Update rmcrackan/libation Docker tag to v12.2.0

.gitea/workflows/lint-test.yaml

@@ -0,0 +1,37 @@
+name: lint-and-test-charts
+
+on: pull_request
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: latest
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          check-latest: true
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Run chart-testing (lint)
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }}

.gitignore

@@ -1,4 +0,0 @@
-.gitignore
-/**/archive/
-/**/charts/
-/**/helm/

.pre-commit-config.yaml

@@ -0,0 +1,15 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v2.3.0
+    hooks:
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: check-added-large-files
+      - id: check-yaml
+        exclude: '^.*\/templates\/.*$'
+        args:
+          - --multi
+  - repo: https://github.com/IamTheFij/docker-pre-commit
+    rev: v2.0.0
+    hooks:
+      - id: docker-compose-check

LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

README.md

@@ -0,0 +1,7 @@
+# alexlebens.net
+
+GitOps definied infrastrucutre for the alexlebens.net domain.
+
+## License
+
+This project is licensed under the terms of the Apache 2.0 License license.

clusters/cl01tl/applications/audiobookshelf/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: audiobookshelf
+version: 1.0.0
+description: Audiobookshelf
+keywords:
+  - audiobookshelf
+  - books
+  - podcasts
+  - audiobooks
+home: https://wiki.alexlebens.dev/doc/audiobookshelf-uNciuFjzDw
+sources:
+  - https://github.com/advplyr/audiobookshelf
+  - https://github.com/advplyr/audiobookshelf/pkgs/container/audiobookshelf
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: audiobookshelf
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/audiobookshelf.png
+appVersion: 2.17.5

clusters/cl01tl/applications/audiobookshelf/templates/external-secret.yaml

@@ -0,0 +1,116 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: audiobookshelf-config-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-config-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-config"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: secret_key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: audiobookshelf-metadata-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-metadata-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-metadata"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: secret_key

clusters/cl01tl/applications/audiobookshelf/templates/http-route.yaml

@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-audiobookshelf
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-audiobookshelf
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - audiobookshelf.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: audiobookshelf
+          port: 80
+          weight: 100

clusters/cl01tl/applications/audiobookshelf/templates/persistent-volume-claim.yaml

@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: audiobookshelf-nfs-storage-backup
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-nfs-storage-backup
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeMode: Filesystem
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: audiobookshelf-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: audiobookshelf-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/applications/audiobookshelf/templates/persistent-volume.yaml

@@ -2,11 +2,13 @@ apiVersion: v1
 kind: PersistentVolume
 metadata:
   name: audiobookshelf-nfs-storage
-  namespace: audiobookshelf
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: audiobookshelf-nfs-storage
-    app.kubernetes.io/instance: audiobookshelf
+    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: audiobookshelf
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/applications/audiobookshelf/templates/replication-source.yaml

@@ -0,0 +1,56 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: audiobookshelf-config-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-config-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: audiobookshelf-config
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: audiobookshelf-config-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: audiobookshelf-metadata-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: audiobookshelf-metadata-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: audiobookshelf-metadata
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: audiobookshelf-metadata-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/applications/audiobookshelf/values.yaml

@@ -0,0 +1,65 @@
+audiobookshelf:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/advplyr/audiobookshelf
+            tag: 2.20.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 80
+          protocol: HTTP
+  persistence:
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 2Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /config
+              readOnly: false
+    metadata:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 10Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /metadata
+              readOnly: false
+    backup:
+      existingClaim: audiobookshelf-nfs-storage-backup
+      advancedMounts:
+        main:
+          main:
+            - path: /metadata/backups
+              readOnly: false
+    audiobooks:
+      existingClaim: audiobookshelf-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /mnt/store/
+              readOnly: false

clusters/cl01tl/applications/calibre-web-automated/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: calibre-web-automated
+version: 1.0.0
+description: Calibre Web Automated
+keywords:
+  - calibre-web-automated
+  - books
+home: https://wiki.alexlebens.dev/doc/calibre-web-automated-1SMf1jPFsb
+sources:
+  - https://github.com/crocodilestick/Calibre-Web-Automator
+  - https://hub.docker.com/r/crocodilestick/calibre-web-automated
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: calibre-web-automated
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/calibre-web.png
+appVersion: V2.1.2

clusters/cl01tl/applications/calibre-web-automated/templates/external-secret.yaml

@@ -0,0 +1,82 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: calibre-web-automated-gmail-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: calibre-web-automated-gmail-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: gmail.json
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/calibre-web/gmail
+        metadataPolicy: None
+        property: gmail.json
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: calibre-web-automated-config-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: calibre-web-automated-config-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/calibre-web-automated/calibre-web-automated-config"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: secret_key

clusters/cl01tl/applications/calibre-web-automated/templates/http-route.yaml

@@ -0,0 +1,62 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-calibre
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-calibre
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - calibre.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: calibre-web-automated-main
+          port: 8083
+          weight: 100
+
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-calibre-downloader
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-calibre-downloader
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - calibre-downloader.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: calibre-web-automated-downloader
+          port: 8084
+          weight: 100

clusters/cl01tl/applications/calibre-web-automated/templates/persistent-volume-claim.yaml

@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: calibre-web-automated-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: calibre-web-automated-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: calibre-web-automated-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: calibre-web-automated-ingest-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: calibre-web-automated-ingest-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: calibre-web-automated-ingest-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/applications/calibre-web-automated/templates/persistent-volume.yaml

@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: calibre-web-automated-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: calibre-web-automated-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage/Calibre
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac
+
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: calibre-web-automated-ingest-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: calibre-web-automated-ingest-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage/Calibre Import
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/applications/calibre-web-automated/templates/replication-source.yaml

@@ -0,0 +1,30 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: calibre-web-automated-config-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: calibre-web-automated-config-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: calibre-web-automated-config
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: calibre-web-automated-config-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    moverSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 100
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/applications/calibre-web-automated/values.yaml

@@ -0,0 +1,120 @@
+calibre-web-automated:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: crocodilestick/calibre-web-automated
+            tag: V3.0.4
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+            - name: PUID
+              value: 1000
+            - name: PGID
+              value: 100
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+    downloader:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/calibrain/calibre-web-automated-book-downloader
+            tag: latest@sha256:e4c205932b0ece06d76de09ba8569d5aa30768cc46d04beb3a24ddc0106043d6
+            pullPolicy: IfNotPresent
+          env:
+            - name: FLASK_PORT
+              value: 8084
+            - name: UID
+              value: 1000
+            - name: GID
+              value: 100
+            - name: USE_CF_BYPASS
+              value: true
+            - name: CLOUDFLARE_PROXY_URL
+              value: http://localhost:8000
+            - name: INGEST_DIR
+              value: /cwa-book-ingest
+            - name: BOOK_LANGUAGE
+              value: end
+          resources:
+            requests:
+              cpu: 10m
+              memory: 256Mi
+        bypass:
+          image:
+            repository: ghcr.io/sarperavci/cloudflarebypassforscraping
+            tag: latest@sha256:8e99847ae05bce24fe8a400bb9b30990a4cec32853f3975905eab95e05febefa
+            pullPolicy: IfNotPresent
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 8083
+          targetPort: 8083
+          protocol: HTTP
+    downloader:
+      controller: downloader
+      ports:
+        http:
+          port: 8084
+          targetPort: 8084
+          protocol: HTTP
+  persistence:
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 5Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /config
+              readOnly: false
+    gmail:
+      enabled: true
+      type: secret
+      name: calibre-web-automated-gmail-config
+      advancedMounts:
+        main:
+          main:
+            - path: /app/calibre-web/gmail.json
+              readOnly: true
+              mountPropagation: None
+              subPath: gmail.json
+    books:
+      existingClaim: calibre-web-automated-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /calibre-library
+              readOnly: false
+    ingest:
+      existingClaim: calibre-web-automated-ingest-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /cwa-book-ingest
+              readOnly: false
+        downloader:
+          main:
+            - path: /cwa-book-ingest
+              readOnly: false

clusters/cl01tl/applications/code-server/Chart.yaml

@@ -0,0 +1,28 @@
+apiVersion: v2
+name: code-server
+version: 1.0.0
+description: Code Server
+keywords:
+  - code-server
+  - code
+  - ide
+home: https://wiki.alexlebens.dev/doc/code-server-1WziinqCFS
+sources:
+  - https://github.com/coder/code-server
+  - https://github.com/cloudflare/cloudflared
+  - https://hub.docker.com/r/linuxserver/code-server
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+  - https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: code-server
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+  - name: cloudflared
+    alias: cloudflared
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+    version: 1.14.3
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/code-server.png
+appVersion: 4.96.1

clusters/cl01tl/applications/code-server/templates/external-secret.yaml

@@ -0,0 +1,55 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: codeserver-password-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: codeserver-password-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/code-server/auth
+        metadataPolicy: None
+        property: PASSWORD
+    - secretKey: SUDO_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/code-server/auth
+        metadataPolicy: None
+        property: SUDO_PASSWORD
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: code-server-cloudflared-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: code-server-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/codeserver
+        metadataPolicy: None
+        property: token

clusters/cl01tl/applications/code-server/templates/http-route.yaml

@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-code-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-code-server
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - code-server.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: code-server
+          port: 8443
+          weight: 100

clusters/cl01tl/applications/code-server/templates/persistent-volume-claim.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: code-server-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: code-server-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeMode: Filesystem
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/applications/code-server/values.yaml

@@ -0,0 +1,49 @@
+code-server:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/linuxserver/code-server
+            tag: 4.98.2@sha256:87fbf594ae4a6494d0623967fc4c7a42774945c9cf032b55c57128ca675f2221
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+            - name: PUID
+              value: 1000
+            - name: PGID
+              value: 1000
+            - name: DEFAULT_WORKSPACE
+              value: /config
+          envFrom:
+            - secretRef:
+                name: codeserver-password-secret
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 8443
+          targetPort: 8443
+          protocol: HTTP
+  persistence:
+    config:
+      existingClaim: code-server-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /config
+              readOnly: false
+cloudflared:
+  existingSecretName: code-server-cloudflared-secret

clusters/cl01tl/applications/directus/Chart.yaml

@@ -0,0 +1,44 @@
+apiVersion: v2
+name: directus
+version: 1.0.0
+description: Directus
+keywords:
+  - directus
+  - cms
+home: https://wiki.alexlebens.dev/doc/directus-EvV9wese9H
+sources:
+  - https://github.com/directus/directus
+  - https://github.com/minio/operator
+  - https://github.com/valkey-io/valkey
+  - https://github.com/cloudflare/cloudflared
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://hub.docker.com/r/directus/directus
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+  - https://github.com/minio/operator/tree/master/helm/tenant
+  - https://github.com/bitnami/charts/tree/main/bitnami/valkey
+  - https://github.com/alexlebens/helm-charts/charts/cloudflared
+  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: directus
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+  - name: tenant
+    alias: minio
+    version: 7.0.1
+    repository: https://operator.min.io/
+  - name: valkey
+    version: 2.4.6
+    repository: oci://harbor.alexlebens.net/proxy-registry-1.docker.io/bitnamicharts
+  - name: cloudflared
+    alias: cloudflared-directus
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+    version: 1.14.3
+  - name: postgres-cluster
+    alias: postgres-17-cluster
+    version: 4.2.1
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/directus.png
+appVersion: 11.3.2

clusters/cl01tl/applications/directus/templates/external-secret.yaml

@@ -0,0 +1,247 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: directus-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: admin-email
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/config
+        metadataPolicy: None
+        property: admin-email
+    - secretKey: admin-password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/config
+        metadataPolicy: None
+        property: admin-password
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/config
+        metadataPolicy: None
+        property: secret
+    - secretKey: key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/config
+        metadataPolicy: None
+        property: key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: directus-valkey-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-valkey-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: user
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/valkey
+        metadataPolicy: None
+        property: user
+    - secretKey: password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/valkey
+        metadataPolicy: None
+        property: password
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: directus-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: OIDC_CLIENT_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/directus
+        metadataPolicy: None
+        property: client
+    - secretKey: OIDC_CLIENT_SECRET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/directus
+        metadataPolicy: None
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: directus-minio-user-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-minio-user-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/minio/auth
+        metadataPolicy: None
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/minio/auth
+        metadataPolicy: None
+        property: AWS_SECRET_ACCESS_KEY
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: directus-minio-root-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-minio-root-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: config.env
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/minio/config
+        metadataPolicy: None
+        property: root-config.env
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: directus-minio-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-minio-config-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: config.env
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/directus/minio/config
+        metadataPolicy: None
+        property: config.env
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: directus-cloudflared-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/directus
+        metadataPolicy: None
+        property: token
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: directus-postgresql-17-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: secret

clusters/cl01tl/applications/directus/templates/http-route.yaml

@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-directus-minio
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-directus-minio
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - minio-directus.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: minio-directus-console
+          port: 9090
+          weight: 100

