chore(deps): update immich to v2.7.5

.gitea/workflows/lint-test-helm.yaml

@@ -169,10 +169,9 @@ jobs:
 
           echo ">> Running linting on changed charts ..."
 
-          lint_chart() {
+          for DIR in ${CHANGED_CHARTS}; do
-            local DIR="$1"
+            CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
-            local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
+            CHART_NAME=$(basename "${CHART_PATH}")
-            local CHART_NAME=$(basename "${CHART_PATH}")
 
             if [ -f "${CHART_PATH}/Chart.yaml" ]; then
               echo ""
@@ -183,8 +182,15 @@ jobs:
               echo ">> Linting helm chart ${CHART_NAME} ..."
 
               if ! helm lint "${CHART_PATH}" --namespace "default"; then
-                echo "${DIR}" > ".failed_chart_${CHART_NAME}"
+                EXIT_CODE=1
-                return 1
+
+                if [ -z "${FAILED_CHARTS}" ]; then
+                  FAILED_CHARTS="${DIR}"
+
+                else
+                  FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
+
+                fi
               fi
 
             else
@@ -192,20 +198,8 @@ jobs:
               echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
 
             fi
-          }
 
-          export -f lint_chart
+          done
-          export CLUSTER
-
-          for DIR in ${CHANGED_CHARTS}; do
-            echo "${DIR}"
-          done | xargs -P 4 -I {} bash -c 'OUT=$(lint_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
-
-          if ls .failed_chart_* 1> /dev/null 2>&1; then
-            EXIT_CODE=1
-            FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
-            rm -f .failed_chart_*
-          fi
 
           echo ""
           echo "----"
@@ -335,9 +329,8 @@ jobs:
           EXIT_CODE=0
           FAILED_CHARTS=""
 
-          validate_chart() {
+          for DIR in ${CHANGED_CHARTS}; do
-            local DIR="$1"
+            CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
-            local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
             echo ""
             echo ">> Validating: ${DIR}"
 
@@ -350,23 +343,18 @@ jobs:
                 -strict \
                 -summary; then
 
-              echo "${DIR}" > ".failed_chart_${DIR}"
+              EXIT_CODE=1
-              return 1
+
+              if [ -z "${FAILED_CHARTS}" ]; then
+                FAILED_CHARTS="${DIR}"
+
+              else
+                FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
+
+              fi
             fi
-          }
 
-          export -f validate_chart
+          done
-          export CLUSTER SCHEMA_LOCATIONS
-
-          for DIR in ${CHANGED_CHARTS}; do
-            echo "${DIR}"
-          done | xargs -P 4 -I {} bash -c 'OUT=$(validate_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
-
-          if ls .failed_chart_* 1> /dev/null 2>&1; then
-            EXIT_CODE=1
-            FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
-            rm -f .failed_chart_*
-          fi
 
           echo ""
           echo "----"
@@ -494,7 +482,6 @@ jobs:
   #           echo ">> Render templates for ${APP_NAME} ..."
   #           CHART_PATH="clusters/${CLUSTER}/helm/${APP_NAME}"
   #           OUTPUT_FOLDER="clusters/${CLUSTER}/manifests/${APP_NAME}/"
-  #           mkdir -p "${OUTPUT_FOLDER}"
 
   #           helm dependency build "${CHART_PATH}" --skip-refresh
 
@@ -512,7 +499,7 @@ jobs:
   #               echo ">> Standard Rendering ..."
   #           esac
 
-  #           TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
+  #           TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --include-crds --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
 
   #           # Format and split rendered template
   #           echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
@@ -539,38 +526,29 @@ jobs:
   #       run: |
   #         FAILED_CHARTS=""
   #         DIFF_FOUND="false"
-  #         EXIT_CODE=0
 
   #         for APP_NAME in ${CHANGED_CHARTS}; do
   #           echo ">> Running argocd app diff for ${APP_NAME} ..."
-  #           if ! argocd app diff "${APP_NAME}" \
+  #           argocd app diff "${APP_NAME}" \
   #             --server "${ARGOCD_SERVER}" \
-  #             --auth-token "${ARGOCD_AUTH_TOKEN}" \
+  #             --revision ${{ gitea.sha }} \
-  #             --revision ${{ github.sha }} \
+  #             --diff-exit-code 0 \
   #             --local "clusters/${CLUSTER}/manifests/${APP_NAME}" \
   #             --local-repo-root "." \
-  #             --grpc-web > "diff_output_${APP_NAME}.txt" 2>&1; then
+  #             --grpc-web > "diff_output_${APP_NAME}.txt"
-
-  #             # ArgoCD diff returns non-zero on diff or error.
-  #             # Let's capture if it actually generated a diff output to post.
-  #             DIFF_FOUND="true"
-
-  #             # Check if the output contains validation/connection errors
-  #             if grep -iE 'error|failed|connection refused|timeout' "diff_output_${APP_NAME}.txt"; then
-  #                echo ">> ArgoCD encountered an error validating ${APP_NAME}!"
-  #                EXIT_CODE=1
-  #                FAILED_CHARTS="${FAILED_CHARTS} ${APP_NAME}"
-  #             fi
-  #           fi
 
   #           if [ -s "diff_output_${APP_NAME}.txt" ]; then
-  #             echo ">> Argo diff or errors:"
+  #             echo ">> Argo diff:"
   #             echo ""
   #             cat diff_output_${APP_NAME}.txt
   #             echo ""
+
+  #             DIFF_FOUND="true"
+
   #           else
   #             echo ">> No Argo diff found for ${APP_NAME}"
   #             rm "diff_output_${APP_NAME}.txt"
+
   #           fi
   #         done
 
@@ -578,13 +556,13 @@ jobs:
   #         echo "diff-detected=${DIFF_FOUND}" >> "$GITHUB_OUTPUT"
   #         echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
 
-  #         exit $EXIT_CODE
+  #         exit $OVERALL_EXIT_CODE
 
   #     - name: Post Diff
   #       if: |
   #         always() &&
   #         steps.diff.outputs.diff-detected == 'true' &&
-  #         github.event.pull_request.number != null
+  #         gitea.event.pull_request.number != null
   #       env:
   #         GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
   #       run: |
@@ -610,7 +588,7 @@ jobs:
   #         done
 
   #         curl -X 'POST' \
-  #           "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
+  #           "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/issues/${{ gitea.event.pull_request.number }}/comments" \
   #           -H "Authorization: token ${GITEA_TOKEN}" \
   #           -H "Content-Type: application/json" \
   #           -d "$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')"

.gitea/workflows/renovate.yaml

@@ -12,8 +12,8 @@ on:
 
 jobs:
   renovate:
-    runs-on: ubuntu-js
+    runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.181.1@sha256:1fe2e881665aa6f33670d0f78e70113e3b5e924e573da9c003827acb0990159c
+    container: ghcr.io/renovatebot/renovate:43.113.0@sha256:9dd3f426078a6ce9461c87264e4bcd1853698dc5ebb594fe5fab1f0afd25ef9b
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

clusters/cl01tl/helm/actual/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 5.0.1
+  version: 4.6.2
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.0.0
+  version: 0.8.0
-digest: sha256:cefbc682239406e67d7f05887c9155742d7566f1ebe0b303dd3b160f1b28aa49
+digest: sha256:ff81b3d8fc831e4b8048f646fffcf597aa7410e52ecf27690eab8104047dbe6f
-generated: "2026-05-15T00:28:22.250508809Z"
+generated: "2026-03-06T01:04:41.514235218Z"

clusters/cl01tl/helm/actual/Chart.yaml

@@ -17,11 +17,11 @@ dependencies:
   - name: app-template
     alias: actual
     repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 5.0.1
+    version: 4.6.2
   - name: volsync-target
     alias: volsync-target-data
-    version: 2.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
 # renovate: datasource=github-releases depName=actualbudget/actual
-appVersion: 26.5.2
+appVersion: 26.4.0

clusters/cl01tl/helm/actual/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/actual/values.yaml

