Merge branch 'manifests' into auto/update-manifests

Merge pull request 'Automated Manifest Update - Automerge' (#2573 ) from auto/update-manifests-automerge-20251216002123 into manifests
chore: Update manifests after automerge
2025-12-16 00:22:25 +00:00 · 2025-12-16 00:21:38 +00:00 · 2025-12-16 00:21:27 +00:00 · 2025-12-16 00:19:38 +00:00 · 2025-12-15 23:46:22 +00:00 · 2025-12-15 22:12:00 +00:00
2686 changed files with 375049 additions and 34391 deletions
--- a/.DS_Store
+++ b/.DS_Store
--- a/.gitea/workflows/lint-test-docker.yaml
+++ b/.gitea/workflows/lint-test-docker.yaml
@@ -1,134 +0,0 @@
 name: lint-test-docker
 on:
  pull_request:
    branches:
      - main
    paths:
      - 'hosts/**'
  push:
    branches:
      - main
    paths:
      - 'hosts/**'
 env:
  BASE_BRANCH: "origin/${{ github.base_ref }}"
 jobs:
  lint-docker-compose:
    runs-on: ubuntu-js
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
      - name: Check Branch Exists
        id: check-branch-exists
        if: github.event_name == 'pull_request'
        uses: GuillaumeFalourd/branch-exists@650358876c774d6ccbd581b5553eb636dab79a97 # v1.2
        with:
          branch: "${{ github.base_ref }}"
      - name: Report Branch Exists
        id: branch-exists
        if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request'
        run: |
          if [ "${{ github.event_name }}" == "push" ]; then
            echo ">> Action is from a push event, will continue with linting"
          else
            echo ">> Branch ${{ github.base_ref }} exists, will continue with linting"
          fi
          echo ""
          echo "----"
          echo "exists=true" >> $GITHUB_OUTPUT
      - name: Set Up Node.js
        if: steps.branch-exists.outputs.exists == 'true'
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: '24'
      - name: Check Directories for Changes
        id: check-dir-changes
        if: steps.branch-exists.outputs.exists == 'true'
        run: |
          echo ">> Target branch for diff is: ${BASE_BRANCH}"
          if [ "${{ github.event_name }}" == "pull_request" ]; then
            DIFF_TARGET="${BASE_BRANCH}"
            echo ""
            echo ">> Checking for changes in a pull request ..."
          else
            DIFF_TARGET="${{ github.event.before }}..HEAD"
            echo ""
            echo ">> Checking for changes from a push ..."
          fi
          CHANGED_COMPOSE=$(git diff --name-only "${DIFF_TARGET}" | grep -E "^hosts/[^/]+/[^/]+/" | cut -d/ -f1,2,3 | sort -u || true)
          if [ -n "${CHANGED_COMPOSE}" ]; then
            echo ""
            echo ">> Compose to Lint:"
            echo ""
            echo "${CHANGED_COMPOSE}"
            CHANGED_COMPOSE_CSV=$(echo "$CHANGED_COMPOSE" | paste -sd ',' -)
            echo ""
            echo "----"
            echo "changes-detected=true" >> $GITHUB_OUTPUT
            echo "compose-dir-csv=${CHANGED_COMPOSE_CSV}" >> $GITHUB_OUTPUT
            echo "compose-dir<<EOF" >> $GITHUB_OUTPUT
            echo "${CHANGED_COMPOSE}" >> $GITHUB_OUTPUT
            echo "EOF" >> $GITHUB_OUTPUT
          else
            echo ""
            echo ">> Did not find any docker compose files to lint"
            echo ""
            echo "----"
            echo "changes-detected=false" >> $GITHUB_OUTPUT
          fi
      - name: Lint Docker Compose
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          CHANGED_COMPOSE: ${{ steps.check-dir-changes.outputs.compose-dir }}
        run: |
          echo ">> Running dclint on changed compose files ..."
          for COMPOSE in $CHANGED_COMPOSE; do
            echo ">> Linting ${COMPOSE} ..."
            npx dclint ${COMPOSE}
          done
          echo ""
          echo "----"
      - name: ntfy Failed
        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
        if: failure()
        with:
          url: '${{ secrets.NTFY_URL }}'
          topic: '${{ secrets.NTFY_TOPIC }}'
          title: 'Docker Compose Test Failure'
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
          details: "Docker linting for compose dirs: ${{ steps.check-dir-changes.outputs.compose-dir-csv }}"
          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
          actions: '[{"action": "view", "label": "View Logs", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
--- a/.gitea/workflows/lint-test-helm.yaml
+++ b/.gitea/workflows/lint-test-helm.yaml
@@ -1,631 +0,0 @@
 name: lint-test-helm
 on:
  pull_request:
    branches:
      - main
    paths:
      - 'clusters/cl01tl/helm/**'
  push:
    branches:
      - main
    paths:
      - 'clusters/cl01tl/helm/**'
 env:
  CLUSTER: cl01tl
  BASE_BRANCH: "origin/${{ github.base_ref }}"
  KUBECONFORM_VERSION: "v0.6.7"
  ARGOCD_VERSION: "v3.3.6"
 jobs:
  lint-helm:
    runs-on: ubuntu-js
    outputs:
      chart-dir: ${{ steps.check-dir-changes.outputs.chart-dir }}
      chart-dir-csv: ${{ steps.check-dir-changes.outputs.chart-dir-csv }}
      changes-detected: ${{ steps.check-dir-changes.outputs.changes-detected }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
      - name: Check Branch Exists
        id: check-branch-exists
        if: github.event_name == 'pull_request'
        uses: GuillaumeFalourd/branch-exists@650358876c774d6ccbd581b5553eb636dab79a97 # v1.2
        with:
          branch: ${{ github.base_ref }}
      - name: Report Branch Exists
        id: branch-exists
        if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request'
        run: |
          if [ "${{ github.event_name }}" == "push" ]; then
            echo ">> Action is from a push event, will continue with linting"
          else
            echo ">> Branch ${{ github.base_ref }} exists, will continue with linting"
          fi
          echo ""
          echo "----"
          echo "exists=true" >> $GITHUB_OUTPUT
      - name: Set Up Helm
        if: steps.branch-exists.outputs.exists == 'true'
        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          # renovate: datasource=github-releases depName=helm/helm
          version: v4.1.3
          cache: true
      - name: Cache Helm Dependencies
        if: steps.branch-exists.outputs.exists == 'true'
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: |
            ~/.cache/helm
            ~/.config/helm
          key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
          restore-keys: |
            helm-cache-${{ runner.os }}-
      - name: Check Directories for Changes
        id: check-dir-changes
        if: steps.branch-exists.outputs.exists == 'true'
        run: |
          echo ">> Target branch for diff is: ${BASE_BRANCH}"
          if [ "${{ github.event_name }}" == "pull_request" ]; then
            DIFF_TARGET="${BASE_BRANCH}"
            echo ""
            echo ">> Checking for changes in a pull request ..."
          else
            DIFF_TARGET="${{ github.event.before }}..HEAD"
            echo ""
            echo ">> Checking for changes from a push ..."
          fi
          CHANGED_CHARTS=$(git diff --name-only "${DIFF_TARGET}" | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true)
          if [ -n "${CHANGED_CHARTS}" ]; then
            echo ""
            echo ">> Chart to Lint:"
            echo ""
            echo "${CHANGED_CHARTS}"
            CHANGED_CHARTS_CSV=$(echo "${CHANGED_CHARTS}" | paste -sd ',' -)
            echo ""
            echo "----"
            echo "changes-detected=true" >> $GITHUB_OUTPUT
            echo "chart-dir-csv=${CHANGED_CHARTS_CSV}" >> $GITHUB_OUTPUT
            echo "chart-dir<<EOF" >> $GITHUB_OUTPUT
            echo "${CHANGED_CHARTS}" >> $GITHUB_OUTPUT
            echo "EOF" >> $GITHUB_OUTPUT
          else
            echo ""
            echo ">> Did not find any helm charts files to lint"
            echo ""
            echo "----"
            echo "changes-detected=false" >> $GITHUB_OUTPUT
          fi
      - name: Add Repositories
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }}
        run: |
          echo ">> Adding repositories for chart dependencies ..."
          echo ""
          for DIR in ${CHANGED_CHARTS}; do
            helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \
              | tail -n +2 \
              | awk 'NF > 0 { print $1, $3 }' \
              | while read -r REPO_NAME REPO_URL; do
                if [[ "${REPO_URL}" == oci://* ]]; then
                  echo ">> Ignoring OCI repo: ${REPO_URL}"
                elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
                  helm repo add "${REPO_NAME}" "${REPO_URL}"
                fi
              done || true
          done
          if helm repo list > /dev/null 2>&1; then
            echo ""
            echo ">> Update repository cache ..."
            helm repo update
          fi
          echo ""
          echo "----"
      - name: Lint Helm Chart
        id: lint
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }}
        run: |
          EXIT_CODE=0
          FAILED_CHARTS=""
          echo ">> Running linting on changed charts ..."
          lint_chart() {
            local DIR="$1"
            local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
            local CHART_NAME=$(basename "${CHART_PATH}")
            if [ -f "${CHART_PATH}/Chart.yaml" ]; then
              echo ""
              echo ">> Building helm dependency for ${CHART_NAME} ..."
              helm dependency build "${CHART_PATH}" --skip-refresh
              echo ""
              echo ">> Linting helm chart ${CHART_NAME} ..."
              if ! helm lint "${CHART_PATH}" --namespace "default"; then
                echo "${DIR}" > ".failed_chart_${CHART_NAME}"
                return 1
              fi
            else
              echo ""
              echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
            fi
          }
          export -f lint_chart
          export CLUSTER
          for DIR in ${CHANGED_CHARTS}; do
            echo "${DIR}"
          done | xargs -P 4 -I {} bash -c 'OUT=$(lint_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
          if ls .failed_chart_* 1> /dev/null 2>&1; then
            EXIT_CODE=1
            FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
            rm -f .failed_chart_*
          fi
          echo ""
          echo "----"
          echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
          exit $EXIT_CODE
      - name: ntfy Failed
        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
        if: failure()
        with:
          url: '${{ secrets.NTFY_URL }}'
          topic: '${{ secrets.NTFY_TOPIC }}'
          title: 'Helm Test Failure'
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
          details: "Helm linting for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.lint.outputs.failed-charts }}"
          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
          actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
          image: true
  validate-kubeconform:
    needs: lint-helm
    runs-on: ubuntu-js
    if: |
      needs.lint-helm.result == 'success' &&
      needs.lint-helm.outputs.changes-detected == 'true' &&
      github.event_name == 'pull_request'
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
      - name: Cache Kubeconform
        id: cache-kubeconform
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: /usr/local/bin/kubeconform
          key: ${{ runner.os }}-kubeconform-${{ env.KUBECONFORM_VERSION }}
          restore-keys: |
            ${{ runner.os }}-kubeconform-
      - name: Install Kubeconform
        if: steps.cache-kubeconform.outputs.cache-hit != 'true'
        run: |
          echo ">> Downloading Kubeconform ${{ env.KUBECONFORM_VERSION }} ..."
          wget -q https://github.com/yannh/kubeconform/releases/download/${{ env.KUBECONFORM_VERSION }}/kubeconform-linux-amd64.tar.gz
          echo ""
          echo ">> Extracting Kubeconform ..."
          tar xf kubeconform-linux-amd64.tar.gz
          echo ""
          echo ">> Installing Kubeconform ..."
          sudo mv kubeconform /usr/local/bin/
      - name: Verify installation
        run: |
          echo ""
          echo ">> Verifying installation ..."
          kubeconform -v
          echo ""
          echo "----"
      - name: Set Up Helm
        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          # renovate: datasource=github-releases depName=helm/helm
          version: v4.1.3
          cache: true
      - name: Cache Helm Dependencies
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: |
            ~/.cache/helm
            ~/.config/helm
          key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
          restore-keys: |
            helm-cache-${{ runner.os }}-
      - name: Add Repositories
        env:
          CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
        run: |
          echo ">> Adding repositories for chart dependencies ..."
          echo ""
          for DIR in ${CHANGED_CHARTS}; do
            helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \
              | tail -n +2 \
              | awk 'NF > 0 { print $1, $3 }' \
              | while read -r REPO_NAME REPO_URL; do
                if [[ "${REPO_URL}" == oci://* ]]; then
                  echo ">> Ignoring OCI repo: ${REPO_URL}"
                elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
                  helm repo add "${REPO_NAME}" "${REPO_URL}"
                fi
              done || true
          done
          if helm repo list > /dev/null 2>&1; then
            echo ""
            echo ">> Update repository cache ..."
            helm repo update
          fi
          echo ""
          echo "----"
      - name: Validate Rendered Templates
        id: validate
        env:
          CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
        run: |
          SCHEMA_LOCATIONS="-schema-location default -schema-location https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
          EXIT_CODE=0
          FAILED_CHARTS=""
          validate_chart() {
            local DIR="$1"
            local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
            echo ""
            echo ">> Validating: ${DIR}"
            helm dependency build "${CHART_PATH}" --skip-refresh
            if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor" | \
              kubeconform \
                ${SCHEMA_LOCATIONS} \
                -ignore-missing-schemas \
                -strict \
                -summary; then
              echo "${DIR}" > ".failed_chart_${DIR}"
              return 1
            fi
          }
          export -f validate_chart
          export CLUSTER SCHEMA_LOCATIONS
          for DIR in ${CHANGED_CHARTS}; do
            echo "${DIR}"
          done | xargs -P 4 -I {} bash -c 'OUT=$(validate_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
          if ls .failed_chart_* 1> /dev/null 2>&1; then
            EXIT_CODE=1
            FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
            rm -f .failed_chart_*
          fi
          echo ""
          echo "----"
          echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
          exit $EXIT_CODE
      - name: ntfy Failed
        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
        if: failure()
        with:
          url: '${{ secrets.NTFY_URL }}'
          topic: '${{ secrets.NTFY_TOPIC }}'
          title: 'Kubeconform Test Failure'
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
          details: "Kubeconform for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.validate.outputs.failed-charts }}"