clusters/cl01tl/applications/directus/values.yaml

@@ -1,111 +1,84 @@
-apiVersion: apps/v1
+directus:
-kind: Deployment
+  controllers:
-metadata:
+    main:
-  name: directus
+      type: deployment
-  labels:
+      replicas: 1
-    app.kubernetes.io/controller: main
+      strategy: Recreate
-    app.kubernetes.io/instance: directus
+      revisionHistoryLimit: 3
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: directus
-    helm.sh/chart: directus-4.6.2
-  namespace: directus
-spec:
-  revisionHistoryLimit: 3
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app.kubernetes.io/controller: main
-      app.kubernetes.io/name: directus
-      app.kubernetes.io/instance: directus
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/controller: main
-        app.kubernetes.io/instance: directus
-        app.kubernetes.io/name: directus
-    spec:
-      enableServiceLinks: false
-      serviceAccountName: default
-      automountServiceAccountToken: true
-      hostIPC: false
-      hostNetwork: false
-      hostPID: false
-      dnsPolicy: ClusterFirst
       containers:
-        - env:
+        main:
+          image:
+            repository: directus/directus
+            tag: 11.5.1
+            pullPolicy: IfNotPresent
+          env:
             - name: PUBLIC_URL
               value: https://directus.alexlebens.dev
             - name: WEBSOCKETS_ENABLED
-              value: "true"
+              value: true
             - name: ADMIN_EMAIL
               valueFrom:
                 secretKeyRef:
-                  key: admin-email
                   name: directus-config
+                  key: admin-email
             - name: ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  key: admin-password
                   name: directus-config
+                  key: admin-password
             - name: SECRET
               valueFrom:
                 secretKeyRef:
-                  key: secret
                   name: directus-config
+                  key: secret
             - name: KEY
               valueFrom:
                 secretKeyRef:
-                  key: key
                   name: directus-config
+                  key: key
             - name: DB_CLIENT
               value: postgres
             - name: DB_HOST
               valueFrom:
                 secretKeyRef:
+                  name: directus-postgresql-17-cluster-app
                   key: host
-                  name: directus-postgresql-18-cluster-app
             - name: DB_DATABASE
               valueFrom:
                 secretKeyRef:
+                  name: directus-postgresql-17-cluster-app
                   key: dbname
-                  name: directus-postgresql-18-cluster-app
             - name: DB_PORT
               valueFrom:
                 secretKeyRef:
+                  name: directus-postgresql-17-cluster-app
                   key: port
-                  name: directus-postgresql-18-cluster-app
             - name: DB_USER
               valueFrom:
                 secretKeyRef:
+                  name: directus-postgresql-17-cluster-app
                   key: user
-                  name: directus-postgresql-18-cluster-app
             - name: DB_PASSWORD
               valueFrom:
                 secretKeyRef:
+                  name: directus-postgresql-17-cluster-app
                   key: password
-                  name: directus-postgresql-18-cluster-app
-            - name: SYNCHRONIZATION_STORE
-              value: redis
-            - name: CACHE_ENABLED
-              value: "true"
-            - name: CACHE_STORE
-              value: redis
             - name: REDIS_ENABLED
-              value: "true"
+              value: true
             - name: REDIS_HOST
-              value: redis-replication-directus-master
+              value: directus-valkey-primary
+            - name: REDIS_PORT
+              value: 6379
             - name: REDIS_USERNAME
               valueFrom:
                 secretKeyRef:
+                  name: directus-valkey-config
                   key: user
-                  name: directus-redis-config
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
+                  name: directus-valkey-config
                   key: password
-                  name: directus-redis-config
             - name: STORAGE_LOCATIONS
               value: s3
             - name: STORAGE_S3_DRIVER
@@ -113,22 +86,19 @@ spec:
             - name: STORAGE_S3_KEY
               valueFrom:
                 secretKeyRef:
+                  name: directus-minio-user-secret
                   key: AWS_ACCESS_KEY_ID
-                  name: ceph-bucket-directus
             - name: STORAGE_S3_SECRET
               valueFrom:
                 secretKeyRef:
+                  name: directus-minio-user-secret
                   key: AWS_SECRET_ACCESS_KEY
-                  name: ceph-bucket-directus
             - name: STORAGE_S3_BUCKET
-              valueFrom:
+              value: directus
-                configMapKeyRef:
-                  key: BUCKET_NAME
-                  name: ceph-bucket-directus
             - name: STORAGE_S3_REGION
               value: us-east-1
             - name: STORAGE_S3_ENDPOINT
-              value: http://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc:80
+              value: http://minio.directus:80
             - name: STORAGE_S3_FORCE_PATH_STYLE
               value: "true"
             - name: AUTH_PROVIDERS
@@ -138,13 +108,13 @@ spec:
             - name: AUTH_AUTHENTIK_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  key: OIDC_CLIENT_ID
                   name: directus-oidc-secret
+                  key: OIDC_CLIENT_ID
             - name: AUTH_AUTHENTIK_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  key: OIDC_CLIENT_SECRET
                   name: directus-oidc-secret
+                  key: OIDC_CLIENT_SECRET
             - name: AUTH_AUTHENTIK_SCOPE
               value: openid profile email
             - name: AUTH_AUTHENTIK_ISSUER_URL
@@ -152,22 +122,77 @@ spec:
             - name: AUTH_AUTHENTIK_IDENTIFIER_KEY
               value: email
             - name: AUTH_AUTHENTIK_ALLOW_PUBLIC_REGISTRATION
-              value: "true"
+              value: true
             - name: AUTH_AUTHENTIK_LABEL
               value: Authentik
             - name: TELEMETRY
-              value: "false"
+              value: false
-            - name: METRICS_ENABLED
-              value: "true"
-            - name: METRICS_TOKENS
-              valueFrom:
-                secretKeyRef:
-                  key: metric-token
-                  name: directus-metric-token
-          image: directus/directus:11.14.1
-          imagePullPolicy: IfNotPresent
-          name: main
           resources:
             requests:
               cpu: 10m
               memory: 256Mi
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 8055
+          protocol: TCP
+minio:
+  existingSecret:
+    name: directus-minio-root-secret
+  tenant:
+    name: minio-directus
+    configuration:
+      name: directus-minio-config-secret
+    pools:
+      - servers: 3
+        name: pool
+        volumesPerServer: 2
+        size: 10Gi
+        storageClassName: ceph-block
+    mountPath: /export
+    subPath: /data
+    metrics:
+      enabled: true
+      port: 9000
+      protocol: http
+    certificate:
+      requestAutoCert: false
+  ingress:
+    console:
+      enabled: false
+valkey:
+  architecture: standalone
+  auth:
+    enabled: true
+    existingSecret: directus-valkey-config
+    existingSecretPasswordKey: password
+    usePasswordFiles: false
+  primary:
+    persistence:
+      enabled: false
+  replica:
+    persistence:
+      enabled: false
+cloudflared-directus:
+  name: cloudflared-directus
+  existingSecretName: directus-cloudflared-secret
+postgres-17-cluster:
+  mode: standalone
+  cluster:
+    walStorage:
+      storageClass: local-path
+    storage:
+      storageClass: local-path
+    monitoring:
+      enabled: true
+  backup:
+    enabled: true
+    endpointURL: https://nyc3.digitaloceanspaces.com
+    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/directus/directus-postgresql-17-cluster
+    endpointCredentials: directus-postgresql-17-cluster-backup-secret
+    backupIndex: 2

clusters/cl01tl/applications/element-web/Chart.yaml

@@ -0,0 +1,27 @@
+apiVersion: v2
+name: element-web
+version: 1.0.0
+description: Element Web
+keywords:
+  - element-web
+  - chat
+  - matrix
+home: https://wiki.alexlebens.dev/doc/element-web-R4dzXXspgr
+sources:
+  - https://github.com/element-hq/element-web
+  - https://github.com/cloudflare/cloudflared
+  - https://hub.docker.com/r/vectorim/element-web
+  - https://gitlab.com/ananace/charts/-/tree/master/charts/element-web
+  - https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: element-web
+    version: 1.4.5
+    repository: https://ananace.gitlab.io/charts
+  - name: cloudflared
+    alias: cloudflared
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+    version: 1.14.3
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/element.png
+appVersion: v1.11.88

clusters/cl01tl/applications/element-web/templates/external-secret.yaml

@@ -1,15 +1,14 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: element-web-cloudflared-secret
-  namespace: element-web
+  namespace: {{ .Release.Namespace }}
   labels:
-    helm.sh/chart: cloudflared-2.1.9
-    app.kubernetes.io/instance: element-web
-    app.kubernetes.io/part-of: element-web
-    app.kubernetes.io/version: "2.1.9"
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: element-web-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
@@ -19,6 +18,6 @@ spec:
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /cloudflare/tunnels/element-web
+        key: /cloudflare/tunnels/element
         metadataPolicy: None
         property: token

clusters/cl01tl/applications/element-web/values.yaml

@@ -0,0 +1,28 @@
+element-web:
+  replicaCount: 1
+  image:
+    repository: vectorim/element-web
+    tag: v1.11.95
+    pullPolicy: IfNotPresent
+  defaultServer:
+    url: https://matrix.alexlebens.dev
+    name: alexlebens.dev
+    identity_url: https://alexlebens.dev
+  config:
+    disable_3pid_login: true
+    brand: "Alex Lebens"
+    branding:
+      welcome_background_url: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/background-4.jpg
+      auth_header_logo_url: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/icon_white.png
+    sso_redirect_options:
+      immediate: true
+    default_theme: dark
+    default_country_code: US
+  ingress:
+    enabled: false
+  resources:
+    requests:
+      cpu: 10m
+      memory: 128Mi
+cloudflared:
+  existingSecretName: element-web-cloudflared-secret

clusters/cl01tl/applications/freshrss/Chart.yaml

@@ -0,0 +1,33 @@
+apiVersion: v2
+name: freshrss
+version: 1.0.0
+description: FreshRSS
+keywords:
+  - freshrss
+  - rss
+home: https://wiki.alexlebens.dev/doc/freshrss-W6nFVTmKJw
+sources:
+  - https://github.com/FreshRSS/FreshRSS
+  - https://github.com/cloudflare/cloudflared
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://hub.docker.com/r/freshrss/freshrss
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+  - https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
+  - https://github.com/alexlebens/helm-charts/tree/main/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: freshrss
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+  - name: cloudflared
+    alias: cloudflared
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+    version: 1.14.3
+  - name: postgres-cluster
+    alias: postgres-17-cluster
+    version: 4.2.1
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/freshrss.png
+appVersion: 1.24.3

clusters/cl01tl/applications/freshrss/templates/external-secret.yaml

@@ -0,0 +1,192 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: freshrss-install-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: freshrss-install-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ADMIN_EMAIL
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/freshrss/config
+        metadataPolicy: None
+        property: ADMIN_EMAIL
+    - secretKey: ADMIN_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/freshrss/config
+        metadataPolicy: None
+        property: ADMIN_PASSWORD
+    - secretKey: ADMIN_API_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/freshrss/config
+        metadataPolicy: None
+        property: ADMIN_API_PASSWORD
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: freshrss-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: OIDC_CLIENT_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/freshrss
+        metadataPolicy: None
+        property: client
+    - secretKey: OIDC_CLIENT_SECRET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/freshrss
+        metadataPolicy: None
+        property: secret
+    - secretKey: OIDC_CLIENT_CRYPTO_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/freshrss
+        metadataPolicy: None
+        property: crypto-key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: freshrss-cloudflared-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: freshrss-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/freshrss
+        metadataPolicy: None
+        property: token
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: freshrss-data-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: freshrss-data-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/freshrss/freshrss-data"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: secret_key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: freshrss-postgresql-17-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: freshrss-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: secret

clusters/cl01tl/applications/freshrss/templates/replication-source.yaml

@@ -1,33 +1,32 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
-  name: freshrss-data-backup-source-local
+  name: freshrss-data-backup-source
-  namespace: freshrss
+  namespace: {{ .Release.Namespace }}
   labels:
-    helm.sh/chart: volsync-target-data-0.7.0
+    app.kubernetes.io/name: freshrss-data-backup-source
-    app.kubernetes.io/instance: freshrss
+    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: freshrss
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
-    app.kubernetes.io/version: "0.7.0"
+    app.kubernetes.io/component: backup
-    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: {{ .Release.Name }}
-    app.kubernetes.io/name: freshrss-data-backup
 spec:
   sourcePVC: freshrss-data
   trigger:
-    schedule: 18 8 * * *
+    schedule: 0 4 * * *
   restic:
     pruneIntervalDays: 7
-    repository: freshrss-data-backup-secret-local
+    repository: freshrss-data-backup-secret
     retain:
-      daily: 7
+      hourly: 1
-      hourly: 0
+      daily: 3
-      monthly: 3
+      weekly: 2
-      weekly: 4
+      monthly: 2
-      yearly: 1
+      yearly: 4
     moverSecurityContext:
+      runAsUser: 568
+      runAsGroup: 568
       fsGroup: 568
       fsGroupChangePolicy: OnRootMismatch
-      runAsGroup: 568
-      runAsUser: 568
       supplementalGroups:
         - 44
         - 100
@@ -36,4 +35,3 @@ spec:
     copyMethod: Snapshot
     storageClassName: ceph-block
     volumeSnapshotClassName: ceph-blockpool-snapshot
-    cacheCapacity: 1Gi