@@ -8,7 +8,7 @@ actual:
         main:
           image:
             repository: ghcr.io/actualbudget/actual
-            tag: 26.5.2@sha256:1aeeb3985db55556e716dec25e08f6ce09308c2571b65cddbc6746ee6d5e0d45
+            tag: 26.4.0@sha256:b0e732e2c41b3dc468a71548e88ef76d3f0c157fc43d15fa05d14ec1c5747e1e
           env:
             - name: ACTUAL_PORT
               value: 5006
@@ -75,7 +75,7 @@ volsync-target-data:
     schedule: 0 8 * * *
   remote:
     enabled: true
-    schedule: 0 10 * * 0
+    schedule: 0 9 * * *
   external:
     enabled: true
-    schedule: 0 9 * * 0
+    schedule: 0 10 * * *

clusters/cl01tl/helm/argocd/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 9.5.14
+  version: 9.5.0
-digest: sha256:5cae964bb988089467bc5c46badbe33b67f64abd039f5961e66e412a5c7004a7
+digest: sha256:69daada0822f796cd49eeda2d9e39dd5c0c42bb61b6898af68123c8c49f25fa1
-generated: "2026-05-13T17:58:34.736881783Z"
+generated: "2026-04-08T22:05:49.003208408Z"

clusters/cl01tl/helm/argocd/Chart.yaml

@@ -13,8 +13,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-cd
-    version: 9.5.14
+    version: 9.5.0
     repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-cd
-appVersion: v3.4.2
+appVersion: v3.3.6

clusters/cl01tl/helm/argocd/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/argocd/templates/external-secret.yaml

@@ -1,40 +1,70 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-oidc-authentik
+  name: argocd-oidc-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: argocd-oidc-authentik
+    app.kubernetes.io/name: argocd-oidc-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: secret
       remoteRef:
-        key: /cl01tl/authentik/oidc/argocd
+        key: /authentik/oidc/argocd
         property: secret
     - secretKey: client
       remoteRef:
-        key: /cl01tl/authentik/oidc/argocd
+        key: /authentik/oidc/argocd
         property: client
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-notifications-ntfy
+  name: argocd-notifications-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: argocd-notifications-ntfy
+    app.kubernetes.io/name: argocd-notifications-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: ntfy-token
       remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
+        key: /ntfy/user/cl01tl
         property: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: argocd-gitea-repo-infrastructure-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: type
+      remoteRef:
+        key: /cl01tl/argocd/credentials/repo/infrastructure
+        property: type
+    - secretKey: url
+      remoteRef:
+        key: /cl01tl/argocd/credentials/repo/infrastructure
+        property: url
+    - secretKey: sshPrivateKey
+      remoteRef:
+        key: /cl01tl/argocd/credentials/repo/infrastructure
+        property: sshPrivateKey

clusters/cl01tl/helm/argocd/templates/prometheus-rule.yaml

@@ -1,108 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
-  name: haproxy
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: haproxy
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  groups:
-    - name: EmbeddedExporter
-      rules:
-        - alert: HAProxyHighHTTP4xxErrorRateBackend
-          expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy high HTTP 4xx error rate backend (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many HTTP requests with status 4xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyHighHTTP5xxErrorRateBackend
-          expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy high HTTP 5xx error rate backend (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many HTTP requests with status 5xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyHighHTTP4xxErrorRateServer
-          expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy high HTTP 4xx error rate server (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many HTTP requests with status 4xx (> 5%) on server {{ `{{ $labels.server }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyHighHTTP5xxErrorRateServer
-          expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy high HTTP 5xx error rate server (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many HTTP requests with status 5xx (> 5%) on server {{ `{{ $labels.server }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyServerResponseErrors
-          expr: (sum by (server) (rate(haproxy_server_response_errors_total[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100 > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy server response errors (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many response errors to {{ `{{ $labels.server }}` }} server (> 5%).\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyBackendConnectionErrors
-          expr: (sum by (proxy) (rate(haproxy_backend_connection_errors_total[1m]))) > 100
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy backend connection errors (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} backend (> 100 req/s). Request throughput may be too high.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyServerConnectionErrors
-          expr: (sum by (proxy) (rate(haproxy_server_connection_errors_total[1m]))) > 100
-          for: 0m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy server connection errors (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} (> 100 req/s). Request throughput may be too high.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyBackendMaxActiveSession>80%
-          expr: (haproxy_backend_current_sessions / haproxy_backend_limit_sessions * 100) > 80 and haproxy_backend_limit_sessions > 0
-          for: 2m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy backend max active session > 80% (instance {{ `{{ $labels.instance }}` }})
-            description: "Session limit from backend {{ `{{ $labels.proxy }}` }} reached 80% of limit - {{ `{{ $value | printf \"%.2f\"}}` }}%\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyPendingRequests
-          expr: sum by (proxy) (haproxy_backend_current_queue) > 0
-          for: 2m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy pending requests (instance {{ `{{ $labels.instance }}` }})
-            description: "Some HAProxy requests are pending on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyRetryHigh
-          expr: sum by (proxy) (rate(haproxy_backend_retry_warnings_total[1m])) > 10
-          for: 2m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy retry high (instance {{ `{{ $labels.instance }}` }})
-            description: "High rate of retry on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyFrontendSecurityBlockedRequests
-          expr: sum by (proxy) (rate(haproxy_frontend_denied_connections_total[2m])) > 10
-          for: 2m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy frontend security blocked requests (instance {{ `{{ $labels.instance }}` }})
-            description: "HAProxy is blocking requests for security reason\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyServerHealthcheckFailure
-          expr: increase(haproxy_server_check_failures_total[1m]) > 2
-          for: 0m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy server healthcheck failure (instance {{ `{{ $labels.instance }}` }})
-            description: "Some server healthcheck are failing on {{ `{{ $labels.server }}` }} ({{ `{{ $value }}` }} in the last 1m)\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"

clusters/cl01tl/helm/argocd/values.yaml

@@ -13,8 +13,8 @@ argo-cd:
         connectors:
         - config:
             issuer: https://authentik.alexlebens.net/application/o/argocd/
-            clientID: $argocd-oidc-authentik:client
+            clientID: $argocd-oidc-secret:client
-            clientSecret: $argocd-oidc-authentik:secret
+            clientSecret: $argocd-oidc-secret:secret
             insecureEnableGroups: true
             scopes:
               - openid
@@ -91,7 +91,7 @@ argo-cd:
     enabled: true
     image:
       repository: redis
-      tag: 8.6.3-alpine@sha256:69f2c586c8a7e9cce4ae1ee9bbaf60bc4bb5f4bb3880e4ed022b1fd758a7cab9
+      tag: 8.6.2-alpine@sha256:81b6f81d6a6c5b9019231a2e8eb10085e3a139a34f833dcc965a8a959b040b72
     persistentVolume:
       enabled: true
     redis:
@@ -103,7 +103,7 @@ argo-cd:
       enabled: true
       image:
         repository: haproxy
-        tag: 3.3.10-alpine@sha256:3201152205e9d02557ab3c8ecfcf0d378126eec0a5d1b0950ea22af31ee10bf2
+        tag: 3.3.6-alpine@sha256:744be2dca649a44d490a4c565d36968d19482dd387f1bdd44c168f4322bc6b1e
       resources:
         requests:
           cpu: 5m
@@ -205,7 +205,7 @@ argo-cd:
     argocdUrl: https://argocd.alexlebens.net
     secret:
       create: false
-      name: argocd-notifications-ntfy
+      name: argocd-notifications-secret
     metrics:
       enabled: true
       serviceMonitor:

clusters/cl01tl/helm/audiobookshelf/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 5.0.1
+  version: 4.6.2
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.0.0
+  version: 0.8.0
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.0.0
+  version: 0.8.0
-digest: sha256:1301152734c6f4df67089c4076875022ecafc466c308dc994f4333917c3d8622
+digest: sha256:7ee4cfdf7f908401c39b3cda0cf8783b25dcb9cf93e7c911609bab9e303ec5bf
-generated: "2026-05-15T00:28:34.959229494Z"
+generated: "2026-03-06T01:05:03.534042627Z"

clusters/cl01tl/helm/audiobookshelf/Chart.yaml

@@ -21,15 +21,15 @@ dependencies:
   - name: app-template
     alias: audiobookshelf
     repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 5.0.1
+    version: 4.6.2
   - name: volsync-target
     alias: volsync-target-config
-    version: 2.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: volsync-target
     alias: volsync-target-metadata
-    version: 2.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 # renovate: datasource=github-releases depName=advplyr/audiobookshelf
-appVersion: 2.34.0
+appVersion: 2.33.1

clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl

@@ -1,27 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.booksNfsName" -}}
-audiobookshelf-books-nfs-storage
-{{- end -}}
-{{- define "custom.audiobooksNfsName" -}}
-audiobookshelf-audiobooks-nfs-storage
-{{- end -}}
-{{- define "custom.podcastsNfsName" -}}
-audiobookshelf-podcasts-nfs-storage
-{{- end -}}

clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml

@@ -1,27 +1,18 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: audiobookshelf-config-apprise
+  name: audiobookshelf-apprise-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-config-apprise
+    app.kubernetes.io/name: audiobookshelf-apprise-config
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        ntfy-url: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}"
   data:
-    - secretKey: endpoint
+    - secretKey: ntfy-url
       remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
+        key: /cl01tl/audiobookshelf/apprise
-        property: internal-endpoint-credential
+        property: ntfy-url
-    - secretKey: topic
-      remoteRef:
-        key: /cl01tl/ntfy/topics
-        property: audiobookshelf