          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
          actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
          image: true
  # argo-diff:
  #   needs: lint-helm
  #   runs-on: ubuntu-js
  #   if: |
  #     needs.lint-helm.result == 'success' &&
  #     needs.lint-helm.outputs.changes-detected == 'true' &&
  #     github.event_name == 'pull_request'
  #   steps:
  #     - name: Checkout
  #       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
  #       with:
  #         fetch-depth: 0
  #     - name: Cache ArgoCD CLI
  #       id: cache-argocd
  #       uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
  #       with:
  #         path: /usr/local/bin/argocd
  #         key: ${{ runner.os }}-argocd-${{ env.ARGOCD_VERSION }}
  #         restore-keys: |
  #           ${{ runner.os }}-argocd-
  #     - name: Install ArgoCD CLI
  #       if: steps.cache-argocd.outputs.cache-hit != 'true'
  #       run: |
  #         echo ">> Downloading ArgoCD CLI, version: ${{ env.ARGOCD_VERSION }} ..."
  #         curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/download/${{ env.ARGOCD_VERSION }}/argocd-linux-amd64
  #         echo ""
  #         echo ">> Installing ArgoCD CLI ..."
  #         sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
  #         echo ""
  #         echo "----"
  #     - name: Verify installation
  #       run: |
  #         echo ""
  #         echo ">> Verifying installation ..."
  #         argocd version --client
  #         echo ""
  #         echo "----"
  #     - name: Set Up Helm
  #       uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
  #       with:
  #         token: ${{ secrets.GITEA_TOKEN }}
  #         # renovate: datasource=github-releases depName=helm/helm
  #         version: v4.1.3
  #         cache: true
  #     - name: Cache Helm Dependencies
  #       uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
  #       with:
  #         path: |
  #           ~/.cache/helm
  #           ~/.config/helm
  #         key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
  #         restore-keys: |
  #           helm-cache-${{ runner.os }}-
  #     - name: Add Repositories
  #       env:
  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
  #       run: |
  #         echo ">> Adding repositories for chart dependencies ..."
  #         echo ""
  #         for DIR in ${CHANGED_CHARTS}; do
  #           helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \
  #             | tail -n +2 \
  #             | awk 'NF > 0 { print $1, $3 }' \
  #             | while read -r REPO_NAME REPO_URL; do
  #               if [[ "${REPO_URL}" == oci://* ]]; then
  #                 echo ">> Ignoring OCI repo: ${REPO_URL}"
  #               elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
  #                 helm repo add "${REPO_NAME}" "${REPO_URL}"
  #               fi
  #             done || true
  #         done
  #         if helm repo list > /dev/null 2>&1; then
  #           echo ""
  #           echo ">> Update repository cache ..."
  #           helm repo update
  #         fi
  #         echo ""
  #         echo "----"
  #     - name: Render Templates
  #       id: render
  #       env:
  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
  #       run: |
  #         for APP_NAME in ${CHANGED_CHARTS}; do
  #           echo ">> Render templates for ${APP_NAME} ..."
  #           CHART_PATH="clusters/${CLUSTER}/helm/${APP_NAME}"
  #           OUTPUT_FOLDER="clusters/${CLUSTER}/manifests/${APP_NAME}/"
  #           mkdir -p "${OUTPUT_FOLDER}"
  #           helm dependency build "${CHART_PATH}" --skip-refresh
  #           NAMESPACE="${APP_NAME}"
  #           case "${APP_NAME}" in
  #             "stack")
  #               NAMESPACE="argocd"
  #               echo ">> Special Rendering into 'argocd' namespace ..."
  #               ;;
  #             "cilium" | "coredns" | "metrics-server")
  #               NAMESPACE="kube-system"
  #               echo ">> Special Rendering for ${APP_NAME} into 'kube-system' namespace ..."
  #               ;;
  #             *)
  #               echo ">> Standard Rendering ..."
  #           esac
  #           TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
  #           # Format and split rendered template
  #           echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
  #           # Strip comments again to ensure formatting correctness
  #           for file in "$OUTPUT_FOLDER"/*; do
  #             yq -i '... comments=""' $file
  #           done
  #           echo ""
  #           echo ">> Templates in output folder: ${OUTPUT_FOLDER}"
  #           ls ${OUTPUT_FOLDER}
  #         done
  #         echo "----"
  #     - name: Run App Diff
  #       id: diff
  #       env:
  #         ARGOCD_SERVER: ${{ secrets.ARGOCD_SERVER }}
  #         ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}
  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
  #       run: |
  #         FAILED_CHARTS=""
  #         DIFF_FOUND="false"
  #         EXIT_CODE=0
  #         for APP_NAME in ${CHANGED_CHARTS}; do
  #           echo ">> Running argocd app diff for ${APP_NAME} ..."
  #           if ! argocd app diff "${APP_NAME}" \
  #             --server "${ARGOCD_SERVER}" \
  #             --auth-token "${ARGOCD_AUTH_TOKEN}" \
  #             --revision ${{ github.sha }} \
  #             --local "clusters/${CLUSTER}/manifests/${APP_NAME}" \
  #             --local-repo-root "." \
  #             --grpc-web > "diff_output_${APP_NAME}.txt" 2>&1; then
  #             # ArgoCD diff returns non-zero on diff or error.
  #             # Let's capture if it actually generated a diff output to post.
  #             DIFF_FOUND="true"
  #             # Check if the output contains validation/connection errors
  #             if grep -iE 'error|failed|connection refused|timeout' "diff_output_${APP_NAME}.txt"; then
  #                echo ">> ArgoCD encountered an error validating ${APP_NAME}!"
  #                EXIT_CODE=1
  #                FAILED_CHARTS="${FAILED_CHARTS} ${APP_NAME}"
  #             fi
  #           fi
  #           if [ -s "diff_output_${APP_NAME}.txt" ]; then
  #             echo ">> Argo diff or errors:"
  #             echo ""
  #             cat diff_output_${APP_NAME}.txt
  #             echo ""
  #           else
  #             echo ">> No Argo diff found for ${APP_NAME}"
  #             rm "diff_output_${APP_NAME}.txt"
  #           fi
  #         done
  #         echo "----"
  #         echo "diff-detected=${DIFF_FOUND}" >> "$GITHUB_OUTPUT"
  #         echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
  #         exit $EXIT_CODE
  #     - name: Post Diff
  #       if: |
  #         always() &&
  #         steps.diff.outputs.diff-detected == 'true' &&
  #         github.event.pull_request.number != null
  #       env:
  #         GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
  #       run: |
  #         COMMENT_BODY="### ArgoCD Diff Results
  #         "
  #         for f in diff_output_*.txt; do
  #           APP_NAME=$(echo $f | sed 's/diff_output_//;s/.txt//')
  #           DIFF_CONTENT=$(cat "$f")
  #           COMMENT_BODY="${COMMENT_BODY}
  #         #### App: ${APP_NAME}
  #         "
  #           if [ -z "$DIFF_CONTENT" ]; then
  #             COMMENT_BODY="${COMMENT_BODY} No changes detected."
  #           else
  #             COMMENT_BODY="${COMMENT_BODY}
  #         \`\`\`diff
  #         ${DIFF_CONTENT}
  #         \`\`\`"
  #           fi
  #         done
  #         curl -X 'POST' \
  #           "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
  #           -H "Authorization: token ${GITEA_TOKEN}" \
  #           -H "Content-Type: application/json" \
  #           -d "$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')"
  #     - name: ntfy Failed
  #       uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
  #       if: failure()
  #       with:
  #         url: '${{ secrets.NTFY_URL }}'
  #         topic: '${{ secrets.NTFY_TOPIC }}'
  #         title: 'ArgoCD Diff Failure'
  #         priority: 3
  #         headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
  #         tags: action,failed
  #         details: "ArgoCD diff for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.diff.outputs.failed-charts }}"
  #         icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
  #         actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
  #         image: true
--- a/.gitea/workflows/render-manifests.yaml
+++ b/.gitea/workflows/render-manifests.yaml
@@ -1,624 +0,0 @@
 name: render-manifests
 on:
  schedule:
    - cron: '0 15 * * *'
  workflow_dispatch:
  pull_request:
    branches:
      - main
    paths:
      - 'clusters/cl01tl/helm/**'
    types:
      - closed
 env:
  CLUSTER: cl01tl
  BASE_BRANCH: manifests
  BRANCH_NAME_BASE: auto/update-manifests
  ASSIGNEE: alexlebens
  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
 jobs:
  render-manifests:
    runs-on: ubuntu-js
    if: >-
      github.event_name == 'schedule' ||
      github.event_name == 'workflow_dispatch' ||
      (github.event_name == 'pull_request' && github.event.pull_request.merged == true)
    steps:
      - name: Checkout Main
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          path: infrastructure
          fetch-depth: 0
      - name: Checkout Manifests
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: manifests
          path: infrastructure-manifests
      - name: Set Up Helm
        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
          cache: true
      - name: Configure Kubeconfig
        uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Cache Helm Dependencies
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: |
            ~/.cache/helm
            ~/.config/helm
          key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
          restore-keys: |
            helm-cache-${{ runner.os }}-
      - name: Determine Workflow Mode
        id: mode
        run: |
          IS_AUTOMERGE="false"
          RENDER_ALL="false"
          DIFF_TARGET=""
          if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            echo ">> Mode: Dispatch/Schedule (Render All)"
            RENDER_ALL="true"
          elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
            if [[ "${{ contains(github.event.pull_request.labels.*.name, 'automerge') }}" == "true" ]]; then
              echo ">> Mode: PR Merged (Automerge)"
              IS_AUTOMERGE="true"
            else
              echo ">> Mode: PR Merged (Standard)"
            fi
            DIFF_TARGET="HEAD^..HEAD"
          fi
          echo ""
          echo "----"
          echo "is-automerge=${IS_AUTOMERGE}" >> "$GITHUB_OUTPUT"
          echo "render-all=${RENDER_ALL}" >> "$GITHUB_OUTPUT"
          echo "diff-target=${DIFF_TARGET}" >> "$GITHUB_OUTPUT"
      - name: Prepare Manifest Branch
        id: prepare-manifest-branch
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }}
        run: |
          cd "${MANIFEST_DIR}"
          echo ">> Configure git to use gitea-bot as user ..."
          git config user.name "gitea-bot"
          git config user.email "gitea-bot@alexlebens.net"
          if [[ "$IS_AUTOMERGE" == "true" ]]; then
            BRANCH_NAME="${BRANCH_NAME_BASE}-automerge-${PR_NUMBER}"
            echo ""
            echo ">> Creating branch ${BRANCH_NAME} ..."
            git checkout -B "$BRANCH_NAME"
          else
            echo ""
            echo ">> Checking if PR branch exists ..."
            BRANCH_NAME="${BRANCH_NAME_BASE}"
            if git ls-remote --exit-code --heads origin "${BRANCH_NAME}" > /dev/null 2>&1; then
              echo ""
              echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
              git fetch origin "${BRANCH_NAME}"
              git checkout "${BRANCH_NAME}"
              git pull --rebase
            else
              echo ""
              echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
              git checkout -b "${BRANCH_NAME}"
            fi
          fi
          echo ""
          echo "----"
          echo "branch-name=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
      - name: Check Which Directories Have Changes
        id: check-dir-changes
        env:
          RENDER_ALL: ${{ steps.mode.outputs.render-all }}
          DIFF_TARGET: ${{ steps.mode.outputs.diff-target }}
        run: |
          cd "${MAIN_DIR}"
          if [[ "$RENDER_ALL" == "true" ]]; then
            echo ">> Triggered on dispatch, will check all paths ..."
            RENDER_DIR=$(find "clusters/${CLUSTER}/helm" -mindepth 1 -maxdepth 1 -type d -exec basename {} \; | sort -u)
          else
            echo ">> Checking for changes from ${DIFF_TARGET} ..."
            RENDER_DIR=$(git diff --name-only "${DIFF_TARGET}" | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true)
          fi
          if [ -n "${RENDER_DIR}" ]; then
            echo ""
            echo ">> Directories to Render:"
            echo ""
            echo "${RENDER_DIR}"
            echo ""
            echo "----"
            echo "changes-detected=true" >> "$GITHUB_OUTPUT"
            echo "render-dir<<EOF" >> "$GITHUB_OUTPUT"
            echo "${RENDER_DIR}" >> "$GITHUB_OUTPUT"
            echo "EOF" >> "$GITHUB_OUTPUT"
          else
            echo ""
            echo ">> No chart changes detected"
            echo ""
            echo "----"
            echo "changes-detected=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Add Repositories
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd "${MAIN_DIR}"
          echo ">> Adding repositories for chart dependencies ..."
          echo ""
          for DIR in ${RENDER_DIR}; do
            helm dependency list --max-col-width 120 "${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}" 2> /dev/null \
              | tail -n +2 \
              | awk 'NF > 0 { print $1, $3 }' \
              | while read -r REPO_NAME REPO_URL; do
                if [[ "${REPO_URL}" == oci://* ]]; then
                  echo ">> Ignoring OCI repo: ${REPO_URL}"
                elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
                  helm repo add "${REPO_NAME}" "${REPO_URL}"
                fi
              done || true
          done
          if helm repo list > /dev/null 2>&1; then
            echo ""
            echo ">> Update repository cache ..."
            helm repo update
          fi
          echo ""
          echo "----"
      - name: Remove Changed Manifest Files
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd "${MANIFEST_DIR}"
          echo ">> Remove manifest files and rebuild from source ..."
          echo ""
          for DIR in ${RENDER_DIR}; do
            CHART_PATH="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${DIR}"
            echo "${CHART_PATH}"
            rm -rf "${CHART_PATH}"/*
          done
          echo ""
          echo "----"
      - name: Render Helm Manifests
        id: render-manifests
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd "${MAIN_DIR}"
          echo ">> Rendering Manifests ..."
          render_chart() {
            local DIR="$1"
            local CHART_PATH="${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}"
            local CHART_NAME=$(basename "${CHART_PATH}")
            echo ""
            echo ">> Rendering chart: ${CHART_NAME}"
            if [ -f "${CHART_PATH}/Chart.yaml" ]; then
              local OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${CHART_NAME}/"
              mkdir -p "${OUTPUT_FOLDER}"
              cd "${CHART_PATH}"
              helm dependency update --skip-refresh > /dev/null
              helm lint --namespace "${CHART_NAME}" --quiet
              local NAMESPACE="${CHART_NAME}"
              case "${CHART_NAME}" in
                "stack")
                  NAMESPACE="argocd"
                  echo ">> Special Rendering into 'argocd' namespace ..."
                  ;;
                "cilium" | "coredns" | "metrics-server")
                  NAMESPACE="kube-system"
                  echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
                  ;;
                *)
                  echo ">> Standard Rendering ..."
              esac
              echo ">> Formating rendered template ..."
              local TEMPLATE
              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
              # Format and split rendered template
              echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
              # Strip comments again to ensure formatting correctness
              for file in "$OUTPUT_FOLDER"/*; do
                yq -i '... comments=""' $file
              done
              echo ">> Manifests for ${CHART_NAME} rendered successfully to $OUTPUT_FOLDER:"
              echo ""
              ls $OUTPUT_FOLDER
              echo ""
            else
              echo ""
              echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
            fi
          }
          export -f render_chart
          export MAIN_DIR CLUSTER MANIFEST_DIR
          # Run rendering in parallel
          for DIR in ${RENDER_DIR}; do
            echo "${DIR}"
          done | xargs -P 5 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
          echo ""
          echo "----"
      - name: Check for Changes
        id: check-changes
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        run: |
          cd "${MANIFEST_DIR}"
          GIT_CHANGES=$(git status --porcelain)
          if [ -n "${GIT_CHANGES}" ]; then
            echo ">> Changes detected"
            git status --porcelain
            CHANGED_CHARTS=$(echo "$GIT_CHANGES" | grep -oE "clusters/${CLUSTER}/manifests/[^/]+" | awk -F '/' '{print $4}' | sort -u | paste -sd ',' -)
            echo ""
            echo "----"
            echo "changes-detected=true" >> "$GITHUB_OUTPUT"
            echo "changed-charts-csv=${CHANGED_CHARTS}" >> "$GITHUB_OUTPUT"
          else
            echo ">> No changes detected, skipping PR creation"
            echo ""
            echo "----"
          fi
      - name: Commit and Push Changes
        id: commit-push
        if: steps.check-changes.outputs.changes-detected == 'true'
        env:
          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.branch-name }}
          IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }}
        run: |
          cd "${MANIFEST_DIR}"
          MSG="chore: Update manifests after change"
          if [[ "$IS_AUTOMERGE" == "true" ]]; then
            MSG="chore: Update manifests after automerge"
          fi
          echo ">> Commiting changes to ${BRANCH_NAME} ..."
          git add .
          git commit -m "${MSG}"
          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
          echo ""
          echo ">> Pushing changes to ${REPO_URL} ..."
          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@${REPO_URL#*://}" "${BRANCH_NAME}"
          echo ""
          echo "----"
          echo "push=true" >> "$GITHUB_OUTPUT"
          echo "head-branch=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
      - name: Check for Pull Request
        id: check-for-pull-request
        if: steps.commit-push.outputs.push == 'true' && steps.mode.outputs.is-automerge == 'false'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.head-branch }}
        run: |
          cd "${MANIFEST_DIR}"
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          HTTP_STATUS=$(curl -X GET -s -w '%{http_code}' -o response_body.json -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
            echo ""
            echo ">> Pull Request has been found open, will update"
            echo ""
            echo "----"
            echo "pull-request-exists=$(cat response_body.json | jq -r .[0].number)" >> "$GITHUB_OUTPUT"
          else
            echo ""
            echo ">> Pull Request not found"
            echo ""
            echo "----"
            echo "pull-request-exists=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Create Pull Request
        id: create-pull-request
        if: steps.commit-push.outputs.push == 'true' && (steps.mode.outputs.is-automerge == 'true' || steps.check-for-pull-request.outputs.pull-request-exists == 'false')
        env:
          IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }}
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.head-branch }}
          CHARTS: ${{ steps.check-changes.outputs.changed-charts-csv }}
          EVENT_NAME: ${{ github.event_name }}
          ACTOR: ${{ github.actor }}
          SHA: ${{ github.sha }}
          REF: ${{ github.ref_name }}
        run: |
          cd "${MANIFEST_DIR}"
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
          BODY=$(printf "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.\n\n### Details\n- **Trigger**: \`%s\` by \`@%s\`\n- **Commit**: \`%s\` (on \`%s\`)\n- **Charts Updated**: \`%s\`" "${EVENT_NAME}" "${ACTOR}" "${SHA:0:7}" "${REF}" "${CHARTS}")
          if [[ "$IS_AUTOMERGE" == "true" ]]; then
            TITLE="Automated Manifest Update - Automerge"
            BODY=$(printf "%s\n\n_This PR is expected to be automerged._" "${BODY}")
          else
            TITLE="Automated Manifest Update"
          fi
          PAYLOAD=$(jq -n --arg head "${HEAD_BRANCH}" --arg base "${BASE_BRANCH}" --arg assignee "${ASSIGNEE}" --arg title "${TITLE}" --arg body "${BODY}" '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}')
          HTTP_STATUS=$(curl -X POST -s -w '%{http_code}' -o response_body.json --data "$PAYLOAD" -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
          if [ "$HTTP_STATUS" == "201" ]; then
            echo ">> Pull Request created successfully!"
            echo ""
            echo "----"
            echo "pull-request-id=$(jq -r .id response_body.json)" >> "$GITHUB_OUTPUT"
            echo "pull-request-number=$(jq -r .number response_body.json)" >> "$GITHUB_OUTPUT"
            echo "pull-request-operation=created" >> "$GITHUB_OUTPUT"
          elif [[ "$HTTP_STATUS" == "422" || "$HTTP_STATUS" == "409" ]]; then
            echo ""
            echo ">> Failed to create PR (Already exists)"
            echo ""
            echo "----"
          else
            echo ""
            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
            echo ""
            echo "----"
            exit 1
          fi
      - name: Update Pull Request
        id: update-pull-request
        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-request.outputs.pull-request-exists != 'false' && steps.mode.outputs.is-automerge == 'false'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          PR_NUMBER: ${{ steps.check-for-pull-request.outputs.pull-request-exists }}
          CHARTS: ${{ steps.check-changes.outputs.changed-charts-csv }}
          EVENT_NAME: ${{ github.event_name }}
          ACTOR: ${{ github.actor }}
          SHA: ${{ github.sha }}
          REF: ${{ github.ref_name }}
        run: |
          cd "${MANIFEST_DIR}"
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_NUMBER}"
          EXISTING_BODY=$(jq -r '.[0].body' response_body.json)
          NEW_DETAILS=$(printf "### Update Details (%s)\n- **Trigger**: \`%s\` by \`@%s\`\n- **Commit**: \`%s\` (on \`%s\`)\n- **Charts Updated**: \`%s\`" "$(date -u +'%Y-%m-%d %H:%M UTC')" "${EVENT_NAME}" "${ACTOR}" "${SHA:0:7}" "${REF}" "${CHARTS}")
          UPDATED_BODY=$(printf "%s\n\n%s" "${EXISTING_BODY}" "${NEW_DETAILS}")
          PAYLOAD=$(jq -n --arg body "${UPDATED_BODY}" '{body: $body}')
          HTTP_STATUS=$(curl -X PATCH -s -w '%{http_code}' -o update_response.json --data "$PAYLOAD" -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
          if [ "$HTTP_STATUS" == "201" ] || [ "$HTTP_STATUS" == "200" ]; then
            echo ">> Pull Request updated successfully!"
