Update Immich containers to v1.142.0

Merge pull request 'Update Immich containers to v1.141.1' (#590 ) from renovate/immich-app-images into main
Reviewed-on: #590
2025-09-12 20:02:23 +00:00 · 2025-09-12 07:23:31 +00:00 · 2025-09-12 00:01:54 +00:00 · 2025-09-12 00:01:45 +00:00 · 2025-09-11 14:03:26 +00:00 · 2025-09-11 14:02:48 +00:00
294 changed files with 4484 additions and 5553 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
 # Kubernetes secrets
 *.secret.yaml
-charts/
+main.key
 # Helm Chart files
 charts/
--- a/README.md
+++ b/README.md
@@ -1,17 +1,86 @@
 # Kluster setup and IaaC using argoCD
 ### Description
 #### Requirements:
 - A running k3s instance
 - `sealedsecrets` deployed
-### Initial setup
+#### Installing argo and the app-of-apps
 On a running (and sealed-secrets installed) k3s instance run:
 ```
 kubectl apply -k infrastructure/argocd
 ```
-This will install argocd and CRDs in a dedicated namespace along with the app-of-apps configured under `kluster-deployments/`.
+This will install argocd and its CRDs in a dedicated namespace. The app-of-apps is configured under `kluster-deployments/` and deployed as well. This will bootstrap all other apps, as described in `./kluster-deployments`.
 The app-of-apps will bootstrap a fully featured cluster with the following components
 - postgres instance with backups
 - backup of all nfs PVCs using restic
 - traefik (along with metallb as a publicly accessible reverse proxy)
 - an nfs-provisioner creating PVCs on-demand
- a range of selfhosted apps
+- gitea
 - a range of selfhosted apps:
    - nextcloud
    - jellyfin
    - adguard-home
    - homarr
    - homeassistant
    - immich
    - ...
 ## Setup instructions
 1. install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
    ```bash
    kubectl apply -k infrastructure/sealedsecrets
    kubectl apply -f infrastructure/sealedsecrets/main.key
    kubectl delete pod -n kube-system -l name=sealed-secrets-controller
    ```
 1. install argocd and the app-of-apps bundled with it
    ```bash
    kubectl apply -k infrastructure/argocd
    ```
 > NOTE: The argocd kustomization already mentions some CRDs available only after the full bootstrapping (traefik). You might have to apply the last step twice
 ### Adding an application
 todo
 ### Status
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=authelia-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/authelia-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=backup-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/backup-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=external-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/external-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=external-dns-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/external-dns-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=gitea-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/gitea-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=metallb-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/metallb-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=monitoring-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/monitoring-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=nfs-provisioner-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/nfs-provisioner-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=pg-ha-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/pg-ha-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=renovate-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/renovate-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=sealedsecrets-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/sealedsecrets-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=traefik-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/traefik-application)
 ---
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=adguard-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/adguard-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=audiobookshelf-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/audiobookshelf-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=code-server-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/code-server-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=files-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/files-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=finance-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/finance-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=grafana-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/grafana-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=homeassistant-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/homeassistant-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=immich-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/immich-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=kitchenowl-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/kitchenowl-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=linkding-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/linkding-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=media-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/media-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=minecraft-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/minecraft-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=ntfy-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/ntfy-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=paperless-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/paperless-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=recipes-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/recipes-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=rss-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/rss-application)
 ---
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=journal-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/journal-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=physics-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/physics-application)
--- a/apps/adguard/configmap.yaml
+++ b/apps/adguard/configmap.yaml
@@ -2,59 +2,53 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: adguard-home-config
  namespace: adguard
 data:
  AdGuardHome.yaml: |-
-    bind_host: 0.0.0.0
+    http:
-    bind_port: 3000
+      pprof:
-    beta_bind_port: 0
+        port: 6060
        enabled: false
      address: 0.0.0.0:3000
      session_ttl: 720h
    users: []
    auth_attempts: 5
    block_auth_min: 15
    http_proxy: ""
    language: ""
-    debug_pprof: false
+    theme: auto
    web_session_ttl: 720
    dns:
      bind_hosts:
-      - 0.0.0.0
+        - 0.0.0.0
      port: 53
      statistics_interval: 1
      querylog_enabled: true
      querylog_file_enabled: true
      querylog_interval: 2160h
      querylog_size_memory: 1000
      anonymize_client_ip: false
      protection_enabled: true
      blocking_mode: default
      blocking_ipv4: ""
      blocking_ipv6: ""
      blocked_response_ttl: 10
      parental_block_host: family-block.dns.adguard.com
      safebrowsing_block_host: standard-block.dns.adguard.com
      ratelimit: 20
      ratelimit_subnet_len_ipv4: 24
      ratelimit_subnet_len_ipv6: 56
      ratelimit_whitelist: []
      refuse_any: true
      upstream_dns:
-      - https://dns10.quad9.net/dns-query
+        - tls://1.1.1.1
        - tls://dns.google
        - tls://p0.freedns.controld.com
        - tls://dns.quad9.net
      upstream_dns_file: ""
      bootstrap_dns:
-      - 9.9.9.10
+        - 9.9.9.10
-      - 149.112.112.10
+        - 149.112.112.10
-      - 2620:fe::10
+        - 2620:fe::10
-      - 2620:fe::fe:10
+        - 2620:fe::fe:10
-      all_servers: false
+      fallback_dns: []
-      fastest_addr: false
+      upstream_mode: load_balance
      fastest_timeout: 1s
      allowed_clients: []
      disallowed_clients: []
      blocked_hosts:
-      - version.bind
+        - version.bind
-      - id.server
+        - id.server
-      - hostname.bind
+        - hostname.bind
      trusted_proxies:
-      - 127.0.0.0/8
+        - 127.0.0.0/8
-      - ::1/128
+        - ::1/128
      cache_size: 4194304
      cache_ttl_min: 0
      cache_ttl_max: 0
@@ -62,25 +56,26 @@ data:
      bogus_nxdomain: []
      aaaa_disabled: false
      enable_dnssec: false
-      edns_client_subnet: false
+      edns_client_subnet:
        custom_ip: ""
        enabled: false
        use_custom: false
      max_goroutines: 300
      handle_ddr: true
      ipset: []
-      filtering_enabled: true
+      ipset_file: ""
-      filters_update_interval: 24
+      bootstrap_prefer_ipv6: false
      parental_enabled: false
      safesearch_enabled: false
      safebrowsing_enabled: false
      safebrowsing_cache_size: 1048576
      safesearch_cache_size: 1048576
      parental_cache_size: 1048576
      cache_time: 30
      rewrites: []
      blocked_services: []
      upstream_timeout: 10s
      private_networks: []
      use_private_ptr_resolvers: true
      local_ptr_upstreams:
-      - 192.168.1.1
+        - 192.168.1.1
      use_dns64: false
      dns64_prefixes: []
      serve_http3: false
      use_http3_upstreams: false
      serve_plain_dns: true
      hostsfile_enabled: true
    tls:
      enabled: false
      server_name: ""
@@ -91,24 +86,40 @@ data:
      port_dnscrypt: 0
      dnscrypt_config_file: ""
      allow_unencrypted_doh: false
      strict_sni_check: false
      certificate_chain: ""
      private_key: ""
      certificate_path: ""
      private_key_path: ""
      strict_sni_check: false
    querylog:
      dir_path: ""
      ignored: []
      interval: 2160h
      size_memory: 1000
      enabled: true
      file_enabled: true
    statistics:
      dir_path: ""
      ignored: []
      interval: 24h
      enabled: true
    filters:
-    - enabled: true
+      - enabled: true
-      url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
+        url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
-      name: AdGuard DNS filter
+        name: AdGuard DNS filter
-      id: 1
+        id: 1
-    - enabled: true
+      - enabled: true
-      url: https://adaway.org/hosts.txt
+        url: https://adaway.org/hosts.txt
-      name: AdAway Default Blocklist
+        name: AdAway Default Blocklist
-      id: 2
+        id: 2
-    - enabled: true
+      - enabled: true
-      url: https://someonewhocares.org/hosts/zero/hosts
+        url: https://someonewhocares.org/hosts/zero/hosts
-      name: Dan Pollock's List
+        name: Dan Pollock's List
-      id: 1684963532
+        id: 1684963532
      - enabled: true
        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt
        name: Peter Lowe's Blocklist
        id: 1735824753
    whitelist_filters: []
    user_rules: []
    dhcp:
@@ -128,6 +139,61 @@ data:
        lease_duration: 86400
        ra_slaac_only: false
        ra_allow_slaac: false
    filtering:
      blocking_ipv4: ""
      blocking_ipv6: ""
      blocked_services:
        schedule:
          time_zone: Europe/Berlin
          sun:
            start: 18h
            end: 23h59m
          mon:
            start: 18h
            end: 23h59m
          tue:
            start: 18h
            end: 23h59m
          wed:
            start: 18h
            end: 23h59m
          thu:
            start: 18h
            end: 23h59m
          fri:
            start: 18h
            end: 23h59m
          sat:
            start: 18h
            end: 23h59m
        ids:
          - reddit
      protection_disabled_until: null
      safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        ecosia: true
        google: true
        pixabay: true
        yandex: true
        youtube: true
      blocking_mode: default
      parental_block_host: family-block.dns.adguard.com
      safebrowsing_block_host: standard-block.dns.adguard.com
      rewrites: []
      safe_fs_patterns:
        - /opt/adguardhome/data/userfilters/*
      safebrowsing_cache_size: 1048576
      safesearch_cache_size: 1048576
      parental_cache_size: 1048576
      cache_time: 30
      filters_update_interval: 168
      blocked_response_ttl: 10
      filtering_enabled: true
      parental_enabled: true
      safebrowsing_enabled: false
      protection_enabled: true
    clients:
      runtime_sources:
        whois: true
@@ -136,15 +202,17 @@ data:
        dhcp: true
        hosts: true
      persistent: []
-    log_compress: false
+    log:
-    log_localtime: false
+      enabled: true
-    log_max_backups: 0
+      file: ""
-    log_max_size: 100
+      max_backups: 0
-    log_max_age: 3
+      max_size: 100
-    log_file: ""
+      max_age: 3
-    verbose: false
+      compress: false
      local_time: false
      verbose: false
    os:
      group: ""
      user: ""
      rlimit_nofile: 0
-    schema_version: 14
+    schema_version: 29
--- a/apps/adguard/deployment.yaml
+++ b/apps/adguard/deployment.yaml
@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: adguard-home
  namespace: adguard
 spec:
  replicas: 1
  revisionHistoryLimit: 3
@@ -19,16 +18,23 @@ spec:
        app.kubernetes.io/name: adguard-home
    spec:
      containers:
-      - args:
+      - command:
-        - --config
+        - "sh"
-        - /opt/adguardhome/conf/AdGuardHome.yaml
+        - "-c"
-        - --work-dir
+        - >
-        - /opt/adguardhome/work
+          cp /config/AdGuardHome.yaml /opt/adguardhome/conf/AdGuardHome.yaml &&
-        - --no-check-update
+          sleep 5 &&
          /opt/adguardhome/AdGuardHome --no-check-update --config /opt/adguardhome/conf/AdGuardHome.yaml
      # - args:
      #   - --config
      #   - /opt/adguardhome/conf/AdGuardHome.yaml
      #   - --work-dir
      #   - /opt/adguardhome/work
      #   - --no-check-update
        env:
        - name: TZ
          value: Europe/Berlin
-        image: adguard/adguardhome:v0.107.41
+        image: adguard/adguardhome
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
@@ -66,8 +72,9 @@ spec:
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
-        - mountPath: /opt/adguardhome/conf/
+        - mountPath: /config/AdGuardHome.yaml
          name: adguard-home-config
          subPath: AdGuardHome.yaml
      dnsPolicy: ClusterFirst
      restartPolicy: Always
--- a/apps/adguard/ingress.yaml
+++ b/apps/adguard/ingress.yaml
@@ -1,15 +1,14 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRouteTCP
 metadata:
  name: adguard-tls-ingress
  namespace: adguard
 spec:
  entryPoints:
    - dnsovertls
  routes:
    - match: HostSNI(`adguard.kluster.moll.re`)
      services:
-        - name: adguard-adguard-home-dns-tcp
+        - name: adguard-home-dns-tcp
          port: 53
  tls:
    certResolver: default-tls
--- a/apps/adguard/kustomization.yaml
+++ b/apps/adguard/kustomization.yaml
@@ -0,0 +1,16 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - configmap.yaml
  - ingress.yaml
  - service.yaml
  - deployment.yaml
 images:
  - name: adguard/adguardhome
    newName: adguard/adguardhome
    newTag: v0.107.65
 namespace: adguard
--- a/infrastructure/nfs/namespace.yaml
+++ b/infrastructure/nfs/namespace.yaml
@@ -1,5 +1,4 @@
 # namespace.yaml
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: nfs-provisioner
+  name: placeholder
--- a/apps/adguard/service.yaml
+++ b/apps/adguard/service.yaml
@@ -1,8 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: adguard-home
+  name: adguard-home-web
  namespace: adguard
 spec:
  ports:
  - name: http
@@ -22,10 +21,11 @@ metadata:
    metallb.universe.tf/allow-shared-ip: adguard-svc
  name: adguard-home-dns-tcp
  namespace: adguard
 spec:
  allocateLoadBalancerNodePorts: true
  loadBalancerIP: 192.168.3.2
  externalTrafficPolicy: Local
  ports:
  - name: dns-tcp
    nodePort: 31306
@@ -45,10 +45,10 @@ metadata:
    metallb.universe.tf/allow-shared-ip: adguard-svc
  name: adguard-home-dns-udp
  namespace: adguard
 spec:
  allocateLoadBalancerNodePorts: true
  loadBalancerIP: 192.168.3.2
  externalTrafficPolicy: Local
  ports:
  - name: dns-udp
    nodePort: 30547
@@ -58,4 +58,4 @@ spec:
  selector:
    app.kubernetes.io/instance: adguard
    app.kubernetes.io/name: adguard-home
-  type: LoadBalancer
+  type: LoadBalancer
--- a/apps/adguard/values.yaml
+++ b/apps/adguard/values.yaml
@@ -1,365 +0,0 @@
 #
 # IMPORTANT NOTE
 #
 # This chart inherits from our common library chart. You can check the default values/options here:
 # https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml
 #
 controller:
  # -- Number of pods to load balance between
  replicas: 1
 initContainers:
 # -- Configures an initContainer that copies the configmap to the AdGuardHome conf directory
 # It does NOT overwrite when the file already exists.
 # @default -- See values.yaml
  copy-configmap:
    image: busybox
    imagePullPolicy: IfNotPresent
    command:
    - "sh"
    - "-c"
    - |
      if [ ! -f /opt/adguardhome/conf/AdGuardHome.yaml ]; then
        mkdir -p /opt/adguardhome/conf
        cp /tmp/AdGuardHome.yaml /opt/adguardhome/conf/AdGuardHome.yaml
      fi
    volumeMounts:
    - name: adguard-home-config
      mountPath: /tmp/AdGuardHome.yaml
      subPath: AdGuardHome.yaml
    - name: config
      mountPath: /opt/adguardhome/conf
    securityContext:
      runAsUser: 0
 image:
  # -- image repository
  repository: adguard/adguardhome
  # @default -- chart.appVersion
  tag:
  # -- image pull policy
  pullPolicy: IfNotPresent
 # -- environment variables.
 # @default -- See below
 env:
  # -- Set the container timezone
  TZ: Europe/Berlin
 # -- arguments passed to the adguard-home command line.
 args:
 - "--config"
 - "/opt/adguardhome/conf/AdGuardHome.yaml"
 - "--work-dir"
 - "/opt/adguardhome/work"
 - "--no-check-update"
 # -- Configures service settings for the chart.
 # @default -- See values.yaml
 service:
  main:
    primary: true
    ports:
      http:
        port: 3000
  dns-tcp:
    enabled: true
    type: LoadBalancer
    loadBalancerIP: 192.168.3.2
    annotations: 
      metallb.universe.tf/allow-shared-ip: adguard-svc
    ports:
      dns-tcp:
        enabled: true
        port: 53
        protocol: TCP
        targetPort: 53
  dns-udp:
    enabled: true
    type: LoadBalancer
    loadBalancerIP: 192.168.3.2
    annotations: 
      metallb.universe.tf/allow-shared-ip: adguard-svc
    ports:
      dns-udp:
        enabled: true
        port: 53
        protocol: UDP
        targetPort: 53
  dns-tls-udp:
    enabled: true
    type: LoadBalancer
    loadBalancerIP: 192.168.3.5
    annotations: 
      metallb.universe.tf/allow-shared-ip: adguard-svc
    ports:
      dns-tls-udp:
        enabled: true
        port: 853
        protocol: UDP
        targetPort: 853
  dns-tls-tcp:
    enabled: true
    type: LoadBalancer
    loadBalancerIP: 192.168.3.5
    annotations: 
      metallb.universe.tf/allow-shared-ip: adguard-svc
    ports:
      dns-tls-tcp:
        enabled: true
        port: 853
        protocol: TCP
        targetPort: 853
 # -- Configure persistence settings for the chart under this key.
 # @default -- See values.yaml
 persistence:
  config:
    enabled: true
    mountPath: /opt/adguardhome/conf
  data:
    enabled: false
    mountPath: /opt/adguardhome/work
 # config -- AdGuard Home cojnfiguration. For a full list of options see https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration.
