Update dpage/pgadmin4 Docker tag to v9.11

2025-12-12 21:02:59 +00:00
266 changed files with 3851 additions and 1921 deletions
--- a/.gitea/workflows/lint-test-helm.yaml
+++ b/.gitea/workflows/lint-test-helm.yaml
@@ -84,7 +84,7 @@ jobs:
                echo ""
                echo ">> Adding path: $path"
                CHANGED_CHARTS+=$(echo "$path" | awk -F '/' '{print $4}')
-                CHANGED_CHARTS+=$(echo "\n")
+                CHANGED_CHARTS+=$(echo " ")
              fi
            done
@@ -124,14 +124,7 @@ jobs:
            helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/$dir 2> /dev/null \
              | tail +2 | head -n -1 \
              | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do
+              | while read cmd; do echo "$cmd" | sh; done || true
                if [[ "$cmd" == "*oci://*" ]]; then
                  echo ">> Ignoring OCI repo"
                else
                  echo ">> Command: $cmd"
                  echo "$cmd" | sh;
                fi
              done || true
          done
          if helm repo list | tail +2 | read -r; then
--- a/.gitea/workflows/render-manifests-automerge.yaml
+++ b/.gitea/workflows/render-manifests-automerge.yaml
@@ -106,13 +106,7 @@ jobs:
            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
              | tail +2 | head -n -1 \
              | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do
+              | while read cmd; do echo "$cmd" | sh; done || true
                if [[ "$cmd" == "*oci://*" ]]; then
                  echo ">> Ignoring OCI repo"
                else
                  echo "$cmd" | sh;
                fi
              done || true
          done
          if helm repo list | tail +2 | read -r; then
--- a/.gitea/workflows/render-manifests-dispatch.yaml
+++ b/.gitea/workflows/render-manifests-dispatch.yaml
@@ -91,13 +91,7 @@ jobs:
            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
              | tail +2 | head -n -1 \
              | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do
+              | while read cmd; do echo "$cmd" | sh; done || true
                if [[ "$cmd" == "*oci://*" ]]; then
                  echo ">> Ignoring OCI repo"
                else
                  echo "$cmd" | sh;
                fi
              done || true
          done
          if helm repo list | tail +2 | read -r; then
--- a/.gitea/workflows/render-manifests-merge.yaml
+++ b/.gitea/workflows/render-manifests-merge.yaml
@@ -111,13 +111,7 @@ jobs:
            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
              | tail +2 | head -n -1 \
              | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do
+              | while read cmd; do echo "$cmd" | sh; done || true
                if [[ "$cmd" == "*oci://*" ]]; then
                  echo ">> Ignoring OCI repo"
                else
                  echo "$cmd" | sh;
                fi
              done || true
          done
          if helm repo list | tail +2 | read -r; then
--- a/.gitea/workflows/render-manifests-push.yaml
+++ b/.gitea/workflows/render-manifests-push.yaml
@@ -109,13 +109,7 @@ jobs:
            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
              | tail +2 | head -n -1 \
              | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do
+              | while read cmd; do echo "$cmd" | sh; done || true
                if [[ "$cmd" == "*oci://*" ]]; then
                  echo ">> Ignoring OCI repo"
                else
                  echo "$cmd" | sh;
                fi
              done || true
          done
          if helm repo list | tail +2 | read -r; then
--- a/clusters/cl01tl/helm/actual/Chart.lock
+++ b/clusters/cl01tl/helm/actual/Chart.lock
@@ -2,8 +2,5 @@ dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.5.0
- name: volsync-target
+digest: sha256:926b8da839684072fd79954aff0c9852c2ff3b618b0fa35177bdec8e2dff4986
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-05T17:02:01.15162583Z"
  version: 0.3.0
 digest: sha256:3763d6c5c0b45219235229aa1d72bfa426abd29aa8d92c1b1ca958b6afb3bfc8
 generated: "2025-12-15T17:43:51.908308-06:00"
--- a/clusters/cl01tl/helm/actual/Chart.yaml
+++ b/clusters/cl01tl/helm/actual/Chart.yaml
@@ -17,9 +17,5 @@ dependencies:
    alias: actual
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.5.0
  - name: volsync-target
    alias: volsync-target-data
    version: 0.3.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
 appVersion: 25.12.0
--- a/clusters/cl01tl/helm/actual/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/actual/templates/external-secret.yaml
@@ -0,0 +1,55 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: actual-data-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: actual-data-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/actual/actual-data"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
--- a/clusters/cl01tl/helm/actual/templates/replication-source.yaml
+++ b/clusters/cl01tl/helm/actual/templates/replication-source.yaml
@@ -0,0 +1,25 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: actual-data-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: actual-data-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: actual-data
  trigger:
    schedule: 0 4 * * *
  restic:
    pruneIntervalDays: 7
    repository: actual-data-backup-secret
    retain:
      hourly: 1
      daily: 3
      weekly: 2
      monthly: 2
      yearly: 4
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/cl01tl/helm/actual/values.yaml
+++ b/clusters/cl01tl/helm/actual/values.yaml
@@ -54,5 +54,3 @@ actual:
          main:
            - path: /data
              readOnly: false
 volsync-target-data:
  pvcTarget: actual-data
--- a/clusters/cl01tl/helm/argo-workflows/Chart.lock
+++ b/clusters/cl01tl/helm/argo-workflows/Chart.lock
@@ -7,6 +7,6 @@ dependencies:
  version: 2.4.19
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.1.1
+  version: 6.16.1
-digest: sha256:796a0f9ae054268c9a4e2752f29004b6547e5ee41e623b8506b531f6836b7313
+digest: sha256:40a93dfcabbc5746682bac631e9a620588cf0cb6fdf79a42446a823e93a531c8
-generated: "2025-12-15T14:27:02.068848-06:00"
+generated: "2025-12-11T15:49:57.970719-06:00"
--- a/clusters/cl01tl/helm/argo-workflows/Chart.yaml
+++ b/clusters/cl01tl/helm/argo-workflows/Chart.yaml
@@ -25,7 +25,7 @@ dependencies:
    repository: https://argoproj.github.io/argo-helm
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.1.1
+    version: 6.16.1
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 appVersion: v3.7.6
--- a/clusters/cl01tl/helm/tailscale-operator/templates/service.yaml
+++ b/clusters/cl01tl/helm/tailscale-operator/templates/service.yaml
--- a/clusters/cl01tl/helm/argo-workflows/values.yaml
+++ b/clusters/cl01tl/helm/argo-workflows/values.yaml
@@ -78,10 +78,17 @@ argo-events:
 postgres-18-cluster:
  mode: recovery
  cluster:
    image:
      repository: ghcr.io/cloudnative-pg/postgresql
      tag: 18.1-standard-trixie
    storage:
      storageClass: local-path
    walStorage:
      storageClass: local-path
    monitoring:
      enabled: true
      prometheusRule:
        enabled: true
  recovery:
    method: objectStore
    objectStore:
@@ -91,6 +98,11 @@ postgres-18-cluster:
      endpointCredentials: argo-workflows-postgresql-18-cluster-backup-secret-garage
  backup:
    objectStore:
      - name: external
        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
        index: 1
        retentionPolicy: "30d"
        isWALArchiver: false
      - name: garage-local
        destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
        index: 1
@@ -99,11 +111,6 @@ postgres-18-cluster:
        endpointCredentialsIncludeRegion: true
        retentionPolicy: "3d"
        isWALArchiver: true
      # - name: external
      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
      #   index: 1
      #   retentionPolicy: "30d"
      #   isWALArchiver: false
      # - name: garage-remote
      #   destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-18-cluster
      #   index: 1
@@ -114,16 +121,16 @@ postgres-18-cluster:
      #   data:
      #     compression: bzip2
    scheduledBackups:
      - name: daily-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: external
      - name: live-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: garage-local
      # - name: daily-backup
      #   suspend: false
      #   immediate: true
      #   schedule: "0 0 0 * * *"
      #   backupName: external
      # - name: weekly-backup
      #   suspend: true
      #   immediate: true
--- a/clusters/cl01tl/helm/audiobookshelf/Chart.lock
+++ b/clusters/cl01tl/helm/audiobookshelf/Chart.lock
@@ -2,11 +2,5 @@ dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.5.0
- name: volsync-target
+digest: sha256:977ed15091e9ed30d647a626214701d22f3a8a5232a900e33f753cc7e090042f
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-05T17:02:13.674405673Z"
  version: 0.3.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.3.0
 digest: sha256:88e0d8008795451a64f3a2e4fa4fc120d48cef4badb4305e8e60afbb494352c5
 generated: "2025-12-15T18:19:02.989735-06:00"
--- a/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
@@ -19,13 +19,5 @@ dependencies:
    alias: audiobookshelf
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.5.0
  - name: volsync-target
    alias: volsync-target-config
    version: 0.3.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-metadata
    version: 0.3.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 appVersion: 2.31.0
--- a/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
@@ -19,3 +19,117 @@ spec:
        key: /cl01tl/audiobookshelf/apprise
        metadataPolicy: None
        property: ntfy-url
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: audiobookshelf-config-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-config-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-config"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: audiobookshelf-metadata-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-metadata-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-metadata"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
@@ -1,5 +1,24 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: audiobookshelf-nfs-storage-backup
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-nfs-storage-backup
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeMode: Filesystem
  storageClassName: nfs-client
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: audiobookshelf-nfs-storage
  namespace: {{ .Release.Namespace }}
--- a/clusters/cl01tl/helm/audiobookshelf/templates/replication-source.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/replication-source.yaml
@@ -0,0 +1,52 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: audiobookshelf-config-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-config-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: audiobookshelf-config
  trigger:
    schedule: 0 4 * * *
  restic:
    pruneIntervalDays: 7