            echo ""
            echo "----"
            echo "pull-request-operation=updated" >> "$GITHUB_OUTPUT"
          else
            echo ">> Failed to update PR, HTTP status code: $HTTP_STATUS"; exit 1
            echo ""
            echo "----"
          fi
      - name: Merge Changes
        id: merge-changes
        if: steps.commit-push.outputs.push == 'true' && steps.mode.outputs.is-automerge == 'true'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
        run: |
          cd "${MANIFEST_DIR}"
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_NUMBER}/merge"
          PAYLOAD=$(jq -n --arg Do "merge" '{Do: $Do}')
          HTTP_STATUS=$(curl -X POST -s -w '%{http_code}' -o response_body.json --data "$PAYLOAD" -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
          if [ "$HTTP_STATUS" == "200" ]; then
            echo ">> Pull Request merged successfully!"
            echo ""
            echo "----"
            echo "pull-request-operation=merged" >> "$GITHUB_OUTPUT"
          else
            echo ">> Failed to merge PR, HTTP status code: $HTTP_STATUS"; exit 1
            echo ""
            echo "----"
          fi
      - name: Cleanup Branch
        if: failure() && steps.mode.outputs.is-automerge == 'true'
        env:
          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.branch-name }}
        run: |
          cd "${MANIFEST_DIR}"
          echo ">> Removing branch: ${BRANCH_NAME}"
          git push origin --delete "${BRANCH_NAME}" || true
          echo ""
          echo "----"
      - name: ntfy Created
        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
        if: steps.create-pull-request.outputs.pull-request-operation == 'created' && steps.mode.outputs.is-automerge == 'false'
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render - Open PR"
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
          details: "Created renderd manifests for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
      - name: ntfy Updated
        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-request.outputs.pull-request-exists != 'false' && steps.mode.outputs.is-automerge == 'false'
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render - PR Updated"
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
          details: "Updated rendered manifests PR for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
      - name: ntfy Merged
        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
        if: steps.merge-changes.outputs.pull-request-operation == 'merged'
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render - Automerged"
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
          details: "Automerged manifest rendering for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
      - name: ntfy Failed
        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
        if: failure()
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render Failure"
          priority: 4
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
          details: "Manifest rendering for Infrastructure has failed!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "View Logs", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
--- a/.gitea/workflows/renovate.yaml
+++ b/.gitea/workflows/renovate.yaml
@@ -1,32 +0,0 @@
 name: renovate
 on:
  schedule:
    - cron: "@hourly"
  push:
    branches:
      - main
  workflow_dispatch:
 jobs:
  renovate:
    runs-on: ubuntu-js
    container: ghcr.io/renovatebot/renovate:43.159.0@sha256:c80842690cf53b7c2191235f3107cb63e2e3c85a63d51ae64f0f42b440c31f05
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Renovate
        run: renovate
        env:
          RENOVATE_PLATFORM: gitea
          RENOVATE_ENDPOINT: ${{ vars.INSTANCE_URL }}
          RENOVATE_REPOSITORIES: alexlebens/infrastructure
          RENOVATE_GIT_AUTHOR: Renovate Bot <renovate-bot@alexlebens.net>
          LOG_LEVEL: debug
          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
          RENOVATE_GIT_PRIVATE_KEY: ${{ secrets.RENOVATE_GIT_PRIVATE_KEY }}
          RENOVATE_GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}
          RENOVATE_REDIS_URL: ${{ vars.RENOVATE_REDIS_URL }}
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
 .gitignore
 /**/archive/
 /**/charts/
-/**/manifests/
+/**/helm/
 /**/tmpcharts*/
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,17 +0,0 @@
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: end-of-file-fixer
      - id: trailing-whitespace
      - id: check-added-large-files
      - id: check-yaml
        exclude: '^.*\/templates\/.*$'
        args:
          - --multi
      - id: check-merge-conflict
      - id: check-json
  - repo: https://github.com/IamTheFij/docker-pre-commit
    rev: v3.0.1
    hooks:
      - id: docker-compose-check
--- a/201
+++ b/201
@@ -1,201 +0,0 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.
   Copyright [yyyy] [name of copyright owner]
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--- a/README.md
+++ b/README.md
@@ -1,13 +0,0 @@
 # alexlebens.net
 GitOps definied infrastrucutre for the alexlebens.net domain.
 ## Stack-cl01tl
 https://argocd.alexlebens.net/api/badge?name=stack-cl01tl&revision=true&showAppName=true
 App-of-Apps Application for cl01tl
 ## License
 This project is licensed under the terms of the Apache 2.0 License license.
--- a/clusters/cl01tl/helm/actual/Chart.lock
+++ b/clusters/cl01tl/helm/actual/Chart.lock
@@ -1,9 +0,0 @@
 dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 1.1.1
 digest: sha256:e472c85ad45c6071ccc3a23047927aba42814a931865736e40ad5c16d597ea53
 generated: "2026-04-28T23:30:55.463292642Z"
--- a/clusters/cl01tl/helm/actual/Chart.yaml
+++ b/clusters/cl01tl/helm/actual/Chart.yaml
@@ -1,27 +0,0 @@
 apiVersion: v2
 name: actual
 version: 1.0.0
 description: Actual
 keywords:
  - actual
  - budget
 home: https://docs.alexlebens.dev/applications/actual/
 sources:
  - https://github.com/actualbudget/actual
  - https://github.com/actualbudget/actual/pkgs/container/actual
  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: actual
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
  - name: volsync-target
    alias: volsync-target-data
    version: 1.1.1
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
 # renovate: datasource=github-releases depName=actualbudget/actual
 appVersion: 26.4.0
--- a/clusters/cl01tl/helm/actual/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/actual/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/actual/values.yaml
+++ b/clusters/cl01tl/helm/actual/values.yaml
@@ -1,81 +0,0 @@
 actual:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      containers:
        main:
          image:
            repository: ghcr.io/actualbudget/actual
            tag: 26.4.0@sha256:b0e732e2c41b3dc468a71548e88ef76d3f0c157fc43d15fa05d14ec1c5747e1e
          env:
            - name: ACTUAL_PORT
              value: 5006
          resources:
            requests:
              cpu: 10m
              memory: 50Mi
          probes:
            liveness:
              enabled: true
              custom: true
              spec:
                exec:
                  command:
                  - /usr/bin/env
                  - bash
                  - -c
                  - node src/scripts/health-check.js
                failureThreshold: 5
                initialDelaySeconds: 60
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 10
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 5006
  route:
    main:
      kind: HTTPRoute
      parentRefs:
        - group: gateway.networking.k8s.io
          kind: Gateway
          name: traefik-gateway
          namespace: traefik
      hostnames:
        - actual.alexlebens.net
      rules:
        - backendRefs:
            - name: actual
              port: 80
          matches:
            - path:
                type: PathPrefix
                value: /
  persistence:
    data:
      forceRename: actual-data
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 2Gi
      advancedMounts:
        main:
          main:
            - path: /data
              readOnly: false
 volsync-target-data:
  pvcTarget: actual-data
  local:
    enabled: true
    schedule: 0 8 * * *
  remote:
    enabled: true
    schedule: 0 9 * * *
  external:
    enabled: true
    schedule: 0 10 * * *
--- a/clusters/cl01tl/helm/argocd/Chart.lock
+++ b/clusters/cl01tl/helm/argocd/Chart.lock
@@ -1,6 +0,0 @@
 dependencies:
 - name: argo-cd
  repository: https://argoproj.github.io/argo-helm
  version: 9.5.6
 digest: sha256:81edcf69a6e3d7c8a567984024ed0c3a1ccf7db284f547492dcce9af1b4ecbfa
 generated: "2026-04-28T18:24:45.609699191Z"
--- a/clusters/cl01tl/helm/argocd/Chart.yaml
+++ b/clusters/cl01tl/helm/argocd/Chart.yaml
@@ -1,20 +0,0 @@
 apiVersion: v2
 name: argocd
 version: 1.0.0
 description: Argo CD
 keywords:
  - argo-cd
  - deployment
 home: https://docs.alexlebens.dev/applications/argo-cd/
 sources:
  - https://github.com/argoproj/argo-cd
  - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
 maintainers:
  - name: alexlebens
 dependencies:
  - name: argo-cd
    version: 9.5.6
    repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-cd
 appVersion: v3.3.8
--- a/clusters/cl01tl/helm/argocd/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/argocd/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/argocd/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/argocd/templates/external-secret.yaml
@@ -1,40 +0,0 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: argocd-oidc-authentik
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: argocd-oidc-authentik
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: secret
      remoteRef:
        key: /cl01tl/authentik/oidc/argocd
        property: secret
    - secretKey: client
      remoteRef:
        key: /cl01tl/authentik/oidc/argocd
        property: client
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: argocd-notifications-ntfy
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: argocd-notifications-ntfy
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: ntfy-token
      remoteRef:
        key: /cl01tl/ntfy/users/cl01tl
        property: token
--- a/clusters/cl01tl/helm/argocd/templates/prometheus-rule.yaml
+++ b/clusters/cl01tl/helm/argocd/templates/prometheus-rule.yaml
@@ -1,108 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
  name: haproxy
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: haproxy
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  groups:
    - name: EmbeddedExporter
      rules:
        - alert: HAProxyHighHTTP4xxErrorRateBackend
          expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: HAProxy high HTTP 4xx error rate backend (instance {{ `{{ $labels.instance }}` }})
            description: "Too many HTTP requests with status 4xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyHighHTTP5xxErrorRateBackend
          expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: HAProxy high HTTP 5xx error rate backend (instance {{ `{{ $labels.instance }}` }})
            description: "Too many HTTP requests with status 5xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyHighHTTP4xxErrorRateServer
          expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: HAProxy high HTTP 4xx error rate server (instance {{ `{{ $labels.instance }}` }})
            description: "Too many HTTP requests with status 4xx (> 5%) on server {{ `{{ $labels.server }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyHighHTTP5xxErrorRateServer
          expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: HAProxy high HTTP 5xx error rate server (instance {{ `{{ $labels.instance }}` }})
            description: "Too many HTTP requests with status 5xx (> 5%) on server {{ `{{ $labels.server }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyServerResponseErrors
          expr: (sum by (server) (rate(haproxy_server_response_errors_total[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100 > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: HAProxy server response errors (instance {{ `{{ $labels.instance }}` }})
            description: "Too many response errors to {{ `{{ $labels.server }}` }} server (> 5%).\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyBackendConnectionErrors
          expr: (sum by (proxy) (rate(haproxy_backend_connection_errors_total[1m]))) > 100
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: HAProxy backend connection errors (instance {{ `{{ $labels.instance }}` }})
            description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} backend (> 100 req/s). Request throughput may be too high.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyServerConnectionErrors
          expr: (sum by (proxy) (rate(haproxy_server_connection_errors_total[1m]))) > 100
          for: 0m
          labels:
            severity: critical
          annotations:
            summary: HAProxy server connection errors (instance {{ `{{ $labels.instance }}` }})
            description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} (> 100 req/s). Request throughput may be too high.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyBackendMaxActiveSession>80%
          expr: (haproxy_backend_current_sessions / haproxy_backend_limit_sessions * 100) > 80 and haproxy_backend_limit_sessions > 0
          for: 2m
          labels:
            severity: warning
          annotations:
            summary: HAProxy backend max active session > 80% (instance {{ `{{ $labels.instance }}` }})
            description: "Session limit from backend {{ `{{ $labels.proxy }}` }} reached 80% of limit - {{ `{{ $value | printf \"%.2f\"}}` }}%\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyPendingRequests
          expr: sum by (proxy) (haproxy_backend_current_queue) > 0
          for: 2m
          labels:
            severity: warning
          annotations:
            summary: HAProxy pending requests (instance {{ `{{ $labels.instance }}` }})
            description: "Some HAProxy requests are pending on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyRetryHigh
          expr: sum by (proxy) (rate(haproxy_backend_retry_warnings_total[1m])) > 10
          for: 2m
          labels:
            severity: warning
          annotations:
            summary: HAProxy retry high (instance {{ `{{ $labels.instance }}` }})
            description: "High rate of retry on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyFrontendSecurityBlockedRequests
          expr: sum by (proxy) (rate(haproxy_frontend_denied_connections_total[2m])) > 10
          for: 2m
          labels:
            severity: warning
          annotations:
            summary: HAProxy frontend security blocked requests (instance {{ `{{ $labels.instance }}` }})
            description: "HAProxy is blocking requests for security reason\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: HAProxyServerHealthcheckFailure
          expr: increase(haproxy_server_check_failures_total[1m]) > 2
          for: 0m
          labels:
            severity: warning
          annotations:
            summary: HAProxy server healthcheck failure (instance {{ `{{ $labels.instance }}` }})
            description: "Some server healthcheck are failing on {{ `{{ $labels.server }}` }} ({{ `{{ $value }}` }} in the last 1m)\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
--- a/clusters/cl01tl/helm/argocd/values.yaml
+++ b/clusters/cl01tl/helm/argocd/values.yaml
@@ -1,387 +0,0 @@
 argo-cd:
  crds:
    install: true
    keep: true
  configs:
    cm:
      admin.enabled: true
      accounts.homepage: apiKey
      url: https://argocd.alexlebens.net
      statusbadge.url: https://argocd.alexlebens.net/
      statusbadge.enabled: true
      dex.config: |
        connectors:
        - config:
            issuer: https://authentik.alexlebens.net/application/o/argocd/
            clientID: $argocd-oidc-authentik:client
            clientSecret: $argocd-oidc-authentik:secret
            insecureEnableGroups: true
            scopes:
              - openid
              - profile
              - email
          name: authentik
          type: oidc
          id: authentik
    params:
      server.insecure: true
      controller.diff.server.side: true
    rbac:
      policy.csv: |
        g, ArgoCD Admins, role:admin
        g, homepage, role:readonly
  controller:
    replicas: 1
    resources:
      requests:
        cpu: 100m
        memory: 1Gi
    readinessProbe:
      failureThreshold: 3
      initialDelaySeconds: 60
      periodSeconds: 30
      successThreshold: 1
      timeoutSeconds: 5
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
      rules:
        enabled: true
        spec:
          - alert: ArgoAppMissing
            expr: |
              absent(argocd_app_info) == 1
            for: 15m
            labels:
              severity: critical
            annotations:
              summary: "[Argo CD] No reported applications"
              description: >
                Argo CD has not reported any applications data for the past 15 minutes which
                means that it must be down or not functioning properly.  This needs to be
                resolved for this cloud to continue to maintain state.
          - alert: ArgoAppNotSynced
            expr: |
              argocd_app_info{sync_status!="Synced"} == 1
            for: 12h
            labels:
              severity: warning
            annotations:
              summary: "[{{`{{$labels.name}}`}}] Application not synchronized"
              description: >
                The application [{{`{{$labels.name}}`}} has not been synchronized for over
                12 hours which means that the state of this cloud has drifted away from the
                state inside Git.
