Merge branch 'manifests' into auto/update-manifests

Merge pull request 'Automated Manifest Update - Automerge' (#2573 ) from auto/update-manifests-automerge-20251216002123 into manifests
chore: Update manifests after automerge
2025-12-16 00:22:25 +00:00 · 2025-12-16 00:21:38 +00:00 · 2025-12-16 00:21:27 +00:00 · 2025-12-16 00:19:38 +00:00 · 2025-12-15 23:46:22 +00:00 · 2025-12-15 22:12:00 +00:00
2686 changed files with 375049 additions and 34391 deletions
--- a/.DS_Store
+++ b/.DS_Store
--- a/.gitea/workflows/lint-test-docker.yaml
+++ b/.gitea/workflows/lint-test-docker.yaml
@@ -1,134 +0,0 @@
-name: lint-test-docker
-
-on:
-  pull_request:
-    branches:
-      - main
-    paths:
-      - 'hosts/**'
-
-  push:
-    branches:
-      - main
-    paths:
-      - 'hosts/**'
-
-env:
-  BASE_BRANCH: "origin/${{ github.base_ref }}"
-
-jobs:
-  lint-docker-compose:
-    runs-on: ubuntu-js
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-
-      - name: Check Branch Exists
-        id: check-branch-exists
-        if: github.event_name == 'pull_request'
-        uses: GuillaumeFalourd/branch-exists@650358876c774d6ccbd581b5553eb636dab79a97 # v1.2
-        with:
-          branch: "${{ github.base_ref }}"
-
-      - name: Report Branch Exists
-        id: branch-exists
-        if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request'
-        run: |
-          if [ "${{ github.event_name }}" == "push" ]; then
-            echo ">> Action is from a push event, will continue with linting"
-
-          else
-            echo ">> Branch ${{ github.base_ref }} exists, will continue with linting"
-
-          fi
-
-          echo ""
-          echo "----"
-
-          echo "exists=true" >> $GITHUB_OUTPUT
-
-      - name: Set Up Node.js
-        if: steps.branch-exists.outputs.exists == 'true'
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-        with:
-          node-version: '24'
-
-      - name: Check Directories for Changes
-        id: check-dir-changes
-        if: steps.branch-exists.outputs.exists == 'true'
-        run: |
-          echo ">> Target branch for diff is: ${BASE_BRANCH}"
-
-          if [ "${{ github.event_name }}" == "pull_request" ]; then
-            DIFF_TARGET="${BASE_BRANCH}"
-            echo ""
-            echo ">> Checking for changes in a pull request ..."
-
-          else
-            DIFF_TARGET="${{ github.event.before }}..HEAD"
-            echo ""
-            echo ">> Checking for changes from a push ..."
-
-          fi
-
-          CHANGED_COMPOSE=$(git diff --name-only "${DIFF_TARGET}" | grep -E "^hosts/[^/]+/[^/]+/" | cut -d/ -f1,2,3 | sort -u || true)
-
-          if [ -n "${CHANGED_COMPOSE}" ]; then
-            echo ""
-            echo ">> Compose to Lint:"
-            echo ""
-            echo "${CHANGED_COMPOSE}"
-
-            CHANGED_COMPOSE_CSV=$(echo "$CHANGED_COMPOSE" | paste -sd ',' -)
-
-            echo ""
-            echo "----"
-
-            echo "changes-detected=true" >> $GITHUB_OUTPUT
-            echo "compose-dir-csv=${CHANGED_COMPOSE_CSV}" >> $GITHUB_OUTPUT
-            echo "compose-dir<<EOF" >> $GITHUB_OUTPUT
-            echo "${CHANGED_COMPOSE}" >> $GITHUB_OUTPUT
-            echo "EOF" >> $GITHUB_OUTPUT
-
-          else
-            echo ""
-            echo ">> Did not find any docker compose files to lint"
-
-            echo ""
-            echo "----"
-
-            echo "changes-detected=false" >> $GITHUB_OUTPUT
-
-          fi
-
-      - name: Lint Docker Compose
-        if: steps.check-dir-changes.outputs.changes-detected == 'true'
-        env:
-          CHANGED_COMPOSE: ${{ steps.check-dir-changes.outputs.compose-dir }}
-        run: |
-          echo ">> Running dclint on changed compose files ..."
-
-          for COMPOSE in $CHANGED_COMPOSE; do
-            echo ">> Linting ${COMPOSE} ..."
-            npx dclint ${COMPOSE}
-
-          done
-
-          echo ""
-          echo "----"
-
-      - name: ntfy Failed
-        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
-        if: failure()
-        with:
-          url: '${{ secrets.NTFY_URL }}'
-          topic: '${{ secrets.NTFY_TOPIC }}'
-          title: 'Docker Compose Test Failure'
-          priority: 3
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,failed
-          details: "Docker linting for compose dirs: ${{ steps.check-dir-changes.outputs.compose-dir-csv }}"
-          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-          actions: '[{"action": "view", "label": "View Logs", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
--- a/.gitea/workflows/lint-test-helm.yaml
+++ b/.gitea/workflows/lint-test-helm.yaml
@@ -1,631 +0,0 @@
-name: lint-test-helm
-
-on:
-  pull_request:
-    branches:
-      - main
-    paths:
-      - 'clusters/cl01tl/helm/**'
-
-  push:
-    branches:
-      - main
-    paths:
-      - 'clusters/cl01tl/helm/**'
-
-env:
-  CLUSTER: cl01tl
-  BASE_BRANCH: "origin/${{ github.base_ref }}"
-  KUBECONFORM_VERSION: "v0.6.7"
-  ARGOCD_VERSION: "v3.3.6"
-
-jobs:
-  lint-helm:
-    runs-on: ubuntu-js
-    outputs:
-      chart-dir: ${{ steps.check-dir-changes.outputs.chart-dir }}
-      chart-dir-csv: ${{ steps.check-dir-changes.outputs.chart-dir-csv }}
-      changes-detected: ${{ steps.check-dir-changes.outputs.changes-detected }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-
-      - name: Check Branch Exists
-        id: check-branch-exists
-        if: github.event_name == 'pull_request'
-        uses: GuillaumeFalourd/branch-exists@650358876c774d6ccbd581b5553eb636dab79a97 # v1.2
-        with:
-          branch: ${{ github.base_ref }}
-
-      - name: Report Branch Exists
-        id: branch-exists
-        if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request'
-        run: |
-          if [ "${{ github.event_name }}" == "push" ]; then
-            echo ">> Action is from a push event, will continue with linting"
-
-          else
-            echo ">> Branch ${{ github.base_ref }} exists, will continue with linting"
-
-          fi
-
-          echo ""
-          echo "----"
-
-          echo "exists=true" >> $GITHUB_OUTPUT
-
-      - name: Set Up Helm
-        if: steps.branch-exists.outputs.exists == 'true'
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
-        with:
-          token: ${{ secrets.GITEA_TOKEN }}
-          # renovate: datasource=github-releases depName=helm/helm
-          version: v4.1.3
-          cache: true
-
-      - name: Cache Helm Dependencies
-        if: steps.branch-exists.outputs.exists == 'true'
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            ~/.cache/helm
-            ~/.config/helm
-          key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
-          restore-keys: |
-            helm-cache-${{ runner.os }}-
-
-      - name: Check Directories for Changes
-        id: check-dir-changes
-        if: steps.branch-exists.outputs.exists == 'true'
-        run: |
-          echo ">> Target branch for diff is: ${BASE_BRANCH}"
-
-          if [ "${{ github.event_name }}" == "pull_request" ]; then
-            DIFF_TARGET="${BASE_BRANCH}"
-            echo ""
-            echo ">> Checking for changes in a pull request ..."
-
-          else
-            DIFF_TARGET="${{ github.event.before }}..HEAD"
-            echo ""
-            echo ">> Checking for changes from a push ..."
-
-          fi
-
-          CHANGED_CHARTS=$(git diff --name-only "${DIFF_TARGET}" | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true)
-
-          if [ -n "${CHANGED_CHARTS}" ]; then
-            echo ""
-            echo ">> Chart to Lint:"
-            echo ""
-            echo "${CHANGED_CHARTS}"
-
-            CHANGED_CHARTS_CSV=$(echo "${CHANGED_CHARTS}" | paste -sd ',' -)
-
-            echo ""
-            echo "----"
-
-            echo "changes-detected=true" >> $GITHUB_OUTPUT
-            echo "chart-dir-csv=${CHANGED_CHARTS_CSV}" >> $GITHUB_OUTPUT
-            echo "chart-dir<<EOF" >> $GITHUB_OUTPUT
-            echo "${CHANGED_CHARTS}" >> $GITHUB_OUTPUT
-            echo "EOF" >> $GITHUB_OUTPUT
-
-          else
-            echo ""
-            echo ">> Did not find any helm charts files to lint"
-
-            echo ""
-            echo "----"
-
-            echo "changes-detected=false" >> $GITHUB_OUTPUT
-
-          fi
-
-      - name: Add Repositories
-        if: steps.check-dir-changes.outputs.changes-detected == 'true'
-        env:
-          CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }}
-        run: |
-          echo ">> Adding repositories for chart dependencies ..."
-          echo ""
-
-          for DIR in ${CHANGED_CHARTS}; do
-            helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \
-              | tail -n +2 \
-              | awk 'NF > 0 { print $1, $3 }' \
-              | while read -r REPO_NAME REPO_URL; do
-                if [[ "${REPO_URL}" == oci://* ]]; then
-                  echo ">> Ignoring OCI repo: ${REPO_URL}"
-
-                elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
-                  helm repo add "${REPO_NAME}" "${REPO_URL}"
-
-                fi
-
-              done || true
-          done
-
-          if helm repo list > /dev/null 2>&1; then
-            echo ""
-            echo ">> Update repository cache ..."
-            helm repo update
-
-          fi
-
-          echo ""
-          echo "----"
-
-      - name: Lint Helm Chart
-        id: lint
-        if: steps.check-dir-changes.outputs.changes-detected == 'true'
-        env:
-          CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }}
-        run: |
-          EXIT_CODE=0
-          FAILED_CHARTS=""
-
-          echo ">> Running linting on changed charts ..."
-
-          lint_chart() {
-            local DIR="$1"
-            local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
-            local CHART_NAME=$(basename "${CHART_PATH}")
-
-            if [ -f "${CHART_PATH}/Chart.yaml" ]; then
-              echo ""
-              echo ">> Building helm dependency for ${CHART_NAME} ..."
-              helm dependency build "${CHART_PATH}" --skip-refresh
-
-              echo ""
-              echo ">> Linting helm chart ${CHART_NAME} ..."
-
-              if ! helm lint "${CHART_PATH}" --namespace "default"; then
-                echo "${DIR}" > ".failed_chart_${CHART_NAME}"
-                return 1
-              fi
-
-            else
-              echo ""
-              echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
-
-            fi
-          }
-
-          export -f lint_chart
-          export CLUSTER
-
-          for DIR in ${CHANGED_CHARTS}; do
-            echo "${DIR}"
-          done | xargs -P 4 -I {} bash -c 'OUT=$(lint_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
-
-          if ls .failed_chart_* 1> /dev/null 2>&1; then
-            EXIT_CODE=1
-            FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
-            rm -f .failed_chart_*
-          fi
-
-          echo ""
-          echo "----"
-
-          echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
-
-          exit $EXIT_CODE
-
-      - name: ntfy Failed
-        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
-        if: failure()
-        with:
-          url: '${{ secrets.NTFY_URL }}'
-          topic: '${{ secrets.NTFY_TOPIC }}'
-          title: 'Helm Test Failure'
-          priority: 3
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,failed
-          details: "Helm linting for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.lint.outputs.failed-charts }}"
-          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-          actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
-          image: true
-
-  validate-kubeconform:
-    needs: lint-helm
-    runs-on: ubuntu-js
-    if: |
-      needs.lint-helm.result == 'success' &&
-      needs.lint-helm.outputs.changes-detected == 'true' &&
-      github.event_name == 'pull_request'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-
-      - name: Cache Kubeconform
-        id: cache-kubeconform
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: /usr/local/bin/kubeconform
-          key: ${{ runner.os }}-kubeconform-${{ env.KUBECONFORM_VERSION }}
-          restore-keys: |
-            ${{ runner.os }}-kubeconform-
-
-      - name: Install Kubeconform
-        if: steps.cache-kubeconform.outputs.cache-hit != 'true'
-        run: |
-          echo ">> Downloading Kubeconform ${{ env.KUBECONFORM_VERSION }} ..."
-          wget -q https://github.com/yannh/kubeconform/releases/download/${{ env.KUBECONFORM_VERSION }}/kubeconform-linux-amd64.tar.gz
-
-          echo ""
-          echo ">> Extracting Kubeconform ..."
-          tar xf kubeconform-linux-amd64.tar.gz
-
-          echo ""
-          echo ">> Installing Kubeconform ..."
-          sudo mv kubeconform /usr/local/bin/
-
-      - name: Verify installation
-        run: |
-          echo ""
-          echo ">> Verifying installation ..."
-          kubeconform -v
-
-          echo ""
-          echo "----"
-
-      - name: Set Up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
-        with:
-          token: ${{ secrets.GITEA_TOKEN }}
-          # renovate: datasource=github-releases depName=helm/helm
-          version: v4.1.3
-          cache: true
-
-      - name: Cache Helm Dependencies
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            ~/.cache/helm
-            ~/.config/helm
-          key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
-          restore-keys: |
-            helm-cache-${{ runner.os }}-
-
-      - name: Add Repositories
-        env:
-          CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
-        run: |
-          echo ">> Adding repositories for chart dependencies ..."
-          echo ""
-
-          for DIR in ${CHANGED_CHARTS}; do
-            helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \
-              | tail -n +2 \
-              | awk 'NF > 0 { print $1, $3 }' \
-              | while read -r REPO_NAME REPO_URL; do
-                if [[ "${REPO_URL}" == oci://* ]]; then
-                  echo ">> Ignoring OCI repo: ${REPO_URL}"
-
-                elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
-                  helm repo add "${REPO_NAME}" "${REPO_URL}"
-
-                fi
-
-              done || true
-          done
-
-          if helm repo list > /dev/null 2>&1; then
-            echo ""
-            echo ">> Update repository cache ..."
-            helm repo update
-
-          fi
-
-          echo ""
-          echo "----"
-
-      - name: Validate Rendered Templates
-        id: validate
-        env:
-          CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
-        run: |
-          SCHEMA_LOCATIONS="-schema-location default -schema-location https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
-
-          EXIT_CODE=0
-          FAILED_CHARTS=""
-
-          validate_chart() {
-            local DIR="$1"
-            local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
-            echo ""
-            echo ">> Validating: ${DIR}"
-
-            helm dependency build "${CHART_PATH}" --skip-refresh
-
-            if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor" | \
-              kubeconform \
-                ${SCHEMA_LOCATIONS} \
-                -ignore-missing-schemas \
-                -strict \
-                -summary; then
-
-              echo "${DIR}" > ".failed_chart_${DIR}"
-              return 1
-            fi
-          }
-
-          export -f validate_chart
-          export CLUSTER SCHEMA_LOCATIONS
-
-          for DIR in ${CHANGED_CHARTS}; do
-            echo "${DIR}"
-          done | xargs -P 4 -I {} bash -c 'OUT=$(validate_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
-
-          if ls .failed_chart_* 1> /dev/null 2>&1; then
-            EXIT_CODE=1
-            FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
-            rm -f .failed_chart_*
-          fi
-
-          echo ""
-          echo "----"
-
-          echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
-
-          exit $EXIT_CODE
-
-      - name: ntfy Failed
-        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
-        if: failure()
-        with:
-          url: '${{ secrets.NTFY_URL }}'
-          topic: '${{ secrets.NTFY_TOPIC }}'
-          title: 'Kubeconform Test Failure'
-          priority: 3
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,failed
-          details: "Kubeconform for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.validate.outputs.failed-charts }}"
-          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-          actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
-          image: true
-
-  # argo-diff:
-  #   needs: lint-helm
-  #   runs-on: ubuntu-js
-  #   if: |
-  #     needs.lint-helm.result == 'success' &&
-  #     needs.lint-helm.outputs.changes-detected == 'true' &&
-  #     github.event_name == 'pull_request'
-  #   steps:
-  #     - name: Checkout
-  #       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-  #       with:
-  #         fetch-depth: 0
-
-  #     - name: Cache ArgoCD CLI
-  #       id: cache-argocd
-  #       uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-  #       with:
-  #         path: /usr/local/bin/argocd
-  #         key: ${{ runner.os }}-argocd-${{ env.ARGOCD_VERSION }}
-  #         restore-keys: |
-  #           ${{ runner.os }}-argocd-
-
-  #     - name: Install ArgoCD CLI
-  #       if: steps.cache-argocd.outputs.cache-hit != 'true'
-  #       run: |
-  #         echo ">> Downloading ArgoCD CLI, version: ${{ env.ARGOCD_VERSION }} ..."
-  #         curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/download/${{ env.ARGOCD_VERSION }}/argocd-linux-amd64
-
-  #         echo ""
-  #         echo ">> Installing ArgoCD CLI ..."
-  #         sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
-
-  #         echo ""
-  #         echo "----"
-
-  #     - name: Verify installation
-  #       run: |
-  #         echo ""
-  #         echo ">> Verifying installation ..."
-  #         argocd version --client
-
-  #         echo ""
-  #         echo "----"
-
-  #     - name: Set Up Helm
-  #       uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
-  #       with:
-  #         token: ${{ secrets.GITEA_TOKEN }}
-  #         # renovate: datasource=github-releases depName=helm/helm
-  #         version: v4.1.3
-  #         cache: true
-
-  #     - name: Cache Helm Dependencies
-  #       uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-  #       with:
-  #         path: |
-  #           ~/.cache/helm
-  #           ~/.config/helm
-  #         key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
-  #         restore-keys: |
-  #           helm-cache-${{ runner.os }}-
-
-  #     - name: Add Repositories
-  #       env:
-  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
-  #       run: |
-  #         echo ">> Adding repositories for chart dependencies ..."
-  #         echo ""
-
-  #         for DIR in ${CHANGED_CHARTS}; do
-  #           helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \
-  #             | tail -n +2 \
-  #             | awk 'NF > 0 { print $1, $3 }' \
-  #             | while read -r REPO_NAME REPO_URL; do
-  #               if [[ "${REPO_URL}" == oci://* ]]; then
-  #                 echo ">> Ignoring OCI repo: ${REPO_URL}"
-
-  #               elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
-  #                 helm repo add "${REPO_NAME}" "${REPO_URL}"
-
-  #               fi
-
-  #             done || true
-  #         done
-
-  #         if helm repo list > /dev/null 2>&1; then
-  #           echo ""
-  #           echo ">> Update repository cache ..."
-  #           helm repo update
-
-  #         fi
-
-  #         echo ""
-  #         echo "----"
-
-  #     - name: Render Templates
-  #       id: render
-  #       env:
-  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
-  #       run: |
-  #         for APP_NAME in ${CHANGED_CHARTS}; do
-  #           echo ">> Render templates for ${APP_NAME} ..."
