chore(deps): update gitea to v1.26.0

2026-04-19 15:54:47 +00:00
387 changed files with 2303 additions and 3581 deletions
--- a/.gitea/workflows/lint-test-helm.yaml
+++ b/.gitea/workflows/lint-test-helm.yaml
@@ -482,7 +482,6 @@ jobs:
  #           echo ">> Render templates for ${APP_NAME} ..."
  #           CHART_PATH="clusters/${CLUSTER}/helm/${APP_NAME}"
  #           OUTPUT_FOLDER="clusters/${CLUSTER}/manifests/${APP_NAME}/"
-  #           mkdir -p "${OUTPUT_FOLDER}"

  #           helm dependency build "${CHART_PATH}" --skip-refresh

@@ -500,7 +499,7 @@ jobs:
  #               echo ">> Standard Rendering ..."
  #           esac

-  #           TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
+  #           TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --include-crds --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")

  #           # Format and split rendered template
  #           echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
@@ -527,38 +526,29 @@ jobs:
  #       run: |
  #         FAILED_CHARTS=""
  #         DIFF_FOUND="false"
-  #         EXIT_CODE=0

  #         for APP_NAME in ${CHANGED_CHARTS}; do
  #           echo ">> Running argocd app diff for ${APP_NAME} ..."
-  #           if ! argocd app diff "${APP_NAME}" \
+  #           argocd app diff "${APP_NAME}" \
  #             --server "${ARGOCD_SERVER}" \
-  #             --auth-token "${ARGOCD_AUTH_TOKEN}" \
-  #             --revision ${{ github.sha }} \
+  #             --revision ${{ gitea.sha }} \
+  #             --diff-exit-code 0 \
  #             --local "clusters/${CLUSTER}/manifests/${APP_NAME}" \
  #             --local-repo-root "." \
-  #             --grpc-web > "diff_output_${APP_NAME}.txt" 2>&1; then
-
-  #             # ArgoCD diff returns non-zero on diff or error.
-  #             # Let's capture if it actually generated a diff output to post.
-  #             DIFF_FOUND="true"
-
-  #             # Check if the output contains validation/connection errors
-  #             if grep -iE 'error|failed|connection refused|timeout' "diff_output_${APP_NAME}.txt"; then
-  #                echo ">> ArgoCD encountered an error validating ${APP_NAME}!"
-  #                EXIT_CODE=1
-  #                FAILED_CHARTS="${FAILED_CHARTS} ${APP_NAME}"
-  #             fi
-  #           fi
+  #             --grpc-web > "diff_output_${APP_NAME}.txt"

  #           if [ -s "diff_output_${APP_NAME}.txt" ]; then
-  #             echo ">> Argo diff or errors:"
+  #             echo ">> Argo diff:"
  #             echo ""
  #             cat diff_output_${APP_NAME}.txt
  #             echo ""
+
+  #             DIFF_FOUND="true"
+
  #           else
  #             echo ">> No Argo diff found for ${APP_NAME}"
  #             rm "diff_output_${APP_NAME}.txt"
+
  #           fi
  #         done

@@ -566,13 +556,13 @@ jobs:
  #         echo "diff-detected=${DIFF_FOUND}" >> "$GITHUB_OUTPUT"
  #         echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"

-  #         exit $EXIT_CODE
+  #         exit $OVERALL_EXIT_CODE

  #     - name: Post Diff
  #       if: |
  #         always() &&
  #         steps.diff.outputs.diff-detected == 'true' &&
-  #         github.event.pull_request.number != null
+  #         gitea.event.pull_request.number != null
  #       env:
  #         GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
  #       run: |
@@ -598,7 +588,7 @@ jobs:
  #         done

  #         curl -X 'POST' \
-  #           "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
+  #           "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/issues/${{ gitea.event.pull_request.number }}/comments" \
  #           -H "Authorization: token ${GITEA_TOKEN}" \
  #           -H "Content-Type: application/json" \
  #           -d "$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')"
--- a/.gitea/workflows/renovate.yaml
+++ b/.gitea/workflows/renovate.yaml
@@ -13,7 +13,7 @@ on:
 jobs:
  renovate:
    runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.138.2@sha256:79765b2442117d5c87e17456aa79ae54b4e0e2a4d9212a10508e233706375556
+    container: ghcr.io/renovatebot/renovate:43.132.0@sha256:fc54bbc724d1924fa72c331729eefb5acd1385a9ce30617b0264a7fb4b8878da
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
--- a/clusters/cl01tl/helm/actual/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/actual/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/argocd/Chart.lock
+++ b/clusters/cl01tl/helm/argocd/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
  repository: https://argoproj.github.io/argo-helm
-  version: 9.5.2
-digest: sha256:5d9e6405ee944bf94df6af247164ebb9b8899144853b9a7eafabe8606affe84e
-generated: "2026-04-19T19:53:40.43789-05:00"
+  version: 9.5.1
+digest: sha256:52a9bcfdc287dac30b8833cd34654b7e62c864aa3d23bda7644a8acf5f75eb78
+generated: "2026-04-16T15:57:15.168206017Z"
--- a/clusters/cl01tl/helm/argocd/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/argocd/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/argocd/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/argocd/templates/external-secret.yaml
@@ -1,40 +1,70 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-oidc-authentik
+  name: argocd-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: argocd-oidc-authentik
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: argocd-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: secret
      remoteRef:
-        key: /cl01tl/authentik/oidc/argocd
+        key: /authentik/oidc/argocd
        property: secret
    - secretKey: client
      remoteRef:
-        key: /cl01tl/authentik/oidc/argocd
+        key: /authentik/oidc/argocd
        property: client