  dex:
    enabled: true
    resources:
      requests:
        cpu: 1m
        memory: 64Mi
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
    livenessProbe:
      enabled: true
    readinessProbe:
      enabled: true
  redis-ha:
    enabled: true
    image:
      repository: redis
      tag: 8.6.2-alpine@sha256:81b6f81d6a6c5b9019231a2e8eb10085e3a139a34f833dcc965a8a959b040b72
    persistentVolume:
      enabled: true
    redis:
      resources:
        requests:
          cpu: 1000m
          memory: 50Mi
    haproxy:
      enabled: true
      image:
        repository: haproxy
        tag: 3.3.7-alpine@sha256:2afa53c856e4e9fcc7dfb35b807fcb189896d7e62b38d363f9bedea92bce7f9a
      resources:
        requests:
          cpu: 5m
          memory: 90Mi
      metrics:
        enabled: true
        serviceMonitor:
          enabled: true
    exporter:
      enabled: true
      image: ghcr.io/oliver006/redis_exporter
      tag: v1.82.0@sha256:6a97d4dd743b533e1f950c677b87d880e44df363c61af3f406fc9e53ed65ee03
      serviceMonitor:
        enabled: true
    prometheusRule:
      enabled: true
      interval: 30s
      rules:
        - alert: RedisPodDown
          expr: |
            redis_up{job="{{ include "redis-ha.fullname" . }}"} == 0
          for: 5m
          labels:
            severity: critical
          annotations:
            description: Redis pod {{ "{{ $labels.pod }}" }} is down
            summary: Redis pod {{ "{{ $labels.pod }}" }} is down
    auth: false
  redisSecretInit:
    enabled: false
  server:
    replicas: 2
    resources:
     requests:
       cpu: 20m
       memory: 80Mi
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
    httproute:
      enabled: true
      parentRefs:
        - group: gateway.networking.k8s.io
          kind: Gateway
          name: traefik-gateway
          namespace: traefik
      hostnames:
        - argocd.alexlebens.net
  repoServer:
    replicas: 2
    resources:
      requests:
        cpu: 1m
        memory: 50Mi
    readinessProbe:
      enabled: true
      failureThreshold: 3
      initialDelaySeconds: 60
      periodSeconds: 30
      successThreshold: 1
      timeoutSeconds: 5
    livenessProbe:
      enabled: true
      failureThreshold: 3
      initialDelaySeconds: 60
      periodSeconds: 30
      successThreshold: 1
      timeoutSeconds: 5
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
  applicationSet:
    replicas: 2
    resources:
      requests:
        cpu: 10m
        memory: 50Mi
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
    readinessProbe:
      enabled: true
      failureThreshold: 3
      initialDelaySeconds: 60
      periodSeconds: 30
      successThreshold: 1
      timeoutSeconds: 5
    livenessProbe:
      enabled: true
      failureThreshold: 3
      initialDelaySeconds: 60
      periodSeconds: 30
      successThreshold: 1
      timeoutSeconds: 5
  notifications:
    argocdUrl: https://argocd.alexlebens.net
    secret:
      create: false
      name: argocd-notifications-ntfy
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
    notifiers:
      service.webhook.ntfy: |
        url: http://ntfy.ntfy/
        headers:
          - name: Authorization
            value: Bearer $ntfy-token
    resources:
      requests:
        cpu: 2m
        memory: 50Mi
    livenessProbe:
      enabled: true
    readinessProbe:
      enabled: true
    subscriptions:
      - recipients:
          - ntfy
        triggers:
          - on-created
          - on-deleted
          - on-deployed
          - on-health-degraded
          - on-sync-failed
          - on-sync-running
          - on-sync-status-unknown
          - on-sync-succeeded
    templates:
      template.app-created: |
        webhook:
          ntfy:
            method: POST
            body: |
              {
                "topic": "argocd",
                "message": "{{.app.metadata.name}} has been created.",
                "title": "Created: {{.app.metadata.name}}",
                "tags": ["building_construction"],
                "priority": 4,
                "click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
              }
      template.app-deleted: |
        webhook:
          ntfy:
            method: POST
            body: |
              {
                "topic": "argocd",
                "message": "{{.app.metadata.name}} has been deleted",
                "title": "Deleted: {{.app.metadata.name}}",
                "tags": ["warning"],
                "priority": 4,
                "click": "{{.context.argocdUrl}}"
              }
      template.app-deployed: |
        webhook:
          ntfy:
            method: POST
            body: |
              {
                "topic": "argocd",
                "message": "{{.app.metadata.name}} is now running new version of deployments manifests",
                "title": "Deployed: {{.app.metadata.name}}",
                "tags": ["+1"],
                "priority": 3,
                "click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
              }
      template.app-health-degraded: |
        webhook:
          ntfy:
            method: POST
            body: |
              {
                "topic": "argocd",
                "message": "{{.app.metadata.name}} health has degraded",
                "title": "Degraded: {{.app.metadata.name}}",
                "tags": ["rotating_light"],
                "priority": 4,
                "click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
              }
      template.app-sync-failed: |
        webhook:
          ntfy:
            method: POST
            body: |
              {
                "topic": "argocd",
                "message": "{{.app.metadata.name}} sync has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}}",
                "title": "Sync Failed: {{.app.metadata.name}}",
                "tags": ["rotating_light"],
                "priority": 4,
                "click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
              }
      template.app-sync-running: |
        webhook:
          ntfy:
            method: POST
            body: |
              {
                "topic": "argocd",
                "message": "{{.app.metadata.name}} sync has started at {{.app.status.operationState.startedAt}}",
                "title": "Sync Running: {{.app.metadata.name}}",
                "tags": ["runner"],
                "priority": 3,
                "click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
              }
      template.app-sync-status-unknown: |
        webhook:
          ntfy:
            method: POST
            body: |
              {
                "topic": "argocd",
                "message": "{{.app.metadata.name}} sync status is unknown",
                "title": "Sync Unknown: {{.app.metadata.name}}",
                "tags": ["question"],
                "priority": 3,
                "click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}"
              }
      template.app-sync-succeeded: |
        webhook:
          ntfy:
            method: POST
            body: |
              {
                "topic": "argocd",
                "message": "{{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}",
                "title": "Sync Succeeded: {{.app.metadata.name}}",
                "tags": ["+1"],
                "priority": 3,
                "click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
              }
    triggers:
      trigger.on-created: |
        - description: Application {{.app.metadata.name}} has been created.
          oncePer: app.metadata.name
          send:
            - app-created
          when: "true"
      trigger.on-deleted: |
        - description: Application {{.app.metadata.name}} has been deleted.
          oncePer: app.metadata.name
          send:
            - app-deleted
          when: app.metadata.deletionTimestamp != nil
      trigger.on-deployed: |
        - description: Application is synced and healthy. Triggered once per commit.
          oncePer: app.status.operationState.syncResult.revision
          send:
            - app-deployed
          when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'
      trigger.on-health-degraded: |
        - description: Application has degraded
          send:
            - app-health-degraded
          when: app.status.health.status == 'Degraded'
      trigger.on-sync-failed: |
        - description: Application syncing has failed
          send:
            - app-sync-failed
          when: app.status.operationState.phase in ['Error', 'Failed']
      trigger.on-sync-running: |
        - description: Application is being synced
          send:
           - app-sync-running
          when: app.status.operationState.phase in ['Running']
      trigger.on-sync-status-unknown: |
        - description: Application status is 'Unknown'
          send:
            - app-sync-status-unknown
          when: app.status.sync.status == 'Unknown'
      trigger.on-sync-succeeded: |
        - description: Application syncing has succeeded
          send:
            - app-sync-succeeded
          when: app.status.operationState.phase in ['Succeeded']
--- a/clusters/cl01tl/helm/audiobookshelf/Chart.lock
+++ b/clusters/cl01tl/helm/audiobookshelf/Chart.lock
@@ -1,12 +0,0 @@
 dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 1.1.1
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 1.1.1
 digest: sha256:2275b211b02253019e5830e0258f936f1494380cc50cea03bc31d75281365dcc
 generated: "2026-04-28T17:54:10.288277-05:00"
--- a/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
@@ -1,35 +0,0 @@
 apiVersion: v2
 name: audiobookshelf
 version: 1.0.0
 description: Audiobookshelf
 keywords:
  - audiobookshelf
  - books
  - podcasts
  - audiobooks
 home: https://docs.alexlebens.dev/applications/audiobookshelf/
 sources:
  - https://github.com/advplyr/audiobookshelf
  - https://github.com/caronc/apprise
  - https://github.com/advplyr/audiobookshelf/pkgs/container/audiobookshelf
  - https://github.com/caronc/apprise-api/pkgs/container/apprise
  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: audiobookshelf
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
  - name: volsync-target
    alias: volsync-target-config
    version: 1.1.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-metadata
    version: 1.1.1
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 # renovate: datasource=github-releases depName=advplyr/audiobookshelf
 appVersion: 2.34.0
--- a/clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl
@@ -1,27 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "custom.booksNfsName" -}}
 audiobookshelf-books-nfs-storage
 {{- end -}}
 {{- define "custom.audiobooksNfsName" -}}
 audiobookshelf-audiobooks-nfs-storage
 {{- end -}}
 {{- define "custom.podcastsNfsName" -}}
 audiobookshelf-podcasts-nfs-storage
 {{- end -}}
--- a/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
@@ -1,27 +0,0 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: audiobookshelf-config-apprise
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-config-apprise
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        ntfy-url: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}"
  data:
    - secretKey: endpoint
      remoteRef:
        key: /cl01tl/ntfy/users/cl01tl
        property: internal-endpoint-credential
    - secretKey: topic
      remoteRef:
        key: /cl01tl/ntfy/topics
        property: audiobookshelf
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
@@ -1,52 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: {{ include "custom.booksNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
    {{ include "custom.labels" . | nindent 4 }}
 spec:
  volumeName: {{ include "custom.booksNfsName" . }}
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: {{ include "custom.audiobooksNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  volumeName: {{ include "custom.audiobooksNfsName" . }}
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: {{ include "custom.podcastsNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  volumeName: {{ include "custom.podcastsNfsName" . }}
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
@@ -1,70 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: {{ include "custom.booksNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage/Books
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: {{ include "custom.audiobooksNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage/Audiobooks
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: {{ include "custom.podcastsNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage/Podcasts
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
--- a/clusters/cl01tl/helm/audiobookshelf/values.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/values.yaml
@@ -1,149 +0,0 @@
 audiobookshelf:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      pod:
        securityContext:
          fsGroup: 1000
          fsGroupChangePolicy: OnRootMismatch
      containers:
        main:
          image:
            repository: ghcr.io/advplyr/audiobookshelf
            tag: 2.34.0@sha256:4143292c530f6ac6700afd13360c04f477e4f1a81c1c97c4224b1c7e4330c5c4
          env:
            - name: TZ
              value: America/Chicago
          resources:
            requests:
              cpu: 1m
              memory: 200Mi
        apprise-api:
          image:
            repository: ghcr.io/caronc/apprise
            tag: v1.4.0@sha256:9d97a6b9b42cf6afdf3b5466dbed2a59cd42a4bb777ec6aa57b5f2ee623569eb
          env:
            - name: TZ
              value: America/Chicago
            - name: PGID
              value: "1000"
            - name: PUID
              value: "1000"
            - name: APPRISE_STORAGE_MODE
              value: memory
            - name: APPRISE_STATEFUL_MODE
              value: disabled
            - name: APPRISE_WORKER_COUNT
              value: 1
            - name: APPRISE_STATELESS_URLS
              valueFrom:
                secretKeyRef:
                  name: audiobookshelf-config-apprise
                  key: ntfy-url
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 80
        apprise:
          port: 8000
          targetPort: 8000
  serviceMonitor:
    main:
      selector:
        matchLabels:
          app.kubernetes.io/name: audiobookshelf
          app.kubernetes.io/instance: audiobookshelf
      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
      endpoints:
        - port: apprise
          scheme: http
          path: /metrics
          interval: 30s
          scrapeTimeout: 15s
  route:
    main:
      kind: HTTPRoute
      parentRefs:
        - group: gateway.networking.k8s.io
          kind: Gateway
          name: traefik-gateway
          namespace: traefik
      hostnames:
        - audiobookshelf.alexlebens.net
      rules:
        - backendRefs:
            - name: audiobookshelf
              port: 80
          matches:
            - path:
                type: PathPrefix
                value: /
  persistence:
    config:
      forceRename: audiobookshelf-config
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 2Gi
      advancedMounts:
        main:
          main:
            - path: /config
              readOnly: false
    metadata:
      forceRename: audiobookshelf-metadata
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 10Gi
      advancedMounts:
        main:
          main:
            - path: /metadata
              readOnly: false
    books:
      existingClaim: audiobookshelf-books-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /mnt/store/Books
              readOnly: false
    audiobooks:
      existingClaim: audiobookshelf-audiobooks-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /mnt/store/Audiobooks
              readOnly: false
    podcasts:
      existingClaim: audiobookshelf-podcasts-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /mnt/store/Podcasts
              readOnly: false
 volsync-target-config:
  pvcTarget: audiobookshelf-config
  local:
    enabled: true
    schedule: 2 8 * * *
  remote:
    enabled: true
    schedule: 2 9 * * *
  external:
    enabled: true
    schedule: 2 10 * * *
 volsync-target-metadata:
  pvcTarget: audiobookshelf-metadata
  local:
    enabled: true
    schedule: 4 8 * * *
  remote:
    enabled: true
    schedule: 4 9 * * *
  external:
    enabled: true
    schedule: 4 10 * * *
--- a/clusters/cl01tl/helm/authentik/Chart.lock
+++ b/clusters/cl01tl/helm/authentik/Chart.lock
@@ -1,15 +0,0 @@
 dependencies:
 - name: authentik
  repository: https://charts.goauthentik.io/
  version: 2026.2.2
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 2.6.0
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 7.12.1
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.6.1
 digest: sha256:d1dbca83e5b63a58a9bf9f2903d1b45bbadca3e8599541367bc61ef2ce938cdb
 generated: "2026-04-24T21:50:21.398658595Z"
--- a/clusters/cl01tl/helm/authentik/Chart.yaml
+++ b/clusters/cl01tl/helm/authentik/Chart.yaml
@@ -1,36 +0,0 @@
 apiVersion: v2
 name: authentik
 version: 1.0.0
 description: Authentik
 keywords:
  - authentik
  - sso
  - oidc
  - authentication
 home: https://docs.alexlebens.dev/applications/authentik/
 sources:
  - https://github.com/goauthentik/authentik
  - https://github.com/goauthentik/helm
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
 maintainers:
  - name: alexlebens
 dependencies:
  - name: authentik
    version: 2026.2.2
    repository: https://charts.goauthentik.io/
  - name: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
    version: 2.6.0
  - name: postgres-cluster
    alias: postgres-18-cluster
    version: 7.12.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey
    version: 0.6.1
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
 # renovate: datasource=github-releases depName=goauthentik/authentik
 appVersion: 2025.10.2
--- a/clusters/cl01tl/helm/authentik/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/authentik/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/authentik/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/external-secret.yaml
@@ -1,17 +0,0 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: authentik-key
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: authentik-key
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: key
      remoteRef:
        key: /cl01tl/authentik/key
        property: key
--- a/clusters/cl01tl/helm/authentik/templates/ingress.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/ingress.yaml
@@ -1,28 +0,0 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ .Release.Name }}-tailscale
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
    {{- include "custom.labels" . | nindent 4 }}
    tailscale.com/proxy-class: no-metrics
  annotations:
    tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
 spec:
  ingressClassName: tailscale
  tls:
    - hosts:
        - auth-cl01tl
      secretName: auth-cl01tl
  rules:
    - host: auth-cl01tl
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: authentik-server
                port:
                  name: http
--- a/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
@@ -1,38 +0,0 @@
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: ReferenceGrant
 metadata:
  name: allow-outpost-cross-namespace-access
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: allow-outpost-cross-namespace-access
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: lidarr
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: radarr
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: radarr-4k
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: radarr-anime
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: radarr-standup
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: sonarr
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: sonarr-4k
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: sonarr-anime
  to:
    - group: ""
      kind: Service
      name: ak-outpost-traefik-proxy-auth
--- a/clusters/cl01tl/helm/authentik/values.yaml
+++ b/clusters/cl01tl/helm/authentik/values.yaml
@@ -1,100 +0,0 @@
 authentik:
  global:
    env:
      - name: AUTHENTIK_SECRET_KEY
        valueFrom:
          secretKeyRef:
            name: authentik-key
            key: key
      - name: AUTHENTIK_POSTGRESQL__HOST
        valueFrom:
          secretKeyRef:
            name: authentik-postgresql-18-cluster-app
            key: host
      - name: AUTHENTIK_POSTGRESQL__NAME
        valueFrom:
          secretKeyRef:
            name: authentik-postgresql-18-cluster-app
            key: dbname
      - name: AUTHENTIK_POSTGRESQL__USER
        valueFrom:
          secretKeyRef:
            name: authentik-postgresql-18-cluster-app
            key: user
      - name: AUTHENTIK_POSTGRESQL__PASSWORD
        valueFrom:
          secretKeyRef:
            name: authentik-postgresql-18-cluster-app
            key: password
  authentik:
    redis:
      host: authentik-valkey
  server:
    replicas: 2
    resources:
      requests:
        cpu: 20m
        memory: 700Mi
    livenessProbe:
      failureThreshold: 3
      initialDelaySeconds: 15