-  #           CHART_PATH="clusters/${CLUSTER}/helm/${APP_NAME}"
-  #           OUTPUT_FOLDER="clusters/${CLUSTER}/manifests/${APP_NAME}/"
-  #           mkdir -p "${OUTPUT_FOLDER}"
-
-  #           helm dependency build "${CHART_PATH}" --skip-refresh
-
-  #           NAMESPACE="${APP_NAME}"
-  #           case "${APP_NAME}" in
-  #             "stack")
-  #               NAMESPACE="argocd"
-  #               echo ">> Special Rendering into 'argocd' namespace ..."
-  #               ;;
-  #             "cilium" | "coredns" | "metrics-server")
-  #               NAMESPACE="kube-system"
-  #               echo ">> Special Rendering for ${APP_NAME} into 'kube-system' namespace ..."
-  #               ;;
-  #             *)
-  #               echo ">> Standard Rendering ..."
-  #           esac
-
-  #           TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
-
-  #           # Format and split rendered template
-  #           echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
-
-  #           # Strip comments again to ensure formatting correctness
-  #           for file in "$OUTPUT_FOLDER"/*; do
-  #             yq -i '... comments=""' $file
-
-  #           done
-
-  #           echo ""
-  #           echo ">> Templates in output folder: ${OUTPUT_FOLDER}"
-  #           ls ${OUTPUT_FOLDER}
-  #         done
-
-  #         echo "----"
-
-  #     - name: Run App Diff
-  #       id: diff
-  #       env:
-  #         ARGOCD_SERVER: ${{ secrets.ARGOCD_SERVER }}
-  #         ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}
-  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
-  #       run: |
-  #         FAILED_CHARTS=""
-  #         DIFF_FOUND="false"
-  #         EXIT_CODE=0
-
-  #         for APP_NAME in ${CHANGED_CHARTS}; do
-  #           echo ">> Running argocd app diff for ${APP_NAME} ..."
-  #           if ! argocd app diff "${APP_NAME}" \
-  #             --server "${ARGOCD_SERVER}" \
-  #             --auth-token "${ARGOCD_AUTH_TOKEN}" \
-  #             --revision ${{ github.sha }} \
-  #             --local "clusters/${CLUSTER}/manifests/${APP_NAME}" \
-  #             --local-repo-root "." \
-  #             --grpc-web > "diff_output_${APP_NAME}.txt" 2>&1; then
-
-  #             # ArgoCD diff returns non-zero on diff or error.
-  #             # Let's capture if it actually generated a diff output to post.
-  #             DIFF_FOUND="true"
-
-  #             # Check if the output contains validation/connection errors
-  #             if grep -iE 'error|failed|connection refused|timeout' "diff_output_${APP_NAME}.txt"; then
-  #                echo ">> ArgoCD encountered an error validating ${APP_NAME}!"
-  #                EXIT_CODE=1
-  #                FAILED_CHARTS="${FAILED_CHARTS} ${APP_NAME}"
-  #             fi
-  #           fi
-
-  #           if [ -s "diff_output_${APP_NAME}.txt" ]; then
-  #             echo ">> Argo diff or errors:"
-  #             echo ""
-  #             cat diff_output_${APP_NAME}.txt
-  #             echo ""
-  #           else
-  #             echo ">> No Argo diff found for ${APP_NAME}"
-  #             rm "diff_output_${APP_NAME}.txt"
-  #           fi
-  #         done
-
-  #         echo "----"
-  #         echo "diff-detected=${DIFF_FOUND}" >> "$GITHUB_OUTPUT"
-  #         echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
-
-  #         exit $EXIT_CODE
-
-  #     - name: Post Diff
-  #       if: |
-  #         always() &&
-  #         steps.diff.outputs.diff-detected == 'true' &&
-  #         github.event.pull_request.number != null
-  #       env:
-  #         GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
-  #       run: |
-  #         COMMENT_BODY="### ArgoCD Diff Results
-  #         "
-
-  #         for f in diff_output_*.txt; do
-  #           APP_NAME=$(echo $f | sed 's/diff_output_//;s/.txt//')
-  #           DIFF_CONTENT=$(cat "$f")
-
-  #           COMMENT_BODY="${COMMENT_BODY}
-  #         #### App: ${APP_NAME}
-  #         "
-
-  #           if [ -z "$DIFF_CONTENT" ]; then
-  #             COMMENT_BODY="${COMMENT_BODY} No changes detected."
-  #           else
-  #             COMMENT_BODY="${COMMENT_BODY}
-  #         \`\`\`diff
-  #         ${DIFF_CONTENT}
-  #         \`\`\`"
-  #           fi
-  #         done
-
-  #         curl -X 'POST' \
-  #           "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
-  #           -H "Authorization: token ${GITEA_TOKEN}" \
-  #           -H "Content-Type: application/json" \
-  #           -d "$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')"
-
-  #     - name: ntfy Failed
-  #       uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
-  #       if: failure()
-  #       with:
-  #         url: '${{ secrets.NTFY_URL }}'
-  #         topic: '${{ secrets.NTFY_TOPIC }}'
-  #         title: 'ArgoCD Diff Failure'
-  #         priority: 3
-  #         headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-  #         tags: action,failed
-  #         details: "ArgoCD diff for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.diff.outputs.failed-charts }}"
-  #         icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-  #         actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
-  #         image: true
--- a/.gitea/workflows/render-manifests.yaml
+++ b/.gitea/workflows/render-manifests.yaml
@@ -1,624 +0,0 @@
-name: render-manifests
-
-on:
-  schedule:
-    - cron: '0 15 * * *'
-
-  workflow_dispatch:
-
-  pull_request:
-    branches:
-      - main
-    paths:
-      - 'clusters/cl01tl/helm/**'
-    types:
-      - closed
-
-env:
-  CLUSTER: cl01tl
-  BASE_BRANCH: manifests
-  BRANCH_NAME_BASE: auto/update-manifests
-  ASSIGNEE: alexlebens
-  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
-  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
-
-jobs:
-  render-manifests:
-    runs-on: ubuntu-js
-    if: >-
-      github.event_name == 'schedule' ||
-      github.event_name == 'workflow_dispatch' ||
-      (github.event_name == 'pull_request' && github.event.pull_request.merged == true)
-    steps:
-      - name: Checkout Main
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          path: infrastructure
-          fetch-depth: 0
-
-      - name: Checkout Manifests
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          ref: manifests
-          path: infrastructure-manifests
-
-      - name: Set Up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
-        with:
-          token: ${{ secrets.GITEA_TOKEN }}
-          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
-          cache: true
-
-      - name: Configure Kubeconfig
-        uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5
-        with:
-          method: kubeconfig
-          kubeconfig: ${{ secrets.KUBECONFIG }}
-
-      - name: Cache Helm Dependencies
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: |
-            ~/.cache/helm
-            ~/.config/helm
-          key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
-          restore-keys: |
-            helm-cache-${{ runner.os }}-
-
-      - name: Determine Workflow Mode
-        id: mode
-        run: |
-          IS_AUTOMERGE="false"
-          RENDER_ALL="false"
-          DIFF_TARGET=""
-
-          if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            echo ">> Mode: Dispatch/Schedule (Render All)"
-            RENDER_ALL="true"
-
-          elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            if [[ "${{ contains(github.event.pull_request.labels.*.name, 'automerge') }}" == "true" ]]; then
-              echo ">> Mode: PR Merged (Automerge)"
-              IS_AUTOMERGE="true"
-
-            else
-              echo ">> Mode: PR Merged (Standard)"
-
-            fi
-
-            DIFF_TARGET="HEAD^..HEAD"
-
-          fi
-
-          echo ""
-          echo "----"
-
-          echo "is-automerge=${IS_AUTOMERGE}" >> "$GITHUB_OUTPUT"
-          echo "render-all=${RENDER_ALL}" >> "$GITHUB_OUTPUT"
-          echo "diff-target=${DIFF_TARGET}" >> "$GITHUB_OUTPUT"
-
-      - name: Prepare Manifest Branch
-        id: prepare-manifest-branch
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }}
-        run: |
-          cd "${MANIFEST_DIR}"
-
-          echo ">> Configure git to use gitea-bot as user ..."
-          git config user.name "gitea-bot"
-          git config user.email "gitea-bot@alexlebens.net"
-
-          if [[ "$IS_AUTOMERGE" == "true" ]]; then
-            BRANCH_NAME="${BRANCH_NAME_BASE}-automerge-${PR_NUMBER}"
-            echo ""
-            echo ">> Creating branch ${BRANCH_NAME} ..."
-            git checkout -B "$BRANCH_NAME"
-
-          else
-            echo ""
-            echo ">> Checking if PR branch exists ..."
-            BRANCH_NAME="${BRANCH_NAME_BASE}"
-
-            if git ls-remote --exit-code --heads origin "${BRANCH_NAME}" > /dev/null 2>&1; then
-              echo ""
-              echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
-              git fetch origin "${BRANCH_NAME}"
-              git checkout "${BRANCH_NAME}"
-              git pull --rebase
-
-            else
-              echo ""
-              echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
-              git checkout -b "${BRANCH_NAME}"
-
-            fi
-          fi
-
-          echo ""
-          echo "----"
-
-          echo "branch-name=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
-
-      - name: Check Which Directories Have Changes
-        id: check-dir-changes
-        env:
-          RENDER_ALL: ${{ steps.mode.outputs.render-all }}
-          DIFF_TARGET: ${{ steps.mode.outputs.diff-target }}
-        run: |
-          cd "${MAIN_DIR}"
-
-          if [[ "$RENDER_ALL" == "true" ]]; then
-            echo ">> Triggered on dispatch, will check all paths ..."
-            RENDER_DIR=$(find "clusters/${CLUSTER}/helm" -mindepth 1 -maxdepth 1 -type d -exec basename {} \; | sort -u)
-
-          else
-            echo ">> Checking for changes from ${DIFF_TARGET} ..."
-            RENDER_DIR=$(git diff --name-only "${DIFF_TARGET}" | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true)
-
-          fi
-
-          if [ -n "${RENDER_DIR}" ]; then
-            echo ""
-            echo ">> Directories to Render:"
-            echo ""
-            echo "${RENDER_DIR}"
-
-            echo ""
-            echo "----"
-
-            echo "changes-detected=true" >> "$GITHUB_OUTPUT"
-            echo "render-dir<<EOF" >> "$GITHUB_OUTPUT"
-            echo "${RENDER_DIR}" >> "$GITHUB_OUTPUT"
-            echo "EOF" >> "$GITHUB_OUTPUT"
-
-          else
-            echo ""
-            echo ">> No chart changes detected"
-
-            echo ""
-            echo "----"
-
-            echo "changes-detected=false" >> "$GITHUB_OUTPUT"
-
-          fi
-
-      - name: Add Repositories
-        if: steps.check-dir-changes.outputs.changes-detected == 'true'
-        env:
-          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
-        run: |
-          cd "${MAIN_DIR}"
-
-          echo ">> Adding repositories for chart dependencies ..."
-          echo ""
-
-          for DIR in ${RENDER_DIR}; do
-            helm dependency list --max-col-width 120 "${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}" 2> /dev/null \
-              | tail -n +2 \
-              | awk 'NF > 0 { print $1, $3 }' \
-              | while read -r REPO_NAME REPO_URL; do
-                if [[ "${REPO_URL}" == oci://* ]]; then
-                  echo ">> Ignoring OCI repo: ${REPO_URL}"
-
-                elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
-                  helm repo add "${REPO_NAME}" "${REPO_URL}"
-
-                fi
-
-              done || true
-          done
-
-          if helm repo list > /dev/null 2>&1; then
-            echo ""
-            echo ">> Update repository cache ..."
-            helm repo update
-
-          fi
-
-          echo ""
-          echo "----"
-
-      - name: Remove Changed Manifest Files
-        if: steps.check-dir-changes.outputs.changes-detected == 'true'
-        env:
-          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
-        run: |
-          cd "${MANIFEST_DIR}"
-
-          echo ">> Remove manifest files and rebuild from source ..."
-          echo ""
-
-          for DIR in ${RENDER_DIR}; do
-            CHART_PATH="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${DIR}"
-
-            echo "${CHART_PATH}"
-            rm -rf "${CHART_PATH}"/*
-
-          done
-
-          echo ""
-          echo "----"
-
-      - name: Render Helm Manifests
-        id: render-manifests
-        if: steps.check-dir-changes.outputs.changes-detected == 'true'
-        env:
-          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
-        run: |
-          cd "${MAIN_DIR}"
-
-          echo ">> Rendering Manifests ..."
-
-          render_chart() {
-            local DIR="$1"
-            local CHART_PATH="${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}"
-            local CHART_NAME=$(basename "${CHART_PATH}")
-
-            echo ""
-            echo ">> Rendering chart: ${CHART_NAME}"
-
-            if [ -f "${CHART_PATH}/Chart.yaml" ]; then
-              local OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${CHART_NAME}/"
-
-              mkdir -p "${OUTPUT_FOLDER}"
-              cd "${CHART_PATH}"
-
-              helm dependency update --skip-refresh > /dev/null
-              helm lint --namespace "${CHART_NAME}" --quiet
-
-              local NAMESPACE="${CHART_NAME}"
-              case "${CHART_NAME}" in
-                "stack")
-                  NAMESPACE="argocd"
-                  echo ">> Special Rendering into 'argocd' namespace ..."
-                  ;;
-                "cilium" | "coredns" | "metrics-server")
-                  NAMESPACE="kube-system"
-                  echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
-                  ;;
-                *)
-                  echo ">> Standard Rendering ..."
-              esac
-
-              echo ">> Formating rendered template ..."
-              local TEMPLATE
-              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
-
-              # Format and split rendered template
-              echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
-
-              # Strip comments again to ensure formatting correctness
-              for file in "$OUTPUT_FOLDER"/*; do
-                yq -i '... comments=""' $file
-
-              done
-
-              echo ">> Manifests for ${CHART_NAME} rendered successfully to $OUTPUT_FOLDER:"
-              echo ""
-              ls $OUTPUT_FOLDER
-              echo ""
-
-            else
-              echo ""
-              echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
-
-            fi
-
-          }
-
-          export -f render_chart
-          export MAIN_DIR CLUSTER MANIFEST_DIR
-
-          # Run rendering in parallel
-          for DIR in ${RENDER_DIR}; do
-            echo "${DIR}"
-
-          done | xargs -P 5 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
-
-          echo ""
-          echo "----"
-
-      - name: Check for Changes
-        id: check-changes
-        if: steps.check-dir-changes.outputs.changes-detected == 'true'
-        run: |
-          cd "${MANIFEST_DIR}"
-
-          GIT_CHANGES=$(git status --porcelain)
-
-          if [ -n "${GIT_CHANGES}" ]; then
-            echo ">> Changes detected"
-            git status --porcelain
-
-            CHANGED_CHARTS=$(echo "$GIT_CHANGES" | grep -oE "clusters/${CLUSTER}/manifests/[^/]+" | awk -F '/' '{print $4}' | sort -u | paste -sd ',' -)
-
-            echo ""
-            echo "----"
-
-            echo "changes-detected=true" >> "$GITHUB_OUTPUT"
-            echo "changed-charts-csv=${CHANGED_CHARTS}" >> "$GITHUB_OUTPUT"
-
-          else
-            echo ">> No changes detected, skipping PR creation"
-
-            echo ""
-            echo "----"
-
-          fi
-
-      - name: Commit and Push Changes
-        id: commit-push
-        if: steps.check-changes.outputs.changes-detected == 'true'
-        env:
-          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.branch-name }}
-          IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }}
-        run: |
-          cd "${MANIFEST_DIR}"
-
-          MSG="chore: Update manifests after change"
-
-          if [[ "$IS_AUTOMERGE" == "true" ]]; then
-            MSG="chore: Update manifests after automerge"
-
-          fi
-
-          echo ">> Commiting changes to ${BRANCH_NAME} ..."
-          git add .
-          git commit -m "${MSG}"
-
-          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
-
-          echo ""
-          echo ">> Pushing changes to ${REPO_URL} ..."
-
-          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@${REPO_URL#*://}" "${BRANCH_NAME}"
-
-          echo ""
-          echo "----"
-
-          echo "push=true" >> "$GITHUB_OUTPUT"
-          echo "head-branch=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
-
-      - name: Check for Pull Request
-        id: check-for-pull-request
-        if: steps.commit-push.outputs.push == 'true' && steps.mode.outputs.is-automerge == 'false'
-        env:
-          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
-          GITEA_URL: ${{ secrets.REPO_URL }}
-          HEAD_BRANCH: ${{ steps.commit-push.outputs.head-branch }}
-        run: |
-          cd "${MANIFEST_DIR}"
-
-          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
-
-          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
-          echo ">> With Endpoint of:"
-          echo "$API_ENDPOINT"
-
-          HTTP_STATUS=$(curl -X GET -s -w '%{http_code}' -o response_body.json -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
-
-          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
-            echo ""
-            echo ">> Pull Request has been found open, will update"
-
-            echo ""
-            echo "----"
-
-            echo "pull-request-exists=$(cat response_body.json | jq -r .[0].number)" >> "$GITHUB_OUTPUT"
-
-          else
-            echo ""
-            echo ">> Pull Request not found"
-
-            echo ""
-            echo "----"
-
-            echo "pull-request-exists=false" >> "$GITHUB_OUTPUT"
-
-          fi
-
-      - name: Create Pull Request
-        id: create-pull-request
-        if: steps.commit-push.outputs.push == 'true' && (steps.mode.outputs.is-automerge == 'true' || steps.check-for-pull-request.outputs.pull-request-exists == 'false')
-        env:
-          IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }}
-          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
-          GITEA_URL: ${{ secrets.REPO_URL }}
-          HEAD_BRANCH: ${{ steps.commit-push.outputs.head-branch }}
-          CHARTS: ${{ steps.check-changes.outputs.changed-charts-csv }}
-          EVENT_NAME: ${{ github.event_name }}
-          ACTOR: ${{ github.actor }}
-          SHA: ${{ github.sha }}
-          REF: ${{ github.ref_name }}
-        run: |
-          cd "${MANIFEST_DIR}"
-
-          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
-
-          BODY=$(printf "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.\n\n### Details\n- **Trigger**: \`%s\` by \`@%s\`\n- **Commit**: \`%s\` (on \`%s\`)\n- **Charts Updated**: \`%s\`" "${EVENT_NAME}" "${ACTOR}" "${SHA:0:7}" "${REF}" "${CHARTS}")
-
-          if [[ "$IS_AUTOMERGE" == "true" ]]; then
-            TITLE="Automated Manifest Update - Automerge"
-            BODY=$(printf "%s\n\n_This PR is expected to be automerged._" "${BODY}")
-
-          else
-            TITLE="Automated Manifest Update"
-
-          fi
-
-          PAYLOAD=$(jq -n --arg head "${HEAD_BRANCH}" --arg base "${BASE_BRANCH}" --arg assignee "${ASSIGNEE}" --arg title "${TITLE}" --arg body "${BODY}" '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}')
-
-          HTTP_STATUS=$(curl -X POST -s -w '%{http_code}' -o response_body.json --data "$PAYLOAD" -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
-
-          if [ "$HTTP_STATUS" == "201" ]; then
-            echo ">> Pull Request created successfully!"