    repository: audiobookshelf-config-backup-secret
    retain:
      hourly: 1
      daily: 3
      weekly: 2
      monthly: 2
      yearly: 4
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
 ---
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: audiobookshelf-metadata-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-metadata-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: audiobookshelf-metadata
  trigger:
    schedule: 0 4 * * *
  restic:
    pruneIntervalDays: 7
    repository: audiobookshelf-metadata-backup-secret
    retain:
      hourly: 1
      daily: 3
      weekly: 2
      monthly: 2
      yearly: 4
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/cl01tl/helm/audiobookshelf/values.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/values.yaml
@@ -21,7 +21,7 @@ audiobookshelf:
        apprise-api:
          image:
            repository: caronc/apprise
-            tag: 1.3.0
+            tag: 1.2.6
            pullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -59,7 +59,6 @@ audiobookshelf:
          protocol: HTTP
  persistence:
    config:
      forceRename: audiobookshelf-config
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 2Gi
@@ -70,7 +69,6 @@ audiobookshelf:
            - path: /config
              readOnly: false
    metadata:
      forceRename: audiobookshelf-metadata
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 10Gi
@@ -80,6 +78,13 @@ audiobookshelf:
          main:
            - path: /metadata
              readOnly: false
    backup:
      existingClaim: audiobookshelf-nfs-storage-backup
      advancedMounts:
        main:
          main:
            - path: /metadata/backups
              readOnly: false
    audiobooks:
      existingClaim: audiobookshelf-nfs-storage
      advancedMounts:
@@ -87,7 +92,3 @@ audiobookshelf:
          main:
            - path: /mnt/store/
              readOnly: false
 volsync-target-config:
  pvcTarget: audiobookshelf-config
 volsync-target-metadata:
  pvcTarget: audiobookshelf-metadata
--- a/clusters/cl01tl/helm/authentik/Chart.lock
+++ b/clusters/cl01tl/helm/authentik/Chart.lock
@@ -7,9 +7,6 @@ dependencies:
  version: 1.23.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.1.1
+  version: 6.16.1
- name: redis-replication
+digest: sha256:fdd5cc597cf958ca0f6f43dd403915c89c45718eff80920c2d322264dc8b09e1
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-11T16:14:14.729827-06:00"
  version: 0.5.0
 digest: sha256:e593d25ebf07b1274768045f028e1ceeccbcdc1c8e35414d6bbd9a8d09086991
 generated: "2025-12-15T14:36:33.783343-06:00"
--- a/clusters/cl01tl/helm/authentik/Chart.yaml
+++ b/clusters/cl01tl/helm/authentik/Chart.yaml
@@ -29,10 +29,7 @@ dependencies:
    version: 1.23.2
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.1.1
+    version: 6.16.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: redis-replication
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
 appVersion: 2025.10.2
--- a/clusters/cl01tl/helm/authentik/templates/redis-replication.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/redis-replication.yaml
@@ -0,0 +1,32 @@
 apiVersion: redis.redis.opstreelabs.in/v1beta2
 kind: RedisReplication
 metadata:
  name: redis-replication-authentik
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-authentik
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  clusterSize: 3
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
  kubernetesConfig:
    image: quay.io/opstree/redis:v8.4.0
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 50m
        memory: 128Mi
  storage:
    volumeClaimTemplate:
      spec:
        storageClassName: ceph-block
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
  redisExporter:
    enabled: true
    image: quay.io/opstree/redis-exporter:v1.80.1
--- a/clusters/cl01tl/helm/authentik/templates/service-monitor.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/service-monitor.yaml
@@ -0,0 +1,19 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: redis-replication-authentik
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-authentik
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
    redis-operator: "true"
    env: production
 spec:
  selector:
    matchLabels:
      redis_setup_type: replication
  endpoints:
    - port: redis-exporter
      interval: 30s
      scrapeTimeout: 10s
--- a/clusters/cl01tl/helm/authentik/values.yaml
+++ b/clusters/cl01tl/helm/authentik/values.yaml
@@ -53,10 +53,17 @@ cloudflared:
 postgres-18-cluster:
  mode: recovery
  cluster:
    image:
      repository: ghcr.io/cloudnative-pg/postgresql
      tag: 18.1-standard-trixie
    storage:
      storageClass: local-path
    walStorage:
      storageClass: local-path
    monitoring:
      enabled: true
      prometheusRule:
        enabled: true
  recovery:
    method: objectStore
    objectStore:
@@ -66,6 +73,11 @@ postgres-18-cluster:
      endpointCredentials: authentik-postgresql-18-cluster-backup-secret-garage
  backup:
    objectStore:
      - name: external
        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-18-cluster
        index: 1
        retentionPolicy: "30d"
        isWALArchiver: false
      - name: garage-local
        destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-18-cluster
        index: 1
@@ -74,11 +86,6 @@ postgres-18-cluster:
        endpointCredentialsIncludeRegion: true
        retentionPolicy: "3d"
        isWALArchiver: true
      # - name: external
      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-18-cluster
      #   index: 1
      #   retentionPolicy: "30d"
      #   isWALArchiver: false
      # - name: garage-remote
      #   destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-18-cluster
      #   index: 1
@@ -89,26 +96,18 @@ postgres-18-cluster:
      #     compression: bzip2
      #     jobs: 2
    scheduledBackups:
      - name: daily-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: external
      - name: live-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: garage-local
      # - name: daily-backup
      #   suspend: false
      #   immediate: true
      #   schedule: "0 0 0 * * *"
      #   backupName: external
      # - name: weekly-backup
      #   suspend: false
      #   immediate: true
      #   schedule: "0 0 4 * * SAT"
      #   backupName: garage-remote
 redis-replication:
  existingSecret:
    enabled: false
  redisReplication:
    clusterSize: 3
  redisSentinel:
    enabled: true
    clusterSize: 3
--- a/clusters/cl01tl/helm/backrest/Chart.lock
+++ b/clusters/cl01tl/helm/backrest/Chart.lock
@@ -2,11 +2,5 @@ dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.5.0
- name: volsync-target
+digest: sha256:6e6f20320a485b57288a6febae1b7623076059c370f88b7fbe92460fc4047db3
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-05T17:02:26.599646463Z"
  version: 0.3.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.3.0
 digest: sha256:13c950ad5cd6accd192e6768557c0df74af2cd767d2372dc38c1cdb7e1563399
 generated: "2025-12-15T18:33:59.961957-06:00"
--- a/clusters/cl01tl/helm/backrest/Chart.yaml
+++ b/clusters/cl01tl/helm/backrest/Chart.yaml
@@ -17,13 +17,5 @@ dependencies:
    alias: backrest
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.5.0
  - name: volsync-target
    alias: volsync-target-config
    version: 0.3.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-data
    version: 0.3.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
 appVersion: v1.10.1
--- a/clusters/cl01tl/helm/backrest/values.yaml
+++ b/clusters/cl01tl/helm/backrest/values.yaml
@@ -35,7 +35,6 @@ backrest:
          protocol: TCP
  persistence:
    data:
      forceRename: backrest-data
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 10Gi
@@ -46,7 +45,6 @@ backrest:
            - path: /data
              readOnly: false
    config:
      forceRename: backrest-config
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 1Gi
@@ -84,7 +82,3 @@ backrest:
          main:
            - path: /mnt/share
              readOnly: true
 volsync-target-data:
  pvcTarget: backrest-data
 volsync-target-config:
  pvcTarget: backrest-config
--- a/clusters/cl01tl/helm/bazarr/Chart.lock
+++ b/clusters/cl01tl/helm/bazarr/Chart.lock
@@ -2,8 +2,5 @@ dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.5.0
- name: volsync-target
+digest: sha256:54c88d51b4067dec5b22623957970b64092bf3f417fabb58277f6bc3e01eca20
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-05T17:02:40.843820962Z"
  version: 0.5.0
 digest: sha256:cb702f316026bdb487ace1abec56cc3c505376cf14a45528e3e593e4cc7effab
 generated: "2025-12-15T19:04:05.574701-06:00"
--- a/clusters/cl01tl/helm/bazarr/Chart.yaml
+++ b/clusters/cl01tl/helm/bazarr/Chart.yaml
@@ -19,9 +19,5 @@ dependencies:
    alias: bazarr
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.5.0
  - name: volsync-target
    alias: volsync-target-config
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
 appVersion: 1.5.3
--- a/clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
@@ -0,0 +1,55 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: bazarr-config-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: bazarr-config-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/bazarr/bazarr-config"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
--- a/clusters/cl01tl/helm/bazarr/templates/replication-source.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/replication-source.yaml
@@ -0,0 +1,30 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: bazarr-config-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: bazarr-config-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: bazarr-config
  trigger:
    schedule: 0 4 * * *
  restic:
    pruneIntervalDays: 7
    repository: bazarr-config-backup-secret
    retain:
      hourly: 1
      daily: 3
      weekly: 2
      monthly: 2
      yearly: 4
    moverSecurityContext:
      runAsUser: 1000
      runAsGroup: 1000
      fsGroup: 1000
      fsGroupChangePolicy: OnRootMismatch
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/cl01tl/helm/bazarr/values.yaml
+++ b/clusters/cl01tl/helm/bazarr/values.yaml
@@ -55,10 +55,3 @@ bazarr:
          main:
            - path: /mnt/store
              readOnly: false
 volsync-target-config:
  pvcTarget: bazarr-config
  moverSecurityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    fsGroupChangePolicy: OnRootMismatch
--- a/clusters/cl01tl/helm/blocky/Chart.lock
+++ b/clusters/cl01tl/helm/blocky/Chart.lock
@@ -2,8 +2,5 @@ dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.5.0
- name: redis-replication
+digest: sha256:b8516161886b87344848ad2b3bdafbd66da61ca8ffc5e9a5ebed462f205c9912
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-05T17:02:59.562863413Z"
  version: 0.5.0
 digest: sha256:a7840240d52d7c66aa2e542132e32907dd0c48d3051eb15190a209215cbd4dce
 generated: "2025-12-15T20:06:31.995318697Z"
--- a/clusters/cl01tl/helm/blocky/Chart.yaml
+++ b/clusters/cl01tl/helm/blocky/Chart.yaml
@@ -17,8 +17,5 @@ dependencies:
    alias: blocky
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.5.0
  - name: redis-replication