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    readinessProbe:
      failureThreshold: 3
      initialDelaySeconds: 15
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
    route:
      main:
        enabled: true
        hostnames:
          - authentik.alexlebens.net
        parentRefs:
          - group: gateway.networking.k8s.io
            kind: Gateway
            name: traefik-gateway
            namespace: traefik
  worker:
    name: worker
    replicas: 2
    resources:
      requests:
        cpu: 80m
        memory: 650Mi
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
  prometheus:
    rules:
      enabled: true
 postgres-18-cluster:
  mode: recovery
  cluster:
    resources:
      requests:
        memory: 150Mi
  recovery:
    method: objectStore
    objectStore:
      index: 2
  backup:
    objectStore:
      - name: garage-local
        index: 2
        destinationBucket: postgres-backups
        externalSecretCredentialPath: /garage/home-infra/postgres-backups
        isWALArchiver: true
    scheduledBackups:
      - name: live-backup
        suspend: false
        immediate: true
        schedule: "0 5 14 * * *"
        backupName: garage-local
--- a/clusters/cl01tl/helm/backrest/Chart.lock
+++ b/clusters/cl01tl/helm/backrest/Chart.lock
@@ -1,12 +0,0 @@
 dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 1.1.1
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 1.1.1
 digest: sha256:82e85dc79199cc8b75dde412d595621817b3fa2c073c131162d0079a0b63f369
 generated: "2026-04-28T23:31:05.864191451Z"
--- a/clusters/cl01tl/helm/backrest/Chart.yaml
+++ b/clusters/cl01tl/helm/backrest/Chart.yaml
@@ -1,31 +0,0 @@
 apiVersion: v2
 name: backrest
 version: 1.0.0
 description: backrest
 keywords:
  - backrest
  - backup
 home: https://docs.alexlebens.dev/applications/backrest/
 sources:
  - https://github.com/garethgeorge/backrest
  - https://github.com/garethgeorge/backrest/pkgs/container/backrest
  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: backrest
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
  - name: volsync-target
    alias: volsync-target-config
    version: 1.1.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-data
    version: 1.1.1
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
 # renovate: datasource=github-releases depName=garethgeorge/backrest
 appVersion: v1.12.1
--- a/clusters/cl01tl/helm/backrest/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/backrest/templates/_helpers.tpl
@@ -1,24 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "custom.storageNfsName" -}}
 backrest-nfs-storage
 {{- end -}}
 {{- define "custom.shareNfsName" -}}
 backrest-nfs-share
 {{- end -}}
--- a/clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
@@ -1,34 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: {{ include "custom.storageNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  volumeName: {{ include "custom.storageNfsName" . }}
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: {{ include "custom.shareNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  volumeName: {{ include "custom.shareNfsName" . }}
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
@@ -1,46 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: {{ include "custom.storageNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: {{ include "custom.shareNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Share
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
--- a/clusters/cl01tl/helm/backrest/values.yaml
+++ b/clusters/cl01tl/helm/backrest/values.yaml
@@ -1,135 +0,0 @@
 backrest:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      containers:
        main:
          image:
            repository: ghcr.io/garethgeorge/backrest
            tag: v1.12.1@sha256:f4d34bd6fa985d13bdb6c01c5d8727e07708899afa9567d800808357d77b9fb0
          env:
            - name: TZ
              value: America/Chicago
            - name: BACKREST_DATA
              value: /data
            - name: BACKREST_CONFIG
              value: /config/config.json
            - name: XDG_CACHE_HOME
              value: /cache
            - name: TMPDIR
              value: /tmp
          resources:
            requests:
              cpu: 1m
              memory: 30Mi
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 9898
  serviceMonitor:
    main:
      selector:
        matchLabels:
          app.kubernetes.io/name: backrest
          app.kubernetes.io/instance: backrest
      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
      endpoints:
        - port: http
          scheme: http
          path: /metrics
          interval: 300s
          scrapeTimeout: 15s
  route:
    main:
      kind: HTTPRoute
      parentRefs:
        - group: gateway.networking.k8s.io
          kind: Gateway
          name: traefik-gateway
          namespace: traefik
      hostnames:
        - backrest.alexlebens.net
      rules:
        - backendRefs:
            - name: backrest
              port: 80
          matches:
            - path:
                type: PathPrefix
                value: /
  persistence:
    data:
      forceRename: backrest-data
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 10Gi
      advancedMounts:
        main:
          main:
            - path: /data
              readOnly: false
    config:
      forceRename: backrest-config
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 1Gi
      advancedMounts:
        main:
          main:
            - path: /config
              readOnly: false
    cache:
      type: emptyDir
      advancedMounts:
        main:
          main:
            - path: /cache
              readOnly: false
    tmp:
      type: emptyDir
      advancedMounts:
        main:
          main:
            - path: /tmp
              readOnly: false
    storage:
      existingClaim: backrest-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /mnt/storage
              readOnly: true
    share:
      existingClaim: backrest-nfs-share
      advancedMounts:
        main:
          main:
            - path: /mnt/share
              readOnly: true
 volsync-target-data:
  pvcTarget: backrest-data
  local:
    enabled: true
    schedule: 6 8 * * *
  remote:
    enabled: true
    schedule: 6 9 * * *
  external:
    enabled: true
    schedule: 6 10 * * *
 volsync-target-config:
  pvcTarget: backrest-config
  local:
    enabled: true
    schedule: 8 8 * * *
  remote:
    enabled: true
    schedule: 8 9 * * *
  external:
    enabled: true
    schedule: 8 10 * * *
--- a/clusters/cl01tl/helm/bazarr/Chart.lock
+++ b/clusters/cl01tl/helm/bazarr/Chart.lock
@@ -1,9 +0,0 @@
 dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 1.1.1
 digest: sha256:9228c387a1b50545d8b348c94ae55b17952d32652ca48d0329c65f4ee651706e
 generated: "2026-04-28T23:31:15.743170757Z"
--- a/clusters/cl01tl/helm/bazarr/Chart.yaml
+++ b/clusters/cl01tl/helm/bazarr/Chart.yaml
@@ -1,31 +0,0 @@
 apiVersion: v2
 name: bazarr
 version: 1.0.0
 description: Bazarr
 keywords:
  - bazarr
  - subtitles
  - servarr
 home: https://docs.alexlebens.dev/applications/bazarr/
 sources:
  - https://github.com/morpheus65535/bazarr
  - https://github.com/linuxserver/docker-bazarr
  - https://github.com/onedr0p/exportarr
  - https://github.com/linuxserver/docker-bazarr/pkgs/container/bazarr
  - https://github.com/onedr0p/exportarr/pkgs/container/exportarr
  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: bazarr
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
  - name: volsync-target
    alias: volsync-target-config
    version: 1.1.1
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
 # renovate: datasource=github-releases depName=linuxserver/docker-bazarr
 appVersion: v1.5.6-ls342
--- a/clusters/cl01tl/helm/bazarr/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/bazarr/templates/_helpers.tpl
@@ -1,21 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "custom.storageNfsName" -}}
 bazarr-nfs-storage
 {{- end -}}
--- a/clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
@@ -1,17 +0,0 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: bazarr-key
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: bazarr-key
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: key
      remoteRef:
        key: /cl01tl/bazarr/key
        property: key
--- a/clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
@@ -1,16 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: {{ include "custom.storageNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  volumeName: {{ include "custom.storageNfsName" . }}
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
--- a/clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
@@ -1,22 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: {{ include "custom.storageNfsName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
--- a/clusters/cl01tl/helm/bazarr/values.yaml
+++ b/clusters/cl01tl/helm/bazarr/values.yaml
@@ -1,121 +0,0 @@
 bazarr:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      pod:
        securityContext:
          runAsUser: 1000
          runAsGroup: 1000
          fsGroup: 1000
          fsGroupChangePolicy: OnRootMismatch
      containers:
        main:
          image:
            repository: ghcr.io/linuxserver/bazarr
            tag: v1.5.6-ls342@sha256:9a631194c0dee21c85b5bff59e23610e1ae2f54594e922973949d271102e585e
          env:
            - name: TZ
              value: America/Chicago
            - name: PUID
              value: 1000
            - name: PGID
              value: 1000
          resources:
            requests:
              cpu: 10m
              memory: 250Mi
        metrics:
          image:
            repository: ghcr.io/onedr0p/exportarr
            tag: v2.3.0@sha256:af535d94061cf97a52e1661945ffba78c03f9443eae7c0da1a80a5a4be56b520
          args: ["bazarr"]
          env:
            - name: URL
              value: http://localhost:6767
            - name: PORT
              value: 9792
            - name: APIKEY
              valueFrom:
                secretKeyRef:
                  name: bazarr-key
                  key: key
            - name: ENABLE_ADDITIONAL_METRICS
              value: false
            - name: ENABLE_UNKNOWN_QUEUE_ITEMS
              value: false
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 6767
        metrics:
          port: 9792
          targetPort: 9792
  serviceMonitor:
    main:
      selector:
        matchLabels:
          app.kubernetes.io/name: bazarr
          app.kubernetes.io/instance: bazarr
      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
      endpoints:
        - port: metrics
          interval: 3m
          scrapeTimeout: 1m
          path: /metrics
  route:
    main:
      kind: HTTPRoute
      parentRefs:
        - group: gateway.networking.k8s.io
          kind: Gateway
          name: traefik-gateway
          namespace: traefik
      hostnames:
        - bazarr.alexlebens.net
      rules:
        - backendRefs:
            - name: bazarr
              port: 80
          matches:
            - path:
                type: PathPrefix
                value: /
  persistence:
    config:
      forceRename: bazarr-config
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 5Gi
      advancedMounts:
        main:
          main:
            - path: /config
              readOnly: false
    media:
      existingClaim: bazarr-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /mnt/store
              readOnly: false
 volsync-target-config:
  pvcTarget: bazarr-config
  moverSecurityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    fsGroupChangePolicy: OnRootMismatch
  local:
    enabled: true
    schedule: 10 8 * * *
  remote:
    enabled: true
    schedule: 10 9 * * *
  external:
    enabled: true
    schedule: 10 10 * * *
--- a/clusters/cl01tl/helm/blocky/Chart.lock
+++ b/clusters/cl01tl/helm/blocky/Chart.lock
@@ -1,9 +0,0 @@
 dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.6.1
 digest: sha256:6ed3a7587906fbda581d0091ff2c29a1816b8b0b8ae40add9885e6a68b2b82ae
 generated: "2026-04-13T20:32:34.844998902Z"
--- a/clusters/cl01tl/helm/blocky/Chart.yaml
+++ b/clusters/cl01tl/helm/blocky/Chart.yaml
@@ -1,27 +0,0 @@
 apiVersion: v2
 name: blocky
 version: 1.0.0
 description: Blocky
 keywords:
  - blocky
  - dns
 home: https://docs.alexlebens.dev/applications/blocky/
 sources:
  - https://github.com/0xERR0R/blocky
  - https://github.com/0xERR0R/blocky/pkgs/container/blocky
  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: blocky
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
  - name: valkey
    alias: valkey
    version: 0.6.1
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
 # renovate: datasource=github-releases depName=0xerr0r/blocky
 appVersion: v0.29.0
--- a/clusters/cl01tl/helm/blocky/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/blocky/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/blocky/values.yaml
+++ b/clusters/cl01tl/helm/blocky/values.yaml
@@ -1,337 +0,0 @@
 blocky:
  controllers:
    main:
      type: deployment
      replicas: 3
      strategy: RollingUpdate
      containers:
        main:
          image:
            repository: ghcr.io/0xerr0r/blocky
            tag: v0.29.0@sha256:a6d99f323d3036a99a3767a52ad612f4d8f3f31167492bfc14d4ea57b24cdfd0
          env:
            - name: TZ
              value: America/Chicago
          resources:
            requests:
              cpu: 10m
              memory: 100Mi
  configMaps:
    config:
      enabled: true
      data:
        config.yml: |
          upstreams:
            init:
              strategy: fast
            groups:
              default:
                - tcp-tls:1.1.1.1:853
                - tcp-tls:1.0.0.1:853
            strategy: parallel_best
            timeout: 2s
          connectIPVersion: v4
          customDNS:
            filterUnmappedTypes: false
            zone: |
              $ORIGIN alexlebens.net.
              $TTL 86400
              ;; Name Server
                                              IN      NS      patryk.ns.cloudflare.com.
                                              IN      NS      veda.ns.cloudflare.com.
                                              IN      NS      dns1.
                                              IN      NS      dns2.
                                              IN      NS      dns3.
              dns1                            IN      A       10.232.1.22
              dns2                            IN      A       10.232.1.51
              dns3                            IN      A       10.232.1.52
              ;; Computer Names
              nw01un                          IN      A       192.168.1.1   ; Unifi Gateway
              ps08rp                          IN      A       10.232.1.51   ; DNS
              ps09rp                          IN      A       10.232.1.52   ; DNS
              ps02sn                          IN      A       10.232.1.61   ; Synology Web
              ps02sn-bond                     IN      A       10.232.1.64   ; Synology Bond for Storage
              pd05wd                          IN      A       10.230.0.115  ; Desktop
              pl02mc                          IN      A       10.230.0.105  ; Laptop
              dv01hr                          IN      A       10.232.1.72   ; HD Homerun
              dv02kv                          IN      A       10.232.1.71   ; Pi KVM
              it01ag                          IN      A       10.232.1.83   ; Airgradient
              it02ph                          IN      A       10.232.1.85   ; Phillips Hue
              it03tb                          IN      A       10.232.1.81   ; TubesZB ZigBee
              it04tb                          IN      A       10.232.1.82   ; TubesZB Z-Wave
              it05sp                          IN      A       10.230.0.100  ; Shelly Plug
              ;; Common Names
              synology                        IN      CNAME   ps02sn
              synologybond                    IN      CNAME   ps02sn-bond
              unifi                           IN      CNAME   nw01un
              airgradient                     IN      CNAME   it01ag
              hdhr                            IN      CNAME   dv01hr
              pikvm                           IN      CNAME   dv02kv
              ;; Service Names
              cl01tl                          IN      A       10.232.1.11
              cl01tl                          IN      A       10.232.1.12
              cl01tl                          IN      A       10.232.1.13
              cl01tl-api                      IN      A       10.232.1.11
              cl01tl-api                      IN      A       10.232.1.12
              cl01tl-api                      IN      A       10.232.1.13
              cl01tl-endpoint                 IN      A       10.232.1.21
              cl01tl-endpoint                 IN      A       10.232.1.22
              cl01tl-endpoint                 IN      A       10.232.1.23
              traefik-cl01tl                  IN      A       10.232.1.21
              blocky                          IN      A       10.232.1.22
              plex-lb                         IN      A       10.232.1.23
              ;; Application Names
              actual                          IN      CNAME   traefik-cl01tl
              alertmanager                    IN      CNAME   traefik-cl01tl
              argocd                          IN      CNAME   traefik-cl01tl
              audiobookshelf                  IN      CNAME   traefik-cl01tl
              authentik                       IN      CNAME   traefik-cl01tl
              backrest                        IN      CNAME   traefik-cl01tl
              bao                             IN      CNAME   traefik-cl01tl
              bazarr                          IN      CNAME   traefik-cl01tl
              ceph                            IN      CNAME   traefik-cl01tl
              dawarich                        IN      CNAME   traefik-cl01tl
              directus                        IN      CNAME   traefik-cl01tl
              excalidraw                      IN      CNAME   traefik-cl01tl
              feishin                         IN      CNAME   traefik-cl01tl
              foldergram                      IN      CNAME   traefik-cl01tl
              garage-s3                       IN      CNAME   traefik-cl01tl
              garage-webui                    IN      CNAME   traefik-cl01tl
              gatus                           IN      CNAME   traefik-cl01tl
              gitea                           IN      CNAME   traefik-cl01tl
              grafana                         IN      CNAME   traefik-cl01tl
              grimmory                        IN      CNAME   traefik-cl01tl
              harbor                          IN      CNAME   traefik-cl01tl
              headlamp                        IN      CNAME   traefik-cl01tl
              home                            IN      CNAME   traefik-cl01tl
              home-assistant                  IN      CNAME   traefik-cl01tl
              home-assistant-code-server      IN      CNAME   traefik-cl01tl
              houndarr                        IN      CNAME   traefik-cl01tl
              hubble                          IN      CNAME   traefik-cl01tl
              immich                          IN      CNAME   traefik-cl01tl
              jellyfin                        IN      CNAME   traefik-cl01tl
              jellystat                       IN      CNAME   traefik-cl01tl
              kiwix                           IN      CNAME   traefik-cl01tl
              komodo                          IN      CNAME   traefik-cl01tl
              languagetool                    IN      CNAME   traefik-cl01tl
              lidarr                          IN      CNAME   traefik-cl01tl
              mail                            IN      CNAME   traefik-cl01tl
              medialyze                       IN      CNAME   traefik-cl01tl
              music-grabber                   IN      CNAME   traefik-cl01tl
              navidrome                       IN      CNAME   traefik-cl01tl
              ntfy                            IN      CNAME   traefik-cl01tl
              objects                         IN      CNAME   traefik-cl01tl
              ollama                          IN      CNAME   traefik-cl01tl
              omni-tools                      IN      CNAME   traefik-cl01tl
              paperless-ngx                   IN      CNAME   traefik-cl01tl
              plex                            IN      CNAME   traefik-cl01tl
              postiz-spotlight                IN      CNAME   traefik-cl01tl
              postiz-temporal                 IN      CNAME   traefik-cl01tl
              prometheus                      IN      CNAME   traefik-cl01tl
              prowlarr                        IN      CNAME   traefik-cl01tl
              qbittorrent                     IN      CNAME   traefik-cl01tl
              qui                             IN      CNAME   traefik-cl01tl
              radarr                          IN      CNAME   traefik-cl01tl