-
-            echo ""
-            echo "----"
-
-            echo "pull-request-id=$(jq -r .id response_body.json)" >> "$GITHUB_OUTPUT"
-            echo "pull-request-number=$(jq -r .number response_body.json)" >> "$GITHUB_OUTPUT"
-            echo "pull-request-operation=created" >> "$GITHUB_OUTPUT"
-
-          elif [[ "$HTTP_STATUS" == "422" || "$HTTP_STATUS" == "409" ]]; then
-            echo ""
-            echo ">> Failed to create PR (Already exists)"
-
-            echo ""
-            echo "----"
-
-          else
-            echo ""
-            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
-
-            echo ""
-            echo "----"
-
-            exit 1
-
-          fi
-
-      - name: Update Pull Request
-        id: update-pull-request
-        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-request.outputs.pull-request-exists != 'false' && steps.mode.outputs.is-automerge == 'false'
-        env:
-          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
-          GITEA_URL: ${{ secrets.REPO_URL }}
-          PR_NUMBER: ${{ steps.check-for-pull-request.outputs.pull-request-exists }}
-          CHARTS: ${{ steps.check-changes.outputs.changed-charts-csv }}
-          EVENT_NAME: ${{ github.event_name }}
-          ACTOR: ${{ github.actor }}
-          SHA: ${{ github.sha }}
-          REF: ${{ github.ref_name }}
-        run: |
-          cd "${MANIFEST_DIR}"
-
-          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_NUMBER}"
-
-          EXISTING_BODY=$(jq -r '.[0].body' response_body.json)
-
-          NEW_DETAILS=$(printf "### Update Details (%s)\n- **Trigger**: \`%s\` by \`@%s\`\n- **Commit**: \`%s\` (on \`%s\`)\n- **Charts Updated**: \`%s\`" "$(date -u +'%Y-%m-%d %H:%M UTC')" "${EVENT_NAME}" "${ACTOR}" "${SHA:0:7}" "${REF}" "${CHARTS}")
-
-          UPDATED_BODY=$(printf "%s\n\n%s" "${EXISTING_BODY}" "${NEW_DETAILS}")
-
-          PAYLOAD=$(jq -n --arg body "${UPDATED_BODY}" '{body: $body}')
-
-          HTTP_STATUS=$(curl -X PATCH -s -w '%{http_code}' -o update_response.json --data "$PAYLOAD" -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
-
-          if [ "$HTTP_STATUS" == "201" ] || [ "$HTTP_STATUS" == "200" ]; then
-            echo ">> Pull Request updated successfully!"
-
-            echo ""
-            echo "----"
-
-            echo "pull-request-operation=updated" >> "$GITHUB_OUTPUT"
-
-          else
-            echo ">> Failed to update PR, HTTP status code: $HTTP_STATUS"; exit 1
-
-            echo ""
-            echo "----"
-
-          fi
-
-      - name: Merge Changes
-        id: merge-changes
-        if: steps.commit-push.outputs.push == 'true' && steps.mode.outputs.is-automerge == 'true'
-        env:
-          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
-          GITEA_URL: ${{ secrets.REPO_URL }}
-          PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
-        run: |
-          cd "${MANIFEST_DIR}"
-
-          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_NUMBER}/merge"
-
-          PAYLOAD=$(jq -n --arg Do "merge" '{Do: $Do}')
-
-          HTTP_STATUS=$(curl -X POST -s -w '%{http_code}' -o response_body.json --data "$PAYLOAD" -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
-
-          if [ "$HTTP_STATUS" == "200" ]; then
-            echo ">> Pull Request merged successfully!"
-
-            echo ""
-            echo "----"
-
-            echo "pull-request-operation=merged" >> "$GITHUB_OUTPUT"
-
-          else
-            echo ">> Failed to merge PR, HTTP status code: $HTTP_STATUS"; exit 1
-
-            echo ""
-            echo "----"
-
-          fi
-
-      - name: Cleanup Branch
-        if: failure() && steps.mode.outputs.is-automerge == 'true'
-        env:
-          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.branch-name }}
-        run: |
-          cd "${MANIFEST_DIR}"
-
-          echo ">> Removing branch: ${BRANCH_NAME}"
-          git push origin --delete "${BRANCH_NAME}" || true
-
-          echo ""
-          echo "----"
-
-      - name: ntfy Created
-        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
-        if: steps.create-pull-request.outputs.pull-request-operation == 'created' && steps.mode.outputs.is-automerge == 'false'
-        with:
-          url: "${{ secrets.NTFY_URL }}"
-          topic: "${{ secrets.NTFY_TOPIC }}"
-          title: "Manifest Render - Open PR"
-          priority: 3
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,successfully,completed
-          details: "Created renderd manifests for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
-          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
-          actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
-
-      - name: ntfy Updated
-        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
-        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-request.outputs.pull-request-exists != 'false' && steps.mode.outputs.is-automerge == 'false'
-        with:
-          url: "${{ secrets.NTFY_URL }}"
-          topic: "${{ secrets.NTFY_TOPIC }}"
-          title: "Manifest Render - PR Updated"
-          priority: 3
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,successfully,completed
-          details: "Updated rendered manifests PR for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
-          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
-          actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
-
-      - name: ntfy Merged
-        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
-        if: steps.merge-changes.outputs.pull-request-operation == 'merged'
-        with:
-          url: "${{ secrets.NTFY_URL }}"
-          topic: "${{ secrets.NTFY_TOPIC }}"
-          title: "Manifest Render - Automerged"
-          priority: 3
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,successfully,completed
-          details: "Automerged manifest rendering for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
-          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
-          actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
-
-      - name: ntfy Failed
-        uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
-        if: failure()
-        with:
-          url: "${{ secrets.NTFY_URL }}"
-          topic: "${{ secrets.NTFY_TOPIC }}"
-          title: "Manifest Render Failure"
-          priority: 4
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,failed
-          details: "Manifest rendering for Infrastructure has failed!"
-          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
-          actions: '[{"action": "view", "label": "View Logs", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
--- a/.gitea/workflows/renovate.yaml
+++ b/.gitea/workflows/renovate.yaml
@@ -1,32 +0,0 @@
-name: renovate
-
-on:
-  schedule:
-    - cron: "@hourly"
-
-  push:
-    branches:
-      - main
-
-  workflow_dispatch:
-
-jobs:
-  renovate:
-    runs-on: ubuntu-js
-    container: ghcr.io/renovatebot/renovate:43.160.0@sha256:28d6d66ffe2f4fd86bb29c9e9b5cae7215ada90b17605a45e35fa8d4a73159ac
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Renovate
-        run: renovate
-        env:
-          RENOVATE_PLATFORM: gitea
-          RENOVATE_ENDPOINT: ${{ vars.INSTANCE_URL }}
-          RENOVATE_REPOSITORIES: alexlebens/infrastructure
-          RENOVATE_GIT_AUTHOR: Renovate Bot <renovate-bot@alexlebens.net>
-          LOG_LEVEL: debug
-          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
-          RENOVATE_GIT_PRIVATE_KEY: ${{ secrets.RENOVATE_GIT_PRIVATE_KEY }}
-          RENOVATE_GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}
-          RENOVATE_REDIS_URL: ${{ vars.RENOVATE_REDIS_URL }}
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
+.gitignore
 /**/archive/
 /**/charts/
-/**/manifests/
-/**/tmpcharts*/
+/**/helm/
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,17 +0,0 @@
-repos:
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v6.0.0
-    hooks:
-      - id: end-of-file-fixer
-      - id: trailing-whitespace
-      - id: check-added-large-files
-      - id: check-yaml
-        exclude: '^.*\/templates\/.*$'
-        args:
-          - --multi
-      - id: check-merge-conflict
-      - id: check-json
-  - repo: https://github.com/IamTheFij/docker-pre-commit
-    rev: v3.0.1
-    hooks:
-      - id: docker-compose-check
--- a/201
+++ b/201
@@ -1,201 +0,0 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
--- a/README.md
+++ b/README.md
@@ -1,13 +0,0 @@
-# alexlebens.net
-
-GitOps definied infrastrucutre for the alexlebens.net domain.
-
-## Stack-cl01tl
-
-https://argocd.alexlebens.net/api/badge?name=stack-cl01tl&revision=true&showAppName=true
-
-App-of-Apps Application for cl01tl
-
-## License
-
-This project is licensed under the terms of the Apache 2.0 License license.
--- a/clusters/cl01tl/helm/actual/Chart.lock
+++ b/clusters/cl01tl/helm/actual/Chart.lock
@@ -1,9 +0,0 @@
-dependencies:
- name: app-template
-  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.6.2
- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.1.1
-digest: sha256:e472c85ad45c6071ccc3a23047927aba42814a931865736e40ad5c16d597ea53
-generated: "2026-04-28T23:30:55.463292642Z"
--- a/clusters/cl01tl/helm/actual/Chart.yaml
+++ b/clusters/cl01tl/helm/actual/Chart.yaml
@@ -1,27 +0,0 @@
-apiVersion: v2
-name: actual
-version: 1.0.0
-description: Actual
-keywords:
-  - actual
-  - budget
-home: https://docs.alexlebens.dev/applications/actual/
-sources:
-  - https://github.com/actualbudget/actual
-  - https://github.com/actualbudget/actual/pkgs/container/actual
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: actual
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.6.2
-  - name: volsync-target
-    alias: volsync-target-data
-    version: 1.1.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
-# renovate: datasource=github-releases depName=actualbudget/actual
-appVersion: 26.4.0
--- a/clusters/cl01tl/helm/actual/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/actual/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/actual/values.yaml
+++ b/clusters/cl01tl/helm/actual/values.yaml
@@ -1,81 +0,0 @@
-actual:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      containers:
-        main:
-          image:
-            repository: ghcr.io/actualbudget/actual
-            tag: 26.4.0@sha256:b0e732e2c41b3dc468a71548e88ef76d3f0c157fc43d15fa05d14ec1c5747e1e
-          env:
-            - name: ACTUAL_PORT
-              value: 5006
-          resources:
-            requests:
-              cpu: 10m
-              memory: 50Mi
-          probes:
-            liveness:
-              enabled: true
-              custom: true
-              spec:
-                exec:
-                  command:
-                  - /usr/bin/env
-                  - bash
-                  - -c
-                  - node src/scripts/health-check.js
-                failureThreshold: 5
-                initialDelaySeconds: 60
-                periodSeconds: 10
-                successThreshold: 1
-                timeoutSeconds: 10
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 5006
-  route:
-    main:
-      kind: HTTPRoute
-      parentRefs:
-        - group: gateway.networking.k8s.io
-          kind: Gateway
-          name: traefik-gateway
-          namespace: traefik
-      hostnames:
-        - actual.alexlebens.net
-      rules:
-        - backendRefs:
-            - name: actual
-              port: 80
-          matches:
-            - path:
-                type: PathPrefix
-                value: /
-  persistence:
-    data:
-      forceRename: actual-data
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 2Gi
-      advancedMounts:
-        main:
-          main:
-            - path: /data
-              readOnly: false
-volsync-target-data:
-  pvcTarget: actual-data
-  local:
-    enabled: true
-    schedule: 0 8 * * *
-  remote:
-    enabled: true
-    schedule: 0 9 * * *
-  external:
-    enabled: true
-    schedule: 0 10 * * *
--- a/clusters/cl01tl/helm/argocd/Chart.lock
+++ b/clusters/cl01tl/helm/argocd/Chart.lock
@@ -1,6 +0,0 @@
-dependencies:
- name: argo-cd
-  repository: https://argoproj.github.io/argo-helm
-  version: 9.5.6
-digest: sha256:81edcf69a6e3d7c8a567984024ed0c3a1ccf7db284f547492dcce9af1b4ecbfa
-generated: "2026-04-28T18:24:45.609699191Z"
--- a/clusters/cl01tl/helm/argocd/Chart.yaml
+++ b/clusters/cl01tl/helm/argocd/Chart.yaml
@@ -1,20 +0,0 @@
-apiVersion: v2
-name: argocd
-version: 1.0.0
-description: Argo CD
-keywords:
-  - argo-cd
-  - deployment
-home: https://docs.alexlebens.dev/applications/argo-cd/
-sources:
-  - https://github.com/argoproj/argo-cd
-  - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: argo-cd
-    version: 9.5.6
-    repository: https://argoproj.github.io/argo-helm
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
-# renovate: datasource=github-releases depName=argoproj/argo-cd
-appVersion: v3.3.8
--- a/clusters/cl01tl/helm/argocd/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/argocd/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/argocd/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/argocd/templates/external-secret.yaml
@@ -1,40 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: argocd-oidc-authentik
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: argocd-oidc-authentik
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: secret
-      remoteRef:
-        key: /cl01tl/authentik/oidc/argocd
-        property: secret
-    - secretKey: client
-      remoteRef:
-        key: /cl01tl/authentik/oidc/argocd
-        property: client
-
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: argocd-notifications-ntfy
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: argocd-notifications-ntfy
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: ntfy-token
-      remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
-        property: token
--- a/clusters/cl01tl/helm/argocd/templates/prometheus-rule.yaml
+++ b/clusters/cl01tl/helm/argocd/templates/prometheus-rule.yaml
@@ -1,108 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
-  name: haproxy
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: haproxy
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  groups:
-    - name: EmbeddedExporter
-      rules:
-        - alert: HAProxyHighHTTP4xxErrorRateBackend
-          expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy high HTTP 4xx error rate backend (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many HTTP requests with status 4xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyHighHTTP5xxErrorRateBackend
-          expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy high HTTP 5xx error rate backend (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many HTTP requests with status 5xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyHighHTTP4xxErrorRateServer
-          expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy high HTTP 4xx error rate server (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many HTTP requests with status 4xx (> 5%) on server {{ `{{ $labels.server }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyHighHTTP5xxErrorRateServer
-          expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy high HTTP 5xx error rate server (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many HTTP requests with status 5xx (> 5%) on server {{ `{{ $labels.server }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyServerResponseErrors
-          expr: (sum by (server) (rate(haproxy_server_response_errors_total[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100 > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy server response errors (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many response errors to {{ `{{ $labels.server }}` }} server (> 5%).\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyBackendConnectionErrors
-          expr: (sum by (proxy) (rate(haproxy_backend_connection_errors_total[1m]))) > 100
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy backend connection errors (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} backend (> 100 req/s). Request throughput may be too high.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyServerConnectionErrors
-          expr: (sum by (proxy) (rate(haproxy_server_connection_errors_total[1m]))) > 100
-          for: 0m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy server connection errors (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} (> 100 req/s). Request throughput may be too high.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyBackendMaxActiveSession>80%
-          expr: (haproxy_backend_current_sessions / haproxy_backend_limit_sessions * 100) > 80 and haproxy_backend_limit_sessions > 0
-          for: 2m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy backend max active session > 80% (instance {{ `{{ $labels.instance }}` }})
-            description: "Session limit from backend {{ `{{ $labels.proxy }}` }} reached 80% of limit - {{ `{{ $value | printf \"%.2f\"}}` }}%\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyPendingRequests
-          expr: sum by (proxy) (haproxy_backend_current_queue) > 0
-          for: 2m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy pending requests (instance {{ `{{ $labels.instance }}` }})
-            description: "Some HAProxy requests are pending on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyRetryHigh
-          expr: sum by (proxy) (rate(haproxy_backend_retry_warnings_total[1m])) > 10
-          for: 2m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy retry high (instance {{ `{{ $labels.instance }}` }})
-            description: "High rate of retry on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyFrontendSecurityBlockedRequests
-          expr: sum by (proxy) (rate(haproxy_frontend_denied_connections_total[2m])) > 10
-          for: 2m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy frontend security blocked requests (instance {{ `{{ $labels.instance }}` }})
-            description: "HAProxy is blocking requests for security reason\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyServerHealthcheckFailure
-          expr: increase(haproxy_server_check_failures_total[1m]) > 2
-          for: 0m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy server healthcheck failure (instance {{ `{{ $labels.instance }}` }})
-            description: "Some server healthcheck are failing on {{ `{{ $labels.server }}` }} ({{ `{{ $value }}` }} in the last 1m)\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
--- a/clusters/cl01tl/helm/argocd/values.yaml
+++ b/clusters/cl01tl/helm/argocd/values.yaml
@@ -1,387 +0,0 @@
-argo-cd:
-  crds:
-    install: true
-    keep: true
-  configs:
-    cm:
-      admin.enabled: true
-      accounts.homepage: apiKey
-      url: https://argocd.alexlebens.net
-      statusbadge.url: https://argocd.alexlebens.net/
-      statusbadge.enabled: true
-      dex.config: |
-        connectors:
-        - config:
-            issuer: https://authentik.alexlebens.net/application/o/argocd/
-            clientID: $argocd-oidc-authentik:client
-            clientSecret: $argocd-oidc-authentik:secret
-            insecureEnableGroups: true
-            scopes:
-              - openid
-              - profile
-              - email
-          name: authentik
-          type: oidc
-          id: authentik
-    params:
-      server.insecure: true
-      controller.diff.server.side: true
-    rbac:
-      policy.csv: |
-        g, ArgoCD Admins, role:admin
-        g, homepage, role:readonly
-  controller:
-    replicas: 1
-    resources:
-      requests:
-        cpu: 100m
-        memory: 1Gi
-    readinessProbe:
-      failureThreshold: 3
-      initialDelaySeconds: 60
-      periodSeconds: 30
-      successThreshold: 1
-      timeoutSeconds: 5
-    metrics:
-      enabled: true
-      serviceMonitor:
-        enabled: true
-      rules:
-        enabled: true
-        spec:
-          - alert: ArgoAppMissing
-            expr: |
-              absent(argocd_app_info) == 1
-            for: 15m
-            labels:
-              severity: critical
-            annotations:
-              summary: "[Argo CD] No reported applications"
-              description: >
-                Argo CD has not reported any applications data for the past 15 minutes which
-                means that it must be down or not functioning properly.  This needs to be
-                resolved for this cloud to continue to maintain state.
-          - alert: ArgoAppNotSynced
-            expr: |
-              argocd_app_info{sync_status!="Synced"} == 1
-            for: 12h
-            labels:
-              severity: warning
-            annotations:
-              summary: "[{{`{{$labels.name}}`}}] Application not synchronized"
-              description: >
-                The application [{{`{{$labels.name}}`}} has not been synchronized for over
-                12 hours which means that the state of this cloud has drifted away from the
-                state inside Git.