 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-notifications-ntfy
+  name: argocd-notifications-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: argocd-notifications-ntfy
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: argocd-notifications-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: ntfy-token
      remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
+        key: /ntfy/user/cl01tl
        property: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: argocd-gitea-repo-infrastructure-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: type
+      remoteRef:
+        key: /cl01tl/argocd/credentials/repo/infrastructure
+        property: type
+    - secretKey: url
+      remoteRef:
+        key: /cl01tl/argocd/credentials/repo/infrastructure
+        property: url
+    - secretKey: sshPrivateKey
+      remoteRef:
+        key: /cl01tl/argocd/credentials/repo/infrastructure
+        property: sshPrivateKey
--- a/clusters/cl01tl/helm/argocd/values.yaml
+++ b/clusters/cl01tl/helm/argocd/values.yaml
@@ -13,8 +13,8 @@ argo-cd:
        connectors:
        - config:
            issuer: https://authentik.alexlebens.net/application/o/argocd/
-            clientID: $argocd-oidc-authentik:client
-            clientSecret: $argocd-oidc-authentik:secret
+            clientID: $argocd-oidc-secret:client
+            clientSecret: $argocd-oidc-secret:secret
            insecureEnableGroups: true
            scopes:
              - openid
@@ -205,7 +205,7 @@ argo-cd:
    argocdUrl: https://argocd.alexlebens.net
    secret:
      create: false
-      name: argocd-notifications-ntfy
+      name: argocd-notifications-secret
    metrics:
      enabled: true
      serviceMonitor:
--- a/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
@@ -32,4 +32,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 # renovate: datasource=github-releases depName=advplyr/audiobookshelf
-appVersion: 2.33.2
+appVersion: 2.33.1
--- a/clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl
@@ -1,27 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.booksNfsName" -}}
-audiobookshelf-books-nfs-storage
-{{- end -}}
-{{- define "custom.audiobooksNfsName" -}}
-audiobookshelf-audiobooks-nfs-storage
-{{- end -}}
-{{- define "custom.podcastsNfsName" -}}
-audiobookshelf-podcasts-nfs-storage
-{{- end -}}
--- a/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
@@ -1,23 +1,18 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: audiobookshelf-config-apprise
+  name: audiobookshelf-apprise-config
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: audiobookshelf-config-apprise
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: audiobookshelf-apprise-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        ntfy-url: "{{ `{{ .endpoint }}` }}/audiobookshelf"
+    name: vault
  data:
-    - secretKey: endpoint
+    - secretKey: ntfy-url
      remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
-        property: internal-endpoint-credential
+        key: /cl01tl/audiobookshelf/apprise
+        property: ntfy-url
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.booksNfsName" . }}
+  name: audiobookshelf-books-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    {{ include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.booksNfsName" . }}
+  volumeName: audiobookshelf-books-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.audiobooksNfsName" . }}
+  name: audiobookshelf-audiobooks-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.audiobooksNfsName" . }}
+  volumeName: audiobookshelf-audiobooks-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
@@ -37,13 +39,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.podcastsNfsName" . }}
+  name: audiobookshelf-podcasts-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.podcastsNfsName" . }}
+  volumeName: audiobookshelf-podcasts-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.booksNfsName" . }}
+  name: audiobookshelf-books-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.audiobooksNfsName" . }}
+  name: audiobookshelf-audiobooks-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -49,11 +51,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.podcastsNfsName" . }}
+  name: audiobookshelf-podcasts-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
--- a/clusters/cl01tl/helm/audiobookshelf/values.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/values.yaml
@@ -12,7 +12,7 @@ audiobookshelf:
        main:
          image:
            repository: ghcr.io/advplyr/audiobookshelf
-            tag: 2.33.2@sha256:a44ed89b3e845faa1f7d353f2cc89b2fcd8011737dd14075fa963cf9468da3a5
+            tag: 2.33.1@sha256:a4a5841bba093d81e5f4ad1eaedb4da3fda6dbb2528c552349da50ad1f7ae708
          env:
            - name: TZ
              value: America/Chicago
@@ -40,7 +40,7 @@ audiobookshelf:
            - name: APPRISE_STATELESS_URLS
              valueFrom:
                secretKeyRef:
-                  name: audiobookshelf-config-apprise
+                  name: audiobookshelf-apprise-config
                  key: ntfy-url
  service:
    main:
--- a/clusters/cl01tl/helm/authentik/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/authentik/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/authentik/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/external-secret.yaml
@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: authentik-key
+  name: authentik-key-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: authentik-key
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: authentik-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: key
      remoteRef:
--- a/clusters/cl01tl/helm/authentik/templates/ingress.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/ingress.yaml
@@ -1,11 +1,12 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ .Release.Name }}-tailscale
+  name: authentik-tailscale
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: authentik-tailscale
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
    tailscale.com/proxy-class: no-metrics
  annotations:
    tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
@@ -25,4 +26,4 @@ spec:
              service:
                name: authentik-server
                port:
-                  name: http
+                  number: 80
--- a/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: allow-outpost-cross-namespace-access
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  from:
    - group: gateway.networking.k8s.io
--- a/clusters/cl01tl/helm/authentik/values.yaml
+++ b/clusters/cl01tl/helm/authentik/values.yaml
@@ -4,7 +4,7 @@ authentik:
      - name: AUTHENTIK_SECRET_KEY
        valueFrom:
          secretKeyRef:
-            name: authentik-key
+            name: authentik-key-secret
            key: key
      - name: AUTHENTIK_POSTGRESQL__HOST
        valueFrom:
--- a/clusters/cl01tl/helm/backrest/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/backrest/templates/_helpers.tpl
@@ -1,24 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.storageNfsName" -}}
-backrest-nfs-storage
-{{- end -}}
-{{- define "custom.shareNfsName" -}}
-backrest-nfs-share
-{{- end -}}
--- a/clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: backrest-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: backrest-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.storageNfsName" . }}
+  volumeName: backrest-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.shareNfsName" . }}
+  name: backrest-nfs-share
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: backrest-nfs-share
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.shareNfsName" . }}
+  volumeName: backrest-nfs-share
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: backrest-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: backrest-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.shareNfsName" . }}
+  name: backrest-nfs-share
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: backrest-nfs-share
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
--- a/clusters/cl01tl/helm/bazarr/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/bazarr/templates/_helpers.tpl
@@ -1,21 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.storageNfsName" -}}
-bazarr-nfs-storage
-{{- end -}}
--- a/clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: bazarr-key
+  name: bazarr-key-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: bazarr-key
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: bazarr-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: key
      remoteRef:
--- a/clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: bazarr-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: bazarr-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.storageNfsName" . }}
+  volumeName: bazarr-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: bazarr-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: bazarr-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
--- a/clusters/cl01tl/helm/bazarr/values.yaml
+++ b/clusters/cl01tl/helm/bazarr/values.yaml
@@ -39,7 +39,7 @@ bazarr:
            - name: APIKEY
              valueFrom:
                secretKeyRef:
-                  name: bazarr-key
+                  name: bazarr-key-secret
                  key: key
            - name: ENABLE_ADDITIONAL_METRICS
              value: false
--- a/clusters/cl01tl/helm/blocky/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/blocky/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl
@@ -1,24 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.cloudflareSecretName" -}}
-cert-manager-cloudflare-api-token
-{{- end -}}
-{{- define "custom.cloudflareSecretKey" -}}
-api-token
-{{- end -}}
--- a/clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: letsencrypt-issuer
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  acme:
    email: alexanderlebens@gmail.com
@@ -21,5 +22,5 @@ spec:
          cloudflare:
            email: alexanderlebens@gmail.com
            apiTokenSecretRef:
-              name: {{ include "custom.cloudflareSecretName" . }}
-              key: {{ include "custom.cloudflareSecretKey" . }}
+              name: cloudflare-api-token
+              key: api-token
--- a/clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
@@ -1,17 +1,18 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: {{ include "custom.cloudflareSecretName" . }}
+  name: cloudflare-api-token
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.cloudflareSecretName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: cloudflare-api-token
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
-    - secretKey: {{ include "custom.cloudflareSecretKey" . }}
+    - secretKey: api-token
      remoteRef:
-        key: /cloudflare/alexlebens.net/cl01tl-issuer-certificate
+        key: /cloudflare/alexlebens.net/clusterissuer
        property: token
--- a/clusters/cl01tl/helm/cilium/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cilium/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml
@@ -0,0 +1,19 @@
+# apiVersion: cilium.io/v2
+# kind: CiliumBGPAdvertisement
+# metadata:
+#   name: cilium-bgp-advertisements
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-bgp-advertisements
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   advertisements:
+#     - advertisementType: "Service"
+#       service:
+#         addresses:
+#           - ExternalIP
+#           - LoadBalancerIP
+#       selector:
+#         matchExpressions:
+#          - {key: somekey, operator: NotIn, values: ['never-used-value']}
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml
@@ -0,0 +1,22 @@
+# apiVersion: cilium.io/v2
+# kind: CiliumBGPClusterConfig
+# metadata:
+#   name: cilium-bgp
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-bgp
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   nodeSelector:
+#     matchLabels:
+#       node-role.kubernetes.io/bgp: "65020"
+#   bgpInstances:
+#     - name: "65020"
+#       localASN: 65020
+#       peers:
+#         - name: "udm-65000"
+#           peerASN: 65000
+#           peerAddress: 192.168.1.1
+#           peerConfigRef:
+#             name: "cilium-peer"
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml
@@ -0,0 +1,23 @@
+# apiVersion: cilium.io/v2
+# kind: CiliumBGPPeerConfig
+# metadata:
+#   name: cilium-peer
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-peer
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   timers:
+#     holdTimeSeconds: 9
+#     keepAliveTimeSeconds: 3
+#   ebgpMultihop: 4
+#   gracefulRestart:
+#     enabled: true
+#     restartTimeSeconds: 15
+#   families:
+#     - afi: ipv4
+#       safi: unicast
+#       advertisements:
+#         matchLabels:
+#           app.kubernetes.io/name: cilium-bgp-advertisements
--- a/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: default-ip-pool
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  blocks:
    - start: "10.232.1.21"
@@ -19,7 +20,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: bgp-ip-pool
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  blocks:
    - start: "10.232.2.100"
--- a/clusters/cl01tl/helm/cilium/templates/gateway.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/gateway.yaml
@@ -0,0 +1,45 @@
+# apiVersion: gateway.networking.k8s.io/v1
+# kind: Gateway
+# metadata:
+#   name: cilium-tls-gateway
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-tls-gateway
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+#   annotations:
+#     cert-manager.io/cluster-issuer: letsencrypt-issuer
+# spec:
+#   addresses:
+#     - type: IPAddress
+#       value: 10.232.1.23
+#   gatewayClassName: cilium
+#   listeners:
+#     - allowedRoutes:
+#         namespaces:
+#           from: All
+#       hostname: '*.alexlebens.net'
+#       name: https
+#       port: 443
+#       protocol: HTTPS
+#       tls:
+#         certificateRefs:
+#           - group: ''
+#             kind: Secret
+#             name: https-gateway-cert
+#             namespace: kube-system
+#         mode: Terminate
+#     - allowedRoutes:
+#         namespaces:
+#           from: All
+#       hostname: 'alexlebens.net'
+#       name: https-domain
+#       port: 443
+#       protocol: HTTPS
+#       tls:
+#         certificateRefs:
+#           - group: ''
+#             kind: Secret
+#             name: https-gateway-cert
+#             namespace: kube-system
+#         mode: Terminate
--- a/clusters/cl01tl/helm/cilium/templates/http-route.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/http-route.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: hubble
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  parentRefs:
    - group: gateway.networking.k8s.io
@@ -20,6 +21,8 @@ spec:
          type: PathPrefix
          value: /
      backendRefs:
-        - kind: Service
+        - group: ''
+          kind: Service
          name: hubble-ui
          port: 80
+          weight: 100
--- a/clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/coredns/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/coredns/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/dawarich/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/dawarich/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-key
+  name: dawarich-key-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: dawarich-key
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: dawarich-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: key
      remoteRef:
@@ -20,21 +21,22 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-oidc-authentik
+  name: dawarich-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: dawarich-oidc-authentik
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: dawarich-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: client
      remoteRef:
-        key: /cl01tl/authentik/oidc/dawarich
+        key: /authentik/oidc/dawarich
        property: client
    - secretKey: secret
      remoteRef:
-        key: /cl01tl/authentik/oidc/dawarich
+        key: /authentik/oidc/dawarich
        property: secret
--- a/clusters/cl01tl/helm/dawarich/values.yaml
+++ b/clusters/cl01tl/helm/dawarich/values.yaml
@@ -61,12 +61,12 @@ dawarich:
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                  key: client
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                  key: secret
            - name: OIDC_PROVIDER_NAME
              value: Authentik
@@ -81,7 +81,7 @@ dawarich:
            - name: SECRET_KEY_BASE
              valueFrom:
                secretKeyRef:
-                  name: dawarich-key
+                  name: dawarich-key-secret
                  key: key
            - name: RAILS_LOG_TO_STDOUT
              value: true
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml
@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: synology-iscsi-config
+  name: synology-iscsi-config-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: synology-iscsi-config
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: synology-iscsi-config-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: driver-config-file.yaml
      remoteRef:
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml
@@ -1,10 +1,11 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Release.Namespace }}
+  name: democratic-csi-synology-iscsi
  labels:
-    app.kubernetes.io/name: {{ .Release.Namespace }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: democratic-csi-synology-iscsi
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
@@ -3,7 +3,7 @@ democratic-csi:
    image:
      registry: ghcr.io/democratic-csi/democratic-csi
      tag: v1.9.5@@sha256:fc3b7d7ed3a616714139525075312758e23a5d425ffb539ad12c9bd20fb6001f
-    existingConfigSecret: synology-iscsi-config
+    existingConfigSecret: synology-iscsi-config-secret
    config:
      driver: synology-iscsi
    resources:
--- a/clusters/cl01tl/helm/descheduler/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/descheduler/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/directus/Chart.yaml
+++ b/clusters/cl01tl/helm/directus/Chart.yaml
@@ -5,7 +5,7 @@ description: Directus
 keywords:
  - directus
  - content-management-system
-home: https://docs.alexlebens.dev/applications/directus/
+home: https://docs.alexlebens.dev/applications/descheduler/
 sources:
  - https://github.com/directus/directus
  - https://github.com/directus/directus/pkgs/container/directus
--- a/clusters/cl01tl/helm/directus/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/directus/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/directus/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/directus/templates/external-secret.yaml
@@ -5,20 +5,13 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-config
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
-    - secretKey: key
-      remoteRef:
-        key: /cl01tl/directus/key
-        property: key
-    - secretKey: secret
-      remoteRef:
-        key: /cl01tl/directus/key
-        property: secret
    - secretKey: admin-email
      remoteRef:
        key: /cl01tl/directus/config
@@ -27,6 +20,38 @@ spec:
      remoteRef:
        key: /cl01tl/directus/config
        property: admin-password
+    - secretKey: secret
+      remoteRef:
+        key: /cl01tl/directus/config
+        property: secret
+    - secretKey: key
+      remoteRef:
+        key: /cl01tl/directus/config
+        property: key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: OIDC_CLIENT_ID
+      remoteRef:
+        key: /authentik/oidc/directus
+        property: client
+    - secretKey: OIDC_CLIENT_SECRET
+      remoteRef:
+        key: /authentik/oidc/directus
+        property: secret