clusters/cl01tl/applications/freshrss/values.yaml

@@ -1,40 +1,19 @@
-apiVersion: apps/v1
+freshrss:
-kind: Deployment
+  controllers:
-metadata:
+    main:
-  name: freshrss
+      type: deployment
-  labels:
+      replicas: 1
-    app.kubernetes.io/controller: main
+      strategy: Recreate
-    app.kubernetes.io/instance: freshrss
+      revisionHistoryLimit: 3
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: freshrss
-    helm.sh/chart: freshrss-4.6.2
-  namespace: freshrss
-spec:
-  revisionHistoryLimit: 3
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app.kubernetes.io/controller: main
-      app.kubernetes.io/name: freshrss
-      app.kubernetes.io/instance: freshrss
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/controller: main
-        app.kubernetes.io/instance: freshrss
-        app.kubernetes.io/name: freshrss
-    spec:
-      enableServiceLinks: false
-      serviceAccountName: default
-      automountServiceAccountToken: true
-      hostIPC: false
-      hostNetwork: false
-      hostPID: false
-      dnsPolicy: ClusterFirst
       initContainers:
-        - command:
+        init-download-extension-1:
+          securityContext:
+            runAsUser: 0
+          image:
+            repository: alpine
+            tag: 3.21.3
+            pullPolicy: IfNotPresent
+          command:
             - /bin/sh
             - -ec
             - |
@@ -47,19 +26,18 @@ spec:
               rm -rf /var/www/FreshRSS/extensions/xExtension-YouTubeChannel2RssFeed
               cp -r xExtension-YouTubeChannel2RssFeed /var/www/FreshRSS/extensions
               chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-YouTubeChannel2RssFeed
-          image: alpine:3.23.2
-          imagePullPolicy: IfNotPresent
-          name: init-download-extension-1
           resources:
             requests:
-              cpu: 10m
+              cpu: 100m
               memory: 128Mi
+        init-download-extension-2:
           securityContext:
             runAsUser: 0
-          volumeMounts:
+          image:
-            - mountPath: /var/www/FreshRSS/extensions
+            repository: alpine
-              name: extensions
+            tag: 3.21.3
-        - command:
+            pullPolicy: IfNotPresent
+          command:
             - /bin/sh
             - -ec
             - |
@@ -71,44 +49,18 @@ spec:
               git checkout;
               rm -rf /var/www/FreshRSS/extensions/xExtension-ImageProxy
               cp -r xExtension-ImageProxy /var/www/FreshRSS/extensions
-              chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-ImageProxy
+              chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-YouTubeChannel2RssFeed
-          image: alpine:3.23.2
-          imagePullPolicy: IfNotPresent
-          name: init-download-extension-2
           resources:
             requests:
-              cpu: 10m
+              cpu: 100m
               memory: 128Mi
-          securityContext:
-            runAsUser: 0
-          volumeMounts:
-            - mountPath: /var/www/FreshRSS/extensions
-              name: extensions
-        - command:
-            - /bin/sh
-            - -ec
-            - |
-              cd /tmp;
-              wget https://github.com/zimmra/xExtension-karakeep-button/archive/refs/tags/v1.1.tar.gz;
-              tar -xvzf *.tar.gz;
-              rm -rf /var/www/FreshRSS/extensions/xExtension-karakeep-button
-              mkdir /var/www/FreshRSS/extensions/xExtension-karakeep-button
-              cp -r /tmp/xExtension-karakeep-button-*/* /var/www/FreshRSS/extensions/xExtension-karakeep-button
-              chown -R 568:568 /var/www/FreshRSS/extensions/xExtension-karakeep-button
-          image: alpine:3.23.2
-          imagePullPolicy: IfNotPresent
-          name: init-download-extension-3
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
-          securityContext:
-            runAsUser: 0
-          volumeMounts:
-            - mountPath: /var/www/FreshRSS/extensions
-              name: extensions
       containers:
-        - env:
+        main:
+          image:
+            repository: freshrss/freshrss
+            tag: 1.26.1
+            pullPolicy: IfNotPresent
+          env:
             - name: PGID
               value: "568"
             - name: PUID
@@ -124,23 +76,23 @@ spec:
             - name: DB_HOST
               valueFrom:
                 secretKeyRef:
+                  name: freshrss-postgresql-17-cluster-app
                   key: host
-                  name: freshrss-postgresql-18-cluster-app
             - name: DB_BASE
               valueFrom:
                 secretKeyRef:
+                  name: freshrss-postgresql-17-cluster-app
                   key: dbname
-                  name: freshrss-postgresql-18-cluster-app
             - name: DB_USER
               valueFrom:
                 secretKeyRef:
+                  name: freshrss-postgresql-17-cluster-app
                   key: user
-                  name: freshrss-postgresql-18-cluster-app
             - name: DB_PASSWORD
               valueFrom:
                 secretKeyRef:
+                  name: freshrss-postgresql-17-cluster-app
                   key: password
-                  name: freshrss-postgresql-18-cluster-app
             - name: FRESHRSS_INSTALL
               value: |
                 --api-enabled
@@ -161,7 +113,7 @@ spec:
                 --password $(ADMIN_PASSWORD)
                 --user admin
             - name: OIDC_ENABLED
-              value: "1"
+              value: 1
             - name: OIDC_PROVIDER_METADATA_URL
               value: https://auth.alexlebens.dev/application/o/freshrss/.well-known/openid-configuration
             - name: OIDC_X_FORWARDED_HEADERS
@@ -175,22 +127,61 @@ spec:
                 name: freshrss-oidc-secret
             - secretRef:
                 name: freshrss-install-secret
-          image: freshrss/freshrss:1.28.0
-          imagePullPolicy: IfNotPresent
-          name: main
           resources:
             requests:
               cpu: 10m
               memory: 128Mi
-          volumeMounts:
+  serviceAccount:
-            - mountPath: /var/www/FreshRSS/data
+    create: true
-              name: data
+  service:
-            - mountPath: /var/www/FreshRSS/extensions
+    main:
-              name: extensions
+      controller: main
-      volumes:
+      ports:
-        - name: data
+        http:
-          persistentVolumeClaim:
+          port: 80
-            claimName: freshrss-data
+          targetPort: 80
-        - name: extensions
+          protocol: HTTP
-          persistentVolumeClaim:
+  persistence:
-            claimName: freshrss-extensions
+    data:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 5Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /var/www/FreshRSS/data
+              readOnly: false
+    extensions:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 1Gi
+      retain: true
+      advancedMounts:
+        main:
+          init-download-extension-1:
+            - path: /var/www/FreshRSS/extensions
+              readOnly: false
+          init-download-extension-2:
+            - path: /var/www/FreshRSS/extensions
+              readOnly: false
+          main:
+            - path: /var/www/FreshRSS/extensions
+              readOnly: false
+cloudflared:
+  existingSecretName: freshrss-cloudflared-secret
+postgres-17-cluster:
+  mode: standalone
+  cluster:
+    walStorage:
+      storageClass: local-path
+    storage:
+      storageClass: local-path
+    monitoring:
+      enabled: true
+  backup:
+    enabled: true
+    endpointURL: https://nyc3.digitaloceanspaces.com
+    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/freshrss/freshrss-postgresql-17-cluster
+    endpointCredentials: freshrss-postgresql-17-cluster-backup-secret
+    backupIndex: 3

clusters/cl01tl/applications/hoarder/Chart.yaml

@@ -0,0 +1,32 @@
+apiVersion: v2
+name: hoarder
+version: 1.0.0
+description: Hoarder
+keywords:
+  - hoarder
+  - bookmarks
+home: https://wiki.alexlebens.dev/doc/hoarder-
+sources:
+  - https://github.com/hoarder-app/hoarder
+  - https://github.com/cloudflare/cloudflared
+  - https://github.com/meilisearch/meilisearch
+  - https://github.com/hoarder-app/hoarder/pkgs/container/hoarder
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+  - https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
+  - https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: hoarder
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+  - name: meilisearch
+    version: 0.12.0
+    repository: https://meilisearch.github.io/meilisearch-kubernetes
+  - name: cloudflared
+    alias: cloudflared
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+    version: 1.14.3
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/svg/hoarder.svg
+appVersion: 0.19.0

clusters/cl01tl/applications/hoarder/templates/external-secret.yaml

@@ -0,0 +1,164 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: hoarder-key-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: hoarder-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/hoarder/key
+        metadataPolicy: None
+        property: key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: hoarder-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: hoarder-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: AUTHENTIK_CLIENT_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/hoarder
+        metadataPolicy: None
+        property: client
+    - secretKey: AUTHENTIK_CLIENT_SECRET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/hoarder
+        metadataPolicy: None
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: hoarder-meilisearch-master-key-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: hoarder-meilisearch-master-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: meilisearch
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: MEILI_MASTER_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/hoarder/meilisearch
+        metadataPolicy: None
+        property: MEILI_MASTER_KEY
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: hoarder-cloudflared-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: hoarder-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/hoarder
+        metadataPolicy: None
+        property: token
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: hoarder-data-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: hoarder-data-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/hoarder/hoarder-data"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: secret_key

clusters/cl01tl/applications/hoarder/templates/replication-source.yaml

@@ -0,0 +1,27 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: hoarder-data-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: hoarder-data-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: hoarder-data
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: hoarder-data-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/applications/hoarder/values.yaml

@@ -0,0 +1,128 @@
+hoarder:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/hoarder-app/hoarder
+            tag: 0.23.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: DATA_DIR
+              value: /data
+            - name: NEXTAUTH_URL
+              value: https://hoarder.alexlebens.dev/
+            - name: NEXTAUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: hoarder-key-secret
+                  key: key
+            - name: MEILI_ADDR
+              value: http://hoarder-meilisearch.hoarder:7700
+            - name: MEILI_MASTER_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: hoarder-meilisearch-master-key-secret
+                  key: MEILI_MASTER_KEY
+            - name: BROWSER_WEB_URL
+              value: http://hoarder.hoarder:9222
+            - name: DISABLE_SIGNUPS
+              value: false
+            - name: OAUTH_PROVIDER_NAME
+              value: "Authentik"
+            - name: OAUTH_WELLKNOWN_URL
+              value: https://auth.alexlebens.dev/application/o/hoarder/.well-known/openid-configuration
+            - name: OAUTH_SCOPE
+              value: "openid email profile"
+            - name: OAUTH_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: hoarder-oidc-secret
+                  key: AUTHENTIK_CLIENT_ID
+            - name: OAUTH_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: hoarder-oidc-secret
+                  key: AUTHENTIK_CLIENT_SECRET
+            - name: OLLAMA_BASE_URL
+              value: http://ollama-server-1.ollama:11434
+            - name: OLLAMA_KEEP_ALIVE
+              value: 5m
+            - name: INFERENCE_TEXT_MODEL
+              value: llama3.1:8b
+            - name: INFERENCE_IMAGE_MODEL
+              value: llama3.2-vision:11b
+            - name: EMBEDDING_TEXT_MODEL
+              value: mxbai-embed-large
+            - name: INFERENCE_JOB_TIMEOUT_SEC
+              value: 720
+          resources:
+            requests:
+              cpu: 10m
+              memory: 256Mi
+        chrome:
+          image:
+            repository: gcr.io/zenika-hub/alpine-chrome
+            tag: 124
+            pullPolicy: IfNotPresent
+          args:
+            - --no-sandbox
+            - --disable-gpu
+            - --disable-dev-shm-usage
+            - --remote-debugging-address=0.0.0.0
+            - --remote-debugging-port=9222
+            - --hide-scrollbars
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 3000
+          targetPort: 3000
+          protocol: HTTP
+        chrome:
+          port: 9222
+          targetPort: 9222
+          protocol: HTTP
+  persistence:
+    data:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 10Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /data
+              readOnly: false
+meilisearch:
+  environment:
+    MEILI_NO_ANALYTICS: true
+    MEILI_ENV: production
+  auth:
+    existingMasterKeySecret: hoarder-meilisearch-master-key-secret
+  service:
+    type: ClusterIP
+    port: 7700
+  persistence:
+    enabled: true
+    storageClass: ceph-block
+    size: 10Gi
+  resources:
+    requests:
+      cpu: 10m
+      memory: 128Mi
+  serviceMonitor:
+    enabled: true
+cloudflared:
+  existingSecretName: hoarder-cloudflared-secret

clusters/cl01tl/applications/home-assistant/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: home-assistant
+version: 1.0.0
+description: Home Assistant
+keywords:
+  - home-assistant
+  - home
+  - automation
+home: https://wiki.alexlebens.dev/doc/home-assistant-
+sources:
+  - https://www.home-assistant.io/
+  - https://github.com/home-assistant/core
+  - https://github.com/home-assistant/core/pkgs/container/home-assistant
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: home-assistant
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/webp/home-assistant.webp
+appVersion: 2025.3.1

