chore(deps): update tdarr to v2.69.01

2026-04-16 12:05:16 +00:00
105 changed files with 510 additions and 801 deletions
--- a/.gitea/workflows/renovate.yaml
+++ b/.gitea/workflows/renovate.yaml
@@ -13,7 +13,7 @@ on:
 jobs:
  renovate:
    runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.132.1@sha256:2ccc5b1f0340593c40e1598547aa98feee4e521a0906a423fe0be0431a733dfa
+    container: ghcr.io/renovatebot/renovate:43.123.4@sha256:118803cb3c32cdc39ff654c18baabf30f214d4158873277a154ec815d85ceb1d
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
--- a/clusters/cl01tl/helm/actual/Chart.lock
+++ b/clusters/cl01tl/helm/actual/Chart.lock
@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
-digest: sha256:1c04c187e6cf768117f7f91f3a3b082937ad5854c1cf6a681ad7c02687cd543d
+- name: volsync-target
-generated: "2026-04-18T20:15:22.778699-05:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
 digest: sha256:ff81b3d8fc831e4b8048f646fffcf597aa7410e52ecf27690eab8104047dbe6f
 generated: "2026-03-06T01:04:41.514235218Z"
--- a/clusters/cl01tl/helm/actual/Chart.yaml
+++ b/clusters/cl01tl/helm/actual/Chart.yaml
@@ -18,10 +18,10 @@ dependencies:
    alias: actual
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
-  # - name: volsync-target
+  - name: volsync-target
-  #   alias: volsync-target-data
+    alias: volsync-target-data
-  #   version: 0.8.0
+    version: 0.8.0
-  #   repository: oci://harbor.alexlebens.net/helm-charts
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
 # renovate: datasource=github-releases depName=actualbudget/actual
 appVersion: 26.4.0
--- a/clusters/cl01tl/helm/argocd/Chart.lock
+++ b/clusters/cl01tl/helm/argocd/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
  repository: https://argoproj.github.io/argo-helm
-  version: 9.5.2
+  version: 9.5.0
-digest: sha256:5d9e6405ee944bf94df6af247164ebb9b8899144853b9a7eafabe8606affe84e
+digest: sha256:69daada0822f796cd49eeda2d9e39dd5c0c42bb61b6898af68123c8c49f25fa1
-generated: "2026-04-19T19:53:40.43789-05:00"
+generated: "2026-04-08T22:05:49.003208408Z"
--- a/clusters/cl01tl/helm/argocd/Chart.yaml
+++ b/clusters/cl01tl/helm/argocd/Chart.yaml
@@ -13,8 +13,8 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: argo-cd
-    version: 9.5.2
+    version: 9.5.0
    repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-cd
-appVersion: v3.3.7
+appVersion: v3.3.6
--- a/clusters/cl01tl/helm/argocd/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/argocd/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "argocd.labels" -}}
 {{ include "argocd.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "argocd.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/argocd/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/argocd/templates/external-secret.yaml
@@ -1,40 +1,70 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-oidc-authentik
+  name: argocd-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: argocd-oidc-authentik
+    app.kubernetes.io/name: argocd-oidc-secret
-    {{- include "argocd.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: secret
      remoteRef:
-        key: /cl01tl/authentik/oidc/argocd
+        key: /authentik/oidc/argocd
        property: secret
    - secretKey: client
      remoteRef:
-        key: /cl01tk/authentik/oidc/argocd
+        key: /authentik/oidc/argocd
        property: client
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-notifications-ntfy
+  name: argocd-notifications-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: argocd-notifications-ntfy
+    app.kubernetes.io/name: argocd-notifications-secret
-    {{- include "argocd.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: ntfy-token
      remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
+        key: /ntfy/user/cl01tl
        property: token
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: argocd-gitea-repo-infrastructure-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: type
      remoteRef:
        key: /cl01tl/argocd/credentials/repo/infrastructure
        property: type
    - secretKey: url
      remoteRef:
        key: /cl01tl/argocd/credentials/repo/infrastructure
        property: url
    - secretKey: sshPrivateKey
      remoteRef:
        key: /cl01tl/argocd/credentials/repo/infrastructure
        property: sshPrivateKey
--- a/clusters/cl01tl/helm/argocd/values.yaml
+++ b/clusters/cl01tl/helm/argocd/values.yaml
@@ -13,8 +13,8 @@ argo-cd:
        connectors:
        - config:
            issuer: https://authentik.alexlebens.net/application/o/argocd/
-            clientID: $argocd-oidc-authentik:client
+            clientID: $argocd-oidc-secret:client
-            clientSecret: $argocd-oidc-authentik:secret
+            clientSecret: $argocd-oidc-secret:secret
            insecureEnableGroups: true
            scopes:
              - openid
@@ -205,7 +205,7 @@ argo-cd:
    argocdUrl: https://argocd.alexlebens.net
    secret:
      create: false
-      name: argocd-notifications-ntfy
+      name: argocd-notifications-secret
    metrics:
      enabled: true
      serviceMonitor:
--- a/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
@@ -32,4 +32,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 # renovate: datasource=github-releases depName=advplyr/audiobookshelf
-appVersion: 2.33.2
+appVersion: 2.33.1
--- a/clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl
@@ -1,27 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "audiobookshelf.labels" -}}
 {{ include "audiobookshelf.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "audiobookshelf.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "audiobookshelf.booksNfsName" -}}
 audiobookshelf-books-nfs-storage
 {{- end -}}
 {{- define "audiobookshelf.audiobooksNfsName" -}}
 audiobookshelf-audiobooks-nfs-storage
 {{- end -}}
 {{- define "audiobookshelf.podcastsNfsName" -}}
 audiobookshelf-podcasts-nfs-storage
 {{- end -}}
--- a/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
@@ -1,23 +1,18 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: audiobookshelf-config-apprise
+  name: audiobookshelf-apprise-config
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: audiobookshelf-config-apprise
+    app.kubernetes.io/name: audiobookshelf-apprise-config
-    {{- include "audiobookshelf.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        ntfy-url: "{{ `{{ .internal-endpoint-credential }}` }}/audiobookshelf"
  data:
-    - secretKey: internal-endpoint-credential
+    - secretKey: ntfy-url
      remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
+        key: /cl01tl/audiobookshelf/apprise
-        property: internal-endpoint-credential
+        property: ntfy-url
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{- include "audiobookshelf.booksNfsName" . }}
+  name: audiobookshelf-books-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{- include "audiobookshelf.booksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
-    {{- include "audiobookshelf.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{- include "audiobookshelf.booksNfsName" . }}
+  volumeName: audiobookshelf-books-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{- include "audiobookshelf.audiobooksNfsName" . }}
+  name: audiobookshelf-audiobooks-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{- include "audiobookshelf.audiobooksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
-    {{- include "audiobookshelf.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{- include "audiobookshelf.audiobooksNfsName" . }}
+  volumeName: audiobookshelf-audiobooks-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
@@ -37,13 +39,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{- include "audiobookshelf.podcastsNfsName" . }}
+  name: audiobookshelf-podcasts-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{- include "audiobookshelf.podcastsNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
-    {{- include "audiobookshelf.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{- include "audiobookshelf.podcastsNfsName" . }}
+  volumeName: audiobookshelf-podcasts-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{- include "audiobookshelf.booksNfsName" . }}
+  name: audiobookshelf-books-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{- include "audiobookshelf.booksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
-    {{- include "audiobookshelf.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{- include "audiobookshelf.audiobooksNfsName" . }}
+  name: audiobookshelf-audiobooks-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{- include "audiobookshelf.audiobooksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
-    {{- include "audiobookshelf.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -49,11 +51,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{- include "audiobookshelf.podcastsNfsName" . }}