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml

@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.booksNfsName" . }}
+  name: audiobookshelf-books-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
-    {{ include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.booksNfsName" . }}
+  volumeName: audiobookshelf-books-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.audiobooksNfsName" . }}
+  name: audiobookshelf-audiobooks-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.audiobooksNfsName" . }}
+  volumeName: audiobookshelf-audiobooks-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -37,13 +39,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.podcastsNfsName" . }}
+  name: audiobookshelf-podcasts-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.podcastsNfsName" . }}
+  volumeName: audiobookshelf-podcasts-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml

@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.booksNfsName" . }}
+  name: audiobookshelf-books-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.audiobooksNfsName" . }}
+  name: audiobookshelf-audiobooks-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -49,11 +51,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.podcastsNfsName" . }}
+  name: audiobookshelf-podcasts-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/audiobookshelf/values.yaml

@@ -12,7 +12,7 @@ audiobookshelf:
         main:
           image:
             repository: ghcr.io/advplyr/audiobookshelf
-            tag: 2.34.0@sha256:4143292c530f6ac6700afd13360c04f477e4f1a81c1c97c4224b1c7e4330c5c4
+            tag: 2.33.1@sha256:a4a5841bba093d81e5f4ad1eaedb4da3fda6dbb2528c552349da50ad1f7ae708
           env:
             - name: TZ
               value: America/Chicago
@@ -23,7 +23,7 @@ audiobookshelf:
         apprise-api:
           image:
             repository: ghcr.io/caronc/apprise
-            tag: v1.4.1@sha256:25e0577915c2f06233ae1dce077f05c0fc9ba4f0ea89de5aee18a32b2ee9a75c
+            tag: v1.3.3@sha256:4bfeac268ba87b8e08e308c9aa0182fe99e9501ec464027afc333d1634e65977
           env:
             - name: TZ
               value: America/Chicago
@@ -40,7 +40,7 @@ audiobookshelf:
             - name: APPRISE_STATELESS_URLS
               valueFrom:
                 secretKeyRef:
-                  name: audiobookshelf-config-apprise
+                  name: audiobookshelf-apprise-config
                   key: ntfy-url
   service:
     main:
@@ -129,21 +129,21 @@ volsync-target-config:
   pvcTarget: audiobookshelf-config
   local:
     enabled: true
-    schedule: 5 8 * * *
+    schedule: 2 8 * * *
   remote:
     enabled: true
-    schedule: 5 10 * * 0
+    schedule: 2 9 * * *
   external:
     enabled: true
-    schedule: 5 9 * * 0
+    schedule: 2 10 * * *
 volsync-target-metadata:
   pvcTarget: audiobookshelf-metadata
   local:
     enabled: true
-    schedule: 10 8 * * *
+    schedule: 4 8 * * *
   remote:
     enabled: true
-    schedule: 10 10 * * 0
+    schedule: 4 9 * * *
   external:
     enabled: true
-    schedule: 10 9 * * 0
+    schedule: 4 10 * * *

clusters/cl01tl/helm/authentik/Chart.lock

@@ -1,15 +1,15 @@
 dependencies:
 - name: authentik
   repository: https://charts.goauthentik.io/
-  version: 2026.2.3
+  version: 2026.2.2
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 3.3.0
+  version: 2.5.0
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.12.1
+  version: 7.11.2
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
+  version: 0.6.1
-digest: sha256:cb3b3745cbfc4ef138a43fb617e27022a220acee177a30ca02e4f78509ca5c3f
+digest: sha256:22fe4d9ec592aa74cbff5596e8d900f607bd68ea14c7df70a94b4ef76727614d
-generated: "2026-05-14T14:04:28.583181759Z"
+generated: "2026-04-13T20:32:12.748342469Z"

clusters/cl01tl/helm/authentik/Chart.yaml

@@ -18,18 +18,18 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: authentik
-    version: 2026.2.3
+    version: 2026.2.2
     repository: https://charts.goauthentik.io/
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 3.3.0
+    version: 2.5.0
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 7.12.1
+    version: 7.11.2
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: valkey
     alias: valkey
-    version: 0.8.0
+    version: 0.6.1
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
 # renovate: datasource=github-releases depName=goauthentik/authentik

clusters/cl01tl/helm/authentik/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/authentik/templates/external-secret.yaml

@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: authentik-key
+  name: authentik-key-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: authentik-key
+    app.kubernetes.io/name: authentik-key-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: key
       remoteRef:

clusters/cl01tl/helm/authentik/templates/ingress.yaml

@@ -1,11 +1,12 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ .Release.Name }}-tailscale
+  name: authentik-tailscale
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
+    app.kubernetes.io/name: authentik-tailscale
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
     tailscale.com/proxy-class: no-metrics
   annotations:
     tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
@@ -25,4 +26,4 @@ spec:
               service:
                 name: authentik-server
                 port:
-                  name: http
+                  number: 80

clusters/cl01tl/helm/authentik/templates/reference-grant.yaml

@@ -5,7 +5,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: allow-outpost-cross-namespace-access
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   from:
     - group: gateway.networking.k8s.io

clusters/cl01tl/helm/authentik/values.yaml

@@ -4,7 +4,7 @@ authentik:
       - name: AUTHENTIK_SECRET_KEY
         valueFrom:
           secretKeyRef:
-            name: authentik-key
+            name: authentik-key-secret
             key: key
       - name: AUTHENTIK_POSTGRESQL__HOST
         valueFrom:

clusters/cl01tl/helm/backrest/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 5.0.1
+  version: 4.6.2
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.0.0
+  version: 0.8.0
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.0.0
+  version: 0.8.0
-digest: sha256:099e7a9792fceb0cbce4c13e997c5029af39807da6e5c9825a1a042b785e0887
+digest: sha256:f203538010828e77336f3cf39451a1072c90aeb8ece7c173a3476c49883b46d1
-generated: "2026-05-15T00:28:48.302596135Z"
+generated: "2026-03-06T01:05:24.935421139Z"

clusters/cl01tl/helm/backrest/Chart.yaml

@@ -17,15 +17,15 @@ dependencies:
   - name: app-template
     alias: backrest
     repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 5.0.1
+    version: 4.6.2
   - name: volsync-target
     alias: volsync-target-config
-    version: 2.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: volsync-target
     alias: volsync-target-data
-    version: 2.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
 # renovate: datasource=github-releases depName=garethgeorge/backrest
-appVersion: v1.13.0
+appVersion: v1.12.1

clusters/cl01tl/helm/backrest/templates/_helpers.tpl

@@ -1,24 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.storageNfsName" -}}
-backrest-nfs-storage
-{{- end -}}
-{{- define "custom.shareNfsName" -}}
-backrest-nfs-share
-{{- end -}}

clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml

@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: backrest-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.storageNfsName" . }}
+  volumeName: backrest-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.shareNfsName" . }}
+  name: backrest-nfs-share
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-share
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.shareNfsName" . }}
+  volumeName: backrest-nfs-share
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml

@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: backrest-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.shareNfsName" . }}
+  name: backrest-nfs-share
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-share
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/backrest/values.yaml