clusters/cl01tl/applications/home-assistant/templates/external-secret.yaml

@@ -1,12 +1,14 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: home-assistant-code-server-password-secret
-  namespace: home-assistant
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: home-assistant-code-server-password-secret
-    app.kubernetes.io/instance: home-assistant
+    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: home-assistant
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore

clusters/cl01tl/applications/home-assistant/templates/http-route.yaml

@@ -0,0 +1,62 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-home-assistant
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-home-assistant
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - home-assistant.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: home-assistant-main
+          port: 80
+          weight: 100
+
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-home-assistant-code-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-home-assistant-code-server
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - home-assistant-code-server.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: home-assistant-code-server
+          port: 8443
+          weight: 100

clusters/cl01tl/applications/home-assistant/templates/service-monitor.yaml

@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: home-assistant
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: home-assistant
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  endpoints:
+    - port: http
+      interval: 3m
+      scrapeTimeout: 1m
+      path: /api/prometheus
+      bearerTokenSecret:
+        name: secretName
+        key: secretKey

clusters/cl01tl/applications/home-assistant/values.yaml

@@ -0,0 +1,71 @@
+home-assistant:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/home-assistant/home-assistant
+            tag: 2025.3.3
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+          resources:
+            requests:
+              cpu: 1
+              memory: 2Gi
+        code-server:
+          image:
+            repository: ghcr.io/linuxserver/code-server
+            tag: 4.98.2@sha256:87fbf594ae4a6494d0623967fc4c7a42774945c9cf032b55c57128ca675f2221
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+            - name: PUID
+              value: 1000
+            - name: PGID
+              value: 1000
+            - name: DEFAULT_WORKSPACE
+              value: /config
+          envFrom:
+            - secretRef:
+                name: home-assistant-code-server-password-secret
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 8123
+          protocol: TCP
+    code-server:
+      controller: main
+      ports:
+        http:
+          port: 8443
+          targetPort: 8443
+          protocol: HTTP
+  persistence:
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 5Gi
+      advancedMounts:
+        main:
+          main:
+            - path: /config
+              readOnly: false
+          code-server:
+            - path: /config/home-assistant
+              readOnly: false

clusters/cl01tl/applications/homepage-dev/Chart.yaml

@@ -0,0 +1,27 @@
+apiVersion: v2
+name: homepage
+version: 1.0.0
+description: Homepage
+keywords:
+  - homepage
+  - dashboard
+home: https://wiki.alexlebens.dev/doc/homepage-dev-crZPAd8FEj
+sources:
+  - https://github.com/gethomepage/homepage
+  - https://github.com/cloudflare/cloudflared
+  - https://github.com/gethomepage/homepage/pkgs/container/homepage
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+  - https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: homepage
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+  - name: cloudflared
+    alias: cloudflared
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+    version: 1.14.3
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/homepage.png
+appVersion: v0.10.0

clusters/cl01tl/applications/homepage-dev/templates/external-secret.yaml

@@ -1,15 +1,14 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: homepage-dev-cloudflared-secret
-  namespace: homepage-dev
+  namespace: {{ .Release.Namespace }}
   labels:
-    helm.sh/chart: cloudflared-2.1.9
-    app.kubernetes.io/instance: homepage-dev
-    app.kubernetes.io/part-of: homepage-dev
-    app.kubernetes.io/version: "2.1.9"
-    app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: homepage-dev-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore

clusters/cl01tl/applications/homepage-dev/values.yaml

@@ -0,0 +1,157 @@
+homepage:
+  global:
+    nameOverride: homepage
+  controllers:
+    main:
+      type: deployment
+      annotations:
+        reloader.stakater.com/auto: "true"
+      strategy: Recreate
+      containers:
+        main:
+          image:
+            repository: ghcr.io/gethomepage/homepage
+            tag: v1.0.4
+            pullPolicy: IfNotPresent
+          env:
+            - name: HOMEPAGE_ALLOWED_HOSTS
+              value: home.alexlebens.dev
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  serviceAccount:
+    create: true
+  configMaps:
+    config:
+      enabled: true
+      data:
+        docker.yaml: ""
+        kubernetes.yaml: ""
+        settings.yaml: |
+          favicon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/icon_white.png
+          headerStyle: clean
+          hideVersion: true
+          color: zinc
+          background:
+            image: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/background-4.jpg
+            brightness: 50
+          theme: dark
+          disableCollapse: true
+        widgets.yaml: |
+          - logo:
+              icon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/icon_white.png
+          - datetime:
+              text_size: xl
+              format:
+                dateStyle: long
+                timeStyle: short
+                hour12: false
+          - openmeteo:
+              label: St. Paul
+              latitude: 44.954445
+              longitude: -93.091301
+              timezone: America/Chicago
+              units: metric
+              cache: 5
+              format:
+                maximumFractionDigits: 0
+        services.yaml: |
+          - Applications:
+              - Auth:
+                  icon: sh-authentik.svg
+                  description: Authentik
+                  href: https://auth.alexlebens.dev
+                  siteMonitor: https://auth.alexlebens.dev
+                  statusStyle: dot
+              - Gitea:
+                  icon: sh-gitea.svg
+                  description: Gitea
+                  href: https://gitea.alexlebens.dev
+                  siteMonitor: https://gitea.alexlebens.dev
+                  statusStyle: dot
+              - Site:
+                  icon: https://d21zlbwtcn424f.cloudfront.net/icon_white.png
+                  description: Profile Website
+                  href: https://www.alexlebens.dev
+                  siteMonitor: https://www.alexlebens.dev
+                  statusStyle: dot
+              - Content Management:
+                  icon: directus.png
+                  description: Directus
+                  href: https://directus.alexlebens.dev
+                  siteMonitor: https://directus.alexlebens.dev
+                  statusStyle: dot
+              - Chat:
+                  icon: sh-element.svg
+                  description: Matrix
+                  href: https://chat.alexlebens.dev
+                  siteMonitor: https://chat.alexlebens.dev
+                  statusStyle: dot
+              - Wiki:
+                  icon: sh-outline.svg
+                  description: Outline
+                  href: https://wiki.alexlebens.dev
+                  siteMonitor: https://wiki.alexlebens.dev
+                  statusStyle: dot
+              - Passwords:
+                  icon: sh-vaultwarden-light.svg
+                  description: Vaultwarden
+                  href: https://passwords.alexlebens.dev
+                  siteMonitor: https://passwords.alexlebens.dev
+                  statusStyle: dot
+              - Bookmarks:
+                  icon: sh-hoarder-light.svg
+                  description: Hoader
+                  href: https://hoarder.alexlebens.dev
+                  siteMonitor: https://hoarder.alexlebens.dev
+                  statusStyle: dot
+              - RSS:
+                  icon: sh-freshrss.svg
+                  description: FreshRSS
+                  href: https://rss.alexlebens.dev
+                  siteMonitor: https://rss.alexlebens.dev
+                  statusStyle: dot
+        bookmarks.yaml: ""
+  service:
+    http:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 3000
+          protocol: HTTP
+  persistence:
+    config:
+      enabled: true
+      type: configMap
+      name: homepage-dev-config
+      advancedMounts:
+        main:
+          main:
+            - path: /app/config/bookmarks.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: bookmarks.yaml
+            - path: /app/config/docker.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: docker.yaml
+            - path: /app/config/kubernetes.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: kubernetes.yaml
+            - path: /app/config/services.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: services.yaml
+            - path: /app/config/settings.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: settings.yaml
+            - path: /app/config/widgets.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: widgets.yaml
+cloudflared:
+  existingSecretName: homepage-dev-cloudflared-secret

clusters/cl01tl/applications/homepage/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: homepage
+version: 1.0.0
+description: Homepage
+keywords:
+  - homepage
+  - dashboard
+home: https://wiki.alexlebens.dev/doc/homepage-s2clWoI5EC
+sources:
+  - https://github.com/gethomepage/homepage
+  - https://github.com/gethomepage/homepage/pkgs/container/homepage
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: homepage
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/homepage.png
+appVersion: v0.10.0

clusters/cl01tl/applications/homepage/templates/cluster-role-binding.yaml

@@ -2,11 +2,13 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: homepage
-  namespace: homepage
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: homepage
-    app.kubernetes.io/instance: homepage
+    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: homepage
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -14,4 +16,4 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: homepage
-    namespace: homepage
+    namespace: {{ .Release.Namespace }}

clusters/cl01tl/applications/homepage/templates/cluster-role.yaml

@@ -2,11 +2,13 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: homepage
-  namespace: homepage
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: homepage
-    app.kubernetes.io/instance: homepage
+    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: homepage
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 rules:
   - apiGroups:
       - ""
@@ -26,20 +28,13 @@ rules:
       - get
       - list
   - apiGroups:
+      - traefik.containo.us
       - traefik.io
     resources:
       - ingressroutes
     verbs:
       - get
       - list
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - httproutes
-      - gateways
-    verbs:
-      - get
-      - list
   - apiGroups:
       - metrics.k8s.io
     resources:
@@ -48,3 +43,9 @@ rules:
     verbs:
       - get
       - list
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions/status
+    verbs:
+      - get

clusters/cl01tl/applications/homepage/templates/external-secret.yaml

@@ -1,12 +1,14 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: homepage-keys-secret
-  namespace: homepage
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: homepage-keys-secret
-    app.kubernetes.io/instance: homepage
+    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: homepage
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore

clusters/cl01tl/applications/homepage/templates/http-route.yaml

@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-homepage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-homepage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - home.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: homepage
+          port: 80
+          weight: 100

clusters/cl01tl/applications/homepage/templates/service.yaml

@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-ps10rp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-ps10rp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: tailscale
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    tailscale.com/tailnet-fqdn: gitea-ps10rp.boreal-beaufort.ts.net
+spec:
+  externalName: placeholder
+  type: ExternalName
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: home-ps10rp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: home-ps10rp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: tailscale
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    tailscale.com/tailnet-fqdn: home-ps10rp.boreal-beaufort.ts.net
+spec:
+  externalName: placeholder
+  type: ExternalName