 ---
 apiVersion: external-secrets.io/v1
@@ -36,67 +61,18 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-metric-token
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: metric-token
      remoteRef:
        key: /cl01tl/directus/metrics
        property: metric-token

---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-valkey-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-valkey-config
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: user
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: user
-    - secretKey: password
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: password
-    - secretKey: default
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: password
-
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-oidc-authentik
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-oidc-authentik
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: OIDC_CLIENT_ID
-      remoteRef:
-        key: /cl01tl/authentik/oidc/directus
-        property: client
-    - secretKey: OIDC_CLIENT_SECRET
-      remoteRef:
-        key: /cl01tl/authentik/oidc/directus
-        property: secret
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -105,11 +81,12 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-bucket-garage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
@@ -123,3 +100,31 @@ spec:
      remoteRef:
        key: /garage/home-infra/directus-assets
        property: ACCESS_REGION
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-valkey-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-valkey-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: default
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: password
+    - secretKey: user
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: user
+    - secretKey: password
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: password
--- a/clusters/cl01tl/helm/directus/values.yaml
+++ b/clusters/cl01tl/helm/directus/values.yaml
@@ -113,12 +113,12 @@ directus:
            - name: AUTH_AUTHENTIK_CLIENT_ID
              valueFrom:
                secretKeyRef:
-                  name: directus-oidc-authentik
+                  name: directus-oidc-secret
                  key: OIDC_CLIENT_ID
            - name: AUTH_AUTHENTIK_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: directus-oidc-authentik
+                  name: directus-oidc-secret
                  key: OIDC_CLIENT_SECRET
            - name: AUTH_AUTHENTIK_SCOPE
              value: openid profile email
--- a/clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/element-web/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/element-web/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/eraser/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/eraser/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/excalidraw/Chart.yaml
+++ b/clusters/cl01tl/helm/excalidraw/Chart.yaml
@@ -5,7 +5,7 @@ description: Excalidraw
 keywords:
  - excalidraw
  - drawing
-home: https://docs.alexlebens.dev/applications/excalidraw/
+home: https://docs.alexlebens.dev/applications/eraser/
 sources:
  - https://github.com/excalidraw/excalidraw
  - https://hub.docker.com/r/excalidraw/excalidraw
--- a/clusters/cl01tl/helm/excalidraw/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/excalidraw/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/excalidraw/values.yaml
+++ b/clusters/cl01tl/helm/excalidraw/values.yaml
@@ -8,7 +8,7 @@ excalidraw:
        main:
          image:
            repository: excalidraw/excalidraw
-            tag: latest@sha256:20ffa04668e19616bb0c1b3632849e5cd96e0bc7a1336b73d9d072667f2c2854
+            tag: latest@sha256:3c2513e830bb6e195147c05b34ecf8393d0ba2b1cc86e93b407a5777d6135c6c
          env:
            - name: NODE_ENV
              value: production
--- a/clusters/cl01tl/helm/external-dns/Chart.yaml
+++ b/clusters/cl01tl/helm/external-dns/Chart.yaml
@@ -5,7 +5,7 @@ description: External DNS
 keywords:
  - external-dns
  - dns
-home: https://docs.alexlebens.dev/applications/external-dns/
+home: https://docs.alexlebens.dev/applications/eraser/
 sources:
  - https://github.com/kubernetes-sigs/external-dns
  - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fexternal-dns%2Fexternal-dns
--- a/clusters/cl01tl/helm/external-dns/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/external-dns/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/external-dns/templates/dns-endpoint.yaml
+++ b/clusters/cl01tl/helm/external-dns/templates/dns-endpoint.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: external-device-names
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  endpoints:
    # Unifi UDM
@@ -47,7 +48,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: iot-device-names
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  endpoints:
    # Airgradient
@@ -80,18 +82,6 @@ spec:
      recordType: A
      targets:
        - 10.230.0.100
-    # HD Homerun
-    - dnsName: dv01hr.alexlebens.net
-      recordTTL: 180
-      recordType: A
-      targets:
-        - 10.232.1.72
-    # Pi KVM
-    - dnsName: dv02kv.alexlebens.net
-      recordTTL: 180
-      recordType: A
-      targets:
-        - 10.232.1.71