              radarr-4k                       IN      CNAME   traefik-cl01tl
              radarr-anime                    IN      CNAME   traefik-cl01tl
              radarr-standup                  IN      CNAME   traefik-cl01tl
              searxng                         IN      CNAME   traefik-cl01tl
              seerr                           IN      CNAME   traefik-cl01tl
              shelfmark                       IN      CNAME   traefik-cl01tl
              slskd                           IN      CNAME   traefik-cl01tl
              sonarr                          IN      CNAME   traefik-cl01tl
              sonarr-4k                       IN      CNAME   traefik-cl01tl
              sonarr-anime                    IN      CNAME   traefik-cl01tl
              sparkyfitness                   IN      CNAME   traefik-cl01tl
              stalwart                        IN      CNAME   traefik-cl01tl
              tdarr                           IN      CNAME   traefik-cl01tl
              tubearchivist                   IN      CNAME   traefik-cl01tl
              vault                           IN      CNAME   traefik-cl01tl
              whodb                           IN      CNAME   traefik-cl01tl
              yamtrack                        IN      CNAME   traefik-cl01tl
              yubal                           IN      CNAME   traefik-cl01tl
          blocking:
            denylists:
              sus:
                - https://v.firebog.net/hosts/static/w3kbl.txt
              ads:
                - https://v.firebog.net/hosts/AdguardDNS.txt
                - https://v.firebog.net/hosts/Admiral.txt
                - https://v.firebog.net/hosts/Easylist.txt
                - https://adaway.org/hosts.txt
              priv:
                - https://v.firebog.net/hosts/Easyprivacy.txt
                - https://v.firebog.net/hosts/Prigent-Ads.txt
              mal:
                - https://v.firebog.net/hosts/Prigent-Crypto.txt
              pro:
                - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro.plus.txt
              oisd:
                - https://big.oisd.nl/domainswild
            allowlists:
              sus:
                - |
                  *.alexlebens.net
                  *.alexlebens.dev
                  *.boreal-beaufort.ts.net
                  *.discord.com
                  cdn.trackjs.com
              ads:
                - |
                  *.alexlebens.net
                  *.alexlebens.dev
                  *.boreal-beaufort.ts.net
                  *.discord.com
                  cdn.trackjs.com
              priv:
                - |
                  *.alexlebens.net
                  *.alexlebens.dev
                  *.boreal-beaufort.ts.net
                  *.discord.com
                  cdn.trackjs.com
              mal:
                - |
                  *.alexlebens.net
                  *.alexlebens.dev
                  *.boreal-beaufort.ts.net
                  *.discord.com
                  cdn.trackjs.com
              pro:
                - |
                  *.alexlebens.net
                  *.alexlebens.dev
                  *.boreal-beaufort.ts.net
                  *.discord.com
                  cdn.trackjs.com
              oisd:
                - |
                  *.alexlebens.net
                  *.alexlebens.dev
                  *.boreal-beaufort.ts.net
                  *.discord.com
                  cdn.trackjs.com
            clientGroupsBlock:
              default:
                - sus
                - ads
                - priv
                - mal
                - pro
                - oisd
            blockType: zeroIp
            blockTTL: 1m
            loading:
              refreshPeriod: 24h
              downloads:
                timeout: 60s
                attempts: 5
                cooldown: 10s
              concurrency: 16
              strategy: fast
              maxErrorsPerSource: 5
          caching:
            minTime: 5m
            maxTime: 30m
            maxItemsCount: 0
            prefetching: true
            prefetchExpires: 2h
            prefetchThreshold: 5
            prefetchMaxItemsCount: 0
            cacheTimeNegative: 30m
          redis:
            address: blocky-valkey.blocky:6379
            required: true
          prometheus:
            enable: true
            path: /metrics
          queryLog:
            type: console
            logRetentionDays: 7
            creationAttempts: 1
            creationCooldown: 2s
            flushInterval: 30s
          minTlsServeVersion: 1.3
          ports:
            dns: 53
            http: 4000
          log:
            level: info
            format: text
            timestamp: true
            privacy: false
  service:
    dns-external:
      controller: main
      type: LoadBalancer
      annotations:
        tailscale.com/expose: "true"
      ports:
        tcp:
          port: 53
          targetPort: 53
          protocol: TCP
        udp:
          port: 53
          targetPort: 53
          protocol: UDP
    metrics:
      controller: main
      ports:
        metrics:
          port: 4000
          targetPort: 4000
          protocol: TCP
  serviceMonitor:
    main:
      selector:
        matchLabels:
          app.kubernetes.io/name: blocky
          app.kubernetes.io/instance: blocky
      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
      endpoints:
        - port: metrics
          scheme: http
          path: /metrics
          interval: 30s
          scrapeTimeout: 10s
  persistence:
    config:
      enabled: true
      type: configMap
      name: blocky
      advancedMounts:
        main:
          main:
            - path: /app/config.yml
              readOnly: true
              mountPropagation: None
              subPath: config.yml
--- a/clusters/cl01tl/helm/cert-manager/Chart.lock
+++ b/clusters/cl01tl/helm/cert-manager/Chart.lock
@@ -1,6 +0,0 @@
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
  version: v1.20.2
 digest: sha256:f218239b4538c64d57e098a56c69dcbc4e076ffcc3d320c5a5fef1e6309e38cf
 generated: "2026-04-13T23:02:59.380767677Z"
--- a/clusters/cl01tl/helm/cert-manager/Chart.yaml
+++ b/clusters/cl01tl/helm/cert-manager/Chart.yaml
@@ -1,20 +0,0 @@
 apiVersion: v2
 name: cert-manager
 version: 1.0.0
 description: Cert Manager
 keywords:
  - cert-manager
  - certificates
 home: https://docs.alexlebens.dev/applications/cert-manager/
 sources:
  - https://github.com/cert-manager/cert-manager
  - https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager
 maintainers:
  - name: alexlebens
 dependencies:
  - name: cert-manager
    version: v1.20.2
    repository: https://charts.jetstack.io
 icon: https://raw.githubusercontent.com/cert-manager/cert-manager/refs/heads/master/logo/logo.png
 # renovate: datasource=github-releases depName=cert-manager/cert-manager
 appVersion: v1.20.2
--- a/clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl
@@ -1,24 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "custom.cloudflareSecretName" -}}
 cert-manager-cloudflare-api-token
 {{- end -}}
 {{- define "custom.cloudflareSecretKey" -}}
 api-token
 {{- end -}}
--- a/clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
@@ -1,25 +0,0 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-issuer
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: letsencrypt-issuer
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  acme:
    email: alexanderlebens@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-issuer-account-key
    solvers:
      - selector:
          dnsZones:
            - "alexlebens.net"
            - "*.alexlebens.net"
        dns01:
          cloudflare:
            email: alexanderlebens@gmail.com
            apiTokenSecretRef:
              name: {{ include "custom.cloudflareSecretName" . }}
              key: {{ include "custom.cloudflareSecretKey" . }}
--- a/clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
@@ -1,17 +0,0 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: {{ include "custom.cloudflareSecretName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "custom.cloudflareSecretName" . }}
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: {{ include "custom.cloudflareSecretKey" . }}
      remoteRef:
        key: /cloudflare/alexlebens.net/cl01tl-issuer-certificate
        property: token
--- a/clusters/cl01tl/helm/cert-manager/templates/prometheus-rule.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/prometheus-rule.yaml
@@ -1,44 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
  name: cert-manager
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: cert-manager
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  groups:
    - name: EmbeddedExporter
      rules:
        - alert: Cert-ManagerAbsent
          expr: absent(up{job="cert-manager"})
          for: 10m
          labels:
            severity: critical
          annotations:
            summary: Cert-Manager absent (instance {{ `{{ $labels.instance }}` }})
            description: "Cert-Manager has disappeared from Prometheus service discovery. New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: Cert-ManagerCertificateExpiringSoon
          expr: avg by (exported_namespace, namespace, name) (certmanager_certificate_expiration_timestamp_seconds - time()) < (21 * 24 * 3600)
          for: 1h
          labels:
            severity: warning
          annotations:
            summary: Cert-Manager certificate expiring soon (instance {{ `{{ $labels.instance }}` }})
            description: "The certificate {{ `{{ $labels.name }}` }} is expiring in less than 21 days.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: Cert-ManagerCertificateNotReady
          expr: max by (name, exported_namespace, namespace, condition) (certmanager_certificate_ready_status{condition!="True"} == 1)
          for: 10m
          labels:
            severity: critical
          annotations:
            summary: Cert-Manager certificate not ready (instance {{ `{{ $labels.instance }}` }})
            description: "The certificate {{ `{{ $labels.name }}` }} in namespace {{ `{{ $labels.exported_namespace }}` }} is not ready to serve traffic.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
        - alert: Cert-ManagerHittingACMERateLimits
          expr: sum by (host) (rate(certmanager_acme_client_request_count{status="429"}[5m])) > 0
          for: 5m
          labels:
            severity: critical
          annotations:
            summary: Cert-Manager hitting ACME rate limits (instance {{ `{{ $labels.instance }}` }})
            description: "Cert-Manager is being rate-limited by the ACME provider. Certificate issuance and renewal may be blocked for up to a week.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
--- a/clusters/cl01tl/helm/cert-manager/values.yaml
+++ b/clusters/cl01tl/helm/cert-manager/values.yaml
@@ -1,21 +0,0 @@
 cert-manager:
  crds:
    enabled: true
    keep: true
  replicaCount: 2
  podDisruptionBudget:
    enabled: true
    minAvailable: 1
  extraArgs:
    - --enable-gateway-api
  resources:
    requests:
      cpu: 10m
      memory: 64Mi
  prometheus:
    servicemonitor:
      enabled: true
      honorLabels: true
  cainjector:
    enabled: true
    replicaCount: 2
--- a/clusters/cl01tl/helm/cilium/Chart.lock
+++ b/clusters/cl01tl/helm/cilium/Chart.lock
@@ -1,6 +0,0 @@
 dependencies:
 - name: cilium
  repository: https://helm.cilium.io/
  version: 1.18.6
 digest: sha256:8ea328ac238524b5b423e6289f5e25d05ef64e6aa19cfd5de238f1d5dd533e9b
 generated: "2026-02-05T12:00:20.15778-06:00"
--- a/clusters/cl01tl/helm/cilium/Chart.yaml
+++ b/clusters/cl01tl/helm/cilium/Chart.yaml
@@ -1,21 +0,0 @@
 apiVersion: v2
 name: cilium
 version: 1.0.0
 description: Cilium
 keywords:
  - cilium
  - operator
  - network
 home: https://docs.alexlebens.dev/applications/cilium/
 sources:
  - https://github.com/cilium/cilium
  - https://github.com/cilium/cilium/tree/main/install/kubernetes/cilium
 maintainers:
  - name: alexlebens
 dependencies:
  - name: cilium
    version: 1.18.6
    repository: https://helm.cilium.io/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png
 # renovate: datasource=github-releases depName=cilium/cilium
 appVersion: 1.18.6
--- a/clusters/cl01tl/helm/cilium/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cilium/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
@@ -1,27 +0,0 @@
 apiVersion: cilium.io/v2
 kind: CiliumLoadBalancerIPPool
 metadata:
  name: default-ip-pool
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: default-ip-pool
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  blocks:
    - start: "10.232.1.21"
      stop: "10.232.1.23"
 ---
 apiVersion: cilium.io/v2
 kind: CiliumLoadBalancerIPPool
 metadata:
  name: bgp-ip-pool
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: bgp-ip-pool
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  blocks:
    - start: "10.232.2.100"
      stop: "10.232.2.200"
  disabled: true
--- a/clusters/cl01tl/helm/cilium/templates/http-route.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/http-route.yaml
@@ -1,25 +0,0 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: hubble
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: hubble
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: traefik-gateway
      namespace: traefik
  hostnames:
    - hubble.alexlebens.net
  rules:
    - matches:
      - path:
          type: PathPrefix
          value: /
      backendRefs:
        - kind: Service
          name: hubble-ui
          port: 80
--- a/clusters/cl01tl/helm/cilium/values.yaml
+++ b/clusters/cl01tl/helm/cilium/values.yaml
@@ -1,92 +0,0 @@
 cilium:
  k8sServiceHost: "localhost"
  k8sServicePort: "7445"
  k8sClientRateLimit:
    qps: 50
    burst: 100
  rollOutCiliumPods: true
  securityContext:
    capabilities:
      ciliumAgent:
        - CHOWN
        - KILL
        - NET_ADMIN
        - NET_RAW
        - IPC_LOCK
        - SYS_ADMIN
        - SYS_RESOURCE
        - DAC_OVERRIDE
        - FOWNER
        - SETGID
        - SETUID
        - PERFMON
        - BPF
      cleanCiliumState:
        - NET_ADMIN
        - SYS_ADMIN
        - SYS_RESOURCE
  bgpControlPlane:
    enabled: false
  bpf:
    hostLegacyRouting: true
  devices: end0 enp6s0
  ciliumEndpointSlice:
    enabled: true
  gatewayAPI:
    enabled: true
    enableAppProtocol: true
    enableAlpn: true
    secretsNamespace:
      create: false
      name: kube-system
  socketLB:
    enabled: true
    hostNamespaceOnly: true
  hubble:
    metrics:
      serviceMonitor:
        enabled: true
    tls:
      auto:
        method: cronJob
    relay:
      enabled: true
      prometheus:
        serviceMonitor:
          enabled: true
    ui:
      enabled: true
  ipam:
    mode: "kubernetes"
  ipv4:
    enabled: true
  ipv6:
    enabled: false
  kubeProxyReplacement: true
  prometheus:
    enabled: true
    serviceMonitor:
      enabled: true
      trustCRDsExist: true
  envoy:
    enabled: true
    securityContext:
      capabilities:
        keepCapNetBindService: true
        envoy:
          - NET_ADMIN
          - NET_BIND_SERVICE
          - PERFMON
          - BPF
    prometheus:
      serviceMonitor:
        enabled: true
  operator:
    rollOutPods: true
    prometheus:
      serviceMonitor:
        enabled: true
  cgroup:
    autoMount:
      enabled: false
    hostRoot: /sys/fs/cgroup
--- a/clusters/cl01tl/helm/cloudnative-pg/Chart.lock
+++ b/clusters/cl01tl/helm/cloudnative-pg/Chart.lock
@@ -1,15 +0,0 @@
 dependencies:
 - name: cloudnative-pg
  repository: https://cloudnative-pg.io/charts/
  version: 0.28.0
 - name: plugin-barman-cloud
  repository: https://cloudnative-pg.io/charts/
  version: 0.6.0
 - name: rclone-bucket
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.3
 - name: rclone-bucket
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.3
 digest: sha256:75d7078b7009082521a1bb8b49141e20b442343dabe7f76f5e7a16a352cfe205
 generated: "2026-04-26T15:36:31.678086-05:00"
--- a/clusters/cl01tl/helm/cloudnative-pg/Chart.yaml
+++ b/clusters/cl01tl/helm/cloudnative-pg/Chart.yaml
@@ -1,36 +0,0 @@
 apiVersion: v2
 name: cloudnative-pg
 version: 1.0.0
 description: Cloudnative PG
 keywords:
  - cloudnative-pg
  - operator
  - postgresql
 home: https://docs.alexlebens.dev/applications/cloudnative-pg/
 sources:
  - https://github.com/cloudnative-pg/cloudnative-pg
  - https://github.com/cloudnative-pg/plugin-barman-cloud
  - https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql
  - https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
  - https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
 maintainers:
  - name: alexlebens
 dependencies:
  - name: cloudnative-pg
    version: 0.28.0
    repository: https://cloudnative-pg.io/charts/
  - name: plugin-barman-cloud
    version: 0.6.0
    repository: https://cloudnative-pg.io/charts/
  - name: rclone-bucket
    alias: rclone-postgres-backups-remote
    repository: oci://harbor.alexlebens.net/helm-charts
    version: 0.4.3
  - name: rclone-bucket
    alias: rclone-postgres-backups-external
    repository: oci://harbor.alexlebens.net/helm-charts
    version: 0.4.3
 icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png
 # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
 appVersion: 1.29.0
--- a/clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/cloudnative-pg/values.yaml
+++ b/clusters/cl01tl/helm/cloudnative-pg/values.yaml
@@ -1,75 +0,0 @@
 cloudnative-pg:
  replicaCount: 2
  resources:
    requests:
      cpu: 10m
      memory: 100Mi
  monitoring:
    podMonitorEnabled: true
 plugin-barman-cloud:
  replicaCount: 1
  crds:
    create: true
  resources:
    requests:
      cpu: 1m
      memory: 20Mi
 rclone-postgres-backups-remote:
  nameOverride: postgres-backups-remote-rclone
  cronJob:
    suspend: false
    schedule: 0 6 * * 6
  rclone:
    source:
      bucketName: postgres-backups
    destination:
      bucketName: postgres-backups
  prune:
    enabled: true
    ageToPrune: 45d
    include: "/cl01tl/*/*/*/base/**"
    exclude: "**/walls/**"
  secret:
    externalSecret:
      source:
        credentials:
          path: /garage/home-infra/postgres-backups
        config:
          path: /garage/config
      destination:
        credentials:
          path: /garage/home-infra/postgres-backups
        config:
          path: /garage/config
 rclone-postgres-backups-external:
  nameOverride: postgres-backups-external-rclone
  cronJob:
    suspend: true
    schedule: 0 6 * * 6
  rclone:
    source:
      bucketName: openbao-backups
    destination:
      bucketName: postgres-backups-ecc1010276b61716
      providerType: DigitalOcean
  prune:
    enabled: true
    ageToPrune: 45d
    include: "/cl01tl/*/*/*/base/**"
    exclude: "**/walls/**"
  secret:
    externalSecret:
      source:
        credentials:
          path: /garage/home-infra/postgres-backups
        config:
          path: /garage/config
      destination:
        credentials:
          path: /digital-ocean/home-infra/postgres-backups
          keyIdProperty: AWS_ACCESS_KEY_ID
          secretKeyProperty: AWS_SECRET_ACCESS_KEY
          regionProperty: AWS_REGION
        config:
          path: /digital-ocean/config
          endpointProperty: ENDPOINT
--- a/clusters/cl01tl/helm/coredns/Chart.lock
+++ b/clusters/cl01tl/helm/coredns/Chart.lock
@@ -1,6 +0,0 @@
 dependencies:
 - name: coredns
  repository: https://coredns.github.io/helm
  version: 1.45.2
 digest: sha256:36ed42e4273536b6548426b4e0f51b0816d9e8fe52333bce4c61acd8ade607e8
 generated: "2026-01-24T08:01:31.043488615Z"
--- a/clusters/cl01tl/helm/coredns/Chart.yaml
+++ b/clusters/cl01tl/helm/coredns/Chart.yaml
@@ -1,21 +0,0 @@
 apiVersion: v2
 name: coredns
 version: 1.0.0
 description: CoreDNS
 keywords:
  - coredns
  - dns
 home: https://docs.alexlebens.dev/applications/coredns/
 sources:
  - https://github.com/coredns/coredns
  - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fcoredns%2Fcoredns
  - https://github.com/coredns/helm
 maintainers:
  - name: alexlebens
 dependencies:
  - name: coredns
    version: 1.45.2
    repository: https://coredns.github.io/helm
 icon: https://raw.githubusercontent.com/coredns/coredns.io/refs/heads/master/static/images/favicon.png
 # renovate: datasource=github-releases depName=coredns/coredns
 appVersion: v1.14.3
--- a/clusters/cl01tl/helm/coredns/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/coredns/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/coredns/values.yaml
+++ b/clusters/cl01tl/helm/coredns/values.yaml
@@ -1,91 +0,0 @@
 coredns:
  image:
    repository: registry.k8s.io/coredns/coredns
    tag: v1.14.2@sha256:e7e6440cfd1e919280958f5b5a6ab2b184d385bba774c12ad2a9e1e4183f90d9
  replicaCount: 3
  resources:
    limits:
      cpu: null
      memory: null
    requests:
      cpu: 30m
      memory: 30Mi
  prometheus:
    service:
      enabled: true
    monitor:
      enabled: true
      namespace: kube-system
  service:
    clusterIP: 10.96.0.10
    clusterIPs:
      - 10.96.0.10
    name: kube-dns
  serviceAccount:
    create: true
    name: coredns
  priorityClassName: system-cluster-critical
  servers:
    - zones:
        - zone: .