clusters/cl01tl/applications/homepage/values.yaml

@@ -0,0 +1,687 @@
+homepage:
+  global:
+    nameOverride: homepage
+  controllers:
+    main:
+      type: deployment
+      annotations:
+        reloader.stakater.com/auto: "true"
+      strategy: Recreate
+      containers:
+        main:
+          image:
+            repository: ghcr.io/gethomepage/homepage
+            tag: v1.0.4
+            pullPolicy: IfNotPresent
+          env:
+            - name: HOMEPAGE_ALLOWED_HOSTS
+              value: home.alexlebens.net
+          envFrom:
+            - secretRef:
+                name: homepage-keys-secret
+          resources:
+            requests:
+              cpu: 10m
+              memory: 256Mi
+  serviceAccount:
+    create: true
+    name: homepage
+  configMaps:
+    config:
+      enabled: true
+      data:
+        docker.yaml: ""
+        kubernetes.yaml: |
+          mode: cluster
+        settings.yaml: |
+          favicon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/icon_white.png
+          headerStyle: clean
+          hideVersion: true
+          color: zinc
+          background:
+            image: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/background-4.jpg
+            brightness: 50
+          theme: dark
+          disableCollapse: true
+          layout:
+            - Media:
+                tab: Applications
+                icon: mdi-multimedia-#ffffff
+            - Public:
+                tab: Applications
+                icon: mdi-earth-#ffffff
+            - Internal:
+                tab: Applications
+                icon: mdi-security-network-#ffffff
+            - Code:
+                tab: Tools
+                icon: mdi-code-block-braces-#ffffff
+            - Monitoring:
+                tab: Tools
+                icon: mdi-chart-line-#ffffff
+            - Services:
+                tab: Services
+                icon: mdi-toolbox-outline-#ffffff
+            - Hardware:
+                tab: Services
+                icon: mdi-server-network-#ffffff
+            - Storage:
+                tab: Services
+                icon: mdi-database-#ffffff
+            - TV Shows:
+                tab: Servarr
+                icon: mdi-television-#ffffff
+            - Movies:
+                tab: Servarr
+                icon: mdi-filmstrip-#ffffff
+            - Music:
+                tab: Servarr
+                icon: mdi-music-box-multiple-#ffffff
+            - Services (Servarr):
+                tab: Servarr
+                icon: mdi-radar-#ffffff
+            - External Services:
+                tab: Bookmarks
+                icon: mdi-cloud-#ffffff
+            - Other Homes:
+                tab: Bookmarks
+                icon: mdi-cloud-#ffffff
+            - Trackers:
+                tab: Bookmarks
+                icon: mdi-cloud-#ffffff
+        widgets.yaml: |
+          - logo:
+              icon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/icon_white.png
+          - kubernetes:
+              cluster:
+                show: true
+                cpu: true
+                memory: true
+                showLabel: false
+                label: "Cluster"
+              nodes:
+                show: false
+          - datetime:
+              text_size: xl
+              format:
+                dateStyle: long
+                timeStyle: short
+                hour12: false
+          - openmeteo:
+              label: St. Paul
+              latitude: 44.954445
+              longitude: -93.091301
+              timezone: America/Chicago
+              units: metric
+              cache: 5
+              format:
+                maximumFractionDigits: 0
+        services.yaml: |
+          - Media:
+              - Plex:
+                  icon: sh-plex.svg
+                  description: Media server
+                  href: https://plex.alexlebens.net
+                  siteMonitor: http://plex.plex:32400
+                  statusStyle: dot
+              - Media Requests:
+                  icon: sh-overseerr.svg
+                  description: Overseer
+                  href: https://overseerr.alexlebens.net
+                  siteMonitor: http://overseerr.overseerr:80
+                  statusStyle: dot
+              - Jellyfin:
+                  icon: sh-jellyfin.svg
+                  description: Media server
+                  href: https://jellyfin.alexlebens.net
+                  siteMonitor: http://jellyfin.jellyfin:80
+                  statusStyle: dot
+              - Youtube Archive:
+                  icon: sh-tube-archivist-light.png
+                  description: TubeAchivist
+                  href: https://tubearchivist.alexlebens.net/login
+                  siteMonitor: http://tubearchivist.tubearchivist:80
+                  statusStyle: dot
+              - Photos:
+                  icon: sh-immich.svg
+                  description: Immich
+                  href: https://immich.alexlebens.net
+                  siteMonitor: http://immich-main.immich:2283
+                  statusStyle: dot
+              - Podcasts and Audiobooks:
+                  icon: sh-audiobookshelf.svg
+                  description: Audiobookshelf
+                  href: https://audiobookshelf.alexlebens.net
+                  siteMonitor: http://audiobookshelf.audiobookshelf:80
+                  statusStyle: dot
+              - Books:
+                  icon: sh-calibre-web-light.svg
+                  description: Calibre Web Automated
+                  href: https://calibre.alexlebens.net
+                  siteMonitor: http://calibre-web-automated-main.calibre-web-automated:8083
+                  statusStyle: dot
+          - Public:
+              - Site:
+                  icon: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/icon_white.png
+                  description: Profile Website
+                  href: https://www.alexlebens.dev
+                  siteMonitor: https://www.alexlebens.dev
+                  statusStyle: dot
+              - Content Management:
+                  icon: directus.png
+                  description: Directus
+                  href: https://directus.alexlebens.dev
+                  siteMonitor: https://directus.alexlebens.dev
+                  statusStyle: dot
+              - Chat:
+                  icon: sh-element.svg
+                  description: Matrix
+                  href: https://chat.alexlebens.dev
+                  siteMonitor: https://chat.alexlebens.dev
+                  statusStyle: dot
+              - Wiki:
+                  icon: sh-outline.svg
+                  description: Outline
+                  href: https://wiki.alexlebens.dev
+                  siteMonitor: https://wiki.alexlebens.dev
+                  statusStyle: dot
+              - Passwords:
+                  icon: sh-vaultwarden-light.svg
+                  description: Vaultwarden
+                  href: https://passwords.alexlebens.dev
+                  siteMonitor: https://passwords.alexlebens.dev
+                  statusStyle: dot
+              - Bookmarks:
+                  icon: sh-hoarder-light.svg
+                  description: Hoader
+                  href: https://hoarder.alexlebens.dev
+                  siteMonitor: https://hoarder.alexlebens.dev
+                  statusStyle: dot
+              - RSS:
+                  icon: sh-freshrss.svg
+                  description: FreshRSS
+                  href: https://rss.alexlebens.dev
+                  siteMonitor: https://rss.alexlebens.dev
+                  statusStyle: dot
+          - Internal:
+              - Home Automation:
+                  icon: sh-home-assistant.svg
+                  description: Home Assistant
+                  href: https://home-assistant.alexlebens.net
+                  siteMonitor: http://home-assistant-main.home-assistant:80
+                  statusStyle: dot
+              - AI:
+                  icon: sh-ollama-light.svg
+                  description: Ollama
+                  href: https://ollama.alexlebens.net
+                  siteMonitor: http://ollama-web.ollama:80
+                  statusStyle: dot
+              - AI Image:
+                  icon: https://user-images.githubusercontent.com/36368048/196280761-1535f413-a91e-4b6a-af6a-b890f8ae204c.png
+                  description: Stable Diffusion
+                  href: https://stable-diffusion-pd05wd.boreal-beaufort.ts.net
+                  siteMonitor: https://stable-diffusion-pd05wd.boreal-beaufort.ts.net
+                  statusStyle: dot
+              - Search:
+                  icon: sh-searxng.svg
+                  description: Searxng
+                  href: https://searxng.alexlebens.net/
+                  siteMonitor: http://searxng-browser.searxng:80
+                  statusStyle: dot
+              - Email:
+                  icon: sh-roundcube.svg
+                  description: Roundcube
+                  href: https://mail.alexlebens.net
+                  siteMonitor: http://roundcube.roundcube:80
+                  statusStyle: dot
+              - Wiki:
+                  icon: sh-kiwix-light.svg
+                  description: Kiwix
+                  href: https://kiwix.alexlebens.net
+                  siteMonitor: http://kiwix.kiwix:80
+                  statusStyle: dot
+              - Pictures:
+                  icon: sh-photoview.svg
+                  description: Photoview
+                  href: https://photoview.alexlebens.net
+                  siteMonitor: http://photoview.photoview:80
+                  statusStyle: dot
+          - Code:
+              - Code (Public):
+                  icon: sh-gitea.svg
+                  description: Gitea
+                  href: https://gitea.alexlebens.dev
+                  siteMonitor: https://gitea.alexlebens.dev
+                  statusStyle: dot
+              - Code (Local):
+                  icon: sh-gitea.svg
+                  description: Gitea
+                  href: https://gitea.alexlebens.net
+                  siteMonitor: https://gitea.alexlebens.net
+                  statusStyle: dot
+              - Code (ps10rp):
+                  icon: sh-gitea.svg
+                  description: Gitea
+                  href: https://gitea.lebens-home.net
+                  siteMonitor: https://gitea.lebens-home.net
+                  statusStyle: dot
+              - IDE (Public):
+                  icon: sh-visual-studio-code.svg
+                  description: VS Code
+                  href: https://codeserver.alexlebens.dev
+                  siteMonitor: https://codeserver.alexlebens.dev
+                  statusStyle: dot
+              - IDE (Home Assistant):
+                  icon: sh-visual-studio-code.svg
+                  description: Edit config for Home Assistant
+                  href: https://home-assistant-code-server.alexlebens.net
+                  siteMonitor: http://home-assistant-code-server.home-assistant:8443
+                  statusStyle: dot
+              - Continuous Deployment:
+                  icon: sh-argo-cd.svg
+                  description: ArgoCD
+                  href: https://argocd.alexlebens.net
+                  siteMonitor: http://argocd-server.argocd:80
+                  statusStyle: dot
+                  namespace: argocd
+              - Workflows:
+                  icon: sh-argo-cd.svg
+                  description: Argo Workflows
+                  href: https://argo-workflows.alexlebens.net
+                  siteMonitor: http://argo-workflows-server.argo-workflows:2746
+                  statusStyle: dot
+                  namespace: argocd
+              - Deployment:
+                  icon: sh-komodo-light.svg
+                  description: Komodo
+                  href: https://komodo.alexlebens.net
+                  siteMonitor: http://komodo.komodo:80
+                  statusStyle: dot
+                  namespace: komodo
+          - Monitoring:
+              - Kubernetes:
+                  icon: kubernetes.png
+                  description: Headlamp
+                  href: https://headlamp.alexlebens.net
+                  siteMonitor: http://headlamp.headlamp:80
+                  statusStyle: dot
+              - Network Monitoring:
+                  icon: cilium.png
+                  description: Hubble for Cilium
+                  href: https://hubble.alexlebens.net
+                  siteMonitor: http://hubble-ui.kube-system:80
+                  statusStyle: dot
+              - Dashboard:
+                  icon: sh-grafana.svg
+                  description: Grafana
+                  href: https://grafana.alexlebens.net
+                  siteMonitor: http://grafana.grafana:80/api/health
+                  statusStyle: dot
+              - Metrics:
+                  icon: sh-prometheus.svg
+                  description: Prometheus
+                  href: https://prometheus.alexlebens.net
+                  siteMonitor: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090
+                  statusStyle: dot
+                  widget:
+                    type: prometheus
+                    url: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090
+              - Tautulli:
+                  icon: sh-tautulli.svg
+                  description: Plex Monitoring
+                  href: https://tautulli.alexlebens.net
+                  siteMonitor: http://tautulli.tautulli:80
+                  statusStyle: dot
+              - Jellystat:
+                  icon: sh-jellystat.png
+                  description: Jellyfin Monitoring
+                  href: https://jellystat.alexlebens.net
+                  siteMonitor: http://jellystat.jellystat:80
+                  statusStyle: dot
+          - Services:
+              - Auth (Public):
+                  icon: sh-authentik.svg
+                  description: Authentik
+                  href: https://auth.alexlebens.dev
+                  siteMonitor: https://auth.alexlebens.dev
+                  statusStyle: dot
+              - Auth (Local):
+                  icon: sh-authentik.svg
+                  description: Authentik
+                  href: https://authentik.alexlebens.net
+                  siteMonitor: http://authentik-server.authentik:80
+                  statusStyle: dot
+              - Email:
+                  icon: sh-stalwart-mail-server.svg
+                  description: Stalwart
+                  href: https://stalwart.alexlebens.net
+                  siteMonitor: http://stalwart.stalwart:80
+                  statusStyle: dot
+              - Reverse Proxy:
+                  icon: sh-traefik.svg
+                  description: Traefik
+                  href: https://traefik-cl01tl.alexlebens.net/dashboard/#/
+                  siteMonitor: https://traefik-cl01tl.alexlebens.net/dashboard/#/
+                  statusStyle: dot
+                  widget:
+                    type: traefik
+                    url: https://traefik-cl01tl.alexlebens.net
+              - Image Cache:
+                  icon: sh-harbor.svg
+                  description: Harbor
+                  href: https://harbor.alexlebens.net
+                  siteMonitor: http://harbor-portal.harbor:80
+                  statusStyle: dot
+          - Hardware:
+              - Network Management (alexlebens.net):
+                  icon: sh-ubiquiti-unifi.svg
+                  description: Unifi
+                  href: https://unifi.alexlebens.net
+                  siteMonitor: https://unifi.alexlebens.net
+                  statusStyle: dot
+              - Network Attached Storage:
+                  icon: sh-synology-light.svg
+                  description: Synology
+                  href: https://synology.alexlebens.net
+                  siteMonitor: https://synology.alexlebens.net
+                  statusStyle: dot
+                  widget:
+                    type: diskstation
+                    url: https://synology.alexlebens.net
+                    username: {{ "{{HOMEPAGE_VAR_SYNOLOGY_USER}}" }}
+                    password: {{ "{{HOMEPAGE_VAR_SYNOLOGY_PASSWORD}}" }}
+                    volume: volume_2
+              - TV Tuner:
+                  icon: sh-hdhomerun.svg
+                  description: HD Homerun
+                  href: http://hdhr.alexlebens.net
+                  siteMonitor: http://hdhr.alexlebens.net
+                  statusStyle: dot
+                  widget:
+                    type: hdhomerun
+                    url: http://hdhr.alexlebens.net
+                    tuner: 0
+                    fields: ["channels", "hd"]
+              - KVM:
+                  icon: sh-pikvm-light.svg
+                  description: Pi KVM
+                  href: https://pikvm.alexlebens.net
+                  siteMonitor: https://pikvm.alexlebens.net
+                  statusStyle: dot
+          - Storage:
+              - Cluster Storage:
+                  icon: ceph.png
+                  description: Ceph
+                  href: https://ceph.alexlebens.net
+                  siteMonitor: http://rook-ceph-mgr-dashboard.rook-ceph:7000
+                  statusStyle: dot
+              - Database:
+                  icon: sh-pgadmin-light.svg
+                  description: PGAdmin
+                  href: https://pgadmin.alexlebens.net
+                  siteMonitor: http://pgadmin.pgadmin:80
+                  statusStyle: dot
+              - Secrets:
+                  icon: sh-hashicorp-vault.svg
+                  description: Vault
+                  href: https://vault.alexlebens.net
+                  siteMonitor: http://vault.vault:8200
+                  statusStyle: dot
+              - Object Storage (Outline):
+                  icon: sh-minio.svg
+                  description: Minio Tenant
+                  href: https://minio-outline.alexlebens.net
+                  siteMonitor: http://minio-outline-console.outline:9090
+                  statusStyle: dot
+              - Object Storage (Directus):
+                  icon: sh-minio.svg
+                  description: Minio Tenant
+                  href: https://minio-directus.alexlebens.net
+                  siteMonitor: http://minio-directus-console.directus:9090
+                  statusStyle: dot
+          - TV Shows:
+              - Sonarr:
+                  icon: sh-sonarr.svg
+                  description: TV Shows
+                  href: https://sonarr.alexlebens.net
+                  siteMonitor: http://sonarr.sonarr:80
+                  statusStyle: dot
+                  widget:
+                    type: sonarr
+                    url: http://sonarr.sonarr:80
+                    key: {{ "{{HOMEPAGE_VAR_SONARR_KEY}}" }}
+                    fields: ["wanted", "queued", "series"]
+                    enableQueue: false
+              - Sonarr 4K:
+                  icon: sh-sonarr.svg
+                  description: TV Shows 4K
+                  href: https://sonarr-4k.alexlebens.net
+                  siteMonitor: http://sonarr-4k.sonarr-4k:80
+                  statusStyle: dot
+                  widget:
+                    type: sonarr
+                    url: http://sonarr-4k.sonarr-4k:80
+                    key: {{ "{{HOMEPAGE_VAR_SONARR4K_KEY}}" }}
+                    fields: ["wanted", "queued", "series"]
+                    enableQueue: false
+              - Sonarr Anime:
+                  icon: sh-sonarr.svg
+                  description: Anime Shows
+                  href: https://sonarr-anime.alexlebens.net
+                  siteMonitor: http://sonarr-anime.sonarr-anime:80
+                  statusStyle: dot
+                  widget:
+                    type: sonarr
+                    url: http://sonarr-anime.sonarr-anime:80
+                    key: {{ "{{HOMEPAGE_VAR_SONARRANIME_KEY}}" }}
+                    fields: ["wanted", "queued", "series"]
+                    enableQueue: false
+          - Movies:
+              - Radarr:
+                  icon: sh-radarr.svg
+                  description: Movies
+                  href: https://radarr.alexlebens.net
+                  siteMonitor: http://radarr.radarr:80
+                  statusStyle: dot
+                  widget:
+                    type: radarr
+                    url: http://radarr.radarr:80
+                    key: {{ "{{HOMEPAGE_VAR_RADARR_KEY}}" }}
+                    fields: ["wanted", "queued", "movies"]
+                    enableQueue: false
+              - Radarr 4K:
+                  icon: sh-radarr.svg
+                  description: Movies 4K
+                  href: https://radarr-4k.alexlebens.net
+                  siteMonitor: http://radarr-4k.radarr-4k:80
+                  statusStyle: dot
+                  widget:
+                    type: radarr
+                    url: http://radarr-4k.radarr-4k:80
+                    key: {{ "{{HOMEPAGE_VAR_RADARR4K_KEY}}" }}
+                    fields: ["wanted", "queued", "movies"]
+                    enableQueue: false
+              - Radarr Anime:
+                  icon: sh-radarr.svg
+                  description: Anime Movies
+                  href: https://radarr-anime.alexlebens.net
+                  siteMonitor: http://radarr-anime.radarr-anime:80
+                  statusStyle: dot
+                  widget:
+                    type: radarr
+                    url: http://radarr-anime.radarr-anime:80
+                    key: {{ "{{HOMEPAGE_VAR_RADARRANIME_KEY}}" }}
+                    fields: ["wanted", "queued", "movies"]
+                    enableQueue: false
+              - Radarr Stand Up:
+                  icon: sh-radarr.svg
+                  description: Stand Up
+                  href: https://radarr-standup.alexlebens.net
+                  siteMonitor: http://radarr-standup.radarr-standup:80
+                  statusStyle: dot
+                  widget:
+                    type: radarr
+                    url: http://radarr-standup.radarr-standup:80
+                    key: {{ "{{HOMEPAGE_VAR_RADARRSTANDUP_KEY}}" }}
+                    fields: ["wanted", "queued", "movies"]
+                    enableQueue: false
+          - Music:
+              - Lidarr:
+                  icon: sh-lidarr.svg
+                  description: Music
+                  href: https://lidarr.alexlebens.net
+                  siteMonitor: http://lidarr.lidarr:80
+                  statusStyle: dot
+                  widget:
+                    type: lidarr
+                    url: http://lidarr.lidarr:80
+                    key: {{ "{{HOMEPAGE_VAR_LIDARR_KEY}}" }}
+                    fields: ["wanted", "queued", "artists"]
+              - LidaTube:
+                  icon: sh-lidatube.png
+                  description: Searches for Music
+                  href: https://lidatube.alexlebens.net
+                  siteMonitor: http://lidatube.lidatube:80
+                  statusStyle: dot
+          - Services (Servarr):
+              - qBittorrent:
+                  icon: sh-qbittorrent.svg
+                  description: P2P Downloads
+                  href: https://qbittorrent.alexlebens.net
+                  siteMonitor: http://qbittorrent.qbittorrent:8080
+                  statusStyle: dot
+                  widget:
+                    type: qbittorrent
+                    url: http://qbittorrent.qbittorrent:8080
+                    enableLeechProgress: true
+              - Prowlarr:
+                  icon: sh-prowlarr.svg
+                  description: Indexers
+                  href: https://prowlarr.alexlebens.net
+                  siteMonitor: http://prowlarr.prowlarr:80
+                  statusStyle: dot
+              - Soulseek:
+                  icon: sh-slskd.png
+                  description: slskd
+                  href: https://slskd.alexlebens.net
+                  siteMonitor: http://slskd.slskd:5030
+                  statusStyle: dot
+              - CWA Downloader:
+                  icon: sh-calibre.png
+                  description: Calibre Web Automated Book Downloader
+                  href: https://calibre-downloader.alexlebens.net
+                  siteMonitor: http://calibre-web-automated-downloader.calibre-web-automated:8084
+                  statusStyle: dot
+              - Tdarr:
+                  icon: sh-tdarr.png
+                  description: Media transcoding and health checks
+                  href: https://tdarr.alexlebens.net
+                  siteMonitor: http://tdarr-web.tdarr:8265
+                  statusStyle: dot
+                  widget:
+                    type: tdarr
+                    url: http://tdarr-web.tdarr:8265
+          - Other Homes:
+              - Dev:
+                  icon: sh-homepage.png
+                  description: Public Homepage
+                  href: https://home.alexlebens.dev
+                  siteMonitor: https://home.alexlebens.dev
+                  statusStyle: dot
+              - Lebens Home:
+                  icon: sh-homepage.png
+                  description: Lebens Homepage
+                  href: https://home-ps10rp.boreal-beaufort.ts.net
+                  siteMonitor: https://home-ps10rp.boreal-beaufort.ts.net
+                  statusStyle: dot
+        bookmarks.yaml: |
+          - External Services:
+              - Github:
+                  - abbr: GH
+                    href: https://github.com/alexlebens
+              - Renovate:
+                  - abbr: RN
+                    href: https://developer.mend.io/[platform]/alexlebens/infrastructure
+              - Digital Ocean:
+                  - abbr: DO
+                    href: https://www.digitalocean.com/
+              - AWS:
+                  - abbr: AW
+                    href: https://aws.amazon.com/console/
+              - Cloudflare:
+                  - abbr: CF
+                    href: https://dash.cloudflare.com/b76e303258b84076ee01fd0f515c0768
+              - Tailscale:
+                  - abbr: TS
+                    href: https://login.tailscale.com/admin/machines
+              - ProtonVPN:
+                  - abbr: PV
+                    href: https://account.protonvpn.com/
+              - Unifi:
+                  - abbr: UF
+                    href: https://unifi.ui.com/
+              - Pushover:
+                  - abbr: PO
+                    href: https://pushover.net
+              - ReCaptcha:
+                  - abbr: RC
+                    href: https://www.google.com/recaptcha/admin/site/698983587
+          - Trackers:
+              - Torrentleech:
+                  - abbr: TL
+                    href: https://www.torrentleech.org
+              - Avistaz:
+                  - abbr: AV
+                    href: https://avistaz.to
+              - Cinemaz:
+                  - abbr: CM
+                    href: https://cinemaz.to
+              - Cathode Ray Tube:
+                  - abbr: CRT
+                    href: https://www.cathode-ray.tube
+              - Alpha Ratio:
+                  - abbr: AL
+                    href: https://alpharatio.cc/
+              - MV Group:
+                  - abbr: MV
+                    href: https://forums.mvgroup.org
+  service:
+    http:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 3000
+          protocol: HTTP
+  persistence:
+    config:
+      enabled: true
+      type: configMap
+      name: homepage-config
+      advancedMounts:
+        main:
+          main:
+            - path: /app/config/bookmarks.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: bookmarks.yaml
+            - path: /app/config/docker.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: docker.yaml
+            - path: /app/config/kubernetes.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: kubernetes.yaml
+            - path: /app/config/services.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: services.yaml
+            - path: /app/config/settings.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: settings.yaml
+            - path: /app/config/widgets.yaml
+              readOnly: true
+              mountPropagation: None
+              subPath: widgets.yaml