 ---
 apiVersion: externaldns.k8s.io/v1alpha1
@@ -101,7 +91,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: server-host-names
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  endpoints:
    # Unifi Gateway
@@ -134,18 +125,6 @@ spec:
      recordType: A
      targets:
        - 10.232.1.52
-    # Desktop
-    - dnsName: pd05wd.alexlebens.net
-      recordTTL: 180
-      recordType: A
-      targets:
-        - 10.230.0.115
-    # Laptop
-    - dnsName: pl02mc.alexlebens.net
-      recordTTL: 180
-      recordType: A
-      targets:
-        - 10.230.0.105

 ---
 apiVersion: externaldns.k8s.io/v1alpha1
@@ -155,7 +134,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: cluster-service-names
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  endpoints:
    # Treafik Proxy
--- a/clusters/cl01tl/helm/external-dns/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/external-dns/templates/external-secret.yaml
@@ -5,11 +5,12 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: external-dns-unifi-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: api-key
      remoteRef:
--- a/clusters/cl01tl/helm/external-secrets/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/external-secrets/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml
+++ b/clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml
@@ -5,12 +5,13 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: external-secrets
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
 subjects:
  - kind: ServiceAccount
-    name: {{ .Release.Name }}
+    name: external-secrets
    namespace: {{ .Release.Namespace }}
--- a/clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml
+++ b/clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: vault
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  provider:
    vault:
@@ -25,7 +26,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: openbao
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  provider:
    vault:
@@ -37,7 +39,7 @@ spec:
          mountPath: kubernetes
          role: external-secrets
          serviceAccountRef:
-            name: {{ .Release.Name }}
-            namespace: {{ .Release.Namespace }}
+            name: external-secrets
+            namespace: {{ .Release.Name }}
            audiences:
              - openbao
--- a/clusters/cl01tl/helm/foldergram/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/foldergram/templates/_helpers.tpl
@@ -1,21 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.storageNfsName" -}}
-foldergram-pictures-collections-nfs-storage
-{{- end -}}
--- a/clusters/cl01tl/helm/foldergram/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/foldergram/templates/persistent-volume-claim.yaml
@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: foldergram-pictures-collections-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: foldergram-pictures-collections-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.storageNfsName" . }}
+  volumeName: foldergram-pictures-collections-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/foldergram/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/foldergram/templates/persistent-volume.yaml
@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: foldergram-pictures-collections-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: foldergram-pictures-collections-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
--- a/clusters/cl01tl/helm/freshrss/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/freshrss/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/freshrss/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/freshrss/templates/external-secret.yaml
@@ -1,52 +1,54 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: freshrss-install-config
+  name: freshrss-install-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: freshrss-install-config
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: freshrss-install-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: ADMIN_EMAIL
      remoteRef:
        key: /cl01tl/freshrss/config
-        property: admin-email
+        property: ADMIN_EMAIL
    - secretKey: ADMIN_PASSWORD
      remoteRef:
        key: /cl01tl/freshrss/config
-        property: admin-password
+        property: ADMIN_PASSWORD
    - secretKey: ADMIN_API_PASSWORD
      remoteRef:
        key: /cl01tl/freshrss/config
-        property: admin-api-password
+        property: ADMIN_API_PASSWORD

 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: freshrss-oidc-authentik
+  name: freshrss-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: freshrss-oidc-authentik
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: freshrss-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: OIDC_CLIENT_ID
      remoteRef:
-        key: /cl01tl/authentik/oidc/freshrss
+        key: /authentik/oidc/freshrss
        property: client
    - secretKey: OIDC_CLIENT_SECRET
      remoteRef:
-        key: /cl01tl/authentik/oidc/freshrss
+        key: /authentik/oidc/freshrss
        property: secret
    - secretKey: OIDC_CLIENT_CRYPTO_KEY
      remoteRef:
-        key: /cl01tl/freshrss/key
-        property: oidc-client-crypto-key
+        key: /authentik/oidc/freshrss
+        property: crypto-key
--- a/clusters/cl01tl/helm/freshrss/values.yaml
+++ b/clusters/cl01tl/helm/freshrss/values.yaml
@@ -73,9 +73,9 @@ freshrss:
              value: preferred_username
          envFrom:
            - secretRef:
-                name: freshrss-oidc-authentik
+                name: freshrss-oidc-secret
            - secretRef:
-                name: freshrss-install-config
+                name: freshrss-install-secret
          resources:
            requests:
              cpu: 1m
--- a/clusters/cl01tl/helm/garage/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/garage/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/garage/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/garage/templates/external-secret.yaml
@@ -1,25 +1,26 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: garage-token
+  name: garage-token-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: garage-token
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: garage-token-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: GARAGE_RPC_SECRET
      remoteRef:
-        key: /cl01tl/garage/config
-        property: rpc-secret
+        key: /cl01tl/garage/token
+        property: rpc
    - secretKey: GARAGE_ADMIN_TOKEN
      remoteRef:
-        key: /cl01tl/garage/config
-        property: admin-token
+        key: /cl01tl/garage/token
+        property: admin
    - secretKey: GARAGE_METRICS_TOKEN
      remoteRef:
-        key: /cl01tl/garage/config
-        property: metrics-token
+        key: /cl01tl/garage/token
+        property: metric
--- a/clusters/cl01tl/helm/garage/templates/service.yaml
+++ b/clusters/cl01tl/helm/garage/templates/service.yaml
@@ -6,7 +6,8 @@ metadata:
  labels:
    app.kubernetes.io/name: garage-main
    app.kubernetes.io/service: garage-main
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  ports:
    - name: admin
@@ -26,6 +27,6 @@ spec:
      protocol: TCP
      targetPort: 3902
  selector:
-    app.kubernetes.io/name: garage
    app.kubernetes.io/instance: garage
+    app.kubernetes.io/name: garage
    garage-type: server
--- a/clusters/cl01tl/helm/garage/values.yaml
+++ b/clusters/cl01tl/helm/garage/values.yaml
@@ -24,7 +24,7 @@ garage:
            tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
          envFrom:
            - secretRef:
-                name: garage-token
+                name: garage-token-secret
          resources:
            requests:
              cpu: 10m
@@ -53,7 +53,7 @@ garage:
            tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
          envFrom:
            - secretRef:
-                name: garage-token
+                name: garage-token-secret
          resources:
            requests:
              cpu: 10m
@@ -82,7 +82,7 @@ garage:
            tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
          envFrom:
            - secretRef:
-                name: garage-token
+                name: garage-token-secret
          resources:
            requests:
              cpu: 10m
@@ -104,7 +104,7 @@ garage:
            - name: API_ADMIN_KEY
              valueFrom:
                secretKeyRef:
-                  name: garage-token
+                  name: garage-token-secret
                  key: GARAGE_ADMIN_TOKEN
          resources:
            requests:
@@ -273,7 +273,7 @@ garage:
          scrapeTimeout: 2m
          path: /metrics
          bearerTokenSecret:
-            name: garage-token
+            name: garage-token-secret
            key: GARAGE_METRICS_TOKEN
  route:
    webui:
--- a/clusters/cl01tl/helm/gatus/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/gatus/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/gatus/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/gatus/templates/external-secret.yaml
@@ -1,40 +1,42 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gatus-config
+  name: gatus-config-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: gatus-config-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: NTFY_TOKEN
      remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
+        key: /ntfy/user/cl01tl
        property: token