 # @default -- See values.yaml
 config: |
  bind_host: 0.0.0.0
  bind_port: 3000
  beta_bind_port: 0
  users: []
  auth_attempts: 5
  block_auth_min: 15
  http_proxy: ""
  language: ""
  debug_pprof: false
  web_session_ttl: 720
  dns:
    bind_hosts:
    - 0.0.0.0
    port: 53
    statistics_interval: 1
    querylog_enabled: true
    querylog_file_enabled: true
    querylog_interval: 2160h
    querylog_size_memory: 1000
    anonymize_client_ip: false
    protection_enabled: true
    blocking_mode: default
    blocking_ipv4: ""
    blocking_ipv6: ""
    blocked_response_ttl: 10
    parental_block_host: family-block.dns.adguard.com
    safebrowsing_block_host: standard-block.dns.adguard.com
    ratelimit: 20
    ratelimit_whitelist: []
    refuse_any: true
    upstream_dns:
    - https://dns10.quad9.net/dns-query
    upstream_dns_file: ""
    bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
    all_servers: false
    fastest_addr: false
    fastest_timeout: 1s
    allowed_clients: []
    disallowed_clients: []
    blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
    trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
    cache_size: 4194304
    cache_ttl_min: 0
    cache_ttl_max: 0
    cache_optimistic: false
    bogus_nxdomain: []
    aaaa_disabled: false
    enable_dnssec: false
    edns_client_subnet: false
    max_goroutines: 300
    ipset: []
    filtering_enabled: true
    filters_update_interval: 24
    parental_enabled: false
    safesearch_enabled: false
    safebrowsing_enabled: false
    safebrowsing_cache_size: 1048576
    safesearch_cache_size: 1048576
    parental_cache_size: 1048576
    cache_time: 30
    rewrites: []
    blocked_services: []
    upstream_timeout: 10s
    private_networks: []
    use_private_ptr_resolvers: true
    local_ptr_upstreams:
    - 192.168.1.1
  tls:
    enabled: true
    server_name: "dns.moll.re"
    force_https: false
    port_https: 443
    port_dns_over_tls: 853
    port_dns_over_quic: 853
    port_dnscrypt: 0
    dnscrypt_config_file: ""
    allow_unencrypted_doh: false
    strict_sni_check: false
    certificate_chain: |-
      -----BEGIN CERTIFICATE-----
      MIIFyzCCA7OgAwIBAgIUEvyI5bCa56vvyQgTbLyR7+c7vQMwDQYJKoZIhvcNAQEL
      BQAwdTELMAkGA1UEBhMCREUxCzAJBgNVBAgMAkJXMREwDwYDVQQHDAhGcmVpYnVy
      ZzENMAsGA1UECgwEUmVteTEKMAgGA1UECwwBTTEQMA4GA1UEAwwHbW9sbC5yZTEZ
      MBcGCSqGSIb3DQEJARYKbWVAbW9sbC5yZTAeFw0yMzA3MTUxNzQ0MTVaFw0yNDA3
      MTQxNzQ0MTVaMHUxCzAJBgNVBAYTAkRFMQswCQYDVQQIDAJCVzERMA8GA1UEBwwI
      RnJlaWJ1cmcxDTALBgNVBAoMBFJlbXkxCjAIBgNVBAsMAU0xEDAOBgNVBAMMB21v
      bGwucmUxGTAXBgkqhkiG9w0BCQEWCm1lQG1vbGwucmUwggIiMA0GCSqGSIb3DQEB
      AQUAA4ICDwAwggIKAoICAQDpS0Xtii0VITKFr9XFLcWchI6//I7iMeKkYi7uEq60
      1YZQ8/Zppg1M15BhD8ZEQ0JZ42ufi0p4B0LYMGHYF+2kKsbFxcEPQTUeXCLcjYVA
      ueZ+GTh+FrUrSQvHSevUbVXytAwiqAN/eAvXBMdOKisPUM9Cmk/KHA+W+anw4Uxq
      ZvHq5GG9Z0IksTHI2oEMp/8cZ8lRXzHmOUYQGveBX6PBPvcttP8GwCU6vsPVSphZ
      7XF2LPqeMnBGgmOz51QTRpS7NBHMsSDR20VgSTjI+F8nJnQsGO5Iq9IpQzlDlAsL
      jgPOT3W/pdeZD1mX/c9EpYEKf/0ubEBiWc+kJqkrdmsUX6cZ06qEUa08yCMSzkao
      mHrMzw22kjICG9h+0sZvTetPvpYZsBqQRejDS/cu+buAaDNchGNhl1YPp8iAlKUT
      YB4gbcNqceCGUmbQX06B/OwJiYIoN5ghh2wmqNrFXYltfALBVhWFtU2DTAS9k399
      W2hd4u77uJngK0WLoKQuV/wi81dbk0kAI7eRUI1H/Y4hC1MCI5M6zewrJ7QgOYBi
      qkYydYQGFu1ToDt6maDVBX05PcoBPwbUfrmZBjR5kzBawvH6reDuANkEXfJ0+2hA
      JBAxXPKyQVc9Y87nDATvkl7qWOKjfJairKAd03lvJlesr6+7GwMMnE/6h91QF4Vq
      OQIDAQABo1MwUTAdBgNVHQ4EFgQUunr29QozKy+AlTrq+PAoSjPFOQIwHwYDVR0j
      BBgwFoAUunr29QozKy+AlTrq+PAoSjPFOQIwDwYDVR0TAQH/BAUwAwEB/zANBgkq
      hkiG9w0BAQsFAAOCAgEAPeczDC1OScGZ6UVjFUF+BqI1Am9TwUNVD2cRnbXvQ2g7
      nU8vYSfWx00bhRTpuDEG997HkCCvaUYIArbGtgplB+bCk6GMnQQfnRWIyFz/cy+Y
      yuftUY0PufXzCe33J2Q0SQCNKdEvOsfiPCkyrgMSlomoIDPhs4wQ8SOE0Lnl4fNw
      i1uVDd6pTxwwfpfsvN5lBwXN+RDr1Awe07f9SJmYklqQAIP5Kthq7QJsN1QHvmtW
      JL7AYlltDTUYvE2kBnQKjkNYv9Qj4PGUvipVlCKA4cEVAZXHam01RqPXEFj5I9B4
      Q9S+oT7htoXWuz9kAwsSCZVEW1QBzRL7UNIckMWsc1jRSiCT5Nc/sOtPyIc9in+i
      J/XGPjSBvQZrnitLhR4qByG/dY+istQkcEERjElwhzucEyNkgtENJfJEevdJsrBf
      oGaaK5ljemYsk1e+QHB3FWmNbIysKBMn44bHgu7DeQediLCjvwdasjVorDW1mv5Z
      8Aoe075vxTmHGSjfMPiAzJnYMy0zCT1VcR+AtPKUtr11z2xgOrAqZqlTaR/ud6ce
      B11n3oIs5Kwarvhwx2Qw7XvcGOa2PBGZW4kcoDRn9GNFcP5K2AAuRJD9FLTbr8ZO
      6a0bv0KUksQYX+U/r3+qSn87TXyIJ1IbKY2jQYu/+KEpeyFnviXw+IoM/YHDqdw=
      -----END CERTIFICATE-----
    private_key: |-
      -----BEGIN PRIVATE KEY-----
      MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDpS0Xtii0VITKF
      r9XFLcWchI6//I7iMeKkYi7uEq601YZQ8/Zppg1M15BhD8ZEQ0JZ42ufi0p4B0LY
      MGHYF+2kKsbFxcEPQTUeXCLcjYVAueZ+GTh+FrUrSQvHSevUbVXytAwiqAN/eAvX
      BMdOKisPUM9Cmk/KHA+W+anw4UxqZvHq5GG9Z0IksTHI2oEMp/8cZ8lRXzHmOUYQ
      GveBX6PBPvcttP8GwCU6vsPVSphZ7XF2LPqeMnBGgmOz51QTRpS7NBHMsSDR20Vg
      STjI+F8nJnQsGO5Iq9IpQzlDlAsLjgPOT3W/pdeZD1mX/c9EpYEKf/0ubEBiWc+k
      JqkrdmsUX6cZ06qEUa08yCMSzkaomHrMzw22kjICG9h+0sZvTetPvpYZsBqQRejD
      S/cu+buAaDNchGNhl1YPp8iAlKUTYB4gbcNqceCGUmbQX06B/OwJiYIoN5ghh2wm
      qNrFXYltfALBVhWFtU2DTAS9k399W2hd4u77uJngK0WLoKQuV/wi81dbk0kAI7eR
      UI1H/Y4hC1MCI5M6zewrJ7QgOYBiqkYydYQGFu1ToDt6maDVBX05PcoBPwbUfrmZ
      BjR5kzBawvH6reDuANkEXfJ0+2hAJBAxXPKyQVc9Y87nDATvkl7qWOKjfJairKAd
      03lvJlesr6+7GwMMnE/6h91QF4VqOQIDAQABAoICAFXdtDe5X12DEf7dmJ9R+QVi
      Ts5ADXEYrlQVpTNQIgiB/MVn/d6l1Qhe4Q+wiCeQ3+eIypB26qph9crvh9vK9tcx
      PWcGocfVFtF9VQF7fzuzELCB5OaXwgfUA2dPAGN3+KXzefH5iAwPKcByzE6rO50P
      /7ECbfK0QFKvwspbik4xZMIxW/4j9tbddzb3oX8AiGeylYkDMjEMDIsZ+dYe1v1m
      CQFEOIeKCknkc9zZ71hOCjBWXsoCQ4vYKw1IzAuqM0zx3clKuoszGwZU/PcPX6pf
      v2uJo46Q2zH/waBraWNP2nvBiFPJHSEDYtUMAJFCH0w3jn7bLhlk+AVxi1tpYwBx
      SOFQKmKbJgTWpmX7o8bhyNmSg6gLTquKKYuOeUsJTe4SERnhKNVen/mf1BdV5S1A
      iLj9mg5tFL1O+f8wl8q0QA5aM3o1G/YMlG28Na6X8l89BiDvfdG4YALzeJs5k1yn
      VnpZElikhx63HQjaLE+u4nSBwr0s79Hnq4Xge+rEPCRVpHhfZ1T/Ka3NwqcflcM7
      GvvRnXfLLyfS3DOQg9BCwE94hzJgh7V4BqEQInzkAR3/wF83xTT0LaWLBsJXTsWr
      rHcdPxpMVXNUfelBmA3Blu1d07lDw8kMzYXzCJ4AE9gjdgN9ltwjg7ZDQ3w6Tnc1
      09aLmIUeRx6r7vs8pBMPAoIBAQD3epVeC4Urpmop21Jzop7nqvQqmHwDvUPIHKWZ
      a1e9YmHfNR6Vibzw8jqjd7IJMd5mzlcot+bTjfFGxfZ/KidE5MB8rvwS0MVQnamZ
      dnl1OX9c/+G4jW8xCzNQlkAXT2xcaMPO/ged6smdtZkvvnjfyX0L78fbKG+4fsc8
      PoIB5gXjApVVN4ujeaKUud2jr2uHueQqI8taZlhlIojxc1w/a9r0iiLK+sY/HvWH
      gERxDFWQjg8kkFGXC3KFOz0UJiolDus9sK9cLcDI4IavOotVaxEoz778u9644+GM
      wfRJCN8OBT3RQjPy77L1VOCjrbd1TtknDDG+kAN4ZLLEPCO/AoIBAQDxU6gqjGDy
      SC1mSgl8x6ODkmCs2a9UvZeg9/KA/UzTGCLeSgftPwgCeGV6d6dpqFxsvqhVDVtp
      pkqFa2+X0rsIG4JFl6qZTbXpJIqbdkTeWjjimg809fTqZnSJSchUiuIWzqvGlOSL
      cM5c7+WNteLVHjldiNT0+jReXPtxAJD9jIV3LubmWZ5qs3tYXKGgQvCItLo6REYE
      SKUZAsX/T6O6HAypv89AcS+UZxc2pq4htFRJY5XarLbs8BuDJAYWm3chMwwGIDEx
      J7cCXWWWQkU7W1GOckU4oo6FPGzjREPwyeiYcvias2/nm4tOc5t0gRJHIR8W6tQF
      5An7lLSHe5AHAoIBAADiNSpSzDTtsS9ZEyBKklqtZ5XHWZoB0P4j7AtyMKwCb+sG
      G4fZKA2ML91pjf8uaGbhkboZff9/YD8qccjec6lxT6aiUVAX4rx486QSojhi7it8
      1md8SctZCOPexXfP1sk1ro1MpuZPckzX2yYqfe/+ni2uu33y1QNJoJh8eKZdFeRL
      nBDj0+HPi18QktQEylN/vGrSGeXGu8YQq4CBMvEfB3ccDye+YXrUN3g2YwgsTRnp
      B/DPexsY9V24am1p/XiIZxqfSOEBYNDWzGRPxzOU4EjPBRWN7ium1KVWA/NGztUT
      +7aFj/3sES2DEhJDioYms+vJxVuy0/BYG7NLq60CggEAZCxZre+/flK/paot7gHg
      ugjU4GssAH0Cp+rEWw7KCQYH00XfrHdxl7TqSr/IWm9sjidGMKfuvhgs7tz94YOz
      51Wj6cdfJWvAixqD/qxFQhcpbcaNcWp3U6Vb0nEyGwXbe6QmYbQEem1E/AcIvp41
      nkmBfnYCD/6cJl9qcCnQBa+C50osxomE3L3MAY3R+XhP6C887lrQxY5yGcOw9J3W
      VLa3+u6H1TQmj++LD0B5H7x/EEeqOK9g71Fr2i/l5xR5iuppn1FVmhXmPbEPLiQs
      IMtzOzHr0eqIRn4ipOP9X8IwLrfqwiyh0v4aAWKzsNSzBZuWEClCAX/7NNcxaNu9
      mQKCAQEA3dk8ScY8bVPgFg2x7oqujVZbrNizhw2+BXYuH6HRVINPDYzIapur9uiw
      I+STHoUod8aRNvwDLfhkI+MabmEbt/eDsBpRrJYYLi2uTed5gIiLqPS8MPuKr++7
      UwJz4OPZu1xOjbFapvKvPSbPhS254tozQyi5Xbl8W268SCQhF+hEb+AT5JTcoPlI
      ZNN5hp0Ooq6EouX8heyeG7le9V2G+HFHR9aWniD9kRRirO+oqWTXcG+9zHRhkdbF
      4vRGwZ8+mj/0fKAHlFpeDRiKNbma7rTNDyEDR9jQ+GOC1QmOYeiei6FDKYEPcHxh
      UBWqdlD+gUjtzQvD3yMo7JN9DIO5Eg==
      -----END PRIVATE KEY-----
    certificate_path: ""
    private_key_path: ""
  filters:
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adaway.org/hosts.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://someonewhocares.org/hosts/zero/hosts
    name: Dan Pollock's List
    id: 1684963532
  whitelist_filters: []
  user_rules: []
  dhcp:
    enabled: false
    interface_name: ""
    local_domain_name: lan
    dhcpv4:
      gateway_ip: ""
      subnet_mask: ""
      range_start: ""
      range_end: ""
      lease_duration: 86400
      icmp_timeout_msec: 1000
      options: []
    dhcpv6:
      range_start: ""
      lease_duration: 86400
      ra_slaac_only: false
      ra_allow_slaac: false
  clients:
    runtime_sources:
      whois: true
      arp: true
      rdns: true
      dhcp: true
      hosts: true
    persistent: []
  log_compress: false
  log_localtime: false
  log_max_backups: 0
  log_max_size: 100
  log_max_age: 3
  log_file: ""
  verbose: false
  os:
    group: ""
    user: ""
    rlimit_nofile: 0
  schema_version: 14
--- a/apps/audiobookshelf/deployment.yaml
+++ b/apps/audiobookshelf/deployment.yaml
@@ -0,0 +1,42 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: audiobookshelf
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: audiobookshelf
  template:
    metadata:
      labels:
        app: audiobookshelf
    spec:
      containers:
        - name: audiobookshelf
          image: audiobookshelf
          ports:
            - containerPort: 80
          env:
          - name: TZ
            value: Europe/Berlin
          - name: CONFIG_PATH
            value: /data/config
          - name: METADATA_PATH
            value: /data/metadata
          volumeMounts:
            - name: data
              mountPath: /data
          resources:
            requests:
              cpu: "100m"
              memory: "200Mi"
            limits:
              cpu: "2"
              memory: "1Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: audiobookshelf-data
--- a/apps/audiobookshelf/ingress.yaml
+++ b/apps/audiobookshelf/ingress.yaml
@@ -0,0 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: audiobookshelf-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`audiobookshelf.kluster.moll.re`)
    kind: Rule
    services:
    - name: audiobookshelf-web
      port: 80
  tls:
    certResolver: default-tls 
--- a/apps/audiobookshelf/kustomization.yaml
+++ b/apps/audiobookshelf/kustomization.yaml
@@ -0,0 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: audiobookshelf
 images:
  - name: audiobookshelf
    newName: ghcr.io/advplyr/audiobookshelf
    newTag: "2.29.0"
--- a/apps/audiobookshelf/namespace.yaml
+++ b/apps/audiobookshelf/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/infrastructure/backup/postgres/pvc.yaml
+++ b/infrastructure/backup/postgres/pvc.yaml
@@ -1,11 +1,9 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
-  name: postgres-backup-claim
+  name: audiobookshelf-data
 spec:
-  storageClassName: nfs-client
+  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
--- a/apps/audiobookshelf/service.yaml
+++ b/apps/audiobookshelf/service.yaml
@@ -0,0 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: audiobookshelf-web
 spec:
  selector:
    app: audiobookshelf
  ports:
  - port: 80
    targetPort: 80
--- a/apps/code-server/deployment.yaml
+++ b/apps/code-server/deployment.yaml
@@ -0,0 +1,41 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: code-server
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: code-server
  template:
    metadata:
      labels:
        app: code-server
    spec:
      containers:
        - name: code-server
          image: code-server
          ports:
            - containerPort: 8080
          env:
          - name: TZ
            value: Europe/Berlin
          - name: CONFIG_PATH
            value: /data/config
          - name: METADATA_PATH
            value: /data/metadata
          volumeMounts:
            - name: data
              mountPath: /home/coder
          resources:
            requests:
              cpu: "50m"
              memory: "100Mi"
            limits:
              cpu: "6"
              memory: "16Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: code-server-data
--- a/apps/code-server/ingress.yaml
+++ b/apps/code-server/ingress.yaml
@@ -0,0 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: audiobookshelf-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`code.kluster.moll.re`)
    kind: Rule
    services:
    - name: code-server-web
      port: 8080
  tls:
    certResolver: default-tls 
--- a/apps/code-server/kustomization.yaml
+++ b/apps/code-server/kustomization.yaml
@@ -0,0 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: code-server
 images:
  - name: code-server
    newName: ghcr.io/coder/code-server
    newTag: 4.101.2-fedora
--- a/apps/code-server/namespace.yaml
+++ b/apps/code-server/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/code-server/pvc.yaml
+++ b/apps/code-server/pvc.yaml
@@ -0,0 +1,11 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: code-server-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
--- a/apps/code-server/service.yaml
+++ b/apps/code-server/service.yaml
@@ -0,0 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: code-server-web
 spec:
  selector:
    app: code-server
  ports:
  - port: 8080
    targetPort: 8080
  type: LoadBalancer
--- a/apps/files/deployment.yaml
+++ b/apps/files/deployment.yaml
@@ -0,0 +1,48 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: ocis-statefulset
 spec:
  selector:
    matchLabels:
      app: ocis
  serviceName: ocis-web
  replicas: 1
  template:
    metadata:
      labels:
        app: ocis
    spec:
      containers:
      - name: ocis
        image: ocis
        resources:
          limits:
            memory: "1Gi"
            cpu: "1000m"
        env:
        - name: OCIS_INSECURE
          value: "true"
        - name: OCIS_URL
          value: "https://ocis.kluster.moll.re"
        - name: OCIS_LOG_LEVEL
          value: "debug"
        ports:
        - containerPort: 9200
        volumeMounts:
        - name: config
          mountPath: /etc/ocis
        # - name: ocis-config-file
        #   mountPath: /etc/ocis/config.yaml
        - name: data
          mountPath: /var/lib/ocis
      volumes:
      # - name: ocis-config
      #   persistentVolumeClaim:
      #     claimName: ocis-config
      - name: config
        secret:
          secretName: ocis-config
      - name: data
        persistentVolumeClaim:
          claimName: ocis
--- a/apps/files/ingress.yaml
+++ b/apps/files/ingress.yaml
@@ -0,0 +1,18 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: ocis-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`ocis.kluster.moll.re`)
    kind: Rule
    services:
    - name: ocis-web
      port: 9200
      scheme: https
  tls:
    certResolver: default-tls 
--- a/apps/files/kustomization.yaml
+++ b/apps/files/kustomization.yaml
@@ -0,0 +1,16 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - ingress.yaml
  - service.yaml
  - pvc.yaml
  - deployment.yaml
  - ocis-config.sealedsecret.yaml
 namespace: files
 images:
  - name: ocis
    newName: owncloud/ocis
    newTag: "7.2.0"
--- a/apps/files/namespace.yaml
+++ b/apps/files/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/files/ocis-config.sealedsecret.yaml
+++ b/apps/files/ocis-config.sealedsecret.yaml
--- a/infrastructure/nfs/USAGE.md
+++ b/infrastructure/nfs/USAGE.md
@@ -1,13 +1,11 @@
 ```
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
-  name: test-claim
+  name: ocis
 spec:
-  storageClassName: nfs-client
+  storageClassName: "nfs-client"
  accessModes:
-    - ReadWriteMany
+    - ReadWriteOnce
  resources:
    requests:
-      storage: 1Mi
+      storage: 150Gi
 ```
--- a/apps/files/service.yaml
+++ b/apps/files/service.yaml
@@ -0,0 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: ocis-web
 spec:
  selector:
    app: ocis
  ports:
  - port: 9200
    targetPort: 9200
--- a/apps/finance/actualbudget.deployment.yaml
+++ b/apps/finance/actualbudget.deployment.yaml
@@ -1,12 +1,10 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  namespace: finance
  name: actualbudget
  labels:
    app: actualbudget
 spec:
 # deployment running a single container
  selector:
    matchLabels:
      app: actualbudget
@@ -18,83 +16,22 @@ spec:
    spec:
      containers:
        - name: actualbudget
-          image: actualbudget/actual-server:latest
+          image: actualbudget
          imagePullPolicy: Always
          env:
            - name: TZ
              value: Europe/Berlin
          envFrom:
            - secretRef:
                name: actualbudget-oidc
          volumeMounts:
-            - name: actualbudget-data-nfs
+            - name: data
              mountPath: /data
          ports:
            - containerPort: 5006
              name: http
              protocol: TCP
      volumes:
-        - name: actualbudget-data-nfs
+        - name: data
          persistentVolumeClaim:
-            claimName: actualbudget-data-nfs
+            claimName: data
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  namespace: finance
  name: "actualbudget-data-nfs"
 spec:
  # storageClassName: fast
  capacity:
    storage: "5Gi"
  accessModes:
    - ReadWriteOnce
  nfs:
    path: /export/kluster/actualbudget
    server: 192.168.1.157
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  namespace: finance
  name: "actualbudget-data-nfs"
 spec:
  storageClassName: "fast"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: "5Gi"
  # selector:
  #   matchLabels:
  #     directory: "journal-data"
 ---
 apiVersion: v1
 kind: Service
 metadata:
  namespace: finance
  name: actualbudget
 spec:
  selector:
    app: actualbudget
  ports:
    - protocol: TCP
      port: 5006
      targetPort: 5006
  type: ClusterIP
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
  namespace: finance
  name: actualbudget
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`actualbudget.kluster.moll.re`)
    kind: Rule
    services:
    - name: actualbudget
      port: 5006
  tls:
    certResolver: default-tls
--- a/apps/finance/actualbudget.ingress.yaml
+++ b/apps/finance/actualbudget.ingress.yaml
@@ -0,0 +1,15 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: actualbudget
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`actualbudget.kluster.moll.re`)
    kind: Rule
    services:
    - name: actualbudget
      port: 5006
  tls:
    certResolver: default-tls
--- a/apps/finance/actualbudget.pvc.yaml
+++ b/apps/finance/actualbudget.pvc.yaml
@@ -0,0 +1,11 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: "data"
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: "5Gi"
--- a/apps/finance/actualbudget.service.yaml
+++ b/apps/finance/actualbudget.service.yaml
@@ -0,0 +1,12 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: actualbudget
 spec:
  selector:
    app: actualbudget
  ports:
    - protocol: TCP
      port: 5006
      targetPort: 5006
  type: ClusterIP
--- a/apps/finance/firefly-importer.deployment.yaml
+++ b/apps/finance/firefly-importer.deployment.yaml
@@ -1,66 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
    app: firefly-importer
  name: firefly-importer
  namespace: finance
 spec:
  selector:
    matchLabels:
      app: firefly-importer
  template:
    metadata:
      labels:
        app: firefly-importer
    spec:
      containers:
      - image: fireflyiii/data-importer:latest
        imagePullPolicy: Always
        name: firefly-importer
        resources: {}
        ports:
        - containerPort: 8080
        env:
          - name: FIREFLY_III_ACCESS_TOKEN
            value: redacted
          - name: FIREFLY_III_URL
            value: firefly-http:8080
          # - name: APP_URL
          #   value: https://finance.kluster.moll.re
          - name: TRUSTED_PROXIES
            value: "**"
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: firefly-importer-http
  namespace: finance
  labels:
    app: firefly-importer-http
 spec:
  type: ClusterIP
  ports:
  - port: 8080
    # name: http
  selector:
    app: firefly-importer
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
  name: firefly-importer-ingress
  namespace: finance
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`importer.finance.kluster.moll.re`)
      kind: Rule
      services:
        - name: firefly-importer-http
          port: 8080
  tls:
    certResolver: default-tls
--- a/apps/finance/firefly.deployment.yaml
+++ b/apps/finance/firefly.deployment.yaml
@@ -1,79 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
    app: firefly
  name: firefly
  namespace: finance
 spec:
  selector:
    matchLabels:
      app: firefly
  template:
    metadata:
      labels:
        app: firefly
    spec:
      containers:
      - image: fireflyiii/core:latest
        imagePullPolicy: Always
        name: firefly
        resources: {}
        ports:
        - containerPort: 8080
        env:
          - name: APP_ENV
            value: "local"
          - name: APP_KEY
            value: iKejRAlgwx2Y/fxdosXjABbNxNzEuJdl
          - name: DB_CONNECTION
            value: sqlite
          - name: APP_URL
            value: https://finance.kluster.moll.re
          - name: TRUSTED_PROXIES
            value: "**"
        volumeMounts:
        - mountPath: /var/www/html/storage/database
          name: firefly-database
      volumes:
      - name: firefly-database
        persistentVolumeClaim:
          claimName: firefly-database-nfs
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: firefly-http
  namespace: finance
  labels:
    app: firefly-http
 spec:
  type: ClusterIP
  ports:
  - port: 8080
    # name: http
  selector:
    app: firefly
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
  name: firefly-ingress
  namespace: finance
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`finance.kluster.moll.re`)
      kind: Rule
      services:
        - name: firefly-http
          port: 8080
  tls:
    certResolver: default-tls
--- a/apps/finance/firefly.pvc.yaml
+++ b/apps/finance/firefly.pvc.yaml
@@ -1,34 +0,0 @@
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  namespace: finance
  name: firefly-database-nfs
  labels:
    directory: firefly
 spec:
  # storageClassName: fast
  # volumeMode: Filesystem
  accessModes:
    - ReadOnlyMany
  capacity:
    storage: "1G"
  nfs:
    path: /firefly # inside nfs part.
    server: 10.43.239.43 # assigned to nfs-server service. Won't change as long as service is not redeployed
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  namespace: finance
  name: firefly-database-nfs
 spec:
  resources:
    requests:
      storage: "1G"
  # storageClassName: fast
  accessModes:
    - ReadOnlyMany
  volumeName: firefly-database-nfs
--- a/apps/finance/kustomization.yaml
+++ b/apps/finance/kustomization.yaml
@@ -0,0 +1,17 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: finance
 resources:
  - namespace.yaml
  - actualbudget.pvc.yaml
  - actualbudget.deployment.yaml
  - actualbudget.service.yaml
  - actualbudget.ingress.yaml
  - oidc.sealedsecret.yaml
 images:
  - name: actualbudget
    newName: actualbudget/actual-server
    newTag: 25.9.0
--- a/apps/finance/namespace.yaml
+++ b/apps/finance/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/finance/oidc.sealedsecret.yaml
+++ b/apps/finance/oidc.sealedsecret.yaml
@@ -0,0 +1,19 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: actualbudget-oidc
  namespace: finance
 spec:
  encryptedData:
    ACTUAL_OPENID_AUTH_METHOD: AgAhPqooAS/7R9S/X3KGfSfs3ClN38J9CEfkUTYAUvKGEehQ2Tz3thPNvhvnbz/gKRc7C172jgxoxaGMiVXi40Qa+I7Y8JVHefjoSd8NuubzQZU8ZK5KlYRgc5OnoPM3RLarHyZ2DFw5Q/ngv3sp1c5dSI4/604KSQPxVAFCnb/lnSkOsBggDRymWvYclx1NrLIClpLAFwHgCOm6g1kHCvtGIdBLxKOHsiRJm62+UyHt0GLkR0QFTDXBQxoBm9QR9kLjQqw/QqcOIVx1by0RHoHBI6HDEEIQVH3UgWqlMmIwm+a4KQeBEdEfWLn9YC8MGSdlQRlaZoi5ltFT2c/DWuMuRStnaOWbsMQVR+y6yJ2UNBe29uVQh6877iqfmAJvT6gXic73zI7Vkq6IFQ7veQPBaTi22HP/sxiElGI8rY0LtRHD4TctKSePaOPvsgrv8k8SpB5qYAft7UonbTPWzzRSSc4Y3Z4fQiD0x/uhtTqTTtukx39nzM2TjVGcJThWaxUGa07w1fjTafieFVwwreURBUpRK92X2NY3ovOdA9c1WrHfqIzVtpcnfQyCeA5D4XT2sBFk0+crwEm1GmtscjPkGnyctNMUSmkHd+QKw8EAmWxKge4+7rfOrZp5ZK7cBFJcB4gVQcxnm3bXr0qZyiA1udaxmSxVflQR2AjduvhKuE73AGPi0bJki5TvKJp6bavTotYfdMY=
    ACTUAL_OPENID_CLIENT_ID: AgA6X0uYaU1n4XSXVntmT4+NgahYkkMVx61OZP8ExnSMkRPlwQfErhNHrwKsTsnD8OzP3svhxBe5bwaI8O1OKF0k5pQWG0DbRfmBrwiep9nBsKPt+fQm0AJUsZ2sQNShusmsSEumBKbMD0CMPklVMq18tLpOIh/YaXM34lsOutW0SIx7HWWQsyLmoolEoRVdkKvDhoh3FXjKqzGYlr1uKuqYG7pJPsxEpsTs2pZTUIlB2gVcEqb/ZXxgkj01GDYzB519swIOfYdISj7oCR8VG90M9iDrgmxsPkWozMDxFjNo5JR2dB9wvP7ptFex8JonbZZXYZD7tE+36U8iys6Cjh6JGwr9luN1AxYYSkRrNWJd2CuID+8ujWptoTvRSO0RwiVVp5LhXe1l2GxLsS2UVtO+nbWH6DGMJei4DQ+LAxDXFR8FAvi7615cneN0umQfF4ZMUJirvxHA3tFN42tbnRmSCbLAZLNLhQq8VbRmkYOAN6LCzSKYlyhSyA3NM2HjRTFkXGUhOPL+3tPZJB4v0QlEhlhy1Ffxh2mbUXgmQ+ZHGUsBXEHfc/Gba6gJhsj6S2DkiAeZUW6euY5/v4vpveWsS+YS+BxH441//8mOJnrpsWrcQbM5yCk4WMnmpETy/VFEkc3dqYfVWHDfvwAeqjVfXAovXBmwOoCASG6qDf0P7FdeLFTHUNuahyNhBzhBAQ/yNpOkbzKTJFBWwnM=
    ACTUAL_OPENID_CLIENT_SECRET: AgAbJinP4E8rbGAw7BTfh/GB3XxQOfHiLFrgaikQbUIsmZu+Y6ktK7aJdcX2/g6yhHXX6z8p4xoYTaGgkpo8H0XWvUDT4ohqJVdJSWZgNx8MyzisVKi+51BEpslL4JvGo/ISjXT0hNeYGzFXlHnnr3LX+fuTVh3dKtk4t8nmR8SqaCCIyvKiBPmX/1QWo4Vrfw7OLpVlfGP0i3J7FrhjNgKMRWcQKQC4Ohk+NLHHghdtqzuFB8eKwcuBZmynKCVyblOhwZSL5WnyJPskWLMjNEizWuCubDdyHVY3ZqYLDe5dgoi7Gop5/xY7FEuEkmTL0g7LpKo4RkEKRLjsZwWtW+xN6HRRt7zGoUdIpo20ZnTtEH8C/qcxjHKUycFvzKLnk6ntq5rEdK2/MhBtMfd3a8pb4vpT9JNra1AWsB7zCUv4yc/FT0RpkL+1r1CVva4o+tzM8ojnm4o0ch6qsGb0IOYZvJx6sF7c6aj7c41YQK3ZrQF3bhhhEHYyWOBjy1V4T/GJPZ9CbhGG0PIsSvpW7d5pG5jNAwU/Xo6FL/vVUPwmSq/hCqYMSSSKNiMH/q/vzKyu5B5aQbNDAumzsLRqD/auJz8nAaUoLNBVHq+7zTs3wV7pEayY22teq/MN5PRtYOQLE5Ck60gv9Q70cfhgvTeK+eX4h9BbhfijCV/EiSYhLP7meeIpE80icdLUSkNROfW+0sf3RNbW5q3JX8PsW0h29VJgREJdlziLj2cCshe+ww==
    ACTUAL_OPENID_DISCOVERY_URL: AgAQVZX6r8SPkwwBR1dmUF/ahuZKkGSsU/GULe5PF7Nm75UadtjPb5aHAZjWE59MdV61DQZDa4KJz1/fW4xDUrJBuUElIRQH4oyMTQG12MSMauQpLd25SVU8ex2NYyerbd85j521FSxujP0l3941KGsENLt5wCx/idXu47txhAHgS81mj3CLfWzT5yyG+V1i48a24xK905v+ft5ZKuNLOxvVb6yZSBt1j/3egx49eB49CRk/dxYQtPpSw8Zb6KgaN+skjq5HTH/Neb4J92nlJ1aFPVKbFLbtxyIHDSoO35U8ODHEJVGKBbZjjfrrjCpmQYnZPEWN9s+xj2NAXZ7qANcJfbFEF/3bOiKZhc0jLM5MyhiMZoytn4FvGM8zxINC3z8zqaWJm1wiMXEUH3/FLUa2UWeHKQB14h0f5XGwytb3s/nPCoBnHhtOK1y4utJ2APsQhRsxySZjgYNRaRCarp8PntY7yB7VHYlv5Mitx+qBWcAUmcKp1I4NTnm1LORRGzIFcrJJKtQfqcW7GNuZDA3AiLGyOMVigcA93GnPbppor5BItE9FK/BKqrR4Bz31jXSO8S7pjhi3JxBIKEMmMZRVbyelJ9o7gTpqrBvO7KZ5v/L+mlE0J8D2LZoEWPqxfa/BE+QZfwIS3wDWQl1GTruaAM4u0bp4i9GkyK3hPVXnml3dNMElSG3GvNqHhhy1Boo1cHXHbQ5YzbkGgzL9fLkigVQCi0FKItyBxdGsui9U0OU5LNi0EGKBibs22mdDkp6f051GWeMidtSwz9j5
    ACTUAL_OPENID_SERVER_HOSTNAME: AgB+C31GqtPKbMifuTFYhwOgUwXph+RQYdnVQaVIaDiveE6Lydl/2HnTyFQIi2mhrbiCpDgegXuvGBoM7WHxlPepny5E66lY/cAdFaFDGMARqMXCRLVmvkt3U1IyNn9zPCPil0x+eAv2S/ETLm8Nj2OL9utxkdNBHub9xiGrE0d7qBeBfK1FNmainthYQUpnCsR7jowmmvYGuEyDwfG+suUooDdb5zaWmCJZRYk1jKD3zlu21N0sfciBJ/GpTdz/2V+NXqJJqs3r2zoB2GJPQ64pMuZHZ+yw8bYUkg7/QOHD2ofWmtzNOGGtiNRHAG8MtvF6ovc4Hgv5uu+4x413UP6pSIJsrHrXSHYP+mvu+ya3gNUn6YK2qymezrqbvUF/n7LoaDzTRqa0PmemtdskuABiwfqrdiOarxaWjomkXqnrBK6VkJ8PhOMDMv/j/c6zlXdhpnqlUyxMcjBjqicfNBWN8UByDIEw4D0rhibzOS4fIKjNHrmXHv39GNJsY90avhZqq42oTMJL0vcaj3v4pBZJdJ05TOvY7PQ/iUwnnczGqOtpAQtBKfCV2+PXp9o/64wOGc0Br322kSpzjIleWP9VWVgbqvwMjUGtlL+xTkCaOFpiYETxUim09c745WDc+YgU55rd5i/5t20wiKy7RSYnHvYOwvdjAlEgAnD0YZBXOQkL51nL9P+nOMAYBE0HiM1vYsd8R6h6Fk+G2gcs/2CLgwglqOtMwAm9A9+5qSqyMak6Z68=