clusters/cl01tl/applications/immich/Chart.yaml

@@ -0,0 +1,31 @@
+apiVersion: v2
+name: immich
+version: 1.0.0
+description: Immich
+keywords:
+  - immich
+  - photos
+home: https://wiki.alexlebens.dev/doc/immich-AVxvAWeWQ5
+sources:
+  - https://github.com/immich-app/immich
+  - https://github.com/valkey-io/valkey
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+  - https://github.com/bitnami/charts/tree/main/bitnami/valkey
+  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: immich
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+  - name: valkey
+    version: 2.4.6
+    repository: oci://harbor.alexlebens.net/proxy-registry-1.docker.io/bitnamicharts
+  - name: postgres-cluster
+    alias: postgres-16-cluster
+    version: 4.2.1
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+icon: https://raw.githubusercontent.com/immich-app/immich/main/design/immich-logo.svg
+appVersion: v1.123.0

clusters/cl01tl/applications/immich/templates/external-secrets.yaml

@@ -0,0 +1,55 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: immich-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: immich-config-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: config
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: immich.json
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/immich/config
+        metadataPolicy: None
+        property: immich.json
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: immich-postgresql-16-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: immich-postgresql-16-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: secret

clusters/cl01tl/applications/immich/templates/http-route.yaml

@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-immich
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-immich
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - immich.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: immich-main
+          port: 2283
+          weight: 100

clusters/cl01tl/applications/immich/templates/persistent-volume-claim.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: immich-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: immich-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: immich-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/applications/immich/templates/persistent-volume.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: immich-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: immich-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage/Immich
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/applications/immich/templates/service-monitor.yaml

@@ -0,0 +1,25 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: immich
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: immich
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: immich
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  endpoints:
+    - port: metrics-api
+      interval: 3m
+      scrapeTimeout: 1m
+      path: /metrics
+    - port: metrics-ms
+      interval: 3m
+      scrapeTimeout: 1m
+      path: /metrics