+  name: audiobookshelf-podcasts-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{- include "audiobookshelf.podcastsNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
-    {{- include "audiobookshelf.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
--- a/clusters/cl01tl/helm/audiobookshelf/values.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/values.yaml
@@ -12,7 +12,7 @@ audiobookshelf:
        main:
          image:
            repository: ghcr.io/advplyr/audiobookshelf
-            tag: 2.33.2@sha256:a44ed89b3e845faa1f7d353f2cc89b2fcd8011737dd14075fa963cf9468da3a5
+            tag: 2.33.1@sha256:a4a5841bba093d81e5f4ad1eaedb4da3fda6dbb2528c552349da50ad1f7ae708
          env:
            - name: TZ
              value: America/Chicago
@@ -40,7 +40,7 @@ audiobookshelf:
            - name: APPRISE_STATELESS_URLS
              valueFrom:
                secretKeyRef:
-                  name: audiobookshelf-config-apprise
+                  name: audiobookshelf-apprise-config
                  key: ntfy-url
  service:
    main:
--- a/clusters/cl01tl/helm/authentik/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/authentik/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "authentik.labels" -}}
 {{ include "authentik.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "authentik.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/authentik/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/external-secret.yaml
@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: authentik-key
+  name: authentik-key-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: authentik-key
+    app.kubernetes.io/name: authentik-key-secret
-    {{- include "authentik.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: key
      remoteRef:
--- a/clusters/cl01tl/helm/authentik/templates/ingress.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/ingress.yaml
@@ -1,12 +1,13 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ .Release.Name }}-tailscale
+  name: authentik-tailscale
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
+    app.kubernetes.io/name: authentik-tailscale
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
    tailscale.com/proxy-class: no-metrics
    {{- include "authentik.labels" . | nindent 4 }}
  annotations:
    tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
 spec:
--- a/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: allow-outpost-cross-namespace-access
-    {{- include "authentik.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  from:
    - group: gateway.networking.k8s.io
--- a/clusters/cl01tl/helm/authentik/values.yaml
+++ b/clusters/cl01tl/helm/authentik/values.yaml
@@ -4,7 +4,7 @@ authentik:
      - name: AUTHENTIK_SECRET_KEY
        valueFrom:
          secretKeyRef:
-            name: authentik-key
+            name: authentik-key-secret
            key: key
      - name: AUTHENTIK_POSTGRESQL__HOST
        valueFrom:
--- a/clusters/cl01tl/helm/backrest/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/backrest/templates/_helpers.tpl
@@ -1,24 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "backrest.labels" -}}
 {{ include "backrest.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "backrest.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "backrest.storageNfsName" -}}
 backrest-nfs-storage
 {{- end -}}
 {{- define "backrest.shareNfsName" -}}
 backrest-nfs-share
 {{- end -}}
--- a/clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{- include "backrest.storageNfsName" . }}
+  name: backrest-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{- include "backrest.storageNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-storage
-    {{- include "backrest.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{- include "backrest.storageNfsName" . }}
+  volumeName: backrest-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{- include "backrest.shareNfsName" . }}
+  name: backrest-nfs-share
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{- include "backrest.shareNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-share
-    {{- include "backrest.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{- include "backrest.shareNfsName" . }}
+  volumeName: backrest-nfs-share
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{- include "backrest.storageNfsName" . }}
+  name: backrest-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{- include "backrest.storageNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-storage
-    {{- include "backrest.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{- include "backrest.shareNfsName" . }}
+  name: backrest-nfs-share
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{- include "backrest.shareNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-share
-    {{- include "backrest.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
--- a/clusters/cl01tl/helm/bazarr/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/bazarr/templates/_helpers.tpl
@@ -1,21 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "bazarr.labels" -}}
 {{ include "bazarr.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "bazarr.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "bazarr.storageNfsName" -}}
 bazarr-nfs-storage
 {{- end -}}
--- a/clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: bazarr-key
+  name: bazarr-key-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: bazarr-key
+    app.kubernetes.io/name: bazarr-key-secret
-    {{- include "bazarr.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: key
      remoteRef:
--- a/clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{- include "bazarr.storageNfsName" . }}
+  name: bazarr-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{- include "bazarr.storageNfsName" . }}
+    app.kubernetes.io/name: bazarr-nfs-storage
-    {{- include "bazarr.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ .Template.Name }}
+  volumeName: bazarr-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{- include "bazarr.storageNfsName" . }}
+  name: bazarr-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{- include "bazarr.storageNfsName" . }}
+    app.kubernetes.io/name: bazarr-nfs-storage
-    {{- include "bazarr.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
--- a/clusters/cl01tl/helm/bazarr/values.yaml
+++ b/clusters/cl01tl/helm/bazarr/values.yaml
@@ -39,7 +39,7 @@ bazarr:
            - name: APIKEY
              valueFrom:
                secretKeyRef:
-                  name: bazarr-key
+                  name: bazarr-key-secret
                  key: key
            - name: ENABLE_ADDITIONAL_METRICS
              value: false
--- a/clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl
@@ -1,24 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "cert-manager.labels" -}}
 {{ include "cert-manager.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "cert-manager.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "cert-manager.cloudflareSecretName" -}}
 cert-manager-cloudflare-api-token
 {{- end -}}
 {{- define "cert-manager.cloudflareSecretKey" -}}
 api-token
 {{- end -}}
--- a/clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: letsencrypt-issuer
-    {{- include "cert-manager.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  acme:
    email: alexanderlebens@gmail.com
@@ -21,5 +22,5 @@ spec:
          cloudflare:
            email: alexanderlebens@gmail.com
            apiTokenSecretRef:
-              name: {{- include "cert-manager.cloudflareSecretName" . }}
+              name: cloudflare-api-token
-              key: {{- include "cert-manager.cloudflareSecretKey" . }}
+              key: api-token
--- a/clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
@@ -1,17 +1,18 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: {{- include "cert-manager.cloudflareSecretName" . }}
+  name: cloudflare-api-token
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{- include "cert-manager.cloudflareSecretName" . }}
+    app.kubernetes.io/name: cloudflare-api-token
-    {{- include "cert-manager.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
-    - secretKey: {{- include "cert-manager.cloudflareSecretKey" . }}
+    - secretKey: api-token
      remoteRef:
-        key: /cloudflare/alexlebens.net/cl01tl-issuer-certificate
+        key: /cloudflare/alexlebens.net/clusterissuer
        property: token
--- a/clusters/cl01tl/helm/cilium/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cilium/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "cilium.labels" -}}
 {{ include "cilium.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "cilium.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml
@@ -0,0 +1,19 @@
