy: IfNotPresent
           env:
             - name: YUBAL_TZ
               value: America/Chicago
@@ -27,7 +28,7 @@ yubal:
           resources:
             requests:
               cpu: 10m
-              memory: 200Mi
+              memory: 128Mi
   service:
     main:
       controller: main
@@ -35,6 +36,7 @@ yubal:
         http:
           port: 80
           targetPort: 8000
+          protocol: HTTP
   route:
     main:
       kind: HTTPRoute
@@ -47,8 +49,11 @@ yubal:
         - yubal.alexlebens.net
       rules:
         - backendRefs:
-            - name: yubal
+            - group: ''
+              kind: Service
+              name: yubal
               port: 80
+              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -59,6 +64,7 @@ yubal:
       storageClass: ceph-block
       accessMode: ReadWriteOnce
       size: 1Gi
+      retain: true
       advancedMounts:
         main:
           main:

hosts/ps08rp/blocky/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-blocky:
-        image: ghcr.io/tailscale/tailscale:v1.96.5@sha256:dbeff02d2337344b351afac203427218c4d0a06c43fc10a865184063498472a6
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-blocky
         cap_add:
             - net_admin

hosts/ps08rp/blocky/config.yml

@@ -86,6 +86,7 @@ customDNS:
     bazarr                          IN      CNAME   traefik-cl01tl
     ceph                            IN      CNAME   traefik-cl01tl
     dawarich                        IN      CNAME   traefik-cl01tl
+    dependency-track                IN      CNAME   traefik-cl01tl
     directus                        IN      CNAME   traefik-cl01tl
     excalidraw                      IN      CNAME   traefik-cl01tl
     feishin                         IN      CNAME   traefik-cl01tl
@@ -108,7 +109,6 @@ customDNS:
     jellystat                       IN      CNAME   traefik-cl01tl
     kiwix                           IN      CNAME   traefik-cl01tl
     komodo                          IN      CNAME   traefik-cl01tl
-    kyoo                            IN      CNAME   traefik-cl01tl
     languagetool                    IN      CNAME   traefik-cl01tl
     lidarr                          IN      CNAME   traefik-cl01tl
     mail                            IN      CNAME   traefik-cl01tl

hosts/ps08rp/traefik/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     traefik:
-        image: ghcr.io/traefik/traefik:v3.6.13@sha256:abb4f51887319c9b9d9cfe1d3cdf9379a771138003bf683f10e97697e148f95f
+        image: ghcr.io/traefik/traefik:v3.6.12@sha256:171c9c3565b29f6c133f1c1b43c5d4e5853415198e9e1078c001f8702ff66aec
         container_name: traefik
         command:
             - "--global.checkNewVersion=false"

hosts/ps09rp/blocky/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-blocky:
-        image: ghcr.io/tailscale/tailscale:v1.96.5@sha256:dbeff02d2337344b351afac203427218c4d0a06c43fc10a865184063498472a6
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-blocky
         cap_add:
             - net_admin

hosts/ps09rp/blocky/config.yml

@@ -107,6 +107,7 @@ customDNS:
     bazarr                          IN      CNAME   traefik-cl01tl
     ceph                            IN      CNAME   traefik-cl01tl
     dawarich                        IN      CNAME   traefik-cl01tl
+    dependency-track                IN      CNAME   traefik-cl01tl
     directus                        IN      CNAME   traefik-cl01tl
     excalidraw                      IN      CNAME   traefik-cl01tl
     feishin                         IN      CNAME   traefik-cl01tl
@@ -129,7 +130,6 @@ customDNS:
     jellystat                       IN      CNAME   traefik-cl01tl
     kiwix                           IN      CNAME   traefik-cl01tl
     komodo                          IN      CNAME   traefik-cl01tl
-    kyoo                            IN      CNAME   traefik-cl01tl
     languagetool                    IN      CNAME   traefik-cl01tl
     lidarr                          IN      CNAME   traefik-cl01tl
     mail                            IN      CNAME   traefik-cl01tl

hosts/ps09rp/traefik/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     traefik:
-        image: ghcr.io/traefik/traefik:v3.6.13@sha256:abb4f51887319c9b9d9cfe1d3cdf9379a771138003bf683f10e97697e148f95f
+        image: ghcr.io/traefik/traefik:v3.6.12@sha256:171c9c3565b29f6c133f1c1b43c5d4e5853415198e9e1078c001f8702ff66aec
         container_name: traefik
         command:
             - "--global.checkNewVersion=false"