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
 appVersion: v0.28.2
--- a/clusters/cl01tl/helm/blocky/templates/redis-replication.yaml
+++ b/clusters/cl01tl/helm/blocky/templates/redis-replication.yaml
@@ -0,0 +1,32 @@
 apiVersion: redis.redis.opstreelabs.in/v1beta2
 kind: RedisReplication
 metadata:
  name: redis-replication-blocky
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-blocky
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  clusterSize: 3
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
  kubernetesConfig:
    image: quay.io/opstree/redis:v8.4.0
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 50m
        memory: 128Mi
  storage:
    volumeClaimTemplate:
      spec:
        storageClassName: ceph-block
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
  redisExporter:
    enabled: true
    image: quay.io/opstree/redis-exporter:v1.80.1
--- a/clusters/cl01tl/helm/blocky/templates/service-monitor.yaml
+++ b/clusters/cl01tl/helm/blocky/templates/service-monitor.yaml
@@ -17,3 +17,24 @@ spec:
      interval: 30s
      scrapeTimeout: 10s
      path: /metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: redis-replication-blocky
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-blocky
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
    redis-operator: "true"
    env: production
 spec:
  selector:
    matchLabels:
      redis_setup_type: replication
  endpoints:
    - port: redis-exporter
      interval: 30s
      scrapeTimeout: 10s
--- a/clusters/cl01tl/helm/blocky/values.yaml
+++ b/clusters/cl01tl/helm/blocky/values.yaml
@@ -129,10 +129,10 @@ blocky:
              huntarr                         IN      CNAME   traefik-cl01tl
              immich                          IN      CNAME   traefik-cl01tl
              jellyfin                        IN      CNAME   traefik-cl01tl
              jellyfin-vue                    IN      CNAME   traefik-cl01tl
              jellystat                       IN      CNAME   traefik-cl01tl
              kiwix                           IN      CNAME   traefik-cl01tl
              komodo                          IN      CNAME   traefik-cl01tl
              kronic                          IN      CNAME   traefik-cl01tl
              lidarr                          IN      CNAME   traefik-cl01tl
              lidatube                        IN      CNAME   traefik-cl01tl
              listenarr                       IN      CNAME   traefik-cl01tl
@@ -143,6 +143,7 @@ blocky:
              ollama                          IN      CNAME   traefik-cl01tl
              omni-tools                      IN      CNAME   traefik-cl01tl
              overseerr                       IN      CNAME   traefik-cl01tl
              pgadmin                         IN      CNAME   traefik-cl01tl
              photoview                       IN      CNAME   traefik-cl01tl
              plex                            IN      CNAME   traefik-cl01tl
              postiz                          IN      CNAME   traefik-cl01tl
@@ -301,10 +302,3 @@ blocky:
              readOnly: true
              mountPropagation: None
              subPath: config.yml
 redis-replication:
  existingSecret:
    enabled: false
  redisReplication:
    clusterSize: 3
  redisSentinel:
    enabled: false
--- a/clusters/cl01tl/helm/booklore/Chart.lock
+++ b/clusters/cl01tl/helm/booklore/Chart.lock
@@ -5,11 +5,5 @@ dependencies:
 - name: mariadb-cluster
  repository: https://helm.mariadb.com/mariadb-operator
  version: 25.10.2
- name: volsync-target
+digest: sha256:58d978bd46c61285b06acc6d9a40404d8059f2df7b953dea13c528b35350d0a8
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-05T17:03:15.7199669Z"
  version: 0.5.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.5.0
 digest: sha256:6981b2c060c19bac6517578bd9b5b11a300a4deb431110bf90da317237a4a252
 generated: "2025-12-15T19:15:49.886575-06:00"
--- a/clusters/cl01tl/helm/booklore/Chart.yaml
+++ b/clusters/cl01tl/helm/booklore/Chart.yaml
@@ -20,13 +20,5 @@ dependencies:
  - name: mariadb-cluster
    version: 25.10.2
    repository: https://helm.mariadb.com/mariadb-operator
  - name: volsync-target
    alias: volsync-target-config
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-data
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png
 appVersion: v1.13.2
--- a/clusters/cl01tl/helm/booklore/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/booklore/templates/external-secret.yaml
@@ -43,6 +43,234 @@ spec:
        metadataPolicy: None
        property: psk.txt
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: booklore-config-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: booklore-config-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-config"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /volsync/restic/digital-ocean
        metadataPolicy: None
        property: BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /volsync/restic/digital-ocean
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: AWS_ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: AWS_SECRET_ACCESS_KEY
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: booklore-data-backup-secret-local
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: booklore-data-backup-secret-local
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /volsync/restic/garage-local
        metadataPolicy: None
        property: BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /volsync/restic/garage-local
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/volsync-backups
        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/volsync-backups
        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/volsync-backups
        metadataPolicy: None
        property: ACCESS_SECRET_KEY
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: booklore-data-backup-secret-remote
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: booklore-data-backup-secret-remote
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /volsync/restic/garage-remote
        metadataPolicy: None
        property: BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /volsync/restic/garage-remote
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/volsync-backups
        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/volsync-backups
        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/volsync-backups
        metadataPolicy: None
        property: ACCESS_SECRET_KEY
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: booklore-data-backup-secret-external
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: booklore-data-backup-secret-external
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /volsync/restic/digital-ocean
        metadataPolicy: None
        property: BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /volsync/restic/digital-ocean
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: AWS_ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: AWS_SECRET_ACCESS_KEY
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
--- a/clusters/cl01tl/helm/booklore/templates/replication-source.yaml
+++ b/clusters/cl01tl/helm/booklore/templates/replication-source.yaml
@@ -15,3 +15,115 @@ spec:
    keySecret: booklore-data-replication-secret
    address: volsync-rsync-tls-dst-booklore-data-replication-destination
    copyMethod: Snapshot
 ---
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: booklore-config-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: booklore-config-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: booklore-config
  trigger:
    schedule: 0 4 * * *
  restic:
    pruneIntervalDays: 7
    repository: booklore-config-backup-secret
    retain:
      hourly: 1
      daily: 3
      weekly: 2
      monthly: 2
      yearly: 4
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
    cacheCapacity: 10Gi
 ---
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: booklore-data-backup-source-local
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: booklore-data-backup-source-local
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: booklore-data
  trigger:
    schedule: 0 2 * * *
  restic:
    pruneIntervalDays: 7
    repository: booklore-data-backup-secret-local
    retain:
      hourly: 1
      daily: 3
      weekly: 2
      monthly: 2
      yearly: 4
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
    cacheCapacity: 10Gi
 ---
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: booklore-data-backup-source-remote
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: booklore-data-backup-source-remote
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: booklore-data
  trigger:
    schedule: 0 3 * * *
  restic:
    pruneIntervalDays: 7
    repository: booklore-data-backup-secret-remote
    retain:
      hourly: 1
      daily: 3
      weekly: 2
      monthly: 2
      yearly: 4
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
    cacheCapacity: 10Gi
 ---
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: booklore-data-backup-source-external
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: booklore-data-backup-source-external
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: booklore-data
  trigger:
    schedule: 0 4 * * *
  restic:
    pruneIntervalDays: 7
    repository: booklore-data-backup-secret-external
    retain:
      hourly: 1
      daily: 3
      weekly: 2
      monthly: 2
      yearly: 4
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
    cacheCapacity: 10Gi
--- a/clusters/cl01tl/helm/booklore/values.yaml
+++ b/clusters/cl01tl/helm/booklore/values.yaml
@@ -41,7 +41,6 @@ booklore:
          protocol: HTTP
  persistence:
    config:
      forceRename: booklore-config
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 5Gi
@@ -52,7 +51,6 @@ booklore:
            - path: /app/data
              readOnly: false
    data:
      forceRename: booklore-data
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 10Gi
@@ -121,8 +119,7 @@ mariadb-cluster:
        suspend: false
        immediate: true
      compression: gzip
-      maxRetention: 2160h
+      maxRetention: 720h
      successfulJobsHistoryLimit: 1
      storage:
        s3:
          bucket: mariadb-backups-b230a2f5aecf080a4b372c08
@@ -137,28 +134,6 @@ mariadb-cluster:
            key: secret
          tls:
            enabled: true
    - name: backup-remote
      schedule:
        cron: "0 0 * * 0"
        suspend: false
        immediate: true
      compression: gzip
      maxRetention: 2160h
      successfulJobsHistoryLimit: 1
      storage:
        s3:
          bucket: mariadb-backups
          prefix: cl01tl/booklore
          endpoint: garage-ps10rp.boreal-beaufort.ts.net:3900
          region: us-east-1
          accessKeyIdSecretKeyRef:
            name: booklore-mariadb-cluster-backup-secret-garage
            key: access
          secretAccessKeySecretKeyRef:
            name: booklore-mariadb-cluster-backup-secret-garage
            key: secret
          tls:
            enabled: true
    - name: backup-garage
      schedule:
        cron: "0 0 * * *"