  template:
    metadata:
      creationTimestamp: null
      name: actualbudget-oidc
      namespace: finance
--- a/apps/grafana/grafana-admin.sealedsecret.yaml
+++ b/apps/grafana/grafana-admin.sealedsecret.yaml
@@ -0,0 +1,17 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: grafana-admin-secret
  namespace: grafana
 spec:
  encryptedData:
    password: AgAU6g/CwKj+1gPpt4DLvLsS0YCvJdVHWw4W4bRhibE9brVvcJtGB3D9MTJrSLVVwusaE6OR59og7oW5ge3yTd/9bbclXYLrxEi7OwvkQjCvo8MfD8yhJO9nV4Xs9Mjk2Z4SHGYuq6wvcssuJrpz5f0XEC7ocTRA+u0UaE+/b4FrYF71uyKGvj8GSXgLZUjGPFsGfPzwJn7cLBmlclVHx1xGbFpUc042m5Mulpn0QolFQnOwZiW4PL8pQyz1MXVRwCsz0RJd5apZL3XJ4X7BLMoAp+diHQ2xi3zoU9VScp+J2QgvFdRKgDa6v7Jz1f+HCwq5W/DoegwFXBrcMIfF2YrnvTnc1PCVwD9IHOeylO7J2hfi8teQiqTvvRlVgdBTLqoqlVovemf5k6ke6JfjTwnsJjTNnL7MKN5Qt0o7N2XRZ3ba9jp8cKbI7fyFQKaU2QEf2PIkp82kEnixmpA1aATgeA3W4E5Km7sKHUEB81+pwnOe54tzD2ShgQX/+UiswhWYTT+gdZKL1udBBemUDC0z9PSJNTPTy+hq+G4CIzVQUYxlioM3c+3geF7YLU8yXisj84pk44GN9KX3z5x+M2+LZL7agAWPUjxtrP2V+id7dNJQfCm0aSMeo57dVfb4zlBUAAgKIKjX+j1KqCVqE9zEO2F/QX7mY6MJTP2me3wmY7JAVRJ7d6bbkyyoDhs8JErLYLp0A+Eh+qx8nWgM9ErPVSA0
    user: AgB8ZLG2EuERjg1nKdH/xadbUuIR2c8a9gF5fE8ctrp4DNDLLuuqmjyoHRiWpkrtfnE1yKg1rPP+asV9Lj5iVmE9J+OB3QUOeFS4MHciBNj7pa68zfFgnHP4kxMX6aXyKRQrYruYjHwfzCpOM1zyTEphuGlnokjQXxjF/mZsoM2NWn7WGReqfxqH95tJXfs9AUC5vVv/PHqd+KKRZH7+G1AnWVJ7RFQHedR7wyftO4/rkm8deMuZWtOLl25fAOyOr7+hSqT69s9/uTKSLJXjobSqtulqsR+v5lkwx2ThNKzmcEcuoenKG6lk8XLRSIscccZH3JTPh6IknQWUOC4nmYj+XUxE8Go0RX/4eL+D/6FrYrtp0gr3HOCLAGU4vAHMeKfJoyqykJVnvY6QY6bFgaziyOlWaoEHpg6g0vHHDwyX7HIDcQfJZGOLH9dhrWJ2sOkzyuuxfqWEgz/M2eBW4EUAudHwfTLPocSMUI+D6fjeciMojet5uxWMP7ZHh/E061f5+Vfk6CKYd9Kpi69Xah8KEyyHYP5NImkdIwjgllaEAd/FBE2+QJyTVZlUQC7y9ObagDMCUFaFbTS5QOLh5BOJDL5buEYFWG0IhoH47SC/pKeEOQH//uvoo27K9zvxTOQN1YOTrxCozmexMOsTIdhvU0dOnJDBrThSHKYLCeIokDOgUUT52FqDH51RoLoK3UkyGbMoq+M=
  template:
    metadata:
      creationTimestamp: null
      name: grafana-admin-secret
      namespace: grafana
    type: Opaque
--- a/apps/grafana/grafana-auth.sealedsecret.yaml
+++ b/apps/grafana/grafana-auth.sealedsecret.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: grafana-auth
  namespace: grafana
 spec:
  encryptedData:
    client_secret: AgCEdC1/ERlPQyQP+bd9gcW33Yrvl4uRbx+RF5AY4vYAquOzxmLTygMl/WZlB5wlCE5idIHgto6/fUWVZrQbmfClRqsW2pFoddKQAtS9cQNXwMjLCm7e0lXk9GM9O3ZwktmklFbCu8XewHmefGHhoJ28vPxPMaINv1fM4zYKvNz5RHf0dJfTHgxb68wRYjAbE/eJpRcVE3a29Yw6Gfa8Mb+cFI7RTHvjuv9LBgWqM6b3qvvJ4wYR2WKuiQrnJ5xAtHpMAI/2R80qq151wlaZueDZ1PwjRBHURkmPTmwZnrMrmIugNge7Tpww+ArZlG9kDfSu1aTJidbXbcpN6fyt1qARTCYrBlbn60PTYLnPL/NObvMCpjS6DsYsYz7MJ7WoOupu46Ib5paZHmak+CilC6lb9LjJj4EKfRsagZmWT07JavhHBW/tqjB3GToccIz4fOAOdA9aU51J4wCL2ctp2SgzCEKe2EaBK/f9nDd9ASmmon9PDwRDVtG8yTukrNcZHNzodi09Af81DB0RNa36Z3Sjt5xu94paN+mjiOWGf2JduVEq+60NbPvDbPE9e1aVH3DdQcij2WGZaTE8dAGLSsLoOkIq3m2E+Mbk1Re1gI9H18xJM72ivb5uDe7pzReyvO5DY4Pfq8JgQhPxWcDq9ScmWS6Bb+jdCKytFq5NafSAl+akPbbwN+1GFu33if/P5D9I2TwOA8V1wyVU
  template:
    metadata:
      creationTimestamp: null
      name: grafana-auth
      namespace: grafana
    type: Opaque
--- a/apps/monitoring/grafana.ingress.yaml
+++ b/apps/monitoring/grafana.ingress.yaml
@@ -1,5 +1,5 @@
 kind: IngressRoute
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 metadata:
  name: grafana-ingress
 spec:
@@ -13,5 +13,3 @@ spec:
          port: 80
  tls:
    certResolver: default-tls
--- a/apps/grafana/grafana.values.yaml
+++ b/apps/grafana/grafana.values.yaml
@@ -0,0 +1,99 @@
 replicas: 1
 ## Create a headless service for the deployment
 headlessService: false
 ## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service).
 ## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
 ## ref: http://kubernetes.io/docs/user-guide/services/
 ##
 service:
  enabled: true
 serviceMonitor:
  ## If true, a ServiceMonitor CRD is created for a prometheus operator
  ## https://github.com/coreos/prometheus-operator
  ##
  enabled: false
 envValueFrom:
  AUTH_GRAFANA_CLIENT_SECRET:
    secretKeyRef:
      name: grafana-auth
      key: client_secret
 ingress:
  enabled: false
 # credentials
 admin:
  existingSecret: grafana-admin-secret
  userKey: user
  passwordKey: password
 datasources:
  datasources.yaml:
    apiVersion: 1
    datasources:
      - name: Prometheus
        type: prometheus
        url: http://prometheus.monitoring.svc:9090
        isDefault: true
      - name: Thanos
        type: prometheus
        url: http://thanos-querier.monitoring.svc:10902
        isDefault: false
      - name: Loki
        type: loki
        url: http://loki.monitoring.svc:3100
        isDefault: false
 dashboardProviders:
 dashboardproviders.yaml:
   apiVersion: 1
   providers:
   - name: 'default'
     orgId: 1
     folder: ''
     type: file
     disableDeletion: false
     editable: true
     options:
       path: /var/lib/grafana/dashboards/default
 ## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value.
 ## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
 ## ConfigMap data example:
 ##
 ## data:
 ##   example-dashboard.json: |
 ##     RAW_JSON
 ##
 dashboardsConfigMaps:
  default: grafana-dashboards
 grafana.ini:
  wal: true
  default_theme: dark
  unified_alerting:
    enabled: false
  analytics:
    check_for_updates: false
  server:
    domain: grafana.kluster.moll.re
    root_url: https://grafana.kluster.moll.re
  auth.generic_oauth:
    name: Authelia
    enabled: true
    icon: signin
    client_id: grafana
    client_secret: ${AUTH_GRAFANA_CLIENT_SECRET}
    scopes: openid profile email groups
    empty_scopes: false
    auth_url: https://auth.kluster.moll.re/api/oidc/authorization
    token_url: https://auth.kluster.moll.re/api/oidc/token
    api_url: https://auth.kluster.moll.re/api/oidc/userinfo
    tls_skip_verify_insecure: true
    auto_login: true
    use_pkce: true
    role_attribute_path: contains(groups[*], 'apps_admin') && 'Admin' || 'Editor'
--- a/apps/grafana/kustomization.yaml
+++ b/apps/grafana/kustomization.yaml
@@ -0,0 +1,21 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: grafana
 resources: 
  - namespace.yaml
  - grafana.ingress.yaml
  - grafana-admin.sealedsecret.yaml
  - grafana-auth.sealedsecret.yaml
  # grafana dashboards are provisioned from a git repository
  # in the initial bootstrap of the app of apps, the git repo won't be available, so this sync will initially fail
  - https://git.kluster.moll.re/remoll/grafana-dashboards//?timeout=10&ref=main
 helmCharts:
  - releaseName: grafana
    name: grafana
    repo: https://grafana.github.io/helm-charts
    version: 9.4.5
    valuesFile: grafana.values.yaml
--- a/apps/grafana/namespace.yaml
+++ b/apps/grafana/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/homeassistant/deployment.yaml
+++ b/apps/homeassistant/deployment.yaml
@@ -1,4 +1,3 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -15,14 +14,14 @@ spec:
    spec:
      containers:
        - name: homeassistant
-          image: homeassistant/home-assistant:2023.11
+          image: homeassistant
          ports:
            - containerPort: 8123
          env:
          - name: TZ
            value: Europe/Berlin
          volumeMounts:
-            - name: config
+            - name: config-dir
              mountPath: /config
          resources:
            requests:
@@ -32,6 +31,7 @@ spec:
              cpu: "2"
              memory: "1Gi"
      volumes:
-        - name: config
+        - name: config-dir
          persistentVolumeClaim:
-            claimName: homeassistant-nfs
+            claimName: config
--- a/apps/homeassistant/ingress.yaml
+++ b/apps/homeassistant/ingress.yaml
@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: homeassistant-ingress
@@ -6,7 +6,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`home.kluster.moll.re`)
+    - match: Host(`home.kluster.moll.re`) && !Path(`/api/prometheus`)
      middlewares:
        - name: homeassistant-websocket
      kind: Rule
@@ -15,9 +15,8 @@ spec:
          port: 8123
  tls:
    certResolver: default-tls
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: homeassistant-websocket
@@ -27,6 +26,3 @@ spec:
      X-Forwarded-Proto: "https"
      # enable websockets
      Upgrade: "websocket"
--- a/apps/homeassistant/kustomization.yaml
+++ b/apps/homeassistant/kustomization.yaml
@@ -1,18 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
 - namespace.yaml
 - ingress.yaml
 - pvc.yaml
 - service.yaml
 - deployment.yaml
 namespace: homeassistant
 resources: 
  - namespace.yaml
  - ingress.yaml
  - pvc.yaml
  - service.yaml
  - deployment.yaml
  - servicemonitor.yaml
-# helmCharts:
+
-#   - name: home-assistant
+images:
-#     releaseName: homeassistant
+  - name: homeassistant
-#     version: 13.4.2
+    newName: homeassistant/home-assistant
-#     valuesFile: values.yaml
+    newTag: "2025.9"
 #     repo: https://k8s-at-home.com/charts/
--- a/apps/homeassistant/pvc.yaml
+++ b/apps/homeassistant/pvc.yaml
@@ -1,28 +1,11 @@
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: homeassistant-nfs
 spec:
  # storageClassName: slow
  capacity:
    storage: "1Gi"
  # volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  nfs:
    path: /kluster/homeassistant
    server: 192.168.1.157
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: homeassistant-nfs
+  name: config
 spec:
-  storageClassName: ""
+  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: "1Gi"
  volumeName: homeassistant-nfs
--- a/apps/homeassistant/service.yaml
+++ b/apps/homeassistant/service.yaml
@@ -2,9 +2,12 @@ apiVersion: v1
 kind: Service
 metadata:
  name: homeassistant-web
  labels:
    app: homeassistant
 spec:
  selector:
    app: homeassistant
  ports:
  - port: 8123
-    targetPort: 8123
+    targetPort: 8123
    name: http
--- a/apps/homeassistant/servicemonitor.yaml
+++ b/apps/homeassistant/servicemonitor.yaml
@@ -0,0 +1,13 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: homeassistant-servicemonitor
  labels:
    app: homeassistant
 spec:
  selector:
    matchLabels:
      app: homeassistant
  endpoints:
    - port: http
      path: /api/prometheus
--- a/apps/homeassistant/values.yaml
+++ b/apps/homeassistant/values.yaml
@@ -1,136 +0,0 @@
 #
 # IMPORTANT NOTE
 #
 # This chart inherits from our common library chart. You can check the default values/options here:
 # https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml
 #
 image:
  # -- image repository
  repository: homeassistant/home-assistant
  # -- image tag
  tag: "2023.10"
  # -- image pull policy
  pullPolicy: IfNotPresent
 # -- environment variables.
 # @default -- See below
 env:
  # -- Set the container timezone
  TZ: Europe/Berlin
 # -- Configures service settings for the chart. Normally this does not need to be modified.
 # @default -- See values.yaml
 service:
  main:
    ports:
      http:
        port: 8123
 ingress:
  # -- Enable and configure ingress settings for the chart under this key.
  # @default -- See values.yaml
  main:
    enabled: false
 # -- Enable devices to be discoverable
 # hostNetwork: true
 # -- When hostNetwork is true set dnsPolicy to ClusterFirstWithHostNet
 # dnsPolicy: ClusterFirstWithHostNet
 securityContext:
  # -- (bool) Privileged securityContext may be required if USB devics are accessed directly through the host machine
  privileged:  # true
 resources:
  requests:
    cpu: "100m"
    memory: "200Mi"
  limits:
    cpu: "2"
    memory: "1Gi"
 # -- Configure persistence settings for the chart under this key.
 # @default -- See values.yaml
 persistence:
  config:
    enabled: true
    existingClaim: homeassistant-nfs
  # -- Configure a hostPathMount to mount a USB device in the container.
  # @default -- See values.yaml
  usb:
    enabled: false
    type: hostPath
    hostPath: /path/to/device
 # -- Enable and configure mariadb database subchart under this key.
 #    For more options see [mariadb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/mariadb)
 # @default -- See values.yaml
 mariadb:
  enabled: false
  architecture: standalone
  auth:
    database: home-assistant
    username: home-assistant
    password: home-assistant-pass
    rootPassword: home-assistantrootpass
  primary:
    persistence:
      enabled: false
      # storageClass: ""
 # -- Enable and configure postgresql database subchart under this key.
 #    For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql)
 # @default -- See values.yaml
 postgresql:
  enabled: false
  image:
 # -- Enable and configure influxdb database subchart under this key.
 #    For more options see [influxdb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/influxdb)
 # @default -- See values.yaml
 influxdb:
  enabled: false
  architecture: standalone
  database: home_assistant
  authEnabled: false
  persistence:
    enabled: false
    # storageClass: ""
    # size: 8Gi
 metrics:
  # -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
  # @default -- See values.yaml
  enabled: false
  serviceMonitor:
    interval: 1m
    scrapeTimeout: 30s
    labels: {}
    ## See https://www.home-assistant.io/docs/authentication/ for where to find
    ## long lived access token creation under your account profile, which is
    ## needed to monitor Home Assistant
    # bearerTokenSecret:
    #   name: ""
    #   key: ""
  # -- Enable and configure Prometheus Rules for the chart under this key.
  # @default -- See values.yaml
  prometheusRule:
    enabled: false
    labels: {}
    # -- Configure additionial rules for the chart under this key.
    # @default -- See prometheusrules.yaml
    rules: []