@@ -8,7 +8,7 @@ backrest:
         main:
           image:
             repository: ghcr.io/garethgeorge/backrest
-            tag: v1.13.0@sha256:9c9966b5c285ec791a6b06cb4545fa0247424d05442e12f9558b4322d9f8a15f
+            tag: v1.12.1@sha256:f4d34bd6fa985d13bdb6c01c5d8727e07708899afa9567d800808357d77b9fb0
           env:
             - name: TZ
               value: America/Chicago
@@ -115,21 +115,21 @@ volsync-target-data:
   pvcTarget: backrest-data
   local:
     enabled: true
-    schedule: 15 8 * * *
+    schedule: 6 8 * * *
   remote:
     enabled: true
-    schedule: 15 10 * * 0
+    schedule: 6 9 * * *
   external:
     enabled: true
-    schedule: 15 9 * * 0
+    schedule: 6 10 * * *
 volsync-target-config:
   pvcTarget: backrest-config
   local:
     enabled: true
-    schedule: 20 8 * * *
+    schedule: 8 8 * * *
   remote:
     enabled: true
-    schedule: 20 10 * * 0
+    schedule: 8 9 * * *
   external:
     enabled: true
-    schedule: 20 9 * * 0
+    schedule: 8 10 * * *

clusters/cl01tl/helm/bazarr/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 5.0.1
+  version: 4.6.2
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.0.0
+  version: 0.8.0
-digest: sha256:bcced6d5e69265581b976c3e0426cc1330e36109255ce34533ef0d9b991054a5
+digest: sha256:ce88e4cd451613c9dbc25d285700970789ff678452ef277f3c8465dbf6157f1f
-generated: "2026-05-15T00:29:00.968381514Z"
+generated: "2026-03-06T01:05:44.405374459Z"

clusters/cl01tl/helm/bazarr/Chart.yaml

@@ -21,10 +21,10 @@ dependencies:
   - name: app-template
     alias: bazarr
     repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 5.0.1
+    version: 4.6.2
   - name: volsync-target
     alias: volsync-target-config
-    version: 2.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
 # renovate: datasource=github-releases depName=linuxserver/docker-bazarr

clusters/cl01tl/helm/bazarr/templates/_helpers.tpl

@@ -1,21 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.storageNfsName" -}}
-bazarr-nfs-storage
-{{- end -}}

clusters/cl01tl/helm/bazarr/templates/external-secret.yaml

@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: bazarr-key
+  name: bazarr-key-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: bazarr-key
+    app.kubernetes.io/name: bazarr-key-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: key
       remoteRef:

clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml

@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: bazarr-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
+    app.kubernetes.io/name: bazarr-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.storageNfsName" . }}
+  volumeName: bazarr-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml

@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: bazarr-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
+    app.kubernetes.io/name: bazarr-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/bazarr/values.yaml

@@ -39,7 +39,7 @@ bazarr:
             - name: APIKEY
               valueFrom:
                 secretKeyRef:
-                  name: bazarr-key
+                  name: bazarr-key-secret
                   key: key
             - name: ENABLE_ADDITIONAL_METRICS
               value: false
@@ -112,10 +112,10 @@ volsync-target-config:
     fsGroupChangePolicy: OnRootMismatch
   local:
     enabled: true
-    schedule: 25 8 * * *
+    schedule: 10 8 * * *
   remote:
     enabled: true
-    schedule: 25 10 * * 0
+    schedule: 10 9 * * *
   external:
     enabled: true
-    schedule: 25 9 * * 0
+    schedule: 10 10 * * *

clusters/cl01tl/helm/blocky/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 5.0.1
+  version: 4.6.2
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
+  version: 0.6.1
-digest: sha256:adbf5c062f0be520b579854a9ec75e6932b472508d9b1ec7277bacc3940c20e9
+digest: sha256:6ed3a7587906fbda581d0091ff2c29a1816b8b0b8ae40add9885e6a68b2b82ae
-generated: "2026-05-15T00:29:14.40707075Z"
+generated: "2026-04-13T20:32:34.844998902Z"

clusters/cl01tl/helm/blocky/Chart.yaml

@@ -17,10 +17,10 @@ dependencies:
   - name: app-template
     alias: blocky
     repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 5.0.1
+    version: 4.6.2
   - name: valkey
     alias: valkey
-    version: 0.8.0
+    version: 0.6.1
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
 # renovate: datasource=github-releases depName=0xerr0r/blocky

clusters/cl01tl/helm/blocky/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/blocky/values.yaml

@@ -106,7 +106,6 @@ blocky:
               audiobookshelf                  IN      CNAME   traefik-cl01tl
               authentik                       IN      CNAME   traefik-cl01tl
               backrest                        IN      CNAME   traefik-cl01tl
-              bao                             IN      CNAME   traefik-cl01tl
               bazarr                          IN      CNAME   traefik-cl01tl
               ceph                            IN      CNAME   traefik-cl01tl
               dawarich                        IN      CNAME   traefik-cl01tl
@@ -134,7 +133,7 @@ blocky:
               komodo                          IN      CNAME   traefik-cl01tl
               languagetool                    IN      CNAME   traefik-cl01tl
               lidarr                          IN      CNAME   traefik-cl01tl
-              loki                            IN      CNAME   traefik-cl01tl
+              mail                            IN      CNAME   traefik-cl01tl
               medialyze                       IN      CNAME   traefik-cl01tl
               music-grabber                   IN      CNAME   traefik-cl01tl
               navidrome                       IN      CNAME   traefik-cl01tl
@@ -161,7 +160,7 @@ blocky:
               sonarr                          IN      CNAME   traefik-cl01tl
               sonarr-4k                       IN      CNAME   traefik-cl01tl
               sonarr-anime                    IN      CNAME   traefik-cl01tl
-              sparkyfitness                   IN      CNAME   traefik-cl01tl
+              stalwart                        IN      CNAME   traefik-cl01tl
               tdarr                           IN      CNAME   traefik-cl01tl
               tubearchivist                   IN      CNAME   traefik-cl01tl
               vault                           IN      CNAME   traefik-cl01tl

clusters/cl01tl/helm/cert-manager/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.20.2
+  version: v1.20.1
-digest: sha256:f218239b4538c64d57e098a56c69dcbc4e076ffcc3d320c5a5fef1e6309e38cf
+digest: sha256:1bf36eba44cf096b40355a697b8cffb302f07f9135374222aabdf686f017b7a9
-generated: "2026-04-13T23:02:59.380767677Z"
+generated: "2026-03-28T01:35:24.542754563Z"

clusters/cl01tl/helm/cert-manager/Chart.yaml

@@ -13,8 +13,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: cert-manager
-    version: v1.20.2
+    version: v1.20.1
     repository: https://charts.jetstack.io
 icon: https://raw.githubusercontent.com/cert-manager/cert-manager/refs/heads/master/logo/logo.png
 # renovate: datasource=github-releases depName=cert-manager/cert-manager
-appVersion: v1.20.2
+appVersion: v1.20.1

clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl

@@ -1,24 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.cloudflareSecretName" -}}
-cert-manager-cloudflare-api-token
-{{- end -}}
-{{- define "custom.cloudflareSecretKey" -}}
-api-token
-{{- end -}}

clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml

@@ -5,7 +5,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: letsencrypt-issuer
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   acme:
     email: alexanderlebens@gmail.com
@@ -21,5 +22,5 @@ spec:
           cloudflare:
             email: alexanderlebens@gmail.com
             apiTokenSecretRef:
-              name: {{ include "custom.cloudflareSecretName" . }}
+              name: cloudflare-api-token
-              key: {{ include "custom.cloudflareSecretKey" . }}
+              key: api-token

clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml

@@ -1,17 +1,18 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: {{ include "custom.cloudflareSecretName" . }}
+  name: cloudflare-api-token
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.cloudflareSecretName" . }}
+    app.kubernetes.io/name: cloudflare-api-token
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
-    - secretKey: {{ include "custom.cloudflareSecretKey" . }}
+    - secretKey: api-token
       remoteRef:
-        key: /cloudflare/alexlebens.net/cl01tl-issuer-certificate
+        key: /cloudflare/alexlebens.net/clusterissuer
         property: token

