chore(deps): update ghcr.io/gethomepage/homepage docker tag to v1.12.1

2026-03-29 00:35:29 +00:00
622 changed files with 6599 additions and 7905 deletions
--- a/.DS_Store
+++ b/.DS_Store
--- a/.gitea/workflows/lint-test-helm.yaml
+++ b/.gitea/workflows/lint-test-helm.yaml
@@ -16,8 +16,8 @@ on:
 env:
  CLUSTER: cl01tl
  BASE_BRANCH: "origin/${{ github.base_ref }}"
  # renovate: datasource=github-releases depName=yannh/kubeconform
  KUBECONFORM_VERSION: "v0.6.7"
  ARGOCD_VERSION: "v3.3.6"
 jobs:
  lint-helm:
@@ -102,7 +102,7 @@ jobs:
            echo ""
            echo "${CHANGED_CHARTS}"
-            CHANGED_CHARTS_CSV=$(echo "${CHANGED_CHARTS}" | paste -sd ',' -)
+            CHANGED_CHARTS_CSV=$(echo "$CHANGED_CHARTS" | paste -sd ',' -)
            echo ""
            echo "----"
@@ -236,17 +236,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Cache Kubeconform
        id: cache-kubeconform
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: /usr/local/bin/kubeconform
          key: ${{ runner.os }}-kubeconform-${{ env.KUBECONFORM_VERSION }}
          restore-keys: |
            ${{ runner.os }}-kubeconform-
      - name: Install Kubeconform
        if: steps.cache-kubeconform.outputs.cache-hit != 'true'
        run: |
          echo ">> Downloading Kubeconform ${{ env.KUBECONFORM_VERSION }} ..."
          wget -q https://github.com/yannh/kubeconform/releases/download/${{ env.KUBECONFORM_VERSION }}/kubeconform-linux-amd64.tar.gz
@@ -259,8 +249,6 @@ jobs:
          echo ">> Installing Kubeconform ..."
          sudo mv kubeconform /usr/local/bin/
      - name: Verify installation
        run: |
          echo ""
          echo ">> Verifying installation ..."
          kubeconform -v
@@ -336,7 +324,7 @@ jobs:
            helm dependency build "${CHART_PATH}" --skip-refresh
-            if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor" | \
+            if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute" | \
              kubeconform \
                ${SCHEMA_LOCATIONS} \
                -ignore-missing-schemas \
@@ -377,243 +365,3 @@ jobs:
          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
          actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
          image: true
  # argo-diff:
  #   needs: lint-helm
  #   runs-on: ubuntu-js
  #   if: |
  #     needs.lint-helm.result == 'success' &&
  #     needs.lint-helm.outputs.changes-detected == 'true' &&
  #     github.event_name == 'pull_request'
  #   steps:
  #     - name: Checkout
  #       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
  #       with:
  #         fetch-depth: 0
  #     - name: Cache ArgoCD CLI
  #       id: cache-argocd
  #       uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
  #       with:
  #         path: /usr/local/bin/argocd
  #         key: ${{ runner.os }}-argocd-${{ env.ARGOCD_VERSION }}
  #         restore-keys: |
  #           ${{ runner.os }}-argocd-
  #     - name: Install ArgoCD CLI
  #       if: steps.cache-argocd.outputs.cache-hit != 'true'
  #       run: |
  #         echo ">> Downloading ArgoCD CLI, version: ${{ env.ARGOCD_VERSION }} ..."
  #         curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/download/${{ env.ARGOCD_VERSION }}/argocd-linux-amd64
  #         echo ""
  #         echo ">> Installing ArgoCD CLI ..."
  #         sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
  #         echo ""
  #         echo "----"
  #     - name: Verify installation
  #       run: |
  #         echo ""
  #         echo ">> Verifying installation ..."
  #         argocd version --client
  #         echo ""
  #         echo "----"
  #     - name: Set Up Helm
  #       uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
  #       with:
  #         token: ${{ secrets.GITEA_TOKEN }}
  #         # renovate: datasource=github-releases depName=helm/helm
  #         version: v4.1.3
  #         cache: true
  #     - name: Cache Helm Dependencies
  #       uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
  #       with:
  #         path: |
  #           ~/.cache/helm
  #           ~/.config/helm
  #         key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
  #         restore-keys: |
  #           helm-cache-${{ runner.os }}-
  #     - name: Add Repositories
  #       env:
  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
  #       run: |
  #         echo ">> Adding repositories for chart dependencies ..."
  #         echo ""
  #         for DIR in ${CHANGED_CHARTS}; do
  #           helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \
  #             | tail -n +2 \
  #             | awk 'NF > 0 { print $1, $3 }' \
  #             | while read -r REPO_NAME REPO_URL; do
  #               if [[ "${REPO_URL}" == oci://* ]]; then
  #                 echo ">> Ignoring OCI repo: ${REPO_URL}"
  #               elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
  #                 helm repo add "${REPO_NAME}" "${REPO_URL}"
  #               fi
  #             done || true
  #         done
  #         if helm repo list > /dev/null 2>&1; then
  #           echo ""
  #           echo ">> Update repository cache ..."
  #           helm repo update
  #         fi
  #         echo ""
  #         echo "----"
  #     - name: Render Templates
  #       id: render
  #       env:
  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
  #       run: |
  #         for APP_NAME in ${CHANGED_CHARTS}; do
  #           echo ">> Render templates for ${APP_NAME} ..."
  #           CHART_PATH="clusters/${CLUSTER}/helm/${APP_NAME}"
  #           OUTPUT_FOLDER="clusters/${CLUSTER}/manifests/${APP_NAME}/"
  #           mkdir -p "${OUTPUT_FOLDER}"
  #           helm dependency build "${CHART_PATH}" --skip-refresh
  #           NAMESPACE="${APP_NAME}"
  #           case "${APP_NAME}" in
  #             "stack")
  #               NAMESPACE="argocd"
  #               echo ">> Special Rendering into 'argocd' namespace ..."
  #               ;;
  #             "cilium" | "coredns" | "metrics-server")
  #               NAMESPACE="kube-system"
  #               echo ">> Special Rendering for ${APP_NAME} into 'kube-system' namespace ..."
  #               ;;
  #             *)
  #               echo ">> Standard Rendering ..."
  #           esac
  #           TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
  #           # Format and split rendered template
  #           echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
  #           # Strip comments again to ensure formatting correctness
  #           for file in "$OUTPUT_FOLDER"/*; do
  #             yq -i '... comments=""' $file
  #           done
  #           echo ""
  #           echo ">> Templates in output folder: ${OUTPUT_FOLDER}"
  #           ls ${OUTPUT_FOLDER}
  #         done
  #         echo "----"
  #     - name: Run App Diff
  #       id: diff
  #       env:
  #         ARGOCD_SERVER: ${{ secrets.ARGOCD_SERVER }}
  #         ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}
  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
  #       run: |
  #         FAILED_CHARTS=""
  #         DIFF_FOUND="false"
  #         EXIT_CODE=0
  #         for APP_NAME in ${CHANGED_CHARTS}; do
  #           echo ">> Running argocd app diff for ${APP_NAME} ..."
  #           if ! argocd app diff "${APP_NAME}" \
  #             --server "${ARGOCD_SERVER}" \
  #             --auth-token "${ARGOCD_AUTH_TOKEN}" \
  #             --revision ${{ github.sha }} \
  #             --local "clusters/${CLUSTER}/manifests/${APP_NAME}" \
  #             --local-repo-root "." \
  #             --grpc-web > "diff_output_${APP_NAME}.txt" 2>&1; then
  #             # ArgoCD diff returns non-zero on diff or error.
  #             # Let's capture if it actually generated a diff output to post.
  #             DIFF_FOUND="true"
  #             # Check if the output contains validation/connection errors
  #             if grep -iE 'error|failed|connection refused|timeout' "diff_output_${APP_NAME}.txt"; then
  #                echo ">> ArgoCD encountered an error validating ${APP_NAME}!"
  #                EXIT_CODE=1
  #                FAILED_CHARTS="${FAILED_CHARTS} ${APP_NAME}"
  #             fi
  #           fi
  #           if [ -s "diff_output_${APP_NAME}.txt" ]; then
  #             echo ">> Argo diff or errors:"
  #             echo ""
  #             cat diff_output_${APP_NAME}.txt
  #             echo ""
  #           else
  #             echo ">> No Argo diff found for ${APP_NAME}"
  #             rm "diff_output_${APP_NAME}.txt"
  #           fi
  #         done
  #         echo "----"
  #         echo "diff-detected=${DIFF_FOUND}" >> "$GITHUB_OUTPUT"
  #         echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
  #         exit $EXIT_CODE
  #     - name: Post Diff
  #       if: |
  #         always() &&
  #         steps.diff.outputs.diff-detected == 'true' &&
  #         github.event.pull_request.number != null
  #       env:
  #         GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
  #       run: |
  #         COMMENT_BODY="### ArgoCD Diff Results
  #         "
  #         for f in diff_output_*.txt; do
  #           APP_NAME=$(echo $f | sed 's/diff_output_//;s/.txt//')
  #           DIFF_CONTENT=$(cat "$f")
  #           COMMENT_BODY="${COMMENT_BODY}
  #         #### App: ${APP_NAME}
  #         "
  #           if [ -z "$DIFF_CONTENT" ]; then
  #             COMMENT_BODY="${COMMENT_BODY} No changes detected."
  #           else
  #             COMMENT_BODY="${COMMENT_BODY}
  #         \`\`\`diff
  #         ${DIFF_CONTENT}
  #         \`\`\`"
  #           fi
  #         done
  #         curl -X 'POST' \
  #           "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
  #           -H "Authorization: token ${GITEA_TOKEN}" \
  #           -H "Content-Type: application/json" \
  #           -d "$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')"
  #     - name: ntfy Failed
  #       uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
  #       if: failure()
  #       with:
  #         url: '${{ secrets.NTFY_URL }}'
  #         topic: '${{ secrets.NTFY_TOPIC }}'
  #         title: 'ArgoCD Diff Failure'
  #         priority: 3
  #         headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
  #         tags: action,failed
  #         details: "ArgoCD diff for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.diff.outputs.failed-charts }}"
  #         icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
  #         actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
  #         image: true
--- a/.gitea/workflows/render-manifests.yaml
+++ b/.gitea/workflows/render-manifests.yaml
@@ -50,7 +50,7 @@ jobs:
          cache: true
      - name: Configure Kubeconfig
-        uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5
+        uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
@@ -273,7 +273,7 @@ jobs:
                  NAMESPACE="argocd"
                  echo ">> Special Rendering into 'argocd' namespace ..."