          scheme: dns://
          use_tcp: true
      port: 53
      plugins:
        - name: errors
        - name: health
          configBlock: |-
            lameduck 5s
        - name: ready
        - name: kubernetes
          parameters: cluster.local in-addr.arpa ip6.arpa
          configBlock: |-
            pods insecure
            fallthrough in-addr.arpa ip6.arpa
            ttl 30
        - name: prometheus
          parameters: :9153
        - name: forward
          parameters: . /etc/resolv.conf
        - name: cache
          parameters: 30
        - name: loop
        - name: reload
        - name: loadbalance
    - zones:
        - zone: alexlebens.net
          scheme: dns://
          use_tcp: true
      port: 53
      plugins:
        - name: errors
        - name: cache
          parameters: 30
        - name: prometheus
          parameters: :9153
        - name: forward
          parameters: . 10.111.232.172
    - zones:
        - zone: ts.net
          scheme: dns://
          use_tcp: true
      port: 53
      plugins:
        - name: errors
        - name: cache
          parameters: 30
        - name: prometheus
          parameters: :9153
        - name: forward
          parameters: . 10.97.20.219
  nodeSelector:
    kubernetes.io/os: linux
  tolerations:
    - key: node-role.kubernetes.io/control-plane
      operator: Exists
      effect: NoSchedule
    - key: node.cloudprovider.kubernetes.io/uninitialized
      operator: Exists
      effect: NoSchedule
  deployment:
    name: coredns
--- a/clusters/cl01tl/helm/dawarich/Chart.lock
+++ b/clusters/cl01tl/helm/dawarich/Chart.lock
@@ -1,21 +0,0 @@
 dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 7.12.1
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.6.1
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 1.1.1
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 1.1.1
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 1.1.1
 digest: sha256:b18a6f20fd00a3477ef296e9a72256f2d6d50fc7710f577f89c06c18f990b6ef
 generated: "2026-04-28T23:31:26.580250793Z"
--- a/clusters/cl01tl/helm/dawarich/Chart.yaml
+++ b/clusters/cl01tl/helm/dawarich/Chart.yaml
@@ -1,45 +0,0 @@
 apiVersion: v2
 name: dawarich
 version: 1.0.0
 description: Dawarich
 keywords:
  - dawarich
  - location
 home: https://docs.alexlebens.dev/applications/dawarich/
 sources:
  - https://github.com/Freika/dawarich
  - https://hub.docker.com/r/freikin/dawarich
  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: dawarich
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
  - name: postgres-cluster
    alias: postgres-18-cluster
    version: 7.12.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey
    version: 0.6.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-storage
    version: 1.1.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-public
    version: 1.1.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-watched
    version: 1.1.1
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
 # renovate: datasource=github-releases depName=Freika/dawarich
 appVersion: 1.7.0
--- a/clusters/cl01tl/helm/dawarich/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/dawarich/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
@@ -1,52 +0,0 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: dawarich-key
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: dawarich-key
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: key
      remoteRef:
        key: /cl01tl/dawarich/key
        property: key
    - secretKey: otp-primary-key
      remoteRef:
        key: /cl01tl/dawarich/key
        property: otp-primary-key
    - secretKey: otp-deterministic-key
      remoteRef:
        key: /cl01tl/dawarich/key
        property: otp-deterministic-key
    - secretKey: otp-derivation-salt
      remoteRef:
        key: /cl01tl/dawarich/key
        property: otp-derivation-salt
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: dawarich-oidc-authentik
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: dawarich-oidc-authentik
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: client
      remoteRef:
        key: /cl01tl/authentik/oidc/dawarich
        property: client
    - secretKey: secret
      remoteRef:
        key: /cl01tl/authentik/oidc/dawarich
        property: secret
--- a/clusters/cl01tl/helm/dawarich/values.yaml
+++ b/clusters/cl01tl/helm/dawarich/values.yaml
@@ -1,378 +0,0 @@
 dawarich:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      containers:
        main:
          image:
            repository: freikin/dawarich
            tag: 1.7.0@sha256:7d5f99c61121fcfa4cbdd6a153392630d9f059ffb0156759278d3e049085ec62
          command:
            - "web-entrypoint.sh"
          args:
            - "bin/rails"
            - "server"
            - "-p"
            - "3000"
            - "-b"
            - "::"
          env:
            - name: RAILS_ENV
              value: production
            - name: REDIS_URL
              value: redis://dawarich-valkey.dawarich:6379
            - name: DATABASE_HOST
              valueFrom:
                secretKeyRef:
                  name: dawarich-postgresql-18-cluster-app
                  key: host
            - name: DATABASE_PORT
              valueFrom:
                secretKeyRef:
                  name: dawarich-postgresql-18-cluster-app
                  key: port
            - name: DATABASE_USERNAME
              valueFrom:
                secretKeyRef:
                  name: dawarich-postgresql-18-cluster-app
                  key: user
            - name: DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: dawarich-postgresql-18-cluster-app
                  key: password
            - name: DATABASE_NAME
              valueFrom:
                secretKeyRef:
                  name: dawarich-postgresql-18-cluster-app
                  key: dbname
            - name: APPLICATION_HOSTS
              value: dawarich.alexlebens.net,dawarich.dawarich,localhost,::1,127.0.0.1
            - name: TIME_ZONE
              value: America/Chicago
            - name: APPLICATION_PROTOCOL
              value: http
            - name: OIDC_ISSUER
              value: https://authentik.alexlebens.net/application/o/darwich/
            - name: OIDC_REDIRECT_URI
              value: https://dawarich.alexlebens.net/users/auth/openid_connect/callback
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: dawarich-oidc-authentik
                  key: client
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: dawarich-oidc-authentik
                  key: secret
            - name: OIDC_PROVIDER_NAME
              value: Authentik
            - name: OIDC_AUTO_REGISTER
              value: true
            - name: PROMETHEUS_EXPORTER_ENABLED
              value: true
            - name: PROMETHEUS_EXPORTER_HOST
              value: 0.0.0.0
            - name: PROMETHEUS_EXPORTER_PORT
              value: 9394
            - name: SECRET_KEY_BASE
              valueFrom:
                secretKeyRef:
                  name: dawarich-key
                  key: key
            - name: OTP_ENCRYPTION_PRIMARY_KEY
              valueFrom:
                secretKeyRef:
                  name: dawarich-key
                  key: otp-primary-key
            - name: OTP_ENCRYPTION_DETERMINISTIC_KEY
              valueFrom:
                secretKeyRef:
                  name: dawarich-key
                  key: otp-deterministic-key
            - name: OTP_ENCRYPTION_KEY_DERIVATION_SALT
              valueFrom:
                secretKeyRef:
                  name: dawarich-key
                  key: otp-derivation-salt
            - name: RAILS_LOG_TO_STDOUT
              value: true
            - name: SELF_HOSTED
              value: true
            - name: STORE_GEODATA
              value: true
          probes:
            liveness:
              enabled: true
              custom: true
              spec:
                exec:
                  command:
                    - /bin/sh
                    - -c
                    - "wget -qO - http://127.0.0.1:3000/api/v1/health | grep -q '\"status\"\\s*:\\s*\"ok\"'"
                failureThreshold: 5
                initialDelaySeconds: 60
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 10
          resources:
            requests:
              cpu: 20m
              memory: 750Mi
        sidekiq:
          image:
            repository: freikin/dawarich
            tag: 1.7.0@sha256:7d5f99c61121fcfa4cbdd6a153392630d9f059ffb0156759278d3e049085ec62
          command:
            - "sidekiq-entrypoint.sh"
          args:
            - "sidekiq"
          env:
            - name: RAILS_ENV
              value: production
            - name: REDIS_URL
              value: redis://dawarich-valkey.dawarich:6379
            - name: DATABASE_HOST
              valueFrom:
                secretKeyRef:
                  name: dawarich-postgresql-18-cluster-app
                  key: host
            - name: DATABASE_PORT
              valueFrom:
                secretKeyRef:
                  name: dawarich-postgresql-18-cluster-app
                  key: port
            - name: DATABASE_USERNAME
              valueFrom:
                secretKeyRef:
                  name: dawarich-postgresql-18-cluster-app
                  key: user
            - name: DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: dawarich-postgresql-18-cluster-app
                  key: password
            - name: DATABASE_NAME
              valueFrom:
                secretKeyRef:
                  name: dawarich-postgresql-18-cluster-app
                  key: dbname
            - name: APPLICATION_HOSTS
              value: dawarich.alexlebens.net,dawarich.dawarich,localhost,::1,127.0.0.1
            - name: TIME_ZONE
              value: America/Chicago
            - name: APPLICATION_PROTOCOL
              value: http
            - name: DISTANCE_UNIT
              value: mi
            - name: OIDC_ISSUER
              value: https://authentik.alexlebens.net/application/o/darwich/
            - name: OIDC_REDIRECT_URI
              value: https://dawarich.alexlebens.net/users/auth/openid_connect/callback
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: dawarich-oidc-authentik
                  key: client
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: dawarich-oidc-authentik
                  key: secret
            - name: OIDC_PROVIDER_NAME
              value: Authentik
            - name: OIDC_AUTO_REGISTER
              value: true
            - name: PROMETHEUS_EXPORTER_ENABLED
              value: true
            - name: PROMETHEUS_EXPORTER_HOST
              value: 0.0.0.0
            - name: PROMETHEUS_EXPORTER_PORT
              value: 9394
            - name: SECRET_KEY_BASE
              valueFrom:
                secretKeyRef:
                  name: dawarich-key
                  key: key
            - name: OTP_ENCRYPTION_PRIMARY_KEY
              valueFrom:
                secretKeyRef:
                  name: dawarich-key
                  key: otp-primary-key
            - name: OTP_ENCRYPTION_DETERMINISTIC_KEY
              valueFrom:
                secretKeyRef:
                  name: dawarich-key
                  key: otp-deterministic-key
            - name: OTP_ENCRYPTION_KEY_DERIVATION_SALT
              valueFrom:
                secretKeyRef:
                  name: dawarich-key
                  key: otp-derivation-salt
            - name: RAILS_LOG_TO_STDOUT
              value: true
            - name: SELF_HOSTED
              value: true
            - name: STORE_GEODATA
              value: true
          probes:
            liveness:
              enabled: true
              custom: true
              spec:
                exec:
                  command:
                    - pgrep
                    - -f
                    - sidekiq
                failureThreshold: 5
                initialDelaySeconds: 60
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 10
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 3000
        metrics:
          port: 9394
          targetPort: 9394
  serviceMonitor:
    main:
      selector:
        matchLabels:
          app.kubernetes.io/name: dawarich
          app.kubernetes.io/instance: dawarich
      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
      endpoints:
        - port: metrics
          interval: 30s
          scrapeTimeout: 15s
          path: /metrics
  route:
    main:
      kind: HTTPRoute
      parentRefs:
        - group: gateway.networking.k8s.io
          kind: Gateway
          name: traefik-gateway
          namespace: traefik
      hostnames:
        - dawarich.alexlebens.net
      rules:
        - backendRefs:
            - name: dawarich
              port: 80
          matches:
            - path:
                type: PathPrefix
                value: /
  persistence:
    storage:
      forceRename: dawarich-storage
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 5Gi
      advancedMounts:
        main:
          main:
            - path: /var/app/storage
              readOnly: false
          sidekiq:
            - path: /var/app/storage
              readOnly: false
    public:
      forceRename: dawarich-public
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 5Gi
      advancedMounts:
        main:
          main:
            - path: /var/app/public
              readOnly: false
          sidekiq:
            - path: /var/app/public
              readOnly: false
    watched:
      forceRename: dawarich-watched
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 1Gi
      advancedMounts:
        main:
          main:
            - path: /var/app/tmp/imports/watched
              readOnly: false
          sidekiq:
            - path: /var/app/tmp/imports/watched
              readOnly: false
 postgres-18-cluster:
  mode: recovery
  cluster:
    image:
      repository: ghcr.io/cloudnative-pg/postgis
      tag: 18-3-system-trixie
    initdb:
      postInitTemplateSQL:
        - CREATE EXTENSION postgis;
        - CREATE EXTENSION postgis_topology;
        - CREATE EXTENSION fuzzystrmatch;
        - CREATE EXTENSION postgis_tiger_geocoder;
  recovery:
    method: objectStore
    objectStore:
      index: 1
  backup:
    objectStore:
      - name: garage-local
        index: 1
        destinationBucket: postgres-backups
        externalSecretCredentialPath: /garage/home-infra/postgres-backups
        isWALArchiver: true
    scheduledBackups:
      - name: live-backup
        suspend: false
        immediate: true
        schedule: "0 10 14 * * *"
        backupName: garage-local
 volsync-target-storage:
  pvcTarget: dawarich-storage
  local:
    enabled: true
    schedule: 6 8 * * *
  remote:
    enabled: true
    schedule: 6 9 * * *
  external:
    enabled: true
    schedule: 6 10 * * *
 volsync-target-public:
  pvcTarget: dawarich-public
  local:
    enabled: true
    schedule: 8 8 * * *
  remote:
    enabled: true
    schedule: 8 9 * * *
  external:
    enabled: true
    schedule: 8 10 * * *
 volsync-target-watched:
  pvcTarget: dawarich-watched
  local:
    enabled: true
    schedule: 8 8 * * *
  remote:
    enabled: true
    schedule: 8 9 * * *
  external:
    enabled: true
    schedule: 8 10 * * *
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.lock
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.lock
@@ -1,6 +0,0 @@
 dependencies:
 - name: democratic-csi
  repository: https://democratic-csi.github.io/charts/
  version: 0.15.1
 digest: sha256:e07d76a67023fb523e7d49730330995d0028faba9a4c7c3a6b87c5828921b3c3
 generated: "2026-01-08T20:33:17.610556446Z"
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.yaml
@@ -1,20 +0,0 @@
 apiVersion: v2
 name: democratic-csi-synology-iscsi
 version: 1.0.0
 description: Democratic CSI
 keywords:
  - democratic-csi-synology-iscsi
  - iscsi
 home: https://docs.alexlebens.dev/applications/democratic-csi-synology-iscsi/
 sources:
  - https://github.com/democratic-csi/democratic-csi
  - https://github.com/democratic-csi/charts/tree/master/stable/democratic-csi
 maintainers:
  - name: alexlebens
 dependencies:
  - name: democratic-csi
    repository: https://democratic-csi.github.io/charts/
    version: 0.15.1
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 # renovate: datasource=github-releases depName=democratic-csi/democratic-csi
 appVersion: v1.9.4
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml
@@ -1,17 +0,0 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: synology-iscsi-config
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: synology-iscsi-config
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: driver-config-file.yaml
      remoteRef:
        key: /cl01tl/democratic-csi-synology-iscsi/config
        property: driver-config-file.yaml
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml
@@ -1,10 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ .Release.Namespace }}
    {{- include "custom.labels" . | nindent 4 }}
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
@@ -1,63 +0,0 @@
 democratic-csi:
  driver:
    image:
      registry: ghcr.io/democratic-csi/democratic-csi
      tag: v1.9.5@@sha256:fc3b7d7ed3a616714139525075312758e23a5d425ffb539ad12c9bd20fb6001f
    existingConfigSecret: synology-iscsi-config
    config:
      driver: synology-iscsi
    resources:
      requests:
        cpu: 1m
        memory: 128Mi
  csiDriver:
    name: "org.democratic-csi.iscsi-synology"
  controller:
    replicaCount: 3
    externalAttacher:
      image:
        registry: registry.k8s.io/sig-storage/csi-attacher
        tag: v4.11.0@sha256:b74b05b39501565022883fc128002b4cb857a7bb6c858606bcb3fdedba0b0b80
    externalProvisioner:
      image:
        registry: registry.k8s.io/sig-storage/csi-provisioner
        tag: v3.6.4@sha256:e7ad666f1d9b0caa077c7f0c157c9f87d1e73858390732496f66dcc716ff10c5
    externalResizer:
      image:
        registry: registry.k8s.io/sig-storage/csi-resizer
        tag: v1.9.4@sha256:522911ef68bd2c5c17d90fb2a6d2b2fb72ae790f2c1463a466b4262a07fdbf5a
    externalSnapshotter:
      image:
        registry: registry.k8s.io/sig-storage/csi-snapshotter
        tag: v8.5.0@sha256:da081c27e8a6d91f36042c1942362d0515ced8d06e18c11b8f893e58c4d6d797
  storageClasses:
    - name: synology-iscsi-delete
      defaultClass: false
      reclaimPolicy: Delete
      volumeBindingMode: Immediate
      allowVolumeExpansion: true
      parameters:
        fsType: ext4
    - name: synology-iscsi-retain
      defaultClass: false
      reclaimPolicy: Retain
      volumeBindingMode: Immediate
      allowVolumeExpansion: true
      parameters:
        fsType: ext4
  node:
    hostPID: true
    rbac:
      enabled: true
    driver:
      extraEnv:
        - name: ISCSIADM_HOST_STRATEGY
          value: nsenter
        - name: ISCSIADM_HOST_PATH
          value: /usr/local/sbin/iscsiadm
      iscsiDirHostPath: /var/iscsi
      iscsiDirHostPathType: ""
  driverRegistrar:
    image:
      registry: registry.k8s.io/sig-storage/csi-node-driver-registrar
      tag: v2.16.0@sha256:ab482308a4921e28a6df09a16ab99a457e9af9641ff44fb1be1a690d07ce8b70
--- a/clusters/cl01tl/helm/descheduler/Chart.lock
+++ b/clusters/cl01tl/helm/descheduler/Chart.lock
@@ -1,6 +0,0 @@
 dependencies:
 - name: descheduler
  repository: https://kubernetes-sigs.github.io/descheduler/
  version: 0.35.1
 digest: sha256:ed7cc8068b83ac483fda3a781227b35e12a34abdca214b5490e7036c89db1a95
 generated: "2026-03-09T21:21:45.788316167Z"
--- a/clusters/cl01tl/helm/descheduler/Chart.yaml
+++ b/clusters/cl01tl/helm/descheduler/Chart.yaml
@@ -1,21 +0,0 @@
 apiVersion: v2
 name: descheduler
 version: 1.0.0
 description: Descheduler
 keywords:
  - descheduler
  - kube-scheduler
 home: https://docs.alexlebens.dev/applications/descheduler/
 sources:
  - https://github.com/kubernetes-sigs/descheduler
  - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fdescheduler%2Fdescheduler
  - https://github.com/kubernetes-sigs/descheduler/tree/master/charts/descheduler
 maintainers:
  - name: alexlebens
 dependencies:
  - name: descheduler
    version: 0.35.1
    repository: https://kubernetes-sigs.github.io/descheduler/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 # renovate: datasource=github-releases depName=kubernetes-sigs/descheduler
 appVersion: v0.35.1
--- a/clusters/cl01tl/helm/descheduler/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/descheduler/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/descheduler/values.yaml
+++ b/clusters/cl01tl/helm/descheduler/values.yaml
@@ -1,79 +0,0 @@
 descheduler:
  image:
    repository: registry.k8s.io/descheduler/descheduler
    tag: v0.35.1@sha256:871d3b804390b0b8c7cb09d4e9b7856cf30e31f9e9e3d29562b0301a10453bb1
  kind: Deployment
  resources:
    limits:
      cpu: null
      memory: null
    requests:
      cpu: 10m
      memory: 50Mi
  deschedulingInterval: 5m
  replicas: 3
  leaderElection:
    enabled: true
    leaseDuration: 15s
    renewDeadline: 10s
    retryPeriod: 2s
    resourceLock: "leases"
    resourceName: "descheduler"
    resourceNamespace: "descheduler"
  deschedulerPolicy:
    profiles:
      - name: default
        pluginConfig:
          - name: DefaultEvictor
            args:
              ignorePvcPods: true
              evictLocalStoragePods: false
              evictDaemonSetPods: false
          - name: RemoveDuplicates
          - name: RemovePodsViolatingNodeAffinity
            args:
              nodeAffinityType:
              - requiredDuringSchedulingIgnoredDuringExecution
          - name: RemovePodsViolatingNodeTaints
          - name: RemovePodsViolatingInterPodAntiAffinity
          - name: RemovePodsViolatingTopologySpreadConstraint
          - name: "HighNodeUtilization"
            args:
              thresholds:
                cpu : 80
                memory: 80
                pods: 90
              evictableNamespaces:
                exclude:
                  - "kube-system"
              evictionModes:
                - "OnlyThresholdingResources"
          - name: LowNodeUtilization
            args:
              thresholds:
                cpu: 20
                memory: 20
                pods: 20
              targetThresholds:
                cpu: 50
                memory: 50
                pods: 60
        plugins:
          balance:
            enabled:
              - RemoveDuplicates
              - RemovePodsViolatingTopologySpreadConstraint
              - LowNodeUtilization
          deschedule:
            enabled:
              - RemovePodsViolatingNodeTaints
              - RemovePodsViolatingNodeAffinity
              - RemovePodsViolatingInterPodAntiAffinity
  rbac:
    create: true
  serviceAccount:
    create: true
  service:
    enabled: true
  serviceMonitor:
    enabled: true
--- a/clusters/cl01tl/helm/directus/Chart.lock
+++ b/clusters/cl01tl/helm/directus/Chart.lock
@@ -1,15 +0,0 @@
 dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 7.12.1
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.6.1
 - name: rclone-bucket
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.3
 digest: sha256:df3b79c6b8868d749d98d232741fef4a26b73894bce3bf4588581340c15fc3da
 generated: "2026-04-26T21:06:27.85398357Z"
--- a/clusters/cl01tl/helm/directus/Chart.yaml
+++ b/clusters/cl01tl/helm/directus/Chart.yaml
@@ -1,37 +0,0 @@
 apiVersion: v2
 name: directus
 version: 1.0.0
 description: Directus
 keywords:
  - directus
  - content-management-system
 home: https://docs.alexlebens.dev/applications/directus/
 sources:
  - https://github.com/directus/directus
  - https://github.com/directus/directus/pkgs/container/directus
  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: directus
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
  - name: postgres-cluster
    alias: postgres-18-cluster
    version: 7.12.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey
    version: 0.6.1
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: rclone-bucket
    alias: rclone-directus-assets-remote
    repository: oci://harbor.alexlebens.net/helm-charts
    version: 0.4.3
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 # renovate: datasource=github-releases depName=directus/directus
 appVersion: 11.17.3
--- a/clusters/cl01tl/helm/directus/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/directus/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/directus/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/directus/templates/external-secret.yaml
@@ -1,125 +0,0 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: directus-config
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-config
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: key
      remoteRef:
        key: /cl01tl/directus/key
        property: key
    - secretKey: secret
      remoteRef:
        key: /cl01tl/directus/key
        property: secret
    - secretKey: admin-email
      remoteRef:
        key: /cl01tl/directus/config
        property: admin-email
    - secretKey: admin-password
      remoteRef:
        key: /cl01tl/directus/config
        property: admin-password
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: directus-metric-token
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-metric-token
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: metric-token
      remoteRef:
        key: /cl01tl/directus/metrics
        property: metric-token
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: directus-valkey-config
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-valkey-config
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: user
      remoteRef:
        key: /cl01tl/directus/valkey
        property: user
    - secretKey: password
      remoteRef:
        key: /cl01tl/directus/valkey
        property: password
    - secretKey: default
      remoteRef:
        key: /cl01tl/directus/valkey
        property: password
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: directus-oidc-authentik
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-oidc-authentik
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: OIDC_CLIENT_ID
      remoteRef:
        key: /cl01tl/authentik/oidc/directus
        property: client
    - secretKey: OIDC_CLIENT_SECRET
      remoteRef:
        key: /cl01tl/authentik/oidc/directus
        property: secret
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: directus-bucket-garage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-bucket-garage
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        key: /garage/home-infra/directus-assets
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        key: /garage/home-infra/directus-assets
        property: ACCESS_SECRET_KEY
    - secretKey: ACCESS_REGION
      remoteRef:
        key: /garage/home-infra/directus-assets
        property: ACCESS_REGION
--- a/clusters/cl01tl/helm/directus/values.yaml
+++ b/clusters/cl01tl/helm/directus/values.yaml
@@ -1,237 +0,0 @@
 directus:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      containers:
        main:
          image:
            repository: ghcr.io/directus/directus
            tag: 11.17.3@sha256:ae6ab737fd04077d295bbefa545cc4aefccc206e3d0120c83812f9b482a8c9a5
          env:
            - name: PUBLIC_URL
              value: https://directus.alexlebens.net
            - name: WEBSOCKETS_ENABLED
              value: true
            - name: ADMIN_EMAIL
              valueFrom:
                secretKeyRef:
                  name: directus-config
                  key: admin-email
            - name: ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: directus-config
                  key: admin-password
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: directus-config
                  key: secret
            - name: KEY
              valueFrom:
                secretKeyRef:
                  name: directus-config
                  key: key
            - name: DB_CLIENT
              value: postgres
            - name: DB_HOST
              valueFrom:
                secretKeyRef:
                  name: directus-postgresql-18-cluster-app
                  key: host
            - name: DB_DATABASE
              valueFrom:
                secretKeyRef:
                  name: directus-postgresql-18-cluster-app
                  key: dbname
            - name: DB_PORT
              valueFrom:
                secretKeyRef:
                  name: directus-postgresql-18-cluster-app
                  key: port
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: directus-postgresql-18-cluster-app
                  key: user
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: directus-postgresql-18-cluster-app
                  key: password
            - name: SYNCHRONIZATION_STORE
              value: redis
            - name: CACHE_ENABLED
              value: true
            - name: CACHE_STORE
              value: redis
            - name: REDIS_ENABLED
              value: true
            - name: REDIS_HOST
              value: directus-valkey
            - name: REDIS_USERNAME
              valueFrom:
                secretKeyRef:
                  name: directus-valkey-config
                  key: user
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: directus-valkey-config
                  key: password
            - name: STORAGE_LOCATIONS
              value: s3
            - name: STORAGE_S3_DRIVER
              value: s3
            - name: STORAGE_S3_KEY
              valueFrom:
                secretKeyRef:
                  name: directus-bucket-garage
                  key: ACCESS_KEY_ID
            - name: STORAGE_S3_SECRET
              valueFrom:
                secretKeyRef:
                  name: directus-bucket-garage
                  key: ACCESS_SECRET_KEY
            - name: STORAGE_S3_REGION
              valueFrom:
                secretKeyRef:
                  name: directus-bucket-garage
                  key: ACCESS_REGION
            - name: STORAGE_S3_BUCKET
              value: directus-assets
            - name: STORAGE_S3_ENDPOINT
              value: http://garage-main.garage:3900
            - name: STORAGE_S3_FORCE_PATH_STYLE
              value: true
            - name: AUTH_PROVIDERS
              value: AUTHENTIK
            - name: AUTH_AUTHENTIK_DRIVER
              value: openid
            - name: AUTH_AUTHENTIK_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: directus-oidc-authentik
                  key: OIDC_CLIENT_ID
            - name: AUTH_AUTHENTIK_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: directus-oidc-authentik
                  key: OIDC_CLIENT_SECRET
            - name: AUTH_AUTHENTIK_SCOPE
              value: openid profile email
            - name: AUTH_AUTHENTIK_ISSUER_URL
              value: https://authentik.alexlebens.net/application/o/directus/.well-known/openid-configuration
            - name: AUTH_AUTHENTIK_IDENTIFIER_KEY
              value: email
            - name: AUTH_AUTHENTIK_ALLOW_PUBLIC_REGISTRATION
              value: true
            - name: AUTH_AUTHENTIK_LABEL
              value: Authentik
            - name: TELEMETRY
              value: false
            - name: METRICS_ENABLED
              value: true
            - name: METRICS_TOKENS
              valueFrom:
                secretKeyRef:
                  name: directus-metric-token
                  key: metric-token
          resources:
            requests:
              cpu: 10m
              memory: 300Mi
  service:
    main:
      controller: main
      ports:
        http:
          port: 80
          targetPort: 8055
  serviceMonitor:
    main:
      selector:
        matchLabels:
          app.kubernetes.io/name: directus
          app.kubernetes.io/instance: directus
      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
      endpoints:
        - port: http
          interval: 30s
          scrapeTimeout: 15s
          path: /metrics
          bearerTokenSecret:
            name: directus-metric-token
            key: metric-token
  route:
    main:
      kind: HTTPRoute
      parentRefs:
        - group: gateway.networking.k8s.io
          kind: Gateway
          name: traefik-gateway
          namespace: traefik
      hostnames:
        - directus.alexlebens.net
      rules:
        - backendRefs:
            - name: directus
              port: 80
          matches:
            - path:
                type: PathPrefix
                value: /
 postgres-18-cluster:
  mode: recovery
  recovery:
    method: objectStore
    objectStore:
      index: 1
  backup:
    objectStore:
      - name: garage-local
        index: 1
        destinationBucket: postgres-backups
        externalSecretCredentialPath: /garage/home-infra/postgres-backups
        isWALArchiver: true
    scheduledBackups:
      - name: live-backup
        suspend: false
        immediate: true
        schedule: "0 15 14 * * *"
        backupName: garage-local
 valkey:
  valkey:
    auth:
      enabled: true
      usersExistingSecret: directus-valkey-config
      aclUsers:
        default:
          permissions: "~* &* +@all"
    # No option to configure metrics when auth is enabled
    # https://github.com/valkey-io/valkey-helm/issues/135
    metrics:
      enabled: false
 rclone-directus-assets-remote:
  cronJob:
    suspend: false
    schedule: 0 0 * * *
  rclone:
    source:
      bucketName: directus-assets
    destination:
      bucketName: directus-assets
  secret:
    externalSecret:
      source:
        credentials:
          path: /garage/home-infra/directus-assets
        config:
          path: /garage/config
      destination:
        credentials:
          path: /garage/home-infra/directus-assets
        config:
          path: /garage/config
--- a/clusters/cl01tl/helm/elastic-operator/Chart.lock
+++ b/clusters/cl01tl/helm/elastic-operator/Chart.lock
@@ -1,6 +0,0 @@
 dependencies:
 - name: eck-operator
  repository: https://helm.elastic.co
  version: 3.3.2
 digest: sha256:ac7a849a6d8244ef56c11f18438c4c76133f92d245228c5a1c8369d42562c177
 generated: "2026-04-01T21:30:02.975920565Z"
--- a/clusters/cl01tl/helm/elastic-operator/Chart.yaml
+++ b/clusters/cl01tl/helm/elastic-operator/Chart.yaml
@@ -1,21 +0,0 @@
 apiVersion: v2
 name: elastic-operator
 version: 1.0.0
 description: Elastic Cloud on Kubernetes
 keywords:
  - elastic-operator
  - operator
  - elastic-search
 home: https://docs.alexlebens.dev/applications/elastic-operator/
 sources:
  - https://github.com/elastic/cloud-on-k8s
  - https://github.com/elastic/cloud-on-k8s/tree/main/deploy/eck-operator
 maintainers:
  - name: alexlebens
 dependencies:
  - name: eck-operator
    version: 3.3.2
    repository: https://helm.elastic.co
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/elastic.png
 # renovate: datasource=github-releases depName=elastic/cloud-on-k8s
 appVersion: v3.3.2
--- a/clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/elastic-operator/values.yaml
+++ b/clusters/cl01tl/helm/elastic-operator/values.yaml
@@ -1,21 +0,0 @@
 eck-operator:
  managedNamespaces:
    - stalwart
    - tubearchivist
  installCRDs: true
  replicaCount: 2
  resources:
    limits:
      cpu: null
      memory: null
    requests:
      cpu: 2m
      memory: 50Mi
  telemetry:
    disabled: true
  config:
    logVerbosity: "0"
    metrics:
      port: "9000"
  podMonitor:
    enabled: true
--- a/clusters/cl01tl/helm/element-web/Chart.lock
+++ b/clusters/cl01tl/helm/element-web/Chart.lock
@@ -1,9 +0,0 @@
 dependencies:
 - name: element-web
  repository: https://ananace.gitlab.io/charts
  version: 1.4.34
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 2.6.0
 digest: sha256:e988be9f997351a8f658bf5151ec4fb04ae7d877389c9bf01b7331e1a58005ef
 generated: "2026-04-24T21:06:15.882448748Z"
--- a/clusters/cl01tl/helm/element-web/Chart.yaml
+++ b/clusters/cl01tl/helm/element-web/Chart.yaml
@@ -1,25 +0,0 @@
 apiVersion: v2
 name: element-web
 version: 1.0.0
 description: Element Web
 keywords:
  - element-web
  - matrix-chat
 home: https://docs.alexlebens.dev/applications/element-web/
 sources:
  - https://github.com/element-hq/element-web
  - https://github.com/element-hq/element-web/pkgs/container/element-web
  - https://gitlab.com/ananace/charts/-/tree/master/charts/element-web
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
 maintainers:
  - name: alexlebens
 dependencies:
  - name: element-web
    version: 1.4.34
    repository: https://ananace.gitlab.io/charts
  - name: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
    version: 2.6.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
 # renovate: datasource=github-releases depName=element-hq/element-web
 appVersion: v1.12.15
--- a/clusters/cl01tl/helm/element-web/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/element-web/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/element-web/values.yaml
+++ b/clusters/cl01tl/helm/element-web/values.yaml
@@ -1,23 +0,0 @@
 element-web:
  replicaCount: 1
  image:
    repository: ghcr.io/element-hq/element-web
    tag: v1.12.15@sha256:c7fa40b5ba3891f8af3ce63da0818f457c1802a9ee4d2f5e46a9df36a2388eed
  defaultServer:
    url: https://matrix.alexlebens.dev
    name: alexlebens.dev
    identity_url: https://alexlebens.dev
  config:
    disable_3pid_login: true
    brand: "Alex Lebens"
    branding:
      welcome_background_url: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/background.jpg
      auth_header_logo_url: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.png
    sso_redirect_options:
      immediate: true
    default_theme: dark
    default_country_code: US
  resources:
    requests:
      cpu: 1m
      memory: 10Mi
--- a/clusters/cl01tl/helm/eraser/Chart.lock
+++ b/clusters/cl01tl/helm/eraser/Chart.lock
@@ -1,9 +0,0 @@
 dependencies:
 - name: eraser
  repository: https://eraser-dev.github.io/eraser/charts
  version: 1.4.1
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
 digest: sha256:8414813d3d9d195b16ef7ebf814f7095a16413f4b0e579fcb37738000624f68c
 generated: "2026-04-08T21:39:05.689756-05:00"
--- a/Show More
+++ b/Show More