 # apiVersion: cilium.io/v2
 # kind: CiliumBGPAdvertisement
 # metadata:
 #   name: cilium-bgp-advertisements
 #   namespace: {{ .Release.Namespace }}
 #   labels:
 #     app.kubernetes.io/name: cilium-bgp-advertisements
 #     app.kubernetes.io/instance: {{ .Release.Name }}
 #     app.kubernetes.io/part-of: {{ .Release.Name }}
 # spec:
 #   advertisements:
 #     - advertisementType: "Service"
 #       service:
 #         addresses:
 #           - ExternalIP
 #           - LoadBalancerIP
 #       selector:
 #         matchExpressions:
 #          - {key: somekey, operator: NotIn, values: ['never-used-value']}
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml
@@ -0,0 +1,22 @@
 # apiVersion: cilium.io/v2
 # kind: CiliumBGPClusterConfig
 # metadata:
 #   name: cilium-bgp
 #   namespace: {{ .Release.Namespace }}
 #   labels:
 #     app.kubernetes.io/name: cilium-bgp
 #     app.kubernetes.io/instance: {{ .Release.Name }}
 #     app.kubernetes.io/part-of: {{ .Release.Name }}
 # spec:
 #   nodeSelector:
 #     matchLabels:
 #       node-role.kubernetes.io/bgp: "65020"
 #   bgpInstances:
 #     - name: "65020"
 #       localASN: 65020
 #       peers:
 #         - name: "udm-65000"
 #           peerASN: 65000
 #           peerAddress: 192.168.1.1
 #           peerConfigRef:
 #             name: "cilium-peer"
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml
@@ -0,0 +1,23 @@
 # apiVersion: cilium.io/v2
 # kind: CiliumBGPPeerConfig
 # metadata:
 #   name: cilium-peer
 #   namespace: {{ .Release.Namespace }}
 #   labels:
 #     app.kubernetes.io/name: cilium-peer
 #     app.kubernetes.io/instance: {{ .Release.Name }}
 #     app.kubernetes.io/part-of: {{ .Release.Name }}
 # spec:
 #   timers:
 #     holdTimeSeconds: 9
 #     keepAliveTimeSeconds: 3
 #   ebgpMultihop: 4
 #   gracefulRestart:
 #     enabled: true
 #     restartTimeSeconds: 15
 #   families:
 #     - afi: ipv4
 #       safi: unicast
 #       advertisements:
 #         matchLabels:
 #           app.kubernetes.io/name: cilium-bgp-advertisements
--- a/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: default-ip-pool
-    {{- include "cilium.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  blocks:
    - start: "10.232.1.21"
@@ -19,7 +20,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: bgp-ip-pool
-    {{- include "cilium.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  blocks:
    - start: "10.232.2.100"
--- a/clusters/cl01tl/helm/cilium/templates/gateway.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/gateway.yaml
@@ -0,0 +1,45 @@
 # apiVersion: gateway.networking.k8s.io/v1
 # kind: Gateway
 # metadata:
 #   name: cilium-tls-gateway
 #   namespace: {{ .Release.Namespace }}
 #   labels:
 #     app.kubernetes.io/name: cilium-tls-gateway
 #     app.kubernetes.io/instance: {{ .Release.Name }}
 #     app.kubernetes.io/part-of: {{ .Release.Name }}
 #   annotations:
 #     cert-manager.io/cluster-issuer: letsencrypt-issuer
 # spec:
 #   addresses:
 #     - type: IPAddress
 #       value: 10.232.1.23
 #   gatewayClassName: cilium
 #   listeners:
 #     - allowedRoutes:
 #         namespaces:
 #           from: All
 #       hostname: '*.alexlebens.net'
 #       name: https
 #       port: 443
 #       protocol: HTTPS
 #       tls:
 #         certificateRefs:
 #           - group: ''
 #             kind: Secret
 #             name: https-gateway-cert
 #             namespace: kube-system
 #         mode: Terminate
 #     - allowedRoutes:
 #         namespaces:
 #           from: All
 #       hostname: 'alexlebens.net'
 #       name: https-domain
 #       port: 443
 #       protocol: HTTPS
 #       tls:
 #         certificateRefs:
 #           - group: ''
 #             kind: Secret
 #             name: https-gateway-cert
 #             namespace: kube-system
 #         mode: Terminate
--- a/clusters/cl01tl/helm/cilium/templates/http-route.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/http-route.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: hubble
-    {{- include "cilium.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  parentRefs:
    - group: gateway.networking.k8s.io
--- a/clusters/cl01tl/helm/dawarich/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/dawarich/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "dawarich.labels" -}}
 {{ include "dawarich.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "dawarich.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-key
+  name: dawarich-key-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: dawarich-key
+    app.kubernetes.io/name: dawarich-key-secret
-    {{- include "dawarich.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: key
      remoteRef:
@@ -20,21 +21,22 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-oidc-authentik
+  name: dawarich-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: dawarich-oidc-authentik
+    app.kubernetes.io/name: dawarich-oidc-secret
-    {{- include "dawarich.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: client
      remoteRef:
-        key: /cl01tl/authentik/oidc/dawarich
+        key: /authentik/oidc/dawarich
        property: client
    - secretKey: secret
      remoteRef:
-        key: /cl01tl/authentik/oidc/dawarich
+        key: /authentik/oidc/dawarich
        property: secret
--- a/clusters/cl01tl/helm/dawarich/values.yaml
+++ b/clusters/cl01tl/helm/dawarich/values.yaml
@@ -61,12 +61,12 @@ dawarich:
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                  key: client
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                  key: secret
            - name: OIDC_PROVIDER_NAME
              value: Authentik
@@ -81,7 +81,7 @@ dawarich:
            - name: SECRET_KEY_BASE
              valueFrom:
                secretKeyRef:
-                  name: dawarich-key
+                  name: dawarich-key-secret
                  key: key
            - name: RAILS_LOG_TO_STDOUT
              value: true
--- a/clusters/cl01tl/helm/external-secrets/Chart.yaml
+++ b/clusters/cl01tl/helm/external-secrets/Chart.yaml
@@ -18,4 +18,4 @@ dependencies:
    repository: https://charts.external-secrets.io
 icon: https://raw.githubusercontent.com/external-secrets/external-secrets/refs/heads/main/assets/eso-logo-large.png
 # renovate: datasource=github-releases depName=external-secrets/external-secrets
-appVersion: v2.3.0
+appVersion: vv2.3.0
--- a/clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml
+++ b/clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml
@@ -1,17 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: external-secrets
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
 subjects:
  - kind: ServiceAccount
    name: external-secrets
    namespace: {{ .Release.Namespace }}
--- a/clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml
+++ b/clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml
@@ -17,29 +17,3 @@ spec:
          namespace: vault
          name: vault-token
          key: token
 ---
 apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
  name: openbao
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: openbao
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  provider:
    vault:
      server: http://openbao-internal.openbao:8200
      path: secret
      version: v2
      auth:
        kubernetes:
          mountPath: kubernetes
          role: external-secrets
          serviceAccountRef:
            name: external-secrets
            namespace: {{ .Release.Name }}
            audiences:
              - openbao
--- a/clusters/cl01tl/helm/foldergram/values.yaml
+++ b/clusters/cl01tl/helm/foldergram/values.yaml
@@ -70,7 +70,7 @@ foldergram:
      forceRename: foldergram-data
      storageClass: synology-iscsi-delete
      accessMode: ReadWriteOnce
-      size: 250Gi
+      size: 150Gi
      advancedMounts:
        main:
          main:
--- a/clusters/cl01tl/helm/garage/Chart.yaml
+++ b/clusters/cl01tl/helm/garage/Chart.yaml
@@ -21,4 +21,4 @@ dependencies:
    version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/garage.png
 # renovate: datasource=docker depName=dxflrs/garage
-appVersion: v2.3.0
+appVersion: v2.2.0
--- a/clusters/cl01tl/helm/garage/values.yaml
+++ b/clusters/cl01tl/helm/garage/values.yaml
@@ -21,7 +21,7 @@ garage:
        main:
          image:
            repository: dxflrs/garage
-            tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
+            tag: v2.2.0@sha256:45a61ce3f7c9c24fc23d9ed2b09b27ed560ab87b34605d175d5c588f539c24e4
          envFrom:
            - secretRef:
                name: garage-token-secret
@@ -50,7 +50,7 @@ garage:
        main:
          image:
            repository: dxflrs/garage
-            tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
+            tag: v2.2.0@sha256:45a61ce3f7c9c24fc23d9ed2b09b27ed560ab87b34605d175d5c588f539c24e4