                  ;;
-                "cilium" | "coredns" | "metrics-server")
+                "cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
                  NAMESPACE="kube-system"
                  echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
                  ;;
@@ -283,7 +283,7 @@ jobs:
              echo ">> Formating rendered template ..."
              local TEMPLATE
-              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
+              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
              # Format and split rendered template
              echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
@@ -314,7 +314,7 @@ jobs:
          for DIR in ${RENDER_DIR}; do
            echo "${DIR}"
-          done | xargs -P 5 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
+          done | xargs -P 4 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
          echo ""
          echo "----"
--- a/.gitea/workflows/renovate.yaml
+++ b/.gitea/workflows/renovate.yaml
@@ -13,7 +13,7 @@ on:
 jobs:
  renovate:
    runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.138.2@sha256:79765b2442117d5c87e17456aa79ae54b4e0e2a4d9212a10508e233706375556
+    container: ghcr.io/renovatebot/renovate:43.99.0@sha256:aae697086b93427dcde46eb92e08e334b018946ce19339bf044ce971ca1626e2
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
--- a/clusters/cl01tl/helm/actual/Chart.lock
+++ b/clusters/cl01tl/helm/actual/Chart.lock
@@ -2,5 +2,8 @@ dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
-digest: sha256:1c04c187e6cf768117f7f91f3a3b082937ad5854c1cf6a681ad7c02687cd543d
+- name: volsync-target
-generated: "2026-04-18T20:15:22.778699-05:00"
+  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
 digest: sha256:ff81b3d8fc831e4b8048f646fffcf597aa7410e52ecf27690eab8104047dbe6f
 generated: "2026-03-06T01:04:41.514235218Z"
--- a/clusters/cl01tl/helm/actual/Chart.yaml
+++ b/clusters/cl01tl/helm/actual/Chart.yaml
@@ -18,10 +18,10 @@ dependencies:
    alias: actual
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
-  # - name: volsync-target
+  - name: volsync-target
-  #   alias: volsync-target-data
+    alias: volsync-target-data
-  #   version: 0.8.0
+    version: 0.8.0
-  #   repository: oci://harbor.alexlebens.net/helm-charts
+    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
 # renovate: datasource=github-releases depName=actualbudget/actual
-appVersion: 26.4.0
+appVersion: 26.3.0
--- a/clusters/cl01tl/helm/actual/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/actual/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/actual/values.yaml
+++ b/clusters/cl01tl/helm/actual/values.yaml
@@ -8,7 +8,7 @@ actual:
        main:
          image:
            repository: ghcr.io/actualbudget/actual
-            tag: 26.4.0@sha256:b0e732e2c41b3dc468a71548e88ef76d3f0c157fc43d15fa05d14ec1c5747e1e
+            tag: 26.3.0@sha256:eb8bc26f53025e07e464594c12d77c52c4b95840c8dadd9b95c4f0c4660f8ad2
          env:
            - name: ACTUAL_PORT
              value: 5006
@@ -39,6 +39,7 @@ actual:
        http:
          port: 80
          targetPort: 5006
          protocol: HTTP
  route:
    main:
      kind: HTTPRoute
--- a/clusters/cl01tl/helm/argo-workflows/Chart.lock
+++ b/clusters/cl01tl/helm/argo-workflows/Chart.lock
@@ -0,0 +1,12 @@
 dependencies:
 - name: argo-workflows
  repository: https://argoproj.github.io/argo-helm
  version: 1.0.6
 - name: argo-events
  repository: https://argoproj.github.io/argo-helm
  version: 2.4.21
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 7.10.0
 digest: sha256:5635bfe609d8a901df257ef3e6cb469396a21bdd4c6f96e7e33f84036019c52b
 generated: "2026-03-24T16:59:01.228848139Z"
--- a/clusters/cl01tl/helm/argo-workflows/Chart.yaml
+++ b/clusters/cl01tl/helm/argo-workflows/Chart.yaml
@@ -0,0 +1,32 @@
 apiVersion: v2
 name: argo-workflows
 version: 1.0.0
 description: Argo Workflows
 keywords:
  - argo-workflows
  - argo-events
  - workflows
  - events
 home: https://docs.alexlebens.dev/applications/argo-workflows/
 sources:
  - https://github.com/argoproj/argo-workflows
  - https://github.com/argoproj/argo-events
  - https://github.com/argoproj/argo-helm/tree/main/charts/argo-workflows
  - https://github.com/argoproj/argo-helm/tree/main/charts/argo-events
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
 maintainers:
  - name: alexlebens
 dependencies:
  - name: argo-workflows
    version: 1.0.6
    repository: https://argoproj.github.io/argo-helm
  - name: argo-events
    version: 2.4.21
    repository: https://argoproj.github.io/argo-helm
  - name: postgres-cluster
    alias: postgres-18-cluster
    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-workflows
 appVersion: v4.0.3
--- a/clusters/cl01tl/helm/argo-workflows/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/argo-workflows/templates/external-secret.yaml
@@ -0,0 +1,22 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: argo-workflows-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: argo-workflows-oidc-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: secret
      remoteRef:
        key: /authentik/oidc/argo-workflows
        property: secret
    - secretKey: client
      remoteRef:
        key: /authentik/oidc/argo-workflows
        property: client
--- a/clusters/cl01tl/helm/argo-workflows/values.yaml
+++ b/clusters/cl01tl/helm/argo-workflows/values.yaml
@@ -0,0 +1,109 @@
 argo-workflows:
  crds:
    install: true
    keep: true
    full: true
    upgradeJob:
      image:
        repository: registry.k8s.io/kubectl
        tag: v1.35.3
  controller:
    metricsConfig:
      enabled: true
    persistence:
      postgresql:
        host: argo-workflows-postgresql-18-cluster-rw
        port: 5432
        database: app
        tableName: app
        userNameSecret:
          name: argo-workflows-postgresql-18-cluster-app
          key: username
        passwordSecret:
          name: argo-workflows-postgresql-18-cluster-app
          key: password
        ssl: false
        sslMode: disable
    workflowWorkers: 2
    workflowTTLWorkers: 2
    podCleanupWorkers: 2
    cronWorkflowWorkers: 2
    resources:
      requests:
        cpu: 1m
        memory: 20Mi
    serviceMonitor:
      enabled: true
    workflowNamespaces:
      - argo-workflows
  server:
    authModes:
      - sso
    httproute:
      enabled: true
      parentRefs:
        - group: gateway.networking.k8s.io
          kind: Gateway
          name: traefik-gateway
          namespace: traefik
      hostnames:
        - argo-workflows.alexlebens.net
      rules:
        - matches:
            - path:
                type: PathPrefix
                value: /
    sso:
      enabled: true
      issuer: https://authentik.alexlebens.net/application/o/argo-workflows/
      clientId:
        name: argo-workflows-oidc-secret
        key: client
      clientSecret:
        name: argo-workflows-oidc-secret
        key: secret
      redirectUrl: https://argo-workflows.alexlebens.net/oauth2/callback
      rbac:
        enabled: false
      scopes:
        - openid
        - email
        - profile
 argo-events:
  crds:
    install: true
    keep: true
  controller:
    resources:
      requests:
        cpu: 1m
        memory: 32Mi
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
  webhook:
    enabled: true
    resources:
      requests:
        cpu: 1m
        memory: 20Mi
 postgres-18-cluster:
  mode: recovery
  recovery:
    method: objectStore
    objectStore:
      index: 1
  backup:
    objectStore:
      - name: garage-local
        index: 1
        destinationBucket: postgres-backups
        externalSecretCredentialPath: /garage/home-infra/postgres-backups
        isWALArchiver: true
    scheduledBackups:
      - name: live-backup
        suspend: false
        immediate: true
        schedule: "0 0 14 * * *"
        backupName: garage-local
--- a/clusters/cl01tl/helm/argocd/Chart.lock
+++ b/clusters/cl01tl/helm/argocd/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
  repository: https://argoproj.github.io/argo-helm
-  version: 9.5.2
+  version: 9.4.17
-digest: sha256:5d9e6405ee944bf94df6af247164ebb9b8899144853b9a7eafabe8606affe84e
+digest: sha256:17752dbf03861cf70ee31c9a17373a5175656a2edd00ba5fcd3988a195147da8
-generated: "2026-04-19T19:53:40.43789-05:00"
+generated: "2026-03-28T01:51:34.832601868Z"
--- a/clusters/cl01tl/helm/argocd/Chart.yaml
+++ b/clusters/cl01tl/helm/argocd/Chart.yaml
@@ -13,8 +13,8 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: argo-cd
-    version: 9.5.2
+    version: 9.4.17
    repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-cd
-appVersion: v3.3.7
+appVersion: v3.3.6
--- a/clusters/cl01tl/helm/argocd/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/argocd/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/argocd/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/argocd/templates/external-secret.yaml
@@ -1,40 +1,70 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-oidc-authentik
+  name: argocd-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: argocd-oidc-authentik
+    app.kubernetes.io/name: argocd-oidc-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: secret
      remoteRef:
-        key: /cl01tl/authentik/oidc/argocd
+        key: /authentik/oidc/argocd
        property: secret
    - secretKey: client
      remoteRef:
-        key: /cl01tl/authentik/oidc/argocd
+        key: /authentik/oidc/argocd
        property: client
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-notifications-ntfy
+  name: argocd-notifications-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: argocd-notifications-ntfy