 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gatus-oidc-authentik
+  name: gatus-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: gatus-oidc-authentik
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: gatus-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: OIDC_CLIENT_ID
      remoteRef:
-        key: /cl01tl/authentik/oidc/gatus
+        key: /authentik/oidc/gatus
        property: client
    - secretKey: OIDC_CLIENT_SECRET
      remoteRef:
-        key: /cl01tl/authentik/oidc/gatus
+        key: /authentik/oidc/gatus
        property: secret
--- a/clusters/cl01tl/helm/gatus/values.yaml
+++ b/clusters/cl01tl/helm/gatus/values.yaml
@@ -20,17 +20,17 @@ gatus:
    NTFY_TOKEN:
      valueFrom:
        secretKeyRef:
-          name: gatus-config
+          name: gatus-config-secret
          key: NTFY_TOKEN
    OIDC_CLIENT_ID:
      valueFrom:
        secretKeyRef:
-          name: gatus-oidc-authentik
+          name: gatus-oidc-secret
          key: OIDC_CLIENT_ID
    OIDC_CLIENT_SECRET:
      valueFrom:
        secretKeyRef:
-          name: gatus-oidc-authentik
+          name: gatus-oidc-secret
          key: OIDC_CLIENT_SECRET
    POSTGRES_USER:
      valueFrom:
--- a/clusters/cl01tl/helm/generic-device-plugin/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/generic-device-plugin/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/generic-device-plugin/templates/namespace.yaml
+++ b/clusters/cl01tl/helm/generic-device-plugin/templates/namespace.yaml
@@ -1,10 +1,11 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Release.Namespace }}
+  name: generic-device-plugin
  labels:
-    app.kubernetes.io/name: {{ .Release.Namespace }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: generic-device-plugin
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
--- a/clusters/cl01tl/helm/gitea/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/gitea/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/gitea/templates/config-map.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/config-map.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: gitea-custom-templates
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 data:
  header.tmpl: |
    <script defer src="https://rybbit.alexlebens.dev/api/script.js" data-site-id="b515c34a6dcc"></script>
--- a/clusters/cl01tl/helm/gitea/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/external-secret.yaml
@@ -1,15 +1,64 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
+metadata:
+  name: gitea-admin-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-admin-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: username
+      remoteRef:
+        key: /cl01tl/gitea/auth/admin
+        property: username
+    - secretKey: password
+      remoteRef:
+        key: /cl01tl/gitea/auth/admin
+        property: password
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: secret
+      remoteRef:
+        key: /authentik/oidc/gitea
+        property: secret
+    - secretKey: key
+      remoteRef:
+        key: /authentik/oidc/gitea
+        property: client
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
 metadata:
  name: gitea-runner-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: gitea-runner-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: token
      remoteRef:
@@ -20,15 +69,80 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gitea-meilisearch-key
+  name: gitea-renovate-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: gitea-meilisearch-key
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: gitea-renovate-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
+  data:
+    - secretKey: RENOVATE_ENDPOINT
+      remoteRef:
+        key: /cl01tl/gitea/renovate
+        property: RENOVATE_ENDPOINT
+    - secretKey: RENOVATE_GIT_AUTHOR
+      remoteRef:
+        key: /cl01tl/gitea/renovate
+        property: RENOVATE_GIT_AUTHOR
+    - secretKey: RENOVATE_TOKEN
+      remoteRef:
+        key: /cl01tl/gitea/renovate
+        property: RENOVATE_TOKEN
+    - secretKey: RENOVATE_GIT_PRIVATE_KEY
+      remoteRef:
+        key: /cl01tl/gitea/renovate
+        property: id_rsa
+    - secretKey: RENOVATE_GITHUB_COM_TOKEN
+      remoteRef:
+        key: /github/gitea-cl01tl
+        property: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-renovate-ssh-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-renovate-ssh-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: config
+      remoteRef:
+        key: /cl01tl/gitea/renovate
+        property: ssh_config
+    - secretKey: id_rsa
+      remoteRef:
+        key: /cl01tl/gitea/renovate
+        property: id_rsa
+    - secretKey: id_rsa.pub
+      remoteRef:
+        key: /cl01tl/gitea/renovate
+        property: id_rsa.pub
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-meilisearch-master-key-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-meilisearch-master-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
  target:
    template:
      mergePolicy: Merge
@@ -39,27 +153,4 @@ spec:
    - secretKey: MEILI_MASTER_KEY
      remoteRef:
        key: /cl01tl/gitea/meilisearch
-        property: master-key
-
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-oidc-authentik
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-oidc-authentik
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: secret
-      remoteRef:
-        key: /cl01tl/authentik/oidc/gitea
-        property: secret
-    - secretKey: key
-      remoteRef:
-        key: /cl01tl/authentik/oidc/gitea
-        property: client
+        property: MEILI_MASTER_KEY
--- a/clusters/cl01tl/helm/gitea/templates/http-route.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/http-route.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: gitea
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  parentRefs:
    - group: gateway.networking.k8s.io
@@ -20,6 +21,8 @@ spec:
          type: PathPrefix
          value: /
      backendRefs:
-        - kind: Service
+        - group: ''
+          kind: Service
          name: gitea-http
          port: 3000
+          weight: 100
--- a/clusters/cl01tl/helm/gitea/templates/ingress.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/ingress.yaml
@@ -1,11 +1,12 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ .Release.Name }}-tailscale
+  name: gitea-tailscale
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: gitea-tailscale
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
    tailscale.com/proxy-class: no-metrics
  annotations:
    tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
@@ -20,7 +21,7 @@ spec:
      http:
        paths:
          - path: /
-            pathType: Prefix
+            pathType: ImplementationSpecific
            backend:
              service:
                name: gitea-http
--- a/clusters/cl01tl/helm/gitea/templates/namespace.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/namespace.yaml
@@ -1,10 +1,11 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Release.Namespace }}
+  name: gitea
  labels:
-    app.kubernetes.io/name: {{ .Release.Namespace }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: gitea
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
--- a/clusters/cl01tl/helm/gitea/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/persistent-volume-claim.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: gitea-themes-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeMode: Filesystem
  storageClassName: ceph-filesystem
--- a/clusters/cl01tl/helm/gitea/templates/service-monitor.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/service-monitor.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: gitea
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  selector:
    matchLabels:
--- a/clusters/cl01tl/helm/gitea/templates/tcp-route.yaml
+++ b/clusters/cl01tl/helm/gitea/templates/tcp-route.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: gitea-ssh
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  parentRefs:
    - group: gateway.networking.k8s.io
@@ -15,6 +16,8 @@ spec:
      sectionName: ssh
  rules:
    - backendRefs:
-        - kind: Service
+        - group: ''
+          kind: Service
          name: gitea-ssh
          port: 22
+          weight: 100
--- a/clusters/cl01tl/helm/gitea/values.yaml
+++ b/clusters/cl01tl/helm/gitea/values.yaml
@@ -9,7 +9,7 @@ gitea:
      maxUnavailable: 1
  image:
    repository: gitea/gitea
-    tag: 1.25.5
+    tag: 1.26.0
  service:
    http:
      type: ClusterIP
@@ -59,7 +59,7 @@ gitea:
    oauth:
      - name: Authentik
        provider: openidConnect
-        existingSecret: gitea-oidc-authentik
+        existingSecret: gitea-oidc-secret
        autoDiscoverUrl: https://auth.alexlebens.dev/application/o/gitea/.well-known/openid-configuration
        iconUrl: https://goauthentik.io/img/icon.png
        scopes: "email profile"
@@ -137,7 +137,7 @@ gitea:
      - name: GITEA__INDEXER__ISSUE_INDEXER_CONN_STR
        valueFrom:
          secretKeyRef:
-            name: gitea-meilisearch-key
+            name: gitea-meilisearch-master-key-secret
            key: ISSUE_INDEXER_CONN_STR
  valkey-cluster:
    enabled: false
@@ -235,7 +235,7 @@ meilisearch:
    MEILI_ENV: production
    MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: true
  auth:
-    existingMasterKeySecret: gitea-meilisearch-key
+    existingMasterKeySecret: gitea-meilisearch-master-key-secret
  persistence:
    enabled: true
    storageClass: ceph-block
--- a/clusters/cl01tl/helm/grafana-operator/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/grafana-operator/templates/_helpers.tpl
@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
--- a/clusters/cl01tl/helm/grafana-operator/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/templates/external-secret.yaml
@@ -1,44 +1,98 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: grafana-config
+  name: grafana-auth-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: grafana-config
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: grafana-auth-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: admin-user
      remoteRef:
-        key: /cl01tl/grafana/config
+        key: /cl01tl/grafana/auth
        property: admin-user
    - secretKey: admin-password
      remoteRef:
-        key: /cl01tl/grafana/config
+        key: /cl01tl/grafana/auth
        property: admin-password