-  dex:
-    enabled: true
-    resources:
-      requests:
-        cpu: 1m
-        memory: 64Mi
-    metrics:
-      enabled: true
-      serviceMonitor:
-        enabled: true
-    livenessProbe:
-      enabled: true
-    readinessProbe:
-      enabled: true
-  redis-ha:
-    enabled: true
-    image:
-      repository: redis
-      tag: 8.6.2-alpine@sha256:81b6f81d6a6c5b9019231a2e8eb10085e3a139a34f833dcc965a8a959b040b72
-    persistentVolume:
-      enabled: true
-    redis:
-      resources:
-        requests:
-          cpu: 1000m
-          memory: 50Mi
-    haproxy:
-      enabled: true
-      image:
-        repository: haproxy
-        tag: 3.3.7-alpine@sha256:2afa53c856e4e9fcc7dfb35b807fcb189896d7e62b38d363f9bedea92bce7f9a
-      resources:
-        requests:
-          cpu: 5m
-          memory: 90Mi
-      metrics:
-        enabled: true
-        serviceMonitor:
-          enabled: true
-    exporter:
-      enabled: true
-      image: ghcr.io/oliver006/redis_exporter
-      tag: v1.82.0@sha256:6a97d4dd743b533e1f950c677b87d880e44df363c61af3f406fc9e53ed65ee03
-      serviceMonitor:
-        enabled: true
-    prometheusRule:
-      enabled: true
-      interval: 30s
-      rules:
-        - alert: RedisPodDown
-          expr: |
-            redis_up{job="{{ include "redis-ha.fullname" . }}"} == 0
-          for: 5m
-          labels:
-            severity: critical
-          annotations:
-            description: Redis pod {{ "{{ $labels.pod }}" }} is down
-            summary: Redis pod {{ "{{ $labels.pod }}" }} is down
-    auth: false
-  redisSecretInit:
-    enabled: false
-  server:
-    replicas: 2
-    resources:
-     requests:
-       cpu: 20m
-       memory: 80Mi
-    metrics:
-      enabled: true
-      serviceMonitor:
-        enabled: true
-    httproute:
-      enabled: true
-      parentRefs:
-        - group: gateway.networking.k8s.io
-          kind: Gateway
-          name: traefik-gateway
-          namespace: traefik
-      hostnames:
-        - argocd.alexlebens.net
-  repoServer:
-    replicas: 2
-    resources:
-      requests:
-        cpu: 1m
-        memory: 50Mi
-    readinessProbe:
-      enabled: true
-      failureThreshold: 3
-      initialDelaySeconds: 60
-      periodSeconds: 30
-      successThreshold: 1
-      timeoutSeconds: 5
-    livenessProbe:
-      enabled: true
-      failureThreshold: 3
-      initialDelaySeconds: 60
-      periodSeconds: 30
-      successThreshold: 1
-      timeoutSeconds: 5
-    metrics:
-      enabled: true
-      serviceMonitor:
-        enabled: true
-  applicationSet:
-    replicas: 2
-    resources:
-      requests:
-        cpu: 10m
-        memory: 50Mi
-    metrics:
-      enabled: true
-      serviceMonitor:
-        enabled: true
-    readinessProbe:
-      enabled: true
-      failureThreshold: 3
-      initialDelaySeconds: 60
-      periodSeconds: 30
-      successThreshold: 1
-      timeoutSeconds: 5
-    livenessProbe:
-      enabled: true
-      failureThreshold: 3
-      initialDelaySeconds: 60
-      periodSeconds: 30
-      successThreshold: 1
-      timeoutSeconds: 5
-  notifications:
-    argocdUrl: https://argocd.alexlebens.net
-    secret:
-      create: false
-      name: argocd-notifications-ntfy
-    metrics:
-      enabled: true
-      serviceMonitor:
-        enabled: true
-    notifiers:
-      service.webhook.ntfy: |
-        url: http://ntfy.ntfy/
-        headers:
-          - name: Authorization
-            value: Bearer $ntfy-token
-    resources:
-      requests:
-        cpu: 2m
-        memory: 50Mi
-    livenessProbe:
-      enabled: true
-    readinessProbe:
-      enabled: true
-    subscriptions:
-      - recipients:
-          - ntfy
-        triggers:
-          - on-created
-          - on-deleted
-          - on-deployed
-          - on-health-degraded
-          - on-sync-failed
-          - on-sync-running
-          - on-sync-status-unknown
-          - on-sync-succeeded
-    templates:
-      template.app-created: |
-        webhook:
-          ntfy:
-            method: POST
-            body: |
-              {
-                "topic": "argocd",
-                "message": "{{.app.metadata.name}} has been created.",
-                "title": "Created: {{.app.metadata.name}}",
-                "tags": ["building_construction"],
-                "priority": 4,
-                "click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
-              }
-      template.app-deleted: |
-        webhook:
-          ntfy:
-            method: POST
-            body: |
-              {
-                "topic": "argocd",
-                "message": "{{.app.metadata.name}} has been deleted",
-                "title": "Deleted: {{.app.metadata.name}}",
-                "tags": ["warning"],
-                "priority": 4,
-                "click": "{{.context.argocdUrl}}"
-              }
-      template.app-deployed: |
-        webhook:
-          ntfy:
-            method: POST
-            body: |
-              {
-                "topic": "argocd",
-                "message": "{{.app.metadata.name}} is now running new version of deployments manifests",
-                "title": "Deployed: {{.app.metadata.name}}",
-                "tags": ["+1"],
-                "priority": 3,
-                "click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
-              }
-      template.app-health-degraded: |
-        webhook:
-          ntfy:
-            method: POST
-            body: |
-              {
-                "topic": "argocd",
-                "message": "{{.app.metadata.name}} health has degraded",
-                "title": "Degraded: {{.app.metadata.name}}",
-                "tags": ["rotating_light"],
-                "priority": 4,
-                "click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
-              }
-      template.app-sync-failed: |
-        webhook:
-          ntfy:
-            method: POST
-            body: |
-              {
-                "topic": "argocd",
-                "message": "{{.app.metadata.name}} sync has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}}",
-                "title": "Sync Failed: {{.app.metadata.name}}",
-                "tags": ["rotating_light"],
-                "priority": 4,
-                "click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
-              }
-      template.app-sync-running: |
-        webhook:
-          ntfy:
-            method: POST
-            body: |
-              {
-                "topic": "argocd",
-                "message": "{{.app.metadata.name}} sync has started at {{.app.status.operationState.startedAt}}",
-                "title": "Sync Running: {{.app.metadata.name}}",
-                "tags": ["runner"],
-                "priority": 3,
-                "click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
-              }
-      template.app-sync-status-unknown: |
-        webhook:
-          ntfy:
-            method: POST
-            body: |
-              {
-                "topic": "argocd",
-                "message": "{{.app.metadata.name}} sync status is unknown",
-                "title": "Sync Unknown: {{.app.metadata.name}}",
-                "tags": ["question"],
-                "priority": 3,
-                "click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}"
-              }
-      template.app-sync-succeeded: |
-        webhook:
-          ntfy:
-            method: POST
-            body: |
-              {
-                "topic": "argocd",
-                "message": "{{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}",
-                "title": "Sync Succeeded: {{.app.metadata.name}}",
-                "tags": ["+1"],
-                "priority": 3,
-                "click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
-              }
-    triggers:
-      trigger.on-created: |
-        - description: Application {{.app.metadata.name}} has been created.
-          oncePer: app.metadata.name
-          send:
-            - app-created
-          when: "true"
-      trigger.on-deleted: |
-        - description: Application {{.app.metadata.name}} has been deleted.
-          oncePer: app.metadata.name
-          send:
-            - app-deleted
-          when: app.metadata.deletionTimestamp != nil
-      trigger.on-deployed: |
-        - description: Application is synced and healthy. Triggered once per commit.
-          oncePer: app.status.operationState.syncResult.revision
-          send:
-            - app-deployed
-          when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'
-      trigger.on-health-degraded: |
-        - description: Application has degraded
-          send:
-            - app-health-degraded
-          when: app.status.health.status == 'Degraded'
-      trigger.on-sync-failed: |
-        - description: Application syncing has failed
-          send:
-            - app-sync-failed
-          when: app.status.operationState.phase in ['Error', 'Failed']
-      trigger.on-sync-running: |
-        - description: Application is being synced
-          send:
-           - app-sync-running
-          when: app.status.operationState.phase in ['Running']
-      trigger.on-sync-status-unknown: |
-        - description: Application status is 'Unknown'
-          send:
-            - app-sync-status-unknown
-          when: app.status.sync.status == 'Unknown'
-      trigger.on-sync-succeeded: |
-        - description: Application syncing has succeeded
-          send:
-            - app-sync-succeeded
-          when: app.status.operationState.phase in ['Succeeded']
--- a/clusters/cl01tl/helm/audiobookshelf/Chart.lock
+++ b/clusters/cl01tl/helm/audiobookshelf/Chart.lock
@@ -1,12 +0,0 @@
-dependencies:
- name: app-template
-  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.6.2
- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.1.1
- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.1.1
-digest: sha256:2275b211b02253019e5830e0258f936f1494380cc50cea03bc31d75281365dcc
-generated: "2026-04-28T17:54:10.288277-05:00"
--- a/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
@@ -1,35 +0,0 @@
-apiVersion: v2
-name: audiobookshelf
-version: 1.0.0
-description: Audiobookshelf
-keywords:
-  - audiobookshelf
-  - books
-  - podcasts
-  - audiobooks
-home: https://docs.alexlebens.dev/applications/audiobookshelf/
-sources:
-  - https://github.com/advplyr/audiobookshelf
-  - https://github.com/caronc/apprise
-  - https://github.com/advplyr/audiobookshelf/pkgs/container/audiobookshelf
-  - https://github.com/caronc/apprise-api/pkgs/container/apprise
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: audiobookshelf
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.6.2
-  - name: volsync-target
-    alias: volsync-target-config
-    version: 1.1.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: volsync-target
-    alias: volsync-target-metadata
-    version: 1.1.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
-# renovate: datasource=github-releases depName=advplyr/audiobookshelf
-appVersion: 2.34.0
--- a/clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl
@@ -1,27 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.booksNfsName" -}}
-audiobookshelf-books-nfs-storage
-{{- end -}}
-{{- define "custom.audiobooksNfsName" -}}
-audiobookshelf-audiobooks-nfs-storage
-{{- end -}}
-{{- define "custom.podcastsNfsName" -}}
-audiobookshelf-podcasts-nfs-storage
-{{- end -}}
--- a/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
@@ -1,27 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: audiobookshelf-config-apprise
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: audiobookshelf-config-apprise
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        ntfy-url: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}"
-  data:
-    - secretKey: endpoint
-      remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
-        property: internal-endpoint-credential
-    - secretKey: topic
-      remoteRef:
-        key: /cl01tl/ntfy/topics
-        property: audiobookshelf
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
@@ -1,52 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ include "custom.booksNfsName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    {{ include "custom.labels" . | nindent 4 }}
-spec:
-  volumeName: {{ include "custom.booksNfsName" . }}
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ include "custom.audiobooksNfsName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  volumeName: {{ include "custom.audiobooksNfsName" . }}
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ include "custom.podcastsNfsName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  volumeName: {{ include "custom.podcastsNfsName" . }}
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
@@ -1,70 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: {{ include "custom.booksNfsName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/Books
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
-
---
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: {{ include "custom.audiobooksNfsName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/Audiobooks
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
-
---
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: {{ include "custom.podcastsNfsName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage/Podcasts
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
--- a/clusters/cl01tl/helm/audiobookshelf/values.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/values.yaml
@@ -1,149 +0,0 @@
-audiobookshelf:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      pod:
-        securityContext:
-          fsGroup: 1000
-          fsGroupChangePolicy: OnRootMismatch
-      containers:
-        main:
-          image:
-            repository: ghcr.io/advplyr/audiobookshelf
-            tag: 2.34.0@sha256:4143292c530f6ac6700afd13360c04f477e4f1a81c1c97c4224b1c7e4330c5c4
-          env:
-            - name: TZ
-              value: America/Chicago
-          resources:
-            requests:
-              cpu: 1m
-              memory: 200Mi
-        apprise-api:
-          image:
-            repository: ghcr.io/caronc/apprise
-            tag: v1.4.0@sha256:9d97a6b9b42cf6afdf3b5466dbed2a59cd42a4bb777ec6aa57b5f2ee623569eb
-          env:
-            - name: TZ
-              value: America/Chicago
-            - name: PGID
-              value: "1000"
-            - name: PUID
-              value: "1000"
-            - name: APPRISE_STORAGE_MODE
-              value: memory
-            - name: APPRISE_STATEFUL_MODE
-              value: disabled
-            - name: APPRISE_WORKER_COUNT
-              value: 1
-            - name: APPRISE_STATELESS_URLS
-              valueFrom:
-                secretKeyRef:
-                  name: audiobookshelf-config-apprise
-                  key: ntfy-url
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 80
-        apprise:
-          port: 8000
-          targetPort: 8000
-  serviceMonitor:
-    main:
-      selector:
-        matchLabels:
-          app.kubernetes.io/name: audiobookshelf
-          app.kubernetes.io/instance: audiobookshelf
-      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
-      endpoints:
-        - port: apprise
-          scheme: http
-          path: /metrics
-          interval: 30s
-          scrapeTimeout: 15s
-  route:
-    main:
-      kind: HTTPRoute
-      parentRefs:
-        - group: gateway.networking.k8s.io
-          kind: Gateway
-          name: traefik-gateway
-          namespace: traefik
-      hostnames:
-        - audiobookshelf.alexlebens.net
-      rules:
-        - backendRefs:
-            - name: audiobookshelf
-              port: 80
-          matches:
-            - path:
-                type: PathPrefix
-                value: /
-  persistence:
-    config:
-      forceRename: audiobookshelf-config
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 2Gi
-      advancedMounts:
-        main:
-          main:
-            - path: /config
-              readOnly: false
-    metadata:
-      forceRename: audiobookshelf-metadata
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 10Gi
-      advancedMounts:
-        main:
-          main:
-            - path: /metadata
-              readOnly: false
-    books:
-      existingClaim: audiobookshelf-books-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /mnt/store/Books
-              readOnly: false
-    audiobooks:
-      existingClaim: audiobookshelf-audiobooks-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /mnt/store/Audiobooks
-              readOnly: false
-    podcasts:
-      existingClaim: audiobookshelf-podcasts-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /mnt/store/Podcasts
-              readOnly: false
-volsync-target-config:
-  pvcTarget: audiobookshelf-config
-  local:
-    enabled: true
-    schedule: 2 8 * * *
-  remote:
-    enabled: true
-    schedule: 2 9 * * *
-  external:
-    enabled: true
-    schedule: 2 10 * * *
-volsync-target-metadata:
-  pvcTarget: audiobookshelf-metadata
-  local:
-    enabled: true
-    schedule: 4 8 * * *
-  remote:
-    enabled: true
-    schedule: 4 9 * * *
-  external:
-    enabled: true
-    schedule: 4 10 * * *
--- a/clusters/cl01tl/helm/authentik/Chart.lock
+++ b/clusters/cl01tl/helm/authentik/Chart.lock
@@ -1,15 +0,0 @@
-dependencies:
- name: authentik
-  repository: https://charts.goauthentik.io/
-  version: 2026.2.2
- name: cloudflared
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.6.0
- name: postgres-cluster
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.12.1
- name: valkey
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
-digest: sha256:d1dbca83e5b63a58a9bf9f2903d1b45bbadca3e8599541367bc61ef2ce938cdb
-generated: "2026-04-24T21:50:21.398658595Z"
--- a/clusters/cl01tl/helm/authentik/Chart.yaml
+++ b/clusters/cl01tl/helm/authentik/Chart.yaml
@@ -1,36 +0,0 @@
-apiVersion: v2
-name: authentik
-version: 1.0.0
-description: Authentik
-keywords:
-  - authentik
-  - sso
-  - oidc
-  - authentication
-home: https://docs.alexlebens.dev/applications/authentik/
-sources:
-  - https://github.com/goauthentik/authentik
-  - https://github.com/goauthentik/helm
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: authentik
-    version: 2026.2.2
-    repository: https://charts.goauthentik.io/
-  - name: cloudflared
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.6.0
-  - name: postgres-cluster
-    alias: postgres-18-cluster
-    version: 7.12.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: valkey
-    alias: valkey
-    version: 0.6.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
-# renovate: datasource=github-releases depName=goauthentik/authentik
-appVersion: 2025.10.2