clusters/cl01tl/helm/cert-manager/templates/prometheus-rule.yaml

@@ -1,44 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
-  name: cert-manager
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: cert-manager
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  groups:
-    - name: EmbeddedExporter
-      rules:
-        - alert: Cert-ManagerAbsent
-          expr: absent(up{job="cert-manager"})
-          for: 10m
-          labels:
-            severity: critical
-          annotations:
-            summary: Cert-Manager absent (instance {{ `{{ $labels.instance }}` }})
-            description: "Cert-Manager has disappeared from Prometheus service discovery. New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: Cert-ManagerCertificateExpiringSoon
-          expr: avg by (exported_namespace, namespace, name) (certmanager_certificate_expiration_timestamp_seconds - time()) < (21 * 24 * 3600)
-          for: 1h
-          labels:
-            severity: warning
-          annotations:
-            summary: Cert-Manager certificate expiring soon (instance {{ `{{ $labels.instance }}` }})
-            description: "The certificate {{ `{{ $labels.name }}` }} is expiring in less than 21 days.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: Cert-ManagerCertificateNotReady
-          expr: max by (name, exported_namespace, namespace, condition) (certmanager_certificate_ready_status{condition!="True"} == 1)
-          for: 10m
-          labels:
-            severity: critical
-          annotations:
-            summary: Cert-Manager certificate not ready (instance {{ `{{ $labels.instance }}` }})
-            description: "The certificate {{ `{{ $labels.name }}` }} in namespace {{ `{{ $labels.exported_namespace }}` }} is not ready to serve traffic.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: Cert-ManagerHittingACMERateLimits
-          expr: sum by (host) (rate(certmanager_acme_client_request_count{status="429"}[5m])) > 0
-          for: 5m
-          labels:
-            severity: critical
-          annotations:
-            summary: Cert-Manager hitting ACME rate limits (instance {{ `{{ $labels.instance }}` }})
-            description: "Cert-Manager is being rate-limited by the ACME provider. Certificate issuance and renewal may be blocked for up to a week.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"

clusters/cl01tl/helm/cilium/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: cilium
   repository: https://helm.cilium.io/
-  version: 1.19.4
+  version: 1.18.6
-digest: sha256:7148a1dffd924413b215cdd639a59eae1d8bcd51f3a3acba72adecb67d612c04
+digest: sha256:8ea328ac238524b5b423e6289f5e25d05ef64e6aa19cfd5de238f1d5dd533e9b
-generated: "2026-05-16T19:10:46.663316677Z"
+generated: "2026-02-05T12:00:20.15778-06:00"

clusters/cl01tl/helm/cilium/Chart.yaml

@@ -14,8 +14,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: cilium
-    version: 1.19.4
+    version: 1.18.6
     repository: https://helm.cilium.io/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png
 # renovate: datasource=github-releases depName=cilium/cilium
-appVersion: 1.19.4
+appVersion: 1.18.6

clusters/cl01tl/helm/cilium/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml

@@ -0,0 +1,19 @@
+# apiVersion: cilium.io/v2
+# kind: CiliumBGPAdvertisement
+# metadata:
+#   name: cilium-bgp-advertisements
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-bgp-advertisements
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   advertisements:
+#     - advertisementType: "Service"
+#       service:
+#         addresses:
+#           - ExternalIP
+#           - LoadBalancerIP
+#       selector:
+#         matchExpressions:
+#          - {key: somekey, operator: NotIn, values: ['never-used-value']}

clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml

@@ -0,0 +1,22 @@
+# apiVersion: cilium.io/v2
+# kind: CiliumBGPClusterConfig
+# metadata:
+#   name: cilium-bgp
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-bgp
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   nodeSelector:
+#     matchLabels:
+#       node-role.kubernetes.io/bgp: "65020"
+#   bgpInstances:
+#     - name: "65020"
+#       localASN: 65020
+#       peers:
+#         - name: "udm-65000"
+#           peerASN: 65000
+#           peerAddress: 192.168.1.1
+#           peerConfigRef:
+#             name: "cilium-peer"

clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml

@@ -0,0 +1,23 @@
+# apiVersion: cilium.io/v2
+# kind: CiliumBGPPeerConfig
+# metadata:
+#   name: cilium-peer
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-peer
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   timers:
+#     holdTimeSeconds: 9
+#     keepAliveTimeSeconds: 3
+#   ebgpMultihop: 4
+#   gracefulRestart:
+#     enabled: true
+#     restartTimeSeconds: 15
+#   families:
+#     - afi: ipv4
+#       safi: unicast
+#       advertisements:
+#         matchLabels:
+#           app.kubernetes.io/name: cilium-bgp-advertisements

clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml

@@ -5,8 +5,25 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: default-ip-pool
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   blocks:
     - start: "10.232.1.21"
       stop: "10.232.1.23"
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: bgp-ip-pool
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: bgp-ip-pool
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  blocks:
+    - start: "10.232.2.100"
+      stop: "10.232.2.200"
+  disabled: true

clusters/cl01tl/helm/cilium/templates/gateway.yaml

@@ -0,0 +1,45 @@
+# apiVersion: gateway.networking.k8s.io/v1
+# kind: Gateway
+# metadata:
+#   name: cilium-tls-gateway
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-tls-gateway
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+#   annotations:
+#     cert-manager.io/cluster-issuer: letsencrypt-issuer
+# spec:
+#   addresses:
+#     - type: IPAddress
+#       value: 10.232.1.23
+#   gatewayClassName: cilium
+#   listeners:
+#     - allowedRoutes:
+#         namespaces:
+#           from: All
+#       hostname: '*.alexlebens.net'
+#       name: https
+#       port: 443
+#       protocol: HTTPS
+#       tls:
+#         certificateRefs:
+#           - group: ''
+#             kind: Secret
+#             name: https-gateway-cert
+#             namespace: kube-system
+#         mode: Terminate
+#     - allowedRoutes:
+#         namespaces:
+#           from: All
+#       hostname: 'alexlebens.net'
+#       name: https-domain
+#       port: 443
+#       protocol: HTTPS
+#       tls:
+#         certificateRefs:
+#           - group: ''
+#             kind: Secret
+#             name: https-gateway-cert
+#             namespace: kube-system
+#         mode: Terminate

clusters/cl01tl/helm/cilium/templates/http-route.yaml

@@ -5,7 +5,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: hubble
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   parentRefs:
     - group: gateway.networking.k8s.io
@@ -20,6 +21,8 @@ spec:
           type: PathPrefix
           value: /
       backendRefs:
-        - kind: Service
+        - group: ''
+          kind: Service
           name: hubble-ui
           port: 80
+          weight: 100

clusters/cl01tl/helm/cilium/values.yaml

@@ -25,14 +25,20 @@ cilium:
         - NET_ADMIN
         - SYS_ADMIN
         - SYS_RESOURCE
+  bgpControlPlane:
+    enabled: false
   bpf:
     hostLegacyRouting: true
-    masquerade: false
   devices: end0 enp6s0
   ciliumEndpointSlice:
     enabled: true
   gatewayAPI:
-    enabled: false
+    enabled: true
+    enableAppProtocol: true
+    enableAlpn: true
+    secretsNamespace:
+      create: false
+      name: kube-system
   socketLB:
     enabled: true
     hostNamespaceOnly: true

clusters/cl01tl/helm/cloudnative-pg/Chart.lock

@@ -1,15 +1,9 @@
 dependencies:
 - name: cloudnative-pg
   repository: https://cloudnative-pg.io/charts/
-  version: 0.28.2
+  version: 0.28.0
 - name: plugin-barman-cloud
   repository: https://cloudnative-pg.io/charts/
-  version: 0.6.0
+  version: 0.5.0
-- name: rclone-bucket
+digest: sha256:3e9b26d00fdb61af60f003bcb327e05d02799eb6088e30aaabd01c49c6021aac
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2026-04-01T20:05:40.198140255Z"
-  version: 0.11.3
-- name: rclone-bucket
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.11.3
-digest: sha256:a08719a82de76d62cddfec163dbc9feecfbea83ab406f3750d25d4deaf586f0c
-generated: "2026-05-13T00:10:14.309341878Z"

clusters/cl01tl/helm/cloudnative-pg/Chart.yaml

@@ -13,24 +13,15 @@ sources:
   - https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql
   - https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
   - https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
 maintainers:
   - name: alexlebens
 dependencies:
   - name: cloudnative-pg
-    version: 0.28.2
+    version: 0.28.0
     repository: https://cloudnative-pg.io/charts/
   - name: plugin-barman-cloud
-    version: 0.6.0
+    version: 0.5.0
     repository: https://cloudnative-pg.io/charts/
-  - name: rclone-bucket
-    alias: rclone-postgres-backups-remote
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 0.11.3
-  - name: rclone-bucket
-    alias: rclone-postgres-backups-external
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 0.11.3
 icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png
 # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
-appVersion: 1.29.1
+appVersion: 1.29.0

clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/cloudnative-pg/values.yaml