hosts/ps10rp/blocky/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-blocky:
-        image: ghcr.io/tailscale/tailscale:v1.96.5@sha256:dbeff02d2337344b351afac203427218c4d0a06c43fc10a865184063498472a6
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-blocky
         cap_add:
             - net_admin

hosts/ps10rp/garage/compose.yaml

@@ -1,6 +1,6 @@
 services:
     tailscale-garage:
-        image: ghcr.io/tailscale/tailscale:v1.96.5@sha256:dbeff02d2337344b351afac203427218c4d0a06c43fc10a865184063498472a6
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-garage
         cap_add:
             - net_admin
@@ -20,7 +20,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     tailscale-garage-ui:
-        image: ghcr.io/tailscale/tailscale:v1.96.5@sha256:dbeff02d2337344b351afac203427218c4d0a06c43fc10a865184063498472a6
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-garage-ui
         cap_add:
             - net_admin

hosts/ps10rp/gitea/compose.yaml

@@ -1,6 +1,6 @@
 services:
     tailscale-gitea:
-        image: ghcr.io/tailscale/tailscale:v1.96.5@sha256:dbeff02d2337344b351afac203427218c4d0a06c43fc10a865184063498472a6
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-gitea
         cap_add:
             - net_admin

hosts/ps10rp/homepage/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-homepage:
-        image: ghcr.io/tailscale/tailscale:v1.96.5@sha256:dbeff02d2337344b351afac203427218c4d0a06c43fc10a865184063498472a6
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-homepage
         cap_add:
             - net_admin

hosts/ps10rp/komodo-periphery/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-komodo-periphery:
-        image: ghcr.io/tailscale/tailscale:v1.96.5@sha256:dbeff02d2337344b351afac203427218c4d0a06c43fc10a865184063498472a6
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-komodo-periphery
         cap_add:
             - net_admin

hosts/ps10rp/node-exporter/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-node-exporter:
-        image: ghcr.io/tailscale/tailscale:v1.96.5@sha256:dbeff02d2337344b351afac203427218c4d0a06c43fc10a865184063498472a6
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-node-exporter
         cap_add:
             - net_admin

hosts/ps10rp/tailscale-subnet/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale:
-        image: ghcr.io/tailscale/tailscale:v1.96.5@sha256:dbeff02d2337344b351afac203427218c4d0a06c43fc10a865184063498472a6
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-subnet
         cap_add:
             - net_admin

hosts/ps10rp/traefik/compose.yaml

@@ -1,7 +1,7 @@
 ---
 services:
     tailscale-traefik:
-        image: ghcr.io/tailscale/tailscale:v1.96.5@sha256:dbeff02d2337344b351afac203427218c4d0a06c43fc10a865184063498472a6
+        image: ghcr.io/tailscale/tailscale:v1.94.2@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1
         container_name: tailscale-traefik
         cap_add:
             - net_admin
@@ -20,7 +20,7 @@ services:
             - /dev/net/tun:/dev/net/tun
 
     traefik:
-        image: ghcr.io/traefik/traefik:v3.6.13@sha256:abb4f51887319c9b9d9cfe1d3cdf9379a771138003bf683f10e97697e148f95f
+        image: ghcr.io/traefik/traefik:v3.6.12@sha256:171c9c3565b29f6c133f1c1b43c5d4e5853415198e9e1078c001f8702ff66aec
         container_name: traefik
         command:
             - "--global.checkNewVersion=false"

renovate.json

@@ -76,10 +76,10 @@
     {
       "description": "Specific app grouping overrides",
       "matchPackageNames": [
-        "/(^|/|-)(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|kyoo|plex|postiz|rook-ceph|roundcube|rybbit|tdarr|traefik)/",
+        "/(^|/|-)(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|rook-ceph|roundcube|rybbit|tdarr|traefik)/",
         "/^rook(-ceph|/rook|/ceph)/"
       ],
-      "groupName": "{{#if packageName}}{{{replace '^.*(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|kyoo|plex|postiz|rook-ceph|roundcube|rybbit|tdarr|traefik).*$' '$1' packageName}}}{{else}}{{{replace '^.*(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|kyoo|plex|postiz|rook-ceph|roundcube|rybbit|tdarr|traefik).*$' '$1' depName}}}{{/if}}",
+      "groupName": "{{#if packageName}}{{{replace '^.*(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|rook-ceph|roundcube|rybbit|tdarr|traefik).*$' '$1' packageName}}}{{else}}{{{replace '^.*(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|rook-ceph|roundcube|rybbit|tdarr|traefik).*$' '$1' depName}}}{{/if}}",
       "groupSlug": "unified-{{{groupName}}}"
     },
     {