--- a/clusters/cl01tl/helm/authentik/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/authentik/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/authentik/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/external-secret.yaml
@@ -1,17 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: authentik-key
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: authentik-key
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: key
-      remoteRef:
-        key: /cl01tl/authentik/key
-        property: key
--- a/clusters/cl01tl/helm/authentik/templates/ingress.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/ingress.yaml
@@ -1,28 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ .Release.Name }}-tailscale
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
-    {{- include "custom.labels" . | nindent 4 }}
-    tailscale.com/proxy-class: no-metrics
-  annotations:
-    tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
-spec:
-  ingressClassName: tailscale
-  tls:
-    - hosts:
-        - auth-cl01tl
-      secretName: auth-cl01tl
-  rules:
-    - host: auth-cl01tl
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: authentik-server
-                port:
-                  name: http
--- a/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
@@ -1,38 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: ReferenceGrant
-metadata:
-  name: allow-outpost-cross-namespace-access
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: allow-outpost-cross-namespace-access
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  from:
-    - group: gateway.networking.k8s.io
-      kind: HTTPRoute
-      namespace: lidarr
-    - group: gateway.networking.k8s.io
-      kind: HTTPRoute
-      namespace: radarr
-    - group: gateway.networking.k8s.io
-      kind: HTTPRoute
-      namespace: radarr-4k
-    - group: gateway.networking.k8s.io
-      kind: HTTPRoute
-      namespace: radarr-anime
-    - group: gateway.networking.k8s.io
-      kind: HTTPRoute
-      namespace: radarr-standup
-    - group: gateway.networking.k8s.io
-      kind: HTTPRoute
-      namespace: sonarr
-    - group: gateway.networking.k8s.io
-      kind: HTTPRoute
-      namespace: sonarr-4k
-    - group: gateway.networking.k8s.io
-      kind: HTTPRoute
-      namespace: sonarr-anime
-  to:
-    - group: ""
-      kind: Service
-      name: ak-outpost-traefik-proxy-auth
--- a/clusters/cl01tl/helm/authentik/values.yaml
+++ b/clusters/cl01tl/helm/authentik/values.yaml
@@ -1,100 +0,0 @@
-authentik:
-  global:
-    env:
-      - name: AUTHENTIK_SECRET_KEY
-        valueFrom:
-          secretKeyRef:
-            name: authentik-key
-            key: key
-      - name: AUTHENTIK_POSTGRESQL__HOST
-        valueFrom:
-          secretKeyRef:
-            name: authentik-postgresql-18-cluster-app
-            key: host
-      - name: AUTHENTIK_POSTGRESQL__NAME
-        valueFrom:
-          secretKeyRef:
-            name: authentik-postgresql-18-cluster-app
-            key: dbname
-      - name: AUTHENTIK_POSTGRESQL__USER
-        valueFrom:
-          secretKeyRef:
-            name: authentik-postgresql-18-cluster-app
-            key: user
-      - name: AUTHENTIK_POSTGRESQL__PASSWORD
-        valueFrom:
-          secretKeyRef:
-            name: authentik-postgresql-18-cluster-app
-            key: password
-  authentik:
-    redis:
-      host: authentik-valkey
-  server:
-    replicas: 2
-    resources:
-      requests:
-        cpu: 20m
-        memory: 700Mi
-    livenessProbe:
-      failureThreshold: 3
-      initialDelaySeconds: 15
-      periodSeconds: 10
-      successThreshold: 1
-      timeoutSeconds: 5
-    readinessProbe:
-      failureThreshold: 3
-      initialDelaySeconds: 15
-      periodSeconds: 10
-      successThreshold: 1
-      timeoutSeconds: 5
-    metrics:
-      enabled: true
-      serviceMonitor:
-        enabled: true
-    route:
-      main:
-        enabled: true
-        hostnames:
-          - authentik.alexlebens.net
-        parentRefs:
-          - group: gateway.networking.k8s.io
-            kind: Gateway
-            name: traefik-gateway
-            namespace: traefik
-  worker:
-    name: worker
-    replicas: 2
-    resources:
-      requests:
-        cpu: 80m
-        memory: 650Mi
-    metrics:
-      enabled: true
-      serviceMonitor:
-        enabled: true
-  prometheus:
-    rules:
-      enabled: true
-postgres-18-cluster:
-  mode: recovery
-  cluster:
-    resources:
-      requests:
-        memory: 150Mi
-  recovery:
-    method: objectStore
-    objectStore:
-      index: 2
-  backup:
-    objectStore:
-      - name: garage-local
-        index: 2
-        destinationBucket: postgres-backups
-        externalSecretCredentialPath: /garage/home-infra/postgres-backups
-        isWALArchiver: true
-    scheduledBackups:
-      - name: live-backup
-        suspend: false
-        immediate: true
-        schedule: "0 5 14 * * *"
-        backupName: garage-local
--- a/clusters/cl01tl/helm/backrest/Chart.lock
+++ b/clusters/cl01tl/helm/backrest/Chart.lock
@@ -1,12 +0,0 @@
-dependencies:
- name: app-template
-  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.6.2
- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.1.1
- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.1.1
-digest: sha256:82e85dc79199cc8b75dde412d595621817b3fa2c073c131162d0079a0b63f369
-generated: "2026-04-28T23:31:05.864191451Z"
--- a/clusters/cl01tl/helm/backrest/Chart.yaml
+++ b/clusters/cl01tl/helm/backrest/Chart.yaml
@@ -1,31 +0,0 @@
-apiVersion: v2
-name: backrest
-version: 1.0.0
-description: backrest
-keywords:
-  - backrest
-  - backup
-home: https://docs.alexlebens.dev/applications/backrest/
-sources:
-  - https://github.com/garethgeorge/backrest
-  - https://github.com/garethgeorge/backrest/pkgs/container/backrest
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: backrest
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.6.2
-  - name: volsync-target
-    alias: volsync-target-config
-    version: 1.1.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: volsync-target
-    alias: volsync-target-data
-    version: 1.1.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
-# renovate: datasource=github-releases depName=garethgeorge/backrest
-appVersion: v1.12.1
--- a/clusters/cl01tl/helm/backrest/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/backrest/templates/_helpers.tpl
@@ -1,24 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.storageNfsName" -}}
-backrest-nfs-storage
-{{- end -}}
-{{- define "custom.shareNfsName" -}}
-backrest-nfs-share
-{{- end -}}
--- a/clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ include "custom.storageNfsName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  volumeName: {{ include "custom.storageNfsName" . }}
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ include "custom.shareNfsName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  volumeName: {{ include "custom.shareNfsName" . }}
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
--- a/clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: {{ include "custom.storageNfsName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
-
---
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: {{ include "custom.shareNfsName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Share
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
--- a/clusters/cl01tl/helm/backrest/values.yaml
+++ b/clusters/cl01tl/helm/backrest/values.yaml
@@ -1,135 +0,0 @@
-backrest:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      containers:
-        main:
-          image:
-            repository: ghcr.io/garethgeorge/backrest
-            tag: v1.12.1@sha256:f4d34bd6fa985d13bdb6c01c5d8727e07708899afa9567d800808357d77b9fb0
-          env:
-            - name: TZ
-              value: America/Chicago
-            - name: BACKREST_DATA
-              value: /data
-            - name: BACKREST_CONFIG
-              value: /config/config.json
-            - name: XDG_CACHE_HOME
-              value: /cache
-            - name: TMPDIR
-              value: /tmp
-          resources:
-            requests:
-              cpu: 1m
-              memory: 30Mi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 9898
-  serviceMonitor:
-    main:
-      selector:
-        matchLabels:
-          app.kubernetes.io/name: backrest
-          app.kubernetes.io/instance: backrest
-      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
-      endpoints:
-        - port: http
-          scheme: http
-          path: /metrics
-          interval: 300s
-          scrapeTimeout: 15s
-  route:
-    main:
-      kind: HTTPRoute
-      parentRefs:
-        - group: gateway.networking.k8s.io
-          kind: Gateway
-          name: traefik-gateway
-          namespace: traefik
-      hostnames:
-        - backrest.alexlebens.net
-      rules:
-        - backendRefs:
-            - name: backrest
-              port: 80
-          matches:
-            - path:
-                type: PathPrefix
-                value: /
-  persistence:
-    data:
-      forceRename: backrest-data
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 10Gi
-      advancedMounts:
-        main:
-          main:
-            - path: /data
-              readOnly: false
-    config:
-      forceRename: backrest-config
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 1Gi
-      advancedMounts:
-        main:
-          main:
-            - path: /config
-              readOnly: false
-    cache:
-      type: emptyDir
-      advancedMounts:
-        main:
-          main:
-            - path: /cache
-              readOnly: false
-    tmp:
-      type: emptyDir
-      advancedMounts:
-        main:
-          main:
-            - path: /tmp
-              readOnly: false
-    storage:
-      existingClaim: backrest-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /mnt/storage
-              readOnly: true
-    share:
-      existingClaim: backrest-nfs-share
-      advancedMounts:
-        main:
-          main:
-            - path: /mnt/share
-              readOnly: true
-volsync-target-data:
-  pvcTarget: backrest-data
-  local:
-    enabled: true
-    schedule: 6 8 * * *
-  remote:
-    enabled: true
-    schedule: 6 9 * * *
-  external:
-    enabled: true
-    schedule: 6 10 * * *
-volsync-target-config:
-  pvcTarget: backrest-config
-  local:
-    enabled: true
-    schedule: 8 8 * * *
-  remote:
-    enabled: true
-    schedule: 8 9 * * *
-  external:
-    enabled: true
-    schedule: 8 10 * * *
--- a/clusters/cl01tl/helm/bazarr/Chart.lock
+++ b/clusters/cl01tl/helm/bazarr/Chart.lock
@@ -1,9 +0,0 @@
-dependencies:
- name: app-template
-  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.6.2
- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.1.1
-digest: sha256:9228c387a1b50545d8b348c94ae55b17952d32652ca48d0329c65f4ee651706e
-generated: "2026-04-28T23:31:15.743170757Z"
--- a/clusters/cl01tl/helm/bazarr/Chart.yaml
+++ b/clusters/cl01tl/helm/bazarr/Chart.yaml
@@ -1,31 +0,0 @@
-apiVersion: v2
-name: bazarr
-version: 1.0.0
-description: Bazarr
-keywords:
-  - bazarr
-  - subtitles
-  - servarr
-home: https://docs.alexlebens.dev/applications/bazarr/
-sources:
-  - https://github.com/morpheus65535/bazarr
-  - https://github.com/linuxserver/docker-bazarr
-  - https://github.com/onedr0p/exportarr
-  - https://github.com/linuxserver/docker-bazarr/pkgs/container/bazarr
-  - https://github.com/onedr0p/exportarr/pkgs/container/exportarr
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: bazarr
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.6.2
-  - name: volsync-target
-    alias: volsync-target-config
-    version: 1.1.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
-# renovate: datasource=github-releases depName=linuxserver/docker-bazarr
-appVersion: v1.5.6-ls342
--- a/clusters/cl01tl/helm/bazarr/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/bazarr/templates/_helpers.tpl
@@ -1,21 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.storageNfsName" -}}
-bazarr-nfs-storage
-{{- end -}}
--- a/clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
@@ -1,17 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: bazarr-key
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: bazarr-key
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: key
-      remoteRef:
-        key: /cl01tl/bazarr/key
-        property: key
--- a/clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ include "custom.storageNfsName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  volumeName: {{ include "custom.storageNfsName" . }}
-  storageClassName: nfs-client
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
--- a/clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: {{ include "custom.storageNfsName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: nfs-client
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    path: /volume2/Storage
-    server: synologybond.alexlebens.net
-  mountOptions:
-    - vers=4
-    - minorversion=1
-    - noac
--- a/clusters/cl01tl/helm/bazarr/values.yaml
+++ b/clusters/cl01tl/helm/bazarr/values.yaml
@@ -1,121 +0,0 @@
-bazarr:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      pod:
-        securityContext:
-          runAsUser: 1000
-          runAsGroup: 1000
-          fsGroup: 1000
-          fsGroupChangePolicy: OnRootMismatch
-      containers:
-        main:
-          image:
-            repository: ghcr.io/linuxserver/bazarr
-            tag: v1.5.6-ls342@sha256:9a631194c0dee21c85b5bff59e23610e1ae2f54594e922973949d271102e585e
-          env:
-            - name: TZ
-              value: America/Chicago
-            - name: PUID
-              value: 1000
-            - name: PGID
-              value: 1000
-          resources:
-            requests:
-              cpu: 10m
-              memory: 250Mi
-        metrics:
-          image:
-            repository: ghcr.io/onedr0p/exportarr
-            tag: v2.3.0@sha256:af535d94061cf97a52e1661945ffba78c03f9443eae7c0da1a80a5a4be56b520
-          args: ["bazarr"]
-          env:
-            - name: URL
-              value: http://localhost:6767
-            - name: PORT
-              value: 9792
-            - name: APIKEY
-              valueFrom:
-                secretKeyRef:
-                  name: bazarr-key
-                  key: key
-            - name: ENABLE_ADDITIONAL_METRICS
-              value: false
-            - name: ENABLE_UNKNOWN_QUEUE_ITEMS
-              value: false
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 6767
-        metrics:
-          port: 9792
-          targetPort: 9792
-  serviceMonitor:
-    main:
-      selector:
-        matchLabels:
-          app.kubernetes.io/name: bazarr
-          app.kubernetes.io/instance: bazarr
-      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
-      endpoints:
-        - port: metrics
-          interval: 3m
-          scrapeTimeout: 1m
-          path: /metrics
-  route:
-    main:
-      kind: HTTPRoute
-      parentRefs:
-        - group: gateway.networking.k8s.io
-          kind: Gateway
-          name: traefik-gateway
-          namespace: traefik
-      hostnames:
-        - bazarr.alexlebens.net
-      rules:
-        - backendRefs:
-            - name: bazarr
-              port: 80
-          matches:
-            - path:
-                type: PathPrefix
-                value: /
-  persistence:
-    config:
-      forceRename: bazarr-config
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 5Gi
-      advancedMounts:
-        main:
-          main:
-            - path: /config
-              readOnly: false
-    media:
-      existingClaim: bazarr-nfs-storage
-      advancedMounts:
-        main:
-          main:
-            - path: /mnt/store
-              readOnly: false
-volsync-target-config:
-  pvcTarget: bazarr-config
-  moverSecurityContext:
-    runAsUser: 1000
-    runAsGroup: 1000
-    fsGroup: 1000
-    fsGroupChangePolicy: OnRootMismatch
-  local:
-    enabled: true
-    schedule: 10 8 * * *
-  remote:
-    enabled: true
-    schedule: 10 9 * * *
-  external:
-    enabled: true
-    schedule: 10 10 * * *
--- a/clusters/cl01tl/helm/blocky/Chart.lock
+++ b/clusters/cl01tl/helm/blocky/Chart.lock
@@ -1,9 +0,0 @@
-dependencies:
- name: app-template
-  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.6.2
- name: valkey
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
-digest: sha256:6ed3a7587906fbda581d0091ff2c29a1816b8b0b8ae40add9885e6a68b2b82ae
-generated: "2026-04-13T20:32:34.844998902Z"
--- a/clusters/cl01tl/helm/blocky/Chart.yaml
+++ b/clusters/cl01tl/helm/blocky/Chart.yaml
@@ -1,27 +0,0 @@
-apiVersion: v2
-name: blocky
-version: 1.0.0
-description: Blocky
-keywords:
-  - blocky
-  - dns
-home: https://docs.alexlebens.dev/applications/blocky/
-sources:
-  - https://github.com/0xERR0R/blocky
-  - https://github.com/0xERR0R/blocky/pkgs/container/blocky
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: blocky
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.6.2
-  - name: valkey
-    alias: valkey
-    version: 0.6.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
-# renovate: datasource=github-releases depName=0xerr0r/blocky
-appVersion: v0.29.0
--- a/clusters/cl01tl/helm/blocky/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/blocky/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/blocky/values.yaml
+++ b/clusters/cl01tl/helm/blocky/values.yaml
@@ -1,337 +0,0 @@
-blocky:
-  controllers:
-    main:
-      type: deployment
-      replicas: 3
-      strategy: RollingUpdate
-      containers:
-        main:
-          image:
-            repository: ghcr.io/0xerr0r/blocky
-            tag: v0.29.0@sha256:a6d99f323d3036a99a3767a52ad612f4d8f3f31167492bfc14d4ea57b24cdfd0
-          env:
-            - name: TZ
-              value: America/Chicago
-          resources:
-            requests:
-              cpu: 10m
-              memory: 100Mi
-  configMaps:
-    config:
-      enabled: true
-      data:
-        config.yml: |
-          upstreams:
-            init:
-              strategy: fast
-            groups:
-              default:
-                - tcp-tls:1.1.1.1:853
-                - tcp-tls:1.0.0.1:853
-            strategy: parallel_best
-            timeout: 2s
-
-          connectIPVersion: v4
-
-          customDNS:
-            filterUnmappedTypes: false
-            zone: |
-              $ORIGIN alexlebens.net.
-              $TTL 86400
-
-              ;; Name Server
-                                              IN      NS      patryk.ns.cloudflare.com.
-                                              IN      NS      veda.ns.cloudflare.com.
-                                              IN      NS      dns1.
-                                              IN      NS      dns2.
-                                              IN      NS      dns3.