+    app.kubernetes.io/name: argocd-notifications-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: ntfy-token
      remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
+        key: /ntfy/user/cl01tl
        property: token
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: argocd-gitea-repo-infrastructure-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: type
      remoteRef:
        key: /cl01tl/argocd/credentials/repo/infrastructure
        property: type
    - secretKey: url
      remoteRef:
        key: /cl01tl/argocd/credentials/repo/infrastructure
        property: url
    - secretKey: sshPrivateKey
      remoteRef:
        key: /cl01tl/argocd/credentials/repo/infrastructure
        property: sshPrivateKey
--- a/clusters/cl01tl/helm/argocd/values.yaml
+++ b/clusters/cl01tl/helm/argocd/values.yaml
@@ -13,8 +13,8 @@ argo-cd:
        connectors:
        - config:
            issuer: https://authentik.alexlebens.net/application/o/argocd/
-            clientID: $argocd-oidc-authentik:client
+            clientID: $argocd-oidc-secret:client
-            clientSecret: $argocd-oidc-authentik:secret
+            clientSecret: $argocd-oidc-secret:secret
            insecureEnableGroups: true
            scopes:
              - openid
@@ -48,31 +48,31 @@ argo-cd:
        enabled: true
      rules:
        enabled: true
-        spec:
+      spec:
-          - alert: ArgoAppMissing
+        - alert: ArgoAppMissing
-            expr: |
+          expr: |
-              absent(argocd_app_info) == 1
+            absent(argocd_app_info) == 1
-            for: 15m
+          for: 15m
-            labels:
+          labels:
-              severity: critical
+            severity: critical
-            annotations:
+          annotations:
-              summary: "[Argo CD] No reported applications"
+            summary: "[Argo CD] No reported applications"
-              description: >
+            description: >
-                Argo CD has not reported any applications data for the past 15 minutes which
+              Argo CD has not reported any applications data for the past 15 minutes which
-                means that it must be down or not functioning properly.  This needs to be
+              means that it must be down or not functioning properly.  This needs to be
-                resolved for this cloud to continue to maintain state.
+              resolved for this cloud to continue to maintain state.
-          - alert: ArgoAppNotSynced
+        - alert: ArgoAppNotSynced
-            expr: |
+          expr: |
-              argocd_app_info{sync_status!="Synced"} == 1
+            argocd_app_info{sync_status!="Synced"} == 1
-            for: 12h
+          for: 12h
-            labels:
+          labels:
-              severity: warning
+            severity: warning
-            annotations:
+          annotations:
-              summary: "[{{`{{$labels.name}}`}}] Application not synchronized"
+            summary: "[{{`{{$labels.name}}`}}] Application not synchronized"
-              description: >
+            description: >
-                The application [{{`{{$labels.name}}`}} has not been synchronized for over
+              The application [{{`{{$labels.name}}`}} has not been synchronized for over
-                12 hours which means that the state of this cloud has drifted away from the
+              12 hours which means that the state of this cloud has drifted away from the
-                state inside Git.
+              state inside Git.
  dex:
    enabled: true
    resources:
@@ -205,7 +205,7 @@ argo-cd:
    argocdUrl: https://argocd.alexlebens.net
    secret:
      create: false
-      name: argocd-notifications-ntfy
+      name: argocd-notifications-secret
    metrics:
      enabled: true
      serviceMonitor:
--- a/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
@@ -32,4 +32,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 # renovate: datasource=github-releases depName=advplyr/audiobookshelf
-appVersion: 2.33.2
+appVersion: 2.33.1
--- a/clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl
@@ -1,27 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "custom.booksNfsName" -}}
 audiobookshelf-books-nfs-storage
 {{- end -}}
 {{- define "custom.audiobooksNfsName" -}}
 audiobookshelf-audiobooks-nfs-storage
 {{- end -}}
 {{- define "custom.podcastsNfsName" -}}
 audiobookshelf-podcasts-nfs-storage
 {{- end -}}
--- a/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
@@ -1,23 +1,18 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: audiobookshelf-config-apprise
+  name: audiobookshelf-apprise-config
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: audiobookshelf-config-apprise
+    app.kubernetes.io/name: audiobookshelf-apprise-config
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
        ntfy-url: "{{ `{{ .endpoint }}` }}/audiobookshelf"
  data:
-    - secretKey: endpoint
+    - secretKey: ntfy-url
      remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
+        key: /cl01tl/audiobookshelf/apprise
-        property: internal-endpoint-credential
+        property: ntfy-url
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.booksNfsName" . }}
+  name: audiobookshelf-books-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
-    {{ include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.booksNfsName" . }}
+  volumeName: audiobookshelf-books-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.audiobooksNfsName" . }}
+  name: audiobookshelf-audiobooks-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.audiobooksNfsName" . }}
+  volumeName: audiobookshelf-audiobooks-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
@@ -37,13 +39,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.podcastsNfsName" . }}
+  name: audiobookshelf-podcasts-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.podcastsNfsName" . }}
+  volumeName: audiobookshelf-podcasts-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.booksNfsName" . }}
+  name: audiobookshelf-books-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.audiobooksNfsName" . }}
+  name: audiobookshelf-audiobooks-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -49,11 +51,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.podcastsNfsName" . }}
+  name: audiobookshelf-podcasts-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
+    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
--- a/clusters/cl01tl/helm/audiobookshelf/values.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/values.yaml
@@ -12,7 +12,7 @@ audiobookshelf:
        main:
          image:
            repository: ghcr.io/advplyr/audiobookshelf
-            tag: 2.33.2@sha256:a44ed89b3e845faa1f7d353f2cc89b2fcd8011737dd14075fa963cf9468da3a5
+            tag: 2.33.1@sha256:a4a5841bba093d81e5f4ad1eaedb4da3fda6dbb2528c552349da50ad1f7ae708
          env:
            - name: TZ
              value: America/Chicago
@@ -40,7 +40,7 @@ audiobookshelf:
            - name: APPRISE_STATELESS_URLS
              valueFrom:
                secretKeyRef:
-                  name: audiobookshelf-config-apprise
+                  name: audiobookshelf-apprise-config
                  key: ntfy-url
  service:
    main:
@@ -49,9 +49,11 @@ audiobookshelf:
        http:
          port: 80
          targetPort: 80
          protocol: HTTP
        apprise:
          port: 8000
          targetPort: 8000
          protocol: HTTP
  serviceMonitor:
    main:
      selector:
--- a/clusters/cl01tl/helm/authentik/Chart.lock
+++ b/clusters/cl01tl/helm/authentik/Chart.lock
@@ -1,15 +1,15 @@
 dependencies:
 - name: authentik
  repository: https://charts.goauthentik.io/
-  version: 2026.2.2
+  version: 2026.2.1
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.5.0
+  version: 2.4.0
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.11.2
+  version: 7.10.0
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
+  version: 0.4.0
-digest: sha256:22fe4d9ec592aa74cbff5596e8d900f607bd68ea14c7df70a94b4ef76727614d
+digest: sha256:8c353c5dad4c3d04d518c1445497f0d1cb64261a4201ae17a2c0874454b807a7
-generated: "2026-04-13T20:32:12.748342469Z"
+generated: "2026-03-15T20:04:35.99407071Z"
--- a/clusters/cl01tl/helm/authentik/Chart.yaml
+++ b/clusters/cl01tl/helm/authentik/Chart.yaml
@@ -18,18 +18,18 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: authentik
-    version: 2026.2.2
+    version: 2026.2.1
    repository: https://charts.goauthentik.io/
  - name: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.5.0
+    version: 2.4.0
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.11.2
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey
-    version: 0.6.1
+    version: 0.4.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
 # renovate: datasource=github-releases depName=goauthentik/authentik
--- a/clusters/cl01tl/helm/authentik/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/authentik/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/authentik/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/external-secret.yaml
@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: authentik-key
+  name: authentik-key-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: authentik-key
+    app.kubernetes.io/name: authentik-key-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: key
      remoteRef:
--- a/clusters/cl01tl/helm/authentik/templates/ingress.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/ingress.yaml
@@ -1,11 +1,12 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ .Release.Name }}-tailscale
+  name: authentik-tailscale