          envFrom:
            - secretRef:
                name: garage-token-secret
@@ -79,7 +79,7 @@ garage:
        main:
          image:
            repository: dxflrs/garage
-            tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
+            tag: v2.2.0@sha256:45a61ce3f7c9c24fc23d9ed2b09b27ed560ab87b34605d175d5c588f539c24e4
          envFrom:
            - secretRef:
                name: garage-token-secret
--- a/clusters/cl01tl/helm/gitea/Chart.lock
+++ b/clusters/cl01tl/helm/gitea/Chart.lock
@@ -4,10 +4,10 @@ dependencies:
  version: 12.5.3
 - name: actions
  repository: https://dl.gitea.com/charts/
-  version: 0.1.0
+  version: 0.0.5
 - name: meilisearch
  repository: https://meilisearch.github.io/meilisearch-kubernetes
-  version: 0.32.0
+  version: 0.31.0
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 2.5.0
@@ -23,5 +23,5 @@ dependencies:
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
-digest: sha256:2144d55ea34ba25bd81c1e479ee5cd27097fafb5676b96e63aa0e32ad2868925
+digest: sha256:3b2cd7914718ca5857531c466deb3b7f88a49ce4d67484efcffac7e5accf5263
-generated: "2026-04-16T20:09:26.031592859Z"
+generated: "2026-04-15T18:58:48.48174558Z"
--- a/clusters/cl01tl/helm/gitea/Chart.yaml
+++ b/clusters/cl01tl/helm/gitea/Chart.yaml
@@ -31,9 +31,9 @@ dependencies:
  - name: actions
    alias: gitea-actions
    repository: https://dl.gitea.com/charts/
-    version: 0.1.0
+    version: 0.0.5
  - name: meilisearch
-    version: 0.32.0
+    version: 0.31.0
    repository: https://meilisearch.github.io/meilisearch-kubernetes
  - name: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
@@ -56,4 +56,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/gitea.png
 # renovate: datasource=github-releases depName=go-gitea/gitea
-appVersion: 1.26.0
+appVersion: 1.25.5
--- a/clusters/cl01tl/helm/gitea/values.yaml
+++ b/clusters/cl01tl/helm/gitea/values.yaml
@@ -194,7 +194,7 @@ gitea-actions:
      registry: docker.io
      repository: gitea/act_runner
      # renovate: datasource=docker depName=gitea/act_runner
-      tag: 0.4.1@sha256:696a59b51ad3d149521e3beb0229d5fb88f87295e1616f940199793274415b56
+      tag: 0.3.1@sha256:c2a169c5e99864c25e32527cef3d82203225e09558773022bf3dc164a2e6d762
      extraVolumeMounts:
        - name: workspace-vol
          mountPath: /workspace
--- a/clusters/cl01tl/helm/home-assistant/Chart.yaml
+++ b/clusters/cl01tl/helm/home-assistant/Chart.yaml
@@ -24,4 +24,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/home-assistant.png
 # renovate: datasource=github-releases depName=home-assistant/core
-appVersion: 2026.4.3
+appVersion: 2026.4.2
--- a/clusters/cl01tl/helm/home-assistant/values.yaml
+++ b/clusters/cl01tl/helm/home-assistant/values.yaml
@@ -12,7 +12,7 @@ home-assistant:
        main:
          image:
            repository: ghcr.io/home-assistant/home-assistant
-            tag: 2026.4.3@sha256:ae0800c81fea16bc1241ce03bddb9c6260566e90f58b09d3e5a629e4f68bdc0b
+            tag: 2026.4.2@sha256:4c940155cfd5b0187a6faee2db5d52b98bb573edc1aeee95d0818bb17b6534d7
          env:
            - name: TZ
              value: America/Chicago
@@ -23,7 +23,7 @@ home-assistant:
        code-server:
          image:
            repository: ghcr.io/linuxserver/code-server
-            tag: 4.116.0-ls333@sha256:4620adace18935dd6ca79d77e3bc1c379e21875392192f970cf5d6b0fb4aefcd
+            tag: 4.115.0-ls331@sha256:308f49acac8734542560f797d79b15e4c872c4d3f97d1b22862633fcce2af62a
          env:
            - name: TZ
              value: America/Chicago
--- a/clusters/cl01tl/helm/houndarr/Chart.yaml
+++ b/clusters/cl01tl/helm/houndarr/Chart.yaml
@@ -25,4 +25,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/houndarr.png
 # renovate: datasource=github-releases depName=av1155/houndarr
-appVersion: v1.9.0
+appVersion: v1.7.0
--- a/clusters/cl01tl/helm/houndarr/values.yaml
+++ b/clusters/cl01tl/helm/houndarr/values.yaml
@@ -8,7 +8,7 @@ houndarr:
        main:
          image:
            repository: ghcr.io/av1155/houndarr
-            tag: v1.9.0@sha256:2a9c9e0de43412f683f00cce6f5d0f3e059b27e50350434ae4029ade720e85a0
+            tag: v1.7.0@sha256:8ae2a8b86497cbc54d11591c12220f3be3319039c2bdd0c8b041b2b7c2fd7943
          env:
            - name: TZ
              value: America/Chicago
--- a/clusters/cl01tl/helm/jellyfin/Chart.lock
+++ b/clusters/cl01tl/helm/jellyfin/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
  version: 4.6.2
 - name: meilisearch
  repository: https://meilisearch.github.io/meilisearch-kubernetes
-  version: 0.32.0
+  version: 0.31.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
-digest: sha256:09e0de3cf33b4b463b07237d547172ad72fcc77c0fcb8e5ed7542f9ee3b1df3a
+digest: sha256:ea0f20c4c1b5566288185283141ece9938f8bbce246e27ec464cb1e6fd376fba
-generated: "2026-04-16T14:10:45.330521031Z"
+generated: "2026-04-14T17:48:23.813297015Z"
--- a/clusters/cl01tl/helm/jellyfin/Chart.yaml
+++ b/clusters/cl01tl/helm/jellyfin/Chart.yaml
@@ -22,7 +22,7 @@ dependencies:
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
  - name: meilisearch
-    version: 0.32.0
+    version: 0.31.0
    repository: https://meilisearch.github.io/meilisearch-kubernetes
  - name: volsync-target
    alias: volsync-target-config
--- a/clusters/cl01tl/helm/jellystat/Chart.yaml
+++ b/clusters/cl01tl/helm/jellystat/Chart.yaml
@@ -29,4 +29,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/jellystat.png
 # renovate: datasource=github-releases depName=CyferShepard/Jellystat
-appVersion: 1.1.10
+appVersion: 1.1.9
--- a/clusters/cl01tl/helm/jellystat/values.yaml
+++ b/clusters/cl01tl/helm/jellystat/values.yaml
@@ -8,7 +8,7 @@ jellystat:
        main:
          image:
            repository: ghcr.io/cyfershepard/jellystat
-            tag: 1.1.10@sha256:bb7ebe42424dedeff52d8da4130232d67e3fdd6dc2dd4a66091e32ddd835ea42
+            tag: 1.1.9@sha256:f7f56aabad139faa996b8bb21a36dd3e65f7c87e10408921815b95a28a4efbaf
          env:
            - name: TZ
              value: America/Chicago
--- a/clusters/cl01tl/helm/karakeep/Chart.lock
+++ b/clusters/cl01tl/helm/karakeep/Chart.lock
@@ -4,12 +4,12 @@ dependencies:
  version: 4.6.2
 - name: meilisearch
  repository: https://meilisearch.github.io/meilisearch-kubernetes
-  version: 0.32.0
+  version: 0.31.0
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 2.5.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
-digest: sha256:a5074b9aa3d0ad4e8e3f0d5d10e92e7112bf1fd263d6bade8ae47e36d544cb6d
+digest: sha256:f0f26138eeca6430c2b9ad7dc6d6ad8467b0db2a5660015b2755efc802e8ac84
-generated: "2026-04-16T14:11:10.620563905Z"
+generated: "2026-04-14T17:48:43.81459819Z"
--- a/clusters/cl01tl/helm/karakeep/Chart.yaml
+++ b/clusters/cl01tl/helm/karakeep/Chart.yaml
@@ -23,7 +23,7 @@ dependencies:
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
  - name: meilisearch
-    version: 0.32.0
+    version: 0.31.0
    repository: https://meilisearch.github.io/meilisearch-kubernetes
  - name: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
--- a/clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
@@ -1,7 +1,7 @@
 dependencies:
 - name: kube-prometheus-stack
  repository: oci://ghcr.io/prometheus-community/charts
-  version: 83.6.0
+  version: 83.4.3
 - name: prometheus-operator-crds
  repository: oci://ghcr.io/prometheus-community/charts
  version: 28.0.1
@@ -11,5 +11,5 @@ dependencies:
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.6.1
-digest: sha256:f80cb9a91bb13c3538ffdf4bc95b0750202a76167b05a3958f5aff2220484b0c
+digest: sha256:3396044aeb04c8a204c50941528e7292ece35349445cb86632eac5dcb2200447
-generated: "2026-04-17T16:10:54.211656328Z"
+generated: "2026-04-15T18:45:01.915091109Z"
--- a/clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
@@ -20,7 +20,7 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: kube-prometheus-stack
-    version: 83.6.0
+    version: 83.4.3
    repository: oci://ghcr.io/prometheus-community/charts
  - name: prometheus-operator-crds
    version: 28.0.1
--- a/clusters/cl01tl/helm/libation/Chart.yaml
+++ b/clusters/cl01tl/helm/libation/Chart.yaml
@@ -26,4 +26,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/libation.png
 # renovate: datasource=github-releases depName=rmcrackan/Libation
-appVersion: 13.3.4
+appVersion: 13.3.3
--- a/clusters/cl01tl/helm/libation/values.yaml
+++ b/clusters/cl01tl/helm/libation/values.yaml
@@ -12,7 +12,7 @@ libation:
        main:
          image:
            repository: rmcrackan/libation
-            tag: 13.3.4@sha256:eb0357e8a880ed0049dffd2a99a9d2eda322ed33b3b9e16f4fb93eb15275f396
+            tag: 13.3.3@sha256:fbeb84916c81b654412801367b7e96796ffdba83d987a1ed5fed9896cf7cabee
          env:
            - name: SLEEP_TIME
              value: "-1"