@@ -14,61 +14,3 @@ plugin-barman-cloud:
     requests:
       cpu: 1m
       memory: 20Mi
-rclone-postgres-backups-remote:
-  nameOverride: postgres-backups-remote-rclone
-  cronJob:
-    suspend: false
-    schedule: 30 6 * * 1
-  rclone:
-    source:
-      bucketName: postgres-backups
-    destination:
-      bucketName: postgres-backups
-  prune:
-    enabled: true
-    ageToPrune: 45d
-    include: "/cl01tl/*/*/*/base/**"
-    exclude: "**/walls/**"
-  secret:
-    externalSecret:
-      source:
-        credentials:
-          path: /garage/home-infra/postgres-backups
-        config:
-          path: /garage/config
-      destination:
-        credentials:
-          path: /garage/home-infra/postgres-backups
-        config:
-          path: /garage/config
-rclone-postgres-backups-external:
-  nameOverride: postgres-backups-external-rclone
-  cronJob:
-    suspend: false
-    schedule: 0 6 * * 1
-  rclone:
-    source:
-      bucketName: postgres-backups
-    destination:
-      bucketName: postgres-backups-775957147abfbc73
-  prune:
-    enabled: true
-    ageToPrune: 45d
-    include: "/cl01tl/*/*/*/base/**"
-    exclude: "**/walls/**"
-  secret:
-    externalSecret:
-      source:
-        credentials:
-          path: /garage/home-infra/postgres-backups
-        config:
-          path: /garage/config
-      destination:
-        credentials:
-          path: /backblaze/home-infra/postgres-backups
-          keyIdProperty: AWS_ACCESS_KEY_ID
-          secretKeyProperty: AWS_SECRET_ACCESS_KEY
-          regionProperty: AWS_REGION
-        config:
-          path: /backblaze/config
-          endpointProperty: ENDPOINT

clusters/cl01tl/helm/coredns/Chart.yaml

@@ -8,7 +8,6 @@ keywords:
 home: https://docs.alexlebens.dev/applications/coredns/
 sources:
   - https://github.com/coredns/coredns
-  - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fcoredns%2Fcoredns
   - https://github.com/coredns/helm
 maintainers:
   - name: alexlebens
@@ -18,4 +17,4 @@ dependencies:
     repository: https://coredns.github.io/helm
 icon: https://raw.githubusercontent.com/coredns/coredns.io/refs/heads/master/static/images/favicon.png
 # renovate: datasource=github-releases depName=coredns/coredns
-appVersion: v1.14.3
+appVersion: v1.14.2

clusters/cl01tl/helm/coredns/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/coredns/values.yaml

@@ -1,7 +1,7 @@
 coredns:
   image:
-    repository: coredns/coredns
+    repository: registry.k8s.io/coredns/coredns
-    tag: 1.14.3@sha256:b21d26b915e10acb5bc78715c1e8b6047ab2675389b2bcc18b3a6499d90e74c0
+    tag: v1.14.2@sha256:e7e6440cfd1e919280958f5b5a6ab2b184d385bba774c12ad2a9e1e4183f90d9
   replicaCount: 3
   resources:
     limits:

clusters/cl01tl/helm/dawarich/Chart.lock

@@ -1,21 +1,21 @@
 dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 5.0.1
+  version: 4.6.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.12.1
+  version: 7.11.2
 - name: valkey
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.6.1
+- name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.8.0
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.0.0
+  version: 0.8.0
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.0.0
+  version: 0.8.0
-- name: volsync-target
+digest: sha256:6ece439d5549b7d7ccd75053846bb9b2e8f9798a2e2163eac6f62bf5cf222587
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2026-04-13T20:32:54.380897459Z"
-  version: 2.0.0
-digest: sha256:9cee1f95659261182052fb1e48c74052cca5b346c39d61ca99c20eeb1e6ce8ae
-generated: "2026-05-15T00:29:26.90725275Z"

clusters/cl01tl/helm/dawarich/Chart.yaml

@@ -19,27 +19,27 @@ dependencies:
   - name: app-template
     alias: dawarich
     repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 5.0.1
+    version: 4.6.2
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 7.12.1
+    version: 7.11.2
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: valkey
     alias: valkey
-    version: 0.8.0
+    version: 0.6.1
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: volsync-target
     alias: volsync-target-storage
-    version: 2.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: volsync-target
     alias: volsync-target-public
-    version: 2.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: volsync-target
     alias: volsync-target-watched
-    version: 2.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
 # renovate: datasource=github-releases depName=Freika/dawarich
-appVersion: 1.7.7
+appVersion: 1.6.1

clusters/cl01tl/helm/dawarich/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/dawarich/templates/external-secret.yaml

@@ -1,75 +1,42 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-key
+  name: dawarich-key-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: dawarich-key
+    app.kubernetes.io/name: dawarich-key-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: key
       remoteRef:
         key: /cl01tl/dawarich/key
         property: key
-    - secretKey: otp-primary-key
-      remoteRef:
-        key: /cl01tl/dawarich/key
-        property: otp-primary-key
-    - secretKey: otp-deterministic-key
-      remoteRef:
-        key: /cl01tl/dawarich/key
-        property: otp-deterministic-key
-    - secretKey: otp-derivation-salt
-      remoteRef:
-        key: /cl01tl/dawarich/key
-        property: otp-derivation-salt
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-oidc-authentik
+  name: dawarich-oidc-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: dawarich-oidc-authentik
+    app.kubernetes.io/name: dawarich-oidc-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: client
       remoteRef:
-        key: /cl01tl/authentik/oidc/dawarich
+        key: /authentik/oidc/dawarich
         property: client
     - secretKey: secret
       remoteRef:
-        key: /cl01tl/authentik/oidc/dawarich
+        key: /authentik/oidc/dawarich
         property: secret
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: dawarich-metrics-credentials
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: dawarich-metrics-credentials
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: user
-      remoteRef:
-        key: /cl01tl/dawarich/metrics
-        property: user
-    - secretKey: password
-      remoteRef:
-        key: /cl01tl/dawarich/metrics
-        property: password

clusters/cl01tl/helm/dawarich/values.yaml

@@ -8,7 +8,7 @@ dawarich:
         main:
           image:
             repository: freikin/dawarich
-            tag: 1.7.7@sha256:f7eea22def731ef98f0644b191c477917790bb0e5449b0014bac2f349ce178a7
+            tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
           command:
             - "web-entrypoint.sh"
           args:
@@ -61,12 +61,12 @@ dawarich:
             - name: OIDC_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                   key: client
             - name: OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                   key: secret
             - name: OIDC_PROVIDER_NAME
               value: Authentik
@@ -78,36 +78,11 @@ dawarich:
               value: 0.0.0.0
             - name: PROMETHEUS_EXPORTER_PORT
               value: 9394
-            - name: METRICS_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-metrics-credentials
-                  key: user
-            - name: METRICS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-metrics-credentials
-                  key: password
             - name: SECRET_KEY_BASE
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-key
+                  name: dawarich-key-secret
                   key: key
-            - name: OTP_ENCRYPTION_PRIMARY_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-primary-key
-            - name: OTP_ENCRYPTION_DETERMINISTIC_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-deterministic-key
-            - name: OTP_ENCRYPTION_KEY_DERIVATION_SALT
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-derivation-salt
             - name: RAILS_LOG_TO_STDOUT
               value: true
             - name: SELF_HOSTED
@@ -136,7 +111,7 @@ dawarich:
         sidekiq:
           image:
             repository: freikin/dawarich
-            tag: 1.7.7@sha256:f7eea22def731ef98f0644b191c477917790bb0e5449b0014bac2f349ce178a7
+            tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
           command:
             - "sidekiq-entrypoint.sh"
           args:
@@ -186,12 +161,12 @@ dawarich:
             - name: OIDC_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                   key: client
             - name: OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                   key: secret
             - name: OIDC_PROVIDER_NAME
               value: Authentik
@@ -203,36 +178,11 @@ dawarich:
               value: 0.0.0.0
             - name: PROMETHEUS_EXPORTER_PORT
               value: 9394
-            - name: METRICS_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-metrics-credentials
-                  key: user
-            - name: METRICS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-metrics-credentials
-                  key: password
             - name: SECRET_KEY_BASE
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-key
+                  name: dawarich-key-secret
                   key: key
-            - name: OTP_ENCRYPTION_PRIMARY_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-primary-key
-            - name: OTP_ENCRYPTION_DETERMINISTIC_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-deterministic-key
-            - name: OTP_ENCRYPTION_KEY_DERIVATION_SALT
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-derivation-salt
             - name: RAILS_LOG_TO_STDOUT
               value: true
             - name: SELF_HOSTED
@@ -276,13 +226,6 @@ dawarich:
           interval: 30s
           scrapeTimeout: 15s
           path: /metrics
-          basicAuth:
-            password:
-              name: dawarich-metrics-credentials
-              key: password
-            username:
-              name: dawarich-metrics-credentials
-              key: user
   route:
     main:
       kind: HTTPRoute
@@ -374,32 +317,32 @@ volsync-target-storage:
   pvcTarget: dawarich-storage
   local:
     enabled: true
-    schedule: 30 8 * * *
+    schedule: 6 8 * * *
   remote:
     enabled: true
-    schedule: 30 10 * * 0
+    schedule: 6 9 * * *
   external:
     enabled: true
-    schedule: 30 9 * * 0
+    schedule: 6 10 * * *
 volsync-target-public:
   pvcTarget: dawarich-public
   local:
     enabled: true
-    schedule: 35 8 * * *
+    schedule: 8 8 * * *
   remote:
     enabled: true
-    schedule: 35 10 * * 0
+    schedule: 8 9 * * *
   external:
     enabled: true
-    schedule: 35 9 * * 0
+    schedule: 8 10 * * *
 volsync-target-watched:
   pvcTarget: dawarich-watched
   local:
     enabled: true
-    schedule: 40 8 * * *
+    schedule: 8 8 * * *
   remote:
     enabled: true
-    schedule: 40 10 * * 0
+    schedule: 8 9 * * *
   external:
     enabled: true
-    schedule: 40 9 * * 0
+    schedule: 8 10 * * *