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
+    app.kubernetes.io/name: authentik-tailscale
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
    tailscale.com/proxy-class: no-metrics
  annotations:
    tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
@@ -25,4 +26,4 @@ spec:
              service:
                name: authentik-server
                port:
-                  name: http
+                  number: 80
--- a/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: allow-outpost-cross-namespace-access
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  from:
    - group: gateway.networking.k8s.io
--- a/clusters/cl01tl/helm/authentik/values.yaml
+++ b/clusters/cl01tl/helm/authentik/values.yaml
@@ -4,7 +4,7 @@ authentik:
      - name: AUTHENTIK_SECRET_KEY
        valueFrom:
          secretKeyRef:
-            name: authentik-key
+            name: authentik-key-secret
            key: key
      - name: AUTHENTIK_POSTGRESQL__HOST
        valueFrom:
@@ -77,10 +77,6 @@ authentik:
      enabled: true
 postgres-18-cluster:
  mode: recovery
  cluster:
    resources:
      requests:
        memory: 150Mi
  recovery:
    method: objectStore
    objectStore:
--- a/clusters/cl01tl/helm/backrest/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/backrest/templates/_helpers.tpl
@@ -1,24 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "custom.storageNfsName" -}}
 backrest-nfs-storage
 {{- end -}}
 {{- define "custom.shareNfsName" -}}
 backrest-nfs-share
 {{- end -}}
--- a/clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: backrest-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.storageNfsName" . }}
+  volumeName: backrest-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.shareNfsName" . }}
+  name: backrest-nfs-share
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-share
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.shareNfsName" . }}
+  volumeName: backrest-nfs-share
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: backrest-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.shareNfsName" . }}
+  name: backrest-nfs-share
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
+    app.kubernetes.io/name: backrest-nfs-share
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
--- a/clusters/cl01tl/helm/backrest/values.yaml
+++ b/clusters/cl01tl/helm/backrest/values.yaml
@@ -31,6 +31,7 @@ backrest:
        http:
          port: 80
          targetPort: 9898
          protocol: TCP
  serviceMonitor:
    main:
      selector:
--- a/clusters/cl01tl/helm/bazarr/Chart.yaml
+++ b/clusters/cl01tl/helm/bazarr/Chart.yaml
@@ -5,14 +5,11 @@ description: Bazarr
 keywords:
  - bazarr
  - subtitles
  - servarr
 home: https://docs.alexlebens.dev/applications/bazarr/
 sources:
  - https://github.com/morpheus65535/bazarr
  - https://github.com/linuxserver/docker-bazarr
  - https://github.com/onedr0p/exportarr
  - https://github.com/linuxserver/docker-bazarr/pkgs/container/bazarr
  - https://github.com/onedr0p/exportarr/pkgs/container/exportarr
  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
@@ -27,5 +24,5 @@ dependencies:
    version: 0.8.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
-# renovate: datasource=github-releases depName=linuxserver/docker-bazarr
+# renovate: datasource=github-releases depName=morpheus65535/bazarr
-appVersion: v1.5.6-ls342
+appVersion: 1.5.6
--- a/clusters/cl01tl/helm/bazarr/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/bazarr/templates/_helpers.tpl
@@ -1,21 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "custom.storageNfsName" -}}
 bazarr-nfs-storage
 {{- end -}}
--- a/clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
@@ -1,17 +0,0 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: bazarr-key
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: bazarr-key
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: key
      remoteRef:
        key: /cl01tl/bazarr/key
        property: key
--- a/clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: bazarr-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
+    app.kubernetes.io/name: bazarr-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.storageNfsName" . }}
+  volumeName: bazarr-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: bazarr-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
+    app.kubernetes.io/name: bazarr-nfs-storage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
--- a/clusters/cl01tl/helm/bazarr/values.yaml
+++ b/clusters/cl01tl/helm/bazarr/values.yaml
@@ -23,28 +23,11 @@ bazarr:
            - name: PGID
              value: 1000
          resources:
            limits:
              cpu: 100m
            requests:
-              cpu: 10m
+              cpu: 1m
              memory: 250Mi
        metrics:
          image:
            repository: ghcr.io/onedr0p/exportarr
            tag: v2.3.0@sha256:af535d94061cf97a52e1661945ffba78c03f9443eae7c0da1a80a5a4be56b520
          args: ["bazarr"]
          env:
            - name: URL
              value: http://localhost:6767
            - name: PORT
              value: 9792
            - name: APIKEY
              valueFrom:
                secretKeyRef:
                  name: bazarr-key
                  key: key
            - name: ENABLE_ADDITIONAL_METRICS
              value: false
            - name: ENABLE_UNKNOWN_QUEUE_ITEMS
              value: false
  service:
    main:
      controller: main
@@ -52,21 +35,7 @@ bazarr:
        http:
          port: 80
          targetPort: 6767
-        metrics:
+          protocol: HTTP
          port: 9792
          targetPort: 9792
  serviceMonitor:
    main:
      selector:
        matchLabels:
          app.kubernetes.io/name: bazarr
          app.kubernetes.io/instance: bazarr
      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
      endpoints:
        - port: metrics
          interval: 3m
          scrapeTimeout: 1m
          path: /metrics
  route:
    main:
      kind: HTTPRoute
--- a/clusters/cl01tl/helm/blocky/Chart.lock
+++ b/clusters/cl01tl/helm/blocky/Chart.lock
@@ -4,6 +4,6 @@ dependencies:
  version: 4.6.2
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
+  version: 0.4.0
-digest: sha256:6ed3a7587906fbda581d0091ff2c29a1816b8b0b8ae40add9885e6a68b2b82ae
+digest: sha256:a5b0099261d772b24a302a106d106cfa82ac07fa14564141e00cf107d708e859
-generated: "2026-04-13T20:32:34.844998902Z"
+generated: "2026-03-09T23:06:16.853255429Z"
--- a/clusters/cl01tl/helm/blocky/Chart.yaml
+++ b/clusters/cl01tl/helm/blocky/Chart.yaml
@@ -20,7 +20,7 @@ dependencies:
    version: 4.6.2
  - name: valkey
    alias: valkey
-    version: 0.6.1
+    version: 0.4.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
 # renovate: datasource=github-releases depName=0xerr0r/blocky
--- a/clusters/cl01tl/helm/blocky/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/blocky/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/blocky/values.yaml
+++ b/clusters/cl01tl/helm/blocky/values.yaml
@@ -102,13 +102,14 @@ blocky:
              ;; Application Names
              actual                          IN      CNAME   traefik-cl01tl
              alertmanager                    IN      CNAME   traefik-cl01tl
              argo-workflows                  IN      CNAME   traefik-cl01tl
              argocd                          IN      CNAME   traefik-cl01tl
              audiobookshelf                  IN      CNAME   traefik-cl01tl
              authentik                       IN      CNAME   traefik-cl01tl
              backrest                        IN      CNAME   traefik-cl01tl
              bao                             IN      CNAME   traefik-cl01tl
              bazarr                          IN      CNAME   traefik-cl01tl
              ceph                            IN      CNAME   traefik-cl01tl
              code-server                     IN      CNAME   traefik-cl01tl
              dawarich                        IN      CNAME   traefik-cl01tl
              directus                        IN      CNAME   traefik-cl01tl
              excalidraw                      IN      CNAME   traefik-cl01tl
@@ -136,16 +137,16 @@ blocky:
              lidarr                          IN      CNAME   traefik-cl01tl
              mail                            IN      CNAME   traefik-cl01tl
              medialyze                       IN      CNAME   traefik-cl01tl
              movie-roulette                  IN      CNAME   traefik-cl01tl
              music-grabber                   IN      CNAME   traefik-cl01tl
              navidrome                       IN      CNAME   traefik-cl01tl
              ntfy                            IN      CNAME   traefik-cl01tl
              objects                         IN      CNAME   traefik-cl01tl
              ollama                          IN      CNAME   traefik-cl01tl
              omni-tools                      IN      CNAME   traefik-cl01tl
-              paperless-ngx                   IN      CNAME   traefik-cl01tl
+              photoview                       IN      CNAME   traefik-cl01tl
              plex                            IN      CNAME   traefik-cl01tl
-              postiz-spotlight                IN      CNAME   traefik-cl01tl
+              postiz                          IN      CNAME   traefik-cl01tl
              postiz-temporal                 IN      CNAME   traefik-cl01tl
              prometheus                      IN      CNAME   traefik-cl01tl
              prowlarr                        IN      CNAME   traefik-cl01tl
              qbittorrent                     IN      CNAME   traefik-cl01tl