 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: grafana-oidc-authentik
+  name: grafana-oauth-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: grafana-oidc-authentik
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: grafana-oauth-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: AUTH_CLIENT_ID
      remoteRef:
-        key: /cl01tl/authentik/oidc/grafana
+        key: /authentik/oidc/grafana
        property: client
    - secretKey: AUTH_CLIENT_SECRET
      remoteRef:
-        key: /cl01tl/authentik/oidc/grafana
+        key: /authentik/oidc/grafana
        property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: grafana-operator-postgresql-18-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: grafana-operator-postgresql-18-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        key: /digital-ocean/home-infra/postgres-backups
+        property: access
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        key: /digital-ocean/home-infra/postgres-backups
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: grafana-operator-postgresql-18-cluster-backup-secret-garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: grafana-operator-postgresql-18-cluster-backup-secret-garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        key: /garage/home-infra/postgres-backups
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        key: /garage/home-infra/postgres-backups
+        property: ACCESS_SECRET_KEY
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        key: /garage/home-infra/postgres-backups
+        property: ACCESS_REGION
--- a/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-ceph
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -23,7 +24,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-coredns
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -41,7 +43,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-etcd
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -59,7 +62,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-garage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -77,7 +81,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-loki
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -95,7 +100,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-node-full
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -113,7 +119,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-node-short
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -131,7 +138,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-pods
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -149,7 +157,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-argocd
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -167,7 +176,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-blocky
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -185,7 +195,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-cert-manager
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -203,7 +214,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-cloudnative-pg
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -221,7 +233,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-descheduler
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -239,7 +252,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-external-dns
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -257,7 +271,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-external-secrets
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -275,7 +290,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-gatus
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -293,7 +309,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-operator
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -311,7 +328,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-harbor
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -329,7 +347,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-speedtest-exporter
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -347,7 +366,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-spegel
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -365,7 +385,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-traefik
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -383,7 +404,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-tdarr
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -401,7 +423,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-unpoller
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -419,7 +442,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-version-checker-internal
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -437,7 +461,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-version-checker
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -455,7 +480,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-volsync
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -473,7 +499,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-s3
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -491,7 +518,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-authentik
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -509,7 +537,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-gitea
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -527,7 +556,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-ntfy
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -545,7 +575,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-openbao
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -563,7 +594,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-qbittorrent
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -581,7 +613,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-vault
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -599,7 +632,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-unpackerr
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -617,7 +651,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-airgradient
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -635,7 +670,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-server-power-consumption
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -653,7 +689,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-immich
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -671,7 +708,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-jellyfin
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -689,7 +727,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-navidrome
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -707,7 +746,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-radarr
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -725,7 +765,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-servarr
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -743,7 +784,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-sonarr
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
--- a/clusters/cl01tl/helm/grafana-operator/templates/grafana-datasource.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/templates/grafana-datasource.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-datasource-prometheus
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  datasource:
    name: Prometheus
@@ -32,7 +33,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-datasource-loki
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  datasource:
    name: Loki
--- a/clusters/cl01tl/helm/grafana-operator/templates/grafana-folder.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/templates/grafana-folder.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-folder-application
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -39,7 +40,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-folder-iot
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -73,7 +75,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-folder-platform
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -107,7 +110,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-folder-service
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
@@ -141,7 +145,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-folder-system
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
--- a/clusters/cl01tl/helm/grafana-operator/templates/grafana.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/templates/grafana.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-main
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
    app: grafana-main
 spec:
  config:
@@ -56,7 +57,7 @@ spec:
          containers:
            - name: grafana
              # renovate: datasource=docker depName=grafana/grafana
-              image: grafana/grafana:13.0.1@sha256:0f86bada30d65ef9d0183b90c1e2682ac92d53d95da8bed322b984ea78a4a73a
+              image: grafana/grafana:12.4.2@sha256:83749231c3835e390a3144e5e940203e42b9589761f20ef3169c716e734ad505
              resources:
                requests:
                  cpu: 20m
@@ -65,22 +66,22 @@ spec:
                - name: AUTH_CLIENT_ID
                  valueFrom:
                    secretKeyRef:
-                      name: grafana-oidc-authentik
+                      name: grafana-oauth-secret
                      key: AUTH_CLIENT_ID
                - name: AUTH_CLIENT_SECRET
                  valueFrom:
                    secretKeyRef:
-                      name: grafana-oidc-authentik
+                      name: grafana-oauth-secret
                      key: AUTH_CLIENT_SECRET
                - name: ADMIN_USER
                  valueFrom:
                    secretKeyRef:
-                      name: grafana-config
+                      name: grafana-auth-secret
                      key: admin-user
                - name: ADMIN_PASSWORD
                  valueFrom:
                    secretKeyRef:
-                      name: grafana-config
+                      name: grafana-auth-secret
                      key: admin-password
                - name: DB_HOST
                  valueFrom:
--- a/clusters/cl01tl/helm/grimmory/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/grimmory/templates/_helpers.tpl
@@ -1,24 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.booksNfsName" -}}
-grimmory-books-nfs-storage
-{{- end -}}
-{{- define "custom.booksImportNfsName" -}}
-grimmory-books-import-nfs-storage
-{{- end -}}
--- a/clusters/cl01tl/helm/grimmory/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/grimmory/templates/external-secret.yaml
@@ -1,21 +1,42 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: grimmory-database-config
+  name: grimmory-database-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: grimmory-database-config
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: grimmory-database-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: password
      remoteRef:
        key: /cl01tl/grimmory/database
        property: password