--- a/clusters/cl01tl/helm/matrix-synapse/values.yaml
+++ b/clusters/cl01tl/helm/matrix-synapse/values.yaml
@@ -332,7 +332,7 @@ mautrix-whatsapp:
        main:
          image:
            repository: dock.mau.dev/mautrix/whatsapp
-            tag: v0.2604.0@sha256:9f28c04c746af9fe8e93163489dae0f4191626e2ca02a9302df62afbeefc9eba
+            tag: v0.2603.0@sha256:b49009312361d9ea0d7090716fd09f2323f477b32bd119648c6ca2d558a3e236
          resources:
            requests:
              cpu: 1m
--- a/clusters/cl01tl/helm/music-grabber/Chart.yaml
+++ b/clusters/cl01tl/helm/music-grabber/Chart.yaml
@@ -24,4 +24,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/music-grabber.png
 # renovate: datasource=docker depName=g33kphr33k/musicgrabber
-appVersion: 2.6.5
+appVersion: 2.6.3
--- a/clusters/cl01tl/helm/music-grabber/values.yaml
+++ b/clusters/cl01tl/helm/music-grabber/values.yaml
@@ -12,7 +12,7 @@ music-grabber:
        main:
          image:
            repository: g33kphr33k/musicgrabber
-            tag: 2.6.5@sha256:5d276415a764a56955207ae41fe2df3341a152812fdf8a87e7c0b7e4e1fb681d
+            tag: 2.6.3@sha256:33ccf823b27387c5080da6df7e1b22f1e6443f878cfbf14fb06a6abcef79991d
          env:
            - name: MUSIC_DIR
              value: /mnt/store/Music Grabber/
--- a/clusters/cl01tl/helm/ollama/Chart.yaml
+++ b/clusters/cl01tl/helm/ollama/Chart.yaml
@@ -31,4 +31,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ollama.png
 # renovate: datasource=github-releases depName=ollama/ollama
-appVersion: 0.21.0
+appVersion: 0.20.7
--- a/clusters/cl01tl/helm/ollama/values.yaml
+++ b/clusters/cl01tl/helm/ollama/values.yaml
@@ -21,7 +21,7 @@ ollama:
        main:
          image:
            repository: ollama/ollama
-            tag: 0.21.0@sha256:d3d553bdfbcc7f55dd5ddf42c4cbe3a927aa9bb1802710d35e94656ca5aea02b
+            tag: 0.20.7@sha256:487324a9312240e3e122446f351b1f1e3f68d884ef854c246db2e08792440d94
          env:
            - name: OLLAMA_KEEP_ALIVE
              value: 24h
@@ -55,7 +55,7 @@ ollama:
        main:
          image:
            repository: ollama/ollama
-            tag: 0.21.0@sha256:d3d553bdfbcc7f55dd5ddf42c4cbe3a927aa9bb1802710d35e94656ca5aea02b
+            tag: 0.20.7@sha256:487324a9312240e3e122446f351b1f1e3f68d884ef854c246db2e08792440d94
          env:
            - name: OLLAMA_KEEP_ALIVE
              value: 24h
@@ -89,7 +89,7 @@ ollama:
        main:
          image:
            repository: ollama/ollama
-            tag: 0.21.0@sha256:d3d553bdfbcc7f55dd5ddf42c4cbe3a927aa9bb1802710d35e94656ca5aea02b
+            tag: 0.20.7@sha256:487324a9312240e3e122446f351b1f1e3f68d884ef854c246db2e08792440d94
          env:
            - name: OLLAMA_KEEP_ALIVE
              value: 24h
--- a/clusters/cl01tl/helm/openbao/values.yaml
+++ b/clusters/cl01tl/helm/openbao/values.yaml
@@ -25,15 +25,6 @@ openbao:
            kind: Gateway
            name: traefik-gateway
            namespace: traefik
      httpRoute:
        enabled: true
        hosts:
          - bao.alexlebens.net
        parentRefs:
          - group: gateway.networking.k8s.io
            kind: Gateway
            name: traefik-gateway
            namespace: traefik
    authDelegator:
      enabled: true
    livenessProbe:
@@ -77,13 +68,6 @@ openbao:
            }
          }
          audit "file" "to-stdout" {
            options {
              file_path = "/openbao/audit/openbao_audit.log"
              log_raw = "true"
            }
          }
          service_registration "kubernetes" {}
          telemetry {
@@ -95,7 +79,7 @@ openbao:
    image:
      registry: quay.io
      repository: openbao/openbao-csi-provider
-      tag: 2.0.2@sha256:3cb312e88c62c926caec03bf69497a16805a29daabb5ad2c7a236ab43bb241db
+      tag: 2.0.1@sha256:a3bd5e8183da778b5dc79ee1a3d7313ac77dc599b623b4106a91b19362674f27
    resources:
      requests:
        cpu: 50m
@@ -141,7 +125,7 @@ openbao:
      s3Bucket: openbao-backups
      s3Uri: s3://openbao-backups
      s3ExpireDays: "30"
-      s3cmdExtraFlag: "-v --no-ssl"
+      s3cmdExtraFlag: "-v"
      baoAuthPath: kubernetes
      baoRole: bao-snapshot
 unseal:
--- a/clusters/cl01tl/helm/paperless-ngx/values.yaml
+++ b/clusters/cl01tl/helm/paperless-ngx/values.yaml
@@ -86,7 +86,7 @@ paperless-ngx:
        gotenberg:
          image:
            repository: gotenberg/gotenberg
-            tag: 8.31.0@sha256:f0d86e8a1dbc7b33a5a65cb251d02bb271a48ffa989da3feb5ed7d954fe4d4b3
+            tag: 8.30.1@sha256:206a6c708fc6d05257367d9ac902d6c56c50d2e3284d0596ea000814ef97f22c
  service:
    main:
      controller: main
--- a/clusters/cl01tl/helm/qbittorrent/values.yaml
+++ b/clusters/cl01tl/helm/qbittorrent/values.yaml
@@ -208,7 +208,7 @@ qbittorrent:
        qui:
          image:
            repository: ghcr.io/autobrr/qui
-            tag: v1.17.0@sha256:fb3832e68f66b056e1b049d16c40732661e7b73999bc642d4b11469a3ebbabd3
+            tag: v1.16.1@sha256:07b6ea9572e52e8b5f70f8fb15a7c688d8d754a7616242d3ad0b21dbd5c05836
          env:
            - name: QUI__METRICS_ENABLED
              value: true
--- a/clusters/cl01tl/helm/radarr-4k/Chart.yaml
+++ b/clusters/cl01tl/helm/radarr-4k/Chart.yaml
@@ -33,4 +33,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr-4k.png
 # renovate: datasource=github-releases depName=linuxserver/docker-radarr
-appVersion: 6.1.1.10360-ls300
+appVersion: 6.1.1.10360-ls299
--- a/clusters/cl01tl/helm/radarr-4k/values.yaml
+++ b/clusters/cl01tl/helm/radarr-4k/values.yaml
@@ -14,7 +14,7 @@ radarr-4k:
        main:
          image:
            repository: ghcr.io/linuxserver/radarr
-            tag: 6.1.1.10360-ls300@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d
+            tag: 6.1.1.10360-ls299@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7
          env:
            - name: TZ
              value: America/Chicago
--- a/clusters/cl01tl/helm/radarr-anime/Chart.yaml
+++ b/clusters/cl01tl/helm/radarr-anime/Chart.yaml
@@ -33,4 +33,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr-anime.png
 # renovate: datasource=github-releases depName=linuxserver/docker-radarr
-appVersion: 6.1.1.10360-ls300
+appVersion: 6.1.1.10360-ls299
--- a/clusters/cl01tl/helm/radarr-anime/values.yaml
+++ b/clusters/cl01tl/helm/radarr-anime/values.yaml
@@ -14,7 +14,7 @@ radarr-anime:
        main:
          image:
            repository: ghcr.io/linuxserver/radarr
-            tag: 6.1.1.10360-ls300@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d
+            tag: 6.1.1.10360-ls299@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7
          env:
            - name: TZ
              value: America/Chicago
--- a/clusters/cl01tl/helm/radarr-standup/Chart.yaml
+++ b/clusters/cl01tl/helm/radarr-standup/Chart.yaml
@@ -33,4 +33,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr.png
 # renovate: datasource=github-releases depName=linuxserver/docker-radarr
-appVersion: 6.1.1.10360-ls300
+appVersion: 6.1.1.10360-ls299
--- a/clusters/cl01tl/helm/radarr-standup/values.yaml
+++ b/clusters/cl01tl/helm/radarr-standup/values.yaml
@@ -14,7 +14,7 @@ radarr-standup:
        main:
          image:
            repository: ghcr.io/linuxserver/radarr
-            tag: 6.1.1.10360-ls300@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d
+            tag: 6.1.1.10360-ls299@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7
          env:
            - name: TZ
              value: America/Chicago
--- a/clusters/cl01tl/helm/radarr/Chart.yaml
+++ b/clusters/cl01tl/helm/radarr/Chart.yaml
@@ -33,4 +33,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr.png
 # renovate: datasource=github-releases depName=linuxserver/docker-radarr
-appVersion: 6.1.1.10360-ls300
+appVersion: 6.1.1.10360-ls299
--- a/clusters/cl01tl/helm/radarr/values.yaml
+++ b/clusters/cl01tl/helm/radarr/values.yaml
@@ -14,7 +14,7 @@ radarr:
        main:
          image:
            repository: ghcr.io/linuxserver/radarr
-            tag: 6.1.1.10360-ls300@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d
+            tag: 6.1.1.10360-ls299@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7
          env:
            - name: TZ
              value: America/Chicago
--- a/clusters/cl01tl/helm/rclone/Chart.yaml
+++ b/clusters/cl01tl/helm/rclone/Chart.yaml
@@ -20,4 +20,4 @@ dependencies:
    version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/rclone.png
 # renovate: datasource=github-releases depName=rclone/rclone
-appVersion: v1.73.5
+appVersion: v1.73.4
--- a/clusters/cl01tl/helm/rclone/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/rclone/templates/external-secret.yaml
@@ -14,23 +14,38 @@ spec:
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/directus-assets
        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/directus-assets