clusters/cl01tl/applications/immich/values.yaml

@@ -0,0 +1,236 @@
+immich:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/immich-app/immich-server
+            tag: v1.129.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+            - name: IMMICH_TELEMETRY_INCLUDE
+              value: all
+            - name: IMMICH_CONFIG_FILE
+              value: /config/immich.json
+            - name: IMMICH_MACHINE_LEARNING_URL
+              value: http://immich-machine-learning.immich:3003
+            - name: REDIS_HOSTNAME
+              value: immich-valkey-primary
+            - name: DB_VECTOR_EXTENSION
+              value: pgvecto.rs
+            - name: DB_HOSTNAME
+              valueFrom:
+                secretKeyRef:
+                  name: immich-postgresql-16-cluster-app
+                  key: host
+            - name: DB_DATABASE_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: immich-postgresql-16-cluster-app
+                  key: dbname
+            - name: DB_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: immich-postgresql-16-cluster-app
+                  key: port
+            - name: DB_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: immich-postgresql-16-cluster-app
+                  key: user
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: immich-postgresql-16-cluster-app
+                  key: password
+          probes:
+            liveness:
+              enabled: true
+              custom: true
+              spec:
+                httpGet:
+                  path: /api/server/ping
+                  port: 2283
+                initialDelaySeconds: 0
+                periodSeconds: 10
+                timeoutSeconds: 1
+                failureThreshold: 3
+            readiness:
+              enabled: true
+              custom: true
+              spec:
+                httpGet:
+                  path: /api/server/ping
+                  port: 2283
+                initialDelaySeconds: 0
+                periodSeconds: 10
+                timeoutSeconds: 1
+                failureThreshold: 3
+            startup:
+              enabled: true
+              custom: true
+              spec:
+                httpGet:
+                  path: /api/server/ping
+                  port: 2283
+                initialDelaySeconds: 0
+                periodSeconds: 10
+                timeoutSeconds: 1
+                failureThreshold: 30
+          resources:
+            requests:
+              gpu.intel.com/i915: 1
+              cpu: 10m
+              memory: 512Mi
+            limits:
+              gpu.intel.com/i915: 1
+              cpu: 2
+    machine-learning:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/immich-app/immich-machine-learning
+            tag: v1.129.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: TRANSFORMERS_CACHE
+              value: /cache
+          probes:
+            liveness:
+              enabled: true
+              custom: true
+              spec:
+                httpGet:
+                  path: /ping
+                  port: 3003
+                initialDelaySeconds: 0
+                periodSeconds: 10
+                timeoutSeconds: 1
+                failureThreshold: 3
+            readiness:
+              enabled: true
+              custom: true
+              spec:
+                httpGet:
+                  path: /ping
+                  port: 3003
+                initialDelaySeconds: 0
+                periodSeconds: 10
+                timeoutSeconds: 1
+                failureThreshold: 3
+            startup:
+              enabled: false
+          resources:
+            requests:
+              gpu.intel.com/i915: 1
+              cpu: 10m
+              memory: 256Mi
+            limits:
+              gpu.intel.com/i915: 1
+              cpu: 8
+              memory: 10Gi
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 2283
+          targetPort: 2283
+          protocol: TCP
+        metrics-api:
+          port: 8081
+          targetPort: 8081
+          protocol: TCP
+        metrics-ms:
+          port: 8082
+          targetPort: 8082
+          protocol: TCP
+    machine-learning:
+      controller: machine-learning
+      ports:
+        http:
+          port: 3003
+          targetPort: 3003
+          protocol: TCP
+  persistence:
+    config:
+      enabled: true
+      type: secret
+      name: immich-config-secret
+      advancedMounts:
+        main:
+          main:
+            - path: /config/immich.json
+              readOnly: true
+              mountPropagation: None
+              subPath: immich.json
+    media:
+      existingClaim: immich-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /usr/src/app/upload
+              readOnly: false
+    cache:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 10Gi
+      retain: true
+      advancedMounts:
+        machine-learning:
+          main:
+            - path: /cache
+              readOnly: false
+valkey:
+  architecture: standalone
+  auth:
+    enabled: false
+    usePasswordFiles: false
+  primary:
+    persistence:
+      enabled: false
+  replica:
+    persistence:
+      enabled: false
+postgres-16-cluster:
+  # Tensorchord
+  #--- https://github.com/immich-app/immich/discussions/9060
+  #--- https://docs.pgvecto.rs/admin/kubernetes.html
+  #--- https://github.com/tensorchord/cloudnative-pgvecto.rs
+  type: tensorchord
+  mode: standalone
+  cluster:
+    image:
+      repository: ghcr.io/tensorchord/cloudnative-pgvecto.rs
+      tag: 16.3-v0.2.1
+    walStorage:
+      storageClass: local-path
+    storage:
+      storageClass: local-path
+    resources:
+      requests:
+        memory: 384Mi
+        cpu: 200m
+    monitoring:
+      enabled: true
+    postgresql:
+      parameters:
+        shared_buffers: 256MB
+  backup:
+    enabled: true
+    endpointURL: https://nyc3.digitaloceanspaces.com
+    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/immich/immich-postgresql-16-cluster
+    endpointCredentials: immich-postgresql-16-cluster-backup-secret
+    backupIndex: 2

clusters/cl01tl/applications/jellyfin/Chart.yaml

@@ -0,0 +1,27 @@
+apiVersion: v2
+name: jellyfin
+version: 1.0.0
+description: Jellyfin
+keywords:
+  - jellyfin
+  - media
+  - movies
+  - tv shows
+  - books
+  - music
+home: https://wiki.alexlebens.dev/doc/jellyfin-li98lrEiuA
+sources:
+  - https://github.com/jellyfin/jellyfin
+  - https://github.com/jellyfin/jellyfin-vue
+  - https://hub.docker.com/r/jellyfin/jellyfin
+  - https://github.com/jellyfin/jellyfin-vue/pkgs/container/jellyfin-vue
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: jellyfin
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/jellyfin.png
+appVersion: 10.10.3

clusters/cl01tl/applications/jellyfin/templates/external-secret.yaml

@@ -1,15 +1,14 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: gatus-backup-secret-external
+  name: jellyfin-config-backup-secret
-  namespace: gatus
+  namespace: {{ .Release.Namespace }}
   labels:
-    helm.sh/chart: volsync-target-data-0.7.0
+    app.kubernetes.io/name: jellyfin-config-backup-secret
-    app.kubernetes.io/instance: gatus
+    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: gatus
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
-    app.kubernetes.io/version: "0.7.0"
+    app.kubernetes.io/component: backup
-    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: {{ .Release.Name }}
-    app.kubernetes.io/name: gatus-backup-secret-external
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
@@ -19,27 +18,27 @@ spec:
       mergePolicy: Merge
       engineVersion: v2
       data:
-        RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/gatus/gatus"
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/jellyfin/jellyfin-config"
   data:
     - secretKey: BUCKET_ENDPOINT
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /volsync/restic/digital-ocean
+        key: /cl01tl/volsync/restic/config
         metadataPolicy: None
-        property: BUCKET_ENDPOINT
+        property: S3_BUCKET_ENDPOINT
     - secretKey: RESTIC_PASSWORD
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /volsync/restic/digital-ocean
+        key: /cl01tl/volsync/restic/config
         metadataPolicy: None
         property: RESTIC_PASSWORD
     - secretKey: AWS_DEFAULT_REGION
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /digital-ocean/home-infra/volsync-backups
+        key: /cl01tl/volsync/restic/config
         metadataPolicy: None
         property: AWS_DEFAULT_REGION
     - secretKey: AWS_ACCESS_KEY_ID
@@ -48,11 +47,11 @@ spec:
         decodingStrategy: None
         key: /digital-ocean/home-infra/volsync-backups
         metadataPolicy: None
-        property: AWS_ACCESS_KEY_ID
+        property: access_key
     - secretKey: AWS_SECRET_ACCESS_KEY
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
         key: /digital-ocean/home-infra/volsync-backups
         metadataPolicy: None
-        property: AWS_SECRET_ACCESS_KEY
+        property: secret_key

clusters/cl01tl/applications/jellyfin/templates/http-route.yaml

@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-jellyfin
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-jellyfin
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - jellyfin.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: jellyfin
+          port: 80
+          weight: 100

clusters/cl01tl/applications/jellyfin/templates/persistent-volume-claim.yaml

@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: jellyfin-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: jellyfin-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-youtube-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: jellyfin-youtube-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: jellyfin-youtube-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadOnlyMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/applications/jellyfin/templates/persistent-volume.yaml

@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: jellyfin-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: jellyfin-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac
+
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: jellyfin-youtube-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: jellyfin-youtube-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadOnlyMany
+  nfs:
+    path: /volume2/Storage/YouTube
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/applications/jellyfin/templates/replication-source.yaml

@@ -0,0 +1,27 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: jellyfin-config-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: jellyfin-config-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: jellyfin-config
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: jellyfin-config-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/applications/jellyfin/values.yaml

@@ -0,0 +1,70 @@
+jellyfin:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/jellyfin/jellyfin
+            tag: 10.10.6
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+            - name: JELLYFIN_hostwebclient
+              value: true
+            - name: JELLYFIN_PublishedServerUrl
+              value: https://jellyfin.alexlebens.net/
+          resources:
+            requests:
+              gpu.intel.com/i915: 1
+              cpu: 1
+              memory: 2Gi
+            limits:
+              gpu.intel.com/i915: 1
+              cpu: 4
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 8096
+          protocol: HTTP
+  persistence:
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 60Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /config
+              readOnly: false
+    cache:
+      type: emptyDir
+      advancedMounts:
+        main:
+          main:
+            - path: /cache
+              readOnly: false
+    media:
+      existingClaim: jellyfin-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /mnt/store
+              readOnly: false
+    youtube:
+      existingClaim: jellyfin-youtube-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /mnt/youtube
+              readOnly: true

clusters/cl01tl/applications/jellystat/Chart.yaml

@@ -0,0 +1,27 @@
+apiVersion: v2
+name: jellystat
+version: 1.0.0
+description: Jellystat
+keywords:
+  - jellystat
+  - jellyfin
+home: https://wiki.alexlebens.dev/doc/jellystat-0FixP7GqGZ
+sources:
+  - https://github.com/CyferShepard/Jellystat
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://hub.docker.com/r/cyfershepard/jellystat
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: jellystat
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+  - name: postgres-cluster
+    alias: postgres-17-cluster
+    version: 4.2.1
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/jellystat.png
+appVersion: 1.1.1

clusters/cl01tl/applications/jellystat/templates/external-secret.yaml

@@ -0,0 +1,128 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: jellystat-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: jellystat-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: secret-key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/jellystat/auth
+        metadataPolicy: None
+        property: secret-key
+    - secretKey: user
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/jellystat/auth
+        metadataPolicy: None
+        property: user
+    - secretKey: password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/jellystat/auth
+        metadataPolicy: None
+        property: password
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: jellystat-data-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: jellystat-data-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/jellystat/jellystat-data"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: secret_key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: jellystat-postgresql-17-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: jellystat-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: secret

clusters/cl01tl/applications/jellystat/templates/http-route.yaml

@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-jellystat
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-jellystat
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - jellystat.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: jellystat
+          port: 80
+          weight: 100

clusters/cl01tl/applications/jellystat/templates/replication-source.yaml

@@ -0,0 +1,27 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: jellystat-data-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: jellystat-data-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: jellystat-data
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: jellystat-data-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/applications/jellystat/values.yaml

@@ -0,0 +1,97 @@
+jellystat:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: cyfershepard/jellystat
+            tag: 1.1.3
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+            - name: JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: jellystat-secret
+                  key: secret-key
+            - name: JS_USER
+              valueFrom:
+                secretKeyRef:
+                  name: jellystat-secret
+                  key: user
+            - name: JS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: jellystat-secret
+                  key: password
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: jellystat-postgresql-17-cluster-app
+                  key: username
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: jellystat-postgresql-17-cluster-app
+                  key: password
+            - name: POSTGRES_DB
+              valueFrom:
+                secretKeyRef:
+                  name: jellystat-postgresql-17-cluster-app
+                  key: dbname
+            - name: POSTGRES_IP
+              valueFrom:
+                secretKeyRef:
+                  name: jellystat-postgresql-17-cluster-app
+                  key: host
+            - name: POSTGRES_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: jellystat-postgresql-17-cluster-app
+                  key: port
+          resources:
+            requests:
+              cpu: 10m
+              memory: 256Mi
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 3000
+          protocol: HTTP
+  persistence:
+    data:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 5Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /app/backend/backup-data
+              readOnly: false
+postgres-17-cluster:
+  mode: standalone
+  cluster:
+    walStorage:
+      storageClass: local-path
+    storage:
+      storageClass: local-path
+    monitoring:
+      enabled: true
+  backup:
+    enabled: true
+    endpointURL: https://nyc3.digitaloceanspaces.com
+    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/jellystat/jellystat-postgresql-17-cluster
+    endpointCredentials: jellystat-postgresql-17-cluster-backup-secret
+    backupIndex: 2
+    retentionPolicy: "7d"

clusters/cl01tl/applications/kiwix/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: kiwix
+version: 1.0.0
+description: Kiwix
+keywords:
+  - kiwix
+  - wikipedia
+home: https://wiki.alexlebens.dev/doc/kiwix-
+sources:
+  - https://github.com/kiwix
+  - https://github.com/kiwix/kiwix-tools/pkgs/container/kiwix-serve
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: kiwix
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/svg/kiwix-light.svg
+appVersion: 3.7.0

clusters/cl01tl/applications/kiwix/templates/http-route.yaml

@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-kiwix
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-kiwix
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - kiwix.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: kiwix
+          port: 80
+          weight: 100

clusters/cl01tl/applications/kiwix/templates/persistent-volume-claim.yaml

@@ -2,11 +2,13 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: kiwix-nfs-storage
-  namespace: kiwix
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: kiwix-nfs-storage
-    app.kubernetes.io/instance: kiwix
+    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: kiwix
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   volumeName: kiwix-nfs-storage
   storageClassName: nfs-client

clusters/cl01tl/applications/kiwix/templates/persistent-volume.yaml

@@ -2,11 +2,13 @@ apiVersion: v1
 kind: PersistentVolume
 metadata:
   name: kiwix-nfs-storage
-  namespace: kiwix
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: kiwix-nfs-storage
-    app.kubernetes.io/instance: kiwix
+    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: kiwix
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/applications/kiwix/values.yaml