      # - alert: HomeAssistantAbsent
      #   annotations:
      #     description: Home Assistant has disappeared from Prometheus service discovery.
      #     summary: Home Assistant is down.
      #   expr: |
      #     absent(up{job=~".*home-assistant.*"} == 1)
      #   for: 5m
      #   labels:
      #     severity: critical
--- a/apps/immich/immich.postgres.yaml
+++ b/apps/immich/immich.postgres.yaml
@@ -0,0 +1,39 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: immich-postgresql
 spec:
  instances: 1
  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:16-0.3.0
  bootstrap:
    initdb:
      owner: immich
      database: immich
      secret:
        name: postgres-password
      dataChecksums: true
      postInitApplicationSQL:
        - ALTER USER immich WITH SUPERUSER;
        - CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
        - CREATE EXTENSION IF NOT EXISTS "cube";
        - CREATE EXTENSION IF NOT EXISTS "earthdistance";
  postgresql:
    shared_preload_libraries:
      - "vchord.so"
  storage:
    size: 5Gi
    storageClass: nfs-client
  monitoring:
    enablePodMonitor: true
  resources:
    limits:
      cpu: 2
      memory: 1024Mi
    requests:
      cpu: 50m
      memory: 512Mi
--- a/apps/immich/ingress.yaml
+++ b/apps/immich/ingress.yaml
@@ -1,13 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: stripprefix
 spec:
  stripPrefix:
    prefixes:
      - /api
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: websocket
@@ -18,22 +9,21 @@ spec:
      # enable websockets
      Upgrade: "websocket"
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-    name: immich-ingressroute
+  name: immich-ingressroute
 spec:
-    entryPoints:
+  entryPoints:
-        - websecure
+    - websecure
-    routes:
+  routes:
-        - match: Host(`immich.kluster.moll.re`)
+    - match: Host(`immich.kluster.moll.re`)
-          kind: Rule
+      kind: Rule
-          services:
+      services:
-              - name: immich-server
+        - name: immich-server
-                port: 3001
+          port: 2283
-                passHostHeader: true
+      middlewares:
-          middlewares:
+        - name: websocket
-              - name: websocket
+  tls:
-    tls:
+    certResolver: default-tls
        certResolver: default-tls
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
@@ -1,16 +1,34 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: 
+resources:
- namespace.yaml
+  - namespace.yaml
- ingress.yaml
+  - ingress.yaml
- pvc.yaml
+  - pvc.yaml
- postgres.sealedsecret.yaml
+  - immich.postgres.yaml
  - postgres.sealedsecret.yaml
  - servicemonitor.yaml
 namespace: immich
 helmCharts:
  - name: immich
    releaseName: immich
-    version: 0.2.0
+    version: 0.9.3
    valuesFile: values.yaml
    repo: https://immich-app.github.io/immich-charts
 images:
  - name: ghcr.io/immich-app/immich-machine-learning
    newTag: v1.142.0
  - name: ghcr.io/immich-app/immich-server
    newTag: v1.142.0
 patches:
  - path: patch-redis-pvc.yaml
    target:
      kind: StatefulSet
      name: immich-redis-master
--- a/apps/immich/patch-redis-pvc.yaml
+++ b/apps/immich/patch-redis-pvc.yaml
@@ -0,0 +1,17 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: immich-redis-master
 spec:
  volumeClaimTemplates:
  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: redis-data
    spec:
      storageClassName: nfs-client
      accessModes:
        - ReadWriteMany
      resources:
        requests:
          storage: 2Gi
--- a/apps/immich/postgres.yaml
+++ b/apps/immich/postgres.yaml
@@ -0,0 +1,35 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: immich-postgres
 spec:
  instances: 1
  imageName: ghcr.io/tensorchord/cloudnative-pgvecto.rs:16.2
  bootstrap:
    initdb:
      owner: immich
      database: immich
      secret:
        name: postgres-password
  # Enable the VECTORS extension
      postInitSQL:
        - CREATE EXTENSION IF NOT EXISTS "vectors";
  postgresql:
    shared_preload_libraries:
      - "vectors.so"
  # Persistent storage configuration
  storage:
    size: 2Gi
    pvcTemplate:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 2Gi
      storageClassName: nfs-client
      volumeMode: Filesystem
  monitoring:
    enablePodMonitor: true
--- a/apps/immich/pvc.yaml
+++ b/apps/immich/pvc.yaml
@@ -1,26 +1,11 @@
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: immich-nfs
 spec:
  capacity:
    storage: "50Gi"
  accessModes:
    - ReadWriteOnce
  nfs:
    path: /kluster/immich
    server: 192.168.1.157
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: immich-nfs
+  name: data
 spec:
-  storageClassName: ""
+  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
-      storage: "50Gi"
+      storage: "100Gi"
  volumeName: immich-nfs
--- a/apps/immich/renovate.json
+++ b/apps/immich/renovate.json
@@ -0,0 +1,10 @@
 {
    "packageRules": [
      {
        "matchDatasources": ["docker"],
        "matchPackagePrefixes": ["ghcr.io/immich-app/"],
        "groupName": "Immich containers",
        "groupSlug": "immich-app-images"
      }
    ]
  }
--- a/apps/immich/servicemonitor.yaml
+++ b/apps/immich/servicemonitor.yaml
@@ -0,0 +1,14 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: immich-service-monitor
 spec:
  endpoints:
  - port: metrics-api
    scheme: http
  - port: metrics-ms
    scheme: http
  selector:
    matchLabels:
      app.kubernetes.io/name: server
      app.kubernetes.io/service: immich-server
--- a/apps/immich/values.yaml
+++ b/apps/immich/values.yaml
@@ -6,8 +6,8 @@
 env:
  REDIS_HOSTNAME: '{{ printf "%s-redis-master" .Release.Name }}'
-  DB_HOSTNAME: "postgres-postgresql.postgres"
+  DB_HOSTNAME: "immich-postgresql-rw"
-  DB_USERNAME: 
+  DB_USERNAME:
    valueFrom:
      secretKeyRef:
        name: postgres-password
@@ -22,94 +22,41 @@ env:
      secretKeyRef:
        name: postgres-password
        key: password
  TYPESENSE_ENABLED: "{{ .Values.typesense.enabled }}"
  TYPESENSE_API_KEY: "{{ .Values.typesense.env.TYPESENSE_API_KEY }}"
  TYPESENSE_HOST: '{{ printf "%s-typesense" .Release.Name }}'
  IMMICH_WEB_URL: '{{ printf "http://%s-web:3000" .Release.Name }}'
  IMMICH_SERVER_URL: '{{ printf "http://%s-server:3001" .Release.Name }}'
  IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}'
-
+  IMMICH_METRICS: true
 image:
  tag: v1.89.0
 immich:
  metrics:
    # Enabling this will create the service monitors needed to monitor immich with the prometheus operator
    enabled: true
  persistence:
    # Main data store for all photos shared between different components.
    library:
      # Automatically creating the library volume is not supported by this chart
      # You have to specify an existing PVC to use
-      existingClaim: immich-nfs
+      existingClaim: data
 # Dependencies
 postgresql:
  enabled: false
 redis:
  enabled: true
  architecture: standalone
  auth:
    enabled: false
 typesense:
  enabled: true
  env:
    TYPESENSE_DATA_DIR: /tsdata
    TYPESENSE_API_KEY: typesense
  persistence:
    tsdata:
      # Enabling typesense persistence is recommended to avoid slow reindexing
      enabled: true
      accessMode: ReadWriteOnce
      size: 1Gi
      # storageClass: storage-class
  image:
    repository: docker.io/typesense/typesense
    tag: 0.24.0
    pullPolicy: IfNotPresent
 # Immich components
 server:
  enabled: true
  image:
    repository: ghcr.io/immich-app/immich-server
    pullPolicy: IfNotPresent
  ingress:
    main:
      enabled: false
 microservices:
  enabled: true
  env:
    REVERSE_GEOCODING_DUMP_DIRECTORY: /geodata-cache
  persistence:
    geodata-cache:
      enabled: true
      size: 1Gi
      # Optional: Set this to pvc to avoid downloading the geodata every start.
      type: emptyDir
      accessMode: ReadWriteMany
      # storageClass: your-class
  image:
    repository: ghcr.io/immich-app/immich-server
    pullPolicy: IfNotPresent
 machine-learning:
  enabled: true
  image:
    repository: ghcr.io/immich-app/immich-machine-learning
    pullPolicy: IfNotPresent
  env:
    TRANSFORMERS_CACHE: /cache
  persistence:
    cache:
      enabled: true
-      size: 10Gi
+      size: 200Gi
      # Optional: Set this to pvc to avoid downloading the ML models every start.
      type: emptyDir
      accessMode: ReadWriteMany
      # storageClass: your-class
--- a/apps/kitchenowl/deployment.yaml
+++ b/apps/kitchenowl/deployment.yaml
@@ -0,0 +1,42 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: kitchenowl
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: kitchenowl
  template:
    metadata:
      labels:
        app: kitchenowl
    spec:
      containers:
        - name: kitchenowl
          image: kitchenowl
          ports:
            - containerPort: 8080
          env:
          - name: TZ
            value: Europe/Berlin
          envFrom:
            - configMapRef:
                name: kitchenowl-config
            - secretRef:
                name: kitchenowl-oauth
          volumeMounts:
            - name: data
              mountPath: /data
          resources:
            requests:
              cpu: "50m"
              memory: "100Mi"
            limits:
              cpu: "100m"
              memory: "1Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: kitchenowl-data
--- a/apps/kitchenowl/ingress.yaml
+++ b/apps/kitchenowl/ingress.yaml
@@ -0,0 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: kitchenowl-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`kitchen.kluster.moll.re`)
    kind: Rule
    services:
    - name: kitchenowl-web
      port: 8080
  tls:
    certResolver: default-tls 
--- a/apps/kitchenowl/kitchenowl-config.configmap.yaml
+++ b/apps/kitchenowl/kitchenowl-config.configmap.yaml
@@ -0,0 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: kitchenowl-config
 data:
  FRONT_URL: https://kitchen.kluster.moll.re
  DISABLE_USERNAME_PASSWORD_LOGIN: "true"
--- a/apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml
+++ b/apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml
@@ -0,0 +1,19 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: kitchenowl-oauth
  namespace: kitchenowl
 spec:
  encryptedData:
    JWT_SECRET_KEY: AgAclRIJS25ACVe4NqLQbAree6c6WpTBHnLpe3ZQJ0ScHG/EbW/ooABZj7y1ABAn/mCc+hBYXYHm81FNUfUtSuLKi2UlORbTCsfmisYH49WX0Lpku9LTM/8az9tjE0tjUUrJZcRUuJfdNJMDPQx7IPjUQ7sKk/exFnkPEbK98+AElXyHpPKXd9dxiCgll0n+ksbF9BDUR8KY8IB2Zvh4cXPww578qe/9XYnxLV8uY9K8KPvhl7NI40SIaL4PX8KmsDlBh1bpOR/OxhIwAGEZDQp/KROy6msrIOYW4SHM9nlSUSD4WvV8UjcbV1oNnYpE1usFOuxSfQlJ1zlFepKUv40JykyunvQv9nqVbEogsrS4o5N3gNEaB9yyFSHIlevp32LVpAuZu3cNplmT+Zg7+ODpCWIcVgmOAeapvB+X7H4ScbKVcYLAzrRFDtnS4Vo1M+RERhr0AuMU/tz0lGs99oRkCw2ZIg015R125u0VcRNqzgCtbBM5BFiKiP2kYrHn02Q6o5tRWxDQfrfb0mnfD5c/gM4+btlfM6DZMpr/l1kLlm8PDEpPGbkhK1XiAyJ4erHPDMLcmZXrSyxX9R1g8n7vnLnkqx5LkGmnltQI2FM7StxC6IrMlxY0nPnkq1lHhTz7yCpQJNXgfXZLVvov+f6jlD6WJhYHZCL/hIFfx3ybjGYZwJ0m84lH0OQJQw5dtsbPVqqoYZIPieqdRmHw7M7TTmFuQJXD94lZj5gsln1sMqs=
    OIDC_CLIENT_ID: AgDOxWtGCiFrIP5aWHimrR6bu0uMS1/i1v1Kzo1lIR3j3zlw/Da2oCPNx1ZuhNAp9UMIs2euc8mtrWkyv4R6pcci+IxXiGzlQNBSkMfWu4DwhwlEdnVyCVehfE00t0ytBxX6NeLfS1b8JOtH9yo3e22fdaeTwn/iwGLNwi1BJxMmzk9pVp7jzXH09Zia8UvUmXw5GyGpIOIiGcIfaXkr1ZnY2l30jTw8eS7HaouzfWHWTpNXkMLN3qim4vs/B1Sgz/y9tUyVo/qMhWLdEcVklYHT7xHx03SPD7RtK+zdYZCqvDtj+tsdpYHt05zeGV+wflNQuiocjwP8TW7vhtbjKrf9lQIxB5CErju178ELOVrpsPBAYMgdEl7qZeKdSpydIwe3VbOg3XJ7O/Ps1KSnRYwrCvgE4ZCMm3geHyJxSiKRhBcuVYz5JkNd5ylD0Eq9NL5RCqJ4szL9NaGNPbzkvcdZzAnbTYFTzyqZ+XHX/BUFisXl5bKNHtaqAsOK8woGYnxJiawKRrwDUmHXU4RB3QiPCPhHSLU7OkvU+XDhyQqLa8bKEQzj9dUf4bX3Savk4noiRsXMYJznAlgMPo0Q4taxVIoyQHELYwIIdP5YRuw27B9wKUR7e2hhu4FTOEcyhwuFql3OuAjq8HJCDX6+COkL2WYFFxWBnbSCYEdzfbMBCHjrUUonijcQluU2VbaHODNMAvB16MRKapAW
    OIDC_CLIENT_SECRET: AgAylnSUXwInlh/WvyCiFz+8asbCSZA6kk84Rt6l7bHVYw34c58lJHsZK2OvOIlHuaMe/ewnTqxVd0hI1Azl+wd/5NygMYlntKquq0vuzlhLrGc3u+0SOn9N2P6quA3slF9KR94CYsDx9ogy+EsEoA1yrsydB8S0g9W8syraR1MtpM0ZkcJ/D78OZ6qzyXUuBNAZc+iX/r96NvoMiGNYavgG7npOJh/pkKNYPuNkt4zpbAFjVyoCfgZd4V2nmZ6dhEVy8odW+jcsMn6OJ1OZVlPb1beq49lBEcaJqk83ZtKbq2evtBYHw9YAnENVq92ecenw/YL5LXUhOxeN0M9Amo99/O6pQwwrT1mtZqhTTeTIZTAxqmJKgyxGhE4DJUR/s71bc7K9hd2WvdAYnCyVC2uGa0MwXp4V7UuaN9GerldT8lcFxOpRnD7yroqVTqebjAJIkIinp5NNZ2ZP/LCiCwKKHHT19Pchn615WOPTofC6es/spIdQ8a1Nf2J5YzvRjsduFS55U6tMaC7cuV8kqKH9xTTf/sDHt+68wVEAO9koAe1zpO+zR2Pq3VuCnvcDGIwXopXjvyjfujEEhEWZl51PVJLZqtkP5Wg2wHvlgjJBbbIGTrqh4xa9pK7wLDM2hUFx1q/YKqwfP0EGVTc96G8Wermj0DtIqclqFLr54DtxVe+Rr8J4edG6YQ26/seYsrZ1Oq2PejHQt8u9EzQYAtYYlBsw2ujCWys6KrbhaVr3
    OIDC_ISSUER: AgA2JPd5axkL5YIRA95qm/iH8wgM2J0AjKjgGClWabYJ3UKIk0hi/L/zR+1Pw9Z+6amYXj7Q0FxLqCcNYG+H5ABxnqUi7Gl8gvfVbegaO3q5QiO27g18RMDssNHDSun8PPaxHBvBD68hxgsaXntu8sZavCGdwEK0TzLJi7eH/4jtHlofzfYgaCsGqeOBgvs/q87PVJ/qxazXlY9e7abbRAKl9ZMY7Wga58/IU2HhWwYMvI53yQyGMcKf3XiI9iNHgIcj1+TmlgQo+PRKyopNfzgFbey7on8woQXphY+ioqQ0hyworpxAVoWlvzKKopt1xBDr4zxzkzbWyxtjwPVOOH3iyenZz8tZa/JkNYWxkWHbh0KCs9yUIji3D3shQOFM/NtE17THsQm3NgpZ2lg9ET1v6uXqwfOLiQ+J1JQLwNFnYeruH2lK4EGt2nDCq2VycOIjW4kMpiJ4LiT8gap9HwYjTpAn+opicYn5e9fmpgiHdMPvrsG1m9edg0cbwdSpEelliHnAUfKsxMV2e1fLsga6yrhBLSXIQs8rbURRa6wqVvGoLB86a9Q5Rm94Jfm0Sa9v5LMGRYvqO5LbLrjrR8e/2r17pHQE8ynMQCAW1yVTe09FcgRwYhDUohfThtjIh16sdoC97eUel7fo/POt3atP69JsCIBZstprhVtBIBssmavpIotVqi8F2/yUkhrZR26mH3gsOxkNTEk6XzHHtJRu0cU+BmObTvYgMi3DHg==
  template:
    metadata:
      creationTimestamp: null
      name: kitchenowl-oauth
      namespace: kitchenowl
    type: Opaque
--- a/apps/kitchenowl/kustomization.yaml
+++ b/apps/kitchenowl/kustomization.yaml
@@ -0,0 +1,17 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - kitchenowl-oauth.sealedsecret.yaml
  - kitchenowl-config.configmap.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: kitchenowl
 images:
  - name: kitchenowl
    newName: tombursch/kitchenowl
    newTag: v0.7.3
--- a/apps/kitchenowl/namespace.yaml
+++ b/apps/kitchenowl/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/kitchenowl/pvc.yaml
+++ b/apps/kitchenowl/pvc.yaml
@@ -0,0 +1,11 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: kitchenowl-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/apps/kitchenowl/service.yaml
+++ b/apps/kitchenowl/service.yaml
@@ -0,0 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: kitchenowl-web
 spec:
  selector:
    app: kitchenowl
  ports:
  - port: 8080
    targetPort: 8080
--- a/apps/linkding/deployment.yaml
+++ b/apps/linkding/deployment.yaml
@@ -0,0 +1,40 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: linkding
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: linkding
  template:
    metadata:
      labels:
        app: linkding
    spec:
      containers:
        - name: linkding
          image: linkding
          ports:
            - containerPort: 9090
          env:
          - name: TZ
            value: Europe/Berlin
          envFrom:
            - secretRef:
                name: oauth-config
          volumeMounts:
            - name: linkding-data
              mountPath: /etc/linkding/data
          resources:
            requests:
              cpu: "100m"
              memory: "200Mi"
            limits:
              cpu: "1"
              memory: "1Gi"
      volumes:
        - name: linkding-data
          persistentVolumeClaim:
            claimName: data
--- a/apps/linkding/ingress.yaml
+++ b/apps/linkding/ingress.yaml
@@ -0,0 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: linkding-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`linkding.kluster.moll.re`)