@@ -166,7 +141,6 @@ mariadb-cluster:
        immediate: true
      compression: gzip
      maxRetention: 360h
      successfulJobsHistoryLimit: 1
      storage:
        s3:
          bucket: mariadb-backups
@@ -179,16 +153,3 @@ mariadb-cluster:
          secretAccessKeySecretKeyRef:
            name: booklore-mariadb-cluster-backup-secret-garage
            key: secret
 volsync-target-config:
  pvcTarget: booklore-config
 volsync-target-data:
  pvcTarget: booklore-data
  local:
    restic:
      cacheCapacity: 10Gi
  remote:
    restic:
      cacheCapacity: 10Gi
  external:
    restic:
      cacheCapacity: 10Gi
--- a/clusters/cl01tl/helm/code-server/Chart.lock
+++ b/clusters/cl01tl/helm/code-server/Chart.lock
@@ -5,8 +5,5 @@ dependencies:
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 1.23.2
- name: volsync-target
+digest: sha256:3cf78630cd7670e1157a87fc7ccbeca248ef4ced8a3170e69140ea3e1b0ff564
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-07T02:54:11.675097664Z"
  version: 0.5.0
 digest: sha256:bd1cbd66ccb360978a342ee218bfb01006a486fb85c5714acd593b9e1389b151
 generated: "2025-12-15T21:50:58.968382-06:00"
--- a/clusters/cl01tl/helm/code-server/Chart.yaml
+++ b/clusters/cl01tl/helm/code-server/Chart.yaml
@@ -24,9 +24,5 @@ dependencies:
    alias: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
    version: 1.23.2
  - name: volsync-target
    alias: volsync-target-config
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
 appVersion: 4.106.3
--- a/clusters/cl01tl/helm/code-server/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/code-server/templates/persistent-volume-claim.yaml
@@ -0,0 +1,17 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: code-server-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: code-server-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeMode: Filesystem
  storageClassName: nfs-client
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/clusters/cl01tl/helm/code-server/values.yaml
+++ b/clusters/cl01tl/helm/code-server/values.yaml
@@ -9,7 +9,7 @@ code-server:
        main:
          image:
            repository: ghcr.io/linuxserver/code-server
-            tag: 4.106.3@sha256:83793e4460090d6c46f4842ff6ab8aa26ad8a567885112bbe754b45c61935055
+            tag: 4.106.3@sha256:aab9520fe923b2d93dccc2c806f3dc60649c2f4a2847fcd40c942227d0f1ae8f
            pullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -37,11 +37,7 @@ code-server:
          protocol: HTTP
  persistence:
    config:
-      forceRename: code-server-config
+      existingClaim: code-server-nfs-storage
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 2Gi
      retain: true
      advancedMounts:
        main:
          main:
@@ -49,10 +45,3 @@ code-server:
              readOnly: false
 cloudflared:
  existingSecretName: code-server-cloudflared-secret
 volsync-target-config:
  pvcTarget: code-server-config
  moverSecurityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    fsGroupChangePolicy: OnRootMismatch
--- a/clusters/cl01tl/helm/directus/Chart.lock
+++ b/clusters/cl01tl/helm/directus/Chart.lock
@@ -7,9 +7,6 @@ dependencies:
  version: 1.23.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.1.1
+  version: 6.16.1
- name: redis-replication
+digest: sha256:636b200b79efdd6ea36afdf29a5e85f3741b362dfcbf2af47c7aff9e55f02812
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-11T16:47:16.317535-06:00"
  version: 0.5.0
 digest: sha256:1035fe225f5439c73fdc8b498c2164bad362e0198bc2ad40eab6b5d0bae9f86d
 generated: "2025-12-15T14:37:45.474556-06:00"
--- a/clusters/cl01tl/helm/directus/Chart.yaml
+++ b/clusters/cl01tl/helm/directus/Chart.yaml
@@ -27,10 +27,7 @@ dependencies:
    version: 1.23.2
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.1.1
+    version: 6.16.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: redis-replication
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 appVersion: 11.14.0
--- a/clusters/cl01tl/helm/directus/templates/redis-replication.yaml
+++ b/clusters/cl01tl/helm/directus/templates/redis-replication.yaml
@@ -0,0 +1,35 @@
 apiVersion: redis.redis.opstreelabs.in/v1beta2
 kind: RedisReplication
 metadata:
  name: redis-replication-directus
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-directus
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  clusterSize: 3
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
  kubernetesConfig:
    image: quay.io/opstree/redis:v8.4.0
    imagePullPolicy: IfNotPresent
    redisSecret:
      name: directus-redis-config
      key: password
    resources:
      requests:
        cpu: 50m
        memory: 128Mi
  storage:
    volumeClaimTemplate:
      spec:
        storageClassName: ceph-block
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
  redisExporter:
    enabled: true
    image: quay.io/opstree/redis-exporter:v1.80.1
--- a/clusters/cl01tl/helm/directus/templates/redis-sentinel.yaml
+++ b/clusters/cl01tl/helm/directus/templates/redis-sentinel.yaml
@@ -0,0 +1,30 @@
 apiVersion: redis.redis.opstreelabs.in/v1beta2
 kind: RedisSentinel
 metadata:
  name: redis-sentinel-directus
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-sentinel-directus
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  clusterSize: 3
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
  redisSentinelConfig:
    redisReplicationName: redis-replication-directus
    redisReplicationPassword:
      secretKeyRef:
        name: directus-redis-config
        key: password
  kubernetesConfig:
    image: quay.io/opstree/redis-sentinel:v8.4.0
    imagePullPolicy: IfNotPresent
    redisSecret:
      name: directus-redis-config
      key: password
    resources:
      requests:
        cpu: 10m
        memory: 128Mi
--- a/clusters/cl01tl/helm/directus/templates/service-monitor.yaml
+++ b/clusters/cl01tl/helm/directus/templates/service-monitor.yaml
@@ -20,3 +20,24 @@ spec:
      bearerTokenSecret:
        name: directus-metric-token
        key: metric-token
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: redis-replication-directus
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-directus
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
    redis-operator: "true"
    env: production
 spec:
  selector:
    matchLabels:
      redis_setup_type: replication
  endpoints:
    - port: redis-exporter
      interval: 30s
      scrapeTimeout: 10s
--- a/clusters/cl01tl/helm/directus/values.yaml
+++ b/clusters/cl01tl/helm/directus/values.yaml
@@ -159,10 +159,17 @@ cloudflared-directus:
 postgres-18-cluster:
  mode: recovery
  cluster:
    image:
      repository: ghcr.io/cloudnative-pg/postgresql
      tag: 18.1-standard-trixie
    storage:
      storageClass: local-path
    walStorage:
      storageClass: local-path
    monitoring:
      enabled: true
      prometheusRule:
        enabled: true
  recovery:
    method: objectStore
    objectStore:
@@ -172,6 +179,11 @@ postgres-18-cluster:
      endpointCredentials: directus-postgresql-18-cluster-backup-secret-garage
  backup:
    objectStore:
      - name: external
        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/directus/directus-postgresql-18-cluster
        index: 1
        retentionPolicy: "30d"
        isWALArchiver: false
      - name: garage-local
        destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-18-cluster
        index: 1
@@ -180,11 +192,6 @@ postgres-18-cluster:
        endpointCredentialsIncludeRegion: true
        retentionPolicy: "3d"
        isWALArchiver: true
      # - name: external
      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/directus/directus-postgresql-18-cluster
      #   index: 1
      #   retentionPolicy: "30d"
      #   isWALArchiver: false
      # - name: garage-remote
      #   destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-18-cluster
      #   index: 1
@@ -195,28 +202,18 @@ postgres-18-cluster:
      #     compression: bzip2
      #     jobs: 2
    scheduledBackups:
      - name: daily-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: external
      - name: live-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: garage-local
      # - name: daily-backup
      #   suspend: false
      #   immediate: true
      #   schedule: "0 0 0 * * *"
      #   backupName: external
      # - name: weekly-backup
      #   suspend: false
      #   immediate: true
      #   schedule: "0 0 4 * * SAT"
      #   backupName: garage-remote
 redis-replication:
  existingSecret:
    enabled: true
    name: directus-redis-config
    key: password
  redisReplication:
    clusterSize: 3
  redisSentinel:
    enabled: true
    clusterSize: 3
--- a/clusters/cl01tl/helm/ephemera/Chart.lock
+++ b/clusters/cl01tl/helm/ephemera/Chart.lock
@@ -2,8 +2,5 @@ dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.5.0
- name: volsync-target
+digest: sha256:b08b2d3923734ba8844754727803a4b4e1de2ad418c3f755ccd64927266c1b5c
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-05T17:04:04.30013278Z"
  version: 0.3.0
 digest: sha256:476021b852fbbd829570bcb88309eea92bd096cb4ec79efe2d895ee0c46f1c49
 generated: "2025-12-15T21:43:24.262051-06:00"
--- a/clusters/cl01tl/helm/ephemera/Chart.yaml
+++ b/clusters/cl01tl/helm/ephemera/Chart.yaml
@@ -19,9 +19,5 @@ dependencies:
    alias: ephemera
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.5.0
  - name: volsync-target
    alias: volsync-target-config
    version: 0.3.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ephemera.png
 appVersion: 1.3.1
--- a/clusters/cl01tl/helm/ephemera/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/ephemera/templates/external-secret.yaml
@@ -42,3 +42,60 @@ spec:
        key: /cl01tl/ephemera/config
        metadataPolicy: None
        property: ntfy-url
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: ephemera-config-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: ephemera-config-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/ephemera/ephemera-config"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
--- a/clusters/cl01tl/helm/ephemera/templates/replication-source.yaml
+++ b/clusters/cl01tl/helm/ephemera/templates/replication-source.yaml
@@ -0,0 +1,26 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: ephemera-config-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: ephemera-config-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: ephemera
  trigger:
    schedule: 0 4 * * *
  restic:
    pruneIntervalDays: 7
    repository: ephemera-config-backup-secret
    retain:
      hourly: 1
      daily: 3
      weekly: 2
      monthly: 2
      yearly: 4
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
    cacheCapacity: 10Gi
--- a/clusters/cl01tl/helm/ephemera/values.yaml
+++ b/clusters/cl01tl/helm/ephemera/values.yaml
@@ -52,7 +52,7 @@ ephemera:
        apprise-api:
          image:
            repository: caronc/apprise
-            tag: 1.3.0
+            tag: 1.2.6
            pullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -82,7 +82,6 @@ ephemera:
          protocol: HTTP
  persistence:
    config:
      forceRename: ephemera