        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/directus-assets
        metadataPolicy: None
        property: ACCESS_SECRET_KEY
    - secretKey: SRC_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/config/local
        metadataPolicy: None
        property: ENDPOINT
    - secretKey: DEST_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/config/remote
        metadataPolicy: None
        property: ENDPOINT
 ---
@@ -50,23 +65,38 @@ spec:
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/karakeep-assets
        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/karakeep-assets
        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/karakeep-assets
        metadataPolicy: None
        property: ACCESS_SECRET_KEY
    - secretKey: SRC_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/config/local
        metadataPolicy: None
        property: ENDPOINT
    - secretKey: DEST_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/config/remote
        metadataPolicy: None
        property: ENDPOINT
 ---
@@ -86,23 +116,38 @@ spec:
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/talos-backups
        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/talos-backups
        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/talos-backups
        metadataPolicy: None
        property: ACCESS_SECRET_KEY
    - secretKey: SRC_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/config/local
        metadataPolicy: None
        property: ENDPOINT
    - secretKey: DEST_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/config/remote
        metadataPolicy: None
        property: ENDPOINT
 ---
@@ -122,23 +167,38 @@ spec:
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/web-assets
        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/web-assets
        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/web-assets
        metadataPolicy: None
        property: ACCESS_SECRET_KEY
    - secretKey: SRC_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/config/local
        metadataPolicy: None
        property: ENDPOINT
    - secretKey: DEST_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/config/remote
        metadataPolicy: None
        property: ENDPOINT
 ---
@@ -158,23 +218,38 @@ spec:
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/postgres-backups
        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/postgres-backups
        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/postgres-backups
        metadataPolicy: None
        property: ACCESS_SECRET_KEY
    - secretKey: SRC_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/config/local
        metadataPolicy: None
        property: ENDPOINT
    - secretKey: DEST_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/config/remote
        metadataPolicy: None
        property: ENDPOINT
 ---
@@ -194,89 +269,36 @@ spec:
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/ntfy-attachments
        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/ntfy-attachments
        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/ntfy-attachments
        metadataPolicy: None
        property: ACCESS_SECRET_KEY
    - secretKey: SRC_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/config/local
        metadataPolicy: None
        property: ENDPOINT
    - secretKey: DEST_ENDPOINT
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/config/remote
-        property: ENDPOINT
+        metadataPolicy: None
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: garage-openbao-backups-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: garage-openbao-backups-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        key: /garage/home-infra/openbao-backups
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_REGION
      remoteRef:
        key: /garage/home-infra/openbao-backups
        property: ACCESS_REGION
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        key: /garage/home-infra/openbao-backups
        property: ACCESS_SECRET_KEY
    - secretKey: ENDPOINT_LOCAL
      remoteRef:
        key: /garage/home-infra/openbao-backups
        property: ENDPOINT_LOCAL
    - secretKey: ENDPOINT_REMOTE
      remoteRef:
        key: /garage/home-infra/openbao-backups
        property: ENDPOINT_REMOTE
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: external-openbao-backups-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: external-openbao-backups-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        key: /digital-ocean/home-infra/openbao-backups
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_REGION
      remoteRef:
        key: /digital-ocean/home-infra/openbao-backups
        property: ACCESS_REGION
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        key: /digital-ocean/home-infra/openbao-backups
        property: ACCESS_SECRET_KEY
    - secretKey: ENDPOINT
      remoteRef:
        key: /digital-ocean/home-infra/openbao-backups
        property: ENDPOINT
--- a/clusters/cl01tl/helm/rclone/values.yaml
+++ b/clusters/cl01tl/helm/rclone/values.yaml
@@ -12,7 +12,7 @@ rclone:
        sync:
          image:
            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
+            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
          args:
            - sync
            - src:directus-assets
@@ -90,7 +90,7 @@ rclone:
        sync:
          image:
            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
+            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
          args:
            - sync
            - src:karakeep-assets
@@ -168,7 +168,7 @@ rclone:
        sync:
          image:
            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
+            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
          args:
            - sync
            - src:talos-backups
@@ -239,7 +239,7 @@ rclone:
        prune:
          image:
            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
+            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
          args:
            - delete
            - dest:talos-backups
@@ -287,7 +287,7 @@ rclone:
        sync:
          image:
            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
+            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
          args:
            - sync
            - src:web-assets
@@ -365,7 +365,7 @@ rclone:
        sync:
          image:
            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
+            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
          args:
            - sync
            - src:postgres-backups
@@ -440,7 +440,7 @@ rclone:
        prune:
          image:
            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
+            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
          args:
            - delete
            - dest:postgres-backups
@@ -488,7 +488,7 @@ rclone:
        sync:
          image:
            repository: rclone/rclone
-            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
+            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
          args:
            - sync
            - src:ntfy-attachments
@@ -554,241 +554,3 @@ rclone:
                  key: DEST_ENDPOINT
            - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
              value: true
    openbao-backups-remote:
      type: cronjob
      cronjob:
        suspend: false
        timeZone: America/Chicago
        schedule: 0 1 * * *
        backoffLimit: 3
        parallelism: 1
      containers:
        sync:
          image:
            repository: rclone/rclone
            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
          args:
            - sync
            - src:openbao-backups
            - dest:openbao-backups
            - --s3-no-check-bucket
            - --max-age
            - 90d
            - --verbose
          env:
            - name: RCLONE_S3_PROVIDER
              value: Other
            - name: RCLONE_CONFIG_SRC_TYPE
              value: s3
            - name: RCLONE_CONFIG_SRC_PROVIDER
              value: Other
            - name: RCLONE_CONFIG_SRC_ENV_AUTH
              value: false
            - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ACCESS_KEY_ID
            - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ACCESS_SECRET_KEY
            - name: RCLONE_CONFIG_SRC_REGION
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ACCESS_REGION
            - name: RCLONE_CONFIG_SRC_ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ENDPOINT_LOCAL
            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
              value: true
            - name: RCLONE_CONFIG_DEST_TYPE
              value: s3
            - name: RCLONE_CONFIG_DEST_PROVIDER