@@ -161,7 +162,6 @@ blocky:
              sonarr                          IN      CNAME   traefik-cl01tl
              sonarr-4k                       IN      CNAME   traefik-cl01tl
              sonarr-anime                    IN      CNAME   traefik-cl01tl
              sparkyfitness                   IN      CNAME   traefik-cl01tl
              stalwart                        IN      CNAME   traefik-cl01tl
              tdarr                           IN      CNAME   traefik-cl01tl
              tubearchivist                   IN      CNAME   traefik-cl01tl
--- a/clusters/cl01tl/helm/cert-manager/Chart.lock
+++ b/clusters/cl01tl/helm/cert-manager/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.20.2
+  version: v1.20.1
-digest: sha256:f218239b4538c64d57e098a56c69dcbc4e076ffcc3d320c5a5fef1e6309e38cf
+digest: sha256:1bf36eba44cf096b40355a697b8cffb302f07f9135374222aabdf686f017b7a9
-generated: "2026-04-13T23:02:59.380767677Z"
+generated: "2026-03-28T01:35:24.542754563Z"
--- a/clusters/cl01tl/helm/cert-manager/Chart.yaml
+++ b/clusters/cl01tl/helm/cert-manager/Chart.yaml
@@ -13,8 +13,8 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: cert-manager
-    version: v1.20.2
+    version: v1.20.1
    repository: https://charts.jetstack.io
 icon: https://raw.githubusercontent.com/cert-manager/cert-manager/refs/heads/master/logo/logo.png
 # renovate: datasource=github-releases depName=cert-manager/cert-manager
-appVersion: v1.20.2
+appVersion: v1.20.1
--- a/clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl
@@ -1,24 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 {{/*
 NFS names
 */}}
 {{- define "custom.cloudflareSecretName" -}}
 cert-manager-cloudflare-api-token
 {{- end -}}
 {{- define "custom.cloudflareSecretKey" -}}
 api-token
 {{- end -}}
--- a/clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: letsencrypt-issuer
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  acme:
    email: alexanderlebens@gmail.com
@@ -21,5 +22,5 @@ spec:
          cloudflare:
            email: alexanderlebens@gmail.com
            apiTokenSecretRef:
-              name: {{ include "custom.cloudflareSecretName" . }}
+              name: cloudflare-api-token
-              key: {{ include "custom.cloudflareSecretKey" . }}
+              key: api-token
--- a/clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
@@ -1,17 +1,18 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: {{ include "custom.cloudflareSecretName" . }}
+  name: cloudflare-api-token
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.cloudflareSecretName" . }}
+    app.kubernetes.io/name: cloudflare-api-token
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
-    - secretKey: {{ include "custom.cloudflareSecretKey" . }}
+    - secretKey: api-token
      remoteRef:
-        key: /cloudflare/alexlebens.net/cl01tl-issuer-certificate
+        key: /cloudflare/alexlebens.net/clusterissuer
        property: token
--- a/clusters/cl01tl/helm/cilium/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cilium/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml
@@ -0,0 +1,19 @@
 # apiVersion: cilium.io/v2
 # kind: CiliumBGPAdvertisement
 # metadata:
 #   name: cilium-bgp-advertisements
 #   namespace: {{ .Release.Namespace }}
 #   labels:
 #     app.kubernetes.io/name: cilium-bgp-advertisements
 #     app.kubernetes.io/instance: {{ .Release.Name }}
 #     app.kubernetes.io/part-of: {{ .Release.Name }}
 # spec:
 #   advertisements:
 #     - advertisementType: "Service"
 #       service:
 #         addresses:
 #           - ExternalIP
 #           - LoadBalancerIP
 #       selector:
 #         matchExpressions:
 #          - {key: somekey, operator: NotIn, values: ['never-used-value']}
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml
@@ -0,0 +1,22 @@
 # apiVersion: cilium.io/v2
 # kind: CiliumBGPClusterConfig
 # metadata:
 #   name: cilium-bgp
 #   namespace: {{ .Release.Namespace }}
 #   labels:
 #     app.kubernetes.io/name: cilium-bgp
 #     app.kubernetes.io/instance: {{ .Release.Name }}
 #     app.kubernetes.io/part-of: {{ .Release.Name }}
 # spec:
 #   nodeSelector:
 #     matchLabels:
 #       node-role.kubernetes.io/bgp: "65020"
 #   bgpInstances:
 #     - name: "65020"
 #       localASN: 65020
 #       peers:
 #         - name: "udm-65000"
 #           peerASN: 65000
 #           peerAddress: 192.168.1.1
 #           peerConfigRef:
 #             name: "cilium-peer"
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml
@@ -0,0 +1,23 @@
 # apiVersion: cilium.io/v2
 # kind: CiliumBGPPeerConfig
 # metadata:
 #   name: cilium-peer
 #   namespace: {{ .Release.Namespace }}
 #   labels:
 #     app.kubernetes.io/name: cilium-peer
 #     app.kubernetes.io/instance: {{ .Release.Name }}
 #     app.kubernetes.io/part-of: {{ .Release.Name }}
 # spec:
 #   timers:
 #     holdTimeSeconds: 9
 #     keepAliveTimeSeconds: 3
 #   ebgpMultihop: 4
 #   gracefulRestart:
 #     enabled: true
 #     restartTimeSeconds: 15
 #   families:
 #     - afi: ipv4
 #       safi: unicast
 #       advertisements:
 #         matchLabels:
 #           app.kubernetes.io/name: cilium-bgp-advertisements
--- a/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: default-ip-pool
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  blocks:
    - start: "10.232.1.21"
@@ -19,7 +20,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: bgp-ip-pool
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  blocks:
    - start: "10.232.2.100"
--- a/clusters/cl01tl/helm/cilium/templates/gateway.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/gateway.yaml
@@ -0,0 +1,45 @@
 # apiVersion: gateway.networking.k8s.io/v1
 # kind: Gateway
 # metadata:
 #   name: cilium-tls-gateway
 #   namespace: {{ .Release.Namespace }}
 #   labels:
 #     app.kubernetes.io/name: cilium-tls-gateway
 #     app.kubernetes.io/instance: {{ .Release.Name }}
 #     app.kubernetes.io/part-of: {{ .Release.Name }}
 #   annotations:
 #     cert-manager.io/cluster-issuer: letsencrypt-issuer
 # spec:
 #   addresses:
 #     - type: IPAddress
 #       value: 10.232.1.23
 #   gatewayClassName: cilium
 #   listeners:
 #     - allowedRoutes:
 #         namespaces:
 #           from: All
 #       hostname: '*.alexlebens.net'
 #       name: https
 #       port: 443
 #       protocol: HTTPS
 #       tls:
 #         certificateRefs:
 #           - group: ''
 #             kind: Secret
 #             name: https-gateway-cert
 #             namespace: kube-system
 #         mode: Terminate
 #     - allowedRoutes:
 #         namespaces:
 #           from: All
 #       hostname: 'alexlebens.net'
 #       name: https-domain
 #       port: 443
 #       protocol: HTTPS
 #       tls:
 #         certificateRefs:
 #           - group: ''
 #             kind: Secret
 #             name: https-gateway-cert
 #             namespace: kube-system
 #         mode: Terminate
--- a/clusters/cl01tl/helm/cilium/templates/http-route.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/http-route.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: hubble
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  parentRefs:
    - group: gateway.networking.k8s.io
@@ -20,6 +21,8 @@ spec:
          type: PathPrefix
          value: /
      backendRefs:
-        - kind: Service
+        - group: ''
          kind: Service
          name: hubble-ui
          port: 80
          weight: 100
--- a/clusters/cl01tl/helm/cloudnative-pg/Chart.lock
+++ b/clusters/cl01tl/helm/cloudnative-pg/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: cloudnative-pg
  repository: https://cloudnative-pg.io/charts/
-  version: 0.28.0
+  version: 0.27.1
 - name: plugin-barman-cloud
  repository: https://cloudnative-pg.io/charts/
-  version: 0.6.0
+  version: 0.5.0
-digest: sha256:48241acb753e635a01b306b90cfbce13ed3c0105a33ec7d36f159e3a7fe607f3
+digest: sha256:e7089ffd089cae87529e28f0e71302b9fc4a869b389cbb6628f1c559644a3a10
-generated: "2026-04-14T09:03:10.332065288Z"
+generated: "2026-02-05T19:36:19.473447121Z"
--- a/clusters/cl01tl/helm/cloudnative-pg/Chart.yaml
+++ b/clusters/cl01tl/helm/cloudnative-pg/Chart.yaml
@@ -17,11 +17,11 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: cloudnative-pg
-    version: 0.28.0
+    version: 0.27.1
    repository: https://cloudnative-pg.io/charts/
  - name: plugin-barman-cloud
-    version: 0.6.0
+    version: 0.5.0
    repository: https://cloudnative-pg.io/charts/
 icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png
 # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
-appVersion: 1.29.0
+appVersion: 1.28.1
--- a/clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/code-server/Chart.lock
+++ b/clusters/cl01tl/helm/code-server/Chart.lock
@@ -0,0 +1,12 @@
 dependencies:
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 2.4.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
 digest: sha256:dee0f52096efc543f4db3a5dc2732fd37ae9b7950b264e399a6e74c2f3e7cee6
 generated: "2026-03-09T22:04:00.58415637Z"
--- a/clusters/cl01tl/helm/code-server/Chart.yaml
+++ b/clusters/cl01tl/helm/code-server/Chart.yaml
@@ -0,0 +1,32 @@
 apiVersion: v2
 name: code-server
 version: 1.0.0
 description: Code Server
 keywords:
  - code-server
  - code
 home: https://docs.alexlebens.dev/applications/code-server/
 sources:
  - https://github.com/coder/code-server
  - https://github.com/linuxserver/docker-code-server
  - https://github.com/linuxserver/docker-code-server/pkgs/container/code-server
  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
  - name: alexlebens
 dependencies:
  - name: app-template
    alias: code-server
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