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 5Gi
@@ -106,5 +105,3 @@ ephemera:
          main:
            - path: /app/ingest
              readOnly: false
 volsync-target-config:
  pvcTarget: ephemera
--- a/clusters/cl01tl/helm/freshrss/Chart.lock
+++ b/clusters/cl01tl/helm/freshrss/Chart.lock
@@ -7,9 +7,6 @@ dependencies:
  version: 1.23.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.1.1
+  version: 6.16.1
- name: volsync-target
+digest: sha256:dc8829a1f2cea88033bfda5d412dee8124154e26bfbe9e1bd67b8bb351ad7904
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-11T17:07:50.35548-06:00"
  version: 0.5.0
 digest: sha256:80a27ffb18fd1a635f16e70b90c2395f2de300ed50d072a8b87353f1ec3304cb
 generated: "2025-12-15T21:47:10.578165-06:00"
--- a/clusters/cl01tl/helm/freshrss/Chart.yaml
+++ b/clusters/cl01tl/helm/freshrss/Chart.yaml
@@ -27,11 +27,7 @@ dependencies:
    version: 1.23.2
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.1.1
+    version: 6.16.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-data
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/freshrss.png
 appVersion: 1.27.1
--- a/clusters/cl01tl/helm/freshrss/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/freshrss/templates/external-secret.yaml
@@ -94,6 +94,63 @@ spec:
        metadataPolicy: None
        property: token
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: freshrss-data-backup-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: freshrss-data-backup-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/freshrss/freshrss-data"
  data:
    - secretKey: BUCKET_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: S3_BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /cl01tl/volsync/restic/config
        metadataPolicy: None
        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: access_key
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/volsync-backups
        metadataPolicy: None
        property: secret_key
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
--- a/clusters/cl01tl/helm/freshrss/templates/replication-source.yaml
+++ b/clusters/cl01tl/helm/freshrss/templates/replication-source.yaml
@@ -0,0 +1,35 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: freshrss-data-backup-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: freshrss-data-backup-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: freshrss-data
  trigger:
    schedule: 0 4 * * *
  restic:
    pruneIntervalDays: 7
    repository: freshrss-data-backup-secret
    retain:
      hourly: 1
      daily: 3
      weekly: 2
      monthly: 2
      yearly: 4
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
      fsGroupChangePolicy: OnRootMismatch
      supplementalGroups:
        - 44
        - 100
        - 109
        - 65539
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/cl01tl/helm/freshrss/values.yaml
+++ b/clusters/cl01tl/helm/freshrss/values.yaml
@@ -163,7 +163,6 @@ freshrss:
          protocol: HTTP
  persistence:
    data:
      forceRename: freshrss-data
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 5Gi
@@ -197,10 +196,17 @@ cloudflared:
 postgres-18-cluster:
  mode: recovery
  cluster:
    image:
      repository: ghcr.io/cloudnative-pg/postgresql
      tag: 18.1-standard-trixie
    storage:
      storageClass: local-path
    walStorage:
      storageClass: local-path
    monitoring:
      enabled: true
      prometheusRule:
        enabled: true
  recovery:
    method: objectStore
    objectStore:
@@ -210,6 +216,11 @@ postgres-18-cluster:
      endpointCredentials: freshrss-postgresql-18-cluster-backup-secret-garage
  backup:
    objectStore:
      - name: external
        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/freshrss/freshrss-postgresql-18-cluster
        index: 1
        retentionPolicy: "30d"
        isWALArchiver: false
      - name: garage-local
        destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-18-cluster
        index: 1
@@ -218,11 +229,6 @@ postgres-18-cluster:
        endpointCredentialsIncludeRegion: true
        retentionPolicy: "3d"
        isWALArchiver: true
      # - name: external
      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/freshrss/freshrss-postgresql-18-cluster
      #   index: 1
      #   retentionPolicy: "30d"
      #   isWALArchiver: false
      # - name: garage-remote
      #   destinationPath: s3://postgres-backups/cl01tl/freshrss/freshrss-postgresql-18-cluster
      #   index: 1
@@ -233,30 +239,18 @@ postgres-18-cluster:
      #     compression: bzip2
      #     jobs: 2
    scheduledBackups:
      - name: daily-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: external
      - name: live-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: garage-local
-      # - name: daily-backup
+      # - name: weekly-backup
      #   suspend: false
      #   immediate: true
-      #   schedule: "0 0 0 * * *"
+      #   schedule: "0 2 4 * * SAT"
      #   backupName: external
      # - name: weekly-backup
      #   suspend: true
      #   immediate: true
      #   schedule: "0 0 4 * * SAT"
      #   backupName: garage-remote
 volsync-target-data:
  pvcTarget: freshrss-data
  moverSecurityContext:
    runAsUser: 568
    runAsGroup: 568
    fsGroup: 568
    fsGroupChangePolicy: OnRootMismatch
    supplementalGroups:
      - 44
      - 100
      - 109
      - 65539
--- a/clusters/cl01tl/helm/garage/Chart.lock
+++ b/clusters/cl01tl/helm/garage/Chart.lock
@@ -2,8 +2,5 @@ dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.5.0
- name: volsync-target
+digest: sha256:36e920ce6efee3b33b40641652f814c888ae3c50272895ef286fb8236a010924
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-05T17:04:29.153093714Z"
  version: 0.5.0
 digest: sha256:3d3469c5177b9501cbb34a5faf376fbe4d9b98bd033ad51ee51487a1c2f28d4e
 generated: "2025-12-15T22:10:00.495878-06:00"
--- a/clusters/cl01tl/helm/garage/Chart.yaml
+++ b/clusters/cl01tl/helm/garage/Chart.yaml
@@ -18,9 +18,5 @@ dependencies:
    alias: garage
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.5.0
  - name: volsync-target
    alias: volsync-target-db
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 appVersion: v2.1.0
--- a/clusters/cl01tl/helm/garage/values.yaml
+++ b/clusters/cl01tl/helm/garage/values.yaml
@@ -123,10 +123,9 @@ garage:
              mountPropagation: None
              subPath: garage.toml
    db:
      forceRename: garage-db
      storageClass: ceph-block
      accessMode: ReadWriteOnce
-      size: 50Gi
+      size: 10Gi
      retain: true
      advancedMounts:
        main:
@@ -153,12 +152,3 @@ garage:
          main:
            - path: /var/lib/garage/snapshots
              readOnly: false
 volsync-target-db:
  pvcTarget: garage-db
  local:
    enabled: false
  remote:
    restic:
      cacheCapacity: 10Gi
  external:
    enabled: false
--- a/clusters/cl01tl/helm/gatus/Chart.lock
+++ b/clusters/cl01tl/helm/gatus/Chart.lock
@@ -4,9 +4,6 @@ dependencies:
  version: 1.4.4
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.1.1
+  version: 6.16.1
- name: volsync-target
+digest: sha256:11d46f37e9f98a5562239e1b827a4caccc0ca14dc738681465e27ef5c5edd6d0
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-11T17:23:01.072262-06:00"
  version: 0.5.0
 digest: sha256:367bfee3e6811bfd4591cf76f09a419f312007d797b83311e76c8d01318e73fe
 generated: "2025-12-15T22:11:48.014486-06:00"
--- a/clusters/cl01tl/helm/gatus/Chart.yaml
+++ b/clusters/cl01tl/helm/gatus/Chart.yaml
@@ -22,11 +22,7 @@ dependencies:
    version: 1.4.4
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.1.1
+    version: 6.16.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-data
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/gatus.png
 appVersion: v5.33.0
--- a/clusters/cl01tl/helm/gatus/values.yaml
+++ b/clusters/cl01tl/helm/gatus/values.yaml
@@ -122,9 +122,6 @@ gatus:
      - name: jellyfin
        url: https://jellyfin.alexlebens.net
        <<: *defaults
      - name: jellyfin-vue
        url: https://jellyfin-vue.alexlebens.net
        <<: *defaults
      - name: overseerr
        url: https://overseerr.alexlebens.net
        <<: *defaults
@@ -185,6 +182,11 @@ gatus:
      - name: n8n
        url: https://n8n.alexlebens.net
        <<: *defaults
      - name: kronic
        url: https://kronic.alexlebens.net
        <<: *defaults
        conditions:
          - "[STATUS] == 401"
      - name: omni-tools
        url: https://omni-tools.alexlebens.net
        <<: *defaults
@@ -257,6 +259,9 @@ gatus:
      - name: garage
        url: https://garage-webui.alexlebens.net
        <<: *defaults
      - name: pgadmin
        url: https://pgadmin.alexlebens.net
        <<: *defaults
      - name: whodb
        url: https://whodb.alexlebens.net
        <<: *defaults
@@ -376,10 +381,17 @@ gatus:
 postgres-18-cluster:
  mode: recovery
  cluster:
    image:
      repository: ghcr.io/cloudnative-pg/postgresql
      tag: 18.1-standard-trixie
    storage:
      storageClass: local-path
    walStorage:
      storageClass: local-path
    monitoring:
      enabled: true
      prometheusRule:
        enabled: true
  recovery:
    method: objectStore
    objectStore:
@@ -389,19 +401,19 @@ postgres-18-cluster:
      endpointCredentials: gatus-postgresql-18-cluster-backup-secret-garage
  backup:
    objectStore:
      - name: external
        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gatus/gatus-postgresql-18-cluster
        index: 2
        retentionPolicy: "30d"
        isWALArchiver: false
      - name: garage-local
        destinationPath: s3://postgres-backups/cl01tl/gatus/gatus-postgresql-18-cluster
        index: 1
        endpointURL: http://garage-main.garage:3900
-        endpointCredentials: gatus-postgresql-18-cluster-backup-secret-garage
+        endpointCredentials: gatus-postgresql-17-cluster-backup-secret-garage
        endpointCredentialsIncludeRegion: true
        retentionPolicy: "3d"
        isWALArchiver: true
      # - name: external
      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gatus/gatus-postgresql-18-cluster
      #   index: 1
      #   retentionPolicy: "30d"
      #   isWALArchiver: false
      # - name: garage-remote
      #   destinationPath: s3://postgres-backups/cl01tl/gatus/gatus-postgresql-18-cluster
      #   index: 1
@@ -412,20 +424,18 @@ postgres-18-cluster:
      #     compression: bzip2
      #     jobs: 2
    scheduledBackups:
      - name: daily-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: external
      - name: live-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: garage-local
      # - name: daily-backup
      #   suspend: false
      #   immediate: true
      #   schedule: "0 0 0 * * *"
      #   backupName: external
      # - name: weekly-backup
-      #   suspend: true
+      #   suspend: false
      #   immediate: true
      #   schedule: "0 0 4 * * SAT"
      #   backupName: garage-remote
 volsync-target-data:
  pvcTarget: gatus
--- a/clusters/cl01tl/helm/generic-device-plugin/Chart.lock
+++ b/clusters/cl01tl/helm/generic-device-plugin/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: generic-device-plugin
  repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-  version: 0.20.8
+  version: 0.20.5
-digest: sha256:166bd29d6e7c70d6a5ffae32b6a140535bc08211140b40cadd93596aa8f4be5f
+digest: sha256:329b2d00301ab1467a8654dd92febfd7078db121c00c0960548010c01dee66b6
-generated: "2025-12-16T18:01:57.978660845Z"
+generated: "2025-12-08T03:02:06.697075532Z"
--- a/clusters/cl01tl/helm/generic-device-plugin/Chart.yaml
+++ b/clusters/cl01tl/helm/generic-device-plugin/Chart.yaml
@@ -15,6 +15,6 @@ maintainers:
 dependencies:
  - name: generic-device-plugin
    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-    version: 0.20.8
+    version: 0.20.5
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 appVersion: 1.0.0
--- a/clusters/cl01tl/helm/gitea/Chart.lock
+++ b/clusters/cl01tl/helm/gitea/Chart.lock
@@ -5,20 +5,17 @@ dependencies:
 - name: gitea-actions
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.2.1
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.5.0
 - name: meilisearch
  repository: https://meilisearch.github.io/meilisearch-kubernetes
-  version: 0.18.0
+  version: 0.17.2
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 1.23.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.1.1
+  version: 6.16.1
- name: redis-replication
+digest: sha256:ecb6e0283b564f37b5d60bb64860b71c3b68acc2835364c0488fd7a9e932b941
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-11T17:38:49.087683-06:00"
  version: 0.5.0
 - name: redis-replication
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.5.0
 digest: sha256:6ba40bb2558ce298d05c6330d3eb34a6beae2b22f9c100649d6bba11efc5092d
 generated: "2025-12-15T23:46:50.99338-06:00"
--- a/clusters/cl01tl/helm/gitea/Chart.yaml
+++ b/clusters/cl01tl/helm/gitea/Chart.yaml
@@ -31,8 +31,12 @@ dependencies:
  - name: gitea-actions
    repository: oci://harbor.alexlebens.net/helm-charts
    version: 0.2.1
  - name: app-template
    alias: backup
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.5.0
  - name: meilisearch
-    version: 0.18.0
+    version: 0.17.2
    repository: https://meilisearch.github.io/meilisearch-kubernetes
  - name: cloudflared
    alias: cloudflared
@@ -40,19 +44,7 @@ dependencies:
    version: 1.23.2
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.1.1
+    version: 6.16.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: redis-replication
    alias: redis-replication-gitea
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: redis-replication
    alias: redis-replication-renovate
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
  # - name: volsync-target
  #   alias: volsync-target-storage
  #   version: 0.5.0
  #   repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/gitea.png
 appVersion: 1.25.2
--- a/clusters/cl01tl/helm/gitea/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/external-secret.yaml
@@ -168,6 +168,36 @@ spec:
        metadataPolicy: None
        property: id_rsa.pub
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: gitea-s3cmd-config
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: gitea-s3cmd-config
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: .s3cfg
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/gitea-backup
        metadataPolicy: None
        property: s3cfg
    - secretKey: BUCKET
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /digital-ocean/home-infra/gitea-backup
        metadataPolicy: None
        property: BUCKET
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
--- a/clusters/cl01tl/helm/gitea/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/persistent-volume-claim.yaml
@@ -1,5 +1,24 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: gitea-nfs-storage-backup
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: gitea-nfs-storage-backup
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeMode: Filesystem
  storageClassName: nfs-client
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: gitea-themes-storage
  namespace: {{ .Release.Namespace }}
@@ -9,9 +28,9 @@ metadata:
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeMode: Filesystem
-  storageClassName: ceph-filesystem
+  storageClassName: nfs-client
  accessModes:
-    - ReadWriteMany
+    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/clusters/cl01tl/helm/gitea/templates/redis-replication.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/redis-replication.yaml
@@ -0,0 +1,66 @@
 apiVersion: redis.redis.opstreelabs.in/v1beta2
 kind: RedisReplication
 metadata:
  name: redis-replication-gitea
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-gitea
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  clusterSize: 3
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
  kubernetesConfig:
    image: quay.io/opstree/redis:v8.4.0
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 50m
        memory: 128Mi
  storage:
    volumeClaimTemplate:
      spec:
        storageClassName: ceph-block
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
  redisExporter:
    enabled: true
    image: quay.io/opstree/redis-exporter:v1.80.1
 ---
 apiVersion: redis.redis.opstreelabs.in/v1beta2
 kind: RedisReplication
 metadata:
  name: redis-replication-renovate
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-renovate
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  clusterSize: 3
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
  kubernetesConfig:
    image: quay.io/opstree/redis:v8.4.0
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 50m
        memory: 128Mi
  storage:
    volumeClaimTemplate:
      spec:
        storageClassName: ceph-block
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
  redisExporter:
    enabled: true
    image: quay.io/opstree/redis-exporter:v1.80.1
--- a/clusters/cl01tl/helm/gitea/templates/redis-sentinel.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/redis-sentinel.yaml
@@ -0,0 +1,23 @@
 apiVersion: redis.redis.opstreelabs.in/v1beta2
 kind: RedisSentinel
 metadata:
  name: redis-sentinel-gitea
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-sentinel-gitea
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  clusterSize: 3
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
  redisSentinelConfig:
    redisReplicationName: redis-replication-gitea
  kubernetesConfig:
    image: quay.io/opstree/redis-sentinel:v8.4.0
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 10m
        memory: 128Mi
--- a/clusters/cl01tl/helm/gitea/templates/role-binding.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/role-binding.yaml
@@ -0,0 +1,17 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: gitea-backup
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: gitea-backup
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gitea-backup
 subjects:
  - kind: ServiceAccount
    name: gitea-backup
    namespace: {{ .Release.Namespace }}
--- a/clusters/cl01tl/helm/gitea/templates/role.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/role.yaml
@@ -0,0 +1,25 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: gitea-backup
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: gitea-backup
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
    verbs:
      - create
      - list
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
--- a/clusters/cl01tl/helm/gitea/templates/service-monitor.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/service-monitor.yaml
@@ -14,3 +14,24 @@ spec:
      app.kubernetes.io/instance: {{ .Release.Name }}
  endpoints:
    - port: http
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: redis-replication-gitea
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-gitea
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
    redis-operator: "true"
    env: production
 spec:
  selector:
    matchLabels:
      redis_setup_type: replication
  endpoints:
    - port: redis-exporter
      interval: 30s
      scrapeTimeout: 10s
--- a/clusters/cl01tl/helm/gitea/values.yaml
+++ b/clusters/cl01tl/helm/gitea/values.yaml
@@ -171,6 +171,135 @@ gitea-actions:
  existingSecret: gitea-runner-secret
  existingSecretKey: token
  giteaRootURL: http://gitea-http.gitea:3000
 backup:
  global:
    fullnameOverride: gitea-backup
    labels:
      app.kubernetes.io/instance: gitea-backup
      app.kubernetes.io/name: gitea-backup
  controllers:
    backup:
      type: cronjob
      cronjob:
        suspend: false
        concurrencyPolicy: Forbid
        timeZone: US/Central
        schedule: 0 4 */2 * *
        startingDeadlineSeconds: 90
        successfulJobsHistory: 3
        failedJobsHistory: 3
        backoffLimit: 3
        parallelism: 1
      serviceAccount:
        name: gitea-backup
      pod:
        automountServiceAccountToken: true
        labels:
          app.kubernetes.io/instance: gitea-backup
          app.kubernetes.io/name: gitea-backup
      initContainers:
        backup:
          image:
            repository: bitnami/kubectl
            tag: latest
            pullPolicy: IfNotPresent
          command:
            - sh
          args:
            - -ec
            - |
              kubectl exec -it deploy/gitea -n gitea -- rm -f /opt/backup/gitea-backup.zip;
              kubectl exec -it deploy/gitea -n gitea -- /app/gitea/gitea dump -c /data/gitea/conf/app.ini --file /opt/backup/gitea-backup.zip;
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
      containers:
        s3-backup:
          image:
            repository: d3fk/s3cmd
            tag: latest@sha256:a4ef406e37628ee56e608b1567aeb0345e51142f56741b715322111be3b6ebcc
            pullPolicy: IfNotPresent
          command:
            - /bin/sh
          args:
            - -ec
            - |
              echo ">> Running S3 backup for Gitea"
              s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/gitea-backup.zip ${BUCKET}/cl01tl/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
              mv /opt/backup/gitea-backup.zip /opt/backup/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
              echo ">> Completed S3 backup for Gitea"
          env:
            - name: BUCKET
              valueFrom:
                secretKeyRef:
                  name: gitea-s3cmd-config
                  key: BUCKET
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
        s3-prune:
          image:
            repository: d3fk/s3cmd
            tag: latest@sha256:a4ef406e37628ee56e608b1567aeb0345e51142f56741b715322111be3b6ebcc
            pullPolicy: IfNotPresent
          command:
            - /bin/sh
          args:
            - -ec
            - |
              export DATE_RANGE=$(date -d @$(( $(date +%s) - 604800 )) +%Y%m%d);
              export FILE_MATCH="$BUCKET/cl01tl/gitea-backup-$DATE_RANGE-09-00.zip"
              echo ">> Running S3 prune for Gitea backup repository"
              echo ">> Backups prior to '$DATE_RANGE' will be removed"
              echo ">> Backups to be removed:"
              s3cmd ls ${BUCKET}/cl01tl/ |
                awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}'
              echo ">> Deleting ..."