              value: Other
            - name: RCLONE_CONFIG_DEST_ENV_AUTH
              value: false
            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ACCESS_KEY_ID
            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ACCESS_SECRET_KEY
            - name: RCLONE_CONFIG_DEST_REGION
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ACCESS_REGION
            - name: RCLONE_CONFIG_DEST_ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ENDPOINT_REMOTE
            - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
              value: true
        prune:
          image:
            repository: rclone/rclone
            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
          args:
            - delete
            - dest:openbao-backups
            - --min-age
            - 90d
            - --verbose
          env:
            - name: RCLONE_CONFIG_DEST_TYPE
              value: s3
            - name: RCLONE_CONFIG_DEST_PROVIDER
              value: Other
            - name: RCLONE_CONFIG_DEST_ENV_AUTH
              value: false
            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ACCESS_KEY_ID
            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ACCESS_SECRET_KEY
            - name: RCLONE_CONFIG_DEST_REGION
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ACCESS_REGION
            - name: RCLONE_CONFIG_DEST_ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ENDPOINT_REMOTE
            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
              value: true
    openbao-backups-external:
      type: cronjob
      cronjob:
        suspend: false
        timeZone: America/Chicago
        schedule: 10 1 * * *
        backoffLimit: 3
        parallelism: 1
      containers:
        sync:
          image:
            repository: rclone/rclone
            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
          args:
            - sync
            - src:openbao-backups
            - dest:openbao-backups-6e088aad5fad110b
            - --s3-no-check-bucket
            - --max-age
            - 90d
            - --verbose
          env:
            - name: RCLONE_S3_PROVIDER
              value: Other
            - name: RCLONE_CONFIG_SRC_TYPE
              value: s3
            - name: RCLONE_CONFIG_SRC_PROVIDER
              value: Other
            - name: RCLONE_CONFIG_SRC_ENV_AUTH
              value: false
            - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ACCESS_KEY_ID
            - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ACCESS_SECRET_KEY
            - name: RCLONE_CONFIG_SRC_REGION
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ACCESS_REGION
            - name: RCLONE_CONFIG_SRC_ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: garage-openbao-backups-secret
                  key: ENDPOINT_LOCAL
            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
              value: true
            - name: RCLONE_CONFIG_DEST_TYPE
              value: s3
            - name: RCLONE_CONFIG_DEST_PROVIDER
              value: DigitalOcean
            - name: RCLONE_CONFIG_DEST_ENV_AUTH
              value: false
            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: external-openbao-backups-secret
                  key: ACCESS_KEY_ID
            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: external-openbao-backups-secret
                  key: ACCESS_SECRET_KEY
            - name: RCLONE_CONFIG_DEST_REGION
              valueFrom:
                secretKeyRef:
                  name: external-openbao-backups-secret
                  key: ACCESS_REGION
            - name: RCLONE_CONFIG_DEST_ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: external-openbao-backups-secret
                  key: ENDPOINT
            - name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE
              value: true
        prune:
          image:
            repository: rclone/rclone
            tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
          args:
            - delete
            - dest:openbao-backups-6e088aad5fad110b
            - --min-age
            - 90d
            - --verbose
          env:
            - name: RCLONE_CONFIG_DEST_TYPE
              value: s3
            - name: RCLONE_CONFIG_DEST_PROVIDER
              value: DigitalOcean
            - name: RCLONE_CONFIG_DEST_ENV_AUTH
              value: false
            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: external-openbao-backups-secret
                  key: ACCESS_KEY_ID
            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: external-openbao-backups-secret
                  key: ACCESS_SECRET_KEY
            - name: RCLONE_CONFIG_DEST_REGION
              valueFrom:
                secretKeyRef:
                  name: external-openbao-backups-secret
                  key: ACCESS_REGION
            - name: RCLONE_CONFIG_DEST_ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: external-openbao-backups-secret
                  key: ENDPOINT
            - name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE
              value: true
--- a/clusters/cl01tl/helm/searxng/values.yaml
+++ b/clusters/cl01tl/helm/searxng/values.yaml
@@ -8,7 +8,7 @@ searxng:
        main:
          image:
            repository: searxng/searxng
-            tag: latest@sha256:0bbe85fb9bebe413a26c0e385c76309d15c91fdb9dc8a6bf01b35b714d0ece43
+            tag: latest@sha256:4c6b4f3e1fc10a907a40b7eaaf5b92d50f5b4097d6fb5b02041c0f9926233b36
          env:
            - name: SEARXNG_BASE_URL
              value: http://searxng-api.searxng:8080
@@ -36,7 +36,7 @@ searxng:
        main:
          image:
            repository: searxng/searxng
-            tag: latest@sha256:0bbe85fb9bebe413a26c0e385c76309d15c91fdb9dc8a6bf01b35b714d0ece43
+            tag: latest@sha256:4c6b4f3e1fc10a907a40b7eaaf5b92d50f5b4097d6fb5b02041c0f9926233b36
          env:
            - name: SEARXNG_BASE_URL
              value: https://searxng.alexlebens.net/
--- a/clusters/cl01tl/helm/secrets-store-csi-driver/Chart.yaml
+++ b/clusters/cl01tl/helm/secrets-store-csi-driver/Chart.yaml
@@ -21,4 +21,4 @@ dependencies:
    repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 # renovate: datasource=github-releases depName=kubernetes-sigs/secrets-store-csi-driver
-appVersion: v1.5.6
+appVersion: 0.8.1
--- a/clusters/cl01tl/helm/seerr/Chart.lock
+++ b/clusters/cl01tl/helm/seerr/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: seerr-chart
  repository: oci://ghcr.io/seerr-team/seerr
-  version: 3.5.1
+  version: 3.4.2
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
-digest: sha256:84f0e23ceedb5b4eedbad1de94ea4e18785360d2125d465ed6f2bcccd7e38e5d
+digest: sha256:f9f2649fcd5ae23d2e8bedc81c8dec7c65464328901c4fd4e47b00549e315514
-generated: "2026-04-16T14:11:50.866475988Z"
+generated: "2026-04-13T18:43:39.927316242Z"
--- a/clusters/cl01tl/helm/seerr/Chart.yaml
+++ b/clusters/cl01tl/helm/seerr/Chart.yaml
@@ -17,7 +17,7 @@ maintainers:
 dependencies:
  - name: seerr-chart
    repository: oci://ghcr.io/seerr-team/seerr
-    version: 3.5.1
+    version: 3.4.2
  - name: volsync-target
    alias: volsync-target-config
    version: 0.8.0
--- a/clusters/cl01tl/helm/site-documentation/values.yaml
+++ b/clusters/cl01tl/helm/site-documentation/values.yaml
@@ -10,7 +10,7 @@ site-documentation:
        main:
          image:
            repository: harbor.alexlebens.net/images/site-documentation
-            tag: 0.27.0@sha256:dafa3c8aa9401009c299bb274d140acc10d8531dd40c8253783b1f8ed8519d76
+            tag: 0.25.0@sha256:1509b20e703617ce8e6fc78fa599a56c09be178541adc82da406632f9af15d97
          resources:
            requests:
              cpu: 10m
--- a/clusters/cl01tl/helm/site-profile/values.yaml
+++ b/clusters/cl01tl/helm/site-profile/values.yaml
@@ -10,7 +10,7 @@ site-profile:
        main:
          image:
            repository: harbor.alexlebens.net/images/site-profile
-            tag: 3.18.5@sha256:2ad5cbbdbf1011f74c5fa804584236ffea266c37f046f837625af79a97bc0b56
+            tag: 3.18.1@sha256:94c120ecd381b4e1568e1fe6619b3472d58870a5a5c5da4bc4b40e0e6b6cbfb1
          resources:
            requests:
              cpu: 10m
--- a/clusters/cl01tl/helm/slskd/Chart.yaml
+++ b/clusters/cl01tl/helm/slskd/Chart.yaml
@@ -22,4 +22,4 @@ dependencies:
    version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/slskd.png
 # renovate: datasource=github-releases depName=slskd/slskd
-appVersion: 0.25.0
+appVersion: 0.24.5
--- a/clusters/cl01tl/helm/slskd/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/slskd/templates/external-secret.yaml
@@ -1,66 +1,51 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: airvpn-wireguard-conf