-
-              dns1                            IN      A       10.232.1.22
-              dns2                            IN      A       10.232.1.51
-              dns3                            IN      A       10.232.1.52
-
-
-              ;; Computer Names
-              nw01un                          IN      A       192.168.1.1   ; Unifi Gateway
-
-              ps08rp                          IN      A       10.232.1.51   ; DNS
-              ps09rp                          IN      A       10.232.1.52   ; DNS
-              ps02sn                          IN      A       10.232.1.61   ; Synology Web
-              ps02sn-bond                     IN      A       10.232.1.64   ; Synology Bond for Storage
-
-              pd05wd                          IN      A       10.230.0.115  ; Desktop
-              pl02mc                          IN      A       10.230.0.105  ; Laptop
-
-              dv01hr                          IN      A       10.232.1.72   ; HD Homerun
-              dv02kv                          IN      A       10.232.1.71   ; Pi KVM
-
-              it01ag                          IN      A       10.232.1.83   ; Airgradient
-              it02ph                          IN      A       10.232.1.85   ; Phillips Hue
-              it03tb                          IN      A       10.232.1.81   ; TubesZB ZigBee
-              it04tb                          IN      A       10.232.1.82   ; TubesZB Z-Wave
-              it05sp                          IN      A       10.230.0.100  ; Shelly Plug
-
-
-              ;; Common Names
-              synology                        IN      CNAME   ps02sn
-              synologybond                    IN      CNAME   ps02sn-bond
-              unifi                           IN      CNAME   nw01un
-              airgradient                     IN      CNAME   it01ag
-              hdhr                            IN      CNAME   dv01hr
-              pikvm                           IN      CNAME   dv02kv
-
-
-              ;; Service Names
-              cl01tl                          IN      A       10.232.1.11
-              cl01tl                          IN      A       10.232.1.12
-              cl01tl                          IN      A       10.232.1.13
-
-              cl01tl-api                      IN      A       10.232.1.11
-              cl01tl-api                      IN      A       10.232.1.12
-              cl01tl-api                      IN      A       10.232.1.13
-
-              cl01tl-endpoint                 IN      A       10.232.1.21
-              cl01tl-endpoint                 IN      A       10.232.1.22
-              cl01tl-endpoint                 IN      A       10.232.1.23
-
-              traefik-cl01tl                  IN      A       10.232.1.21
-              blocky                          IN      A       10.232.1.22
-              plex-lb                         IN      A       10.232.1.23
-
-
-              ;; Application Names
-              actual                          IN      CNAME   traefik-cl01tl
-              alertmanager                    IN      CNAME   traefik-cl01tl
-              argocd                          IN      CNAME   traefik-cl01tl
-              audiobookshelf                  IN      CNAME   traefik-cl01tl
-              authentik                       IN      CNAME   traefik-cl01tl
-              backrest                        IN      CNAME   traefik-cl01tl
-              bao                             IN      CNAME   traefik-cl01tl
-              bazarr                          IN      CNAME   traefik-cl01tl
-              ceph                            IN      CNAME   traefik-cl01tl
-              dawarich                        IN      CNAME   traefik-cl01tl
-              directus                        IN      CNAME   traefik-cl01tl
-              excalidraw                      IN      CNAME   traefik-cl01tl
-              feishin                         IN      CNAME   traefik-cl01tl
-              foldergram                      IN      CNAME   traefik-cl01tl
-              garage-s3                       IN      CNAME   traefik-cl01tl
-              garage-webui                    IN      CNAME   traefik-cl01tl
-              gatus                           IN      CNAME   traefik-cl01tl
-              gitea                           IN      CNAME   traefik-cl01tl
-              grafana                         IN      CNAME   traefik-cl01tl
-              grimmory                        IN      CNAME   traefik-cl01tl
-              harbor                          IN      CNAME   traefik-cl01tl
-              headlamp                        IN      CNAME   traefik-cl01tl
-              home                            IN      CNAME   traefik-cl01tl
-              home-assistant                  IN      CNAME   traefik-cl01tl
-              home-assistant-code-server      IN      CNAME   traefik-cl01tl
-              houndarr                        IN      CNAME   traefik-cl01tl
-              hubble                          IN      CNAME   traefik-cl01tl
-              immich                          IN      CNAME   traefik-cl01tl
-              jellyfin                        IN      CNAME   traefik-cl01tl
-              jellystat                       IN      CNAME   traefik-cl01tl
-              kiwix                           IN      CNAME   traefik-cl01tl
-              komodo                          IN      CNAME   traefik-cl01tl
-              languagetool                    IN      CNAME   traefik-cl01tl
-              lidarr                          IN      CNAME   traefik-cl01tl
-              mail                            IN      CNAME   traefik-cl01tl
-              medialyze                       IN      CNAME   traefik-cl01tl
-              music-grabber                   IN      CNAME   traefik-cl01tl
-              navidrome                       IN      CNAME   traefik-cl01tl
-              ntfy                            IN      CNAME   traefik-cl01tl
-              objects                         IN      CNAME   traefik-cl01tl
-              ollama                          IN      CNAME   traefik-cl01tl
-              omni-tools                      IN      CNAME   traefik-cl01tl
-              paperless-ngx                   IN      CNAME   traefik-cl01tl
-              plex                            IN      CNAME   traefik-cl01tl
-              postiz-spotlight                IN      CNAME   traefik-cl01tl
-              postiz-temporal                 IN      CNAME   traefik-cl01tl
-              prometheus                      IN      CNAME   traefik-cl01tl
-              prowlarr                        IN      CNAME   traefik-cl01tl
-              qbittorrent                     IN      CNAME   traefik-cl01tl
-              qui                             IN      CNAME   traefik-cl01tl
-              radarr                          IN      CNAME   traefik-cl01tl
-              radarr-4k                       IN      CNAME   traefik-cl01tl
-              radarr-anime                    IN      CNAME   traefik-cl01tl
-              radarr-standup                  IN      CNAME   traefik-cl01tl
-              searxng                         IN      CNAME   traefik-cl01tl
-              seerr                           IN      CNAME   traefik-cl01tl
-              shelfmark                       IN      CNAME   traefik-cl01tl
-              slskd                           IN      CNAME   traefik-cl01tl
-              sonarr                          IN      CNAME   traefik-cl01tl
-              sonarr-4k                       IN      CNAME   traefik-cl01tl
-              sonarr-anime                    IN      CNAME   traefik-cl01tl
-              sparkyfitness                   IN      CNAME   traefik-cl01tl
-              stalwart                        IN      CNAME   traefik-cl01tl
-              tdarr                           IN      CNAME   traefik-cl01tl
-              tubearchivist                   IN      CNAME   traefik-cl01tl
-              vault                           IN      CNAME   traefik-cl01tl
-              whodb                           IN      CNAME   traefik-cl01tl
-              yamtrack                        IN      CNAME   traefik-cl01tl
-              yubal                           IN      CNAME   traefik-cl01tl
-
-          blocking:
-            denylists:
-              sus:
-                - https://v.firebog.net/hosts/static/w3kbl.txt
-              ads:
-                - https://v.firebog.net/hosts/AdguardDNS.txt
-                - https://v.firebog.net/hosts/Admiral.txt
-                - https://v.firebog.net/hosts/Easylist.txt
-                - https://adaway.org/hosts.txt
-              priv:
-                - https://v.firebog.net/hosts/Easyprivacy.txt
-                - https://v.firebog.net/hosts/Prigent-Ads.txt
-              mal:
-                - https://v.firebog.net/hosts/Prigent-Crypto.txt
-              pro:
-                - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro.plus.txt
-              oisd:
-                - https://big.oisd.nl/domainswild
-            allowlists:
-              sus:
-                - |
-                  *.alexlebens.net
-                  *.alexlebens.dev
-                  *.boreal-beaufort.ts.net
-                  *.discord.com
-                  cdn.trackjs.com
-              ads:
-                - |
-                  *.alexlebens.net
-                  *.alexlebens.dev
-                  *.boreal-beaufort.ts.net
-                  *.discord.com
-                  cdn.trackjs.com
-              priv:
-                - |
-                  *.alexlebens.net
-                  *.alexlebens.dev
-                  *.boreal-beaufort.ts.net
-                  *.discord.com
-                  cdn.trackjs.com
-              mal:
-                - |
-                  *.alexlebens.net
-                  *.alexlebens.dev
-                  *.boreal-beaufort.ts.net
-                  *.discord.com
-                  cdn.trackjs.com
-              pro:
-                - |
-                  *.alexlebens.net
-                  *.alexlebens.dev
-                  *.boreal-beaufort.ts.net
-                  *.discord.com
-                  cdn.trackjs.com
-              oisd:
-                - |
-                  *.alexlebens.net
-                  *.alexlebens.dev
-                  *.boreal-beaufort.ts.net
-                  *.discord.com
-                  cdn.trackjs.com
-            clientGroupsBlock:
-              default:
-                - sus
-                - ads
-                - priv
-                - mal
-                - pro
-                - oisd
-            blockType: zeroIp
-            blockTTL: 1m
-            loading:
-              refreshPeriod: 24h
-              downloads:
-                timeout: 60s
-                attempts: 5
-                cooldown: 10s
-              concurrency: 16
-              strategy: fast
-              maxErrorsPerSource: 5
-
-          caching:
-            minTime: 5m
-            maxTime: 30m
-            maxItemsCount: 0
-            prefetching: true
-            prefetchExpires: 2h
-            prefetchThreshold: 5
-            prefetchMaxItemsCount: 0
-            cacheTimeNegative: 30m
-
-          redis:
-            address: blocky-valkey.blocky:6379
-            required: true
-
-          prometheus:
-            enable: true
-            path: /metrics
-
-          queryLog:
-            type: console
-            logRetentionDays: 7
-            creationAttempts: 1
-            creationCooldown: 2s
-            flushInterval: 30s
-
-          minTlsServeVersion: 1.3
-
-          ports:
-            dns: 53
-            http: 4000
-
-          log:
-            level: info
-            format: text
-            timestamp: true
-            privacy: false
-
-  service:
-    dns-external:
-      controller: main
-      type: LoadBalancer
-      annotations:
-        tailscale.com/expose: "true"
-      ports:
-        tcp:
-          port: 53
-          targetPort: 53
-          protocol: TCP
-        udp:
-          port: 53
-          targetPort: 53
-          protocol: UDP
-    metrics:
-      controller: main
-      ports:
-        metrics:
-          port: 4000
-          targetPort: 4000
-          protocol: TCP
-  serviceMonitor:
-    main:
-      selector:
-        matchLabels:
-          app.kubernetes.io/name: blocky
-          app.kubernetes.io/instance: blocky
-      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
-      endpoints:
-        - port: metrics
-          scheme: http
-          path: /metrics
-          interval: 30s
-          scrapeTimeout: 10s
-  persistence:
-    config:
-      enabled: true
-      type: configMap
-      name: blocky
-      advancedMounts:
-        main:
-          main:
-            - path: /app/config.yml
-              readOnly: true
-              mountPropagation: None
-              subPath: config.yml
--- a/clusters/cl01tl/helm/cert-manager/Chart.lock
+++ b/clusters/cl01tl/helm/cert-manager/Chart.lock
@@ -1,6 +0,0 @@
-dependencies:
- name: cert-manager
-  repository: https://charts.jetstack.io
-  version: v1.20.2
-digest: sha256:f218239b4538c64d57e098a56c69dcbc4e076ffcc3d320c5a5fef1e6309e38cf
-generated: "2026-04-13T23:02:59.380767677Z"
--- a/clusters/cl01tl/helm/cert-manager/Chart.yaml
+++ b/clusters/cl01tl/helm/cert-manager/Chart.yaml
@@ -1,20 +0,0 @@
-apiVersion: v2
-name: cert-manager
-version: 1.0.0
-description: Cert Manager
-keywords:
-  - cert-manager
-  - certificates
-home: https://docs.alexlebens.dev/applications/cert-manager/
-sources:
-  - https://github.com/cert-manager/cert-manager
-  - https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: cert-manager
-    version: v1.20.2
-    repository: https://charts.jetstack.io
-icon: https://raw.githubusercontent.com/cert-manager/cert-manager/refs/heads/master/logo/logo.png
-# renovate: datasource=github-releases depName=cert-manager/cert-manager
-appVersion: v1.20.2
--- a/clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl
@@ -1,24 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.cloudflareSecretName" -}}
-cert-manager-cloudflare-api-token
-{{- end -}}
-{{- define "custom.cloudflareSecretKey" -}}
-api-token
-{{- end -}}
--- a/clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
@@ -1,25 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-issuer
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: letsencrypt-issuer
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  acme:
-    email: alexanderlebens@gmail.com
-    server: https://acme-v02.api.letsencrypt.org/directory
-    privateKeySecretRef:
-      name: letsencrypt-issuer-account-key
-    solvers:
-      - selector:
-          dnsZones:
-            - "alexlebens.net"
-            - "*.alexlebens.net"
-        dns01:
-          cloudflare:
-            email: alexanderlebens@gmail.com
-            apiTokenSecretRef:
-              name: {{ include "custom.cloudflareSecretName" . }}
-              key: {{ include "custom.cloudflareSecretKey" . }}
--- a/clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
@@ -1,17 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: {{ include "custom.cloudflareSecretName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.cloudflareSecretName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: {{ include "custom.cloudflareSecretKey" . }}
-      remoteRef:
-        key: /cloudflare/alexlebens.net/cl01tl-issuer-certificate
-        property: token
--- a/clusters/cl01tl/helm/cert-manager/templates/prometheus-rule.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/prometheus-rule.yaml
@@ -1,44 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
-  name: cert-manager
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: cert-manager
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  groups:
-    - name: EmbeddedExporter
-      rules:
-        - alert: Cert-ManagerAbsent
-          expr: absent(up{job="cert-manager"})
-          for: 10m
-          labels:
-            severity: critical
-          annotations:
-            summary: Cert-Manager absent (instance {{ `{{ $labels.instance }}` }})
-            description: "Cert-Manager has disappeared from Prometheus service discovery. New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: Cert-ManagerCertificateExpiringSoon
-          expr: avg by (exported_namespace, namespace, name) (certmanager_certificate_expiration_timestamp_seconds - time()) < (21 * 24 * 3600)
-          for: 1h
-          labels:
-            severity: warning
-          annotations:
-            summary: Cert-Manager certificate expiring soon (instance {{ `{{ $labels.instance }}` }})
-            description: "The certificate {{ `{{ $labels.name }}` }} is expiring in less than 21 days.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: Cert-ManagerCertificateNotReady
-          expr: max by (name, exported_namespace, namespace, condition) (certmanager_certificate_ready_status{condition!="True"} == 1)
-          for: 10m
-          labels:
-            severity: critical
-          annotations:
-            summary: Cert-Manager certificate not ready (instance {{ `{{ $labels.instance }}` }})
-            description: "The certificate {{ `{{ $labels.name }}` }} in namespace {{ `{{ $labels.exported_namespace }}` }} is not ready to serve traffic.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: Cert-ManagerHittingACMERateLimits
-          expr: sum by (host) (rate(certmanager_acme_client_request_count{status="429"}[5m])) > 0
-          for: 5m
-          labels:
-            severity: critical
-          annotations:
-            summary: Cert-Manager hitting ACME rate limits (instance {{ `{{ $labels.instance }}` }})
-            description: "Cert-Manager is being rate-limited by the ACME provider. Certificate issuance and renewal may be blocked for up to a week.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
--- a/clusters/cl01tl/helm/cert-manager/values.yaml
+++ b/clusters/cl01tl/helm/cert-manager/values.yaml
@@ -1,21 +0,0 @@
-cert-manager:
-  crds:
-    enabled: true
-    keep: true
-  replicaCount: 2
-  podDisruptionBudget:
-    enabled: true
-    minAvailable: 1
-  extraArgs:
-    - --enable-gateway-api
-  resources:
-    requests:
-      cpu: 10m
-      memory: 64Mi
-  prometheus:
-    servicemonitor:
-      enabled: true
-      honorLabels: true
-  cainjector:
-    enabled: true
-    replicaCount: 2
--- a/clusters/cl01tl/helm/cilium/Chart.lock
+++ b/clusters/cl01tl/helm/cilium/Chart.lock
@@ -1,6 +0,0 @@
-dependencies:
- name: cilium
-  repository: https://helm.cilium.io/
-  version: 1.18.6
-digest: sha256:8ea328ac238524b5b423e6289f5e25d05ef64e6aa19cfd5de238f1d5dd533e9b
-generated: "2026-02-05T12:00:20.15778-06:00"
--- a/clusters/cl01tl/helm/cilium/Chart.yaml
+++ b/clusters/cl01tl/helm/cilium/Chart.yaml
@@ -1,21 +0,0 @@
-apiVersion: v2
-name: cilium
-version: 1.0.0
-description: Cilium
-keywords:
-  - cilium
-  - operator
-  - network
-home: https://docs.alexlebens.dev/applications/cilium/
-sources:
-  - https://github.com/cilium/cilium
-  - https://github.com/cilium/cilium/tree/main/install/kubernetes/cilium
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: cilium
-    version: 1.18.6
-    repository: https://helm.cilium.io/
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png
-# renovate: datasource=github-releases depName=cilium/cilium
-appVersion: 1.18.6
--- a/clusters/cl01tl/helm/cilium/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cilium/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
@@ -1,27 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumLoadBalancerIPPool
-metadata:
-  name: default-ip-pool
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: default-ip-pool
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  blocks:
-    - start: "10.232.1.21"
-      stop: "10.232.1.23"
-
---
-apiVersion: cilium.io/v2
-kind: CiliumLoadBalancerIPPool
-metadata:
-  name: bgp-ip-pool
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: bgp-ip-pool
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  blocks:
-    - start: "10.232.2.100"
-      stop: "10.232.2.200"
-  disabled: true
--- a/clusters/cl01tl/helm/cilium/templates/http-route.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/http-route.yaml
@@ -1,25 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: hubble
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: hubble
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - hubble.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - kind: Service
-          name: hubble-ui
-          port: 80
--- a/clusters/cl01tl/helm/cilium/values.yaml
+++ b/clusters/cl01tl/helm/cilium/values.yaml
@@ -1,92 +0,0 @@
-cilium:
-  k8sServiceHost: "localhost"
-  k8sServicePort: "7445"
-  k8sClientRateLimit:
-    qps: 50
-    burst: 100
-  rollOutCiliumPods: true
-  securityContext:
-    capabilities:
-      ciliumAgent:
-        - CHOWN
-        - KILL
-        - NET_ADMIN
-        - NET_RAW
-        - IPC_LOCK
-        - SYS_ADMIN
-        - SYS_RESOURCE
-        - DAC_OVERRIDE
-        - FOWNER
-        - SETGID
-        - SETUID
-        - PERFMON
-        - BPF
-      cleanCiliumState:
-        - NET_ADMIN
-        - SYS_ADMIN
-        - SYS_RESOURCE
-  bgpControlPlane:
-    enabled: false
-  bpf:
-    hostLegacyRouting: true
-  devices: end0 enp6s0
-  ciliumEndpointSlice:
-    enabled: true
-  gatewayAPI:
-    enabled: true
-    enableAppProtocol: true
-    enableAlpn: true
-    secretsNamespace:
-      create: false
-      name: kube-system
-  socketLB:
-    enabled: true
-    hostNamespaceOnly: true
-  hubble:
-    metrics:
-      serviceMonitor:
-        enabled: true
-    tls:
-      auto:
-        method: cronJob
-    relay:
-      enabled: true
-      prometheus:
-        serviceMonitor:
-          enabled: true
-    ui:
-      enabled: true
-  ipam:
-    mode: "kubernetes"
-  ipv4:
-    enabled: true
-  ipv6:
-    enabled: false
-  kubeProxyReplacement: true
-  prometheus:
-    enabled: true
-    serviceMonitor:
-      enabled: true
-      trustCRDsExist: true
-  envoy:
-    enabled: true
-    securityContext:
-      capabilities:
-        keepCapNetBindService: true
-        envoy:
-          - NET_ADMIN
-          - NET_BIND_SERVICE
-          - PERFMON
-          - BPF
-    prometheus:
-      serviceMonitor:
-        enabled: true
-  operator:
-    rollOutPods: true
-    prometheus:
-      serviceMonitor:
-        enabled: true
-  cgroup:
-    autoMount:
-      enabled: false
-    hostRoot: /sys/fs/cgroup
--- a/clusters/cl01tl/helm/cloudnative-pg/Chart.lock
+++ b/clusters/cl01tl/helm/cloudnative-pg/Chart.lock
@@ -1,15 +0,0 @@
-dependencies:
- name: cloudnative-pg
-  repository: https://cloudnative-pg.io/charts/
-  version: 0.28.0
- name: plugin-barman-cloud
-  repository: https://cloudnative-pg.io/charts/
-  version: 0.6.0
- name: rclone-bucket
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.4.3
- name: rclone-bucket
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.4.3
-digest: sha256:75d7078b7009082521a1bb8b49141e20b442343dabe7f76f5e7a16a352cfe205
-generated: "2026-04-26T15:36:31.678086-05:00"
--- a/clusters/cl01tl/helm/cloudnative-pg/Chart.yaml
+++ b/clusters/cl01tl/helm/cloudnative-pg/Chart.yaml
@@ -1,36 +0,0 @@
-apiVersion: v2
-name: cloudnative-pg
-version: 1.0.0
-description: Cloudnative PG
-keywords:
-  - cloudnative-pg
-  - operator
-  - postgresql
-home: https://docs.alexlebens.dev/applications/cloudnative-pg/
-sources:
-  - https://github.com/cloudnative-pg/cloudnative-pg
-  - https://github.com/cloudnative-pg/plugin-barman-cloud
-  - https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql
-  - https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
-  - https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: cloudnative-pg
-    version: 0.28.0
-    repository: https://cloudnative-pg.io/charts/
-  - name: plugin-barman-cloud
-    version: 0.6.0
-    repository: https://cloudnative-pg.io/charts/
-  - name: rclone-bucket
-    alias: rclone-postgres-backups-remote
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 0.4.3
-  - name: rclone-bucket
-    alias: rclone-postgres-backups-external
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 0.4.3
-icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png
-# renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
-appVersion: 1.29.0
--- a/clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/cloudnative-pg/values.yaml
+++ b/clusters/cl01tl/helm/cloudnative-pg/values.yaml
@@ -1,75 +0,0 @@
-cloudnative-pg:
-  replicaCount: 2
-  resources:
-    requests:
-      cpu: 10m
-      memory: 100Mi
-  monitoring:
-    podMonitorEnabled: true
-plugin-barman-cloud:
-  replicaCount: 1
-  crds:
-    create: true
-  resources:
-    requests:
-      cpu: 1m
-      memory: 20Mi
-rclone-postgres-backups-remote:
-  nameOverride: postgres-backups-remote-rclone
-  cronJob:
-    suspend: false
-    schedule: 0 6 * * 6
-  rclone:
-    source:
-      bucketName: postgres-backups
-    destination:
-      bucketName: postgres-backups
-  prune:
-    enabled: true
-    ageToPrune: 45d
-    include: "/cl01tl/*/*/*/base/**"
-    exclude: "**/walls/**"
-  secret:
-    externalSecret:
-      source:
-        credentials:
-          path: /garage/home-infra/postgres-backups
-        config:
-          path: /garage/config
-      destination:
-        credentials:
-          path: /garage/home-infra/postgres-backups
-        config:
-          path: /garage/config
-rclone-postgres-backups-external:
-  nameOverride: postgres-backups-external-rclone
-  cronJob:
-    suspend: true
-    schedule: 0 6 * * 6
-  rclone:
-    source:
-      bucketName: openbao-backups
-    destination:
-      bucketName: postgres-backups-ecc1010276b61716
-      providerType: DigitalOcean
-  prune:
-    enabled: true
-    ageToPrune: 45d
-    include: "/cl01tl/*/*/*/base/**"
-    exclude: "**/walls/**"
-  secret:
-    externalSecret:
-      source:
-        credentials:
-          path: /garage/home-infra/postgres-backups
-        config:
-          path: /garage/config
-      destination:
-        credentials:
-          path: /digital-ocean/home-infra/postgres-backups
-          keyIdProperty: AWS_ACCESS_KEY_ID
-          secretKeyProperty: AWS_SECRET_ACCESS_KEY
-          regionProperty: AWS_REGION
-        config:
-          path: /digital-ocean/config
-          endpointProperty: ENDPOINT
--- a/clusters/cl01tl/helm/coredns/Chart.lock
+++ b/clusters/cl01tl/helm/coredns/Chart.lock
@@ -1,6 +0,0 @@
-dependencies:
- name: coredns
-  repository: https://coredns.github.io/helm
-  version: 1.45.2
-digest: sha256:36ed42e4273536b6548426b4e0f51b0816d9e8fe52333bce4c61acd8ade607e8
-generated: "2026-01-24T08:01:31.043488615Z"
--- a/clusters/cl01tl/helm/coredns/Chart.yaml
+++ b/clusters/cl01tl/helm/coredns/Chart.yaml
@@ -1,21 +0,0 @@
-apiVersion: v2
-name: coredns
-version: 1.0.0
-description: CoreDNS
-keywords:
-  - coredns
-  - dns
-home: https://docs.alexlebens.dev/applications/coredns/
-sources:
-  - https://github.com/coredns/coredns
-  - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fcoredns%2Fcoredns
-  - https://github.com/coredns/helm
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: coredns
-    version: 1.45.2
-    repository: https://coredns.github.io/helm
-icon: https://raw.githubusercontent.com/coredns/coredns.io/refs/heads/master/static/images/favicon.png
-# renovate: datasource=github-releases depName=coredns/coredns
-appVersion: v1.14.3
--- a/clusters/cl01tl/helm/coredns/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/coredns/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/coredns/values.yaml
+++ b/clusters/cl01tl/helm/coredns/values.yaml
@@ -1,91 +0,0 @@
-coredns:
-  image:
-    repository: registry.k8s.io/coredns/coredns
-    tag: v1.14.2@sha256:e7e6440cfd1e919280958f5b5a6ab2b184d385bba774c12ad2a9e1e4183f90d9
-  replicaCount: 3
-  resources:
-    limits:
-      cpu: null
-      memory: null
-    requests:
-      cpu: 30m
-      memory: 30Mi
-  prometheus:
-    service:
-      enabled: true
-    monitor:
-      enabled: true
-      namespace: kube-system
-  service:
-    clusterIP: 10.96.0.10
-    clusterIPs:
-      - 10.96.0.10
-    name: kube-dns
-  serviceAccount:
-    create: true
-    name: coredns
-  priorityClassName: system-cluster-critical
-  servers:
-    - zones:
-        - zone: .