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml

@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: synology-iscsi-config
+  name: synology-iscsi-config-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: synology-iscsi-config
+    app.kubernetes.io/name: synology-iscsi-config-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: driver-config-file.yaml
       remoteRef:

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml

@@ -1,10 +1,11 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Release.Namespace }}
+  name: democratic-csi-synology-iscsi
   labels:
-    app.kubernetes.io/name: {{ .Release.Namespace }}
+    app.kubernetes.io/name: democratic-csi-synology-iscsi
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml

@@ -3,7 +3,7 @@ democratic-csi:
     image:
       registry: ghcr.io/democratic-csi/democratic-csi
       tag: v1.9.5@@sha256:fc3b7d7ed3a616714139525075312758e23a5d425ffb539ad12c9bd20fb6001f
-    existingConfigSecret: synology-iscsi-config
+    existingConfigSecret: synology-iscsi-config-secret
     config:
       driver: synology-iscsi
     resources:
@@ -47,8 +47,6 @@ democratic-csi:
         fsType: ext4
   node:
     hostPID: true
-    rbac:
-      enabled: true
     driver:
       extraEnv:
         - name: ISCSIADM_HOST_STRATEGY

clusters/cl01tl/helm/descheduler/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/descheduler/values.yaml

@@ -10,7 +10,7 @@ descheduler:
     requests:
       cpu: 10m
       memory: 50Mi
-  deschedulingInterval: 2m
+  deschedulingInterval: 5m
   replicas: 3
   leaderElection:
     enabled: true
@@ -51,13 +51,13 @@ descheduler:
           - name: LowNodeUtilization
             args:
               thresholds:
-                cpu: 30
+                cpu: 20
-                memory: 30
+                memory: 20
-                pods: 30
+                pods: 20
               targetThresholds:
-                cpu: 45
+                cpu: 50
-                memory: 45
+                memory: 50
-                pods: 45
+                pods: 60
         plugins:
           balance:
             enabled:

clusters/cl01tl/helm/directus/Chart.lock

@@ -1,18 +1,12 @@
 dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 5.0.1
+  version: 4.6.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.12.1
+  version: 7.11.2
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.8.0
+  version: 0.6.1
-- name: rclone-bucket
+digest: sha256:78f5065d1125792c88e4d24f5ac1ee3d6310b4997f552020c44d0615335ea329
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2026-04-13T20:33:13.909018545Z"
-  version: 0.11.3
-- name: rclone-bucket
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.11.3
-digest: sha256:80a6b37486f2ac7f189cf41b08e731f8a34df37e1af916c3eb49a5dc68939df0
-generated: "2026-05-15T00:29:39.148310428Z"

clusters/cl01tl/helm/directus/Chart.yaml

@@ -5,37 +5,28 @@ description: Directus
 keywords:
   - directus
   - content-management-system
-home: https://docs.alexlebens.dev/applications/directus/
+home: https://docs.alexlebens.dev/applications/descheduler/
 sources:
   - https://github.com/directus/directus
   - https://github.com/directus/directus/pkgs/container/directus
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
 maintainers:
   - name: alexlebens
 dependencies:
   - name: app-template
     alias: directus
     repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 5.0.1
+    version: 4.6.2
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 7.12.1
+    version: 7.11.2
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: valkey
     alias: valkey
-    version: 0.8.0
+    version: 0.6.1
     repository: oci://harbor.alexlebens.net/helm-charts
-  - name: rclone-bucket
-    alias: rclone-directus-assets-remote
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 0.11.3
-  - name: rclone-bucket
-    alias: rclone-directus-assets-external
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 0.11.3
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 # renovate: datasource=github-releases depName=directus/directus
-appVersion: 11.17.4
+appVersion: 11.17.2

clusters/cl01tl/helm/directus/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/directus/templates/external-secret.yaml

@@ -5,20 +5,13 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-config
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
-    - secretKey: key
-      remoteRef:
-        key: /cl01tl/directus/key
-        property: key
-    - secretKey: secret
-      remoteRef:
-        key: /cl01tl/directus/key
-        property: secret
     - secretKey: admin-email
       remoteRef:
         key: /cl01tl/directus/config
@@ -27,6 +20,38 @@ spec:
       remoteRef:
         key: /cl01tl/directus/config
         property: admin-password
+    - secretKey: secret
+      remoteRef:
+        key: /cl01tl/directus/config
+        property: secret
+    - secretKey: key
+      remoteRef:
+        key: /cl01tl/directus/config
+        property: key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: OIDC_CLIENT_ID
+      remoteRef:
+        key: /authentik/oidc/directus
+        property: client
+    - secretKey: OIDC_CLIENT_SECRET
+      remoteRef:
+        key: /authentik/oidc/directus
+        property: secret
 
 ---
 apiVersion: external-secrets.io/v1
@@ -36,67 +61,18 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-metric-token
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: metric-token
       remoteRef:
         key: /cl01tl/directus/metrics
         property: metric-token
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-valkey-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-valkey-config
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: user
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: user
-    - secretKey: password
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: password
-    - secretKey: default
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: password
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-oidc-authentik
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-oidc-authentik
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: OIDC_CLIENT_ID
-      remoteRef:
-        key: /cl01tl/authentik/oidc/directus
-        property: client
-    - secretKey: OIDC_CLIENT_SECRET
-      remoteRef:
-        key: /cl01tl/authentik/oidc/directus
-        property: secret
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -105,11 +81,12 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-bucket-garage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
@@ -123,3 +100,31 @@ spec:
       remoteRef:
         key: /garage/home-infra/directus-assets
         property: ACCESS_REGION
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-valkey-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-valkey-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: default
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: password
+    - secretKey: user
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: user
+    - secretKey: password
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: password

clusters/cl01tl/helm/directus/values.yaml

@@ -8,7 +8,7 @@ directus:
         main:
           image:
             repository: ghcr.io/directus/directus
-            tag: 11.17.4@sha256:eb326f679ae847c0a776f93b972761dc2ebe84980e0b9d274a6bc31cd62809f7
+            tag: 11.17.2@sha256:5e5978377f1cc9820ffc5b92597da1573a1350ea57f8aba42efd999139993874
           env:
             - name: PUBLIC_URL
               value: https://directus.alexlebens.net
@@ -113,12 +113,12 @@ directus:
             - name: AUTH_AUTHENTIK_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: directus-oidc-authentik
+                  name: directus-oidc-secret
                   key: OIDC_CLIENT_ID
             - name: AUTH_AUTHENTIK_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: directus-oidc-authentik
+                  name: directus-oidc-secret
                   key: OIDC_CLIENT_SECRET
             - name: AUTH_AUTHENTIK_SCOPE
               value: openid profile email
@@ -210,48 +210,7 @@ valkey:
       aclUsers:
         default:
           permissions: "~* &* +@all"
-rclone-directus-assets-remote:
+    # No option to configure metrics when auth is enabled
-  nameOverride: directus-assets-remote-rclone
+    # https://github.com/valkey-io/valkey-helm/issues/135
-  cronJob:
+    metrics:
-    suspend: false
+      enabled: false
-    schedule: 30 6 * * 2
-  rclone:
-    source:
-      bucketName: directus-assets
-    destination:
-      bucketName: directus-assets
-  secret:
-    externalSecret:
-      source:
-        credentials:
-          path: /garage/home-infra/directus-assets
-        config:
-          path: /garage/config
-      destination:
-        credentials:
-          path: /garage/home-infra/directus-assets
-        config:
-          path: /garage/config
-rclone-directus-assets-external:
-  nameOverride: directus-assets-external-rclone
-  cronJob:
-    suspend: false
-    schedule: 0 6 * * 2
-  rclone:
-    source:
-      bucketName: directus-assets
-    destination:
-      bucketName: directus-assets-37363a16b71dc59b
-  secret:
-    externalSecret:
-      source:
-        credentials:
-          path: /garage/home-infra/directus-assets
-        config:
-          path: /garage/config
-      destination:
-        credentials:
-          path: /backblaze/home-infra/directus-assets
-        config:
-          path: /backblaze/config
-          endpointProperty: ENDPOINT