              s3cmd ls ${BUCKET}/cl01tl/ |
                awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}' |
                while read file; do
                  s3cmd del "$file";
                done;
              echo ">> Completed S3 prune for Gitea backup repository"
          env:
            - name: BUCKET
              valueFrom:
                secretKeyRef:
                  name: gitea-s3cmd-config
                  key: BUCKET
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
  serviceAccount:
    gitea-backup:
      enabled: true
  persistence:
    config:
      existingClaim: gitea-nfs-storage-backup
      advancedMounts:
        backup:
          s3-backup:
            - path: /opt/backup
              readOnly: false
    s3cmd-config:
      enabled: true
      type: secret
      name: gitea-s3cmd-config
      advancedMounts:
        backup:
          s3-backup:
            - path: /root/.s3cfg
              readOnly: true
              mountPropagation: None
              subPath: .s3cfg
          s3-prune:
            - path: /root/.s3cfg
              readOnly: true
              mountPropagation: None
              subPath: .s3cfg
 meilisearch:
  environment:
    MEILI_NO_ANALYTICS: true
@@ -196,10 +325,17 @@ cloudflared:
 postgres-18-cluster:
  mode: recovery
  cluster:
    image:
      repository: ghcr.io/cloudnative-pg/postgresql
      tag: 18.1-standard-trixie
    storage:
      storageClass: local-path
    walStorage:
      storageClass: local-path
    monitoring:
      enabled: true
      prometheusRule:
        enabled: true
    resources:
      requests:
        memory: 1Gi
@@ -213,6 +349,11 @@ postgres-18-cluster:
      endpointCredentials: gitea-postgresql-18-cluster-backup-secret-garage
  backup:
    objectStore:
      - name: external
        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-18-cluster
        index: 1
        retentionPolicy: "30d"
        isWALArchiver: false
      - name: garage-local
        destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-18-cluster
        index: 1
@@ -221,11 +362,6 @@ postgres-18-cluster:
        endpointCredentialsIncludeRegion: true
        retentionPolicy: "3d"
        isWALArchiver: true
      # - name: external
      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-18-cluster
      #   index: 1
      #   retentionPolicy: "30d"
      #   isWALArchiver: false
      # - name: garage-remote
      #   destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-18-cluster
      #   index: 1
@@ -236,66 +372,18 @@ postgres-18-cluster:
      #     compression: bzip2
      #     jobs: 2
    scheduledBackups:
      - name: daily-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: external
      - name: live-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: garage-local
      # - name: daily-backup
      #   suspend: false
      #   immediate: true
      #   schedule: "0 0 0 * * *"
      #   backupName: external
      # - name: weekly-backup
-      #   suspend: true
+      #   suspend: false
      #   immediate: true
      #   schedule: "0 0 4 * * SAT"
      #   backupName: garage-remote
 redis-replication-gitea:
  replicationNameOverride: redis-replication-gitea
  sentinelNameOverride: redis-sentinel-gitea
  existingSecret:
    enabled: false
  redisReplication:
    clusterSize: 3
    resources:
      requests:
        cpu: 20m
        memory: 400Mi
    volumeClaimTemplate:
      spec:
        resources:
          requests:
            storage: 10Gi
  redisSentinel:
    enabled: true
    clusterSize: 3
 redis-replication-renovate:
  replicationNameOverride: redis-replication-renovate
  existingSecret:
    enabled: false
  redisReplication:
    clusterSize: 1
  redisSentinel:
    enabled: false
 volsync-target-storage:
  pvcTarget: gitea-shared-storage
  local:
    enabled: true
    schedule: 0 0 0 * * *
    restic:
      pruneIntervalDays: 3
      retain:
        hourly: 1
        daily: 1
        weekly: 3
        monthly: 0
        yearly: 0
      copyMethod: Snapshot
      storageClassName: ceph-filesystem
      volumeSnapshotClassName: ceph-filesystem
      cacheCapacity: 40Gi
  external:
    enabled: false
  remote:
    enabled: false
--- a/clusters/cl01tl/helm/grafana-operator/Chart.lock
+++ b/clusters/cl01tl/helm/grafana-operator/Chart.lock
@@ -4,12 +4,6 @@ dependencies:
  version: v5.20.0
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.1.1
+  version: 6.16.1
- name: redis-replication
+digest: sha256:9640766b4a15b50a759edbc8a2aad816f9240be72bf06364acb387464245d51a
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-11T19:19:12.375716-06:00"
  version: 0.5.0
 - name: redis-replication
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.5.0
 digest: sha256:7089382a69a87a15afef83277e5b59a59b192a734c402384a61e4c65319f4891
 generated: "2025-12-15T15:30:54.939003-06:00"
--- a/clusters/cl01tl/helm/grafana-operator/Chart.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/Chart.yaml
@@ -21,15 +21,7 @@ dependencies:
    repository: https://grafana.github.io/helm-charts
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.1.1
+    version: 6.16.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: redis-replication
    alias: redis-replication-unified-alerting
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: redis-replication
    alias: redis-replication-remote-cache
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/grafana.png
 appVersion: v5.20.0
--- a/clusters/cl01tl/helm/grafana-operator/templates/redis-replication.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/templates/redis-replication.yaml
@@ -0,0 +1,66 @@
 apiVersion: redis.redis.opstreelabs.in/v1beta2
 kind: RedisReplication
 metadata:
  name: redis-replication-unified-alerting
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-unified-alerting
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  clusterSize: 3
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
  kubernetesConfig:
    image: quay.io/opstree/redis:v8.4.0
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 50m
        memory: 128Mi
  storage:
    volumeClaimTemplate:
      spec:
        storageClassName: ceph-block
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
  redisExporter:
    enabled: true
    image: quay.io/opstree/redis-exporter:v1.80.1
 ---
 apiVersion: redis.redis.opstreelabs.in/v1beta2
 kind: RedisReplication
 metadata:
  name: redis-replication-remote-cache
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-remote-cache
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  clusterSize: 3
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
  kubernetesConfig:
    image: quay.io/opstree/redis:v8.4.0
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 50m
        memory: 128Mi
  storage:
    volumeClaimTemplate:
      spec:
        storageClassName: ceph-block
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
  redisExporter:
    enabled: true
    image: quay.io/opstree/redis-exporter:v1.80.1
--- a/clusters/cl01tl/helm/grafana-operator/templates/service-monitor.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/templates/service-monitor.yaml
@@ -0,0 +1,19 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: redis-replication-grafana-operator
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-grafana-operator
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
    redis-operator: "true"
    env: production
 spec:
  selector:
    matchLabels:
      redis_setup_type: replication
  endpoints:
    - port: redis-exporter
      interval: 30s
      scrapeTimeout: 10s
--- a/clusters/cl01tl/helm/grafana-operator/values.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/values.yaml
@@ -15,10 +15,17 @@ grafana-operator:
 postgres-18-cluster:
  mode: recovery
  cluster:
    image:
      repository: ghcr.io/cloudnative-pg/postgresql
      tag: 18.1-standard-trixie
    storage:
      storageClass: local-path
    walStorage:
      storageClass: local-path
    monitoring:
      enabled: true
      prometheusRule:
        enabled: true
  recovery:
    method: objectStore
    objectStore:
@@ -28,6 +35,11 @@ postgres-18-cluster:
      endpointCredentials: grafana-operator-postgresql-18-cluster-backup-secret-garage
  backup:
    objectStore:
      - name: external
        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/grafana-operator/grafana-operator-postgresql-18-cluster
        index: 1
        retentionPolicy: "30d"
        isWALArchiver: false
      - name: garage-local
        destinationPath: s3://postgres-backups/cl01tl/grafana-operator/grafana-operator-postgresql-18-cluster
        index: 1
@@ -36,11 +48,6 @@ postgres-18-cluster:
        endpointCredentialsIncludeRegion: true
        retentionPolicy: "3d"
        isWALArchiver: true
      # - name: external
      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/grafana-operator/grafana-operator-postgresql-18-cluster
      #   index: 1
      #   retentionPolicy: "30d"
      #   isWALArchiver: false
      # - name: garage-remote
      #   destinationPath: s3://postgres-backups/cl01tl/grafana-operator/grafana-operator-postgresql-18-cluster
      #   index: 1
@@ -51,36 +58,18 @@ postgres-18-cluster:
      #     compression: bzip2
      #     jobs: 2
    scheduledBackups:
      - name: daily-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: external
      - name: live-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: garage-local
      # - name: daily-backup
      #   suspend: false
      #   immediate: true
      #   schedule: "0 0 0 * * *"
      #   backupName: external
      # - name: weekly-backup
-      #   suspend: true
+      #   suspend: false
      #   immediate: true
      #   schedule: "0 0 4 * * SAT"
      #   backupName: garage-remote
 redis-replication-unified-alerting:
  replicationNameOverride: redis-replication-unified-alerting
  sentinelNameOverride: redis-sentinel-unified-alerting
  existingSecret:
    enabled: false
  redisReplication:
    clusterSize: 3
  redisSentinel:
    enabled: true
    clusterSize: 3
 redis-replication-remote-cache:
  replicationNameOverride: redis-replication-remote-cache
  existingSecret:
    enabled: false
  redisReplication:
    clusterSize: 1
  redisSentinel:
    enabled: false
--- a/clusters/cl01tl/helm/harbor/Chart.lock
+++ b/clusters/cl01tl/helm/harbor/Chart.lock
@@ -4,9 +4,6 @@ dependencies:
  version: 1.18.1
 - name: postgres-cluster
  repository: https://gitea.alexlebens.net/api/packages/alexlebens/helm
-  version: 7.1.1
+  version: 6.16.1
- name: redis-replication
+digest: sha256:a8f5d259fb93f933050c498d9271a5b8606594c968a360f8be151f47b3feb49d
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-11T20:49:18.650522-06:00"