+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: grimmory-data-replication-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: grimmory-data-replication-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: psk.txt
+      remoteRef:
+        key: /cl01tl/grimmory/replication
+        property: psk.txt
+
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -24,11 +45,12 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grimmory-mariadb-cluster-backup-secret-external
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: access
      remoteRef:
@@ -47,17 +69,18 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grimmory-mariadb-cluster-backup-secret-garage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: access
      remoteRef:
        key: /garage/home-infra/mariadb-backups
-        property: ACCESS_KEY_ID
+        property: access
    - secretKey: secret
      remoteRef:
        key: /garage/home-infra/mariadb-backups
-        property: ACCESS_SECRET_KEY
+        property: secret
--- a/clusters/cl01tl/helm/grimmory/templates/namespace.yaml
+++ b/clusters/cl01tl/helm/grimmory/templates/namespace.yaml
@@ -1,7 +1,13 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Release.Namespace }}
+  name: grimmory
+  annotations:
+    volsync.backube/privileged-movers: "true"
  labels:
-    app.kubernetes.io/name: {{ .Release.Namespace }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: grimmory
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged
--- a/clusters/cl01tl/helm/grimmory/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/grimmory/templates/persistent-volume-claim.yaml
@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.booksNfsName" . }}
+  name: grimmory-books-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: grimmory-books-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.booksNfsName" . }}
+  volumeName: grimmory-books-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.booksImportNfsName" . }}
+  name: grimmory-books-import-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.booksImportNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: grimmory-books-import-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.booksImportNfsName" . }}
+  volumeName: grimmory-books-import-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/grimmory/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/grimmory/templates/persistent-volume.yaml
@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.booksNfsName" . }}
+  name: grimmory-books-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: grimmory-books-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.booksImportNfsName" . }}
+  name: grimmory-books-import-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.booksImportNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: grimmory-books-import-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -38,7 +40,7 @@ spec:
  accessModes:
    - ReadWriteMany
  nfs:
-    path: '/volume2/Storage/Books Import'
+    path: /volume2/Storage/Books Import
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
--- a/Show More
+++ b/Show More