+  name: slskd-config-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: airvpn-wireguard-conf
+    app.kubernetes.io/name: slskd-config-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
-    - secretKey: conf
+    - secretKey: slskd.yml
      remoteRef:
-        key: /airvpn/config
+        key: /cl01tl/slskd/config
-        property: conf
+
-    - secretKey: private-key
+        property: slskd.yml
      remoteRef:
        key: /airvpn/config
        property: private-key
    - secretKey: preshared-key
      remoteRef:
        key: /airvpn/config
        property: preshared-key
    - secretKey: addresses
      remoteRef:
        key: /airvpn/config
        property: addresses
    - secretKey: input-ports
      remoteRef:
        key: /airvpn/config
        property: input-ports
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: protonvpn-wireguard-conf
+  name: slskd-wireguard-conf
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: protonvpn-wireguard-conf
+    app.kubernetes.io/name: slskd-wireguard-conf
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: conf
      remoteRef:
        key: /protonvpn/config
        property: conf
    - secretKey: email
      remoteRef:
        key: /protonvpn/config
        property: email
    - secretKey: password
      remoteRef:
        key: /protonvpn/config
        property: password
    - secretKey: private-key
      remoteRef:
-        key: /protonvpn/config
+        key: /airvpn/conf/cl01tl
        property: private-key
    - secretKey: preshared-key
      remoteRef:
        key: /airvpn/conf/cl01tl
        property: preshared-key
    - secretKey: addresses
      remoteRef:
        key: /airvpn/conf/cl01tl
        property: addresses
    - secretKey: input-ports
      remoteRef:
        key: /airvpn/conf/cl01tl
        property: input-ports
--- a/clusters/cl01tl/helm/slskd/templates/secret-provider-class.yaml
+++ b/clusters/cl01tl/helm/slskd/templates/secret-provider-class.yaml
@@ -1,19 +0,0 @@
 apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
  name: slskd-config-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: slskd-config-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  provider: openbao
  parameters:
    baoAddress: "http://openbao-internal.openbao:8200"
    roleName: slskd
    objects: |
      - objectName: slskd.yml
        fileName: slskd.yml
        secretPath: secret/data/cl01tl/slskd/config
        secretKey: slskd.yml
--- a/clusters/cl01tl/helm/slskd/values.yaml
+++ b/clusters/cl01tl/helm/slskd/values.yaml
@@ -4,8 +4,6 @@ slskd:
      type: deployment
      replicas: 1
      strategy: Recreate
      serviceAccount:
        name: slskd
      pod:
        securityContext:
          fsGroup: 1000
@@ -38,7 +36,7 @@ slskd:
        main:
          image:
            repository: slskd/slskd
-            tag: 0.25.0@sha256:6a91991c05b7cbbe4e3dcc1f5e10f88d00a68f7ad2ef8a820b79496441b9b78c
+            tag: 0.24.5@sha256:17ef977563be206f3b5932080b1e23883b2cb39dc9010640f6f39b4eaec887e3
          env:
            - name: TZ
              value: America/Chicago
@@ -48,8 +46,6 @@ slskd:
              value: 1000
            - name: SLSKD_UMASK
              value: 000
            - name: SLSKD_CONFIG
              value: /config/slskd.yml
          resources:
            requests:
              cpu: 100m
@@ -64,14 +60,29 @@ slskd:
                command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
          env:
            - name: VPN_SERVICE_PROVIDER
-              value: protonvpn
+              value: airvpn
            - name: VPN_TYPE
              value: wireguard
            - name: WIREGUARD_PRIVATE_KEY
              valueFrom:
                secretKeyRef:
-                  name: protonvpn-wireguard-conf
+                  name: slskd-wireguard-conf
                  key: private-key
            - name: WIREGUARD_PRESHARED_KEY
              valueFrom:
                secretKeyRef:
                  name: slskd-wireguard-conf
                  key: preshared-key
            - name: WIREGUARD_ADDRESSES
              valueFrom:
                secretKeyRef:
                  name: slskd-wireguard-conf
                  key: addresses
            - name: FIREWALL_VPN_INPUT_PORTS
              valueFrom:
                secretKeyRef:
                  name: slskd-wireguard-conf
                  key: input-ports
            - name: FIREWALL_OUTBOUND_SUBNETS
              value: 192.168.1.0/24,10.244.0.0/16
            - name: FIREWALL_INPUT_PORTS
@@ -148,17 +159,13 @@ slskd:
                value: /
  persistence:
    slskd-config:
-      type: custom
+      enabled: true
-      volumeSpec:
+      type: secret
-        csi:
+      name: slskd-config-secret
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: slskd-config-secret
      advancedMounts:
        main:
          main:
-            - path: /config/slskd.yml
+            - path: /app/slskd.yml
              readOnly: true
              mountPropagation: None
              subPath: slskd.yml
--- a/clusters/cl01tl/helm/sonarr-4k/Chart.yaml
+++ b/clusters/cl01tl/helm/sonarr-4k/Chart.yaml
@@ -33,4 +33,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png
 # renovate: datasource=github-releases depName=linuxserver/docker-sonarr
-appVersion: 4.0.17.2952-ls308
+appVersion: 4.0.17.2952-ls307
--- a/clusters/cl01tl/helm/sonarr-4k/values.yaml
+++ b/clusters/cl01tl/helm/sonarr-4k/values.yaml
@@ -13,7 +13,7 @@ sonarr-4k:
        main:
          image:
            repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.17.2952-ls308@sha256:e6c9a091735fede0c2a205c69e7d4c2f0188eaf2bec7e42d8a26c017e5f2a910
+            tag: 4.0.17.2952-ls307@sha256:6854df9de20b8c82e1982604f39473d64dbb4c4584b1013f18f9ade1ee92af13
          env:
            - name: TZ
              value: America/Chicago
--- a/clusters/cl01tl/helm/sonarr-anime/Chart.yaml
+++ b/clusters/cl01tl/helm/sonarr-anime/Chart.yaml
@@ -33,4 +33,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png
 # renovate: datasource=github-releases depName=linuxserver/docker-sonarr
-appVersion: 4.0.17.2952-ls308
+appVersion: 4.0.17.2952-ls307
--- a/clusters/cl01tl/helm/sonarr-anime/values.yaml
+++ b/clusters/cl01tl/helm/sonarr-anime/values.yaml
@@ -13,7 +13,7 @@ sonarr-anime:
        main:
          image:
            repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.17.2952-ls308@sha256:e6c9a091735fede0c2a205c69e7d4c2f0188eaf2bec7e42d8a26c017e5f2a910
+            tag: 4.0.17.2952-ls307@sha256:6854df9de20b8c82e1982604f39473d64dbb4c4584b1013f18f9ade1ee92af13
          env:
            - name: TZ
              value: America/Chicago
--- a/clusters/cl01tl/helm/sonarr/Chart.yaml
+++ b/clusters/cl01tl/helm/sonarr/Chart.yaml
@@ -33,4 +33,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png
 # renovate: datasource=github-releases depName=linuxserver/docker-sonarr
-appVersion: 4.0.17.2952-ls308
+appVersion: 4.0.17.2952-ls307
--- a/clusters/cl01tl/helm/sonarr/values.yaml
+++ b/clusters/cl01tl/helm/sonarr/values.yaml
@@ -12,7 +12,7 @@ sonarr:
        main:
          image:
            repository: ghcr.io/linuxserver/sonarr
-            tag: 4.0.17.2952-ls308@sha256:e6c9a091735fede0c2a205c69e7d4c2f0188eaf2bec7e42d8a26c017e5f2a910
+            tag: 4.0.17.2952-ls307@sha256:6854df9de20b8c82e1982604f39473d64dbb4c4584b1013f18f9ade1ee92af13
          env:
            - name: TZ
              value: America/Chicago
--- a/clusters/cl01tl/helm/sparkyfitness/values.yaml
+++ b/clusters/cl01tl/helm/sparkyfitness/values.yaml
@@ -20,7 +20,7 @@ sparkyfitness:
  server:
    image:
      repository: ghcr.io/codewithcj/sparkyfitness-server
-      tag: v0.16.5.8@sha256:55e5444a74dde388fa7e54121185c41b2130ffd9d12ad38e9e31765019a5c44b
+      tag: v0.16.5.7@sha256:7cdb8cb3ae7f90c7590dac3b92cea3a8e24d51b28eb836a1f6d5201cd45bc080
    resources:
      requests:
        cpu: 100m
@@ -45,7 +45,7 @@ sparkyfitness:
  frontend:
    image:
      repository: ghcr.io/codewithcj/sparkyfitness-frontend
-      tag: v0.16.5.8@sha256:aaf810547097007f6d0b3c90af65f8ce89d9b899a6e3035299caffef830736dc
+      tag: v0.16.5.7@sha256:c57a0a07b3470bd0c280d63d02b45adfe7360441b396e9bd445d7b0d22823356
    resources:
      requests:
        cpu: 10m
--- a/clusters/cl01tl/helm/traefik/Chart.lock
+++ b/clusters/cl01tl/helm/traefik/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: traefik
  repository: https://traefik.github.io/charts
-  version: 39.0.8
+  version: 39.0.7
 - name: traefik-crds
  repository: https://traefik.github.io/charts
  version: 1.16.0
-digest: sha256:e63ea5a588f53e421e33372390b0755609974029827762aa17ff5caec3ddd90c
+digest: sha256:42a2f2844385eb79724b6d7b49ed8adfd4f8237ee63ea55aa6ec7b3b3636dd3e
-generated: "2026-04-17T16:08:27.772737904Z"
+generated: "2026-03-31T21:37:50.410289754Z"
--- a/Show More
+++ b/Show More