  - name: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
    version: 2.4.0
  - name: volsync-target
    alias: volsync-target-config
    version: 0.8.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
 # renovate: datasource=github-releases depName=coder/code-server
 appVersion: 4.112.0
--- a/clusters/cl01tl/helm/code-server/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/code-server/templates/external-secret.yaml
@@ -0,0 +1,22 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: codeserver-password-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: codeserver-password-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: PASSWORD
      remoteRef:
        key: /cl01tl/code-server/auth
        property: PASSWORD
    - secretKey: SUDO_PASSWORD
      remoteRef:
        key: /cl01tl/code-server/auth
        property: SUDO_PASSWORD
--- a/clusters/cl01tl/helm/code-server/values.yaml
+++ b/clusters/cl01tl/helm/code-server/values.yaml
@@ -0,0 +1,84 @@
 code-server:
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      pod:
        securityContext:
          fsGroup: 1000
          fsGroupChangePolicy: OnRootMismatch
      containers:
        main:
          image:
            repository: ghcr.io/linuxserver/code-server
            tag: 4.112.0@sha256:4bb5b8ad22268001687c047f0f04933799fb03df1eb0e1e266ba15ed2d9f4e8b
          env:
            - name: TZ
              value: America/Chicago
            - name: PUID
              value: 1000
            - name: PGID
              value: 1000
            - name: DEFAULT_WORKSPACE
              value: /config
          envFrom:
            - secretRef:
                name: codeserver-password-secret
          resources:
            requests:
              cpu: 1m
              memory: 50Mi
  service:
    main:
      controller: main
      ports:
        http:
          port: 8443
          targetPort: 8443
          protocol: HTTP
  route:
    main:
      kind: HTTPRoute
      parentRefs:
        - group: gateway.networking.k8s.io
          kind: Gateway
          name: traefik-gateway
          namespace: traefik
      hostnames:
        - code-server.alexlebens.net
      rules:
        - backendRefs:
            - name: code-server
              port: 8443
          matches:
            - path:
                type: PathPrefix
                value: /
  persistence:
    config:
      forceRename: code-server-config
      storageClass: ceph-block
      accessMode: ReadWriteOnce
      size: 2Gi
      advancedMounts:
        main:
          main:
            - path: /config
              readOnly: false
 volsync-target-config:
  pvcTarget: code-server-config
  moverSecurityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    fsGroupChangePolicy: OnRootMismatch
  local:
    enabled: true
    schedule: 16 8 * * *
  remote:
    enabled: true
    schedule: 16 9 * * *
  external:
    enabled: true
    schedule: 16 10 * * *
--- a/clusters/cl01tl/helm/coredns/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/coredns/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/dawarich/Chart.lock
+++ b/clusters/cl01tl/helm/dawarich/Chart.lock
@@ -4,18 +4,9 @@ dependencies:
  version: 4.6.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.11.2
+  version: 7.10.0
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
+  version: 0.4.0
- name: volsync-target
+digest: sha256:7584c2a1613454bbd83b66df46170fd0157df5186842844d483e2dd131398574
-  repository: oci://harbor.alexlebens.net/helm-charts
+generated: "2026-03-15T20:04:49.68456485Z"
  version: 0.8.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
 digest: sha256:6ece439d5549b7d7ccd75053846bb9b2e8f9798a2e2163eac6f62bf5cf222587
 generated: "2026-04-13T20:32:54.380897459Z"
--- a/clusters/cl01tl/helm/dawarich/Chart.yaml
+++ b/clusters/cl01tl/helm/dawarich/Chart.yaml
@@ -12,7 +12,6 @@ sources:
  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
  - name: alexlebens
 dependencies:
@@ -22,24 +21,12 @@ dependencies:
    version: 4.6.2
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.11.2
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey
-    version: 0.6.1
+    version: 0.4.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-storage
    version: 0.8.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-public
    version: 0.8.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-watched
    version: 0.8.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
 # renovate: datasource=github-releases depName=Freika/dawarich
-appVersion: 1.6.1
+appVersion: 1.4.0
--- a/clusters/cl01tl/helm/dawarich/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/dawarich/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-key
+  name: dawarich-key-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: dawarich-key
+    app.kubernetes.io/name: dawarich-key-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: key
      remoteRef:
@@ -20,21 +21,22 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-oidc-authentik
+  name: dawarich-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: dawarich-oidc-authentik
+    app.kubernetes.io/name: dawarich-oidc-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: client
      remoteRef:
-        key: /cl01tl/authentik/oidc/dawarich
+        key: /authentik/oidc/dawarich
        property: client
    - secretKey: secret
      remoteRef:
-        key: /cl01tl/authentik/oidc/dawarich
+        key: /authentik/oidc/dawarich
        property: secret
--- a/clusters/cl01tl/helm/dawarich/values.yaml
+++ b/clusters/cl01tl/helm/dawarich/values.yaml
@@ -8,7 +8,7 @@ dawarich:
        main:
          image:
            repository: freikin/dawarich
-            tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
+            tag: 1.4.0@sha256:07adb7643b00d1d8f606c675931d3604317fa3851b91b74ec503df8d50734cb8
          command:
            - "web-entrypoint.sh"
          args:
@@ -61,12 +61,12 @@ dawarich:
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                  key: client
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                  key: secret
            - name: OIDC_PROVIDER_NAME
              value: Authentik
@@ -81,7 +81,7 @@ dawarich:
            - name: SECRET_KEY_BASE
              valueFrom:
                secretKeyRef:
-                  name: dawarich-key
+                  name: dawarich-key-secret
                  key: key
            - name: RAILS_LOG_TO_STDOUT
              value: true
@@ -111,7 +111,7 @@ dawarich:
        sidekiq:
          image:
            repository: freikin/dawarich
-            tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
+            tag: 1.4.0@sha256:07adb7643b00d1d8f606c675931d3604317fa3851b91b74ec503df8d50734cb8
          command:
            - "sidekiq-entrypoint.sh"
          args:
@@ -211,9 +211,11 @@ dawarich:
        http:
          port: 80
          targetPort: 3000
          protocol: TCP
        metrics:
          port: 9394
          targetPort: 9394
          protocol: TCP
  serviceMonitor:
    main:
      selector:
@@ -313,36 +315,3 @@ postgres-18-cluster:
        immediate: true
        schedule: "0 10 14 * * *"
        backupName: garage-local
 volsync-target-storage:
  pvcTarget: dawarich-storage
  local:
    enabled: true
    schedule: 6 8 * * *
  remote:
    enabled: true
    schedule: 6 9 * * *
  external:
    enabled: true
    schedule: 6 10 * * *
 volsync-target-public:
  pvcTarget: dawarich-public
  local:
    enabled: true
    schedule: 8 8 * * *
  remote:
    enabled: true
    schedule: 8 9 * * *
  external:
    enabled: true
    schedule: 8 10 * * *
 volsync-target-watched:
  pvcTarget: dawarich-watched
  local:
    enabled: true
    schedule: 8 8 * * *
  remote:
    enabled: true
    schedule: 8 9 * * *
  external:
    enabled: true
    schedule: 8 10 * * *
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml
@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: synology-iscsi-config
+  name: synology-iscsi-config-secret
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: synology-iscsi-config
+    app.kubernetes.io/name: synology-iscsi-config-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: driver-config-file.yaml
      remoteRef:
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml
@@ -1,10 +1,11 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Release.Namespace }}
+  name: democratic-csi-synology-iscsi
  labels:
-    app.kubernetes.io/name: {{ .Release.Namespace }}
+    app.kubernetes.io/name: democratic-csi-synology-iscsi
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
--- a/clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
+++ b/clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
@@ -1,9 +1,6 @@
 democratic-csi:
  driver:
-    image:
+    existingConfigSecret: synology-iscsi-config-secret
      registry: ghcr.io/democratic-csi/democratic-csi
      tag: v1.9.5@@sha256:fc3b7d7ed3a616714139525075312758e23a5d425ffb539ad12c9bd20fb6001f
    existingConfigSecret: synology-iscsi-config
    config:
      driver: synology-iscsi
    resources:
@@ -13,23 +10,7 @@ democratic-csi:
  csiDriver:
    name: "org.democratic-csi.iscsi-synology"
  controller:
-    replicaCount: 3
+    replicaCount: 2
    externalAttacher:
      image:
        registry: registry.k8s.io/sig-storage/csi-attacher
        tag: v4.11.0@sha256:b74b05b39501565022883fc128002b4cb857a7bb6c858606bcb3fdedba0b0b80
    externalProvisioner:
      image:
        registry: registry.k8s.io/sig-storage/csi-provisioner
        tag: v3.6.4@sha256:e7ad666f1d9b0caa077c7f0c157c9f87d1e73858390732496f66dcc716ff10c5
    externalResizer:
      image:
        registry: registry.k8s.io/sig-storage/csi-resizer
        tag: v1.9.4@sha256:522911ef68bd2c5c17d90fb2a6d2b2fb72ae790f2c1463a466b4262a07fdbf5a
    externalSnapshotter:
      image:
        registry: registry.k8s.io/sig-storage/csi-snapshotter
        tag: v8.5.0@sha256:da081c27e8a6d91f36042c1942362d0515ced8d06e18c11b8f893e58c4d6d797
  storageClasses:
    - name: synology-iscsi-delete
      defaultClass: false
@@ -55,7 +36,3 @@ democratic-csi:
          value: /usr/local/sbin/iscsiadm
      iscsiDirHostPath: /var/iscsi
      iscsiDirHostPathType: ""
  driverRegistrar:
    image:
      registry: registry.k8s.io/sig-storage/csi-node-driver-registrar
      tag: v2.16.0@sha256:ab482308a4921e28a6df09a16ab99a457e9af9641ff44fb1be1a690d07ce8b70
--- a/clusters/cl01tl/helm/descheduler/Chart.yaml
+++ b/clusters/cl01tl/helm/descheduler/Chart.yaml
@@ -8,7 +8,6 @@ keywords:
 home: https://docs.alexlebens.dev/applications/descheduler/
 sources:
  - https://github.com/kubernetes-sigs/descheduler
  - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fdescheduler%2Fdescheduler
  - https://github.com/kubernetes-sigs/descheduler/tree/master/charts/descheduler
 maintainers:
  - name: alexlebens
--- a/clusters/cl01tl/helm/descheduler/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/descheduler/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/descheduler/values.yaml
+++ b/clusters/cl01tl/helm/descheduler/values.yaml
@@ -1,7 +1,4 @@
 descheduler:
  image:
    repository: registry.k8s.io/descheduler/descheduler
    tag: v0.35.1@sha256:871d3b804390b0b8c7cb09d4e9b7856cf30e31f9e9e3d29562b0301a10453bb1
  kind: Deployment
  resources:
    limits:
--- a/clusters/cl01tl/helm/directus/Chart.lock
+++ b/clusters/cl01tl/helm/directus/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
  version: 4.6.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.11.2
+  version: 7.10.0
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
+  version: 0.4.0
-digest: sha256:78f5065d1125792c88e4d24f5ac1ee3d6310b4997f552020c44d0615335ea329
+digest: sha256:dfcb5d35e03ecdc4206227d206d36509319f0dcdaed54363840d71337debb3f7
-generated: "2026-04-13T20:33:13.909018545Z"
+generated: "2026-03-15T20:05:03.156596646Z"
--- a/clusters/cl01tl/helm/directus/Chart.yaml
+++ b/clusters/cl01tl/helm/directus/Chart.yaml
@@ -5,7 +5,7 @@ description: Directus
 keywords:
  - directus
  - content-management-system
-home: https://docs.alexlebens.dev/applications/directus/
+home: https://docs.alexlebens.dev/applications/descheduler/
 sources:
  - https://github.com/directus/directus
  - https://github.com/directus/directus/pkgs/container/directus
@@ -21,12 +21,12 @@ dependencies:
    version: 4.6.2
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.11.2
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey
-    version: 0.6.1
+    version: 0.4.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 # renovate: datasource=github-releases depName=directus/directus
-appVersion: 11.17.3
+appVersion: 11.17.0
--- a/clusters/cl01tl/helm/directus/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/directus/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/directus/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/directus/templates/external-secret.yaml
@@ -5,20 +5,13 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-config
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: key
      remoteRef:
        key: /cl01tl/directus/key
        property: key
    - secretKey: secret
      remoteRef:
        key: /cl01tl/directus/key
        property: secret
    - secretKey: admin-email
      remoteRef:
        key: /cl01tl/directus/config
@@ -27,6 +20,38 @@ spec:
      remoteRef:
        key: /cl01tl/directus/config
        property: admin-password
    - secretKey: secret
      remoteRef:
        key: /cl01tl/directus/config
        property: secret
    - secretKey: key
      remoteRef:
        key: /cl01tl/directus/config
        property: key
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: directus-oidc-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-oidc-secret
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: OIDC_CLIENT_ID
      remoteRef:
        key: /authentik/oidc/directus
        property: client
    - secretKey: OIDC_CLIENT_SECRET
      remoteRef:
        key: /authentik/oidc/directus
        property: secret
 ---
 apiVersion: external-secrets.io/v1
@@ -36,67 +61,18 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-metric-token
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: metric-token
      remoteRef:
        key: /cl01tl/directus/metrics
        property: metric-token
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: directus-valkey-config
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-valkey-config
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: user
      remoteRef:
        key: /cl01tl/directus/valkey
        property: user
    - secretKey: password
      remoteRef:
        key: /cl01tl/directus/valkey
        property: password
    - secretKey: default
      remoteRef:
        key: /cl01tl/directus/valkey
        property: password
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: directus-oidc-authentik
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-oidc-authentik
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: openbao
  data:
    - secretKey: OIDC_CLIENT_ID
      remoteRef:
        key: /cl01tl/authentik/oidc/directus
        property: client
    - secretKey: OIDC_CLIENT_SECRET
      remoteRef:
        key: /cl01tl/authentik/oidc/directus
        property: secret
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -105,11 +81,12 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-bucket-garage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
@@ -123,3 +100,31 @@ spec:
      remoteRef:
        key: /garage/home-infra/directus-assets
        property: ACCESS_REGION
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: directus-valkey-config
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-valkey-config
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: default
      remoteRef:
        key: /cl01tl/directus/valkey
        property: password
    - secretKey: user
      remoteRef:
        key: /cl01tl/directus/valkey
        property: user
    - secretKey: password
      remoteRef:
        key: /cl01tl/directus/valkey
        property: password
--- a/clusters/cl01tl/helm/directus/values.yaml
+++ b/clusters/cl01tl/helm/directus/values.yaml
@@ -8,7 +8,8 @@ directus:
        main:
          image:
            repository: ghcr.io/directus/directus
-            tag: 11.17.3@sha256:ae6ab737fd04077d295bbefa545cc4aefccc206e3d0120c83812f9b482a8c9a5
+            tag: 11.17.0@sha256:076269ccbe7d4a0c44ce5f5b7f11e2ea5f7b3e4c4f704c0f88a52805e069c1c6
            pullPolicy: IfNotPresent
          env:
            - name: PUBLIC_URL
              value: https://directus.alexlebens.net
@@ -113,12 +114,12 @@ directus:
            - name: AUTH_AUTHENTIK_CLIENT_ID
              valueFrom:
                secretKeyRef:
-                  name: directus-oidc-authentik
+                  name: directus-oidc-secret
                  key: OIDC_CLIENT_ID
            - name: AUTH_AUTHENTIK_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: directus-oidc-authentik
+                  name: directus-oidc-secret
                  key: OIDC_CLIENT_SECRET
            - name: AUTH_AUTHENTIK_SCOPE
              value: openid profile email
@@ -142,7 +143,7 @@ directus:
          resources:
            requests:
              cpu: 10m
-              memory: 300Mi
+              memory: 1Gi
  service:
    main:
      controller: main
@@ -150,6 +151,7 @@ directus:
        http:
          port: 80
          targetPort: 8055
          protocol: TCP
  serviceMonitor:
    main:
      selector:
@@ -210,7 +212,3 @@ valkey:
      aclUsers:
        default:
          permissions: "~* &* +@all"
    # No option to configure metrics when auth is enabled
    # https://github.com/valkey-io/valkey-helm/issues/135
    metrics:
      enabled: false
--- a/clusters/cl01tl/helm/elastic-operator/Chart.lock
+++ b/clusters/cl01tl/helm/elastic-operator/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: eck-operator
  repository: https://helm.elastic.co
-  version: 3.3.2
+  version: 3.3.1
-digest: sha256:ac7a849a6d8244ef56c11f18438c4c76133f92d245228c5a1c8369d42562c177
+digest: sha256:8585f3ea3e4cafc4ff2969ea7e797017b7cfe4becb3385f0b080725908c02f09
-generated: "2026-04-01T21:30:02.975920565Z"
+generated: "2026-02-25T18:48:55.77034549Z"
--- a/clusters/cl01tl/helm/elastic-operator/Chart.yaml
+++ b/clusters/cl01tl/helm/elastic-operator/Chart.yaml
@@ -14,8 +14,8 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: eck-operator
-    version: 3.3.2
+    version: 3.3.1
    repository: https://helm.elastic.co
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/elastic.png
 # renovate: datasource=github-releases depName=elastic/cloud-on-k8s
-appVersion: v3.3.2
+appVersion: v3.3.1
--- a/clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/elastic-operator/values.yaml
+++ b/clusters/cl01tl/helm/elastic-operator/values.yaml
@@ -1,7 +1,7 @@
 eck-operator:
  managedNamespaces:
    - stalwart
    - tubearchivist
    - stalwart
  installCRDs: true
  replicaCount: 2
  resources:
--- a/clusters/cl01tl/helm/element-web/Chart.lock
+++ b/clusters/cl01tl/helm/element-web/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: element-web
  repository: https://ananace.gitlab.io/charts
-  version: 1.4.34
+  version: 1.4.33
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.5.0
+  version: 2.4.0