clusters/cl01tl/helm/elastic-operator/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: eck-operator
   repository: https://helm.elastic.co
-  version: 3.4.0
+  version: 3.3.2
-digest: sha256:b4787630154471f65ceeb12f65fa24616eab9470e61e089b8e656e42f05f74f1
+digest: sha256:ac7a849a6d8244ef56c11f18438c4c76133f92d245228c5a1c8369d42562c177
-generated: "2026-05-06T19:10:32.416627028Z"
+generated: "2026-04-01T21:30:02.975920565Z"

clusters/cl01tl/helm/elastic-operator/Chart.yaml

@@ -14,8 +14,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: eck-operator
-    version: 3.4.0
+    version: 3.3.2
     repository: https://helm.elastic.co
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/elastic.png
 # renovate: datasource=github-releases depName=elastic/cloud-on-k8s
-appVersion: v3.4.0
+appVersion: v3.3.2

clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/elastic-operator/values.yaml

@@ -1,5 +1,6 @@
 eck-operator:
   managedNamespaces:
+    - stalwart
     - tubearchivist
   installCRDs: true
   replicaCount: 2

clusters/cl01tl/helm/element-web/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: element-web
   repository: https://ananace.gitlab.io/charts
-  version: 1.4.36
+  version: 1.4.34
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 3.3.0
+  version: 2.5.0
-digest: sha256:ede4fbfd1808fcb8e6e8394ceb469603ada10d789b551e3b9885825244ee33d9
+digest: sha256:8640b8a250bdcd9e7561e3d28538ccf4644a7159a035ee0a5fdbcf71dc5b2bbe
-generated: "2026-05-14T14:04:44.871143485Z"
+generated: "2026-04-10T01:17:19.932208699Z"

clusters/cl01tl/helm/element-web/Chart.yaml

@@ -15,11 +15,11 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: element-web
-    version: 1.4.36
+    version: 1.4.34
     repository: https://ananace.gitlab.io/charts
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 3.3.0
+    version: 2.5.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
 # renovate: datasource=github-releases depName=element-hq/element-web
-appVersion: v1.12.18
+appVersion: v1.12.15

clusters/cl01tl/helm/element-web/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/element-web/values.yaml

@@ -2,7 +2,7 @@ element-web:
   replicaCount: 1
   image:
     repository: ghcr.io/element-hq/element-web
-    tag: v1.12.18@sha256:c21772a1eabeededa19be591343f548995e458ec34ba8f27425ae923c10af82e
+    tag: v1.12.15@sha256:c7fa40b5ba3891f8af3ce63da0818f457c1802a9ee4d2f5e46a9df36a2388eed
   defaultServer:
     url: https://matrix.alexlebens.dev
     name: alexlebens.dev

clusters/cl01tl/helm/eraser/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 1.4.1
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 5.0.1
+  version: 4.6.2
-digest: sha256:70822dce88f0eb843477b28caa6f738d38a6436e6e3a99b0003e3e1da69b8ed9
+digest: sha256:8414813d3d9d195b16ef7ebf814f7095a16413f4b0e579fcb37738000624f68c
-generated: "2026-05-15T00:29:53.572114523Z"
+generated: "2026-04-08T21:39:05.689756-05:00"

clusters/cl01tl/helm/eraser/Chart.yaml

@@ -21,7 +21,7 @@ dependencies:
   - name: app-template
     alias: eraser-metrics
     repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 5.0.1
+    version: 4.6.2
 icon: https://raw.githubusercontent.com/eraser-dev/eraser/refs/heads/main/images/eraser-logo-color-1c.png
 # renovate: datasource=github-releases depName=eraser-dev/eraser
 appVersion: v1.4.1

clusters/cl01tl/helm/eraser/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/eraser/values.yaml

@@ -44,13 +44,11 @@ eraser-metrics:
       type: deployment
       replicas: 1
       strategy: Recreate
-      serviceAccount:
-        name: eraser-metrics
       containers:
         main:
           image:
             repository: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector
-            tag: 0.152.0@sha256:f358f8028c6eb44f765444de1c8899b4f97d7ba54be5264a8753f2c182bc5757
+            tag: 0.150.1@sha256:618f7867e49fdb173d9b46d535b01f82254b0b14beac6ab1f6f2eb8cf62c5d42
           command:
             - /otelcol
             - --config=/conf/otel-collector-config.yaml
@@ -85,9 +83,6 @@ eraser-metrics:
                   - otlp
                 exporters:
                   - prometheus
-  serviceAccount:
-    eraser:
-      enabled: true
   service:
     main:
       controller: main

clusters/cl01tl/helm/excalidraw/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 5.0.1
+  version: 4.6.2
-digest: sha256:a8a769a74eddcce81dd9c5740ad124125ebfc1a291332c8ed10c0bdc5230a7b4
+digest: sha256:e05d84dd266b8b456a8bc7f9a2bb3ab01f4ac926efd1a58cf405b0cdab343d3f
-generated: "2026-05-15T00:30:12.00717252Z"
+generated: "2026-01-17T18:27:08.062835-06:00"

clusters/cl01tl/helm/excalidraw/Chart.yaml

@@ -5,7 +5,7 @@ description: Excalidraw
 keywords:
   - excalidraw
   - drawing
-home: https://docs.alexlebens.dev/applications/excalidraw/
+home: https://docs.alexlebens.dev/applications/eraser/
 sources:
   - https://github.com/excalidraw/excalidraw
   - https://hub.docker.com/r/excalidraw/excalidraw
@@ -16,7 +16,7 @@ dependencies:
   - name: app-template
     alias: excalidraw
     repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 5.0.1
+    version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/excalidraw.png
 # renovate: datasource=github-releases depName=excalidraw/excalidraw
-appVersion: v0.18.1
+appVersion: v0.18.0

clusters/cl01tl/helm/excalidraw/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/excalidraw/values.yaml

@@ -8,7 +8,7 @@ excalidraw:
         main:
           image:
             repository: excalidraw/excalidraw
-            tag: latest@sha256:f7ee194addd607bf831d2af0f0a34463dd4225e426cf35199ef0b12a803398e9
+            tag: latest@sha256:3c2513e830bb6e195147c05b34ecf8393d0ba2b1cc86e93b407a5777d6135c6c
           env:
             - name: NODE_ENV
               value: production

clusters/cl01tl/helm/external-dns/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: external-dns
   repository: https://kubernetes-sigs.github.io/external-dns/
-  version: 1.21.1
+  version: 1.20.0
-digest: sha256:c0fc34e2a1fd5a100043c2e22130a3a7910019b655c5e69a50424562f4322f5d
+digest: sha256:0da4dec408239ea48de1d95fa8ad7701c4fdc0efe67baa8743507c75e62e2a47
-generated: "2026-05-01T02:29:38.018973854Z"
+generated: "2026-01-03T23:04:25.142170083Z"

clusters/cl01tl/helm/external-dns/Chart.yaml

@@ -5,7 +5,7 @@ description: External DNS
 keywords:
   - external-dns
   - dns
-home: https://docs.alexlebens.dev/applications/external-dns/
+home: https://docs.alexlebens.dev/applications/eraser/
 sources:
   - https://github.com/kubernetes-sigs/external-dns
   - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fexternal-dns%2Fexternal-dns
@@ -16,7 +16,7 @@ maintainers:
 dependencies:
   - name: external-dns
     alias: external-dns-unifi
-    version: 1.21.1
+    version: 1.20.0
     repository: https://kubernetes-sigs.github.io/external-dns/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 # renovate: datasource=github-releases depName=kubernetes-sigs/external-dns