@@ -0,0 +1,40 @@
+kiwix:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/kiwix/kiwix-serve
+            tag: 3.7.0
+            pullPolicy: IfNotPresent
+          args:
+            - '*.zim'
+          env:
+            - name: PORT
+              value: 8080
+          resources:
+            requests:
+              cpu: 50m
+              memory: 512Mi
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 8080
+          protocol: HTTP
+  persistence:
+    media:
+      existingClaim: kiwix-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /data
+              readOnly: true

clusters/cl01tl/applications/libation/Chart.yaml

@@ -0,0 +1,22 @@
+apiVersion: v2
+name: libation
+version: 1.0.0
+description: Libation
+keywords:
+  - libation
+  - audiobooks
+  - audible
+home: https://wiki.alexlebens.dev/doc/libation-bbiuA1SKtu
+sources:
+  - https://github.com/rmcrackan/Libation
+  - https://hub.docker.com/r/rmcrackan/libation
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: libation
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+icon: https://getlibation.com/images/libation-logo.png
+appVersion: 11.6.3

clusters/cl01tl/applications/libation/templates/persistent-volume-claim.yaml

@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: libation-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: libation-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  volumeMode: Filesystem
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: libation-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: libation-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: libation-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/applications/libation/templates/persistent-volume.yaml

@@ -2,11 +2,13 @@ apiVersion: v1
 kind: PersistentVolume
 metadata:
   name: libation-nfs-storage
-  namespace: libation
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: libation-nfs-storage
-    app.kubernetes.io/instance: libation
+    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: libation
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/applications/libation/values.yaml

@@ -0,0 +1,44 @@
+libation:
+  controllers:
+    main:
+      type: cronjob
+      cronjob:
+        suspend: false
+        concurrencyPolicy: Forbid
+        timeZone: US/Central
+        schedule: "0 * * * *"
+        startingDeadlineSeconds: 90
+        successfulJobsHistory: 3
+        failedJobsHistory: 3
+        backoffLimit: 3
+        parallelism: 1
+      containers:
+        main:
+          image:
+            repository: rmcrackan/libation
+            tag: 12.2.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: SLEEP_TIME
+              value: "-1"
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  serviceAccount:
+    create: true
+  persistence:
+    config:
+      existingClaim: libation-config
+      advancedMounts:
+        main:
+          main:
+            - path: /config
+              readOnly: false
+    data:
+      existingClaim: libation-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /data
+              readOnly: false

clusters/cl01tl/applications/lidarr/Chart.yaml

@@ -0,0 +1,30 @@
+apiVersion: v2
+name: lidarr
+version: 1.0.0
+description: Lidarr V2
+keywords:
+  - lidarr
+  - servarr
+  - music
+  - metrics
+home: https://wiki.alexlebens.dev/doc/lidarr-BIqpxux60p
+sources:
+  - https://github.com/Lidarr/Lidarr
+  - https://github.com/linuxserver/docker-lidarr
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://github.com/onedr0p/exportarr/pkgs/container/exportarr
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: lidarr
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+  - name: postgres-cluster
+    alias: postgres-17-cluster
+    version: 4.2.1
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/lidarr.png
+appVersion: 2.8.2

clusters/cl01tl/applications/lidarr/templates/external-secret.yaml

@@ -0,0 +1,89 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: lidarr-config-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: lidarr-config-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/lidarr2/lidarr2-config"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: secret_key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: lidarr-postgresql-17-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: lidarr-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: secret

clusters/cl01tl/applications/lidarr/templates/http-route.yaml

@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-lidarr
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-lidarr
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - lidarr.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: lidarr
+          port: 80
+          weight: 100

clusters/cl01tl/applications/lidarr/templates/persistent-volume-claim.yaml

@@ -2,11 +2,13 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: lidarr-nfs-storage
-  namespace: lidarr
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: lidarr-nfs-storage
-    app.kubernetes.io/instance: lidarr
+    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: lidarr
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   volumeName: lidarr-nfs-storage
   storageClassName: nfs-client

clusters/cl01tl/applications/lidarr/templates/persistent-volume.yaml

@@ -2,11 +2,13 @@ apiVersion: v1
 kind: PersistentVolume
 metadata:
   name: lidarr-nfs-storage
-  namespace: lidarr
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: lidarr-nfs-storage
-    app.kubernetes.io/instance: lidarr
+    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: lidarr
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/applications/lidarr/templates/prometheus-rule.yaml

@@ -2,18 +2,21 @@ apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
   name: lidarr
-  namespace: lidarr
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: lidarr
-    app.kubernetes.io/instance: lidarr
+    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: lidarr
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   groups:
     - name: lidarr
       rules:
         - alert: ExportarrAbsent
           annotations:
-            description: Lidarr Exportarr has disappeared from Prometheus service discovery.
+            description: Lidarr Exportarr has disappeared from Prometheus
+              service discovery.
             summary: Exportarr is down.
           expr: |
             absent(up{job=~".*lidarr.*"} == 1)

clusters/cl01tl/applications/lidarr/templates/replication-source.yaml

@@ -0,0 +1,30 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: lidarr-config-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: lidarr-config-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: lidarr-config
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: lidarr-config-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    moverSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/applications/lidarr/templates/service-monitor.yaml

@@ -0,0 +1,21 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: lidarr
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: lidarr
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: lidarr
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  endpoints:
+    - port: metrics
+      interval: 3m
+      scrapeTimeout: 1m
+      path: /metrics

clusters/cl01tl/applications/lidarr/values.yaml

@@ -0,0 +1,129 @@
+lidarr:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      pod:
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 1000
+          fsGroup: 1000
+          fsGroupChangePolicy: OnRootMismatch
+      containers:
+        main:
+          image:
+            repository: ghcr.io/linuxserver/lidarr
+            tag: version-2.8.2.4493@sha256:108ecf0fcbd8f77b6e8a513be6f3446feb47666dd1b45ea360569e9aac0960e4
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+            - name: PUID
+              value: 1000
+            - name: PGID
+              value: 1000
+          probes:
+            liveness:
+              enabled: true
+              custom: true
+              spec:
+                exec:
+                  command:
+                  - /usr/bin/env
+                  - bash
+                  - -c
+                  - curl --fail localhost:8686/api/v1/system/status?apiKey=`IFS=\> && while
+                    read -d \< E C; do if [[ $E = "ApiKey" ]]; then echo $C; fi; done < /config/config.xml`
+                failureThreshold: 5
+                initialDelaySeconds: 60
+                periodSeconds: 10
+                successThreshold: 1
+                timeoutSeconds: 10
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+        metrics:
+          image:
+            repository: ghcr.io/onedr0p/exportarr
+            tag: v2.0.1
+            pullPolicy: IfNotPresent
+          args: ["lidarr"]
+          env:
+            - name: URL
+              value: http://localhost
+            - name: CONFIG
+              value: /config/config.xml
+            - name: PORT
+              value: 9792
+            - name: ENABLE_ADDITIONAL_METRICS
+              value: false
+            - name: ENABLE_UNKNOWN_QUEUE_ITEMS
+              value: false
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 8686
+          protocol: HTTP
+        metrics:
+          port: 9792
+          targetPort: 9792
+          protocol: TCP
+  persistence:
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 10Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /config
+              readOnly: false
+          metrics:
+            - path: /config
+              readOnly: true
+    media:
+      existingClaim: lidarr-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /mnt/store
+              readOnly: false
+postgres-17-cluster:
+  nameOverride: lidarr2-postgresql-17
+  mode: standalone
+  cluster:
+    walStorage:
+      storageClass: local-path
+    storage:
+      storageClass: local-path
+    resources:
+      requests:
+        memory: 1Gi
+        cpu: 200m
+    monitoring:
+      enabled: true
+  bootstrap:
+    initdb:
+      postInitSQL:
+        - CREATE DATABASE "lidarr-main" OWNER "app";
+        - CREATE DATABASE "lidarr-log" OWNER "app";
+  backup:
+    enabled: true
+    endpointURL: https://nyc3.digitaloceanspaces.com
+    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/lidarr2/lidarr2-postgresql-17-cluster
+    endpointCredentials: lidarr-postgresql-17-cluster-backup-secret
+    backupIndex: 3
+    retentionPolicy: "7d"

clusters/cl01tl/applications/lidatube/Chart.yaml

@@ -0,0 +1,22 @@
+apiVersion: v2
+name: lidatube
+version: 1.0.0
+description: LidaTube
+keywords:
+  - lidatube
+  - music
+  - yt-dlp
+home: https://wiki.alexlebens.dev/doc/lidatube-Rm5ioxwcaS
+sources:
+  - https://github.com/TheWicklowWolf/LidaTube
+  - https://registry.hub.docker.com/r/thewicklowwolf/lidatube
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: lidatube
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+icon: https://raw.githubusercontent.com/TheWicklowWolf/LidaTube/main/src/static/lidatube.png
+appVersion: 0.2.9

clusters/cl01tl/applications/lidatube/templates/external-secret.yaml

@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: lidatube-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: lidatube-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: lidarr_api_key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/lidarr2/key
+        metadataPolicy: None
+        property: key

clusters/cl01tl/applications/lidatube/templates/http-route.yaml

@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-lidatube
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-lidatube
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - lidatube.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: lidatube
+          port: 80
+          weight: 100

clusters/cl01tl/applications/lidatube/templates/persistent-volume-claim.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: lidatube-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: lidatube-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: lidatube-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/applications/lidatube/templates/persistent-volume.yaml

@@ -1,12 +1,14 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: navidrome-music-nfs-storage
+  name: lidatube-nfs-storage
-  namespace: navidrome
+  namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: navidrome-music-nfs-storage
+    app.kubernetes.io/name: lidatube-nfs-storage
-    app.kubernetes.io/instance: navidrome
+    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: navidrome
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/applications/lidatube/values.yaml

@@ -0,0 +1,67 @@
+lidatube:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      pod:
+        securityContext:
+          fsGroup: 1000
+          fsGroupChangePolicy: OnRootMismatch
+      containers:
+        main:
+          image:
+            repository: thewicklowwolf/lidatube
+            tag: 0.2.16
+            pullPolicy: IfNotPresent
+          env:
+            - name: PUID
+              value: 1000
+            - name: PGID
+              value: 1000
+            - name: lidarr_address
+              value: http://lidarr.lidarr:80
+            - name: lidarr_api_key
+              valueFrom:
+                secretKeyRef:
+                  name: lidatube-secret
+                  key: lidarr_api_key
+            - name: sleep_interval
+              value: 360
+            - name: sync_schedule
+              value: 4
+            - name: attempt_lidarr_import
+              value: true
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 5000
+          protocol: HTTP
+  persistence:
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 5Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /lidatube/config
+              readOnly: false
+    music:
+      existingClaim: lidatube-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /lidatube/downloads
+              readOnly: false

clusters/cl01tl/applications/outline/Chart.yaml

@@ -0,0 +1,49 @@
+apiVersion: v2
+name: outline
+version: 1.0.0
+description: Outline
+keywords:
+  - outline
+  - wiki
+  - documentation
+home: https://wiki.alexlebens.dev/doc/outline-JOaS8Mn0Bt
+sources:
+  - https://github.com/outline/outline
+  - https://github.com/minio/operator
+  - https://github.com/valkey-io/valkey
+  - https://github.com/cloudflare/cloudflared
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://hub.docker.com/r/outlinewiki/outline
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+  - https://github.com/minio/operator/tree/master/helm/tenant
+  - https://github.com/bitnami/charts/tree/main/bitnami/valkey
+  - https://github.com/alexlebens/helm-charts/charts/cloudflared
+  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: outline
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.7.3
+  - name: tenant
+    alias: minio
+    version: 7.0.1
+    repository: https://operator.min.io/
+  - name: valkey
+    version: 2.4.6
+    repository: oci://harbor.alexlebens.net/proxy-registry-1.docker.io/bitnamicharts
+  - name: cloudflared
+    alias: cloudflared-outline
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+    version: 1.14.3
+  - name: cloudflared
+    alias: cloudflared-minio
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+    version: 1.14.3
+  - name: postgres-cluster
+    alias: postgres-17-cluster
+    version: 4.2.1
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/outline.png
+appVersion: 0.81.1

clusters/cl01tl/applications/outline/templates/external-secret.yaml

@@ -0,0 +1,226 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: outline-key-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: secret-key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/outline/key
+        metadataPolicy: None
+        property: secret-key
+    - secretKey: utils-key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/outline/key
+        metadataPolicy: None
+        property: utils-key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: outline-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: client
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/outline
+        metadataPolicy: None
+        property: client
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/outline
+        metadataPolicy: None
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: outline-minio-user-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline-minio-user-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/outline/minio/auth
+        metadataPolicy: None
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/outline/minio/auth
+        metadataPolicy: None
+        property: AWS_SECRET_ACCESS_KEY
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: outline-minio-root-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline-minio-root-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: config.env
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/outline/minio/config
+        metadataPolicy: None
+        property: root-config.env
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: outline-minio-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline-minio-config-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: config.env
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/outline/minio/config
+        metadataPolicy: None
+        property: config.env
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: outline-cloudflared-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/outline
+        metadataPolicy: None
+        property: token
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: outline-minio-cloudflared-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/outline-minio
+        metadataPolicy: None
+        property: token
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: outline-postgresql-17-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: secret

clusters/cl01tl/applications/outline/templates/http-route.yaml

@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-outline-minio
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-outline-minio
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - minio-outline.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: minio-outline-console
+          port: 9090
+          weight: 100