-digest: sha256:8640b8a250bdcd9e7561e3d28538ccf4644a7159a035ee0a5fdbcf71dc5b2bbe
+digest: sha256:63b0e582d42fb42bcf4d96ba4b299e42c434c42f284208596808288543192fe0
-generated: "2026-04-10T01:17:19.932208699Z"
+generated: "2026-03-24T16:11:50.424321433Z"
--- a/clusters/cl01tl/helm/element-web/Chart.yaml
+++ b/clusters/cl01tl/helm/element-web/Chart.yaml
@@ -15,11 +15,11 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: element-web
-    version: 1.4.34
+    version: 1.4.33
    repository: https://ananace.gitlab.io/charts
  - name: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.5.0
+    version: 2.4.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
 # renovate: datasource=github-releases depName=element-hq/element-web
-appVersion: v1.12.15
+appVersion: v1.12.13
--- a/clusters/cl01tl/helm/element-web/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/element-web/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/element-web/values.yaml
+++ b/clusters/cl01tl/helm/element-web/values.yaml
@@ -2,7 +2,7 @@ element-web:
  replicaCount: 1
  image:
    repository: ghcr.io/element-hq/element-web
-    tag: v1.12.15@sha256:c7fa40b5ba3891f8af3ce63da0818f457c1802a9ee4d2f5e46a9df36a2388eed
+    tag: v1.12.13@sha256:5107e63026c13ed014f743e485821b7d4b56d275a41e76303859bb14f5f94eb6
  defaultServer:
    url: https://matrix.alexlebens.dev
    name: alexlebens.dev
--- a/clusters/cl01tl/helm/eraser/Chart.lock
+++ b/clusters/cl01tl/helm/eraser/Chart.lock
@@ -2,8 +2,5 @@ dependencies:
 - name: eraser
  repository: https://eraser-dev.github.io/eraser/charts
  version: 1.4.1
- name: app-template
+digest: sha256:da828de684b0cd82e99994586f3db4f55c43c01607c4d8d0e70e204c7bbbbf5b
-  repository: https://bjw-s-labs.github.io/helm-charts/
+generated: "2025-12-03T22:53:20.200917773Z"
  version: 4.6.2
 digest: sha256:8414813d3d9d195b16ef7ebf814f7095a16413f4b0e579fcb37738000624f68c
 generated: "2026-04-08T21:39:05.689756-05:00"
--- a/clusters/cl01tl/helm/eraser/Chart.yaml
+++ b/clusters/cl01tl/helm/eraser/Chart.yaml
@@ -9,19 +9,13 @@ home: https://docs.alexlebens.dev/applications/eraser/
 sources:
  - https://github.com/eraser-dev/eraser
  - https://github.com/eraser-dev/eraser/pkgs/container/eraser-manager
  - https://github.com/open-telemetry/opentelemetry-collector-releases/pkgs/container/opentelemetry-collector-releases%2Fopentelemetry-collector
  - https://github.com/eraser-dev/eraser/tree/main/charts/eraser
  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
 maintainers:
  - name: alexlebens
 dependencies:
  - name: eraser
    version: 1.4.1
    repository: https://eraser-dev.github.io/eraser/charts
  - name: app-template
    alias: eraser-metrics
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
 icon: https://raw.githubusercontent.com/eraser-dev/eraser/refs/heads/main/images/eraser-logo-color-1c.png
 # renovate: datasource=github-releases depName=eraser-dev/eraser
 appVersion: v1.4.1
--- a/clusters/cl01tl/helm/eraser/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/eraser/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/eraser/values.yaml
+++ b/clusters/cl01tl/helm/eraser/values.yaml
@@ -35,85 +35,3 @@ eraser:
      requests:
        cpu: 1m
        memory: 20Mi
 eraser-metrics:
  global:
    nameOverride: eraser-metrics
    fullnameOverride: eraser-metrics
  controllers:
    main:
      type: deployment
      replicas: 1
      strategy: Recreate
      containers:
        main:
          image:
            repository: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector
            tag: 0.150.1@sha256:618f7867e49fdb173d9b46d535b01f82254b0b14beac6ab1f6f2eb8cf62c5d42
          command:
            - /otelcol
            - --config=/conf/otel-collector-config.yaml
          resources:
            requests:
              cpu: 10m
              memory: 20Mi
  configMaps:
    config:
      enabled: true
      forceRename: eraser-config
      data:
        otel-collector-config.yaml: |
          receivers:
            otlp:
              protocols:
                http:
          exporters:
            prometheus:
              endpoint: "0.0.0.0:8889"
              send_timestamps: true
              metric_expiration: 180m
          service:
            telemetry:
              logs:
                encoding: json
            pipelines:
              metrics:
                receivers:
                  - otlp
                exporters:
                  - prometheus
  service:
    main:
      controller: main
      ports:
        http:
          port: 4318
          targetPort: 4318
        metrics:
          port: 8889
          targetPort: 8889
  serviceMonitor:
    main:
      selector:
        matchLabels:
          app.kubernetes.io/name: eraser-metrics
          app.kubernetes.io/instance: eraser-metrics
      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
      endpoints:
        - port: metrics
          interval: 30s
          scrapeTimeout: 15s
          path: /metrics
  persistence:
    config:
      enabled: true
      type: configMap
      name: eraser-config
      advancedMounts:
        main:
          main:
            - path: /conf/otel-collector-config.yaml
              readOnly: true
              mountPropagation: None
              subPath: otel-collector-config.yaml
--- a/clusters/cl01tl/helm/excalidraw/Chart.yaml
+++ b/clusters/cl01tl/helm/excalidraw/Chart.yaml
@@ -5,7 +5,7 @@ description: Excalidraw
 keywords:
  - excalidraw
  - drawing
-home: https://docs.alexlebens.dev/applications/excalidraw/
+home: https://docs.alexlebens.dev/applications/eraser/
 sources:
  - https://github.com/excalidraw/excalidraw
  - https://hub.docker.com/r/excalidraw/excalidraw
--- a/clusters/cl01tl/helm/excalidraw/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/excalidraw/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/excalidraw/values.yaml
+++ b/clusters/cl01tl/helm/excalidraw/values.yaml
@@ -8,7 +8,7 @@ excalidraw:
        main:
          image:
            repository: excalidraw/excalidraw
-            tag: latest@sha256:20ffa04668e19616bb0c1b3632849e5cd96e0bc7a1336b73d9d072667f2c2854
+            tag: latest@sha256:3c2513e830bb6e195147c05b34ecf8393d0ba2b1cc86e93b407a5777d6135c6c
          env:
            - name: NODE_ENV
              value: production
@@ -25,6 +25,7 @@ excalidraw:
        http:
          port: 80
          targetPort: 80
          protocol: HTTP
  route:
    main:
      kind: HTTPRoute
--- a/clusters/cl01tl/helm/external-dns/Chart.yaml
+++ b/clusters/cl01tl/helm/external-dns/Chart.yaml
@@ -5,10 +5,9 @@ description: External DNS
 keywords:
  - external-dns
  - dns
-home: https://docs.alexlebens.dev/applications/external-dns/
+home: https://docs.alexlebens.dev/applications/eraser/
 sources:
  - https://github.com/kubernetes-sigs/external-dns
  - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fexternal-dns%2Fexternal-dns
  - https://github.com/kashalls/external-dns-unifi-webhook
  - https://github.com/kubernetes-sigs/external-dns/tree/master/charts/external-dns
 maintainers:
@@ -20,4 +19,4 @@ dependencies:
    repository: https://kubernetes-sigs.github.io/external-dns/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 # renovate: datasource=github-releases depName=kubernetes-sigs/external-dns
-appVersion: v0.21.0
+appVersion: v0.20.0
--- a/clusters/cl01tl/helm/external-dns/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/external-dns/templates/_helpers.tpl
@@ -1,14 +0,0 @@
 {{/*
 Common labels
 */}}
 {{- define "custom.labels" -}}
 {{ include "custom.selectorLabels" $ }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "custom.selectorLabels" -}}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
--- a/clusters/cl01tl/helm/external-dns/templates/dns-endpoint.yaml
+++ b/clusters/cl01tl/helm/external-dns/templates/dns-endpoint.yaml
@@ -5,7 +5,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: external-device-names
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  endpoints:
    # Unifi UDM
@@ -47,7 +48,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: iot-device-names
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  endpoints:
    # Airgradient
@@ -80,18 +82,6 @@ spec:
      recordType: A
      targets:
        - 10.230.0.100
    # HD Homerun
    - dnsName: dv01hr.alexlebens.net
      recordTTL: 180
      recordType: A
      targets:
        - 10.232.1.72
    # Pi KVM
    - dnsName: dv02kv.alexlebens.net
      recordTTL: 180
      recordType: A
      targets:
        - 10.232.1.71
 ---
 apiVersion: externaldns.k8s.io/v1alpha1
@@ -101,7 +91,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: server-host-names
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  endpoints:
    # Unifi Gateway
@@ -134,18 +125,6 @@ spec:
      recordType: A
      targets:
        - 10.232.1.52
    # Desktop
    - dnsName: pd05wd.alexlebens.net
      recordTTL: 180
      recordType: A
      targets:
        - 10.230.0.115
    # Laptop
    - dnsName: pl02mc.alexlebens.net
      recordTTL: 180
      recordType: A
      targets:
        - 10.230.0.105
 ---
 apiVersion: externaldns.k8s.io/v1alpha1
@@ -155,7 +134,8 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: cluster-service-names
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  endpoints:
    # Treafik Proxy
--- a/clusters/cl01tl/helm/external-dns/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/external-dns/templates/external-secret.yaml
@@ -5,11 +5,12 @@ metadata:
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: external-dns-unifi-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: api-key
      remoteRef:
--- a/Show More
+++ b/Show More