    kind: Rule
    services:
    - name: linkding-web
      port: 9090
  tls:
    certResolver: default-tls 
--- a/apps/linkding/kustomization.yaml
+++ b/apps/linkding/kustomization.yaml
@@ -0,0 +1,16 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - ingress.yaml
  - service.yaml
  - pvc.yaml
  - deployment.yaml
  - oauth.sealedsecret.yaml
 namespace: linkding
 images:
  - name: linkding
    newName: sissbruecker/linkding
    newTag: "1.42.0"
--- a/apps/linkding/namespace.yaml
+++ b/apps/linkding/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/linkding/oauth.sealedsecret.yaml
+++ b/apps/linkding/oauth.sealedsecret.yaml
@@ -0,0 +1,22 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: oauth-config
  namespace: linkding
 spec:
  encryptedData:
    LD_ENABLE_OIDC: AgBfiwAdh1RD8gpzzVnF6y3c8kn5NFbms0T74pmj1aaFD0uQd/dqIxrvZxiBMzgqdrrVUCxRlpG3tiJYMpDEVXQPwRj8uuAizYFEP4uuGFpCtErjb+Y+aOdXSPRCVPbIqROiE+qswNT5KkJm6rR3FPckWipiQdzfpoq+G00MARKqzo4sNrx8+JzgoBFbS/tVPej3VdmDy8iceeVCQ2dJs+roRw+jOfCxqiUjHH5SyoZPnCTlmTZcwr3F9gBGEWGyEl0FNVgL/ku7WEL2COeIIE/2r4RWPqZU4DkPtIv/J4Dosxuw7EQnC5kzTgJGB/TF9Mn/FcS7iYQZKATvWzjC/cTdwZ+aG1qZGz87wM4fxQ05GhgEUkVOlGgxlzxk9BUL3l9Xsaa1KTivaQ4dvB/jm3j12b9rPfO2CXB4jPK7Pk1vKbr5icPXa8dyFY4hiJ1PYh/295a7ZM02n3ao4uHw8KSaxK9GxsCFBxr59q+6ZpjOGnTHZvKGfJHn3jEcIT8k89J5gqrlWjLqR50TEJj3jPZ3QDPN/u1Bf0wAoIOGK7jpnwIXQpacudU2pxZNWC2KtdZbcF9QzuOqKVFABmabdCkBtLa34cyZdweBaCfLRg1Ic0yxrWGzctnwM0Rfd+OzsEpLB7GHKllV597znF5QiK3rQrl5TmgHf0jC1OmMsBkNYCRo2AhYsBN5nli0dgD1y028rsW6
    OIDC_OP_AUTHORIZATION_ENDPOINT: AgBYHGF/D1tzWRy2issyi3oZjYK/m5cuwdlHuqboPBBHybfTwCkvSfWAL8FSGAgoLYWZEwwoGr5GDSCnAWfhoYwVgCxWw7y4IohCkUSrwbzTVwJxoRTeWIilzwAdH2zX3mZJVHTYCQiLTCjv+MPRsF5FZP4+STtgfecK5Fjgb3sIfZa/yazbN6jf7bdaR91yX2iddeZn7B80aQvu3jOkujPX9yCJz/H+1BN35CtC7KLhFrKgw6uvfQi3g90On5uBHwrC53ve4rEvcOgi575WBA3fDYW4RxNb8yxxocQOuqNRa3jUa/RIjOnX9tFoG/QIXY89DUSsgpAZFWIlV4np4KOe4V+xWT1khz2TPRDaakDumkNmE/sAjpYfGX13+88A0N/hO9o2aXJhEXOFZ5eulyAwDdIodMg6lQTG43OhdSZLFfR5TrnzkVR1pIzwPMutgf8jai4dyYK+SV+oyGeZosNpD484gzhjMGkz8Djs7/cADcvJVmGfWWYvjenlfvFC5lK7F+355o9L38fUeG2lhRw8NsPWuzsiH7m6GaSEfEPcdqj/AohArtUnf9cfF04tocPwCuNLeIgR42W+cfapD9g14sN9v4Z7g/5IQSqL2EhNR9xQMoIT9BkBEhI9JR518Yds/Z89Lg0HsMw6UCrkg6um1If80gjHyRa7JrfxzepKifWNn9/suHlhecaeXcSOKMCCFYDtHyvO4/gCe8/PXjyVc/SUZNBDJsDOikVvVJfKqDlEkimfl+BISzkMv5ALxGDHMRc=
    OIDC_OP_JWKS_ENDPOINT: AgAg+6Ty8o++uc+UfaVNtJviu1A771rtazn9pj7KafqgIx1xNuPtUBwGEScfku8glUy0bS8r7MyMNlUe3sIYfnDKQmmHBVHFoiJ0IjLZP/pV51A4fT2DUrFv9pnIemqjFD2jew5ToXhuHwUc+Y3LvX8M8aPpB/J+DjIIvgKQe2faHyWt4c24jOZaH56xJhI114LIXD0A7Qvq4O7UfpIUNfYSMojTH7VURptL18Mh1YRKJmil1PmRIstX9Smr3ltAG9Rw032v9ISdDmV+OyuhPo1Wk3AU85RdOQ9hZGMSFXQXFEqQUp/N76n875KDUMT4W57//YGFRUrm8w4oB+PlkjGV2pG7DNYVxUZEmi5UXwY8fTI+KljAZHSk/YOSku+gc75hWYXX6s3g/R6/IWmr9sV5O5N0bc3guQ96nnRmjuzb3HebM0hPfPS+6/xn29erTDETs1bvfCQ9oWNMomDsH4FVz5gC+zwrUvUD3Af3TVsU5g+lfOE83+pmMMWcJFn8Z0uldud0jR27o/ftKgBDmUaGi3zCQWJrYxtXehBy9fo0K7QpbYnLHvNnXVX9fGQ0PZNMc8N0wYZUDuhOv114lqfbVR5dHYoger4iT0xC+SHcWGgvyjqb4YI7bfnY+bnh8TLfuI/ttw1l7/ev79/yvjrtgPuBwN9ygUxENLR2Ur1Cc/u72d+ST4NIg5esth+y9Z2JdP/3+nlYctnyakWhEkUyBPK+5Iyacv29t1bMXoesB6Ub5WsXaw==
    OIDC_OP_TOKEN_ENDPOINT: AgBRpyDYbQlq7dcqJ2Gd+CfSRZRgvpuUsIngAXX85dt0dChYhQ/YvnFl9r3GqsXNBrWQBa0uE7t+uXxo+oobjgfSibq28kQBL92PM/s7OctINTJBN3q0Gdv43vnliS69/WR21kZkLuAmPne1nL+FZJXavIUF8N6CX3gKb4WMdv+Rl4AAmUo9vsB1C7mxDcS1CppUeJ8KdF5qkb8Xag28Lv2rDA7W9Ne+tNGFi4q/UWqdU76iUxrHu/Kfg6RD0rYlOaW+0b3A5Rvj5oU8ho1Z/eIsA9NaZNYBQjtGAk9fiD2EB9IcFi6kYv5zGZsRcPTzMv/35Wh+lV8I3mDRGcfkmzQsZ8Hcfx7c3zpemZqvY7LMgrvO5AatWKYZUFPsTcaT/mVFmAaVuq5PqeuCQhqekug3rdQxxf2n1cWMMnbptf4g19oTFKx3FtXImpPk97Iv9RbMATKHE/nnfin5/7PtQNn9VBBW785hzzB7cs+IiEzdjGu7MnFlKaGEoS94eZtgLSEmpIMeXFW6V0rXHQ6J+CUjBjiEpAh6LKsh4De+IrWFuzAYH0jwowuY2r4VX3jx+Yv8SFEJ5AfDYbvx8qX1zy1dGfsQvrAai298QCOTizLmeuJLMIC0qlNLZWrYhf8XzF2/N8/bC0R0Pyr+6Jxo8HrtHyFcnl8ckHycWosCOkQmQIbX+vOffOpQ6vYUkHM4MqIAiTl6G+bxjtxBZUTXvqX1sKCEO7pccL8gJZQ+ICN9nP785JAd4eW2JeGW
    OIDC_OP_USER_ENDPOINT: AgBD4amxFPHYQR6JWjNTsPM63NNI+f9DgZ9+whv5f3bUo7KNtB05vAYYQtAdMYJR+5499S6t0BYwOi4cNxQVJyga1bKogqih3EI/QlJeLvoFvDFj2wEMmCkT5MS+qemtPJwXK7JTHzUFX74b+S/a30/mvWKkMRHzc+G+E678/RDIScFJFssfJVMJB4Kp9T4y+v9jJAKZRixkx2lOR48JR5umXwxm+xQGaexeJOv0MZY4Am4P/nJcWM+Gk1Ka/ih+VAJRLsu9dgvShytQ1OHaAPMRu6H7Wb2bLrzpz4rTcGbZA3aTgHfItjWQpBV3fhNvyNW8QRbRFSyxHBC4snqW5Bl77u4KdMicwL/0x1JhwP6cx+/TVEyZ2n+5Y5PyOW+E7LXtiZGZ/eRw3xVLxvrFDwY0EBMqAUWHyQjwlZLctjxgBud5XDtT4athaNq5hnCELMepRI05kF+o5ECxKWoFXN5rXrwrlcgftCV9PTZbP8pkxyau8O28C4YX07J65G9ntV3VIg9tAXww6X68YHIQEdAgjNOI1soWt15q582OlhXBTTKAf/QU7mrSCn5FH0Q4Z7VLIsJwMz0orGB69Qxo/lLF7z+pQEE4PArceoLi7cffQV/+VzUBOACDdfKFiN3LTDuoMm6lvkAOdmzXccmXlEGvNEwLR+8Ac26Ld4fAnEFSLIJpwQHheIQRY19qbN5+cOa+RmuOroxWWA2P/8uSlp4kXVvAmPJOt8PprI3h8iRG5zBv+J8kE8wpI1scJdDr
    OIDC_RP_CLIENT_ID: AgCOGuVP8BVfAT5FRmmJLptdv+8vtppOgpzJ2LXU3vR3sjQE4MLKgWwoAyrnkAa2IMrsmkg5+pyHBDlp1AMba3OTVZmhyEVLrFe/vCiL45hEaW2l6kiwlIW3nZnoJlGG2Ugj4SX8YCQGlyr19vEFcPdieWlKpHfda/EP4xYhXMSzXCxFCtT7uGjgnBlrV0uXeFCezYGzvmA4SbDli7fvGv5H85cwgUlMdSn2ZIP3DAxQ8gP0ETF6KaOK5QVP0e/7kw9SK3oo4XHE2c8AjHLFFnmz/uf07+7LuOunSqunolbVy+Lm2mHHnzx+0PBmMYvl7FHY/TkBZaVjVaZtrELbFYaraop8iE6hFMvOYNa/1BFY1x0aeRfPb0jt5IPnuebllnEh4P7JUQxef4Bqbjp8u7P+uOBWnQbeMEp5F3rWE8qy09NnjsKPz87Jw9pb0aPgXWLKVHjJpArhcb6gTJLESCw9kgT+c0pYI0s3BYmwNkJ+6wxflvTLb5z3YyY5/+8/s3PgDz6Hj4tyA8tBru/KQwnBVMw0GhF5YwlZ4SYHPwVX+ZMj9UQc6swNsrxKLqs5Ci7KjvzEDUJ4/aW+rv8naoCiebIJrbmLB8iSqNGh90s1S9BJsQaWXbKYday3spt0eg+tH/iQgAnUAjd9RK3TxkkmWVjmeUc/rOltsbaIvy6/WdyKnF8/f9B03Pm5eal73yC7reFyGYiXvA==
    OIDC_RP_CLIENT_SECRET: AgA+Q9osGcUgiGsyPfHph3vGiNBjmL7pK3JlaE4PoI+eGsvb+3Ozf9KnfHSMm2R0fq/eukFn6i25MZ/mKYliVSIcjWbnGDFSysiCAwirKTUXoFUo87zmguNUPr8Rr45m1AIaJb31T4MKeFQRHSg715rs/6fKlbejUWUBZuMTN1DXkWr+00atj0JmmZPScSfRmwKNsHnoZCUWFE/DaFChpoCU4fCp5vL9P2LcdzsY84vue8y7Trg0e/LpEi6+DzSoxurE9jwjoUauXmZnOSW3jFgy+u5c9Oa3RC+IB/UUsmHI8eUVOXGdQsSFufrAMd1uyPRa2g+aCX0zX5boZC9dTGqaT+D/6xXnMFsvw5K+K4Y/QZ+j9ZHx0232sPCFVi2HaYHV51c2Xi6tizy+/0J27/4gvaVREXw94pmsaI5rt9sNDHoKw6LwkPO8heqkYzfIWhAg5vKswDn/MWAVTIzIubdTvrDjVWxoJ2FM9sCUsai/X7rj6QUiVTgbWuYYO0hMrT2Q9y05n68hWOmpqmna4/JGIE+N48h0/wAHLsLeV4ZNLJdJhQovOSkYsB5FIYPTuihFASLhE+uf8VBwSfYlwcWORz7dssAYvCJAx3huYZCSHrT4WPtLt4Ok/IuplXvVbZ/d6NISqE/g+BiNmN7r4DZQ/QbN4TD9t6BQESKkTqPHYIiVtZHdalgPFFSS8JP2wv50mSh/imjlX51ruHGQbVbIfZnfJGwLEL0KN/Zn3BMrNtMgCqEs3itnGQQnBchQ
  template:
    metadata:
      creationTimestamp: null
      name: oauth-config
      namespace: linkding
    type: Opaque
--- a/apps/linkding/pvc.yaml
+++ b/apps/linkding/pvc.yaml
@@ -0,0 +1,11 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/apps/linkding/service.yaml
+++ b/apps/linkding/service.yaml
@@ -0,0 +1,13 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: linkding-web
  labels:
    app: linkding
 spec:
  selector:
    app: linkding
  ports:
  - port: 9090
    targetPort: 9090
    name: http
--- a/apps/media/deployment.yaml
+++ b/apps/media/deployment.yaml
@@ -0,0 +1,48 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: jellyfin-server
 spec:
  selector:
    matchLabels:
      app: jellyfin-server
  template:
    metadata:
      labels:
        app: jellyfin-server
    spec:
      containers:
      - name: jellyfin-server
        image: jellyfin/jellyfin
        resources:
          limits:
            memory: "2Gi"
            cpu: "2"
          requests:
            memory: "128Mi"
            cpu: "250m"
        ports:
        - containerPort: 8096
          name: jellyfin
        env:
        - name: TZ
          value: Europe/Berlin
        volumeMounts:
        - name: config
          mountPath: /config
        - name: media
          mountPath: /media
        livenessProbe:
          httpGet:
            path: /health
            port: 8096
          initialDelaySeconds: 100
          periodSeconds: 15
      volumes:
      - name: config
        persistentVolumeClaim:
          claimName: config
      - name: media
        persistentVolumeClaim:
          claimName: media
--- a/apps/media/ingress.yaml
+++ b/apps/media/ingress.yaml
@@ -0,0 +1,44 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: jellyfin-backend-ingress
  namespace: media
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`media.kluster.moll.re`) && !Path(`/metrics`)
      middlewares:
        - name: jellyfin-websocket
        - name: jellyfin-server-headers
      kind: Rule
      services:
        - name: jellyfin-server
          port: 8096
  tls:
    certResolver: default-tls
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: jellyfin-websocket
  namespace: media
 spec:
  headers:
    customRequestHeaders:
      Connection: keep-alive, Upgrade
      Upgrade: WebSocket
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: jellyfin-server-headers
  namespace: media
 spec:
  headers:
    accessControlAllowCredentials: true
    accessControlAllowHeaders: [ "Authorization","Content-Type" ] # "Accept","Origin"
    accessControlAllowMethods: [ "GET","HEAD","OPTIONS" ] # "POST","PUT"
    accessControlAllowOriginList:
      - "*"
    accessControlMaxAge: 100
--- a/apps/media/jellyfin.ingress.yaml
+++ b/apps/media/jellyfin.ingress.yaml
@@ -1,32 +0,0 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
  name: jellyfin-ingress
  namespace: media
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`media.kluster.moll.re`)
      middlewares:
        - name: jellyfin-websocket
      kind: Rule
      services:
        - name: jellyfin
          port: 8096
  tls:
    certResolver: default-tls
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: jellyfin-websocket
  namespace: media
 spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"
      Upgrade: "websocket"
--- a/apps/media/jellyfin.pvc.yaml
+++ b/apps/media/jellyfin.pvc.yaml
@@ -1,62 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  namespace: media
  name: jellyfin-config-nfs
 spec:
  # storageClassName: slow
  capacity:
    storage: "1Gi"
  # volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  nfs:
    path: /export/kluster/jellyfin-config
    server: 192.168.1.157
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  namespace: media
  name: jellyfin-config-nfs
 spec:
  storageClassName: ""
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: "1Gi"
  volumeName: jellyfin-config-nfs
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  namespace: media
  name: jellyfin-data-nfs
 spec:
  # storageClassName: slow
  capacity:
    storage: "1Ti"
  # volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  nfs:
    path: /export/jellyfin-media
    server: 192.168.1.157
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  namespace: media
  name: jellyfin-data-nfs
 spec:
  storageClassName: nfs-client
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: "1Ti"
  volumeName: jellyfin-data-nfs
--- a/apps/media/jellyfin.values.yaml
+++ b/apps/media/jellyfin.values.yaml
@@ -1,108 +0,0 @@
 image:
  # -- image repository
  repository: jellyfin/jellyfin
  # -- image tag
  tag: 10.8.9
  # -- image pull policy
  pullPolicy: IfNotPresent
 # -- environment variables. See [image docs](https://jellyfin.org/docs/general/administration/configuration.html) for more details.
 # @default -- See below
 env:
  # -- Set the container timezone
  TZ: Europe/Berlin
 # -- Configures service settings for the chart.
 # @default -- See values.yaml
 service:
  main:
    ports:
      http:
        port: 8096
 ingress:
  # -- Enable and configure ingress settings for the chart under this key.
  # @default -- See values.yaml
  main:
    enabled: false
 # -- Configure persistence settings for the chart under this key.
 # @default -- See values.yaml
 persistence:
  config:
    enabled: true
    type: pvc
    existingClaim: jellyfin-config-nfs
    accessMode: 
      - ReadWriteOnce
  # Cache does NOT contain temporary transcoding data.
  cache:
    enabled: false
    mountPath: /cache
  media:
    enabled: true
    # use local storage
    type: pvc
    existingClaim: jellyfin-data-nfs
    accessMode: 
      - ReadWriteOnce
    mountPath: /media
  # encoder:
  #   enabled: true
  #   type: hostPath
  #   hostPath: /dev/dri/renderD128
 # # -- Configure the Security Context for the Pod
 # podSecurityContext:
 #   runAsUser: 0 # root user -> access to /dev/video*
 #   runAsUser: 568
 #   runAsGroup: 568
 #   fsGroup: 568
 #   # Hardware acceleration using an Intel iGPU w/ QuickSync
 #   # These IDs below should be matched to your `video` and `render` group on the host
 #   # To obtain those IDs run the following grep statement on the host:
 #   # $ cat /etc/group | grep "video\|render"
 #   # video:x:44:
 #   # render:x:109:
 #   supplementalGroups:
 #   - 44
 #   - 109
 # resources:
 #   requests:
 #     # Hardware acceleration using an Intel iGPU w/ QuickSync and
 #     # using intel-gpu-plugin (https://github.com/intel/intel-device-plugins-for-kubernetes)
 #     gpu.intel.com/i915: 1
 #     cpu: 200m
 #     memory: 256Mi
 #   limits:
 #     # Hardware acceleration using an Intel iGPU w/ QuickSync and
 #     # using intel-gpu-plugin (https://github.com/intel/intel-device-plugins-for-kubernetes)
 #     gpu.intel.com/i915: 1
 #     memory: 4096Mi
 probes:
  # -- Liveness probe configuration
  # @default -- See below
  liveness:
    # -- Enable the liveness probe
    enabled: true
    # -- Set this to `true` if you wish to specify your own livenessProbe
    custom: true
    # -- The spec field contains the values for the default livenessProbe.
    # If you selected `custom: true`, this field holds the definition of the livenessProbe.
    # @default -- See below
    spec:
      initialDelaySeconds: 100
      periodSeconds: 100
      timeoutSeconds: 5
      failureThreshold: 3
      httpGet:
        path: /health
        port: 8096
--- a/apps/media/kustomization.yaml
+++ b/apps/media/kustomization.yaml
@@ -0,0 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: media
 resources: 
  - namespace.yaml
  - pvc.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 images:
  - name: jellyfin/jellyfin
    newName: jellyfin/jellyfin
    newTag: 10.10.7
--- a/apps/media/namespace.yaml
+++ b/apps/media/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/media/pvc.yaml
+++ b/apps/media/pvc.yaml
@@ -0,0 +1,39 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: config
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: "1Gi"
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: media
 spec:
  capacity:
    storage: "1Ti"
  accessModes:
    - ReadWriteOnce
  nfs:
    path: /export/jellyfin-media
    server: 192.168.1.157
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: media
 spec:
  storageClassName: ""
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: "1Ti"
  volumeName: media
--- a/apps/media/service.yaml
+++ b/apps/media/service.yaml
@@ -0,0 +1,14 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: jellyfin-server
  labels:
    app: jellyfin-server-service
 spec:
  selector:
    app: jellyfin-server
  ports:
    - protocol: TCP
      port: 8096
      targetPort: 8096
--- a/apps/minecraft/README.md
+++ b/apps/minecraft/README.md
@@ -0,0 +1,15 @@
 ## Setup
 Because minecraft is quite sensitive to io performance, we want the data to be stored on a local disk. But hostpath is not well supported in talos (and is not persistent), so we use an ephemeral volume instead. In order to do this, we create an emptyDir volume and mount it to the pod.