-          scheme: dns://
-          use_tcp: true
-      port: 53
-      plugins:
-        - name: errors
-        - name: health
-          configBlock: |-
-            lameduck 5s
-        - name: ready
-        - name: kubernetes
-          parameters: cluster.local in-addr.arpa ip6.arpa
-          configBlock: |-
-            pods insecure
-            fallthrough in-addr.arpa ip6.arpa
-            ttl 30
-        - name: prometheus
-          parameters: :9153
-        - name: forward
-          parameters: . /etc/resolv.conf
-        - name: cache
-          parameters: 30
-        - name: loop
-        - name: reload
-        - name: loadbalance
-    - zones:
-        - zone: alexlebens.net
-          scheme: dns://
-          use_tcp: true
-      port: 53
-      plugins:
-        - name: errors
-        - name: cache
-          parameters: 30
-        - name: prometheus
-          parameters: :9153
-        - name: forward
-          parameters: . 10.111.232.172
-    - zones:
-        - zone: ts.net
-          scheme: dns://
-          use_tcp: true
-      port: 53
-      plugins:
-        - name: errors
-        - name: cache
-          parameters: 30
-        - name: prometheus
-          parameters: :9153
-        - name: forward
-          parameters: . 10.97.20.219
-  nodeSelector:
-    kubernetes.io/os: linux
-  tolerations:
-    - key: node-role.kubernetes.io/control-plane
-      operator: Exists
-      effect: NoSchedule
-    - key: node.cloudprovider.kubernetes.io/uninitialized
-      operator: Exists
-      effect: NoSchedule
-  deployment:
-    name: coredns
--- a/clusters/cl01tl/helm/dawarich/Chart.lock
+++ b/clusters/cl01tl/helm/dawarich/Chart.lock
@@ -1,21 +0,0 @@
-dependencies:
- name: app-template
-  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.6.2
- name: postgres-cluster
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.12.1
- name: valkey
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.1.1
- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.1.1
- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.1.1
-digest: sha256:b18a6f20fd00a3477ef296e9a72256f2d6d50fc7710f577f89c06c18f990b6ef
-generated: "2026-04-28T23:31:26.580250793Z"
--- a/clusters/cl01tl/helm/dawarich/Chart.yaml
+++ b/clusters/cl01tl/helm/dawarich/Chart.yaml
@@ -1,45 +0,0 @@
-apiVersion: v2
-name: dawarich
-version: 1.0.0
-description: Dawarich
-keywords:
-  - dawarich
-  - location
-home: https://docs.alexlebens.dev/applications/dawarich/
-sources:
-  - https://github.com/Freika/dawarich
-  - https://hub.docker.com/r/freikin/dawarich
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: dawarich
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.6.2
-  - name: postgres-cluster
-    alias: postgres-18-cluster
-    version: 7.12.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: valkey
-    alias: valkey
-    version: 0.6.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: volsync-target
-    alias: volsync-target-storage
-    version: 1.1.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: volsync-target
-    alias: volsync-target-public
-    version: 1.1.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: volsync-target
-    alias: volsync-target-watched
-    version: 1.1.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
-# renovate: datasource=github-releases depName=Freika/dawarich
-appVersion: 1.7.0
--- a/clusters/cl01tl/helm/dawarich/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/dawarich/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
@@ -1,52 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: dawarich-key
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: dawarich-key
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: key
-      remoteRef:
-        key: /cl01tl/dawarich/key
-        property: key
-    - secretKey: otp-primary-key
-      remoteRef:
-        key: /cl01tl/dawarich/key
-        property: otp-primary-key
-    - secretKey: otp-deterministic-key
-      remoteRef:
-        key: /cl01tl/dawarich/key
-        property: otp-deterministic-key
-    - secretKey: otp-derivation-salt
-      remoteRef:
-        key: /cl01tl/dawarich/key
-        property: otp-derivation-salt
-
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: dawarich-oidc-authentik
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: dawarich-oidc-authentik
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: client
-      remoteRef:
-        key: /cl01tl/authentik/oidc/dawarich
-        property: client
-    - secretKey: secret
-      remoteRef:
-        key: /cl01tl/authentik/oidc/dawarich
-        property: secret
--- a/clusters/cl01tl/helm/dawarich/values.yaml
+++ b/clusters/cl01tl/helm/dawarich/values.yaml
@@ -1,378 +0,0 @@
-dawarich:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      containers:
-        main:
-          image:
-            repository: freikin/dawarich
-            tag: 1.7.0@sha256:7d5f99c61121fcfa4cbdd6a153392630d9f059ffb0156759278d3e049085ec62
-          command:
-            - "web-entrypoint.sh"
-          args:
-            - "bin/rails"
-            - "server"
-            - "-p"
-            - "3000"
-            - "-b"
-            - "::"
-          env:
-            - name: RAILS_ENV
-              value: production
-            - name: REDIS_URL
-              value: redis://dawarich-valkey.dawarich:6379
-            - name: DATABASE_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-postgresql-18-cluster-app
-                  key: host
-            - name: DATABASE_PORT
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-postgresql-18-cluster-app
-                  key: port
-            - name: DATABASE_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-postgresql-18-cluster-app
-                  key: user
-            - name: DATABASE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-postgresql-18-cluster-app
-                  key: password
-            - name: DATABASE_NAME
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-postgresql-18-cluster-app
-                  key: dbname
-            - name: APPLICATION_HOSTS
-              value: dawarich.alexlebens.net,dawarich.dawarich,localhost,::1,127.0.0.1
-            - name: TIME_ZONE
-              value: America/Chicago
-            - name: APPLICATION_PROTOCOL
-              value: http
-            - name: OIDC_ISSUER
-              value: https://authentik.alexlebens.net/application/o/darwich/
-            - name: OIDC_REDIRECT_URI
-              value: https://dawarich.alexlebens.net/users/auth/openid_connect/callback
-            - name: OIDC_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-oidc-authentik
-                  key: client
-            - name: OIDC_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-oidc-authentik
-                  key: secret
-            - name: OIDC_PROVIDER_NAME
-              value: Authentik
-            - name: OIDC_AUTO_REGISTER
-              value: true
-            - name: PROMETHEUS_EXPORTER_ENABLED
-              value: true
-            - name: PROMETHEUS_EXPORTER_HOST
-              value: 0.0.0.0
-            - name: PROMETHEUS_EXPORTER_PORT
-              value: 9394
-            - name: SECRET_KEY_BASE
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: key
-            - name: OTP_ENCRYPTION_PRIMARY_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-primary-key
-            - name: OTP_ENCRYPTION_DETERMINISTIC_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-deterministic-key
-            - name: OTP_ENCRYPTION_KEY_DERIVATION_SALT
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-derivation-salt
-            - name: RAILS_LOG_TO_STDOUT
-              value: true
-            - name: SELF_HOSTED
-              value: true
-            - name: STORE_GEODATA
-              value: true
-          probes:
-            liveness:
-              enabled: true
-              custom: true
-              spec:
-                exec:
-                  command:
-                    - /bin/sh
-                    - -c
-                    - "wget -qO - http://127.0.0.1:3000/api/v1/health | grep -q '\"status\"\\s*:\\s*\"ok\"'"
-                failureThreshold: 5
-                initialDelaySeconds: 60
-                periodSeconds: 10
-                successThreshold: 1
-                timeoutSeconds: 10
-          resources:
-            requests:
-              cpu: 20m
-              memory: 750Mi
-        sidekiq:
-          image:
-            repository: freikin/dawarich
-            tag: 1.7.0@sha256:7d5f99c61121fcfa4cbdd6a153392630d9f059ffb0156759278d3e049085ec62
-          command:
-            - "sidekiq-entrypoint.sh"
-          args:
-            - "sidekiq"
-          env:
-            - name: RAILS_ENV
-              value: production
-            - name: REDIS_URL
-              value: redis://dawarich-valkey.dawarich:6379
-            - name: DATABASE_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-postgresql-18-cluster-app
-                  key: host
-            - name: DATABASE_PORT
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-postgresql-18-cluster-app
-                  key: port
-            - name: DATABASE_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-postgresql-18-cluster-app
-                  key: user
-            - name: DATABASE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-postgresql-18-cluster-app
-                  key: password
-            - name: DATABASE_NAME
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-postgresql-18-cluster-app
-                  key: dbname
-            - name: APPLICATION_HOSTS
-              value: dawarich.alexlebens.net,dawarich.dawarich,localhost,::1,127.0.0.1
-            - name: TIME_ZONE
-              value: America/Chicago
-            - name: APPLICATION_PROTOCOL
-              value: http
-            - name: DISTANCE_UNIT
-              value: mi
-            - name: OIDC_ISSUER
-              value: https://authentik.alexlebens.net/application/o/darwich/
-            - name: OIDC_REDIRECT_URI
-              value: https://dawarich.alexlebens.net/users/auth/openid_connect/callback
-            - name: OIDC_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-oidc-authentik
-                  key: client
-            - name: OIDC_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-oidc-authentik
-                  key: secret
-            - name: OIDC_PROVIDER_NAME
-              value: Authentik
-            - name: OIDC_AUTO_REGISTER
-              value: true
-            - name: PROMETHEUS_EXPORTER_ENABLED
-              value: true
-            - name: PROMETHEUS_EXPORTER_HOST
-              value: 0.0.0.0
-            - name: PROMETHEUS_EXPORTER_PORT
-              value: 9394
-            - name: SECRET_KEY_BASE
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: key
-            - name: OTP_ENCRYPTION_PRIMARY_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-primary-key
-            - name: OTP_ENCRYPTION_DETERMINISTIC_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-deterministic-key
-            - name: OTP_ENCRYPTION_KEY_DERIVATION_SALT
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-derivation-salt
-            - name: RAILS_LOG_TO_STDOUT
-              value: true
-            - name: SELF_HOSTED
-              value: true
-            - name: STORE_GEODATA
-              value: true
-          probes:
-            liveness:
-              enabled: true
-              custom: true
-              spec:
-                exec:
-                  command:
-                    - pgrep
-                    - -f
-                    - sidekiq
-                failureThreshold: 5
-                initialDelaySeconds: 60
-                periodSeconds: 10
-                successThreshold: 1
-                timeoutSeconds: 10
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 3000
-        metrics:
-          port: 9394
-          targetPort: 9394
-  serviceMonitor:
-    main:
-      selector:
-        matchLabels:
-          app.kubernetes.io/name: dawarich
-          app.kubernetes.io/instance: dawarich
-      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
-      endpoints:
-        - port: metrics
-          interval: 30s
-          scrapeTimeout: 15s
-          path: /metrics
-  route:
-    main:
-      kind: HTTPRoute
-      parentRefs:
-        - group: gateway.networking.k8s.io
-          kind: Gateway
-          name: traefik-gateway
-          namespace: traefik
-      hostnames:
-        - dawarich.alexlebens.net
-      rules:
-        - backendRefs:
-            - name: dawarich
-              port: 80
-          matches:
-            - path:
-                type: PathPrefix
-                value: /
-  persistence:
-    storage:
-      forceRename: dawarich-storage
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 5Gi
-      advancedMounts:
-        main:
-          main:
-            - path: /var/app/storage
-              readOnly: false
-          sidekiq:
-            - path: /var/app/storage
-              readOnly: false
-    public:
-      forceRename: dawarich-public
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 5Gi
-      advancedMounts:
-        main:
-          main:
-            - path: /var/app/public
-              readOnly: false
-          sidekiq:
-            - path: /var/app/public
-              readOnly: false
-    watched:
-      forceRename: dawarich-watched
-      storageClass: ceph-block
-      accessMode: ReadWriteOnce
-      size: 1Gi
-      advancedMounts:
-        main:
-          main:
-            - path: /var/app/tmp/imports/watched
-              readOnly: false
-          sidekiq:
-            - path: /var/app/tmp/imports/watched
-              readOnly: false
-postgres-18-cluster:
-  mode: recovery
-  cluster:
-    image:
-      repository: ghcr.io/cloudnative-pg/postgis
-      tag: 18-3-system-trixie
-    initdb:
-      postInitTemplateSQL:
-        - CREATE EXTENSION postgis;
-        - CREATE EXTENSION postgis_topology;
-        - CREATE EXTENSION fuzzystrmatch;
-        - CREATE EXTENSION postgis_tiger_geocoder;
-  recovery:
-    method: objectStore
-    objectStore:
-      index: 1
-  backup:
-    objectStore:
-      - name: garage-local
-        index: 1
-        destinationBucket: postgres-backups
-        externalSecretCredentialPath: /garage/home-infra/postgres-backups
-        isWALArchiver: true
-    scheduledBackups:
-      - name: live-backup
-        suspend: false
-        immediate: true
-        schedule: "0 10 14 * * *"
-        backupName: garage-local
-volsync-target-storage:
-  pvcTarget: dawarich-storage
-  local:
-    enabled: true
-    schedule: 6 8 * * *
-  remote:
-    enabled: true
-    schedule: 6 9 * * *
-  external:
-    enabled: true
-    schedule: 6 10 * * *
-volsync-target-public:
-  pvcTarget: dawarich-public
-  local:
-    enabled: true
-    schedule: 8 8 * * *
-  remote:
-    enabled: true
-    schedule: 8 9 * * *
-  external:
-    enabled: true
-    schedule: 8 10 * * *
-volsync-target-watched:
-  pvcTarget: dawarich-watched
-  local:
-    enabled: true
-    schedule: 8 8 * * *
-  remote:
-    enabled: true
-    schedule: 8 9 * * *
-  external:
-    enabled: true
-    schedule: 8 10 * * *
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.lock
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.lock
@@ -1,6 +0,0 @@
-dependencies:
- name: democratic-csi
-  repository: https://democratic-csi.github.io/charts/
-  version: 0.15.1
-digest: sha256:e07d76a67023fb523e7d49730330995d0028faba9a4c7c3a6b87c5828921b3c3
-generated: "2026-01-08T20:33:17.610556446Z"
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.yaml
@@ -1,20 +0,0 @@
-apiVersion: v2
-name: democratic-csi-synology-iscsi
-version: 1.0.0
-description: Democratic CSI
-keywords:
-  - democratic-csi-synology-iscsi
-  - iscsi
-home: https://docs.alexlebens.dev/applications/democratic-csi-synology-iscsi/
-sources:
-  - https://github.com/democratic-csi/democratic-csi
-  - https://github.com/democratic-csi/charts/tree/master/stable/democratic-csi
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: democratic-csi
-    repository: https://democratic-csi.github.io/charts/
-    version: 0.15.1
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
-# renovate: datasource=github-releases depName=democratic-csi/democratic-csi
-appVersion: v1.9.4
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml
@@ -1,17 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: synology-iscsi-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: synology-iscsi-config
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: driver-config-file.yaml
-      remoteRef:
-        key: /cl01tl/democratic-csi-synology-iscsi/config
-        property: driver-config-file.yaml
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ .Release.Namespace }}
-    {{- include "custom.labels" . | nindent 4 }}
-    pod-security.kubernetes.io/audit: privileged
-    pod-security.kubernetes.io/enforce: privileged
-    pod-security.kubernetes.io/warn: privileged
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
@@ -1,63 +0,0 @@
-democratic-csi:
-  driver:
-    image:
-      registry: ghcr.io/democratic-csi/democratic-csi
-      tag: v1.9.5@@sha256:fc3b7d7ed3a616714139525075312758e23a5d425ffb539ad12c9bd20fb6001f
-    existingConfigSecret: synology-iscsi-config
-    config:
-      driver: synology-iscsi
-    resources:
-      requests:
-        cpu: 1m
-        memory: 128Mi
-  csiDriver:
-    name: "org.democratic-csi.iscsi-synology"
-  controller:
-    replicaCount: 3
-    externalAttacher:
-      image:
-        registry: registry.k8s.io/sig-storage/csi-attacher
-        tag: v4.11.0@sha256:b74b05b39501565022883fc128002b4cb857a7bb6c858606bcb3fdedba0b0b80
-    externalProvisioner:
-      image:
-        registry: registry.k8s.io/sig-storage/csi-provisioner
-        tag: v3.6.4@sha256:e7ad666f1d9b0caa077c7f0c157c9f87d1e73858390732496f66dcc716ff10c5
-    externalResizer:
-      image:
-        registry: registry.k8s.io/sig-storage/csi-resizer
-        tag: v1.9.4@sha256:522911ef68bd2c5c17d90fb2a6d2b2fb72ae790f2c1463a466b4262a07fdbf5a
-    externalSnapshotter:
-      image:
-        registry: registry.k8s.io/sig-storage/csi-snapshotter
-        tag: v8.5.0@sha256:da081c27e8a6d91f36042c1942362d0515ced8d06e18c11b8f893e58c4d6d797
-  storageClasses:
-    - name: synology-iscsi-delete
-      defaultClass: false
-      reclaimPolicy: Delete
-      volumeBindingMode: Immediate
-      allowVolumeExpansion: true
-      parameters:
-        fsType: ext4
-    - name: synology-iscsi-retain
-      defaultClass: false
-      reclaimPolicy: Retain
-      volumeBindingMode: Immediate
-      allowVolumeExpansion: true
-      parameters:
-        fsType: ext4
-  node:
-    hostPID: true
-    rbac:
-      enabled: true
-    driver:
-      extraEnv:
-        - name: ISCSIADM_HOST_STRATEGY
-          value: nsenter
-        - name: ISCSIADM_HOST_PATH
-          value: /usr/local/sbin/iscsiadm
-      iscsiDirHostPath: /var/iscsi
-      iscsiDirHostPathType: ""
-  driverRegistrar:
-    image:
-      registry: registry.k8s.io/sig-storage/csi-node-driver-registrar
-      tag: v2.16.0@sha256:ab482308a4921e28a6df09a16ab99a457e9af9641ff44fb1be1a690d07ce8b70