  version: 0.5.0
 digest: sha256:8bd072dc65397b6c1dc8ff319e87f8df1afd50cebcd3f8c46ed753e3dcdba13a
 generated: "2025-12-15T15:36:05.141898-06:00"
--- a/clusters/cl01tl/helm/harbor/Chart.yaml
+++ b/clusters/cl01tl/helm/harbor/Chart.yaml
@@ -21,10 +21,7 @@ dependencies:
    repository: https://helm.goharbor.io
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.1.1
+    version: 6.16.1
    repository: https://gitea.alexlebens.net/api/packages/alexlebens/helm
  - name: redis-replication
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/harbor.png
 appVersion: v2.14.1
--- a/clusters/cl01tl/helm/harbor/templates/redis-replication.yaml
+++ b/clusters/cl01tl/helm/harbor/templates/redis-replication.yaml
@@ -0,0 +1,32 @@
 apiVersion: redis.redis.opstreelabs.in/v1beta2
 kind: RedisReplication
 metadata:
  name: redis-replication-harbor
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-harbor
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  clusterSize: 3
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
  kubernetesConfig:
    image: quay.io/opstree/redis:v8.4.0
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 50m
        memory: 128Mi
  storage:
    volumeClaimTemplate:
      spec:
        storageClassName: ceph-block
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
  redisExporter:
    enabled: true
    image: quay.io/opstree/redis-exporter:v1.80.1
--- a/clusters/cl01tl/helm/harbor/templates/redis-sentinel.yaml
+++ b/clusters/cl01tl/helm/harbor/templates/redis-sentinel.yaml
@@ -0,0 +1,23 @@
 apiVersion: redis.redis.opstreelabs.in/v1beta2
 kind: RedisSentinel
 metadata:
  name: redis-sentinel-harbor
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-sentinel-harbor
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  clusterSize: 3
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
  redisSentinelConfig:
    redisReplicationName: redis-replication-harbor
  kubernetesConfig:
    image: quay.io/opstree/redis-sentinel:v8.4.0
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 10m
        memory: 128Mi
--- a/clusters/cl01tl/helm/harbor/templates/service-monitor.yaml
+++ b/clusters/cl01tl/helm/harbor/templates/service-monitor.yaml
@@ -0,0 +1,19 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: redis-replication-harbor
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-harbor
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
    redis-operator: "true"
    env: production
 spec:
  selector:
    matchLabels:
      redis_setup_type: replication
  endpoints:
    - port: redis-exporter
      interval: 30s
      scrapeTimeout: 10s
--- a/clusters/cl01tl/helm/harbor/values.yaml
+++ b/clusters/cl01tl/helm/harbor/values.yaml
@@ -99,10 +99,17 @@ harbor:
 postgres-18-cluster:
  mode: recovery
  cluster:
    image:
      repository: ghcr.io/cloudnative-pg/postgresql
      tag: 18.1-standard-trixie
    storage:
      storageClass: local-path
    walStorage:
      storageClass: local-path
    monitoring:
      enabled: true
      prometheusRule:
        enabled: true
  recovery:
    method: objectStore
    objectStore:
@@ -112,6 +119,11 @@ postgres-18-cluster:
      endpointCredentials: harbor-postgresql-18-cluster-backup-secret-garage
  backup:
    objectStore:
      - name: external
        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/harbor/harbor-postgresql-18-cluster
        index: 1
        retentionPolicy: "30d"
        isWALArchiver: false
      - name: garage-local
        destinationPath: s3://postgres-backups/cl01tl/harbor/harbor-postgresql-18-cluster
        index: 1
@@ -120,11 +132,6 @@ postgres-18-cluster:
        endpointCredentialsIncludeRegion: true
        retentionPolicy: "3d"
        isWALArchiver: true
      # - name: external
      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/harbor/harbor-postgresql-18-cluster
      #   index: 1
      #   retentionPolicy: "30d"
      #   isWALArchiver: false
      # - name: garage-remote
      #   destinationPath: s3://postgres-backups/cl01tl/harbor/harbor-postgresql-18-cluster
      #   index: 1
@@ -135,26 +142,18 @@ postgres-18-cluster:
      #     compression: bzip2
      #     jobs: 2
    scheduledBackups:
      - name: daily-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: external
      - name: live-backup
        suspend: false
        immediate: true
        schedule: "0 0 0 * * *"
        backupName: garage-local
      # - name: daily-backup
      #   suspend: false
      #   immediate: true
      #   schedule: "0 0 0 * * *"
      #   backupName: external
      # - name: weekly-backup
-      #   suspend: true
+      #   suspend: false
      #   immediate: true
      #   schedule: "0 0 4 * * SAT"
      #   backupName: garage-remote
 redis-replication:
  existingSecret:
    enabled: false
  redisReplication:
    clusterSize: 3
  redisSentinel:
    enabled: true
    clusterSize: 3
--- a/clusters/cl01tl/helm/home-assistant/values.yaml
+++ b/clusters/cl01tl/helm/home-assistant/values.yaml
@@ -21,7 +21,7 @@ home-assistant:
        code-server:
          image:
            repository: ghcr.io/linuxserver/code-server
-            tag: 4.106.3@sha256:83793e4460090d6c46f4842ff6ab8aa26ad8a567885112bbe754b45c61935055
+            tag: 4.106.3@sha256:aab9520fe923b2d93dccc2c806f3dc60649c2f4a2847fcd40c942227d0f1ae8f
            pullPolicy: IfNotPresent
          env:
            - name: TZ
--- a/clusters/cl01tl/helm/homepage/templates/service.yaml
+++ b/clusters/cl01tl/helm/homepage/templates/service.yaml
@@ -36,7 +36,7 @@ metadata:
  name: garage-ui-ps10rp
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: garage-ui-ps10rp
+    app.kubernetes.io/name: garage-ps10rp
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
  annotations:
--- a/clusters/cl01tl/helm/homepage/values.yaml
+++ b/clusters/cl01tl/helm/homepage/values.yaml
@@ -141,12 +141,6 @@ homepage:
                  href: https://jellyfin.alexlebens.net
                  siteMonitor: http://jellyfin.jellyfin:80
                  statusStyle: dot
              - Jellyfin (Alt):
                  icon: sh-jellyfin.webp
                  description: Media server (Alternate UI)
                  href: https://jellyfin-vue.alexlebens.net
                  siteMonitor: http://jellyfin-vue.jellyfin:80
                  statusStyle: dot
              - Media Requests:
                  icon: sh-overseerr.webp
                  description: Overseerr
@@ -343,6 +337,12 @@ homepage:
                  href: https://n8n.alexlebens.net
                  siteMonitor: http://n8n-main.n8n:80
                  statusStyle: dot
              - Jobs:
                  icon: https://raw.githubusercontent.com/mshade/kronic/main/static/android-chrome-192x192.png
                  description: Kronic
                  href: https://kronic.alexlebens.net
                  siteMonitor: http://kronic.kronic:80
                  statusStyle: dot
              - Uptime:
                  icon: sh-gatus.webp
                  description: Gatus
@@ -513,6 +513,12 @@ homepage:
                  href: https://garage-ui-ps10rp.boreal-beaufort.ts.net
                  siteMonitor: https://garage-ui-ps10rp.boreal-beaufort.ts.net
                  statusStyle: dot
              - Database:
                  icon: sh-pgadmin-light.webp
                  description: PGAdmin
                  href: https://pgadmin.alexlebens.net
                  siteMonitor: http://pgadmin.pgadmin:80
                  statusStyle: dot
              - Database:
                  icon: sh-whodb.webp
                  description: WhoDB
--- a/clusters/cl01tl/helm/immich/Chart.lock
+++ b/clusters/cl01tl/helm/immich/Chart.lock
@@ -4,9 +4,6 @@ dependencies:
  version: 4.5.0
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.1.1
+  version: 6.16.1
- name: redis-replication
+digest: sha256:0efb7efad85276191f07755520291b6a549472af4bbd6ac32c58b29f36984e60
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2025-12-11T21:59:26.978234-06:00"
  version: 0.5.0
 digest: sha256:f0fb98c302e8749494c4ebe612cd9ea69e9b11d062dc5a16710dffd13802f475
 generated: "2025-12-15T15:31:14.966284-06:00"
--- a/clusters/cl01tl/helm/immich/Chart.yaml
+++ b/clusters/cl01tl/helm/immich/Chart.yaml
@@ -20,10 +20,7 @@ dependencies:
    version: 4.5.0
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.1.1
+    version: 6.16.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: redis-replication
    version: 0.5.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/immich.png
 appVersion: v2.3.1
--- a/clusters/cl01tl/helm/immich/templates/redis-replication.yaml
+++ b/clusters/cl01tl/helm/immich/templates/redis-replication.yaml
@@ -0,0 +1,32 @@
 apiVersion: redis.redis.opstreelabs.in/v1beta2
 kind: RedisReplication
 metadata:
  name: redis-replication-immich
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-immich
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  clusterSize: 3
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
  kubernetesConfig:
    image: quay.io/opstree/redis:v8.4.0
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 50m
        memory: 128Mi
  storage:
    volumeClaimTemplate:
      spec:
        storageClassName: ceph-block
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
  redisExporter:
    enabled: true
    image: quay.io/opstree/redis-exporter:v1.80.1
--- a/clusters/cl01tl/helm/immich/templates/redis-sentinel.yaml
+++ b/clusters/cl01tl/helm/immich/templates/redis-sentinel.yaml
@@ -0,0 +1,23 @@
 apiVersion: redis.redis.opstreelabs.in/v1beta2
 kind: RedisSentinel
 metadata:
  name: redis-sentinel-immich
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-sentinel-immich
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  clusterSize: 3
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
  redisSentinelConfig:
    redisReplicationName: redis-replication-immich
  kubernetesConfig:
    image: quay.io/opstree/redis-sentinel:v8.4.0
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 10m
        memory: 128Mi
--- a/clusters/cl01tl/helm/immich/templates/service-monitor.yaml
+++ b/clusters/cl01tl/helm/immich/templates/service-monitor.yaml
@@ -21,3 +21,24 @@ spec:
      interval: 3m
      scrapeTimeout: 1m
      path: /metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: redis-replication-immich
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: redis-replication-immich
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
    redis-operator: "true"
    env: production
 spec:
  selector:
    matchLabels:
      redis_setup_type: replication
  endpoints:
    - port: redis-exporter
      interval: 30s
      scrapeTimeout: 10s
--- a/Show More
+++ b/Show More