 We use an initContaier that copies the data to the local storage. Afterwards, copying from the local storage back to the persistent storage is handled by a preStop lifecycle event.
 This way, we can have the best of both worlds: fast local storage and persistent storage.
 ## Sending a command
 ```
 kubectl exec -it -n minecraft deploy/minecraft-server -- /bin/bash
 mc-send-to-console /help
 # or directly
 kubectl exec -it -n minecraft deploy/minecraft-server -- mc-send-to-console /help
 ```
--- a/apps/minecraft/curseforge.sealedsecret.yaml
+++ b/apps/minecraft/curseforge.sealedsecret.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: curseforge-api
  namespace: minecraft
 spec:
  encryptedData:
    key: AgDG6apUvB38rB9tH+/ya5Af/32IUJjHiEGZFdYYqesuqyPB/qf99EtC/7CwqD6bDQQPVycJVcxwZuF8QtYfPXzv//yMkqEUJ2G1/Q5J8I6bjNGLR636UhliUpCkH1QDOspWJUjwKDVxlFN9l0g9UajvxnqLyGzbWPeay0sJEBvAY8ltEZpLP21V+GD+HgPk3HIfSFFBMsULS6GPCjMaFxkxQb6cG3K4Ej4NHCHRGOmax+4Rk7lwMyAHlXLlrwj/ytxrnHDWrugLIJE9KKmJn6UVNTuk6olgkhleg2PixV7oOiDVyu9ZQP8wbdppzRix6dnIcFEYJ1ZDK1rNF5QErYO0gBytiJnSsdFO0jUMsdBrho2FgUc5GgIdmgXWJJz3lrGFqXaRVvbPsBZTUAsQRh2+4IfqfWmAkEjBcjs1K8WWJfS+rO9e02KoHBT4decdsd8Qfr5EFdPIzMrkUoRMI9CJnIa5u2nR08Hhd9iojbL64FZ26kXMODtEdKmlo+HwjufLX5rYJVSfOyZYzivd/kgKA87YTFaMLKej07w3ofGrPYSoCnmLfJyoQdNyJhdonBDsgM1GgRWQZDpgJ1df0SB02A5lZ4V7lHWr8KlANv9YLuMoZnVehsH1NZjNQHDInIRiTLahEBbjcJzQz4vU1UWG100ATszEYKOUVkzPnTgkqKYU99ZQ23bHP8z7iAWQeumb6V84NTi6jNITBvU4yTFLuAiI3nW34Vb1mFVLwfWqMjEYX8gBB4yMSaVshB/japfkyXU0pYg4mK9gsB4=
  template:
    metadata:
      creationTimestamp: null
      name: curseforge-api
      namespace: minecraft
    type: Opaque
--- a/apps/minecraft/job.yaml
+++ b/apps/minecraft/job.yaml
@@ -0,0 +1,92 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: start-server
 spec:
  template:
    metadata:
      labels:
        app: minecraft-server
    spec:
      restartPolicy: OnFailure
      initContainers:
      - name: copy-data-to-local
        image: alpine
        command: ["/bin/sh"]
        args: ["-c", "cp -r /data/* /local-data/"]
        volumeMounts:
        - name: local-data
          mountPath: /local-data
        - name: minecraft-data
          mountPath: /data
      containers:
      - name: minecraft-server
        image: minecraft
        resources:
          limits:
            memory: "11000Mi"
            cpu: "5"
          requests:
            memory: "1500Mi"
            cpu: "500m"
        ports:
        - containerPort: 25565
        env:
        - name: EULA
          value: "TRUE"
        - name: TYPE
          value: "AUTO_CURSEFORGE"
        - name: CF_API_KEY
          valueFrom:
            secretKeyRef:
              name: curseforge-api
              key: key
        - name: CF_PAGE_URL
          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/6807187"
        - name: VERSION
          value: "1.18.2"
        - name: INIT_MEMORY
          value: "1G"
        - name: MAX_MEMORY
          value: "10G"
        - name: MOTD
          value: "VaultHunters baby!"
        - name: ENABLE_RCON
          value: "false"
        - name: CREATE_CONSOLE_IN_PIPE
          value: "true"
        - name: ONLINE_MODE
          value: "false"
        - name: ENABLE_AUTOSTOP
          value: "true"
        - name: AUTOSTOP_TIMEOUT_EST
          value: "1800" # stop 30 min after last disconnect
        volumeMounts:
        - name: local-data
          mountPath: /data
      - name: copy-data-to-persistent
        image: rsync
        command: ["/bin/sh"]
        # args: ["-c", "sleep infinity"]
        args: ["/run-rsync.sh"]
        volumeMounts:
        - name: local-data
          mountPath: /local-data
        - name: minecraft-data
          mountPath: /persistent-data
        - name: rsync-config
          mountPath: /run-rsync.sh
          subPath: run-rsync.sh
      volumes:
      - name: minecraft-data
        persistentVolumeClaim:
          claimName: minecraft-data
      - name: local-data
        emptyDir: {}
      - name: rsync-config
        configMap:
          name: rsync-config
          defaultMode: 0777
--- a/apps/minecraft/kustomization.yaml
+++ b/apps/minecraft/kustomization.yaml
@@ -0,0 +1,24 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: minecraft
 resources:
  - namespace.yaml
  - pvc.yaml
  - job.yaml
  - service.yaml
  - rsync.configmap.yaml
  - curseforge.sealedsecret.yaml
 images:
  - name: minecraft
    newName: itzg/minecraft-server
    newTag: java21
  - name: alpine
    newName: alpine
    newTag: "3.22"
  - name: rsync
    newName: eeacms/rsync
    newTag: "2.7"
--- a/apps/minecraft/namespace.yaml
+++ b/apps/minecraft/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/minecraft/pvc.yaml
+++ b/apps/minecraft/pvc.yaml
@@ -0,0 +1,11 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: minecraft-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/apps/minecraft/rsync.configmap.yaml
+++ b/apps/minecraft/rsync.configmap.yaml
@@ -0,0 +1,42 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: rsync-config
 data:
  run-rsync.sh: |-
    #!/bin/sh
    set -eu
    echo "Starting rsync..."
    no_change_count=0
    while [ "$no_change_count" -lt 3 ]; do
      # use the i flag to get per line output of each change
      rsync_output=$(rsync -avzi --delete /local-data/ /persistent-data/)
      # echo "$rsync_output"
      # in this format rsync outputs at least 4 lines:
      # ---
      # sending incremental file list
      #
      # sent 145,483 bytes  received 717 bytes  26,581.82 bytes/sec
      # total size is 708,682,765  speedup is 4,847.35
      # ---
      # even though a non-zero number of bytes is sent, no changes were made
      line_count=$(echo "$rsync_output" | wc -l)
      if [ "$line_count" -eq 4 ]; then
        echo "Rsync output was: $rsync_output"
        no_change_count=$((no_change_count + 1))
        echo "No changes detected. Incrementing no_change_count to $no_change_count."
      else
        no_change_count=0
        echo "Changes detected. Resetting no_change_count to 0."
      fi
      echo "Rsync completed. Sleeping for 10 minutes..."
      sleep 600
    done
    echo "No changes detected for 3 consecutive runs. Exiting."
--- a/apps/minecraft/service.yaml
+++ b/apps/minecraft/service.yaml
@@ -0,0 +1,12 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: minecraft-server
 spec:
  selector:
    app: minecraft-server
  ports:
  - port: 25565
    targetPort: 25565
  type: LoadBalancer
  loadBalancerIP: 192.168.3.4
--- a/apps/monitoring/grafana.pvc.yaml
+++ b/apps/monitoring/grafana.pvc.yaml
@@ -1,35 +0,0 @@
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: grafana-nfs
  labels:
    directory: grafana
 spec:
  # storageClassName: slow
  capacity:
    storage: "1Gi"
  # volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  nfs:
    path: /export/kluster/grafana
    server: 192.168.1.157
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: grafana-nfs
 spec:
  # storageClassName: slow
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: "1Gi"
  selector:
    matchLabels:
      directory: grafana
--- a/apps/monitoring/grafana.values.yaml
+++ b/apps/monitoring/grafana.values.yaml
@@ -1,873 +0,0 @@
 rbac:
  create: true
  ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true)
  # useExistingRole: name-of-some-(cluster)role
  pspEnabled: true
  pspUseAppArmor: true
  namespaced: false
  extraRoleRules: []
  # - apiGroups: []
  #   resources: []
  #   verbs: []
  extraClusterRoleRules: []
  # - apiGroups: []
  #   resources: []
  #   verbs: []
 serviceAccount:
  create: true
  name:
  nameTest:
 ## Service account annotations. Can be templated.
 #  annotations:
 #    eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here
  autoMount: true
 replicas: 1
 ## Create a headless service for the deployment
 headlessService: false
 ## Create HorizontalPodAutoscaler object for deployment type
 #
 autoscaling:
  enabled: false
 #   minReplicas: 1
 #   maxReplicas: 10
 #   metrics:
 #   - type: Resource
 #     resource:
 #       name: cpu
 #       targetAverageUtilization: 60
 #   - type: Resource
 #     resource:
 #       name: memory
 #       targetAverageUtilization: 60
 ## See `kubectl explain poddisruptionbudget.spec` for more
 ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 podDisruptionBudget: {}
 #  minAvailable: 1
 #  maxUnavailable: 1
 ## See `kubectl explain deployment.spec.strategy` for more
 ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
 deploymentStrategy:
  type: RollingUpdate
 readinessProbe:
  httpGet:
    path: /api/health
    port: 3000
 livenessProbe:
  httpGet:
    path: /api/health
    port: 3000
  initialDelaySeconds: 60
  timeoutSeconds: 30
  failureThreshold: 10
 ## Use an alternate scheduler, e.g. "stork".
 ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
 ##
 # schedulerName: "default-scheduler"
 image:
  repository: grafana/grafana
  tag: 9.0.2
  sha: ""
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Can be templated.
  ##
  # pullSecrets:
  #   - myRegistrKeySecretName
 testFramework:
  enabled: true
  image: "bats/bats"
  tag: "v1.4.1"
  imagePullPolicy: IfNotPresent
  securityContext: {}
 securityContext:
  runAsUser: 472
  runAsGroup: 472
  fsGroup: 472
 containerSecurityContext:
  {}
 # Extra configmaps to mount in grafana pods
 # Values are templated.
 extraConfigmapMounts: []
  # - name: certs-configmap
  #   mountPath: /etc/grafana/ssl/
  #   subPath: certificates.crt # (optional)
  #   configMap: certs-configmap
  #   readOnly: true
 extraEmptyDirMounts: []
  # - name: provisioning-notifiers
  #   mountPath: /etc/grafana/provisioning/notifiers
 # Apply extra labels to common labels.
 extraLabels: {}
 ## Assign a PriorityClassName to pods if set
 # priorityClassName:
 downloadDashboardsImage:
  repository: curlimages/curl
  tag: 7.73.0
  sha: ""
  pullPolicy: IfNotPresent
 downloadDashboards:
  env: {}
  envFromSecret: ""
  resources: {}
 ## Pod Annotations
 # podAnnotations: {}
 ## Pod Labels
 # podLabels: {}
 podPortName: grafana
 ## Deployment annotations
 # annotations: {}
 ## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service).
 ## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
 ## ref: http://kubernetes.io/docs/user-guide/services/
 ##
 service:
  enabled: true
  type: ClusterIP
  port: 80
  targetPort: 3000
    # targetPort: 4181 To be used with a proxy extraContainer
  annotations: {}
  labels: {}
  portName: service
 serviceMonitor:
  ## If true, a ServiceMonitor CRD is created for a prometheus operator
  ## https://github.com/coreos/prometheus-operator
  ##
  enabled: false
  path: /metrics
  #  namespace: monitoring  (defaults to use the namespace this chart is deployed to)
  labels: {}
  interval: 1m
  scheme: http
  tlsConfig: {}
  scrapeTimeout: 30s
  relabelings: []
 extraExposePorts: []
 # - name: keycloak
 #   port: 8080
 #   targetPort: 8080
 #   type: ClusterIP
 # overrides pod.spec.hostAliases in the grafana deployment's pods
 hostAliases: []
  # - ip: "1.2.3.4"
  #   hostnames:
  #     - "my.host.com"
 ingress:
  enabled: true
  # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
  # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
  # ingressClassName: nginx
  # Values can be templated
  annotations: {
    kubernetes.io/ingress.class: nginx,
    cert-manager.io/cluster-issuer: cloudflare-letsencrypt-prod
  }
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  labels: {}
  path: /
  # pathType is only for k8s >= 1.1=
  pathType: Prefix
  hosts:
    - grafana.kluster.moll.re
  ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
  extraPaths: []
  # - path: /*
  #   backend:
  #     serviceName: ssl-redirect
  #     servicePort: use-annotation
  ## Or for k8s > 1.19
  # - path: /*
  #   pathType: Prefix
  #   backend:
  #     service:
  #       name: ssl-redirect
  #       port:
  #         name: use-annotation
  tls: 
    - hosts:
      - grafana.kluster.moll.re
      secretName: cloudflare-letsencrypt-issuer-account-key
    #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local
 resources: {}
 #  limits:
 #    cpu: 100m
 #    memory: 128Mi
 #  requests:
 #    cpu: 100m
 #    memory: 128Mi
 ## Node labels for pod assignment
 ## ref: https://kubernetes.io/docs/user-guide/node-selection/
 #
 nodeSelector: {}
 ## Tolerations for pod assignment
 ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 ##
 tolerations: []
 ## Affinity for pod assignment (evaluated as template)
 ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 ##
 affinity: {}
 ## Additional init containers (evaluated as template)
 ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
 ##
 extraInitContainers: []
 ## Enable an Specify container in extraContainers. This is meant to allow adding an authentication proxy to a grafana pod
 extraContainers: ""
 # extraContainers: |
 # - name: proxy
 #   image: quay.io/gambol99/keycloak-proxy:latest
 #   args:
 #   - -provider=github
 #   - -client-id=
 #   - -client-secret=
 #   - -github-org=<ORG_NAME>
 #   - -email-domain=*
 #   - -cookie-secret=
 #   - -http-address=http://0.0.0.0:4181
 #   - -upstream-url=http://127.0.0.1:3000
 #   ports:
 #     - name: proxy-web
 #       containerPort: 4181
 ## Volumes that can be used in init containers that will not be mounted to deployment pods
 extraContainerVolumes: []
 #  - name: volume-from-secret
 #    secret:
 #      secretName: secret-to-mount
 #  - name: empty-dir-volume
 #    emptyDir: {}
 ## Enable persistence using Persistent Volume Claims
 ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
 ##
 persistence:
  type: pvc
  enabled: true
  # storageClassName: default
  accessModes:
    - ReadWriteOnce
  size: 10Gi
  # annotations: {}
  finalizers:
    - kubernetes.io/pvc-protection
  # selectorLabels: {}
  ## Sub-directory of the PV to mount. Can be templated.
  # subPath: ""
  ## Name of an existing PVC. Can be templated.
  existingClaim: grafana-nfs
  ## If persistence is not enabled, this allows to mount the
  ## local storage in-memory to improve performance
  ##
  inMemory:
    enabled: false
    ## The maximum usage on memory medium EmptyDir would be
    ## the minimum value between the SizeLimit specified
    ## here and the sum of memory limits of all containers in a pod
    ##
    # sizeLimit: 300Mi
 initChownData:
  ## If false, data ownership will not be reset at startup
  ## This allows the prometheus-server to be run with an arbitrary user
  ##
  enabled: true
  ## initChownData container image
  ##
  image:
    repository: busybox
    tag: "1.31.1"
    sha: ""
    pullPolicy: IfNotPresent
  ## initChownData resource requests and limits
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}
  #  limits:
  #    cpu: 100m
  #    memory: 128Mi
  #  requests:
  #    cpu: 100m
  #    memory: 128Mi
 # Administrator credentials when not using an existing secret (see below)
 adminUser: admin
 # adminPassword: strongpassword
 # Use an existing secret for the admin user.
 admin:
  ## Name of the secret. Can be templated.
  existingSecret: ""
  userKey: admin-user
  passwordKey: admin-password
 ## Define command to be executed at startup by grafana container
 ## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/)
 ## Default is "run.sh" as defined in grafana's Dockerfile
 # command:
 # - "sh"
 # - "/run.sh"
 ## Use an alternate scheduler, e.g. "stork".
 ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
 ##
 # schedulerName:
 ## Extra environment variables that will be pass onto deployment pods
 ##
 ## to provide grafana with access to CloudWatch on AWS EKS:
 ## 1. create an iam role of type "Web identity" with provider oidc.eks.* (note the provider for later)
 ## 2. edit the "Trust relationships" of the role, add a line inside the StringEquals clause using the
 ## same oidc eks provider as noted before (same as the existing line)
 ## also, replace NAMESPACE and prometheus-operator-grafana with the service account namespace and name
 ##
 ##  "oidc.eks.us-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:NAMESPACE:prometheus-operator-grafana",
 ##
 ## 3. attach a policy to the role, you can use a built in policy called CloudWatchReadOnlyAccess
 ## 4. use the following env: (replace 123456789000 and iam-role-name-here with your aws account number and role name)
 ##
 ## env:
 ##   AWS_ROLE_ARN: arn:aws:iam::123456789000:role/iam-role-name-here
 ##   AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
 ##   AWS_REGION: us-east-1
 ##
 ## 5. uncomment the EKS section in extraSecretMounts: below
 ## 6. uncomment the annotation section in the serviceAccount: above
 ## make sure to replace arn:aws:iam::123456789000:role/iam-role-name-here with your role arn
 env: {}
 ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
 ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
 ## Renders in container spec as:
 ##   env:
 ##     ...
 ##     - name: <key>
 ##       valueFrom:
 ##         <value rendered as YAML>
 envValueFrom: {}
  #  ENV_NAME:
  #    configMapKeyRef:
  #      name: configmap-name
  #      key: value_key
 ## The name of a secret in the same kubernetes namespace which contain values to be added to the environment
 ## This can be useful for auth tokens, etc. Value is templated.
 envFromSecret: ""
 ## Sensible environment variables that will be rendered as new secret object
 ## This can be useful for auth tokens, etc
 envRenderSecret: {}
 ## The names of secrets in the same kubernetes namespace which contain values to be added to the environment
 ## Each entry should contain a name key, and can optionally specify whether the secret must be defined with an optional key.