--- a/clusters/cl01tl/helm/descheduler/Chart.lock
+++ b/clusters/cl01tl/helm/descheduler/Chart.lock
@@ -1,6 +0,0 @@
-dependencies:
- name: descheduler
-  repository: https://kubernetes-sigs.github.io/descheduler/
-  version: 0.35.1
-digest: sha256:ed7cc8068b83ac483fda3a781227b35e12a34abdca214b5490e7036c89db1a95
-generated: "2026-03-09T21:21:45.788316167Z"
--- a/clusters/cl01tl/helm/descheduler/Chart.yaml
+++ b/clusters/cl01tl/helm/descheduler/Chart.yaml
@@ -1,21 +0,0 @@
-apiVersion: v2
-name: descheduler
-version: 1.0.0
-description: Descheduler
-keywords:
-  - descheduler
-  - kube-scheduler
-home: https://docs.alexlebens.dev/applications/descheduler/
-sources:
-  - https://github.com/kubernetes-sigs/descheduler
-  - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fdescheduler%2Fdescheduler
-  - https://github.com/kubernetes-sigs/descheduler/tree/master/charts/descheduler
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: descheduler
-    version: 0.35.1
-    repository: https://kubernetes-sigs.github.io/descheduler/
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
-# renovate: datasource=github-releases depName=kubernetes-sigs/descheduler
-appVersion: v0.35.1
--- a/clusters/cl01tl/helm/descheduler/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/descheduler/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/descheduler/values.yaml
+++ b/clusters/cl01tl/helm/descheduler/values.yaml
@@ -1,79 +0,0 @@
-descheduler:
-  image:
-    repository: registry.k8s.io/descheduler/descheduler
-    tag: v0.35.1@sha256:871d3b804390b0b8c7cb09d4e9b7856cf30e31f9e9e3d29562b0301a10453bb1
-  kind: Deployment
-  resources:
-    limits:
-      cpu: null
-      memory: null
-    requests:
-      cpu: 10m
-      memory: 50Mi
-  deschedulingInterval: 5m
-  replicas: 3
-  leaderElection:
-    enabled: true
-    leaseDuration: 15s
-    renewDeadline: 10s
-    retryPeriod: 2s
-    resourceLock: "leases"
-    resourceName: "descheduler"
-    resourceNamespace: "descheduler"
-  deschedulerPolicy:
-    profiles:
-      - name: default
-        pluginConfig:
-          - name: DefaultEvictor
-            args:
-              ignorePvcPods: true
-              evictLocalStoragePods: false
-              evictDaemonSetPods: false
-          - name: RemoveDuplicates
-          - name: RemovePodsViolatingNodeAffinity
-            args:
-              nodeAffinityType:
-              - requiredDuringSchedulingIgnoredDuringExecution
-          - name: RemovePodsViolatingNodeTaints
-          - name: RemovePodsViolatingInterPodAntiAffinity
-          - name: RemovePodsViolatingTopologySpreadConstraint
-          - name: "HighNodeUtilization"
-            args:
-              thresholds:
-                cpu : 80
-                memory: 80
-                pods: 90
-              evictableNamespaces:
-                exclude:
-                  - "kube-system"
-              evictionModes:
-                - "OnlyThresholdingResources"
-          - name: LowNodeUtilization
-            args:
-              thresholds:
-                cpu: 20
-                memory: 20
-                pods: 20
-              targetThresholds:
-                cpu: 50
-                memory: 50
-                pods: 60
-        plugins:
-          balance:
-            enabled:
-              - RemoveDuplicates
-              - RemovePodsViolatingTopologySpreadConstraint
-              - LowNodeUtilization
-          deschedule:
-            enabled:
-              - RemovePodsViolatingNodeTaints
-              - RemovePodsViolatingNodeAffinity
-              - RemovePodsViolatingInterPodAntiAffinity
-  rbac:
-    create: true
-  serviceAccount:
-    create: true
-  service:
-    enabled: true
-  serviceMonitor:
-    enabled: true
--- a/clusters/cl01tl/helm/directus/Chart.lock
+++ b/clusters/cl01tl/helm/directus/Chart.lock
@@ -1,15 +0,0 @@
-dependencies:
- name: app-template
-  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.6.2
- name: postgres-cluster
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.12.1
- name: valkey
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
- name: rclone-bucket
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.4.3
-digest: sha256:df3b79c6b8868d749d98d232741fef4a26b73894bce3bf4588581340c15fc3da
-generated: "2026-04-26T21:06:27.85398357Z"
--- a/clusters/cl01tl/helm/directus/Chart.yaml
+++ b/clusters/cl01tl/helm/directus/Chart.yaml
@@ -1,37 +0,0 @@
-apiVersion: v2
-name: directus
-version: 1.0.0
-description: Directus
-keywords:
-  - directus
-  - content-management-system
-home: https://docs.alexlebens.dev/applications/directus/
-sources:
-  - https://github.com/directus/directus
-  - https://github.com/directus/directus/pkgs/container/directus
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: app-template
-    alias: directus
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.6.2
-  - name: postgres-cluster
-    alias: postgres-18-cluster
-    version: 7.12.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: valkey
-    alias: valkey
-    version: 0.6.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: rclone-bucket
-    alias: rclone-directus-assets-remote
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 0.4.3
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
-# renovate: datasource=github-releases depName=directus/directus
-appVersion: 11.17.3
--- a/clusters/cl01tl/helm/directus/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/directus/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/directus/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/directus/templates/external-secret.yaml
@@ -1,125 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-config
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: key
-      remoteRef:
-        key: /cl01tl/directus/key
-        property: key
-    - secretKey: secret
-      remoteRef:
-        key: /cl01tl/directus/key
-        property: secret
-    - secretKey: admin-email
-      remoteRef:
-        key: /cl01tl/directus/config
-        property: admin-email
-    - secretKey: admin-password
-      remoteRef:
-        key: /cl01tl/directus/config
-        property: admin-password
-
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-metric-token
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-metric-token
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: metric-token
-      remoteRef:
-        key: /cl01tl/directus/metrics
-        property: metric-token
-
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-valkey-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-valkey-config
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: user
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: user
-    - secretKey: password
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: password
-    - secretKey: default
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: password
-
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-oidc-authentik
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-oidc-authentik
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: OIDC_CLIENT_ID
-      remoteRef:
-        key: /cl01tl/authentik/oidc/directus
-        property: client
-    - secretKey: OIDC_CLIENT_SECRET
-      remoteRef:
-        key: /cl01tl/authentik/oidc/directus
-        property: secret
-
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-bucket-garage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-bucket-garage
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        key: /garage/home-infra/directus-assets
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        key: /garage/home-infra/directus-assets
-        property: ACCESS_SECRET_KEY
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        key: /garage/home-infra/directus-assets
-        property: ACCESS_REGION
--- a/clusters/cl01tl/helm/directus/values.yaml
+++ b/clusters/cl01tl/helm/directus/values.yaml
@@ -1,237 +0,0 @@
-directus:
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      containers:
-        main:
-          image:
-            repository: ghcr.io/directus/directus
-            tag: 11.17.3@sha256:ae6ab737fd04077d295bbefa545cc4aefccc206e3d0120c83812f9b482a8c9a5
-          env:
-            - name: PUBLIC_URL
-              value: https://directus.alexlebens.net
-            - name: WEBSOCKETS_ENABLED
-              value: true
-            - name: ADMIN_EMAIL
-              valueFrom:
-                secretKeyRef:
-                  name: directus-config
-                  key: admin-email
-            - name: ADMIN_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: directus-config
-                  key: admin-password
-            - name: SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: directus-config
-                  key: secret
-            - name: KEY
-              valueFrom:
-                secretKeyRef:
-                  name: directus-config
-                  key: key
-            - name: DB_CLIENT
-              value: postgres
-            - name: DB_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: directus-postgresql-18-cluster-app
-                  key: host
-            - name: DB_DATABASE
-              valueFrom:
-                secretKeyRef:
-                  name: directus-postgresql-18-cluster-app
-                  key: dbname
-            - name: DB_PORT
-              valueFrom:
-                secretKeyRef:
-                  name: directus-postgresql-18-cluster-app
-                  key: port
-            - name: DB_USER
-              valueFrom:
-                secretKeyRef:
-                  name: directus-postgresql-18-cluster-app
-                  key: user
-            - name: DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: directus-postgresql-18-cluster-app
-                  key: password
-            - name: SYNCHRONIZATION_STORE
-              value: redis
-            - name: CACHE_ENABLED
-              value: true
-            - name: CACHE_STORE
-              value: redis
-            - name: REDIS_ENABLED
-              value: true
-            - name: REDIS_HOST
-              value: directus-valkey
-            - name: REDIS_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: directus-valkey-config
-                  key: user
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: directus-valkey-config
-                  key: password
-            - name: STORAGE_LOCATIONS
-              value: s3
-            - name: STORAGE_S3_DRIVER
-              value: s3
-            - name: STORAGE_S3_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: directus-bucket-garage
-                  key: ACCESS_KEY_ID
-            - name: STORAGE_S3_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: directus-bucket-garage
-                  key: ACCESS_SECRET_KEY
-            - name: STORAGE_S3_REGION
-              valueFrom:
-                secretKeyRef:
-                  name: directus-bucket-garage
-                  key: ACCESS_REGION
-            - name: STORAGE_S3_BUCKET
-              value: directus-assets
-            - name: STORAGE_S3_ENDPOINT
-              value: http://garage-main.garage:3900
-            - name: STORAGE_S3_FORCE_PATH_STYLE
-              value: true
-            - name: AUTH_PROVIDERS
-              value: AUTHENTIK
-            - name: AUTH_AUTHENTIK_DRIVER
-              value: openid
-            - name: AUTH_AUTHENTIK_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: directus-oidc-authentik
-                  key: OIDC_CLIENT_ID
-            - name: AUTH_AUTHENTIK_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: directus-oidc-authentik
-                  key: OIDC_CLIENT_SECRET
-            - name: AUTH_AUTHENTIK_SCOPE
-              value: openid profile email
-            - name: AUTH_AUTHENTIK_ISSUER_URL
-              value: https://authentik.alexlebens.net/application/o/directus/.well-known/openid-configuration
-            - name: AUTH_AUTHENTIK_IDENTIFIER_KEY
-              value: email
-            - name: AUTH_AUTHENTIK_ALLOW_PUBLIC_REGISTRATION
-              value: true
-            - name: AUTH_AUTHENTIK_LABEL
-              value: Authentik
-            - name: TELEMETRY
-              value: false
-            - name: METRICS_ENABLED
-              value: true
-            - name: METRICS_TOKENS
-              valueFrom:
-                secretKeyRef:
-                  name: directus-metric-token
-                  key: metric-token
-          resources:
-            requests:
-              cpu: 10m
-              memory: 300Mi
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 80
-          targetPort: 8055
-  serviceMonitor:
-    main:
-      selector:
-        matchLabels:
-          app.kubernetes.io/name: directus
-          app.kubernetes.io/instance: directus
-      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
-      endpoints:
-        - port: http
-          interval: 30s
-          scrapeTimeout: 15s
-          path: /metrics
-          bearerTokenSecret:
-            name: directus-metric-token
-            key: metric-token
-  route:
-    main:
-      kind: HTTPRoute
-      parentRefs:
-        - group: gateway.networking.k8s.io
-          kind: Gateway
-          name: traefik-gateway
-          namespace: traefik
-      hostnames:
-        - directus.alexlebens.net
-      rules:
-        - backendRefs:
-            - name: directus
-              port: 80
-          matches:
-            - path:
-                type: PathPrefix
-                value: /
-postgres-18-cluster:
-  mode: recovery
-  recovery:
-    method: objectStore
-    objectStore:
-      index: 1
-  backup:
-    objectStore:
-      - name: garage-local
-        index: 1
-        destinationBucket: postgres-backups
-        externalSecretCredentialPath: /garage/home-infra/postgres-backups
-        isWALArchiver: true
-    scheduledBackups:
-      - name: live-backup
-        suspend: false
-        immediate: true
-        schedule: "0 15 14 * * *"
-        backupName: garage-local
-valkey:
-  valkey:
-    auth:
-      enabled: true
-      usersExistingSecret: directus-valkey-config
-      aclUsers:
-        default:
-          permissions: "~* &* +@all"
-    # No option to configure metrics when auth is enabled
-    # https://github.com/valkey-io/valkey-helm/issues/135
-    metrics:
-      enabled: false
-rclone-directus-assets-remote:
-  cronJob:
-    suspend: false
-    schedule: 0 0 * * *
-  rclone:
-    source:
-      bucketName: directus-assets
-    destination:
-      bucketName: directus-assets
-  secret:
-    externalSecret:
-      source:
-        credentials:
-          path: /garage/home-infra/directus-assets
-        config:
-          path: /garage/config
-      destination:
-        credentials:
-          path: /garage/home-infra/directus-assets
-        config:
-          path: /garage/config
--- a/clusters/cl01tl/helm/elastic-operator/Chart.lock
+++ b/clusters/cl01tl/helm/elastic-operator/Chart.lock
@@ -1,6 +0,0 @@
-dependencies:
- name: eck-operator
-  repository: https://helm.elastic.co
-  version: 3.3.2
-digest: sha256:ac7a849a6d8244ef56c11f18438c4c76133f92d245228c5a1c8369d42562c177
-generated: "2026-04-01T21:30:02.975920565Z"
--- a/clusters/cl01tl/helm/elastic-operator/Chart.yaml
+++ b/clusters/cl01tl/helm/elastic-operator/Chart.yaml
@@ -1,21 +0,0 @@
-apiVersion: v2
-name: elastic-operator
-version: 1.0.0
-description: Elastic Cloud on Kubernetes
-keywords:
-  - elastic-operator
-  - operator
-  - elastic-search
-home: https://docs.alexlebens.dev/applications/elastic-operator/
-sources:
-  - https://github.com/elastic/cloud-on-k8s
-  - https://github.com/elastic/cloud-on-k8s/tree/main/deploy/eck-operator
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: eck-operator
-    version: 3.3.2
-    repository: https://helm.elastic.co
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/elastic.png
-# renovate: datasource=github-releases depName=elastic/cloud-on-k8s
-appVersion: v3.3.2
--- a/clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/elastic-operator/values.yaml
+++ b/clusters/cl01tl/helm/elastic-operator/values.yaml
@@ -1,21 +0,0 @@
-eck-operator:
-  managedNamespaces:
-    - stalwart
-    - tubearchivist
-  installCRDs: true
-  replicaCount: 2
-  resources:
-    limits:
-      cpu: null
-      memory: null
-    requests:
-      cpu: 2m
-      memory: 50Mi
-  telemetry:
-    disabled: true
-  config:
-    logVerbosity: "0"
-    metrics:
-      port: "9000"
-  podMonitor:
-    enabled: true
--- a/clusters/cl01tl/helm/element-web/Chart.lock
+++ b/clusters/cl01tl/helm/element-web/Chart.lock
@@ -1,9 +0,0 @@
-dependencies:
- name: element-web
-  repository: https://ananace.gitlab.io/charts
-  version: 1.4.34
- name: cloudflared
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.6.0
-digest: sha256:e988be9f997351a8f658bf5151ec4fb04ae7d877389c9bf01b7331e1a58005ef
-generated: "2026-04-24T21:06:15.882448748Z"
--- a/clusters/cl01tl/helm/element-web/Chart.yaml
+++ b/clusters/cl01tl/helm/element-web/Chart.yaml
@@ -1,25 +0,0 @@
-apiVersion: v2
-name: element-web
-version: 1.0.0
-description: Element Web
-keywords:
-  - element-web
-  - matrix-chat
-home: https://docs.alexlebens.dev/applications/element-web/
-sources:
-  - https://github.com/element-hq/element-web
-  - https://github.com/element-hq/element-web/pkgs/container/element-web
-  - https://gitlab.com/ananace/charts/-/tree/master/charts/element-web
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: element-web
-    version: 1.4.34
-    repository: https://ananace.gitlab.io/charts
-  - name: cloudflared
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.6.0
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
-# renovate: datasource=github-releases depName=element-hq/element-web
-appVersion: v1.12.15
--- a/clusters/cl01tl/helm/element-web/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/element-web/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/element-web/values.yaml
+++ b/clusters/cl01tl/helm/element-web/values.yaml
@@ -1,23 +0,0 @@
-element-web:
-  replicaCount: 1
-  image:
-    repository: ghcr.io/element-hq/element-web
-    tag: v1.12.15@sha256:c7fa40b5ba3891f8af3ce63da0818f457c1802a9ee4d2f5e46a9df36a2388eed
-  defaultServer:
-    url: https://matrix.alexlebens.dev
-    name: alexlebens.dev
-    identity_url: https://alexlebens.dev
-  config:
-    disable_3pid_login: true
-    brand: "Alex Lebens"
-    branding:
-      welcome_background_url: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/background.jpg
-      auth_header_logo_url: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/logo-new-round.png
-    sso_redirect_options:
-      immediate: true
-    default_theme: dark
-    default_country_code: US
-  resources:
-    requests:
-      cpu: 1m
-      memory: 10Mi
--- a/clusters/cl01tl/helm/eraser/Chart.lock
+++ b/clusters/cl01tl/helm/eraser/Chart.lock
@@ -1,9 +0,0 @@
-dependencies:
- name: eraser
-  repository: https://eraser-dev.github.io/eraser/charts
-  version: 1.4.1
- name: app-template
-  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.6.2
-digest: sha256:8414813d3d9d195b16ef7ebf814f7095a16413f4b0e579fcb37738000624f68c
-generated: "2026-04-08T21:39:05.689756-05:00"
--- a/Show More
+++ b/Show More