 ## Name is templated.
 envFromSecrets: []
 ## - name: secret-name
 ##   optional: true
 ## The names of conifgmaps in the same kubernetes namespace which contain values to be added to the environment
 ## Each entry should contain a name key, and can optionally specify whether the configmap must be defined with an optional key.
 ## Name is templated.
 ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#configmapenvsource-v1-core
 envFromConfigMaps: []
 ## - name: configmap-name
 ##   optional: true
 # Inject Kubernetes services as environment variables.
 # See https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#environment-variables
 enableServiceLinks: true
 ## Additional grafana server secret mounts
 # Defines additional mounts with secrets. Secrets must be manually created in the namespace.
 extraSecretMounts: []
  # - name: secret-files
  #   mountPath: /etc/secrets
  #   secretName: grafana-secret-files
  #   readOnly: true
  #   subPath: ""
  #
  # for AWS EKS (cloudwatch) use the following (see also instruction in env: above)
  # - name: aws-iam-token
  #   mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
  #   readOnly: true
  #   projected:
  #     defaultMode: 420
  #     sources:
  #       - serviceAccountToken:
  #           audience: sts.amazonaws.com
  #           expirationSeconds: 86400
  #           path: token
  #
  # for CSI e.g. Azure Key Vault use the following
  # - name: secrets-store-inline
  #  mountPath: /run/secrets
  #  readOnly: true
  #  csi:
  #    driver: secrets-store.csi.k8s.io
  #    readOnly: true
  #    volumeAttributes:
  #      secretProviderClass: "akv-grafana-spc"
  #    nodePublishSecretRef:                       # Only required when using service principal mode
  #       name: grafana-akv-creds                  # Only required when using service principal mode
 ## Additional grafana server volume mounts
 # Defines additional volume mounts.
 extraVolumeMounts: []
  # - name: extra-volume-0
  #   mountPath: /mnt/volume0
  #   readOnly: true
  #   existingClaim: volume-claim
  # - name: extra-volume-1
  #   mountPath: /mnt/volume1
  #   readOnly: true
  #   hostPath: /usr/shared/
 ## Container Lifecycle Hooks. Execute a specific bash command or make an HTTP request
 lifecycleHooks: {}
  # postStart:
  #   exec:
  #     command: []
 ## Pass the plugins you want installed as a list.
 ##
 plugins: []
  # - digrich-bubblechart-panel
  # - grafana-clock-panel
 ## Configure grafana datasources
 ## ref: http://docs.grafana.org/administration/provisioning/#datasources
 ##
 datasources: {}
 #  datasources.yaml:
 #    apiVersion: 1
 #    datasources:
 #    - name: Prometheus
 #      type: prometheus
 #      url: http://prometheus-prometheus-server
 #      access: proxy
 #      isDefault: true
 #    - name: CloudWatch
 #      type: cloudwatch
 #      access: proxy
 #      uid: cloudwatch
 #      editable: false
 #      jsonData:
 #        authType: default
 #        defaultRegion: us-east-1
 ## Configure notifiers
 ## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels
 ##
 notifiers: {}
 #  notifiers.yaml:
 #    notifiers:
 #    - name: email-notifier
 #      type: email
 #      uid: email1
 #      # either:
 #      org_id: 1
 #      # or
 #      org_name: Main Org.
 #      is_default: true
 #      settings:
 #        addresses: an_email_address@example.com
 #    delete_notifiers:
 ## Configure grafana dashboard providers
 ## ref: http://docs.grafana.org/administration/provisioning/#dashboards
 ##
 ## `path` must be /var/lib/grafana/dashboards/<provider_name>
 ##
 dashboardProviders: {}
 #  dashboardproviders.yaml:
 #    apiVersion: 1
 #    providers:
 #    - name: 'default'
 #      orgId: 1
 #      folder: ''
 #      type: file
 #      disableDeletion: false
 #      editable: true
 #      options:
 #        path: /var/lib/grafana/dashboards/default
 ## Configure grafana dashboard to import
 ## NOTE: To use dashboards you must also enable/configure dashboardProviders
 ## ref: https://grafana.com/dashboards
 ##
 ## dashboards per provider, use provider name as key.
 ##
 dashboards: {}
  # default:
  #   some-dashboard:
  #     json: |
  #       $RAW_JSON
  #   custom-dashboard:
  #     file: dashboards/custom-dashboard.json
  #   prometheus-stats:
  #     gnetId: 2
  #     revision: 2
  #     datasource: Prometheus
  #   local-dashboard:
  #     url: https://example.com/repository/test.json
  #     token: ''
  #   local-dashboard-base64:
  #     url: https://example.com/repository/test-b64.json
  #     token: ''
  #     b64content: true
 ## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value.
 ## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
 ## ConfigMap data example:
 ##
 ## data:
 ##   example-dashboard.json: |
 ##     RAW_JSON
 ##
 dashboardsConfigMaps: {}
 #  default: ""
 ## Grafana's primary configuration
 ## NOTE: values in map will be converted to ini format
 ## ref: http://docs.grafana.org/installation/configuration/
 ##
 grafana.ini:
  paths:
    data: /var/lib/grafana/
    logs: /var/log/grafana
    plugins: /var/lib/grafana/plugins
    provisioning: /etc/grafana/provisioning
  analytics:
    check_for_updates: true
  log:
    mode: console
  grafana_net:
    url: https://grafana.net
 ## grafana Authentication can be enabled with the following values on grafana.ini
 # server:
      # The full public facing url you use in browser, used for redirects and emails
 #    root_url:
 # https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana
 # auth.github:
 #    enabled: false
 #    allow_sign_up: false
 #    scopes: user:email,read:org
 #    auth_url: https://github.com/login/oauth/authorize
 #    token_url: https://github.com/login/oauth/access_token
 #    api_url: https://api.github.com/user
 #    team_ids:
 #    allowed_organizations:
 #    client_id:
 #    client_secret:
 ## LDAP Authentication can be enabled with the following values on grafana.ini
 ## NOTE: Grafana will fail to start if the value for ldap.toml is invalid
  # auth.ldap:
  #   enabled: true
  #   allow_sign_up: true
  #   config_file: /etc/grafana/ldap.toml
 ## Grafana's LDAP configuration
 ## Templated by the template in _helpers.tpl
 ## NOTE: To enable the grafana.ini must be configured with auth.ldap.enabled
 ## ref: http://docs.grafana.org/installation/configuration/#auth-ldap
 ## ref: http://docs.grafana.org/installation/ldap/#configuration
 ldap:
  enabled: false
  # `existingSecret` is a reference to an existing secret containing the ldap configuration
  # for Grafana in a key `ldap-toml`.
  existingSecret: ""
  # `config` is the content of `ldap.toml` that will be stored in the created secret
  config: ""
  # config: |-
  #   verbose_logging = true
  #   [[servers]]
  #   host = "my-ldap-server"
  #   port = 636
  #   use_ssl = true
  #   start_tls = false
  #   ssl_skip_verify = false
  #   bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"
 ## Grafana's SMTP configuration
 ## NOTE: To enable, grafana.ini must be configured with smtp.enabled
 ## ref: http://docs.grafana.org/installation/configuration/#smtp
 smtp:
  # `existingSecret` is a reference to an existing secret containing the smtp configuration
  # for Grafana.
  existingSecret: ""
  userKey: "user"
  passwordKey: "password"
 ## Sidecars that collect the configmaps with specified label and stores the included files them into the respective folders
 ## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards
 sidecar:
  image:
    repository: quay.io/kiwigrid/k8s-sidecar
    tag: 1.15.6
    sha: ""
  imagePullPolicy: IfNotPresent
  resources: {}
 #   limits:
 #     cpu: 100m
 #     memory: 100Mi
 #   requests:
 #     cpu: 50m
 #     memory: 50Mi
  securityContext: {}
  # skipTlsVerify Set to true to skip tls verification for kube api calls
  # skipTlsVerify: true
  enableUniqueFilenames: false
  readinessProbe: {}
  livenessProbe: {}
  dashboards:
    enabled: false
    SCProvider: true
    # label that the configmaps with dashboards are marked with
    label: grafana_dashboard
    # value of label that the configmaps with dashboards are set to
    labelValue: null
    # folder in the pod that should hold the collected dashboards (unless `defaultFolderName` is set)
    folder: /tmp/dashboards
    # The default folder name, it will create a subfolder under the `folder` and put dashboards in there instead
    defaultFolderName: null
    # Namespaces list. If specified, the sidecar will search for config-maps/secrets inside these namespaces.
    # Otherwise the namespace in which the sidecar is running will be used.
    # It's also possible to specify ALL to search in all namespaces.
    searchNamespace: null
    # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
    watchMethod: WATCH
    # search in configmap, secret or both
    resource: both
    # If specified, the sidecar will look for annotation with this name to create folder and put graph here.
    # You can use this parameter together with `provider.foldersFromFilesStructure`to annotate configmaps and create folder structure.
    folderAnnotation: null
    # Absolute path to shell script to execute after a configmap got reloaded
    script: null
    # watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
    # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
    # watchServerTimeout: 3600
    #
    # watchClientTimeout: is a client-side timeout, configuring your local socket.
    # If you have a network outage dropping all packets with no RST/FIN,
    # this is how long your client waits before realizing & dropping the connection.
    # defaults to 66sec (sic!)
    # watchClientTimeout: 60
    #
    # provider configuration that lets grafana manage the dashboards
    provider:
      # name of the provider, should be unique
      name: sidecarProvider
      # orgid as configured in grafana
      orgid: 1
      # folder in which the dashboards should be imported in grafana
      folder: ''
      # type of the provider
      type: file
      # disableDelete to activate a import-only behaviour
      disableDelete: false
      # allow updating provisioned dashboards from the UI
      allowUiUpdates: false
      # allow Grafana to replicate dashboard structure from filesystem
      foldersFromFilesStructure: false
    # Additional dashboard sidecar volume mounts
    extraMounts: []
    # Sets the size limit of the dashboard sidecar emptyDir volume
    sizeLimit: {}
  datasources:
    enabled: false
    # label that the configmaps with datasources are marked with
    label: grafana_datasource
    # value of label that the configmaps with datasources are set to
    labelValue: null
    # If specified, the sidecar will search for datasource config-maps inside this namespace.
    # Otherwise the namespace in which the sidecar is running will be used.
    # It's also possible to specify ALL to search in all namespaces
    searchNamespace: null
    # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
    watchMethod: WATCH
    # search in configmap, secret or both
    resource: both
    # Endpoint to send request to reload datasources
    reloadURL: "http://localhost:3000/api/admin/provisioning/datasources/reload"
    skipReload: false
    # Deploy the datasource sidecar as an initContainer in addition to a container.
    # This is needed if skipReload is true, to load any datasources defined at startup time.
    initDatasources: false
    # Sets the size limit of the datasource sidecar emptyDir volume
    sizeLimit: {}
  plugins:
    enabled: false
    # label that the configmaps with plugins are marked with
    label: grafana_plugin
    # value of label that the configmaps with plugins are set to
    labelValue: null
    # If specified, the sidecar will search for plugin config-maps inside this namespace.
    # Otherwise the namespace in which the sidecar is running will be used.
    # It's also possible to specify ALL to search in all namespaces
    searchNamespace: null
    # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
    watchMethod: WATCH
    # search in configmap, secret or both
    resource: both
    # Endpoint to send request to reload plugins
    reloadURL: "http://localhost:3000/api/admin/provisioning/plugins/reload"
    skipReload: false
    # Deploy the datasource sidecar as an initContainer in addition to a container.
    # This is needed if skipReload is true, to load any plugins defined at startup time.
    initPlugins: false
    # Sets the size limit of the plugin sidecar emptyDir volume
    sizeLimit: {}
  notifiers:
    enabled: false
    # label that the configmaps with notifiers are marked with
    label: grafana_notifier
    # If specified, the sidecar will search for notifier config-maps inside this namespace.
    # Otherwise the namespace in which the sidecar is running will be used.
    # It's also possible to specify ALL to search in all namespaces
    searchNamespace: null
    # search in configmap, secret or both
    resource: both
    # Sets the size limit of the notifier sidecar emptyDir volume
    sizeLimit: {}
 ## Override the deployment namespace
 ##
 namespaceOverride: ""
 ## Number of old ReplicaSets to retain
 ##
 revisionHistoryLimit: 10
 ## Add a seperate remote image renderer deployment/service
 imageRenderer:
  # Enable the image-renderer deployment & service
  enabled: false
  replicas: 1
  image:
    # image-renderer Image repository
    repository: grafana/grafana-image-renderer
    # image-renderer Image tag
    tag: latest
    # image-renderer Image sha (optional)
    sha: ""
    # image-renderer ImagePullPolicy
    pullPolicy: Always
  # extra environment variables
  env:
    HTTP_HOST: "0.0.0.0"
    # RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758
    # RENDERING_MODE: clustered
    # IGNORE_HTTPS_ERRORS: true
  # image-renderer deployment serviceAccount
  serviceAccountName: ""
  # image-renderer deployment securityContext
  securityContext: {}
  # image-renderer deployment Host Aliases
  hostAliases: []
  # image-renderer deployment priority class
  priorityClassName: ''
  service:
    # Enable the image-renderer service
    enabled: true
    # image-renderer service port name
    portName: 'http'
    # image-renderer service port used by both service and deployment
    port: 8081
    targetPort: 8081
  # If https is enabled in Grafana, this needs to be set as 'https' to correctly configure the callback used in Grafana
  grafanaProtocol: http
  # In case a sub_path is used this needs to be added to the image renderer callback
  grafanaSubPath: ""
  # name of the image-renderer port on the pod
  podPortName: http
  # number of image-renderer replica sets to keep
  revisionHistoryLimit: 10
  networkPolicy:
    # Enable a NetworkPolicy to limit inbound traffic to only the created grafana pods
    limitIngress: true
    # Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods
    limitEgress: false
  resources: {}
 #   limits:
 #     cpu: 100m
 #     memory: 100Mi
 #   requests:
 #     cpu: 50m
 #     memory: 50Mi
  ## Node labels for pod assignment
  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
  #
  nodeSelector: {}
  ## Tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## Affinity for pod assignment (evaluated as template)
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ##
  affinity: {}
 # Create a dynamic manifests via values:
 extraObjects: []
  # - apiVersion: "kubernetes-client.io/v1"
  #   kind: ExternalSecret
  #   metadata:
  #     name: grafana-secrets
  #   spec:
  #     backendType: gcpSecretsManager
  #     data:
  #       - key: grafana-admin-password
  #         name: adminPassword
--- a/apps/monitoring/influxdb-telegraf.values.yaml
+++ b/apps/monitoring/influxdb-telegraf.values.yaml
@@ -1,157 +0,0 @@
 ## Default values.yaml for Telegraf
 ## This is a YAML-formatted file.
 ## ref: https://hub.docker.com/r/library/telegraf/tags/
 image:
  repo: "telegraf"
  tag: "1.22"
  pullPolicy: IfNotPresent
 ## Configure resource requests and limits
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
 resources:
  requests:
    memory: 256Mi
    cpu: 0.1
  limits:
    memory: 1Gi
    cpu: 1
 ## Pod annotations
 podAnnotations: {}
 ## Pod labels
 podLabels: {}
 ## Configure args passed to Telegraf containers
 args: []
 ## The name of a secret in the same kubernetes namespace which contains values to
 ## be added to the environment (must be manually created)
 ## This can be useful for auth tokens, etc.
 # envFromSecret: "telegraf-tokens"
 ## Environment
 env:
  # This pulls HOSTNAME from the node, not the pod.
  - name: HOSTNAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
  # In test clusters where hostnames are resolved in /etc/hosts on each node,
  # the HOSTNAME is not resolvable from inside containers
  # So inject the host IP as well
  - name: HOSTIP
    valueFrom:
      fieldRef:
        fieldPath: status.hostIP
  # Mount the host filesystem and set the appropriate env variables.
  # ref: https://github.com/influxdata/telegraf/blob/master/docs/FAQ.md
  # HOST_PROC is required by the cpu, disk, diskio, kernel and processes input plugins
  - name: "HOST_PROC"
    value: "/hostfs/proc"
  # HOST_SYS is required by the diskio plugin
  - name: "HOST_SYS"
    value: "/hostfs/sys"
  - name: "HOST_MOUNT_PREFIX"
    value: "/hostfs"
 ## Add custom volumes and mounts
 # volumes:
 # - name: telegraf-output-influxdb2
 #   configMap:
 #     name: "telegraf-output-influxdb2"
 # mountPoints:
 # - name: telegraf-output-influxdb2
 #   mountPath: /etc/telegraf/conf.d
 #   subPath: influxdb2.conf
 ## Tolerations for pod assignment
 ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 ##
 tolerations: []
 ## If the DaemonSet should run on the host's network namespace
 ## hostNetwork: true
 ## If using hostNetwork=true, set dnsPolicy to ClusterFirstWithHostNet
 ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#
 ## dnsPolicy: ClusterFirstWithHostNet
 ## If using dnsPolicy=None, set dnsConfig
 ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
 ## dnsConfig:
 ##   nameservers:
 ##     - 1.2.3.4
 ##   searches:
 ##     - ns1.svc.cluster-domain.example
 ##     - my.dns.search.suffix
 ##   options:
 ##     - name: ndots
 ##       value: "2"
 ##     - name: edns0
 rbac:
  # Specifies whether RBAC resources should be created
  create: true
 serviceAccount:
  # Specifies whether a ServiceAccount should be created
  create: true
  # The name of the ServiceAccount to use.
  # If not set and create is true, a name is generated using the fullname template
  # name:
  # Annotations for the ServiceAccount
  annotations: {}
 ## Specify priorityClassName
 ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
 # priorityClassName: system-node-critical
 # Specify the pod's SecurityContext, including the OS user and group to run the pod
 podSecurityContext: {}
 override_config:
  toml: ~
  # Provide a literal TOML config
  # toml: |+
  #   [global_tags]
  #     foo = "bar"
  #   [agent]
  #     interval = "10s"
  #   [[inputs.mem]]
  #   [[outputs.influxdb_v2]]
  #     urls           = ["https://us-west-2-1.aws.cloud2.influxdata.com"]
  #     bucket         = "data"
  #     organization   = "OurCompany"
  #     token          = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 ## Exposed telegraf configuration
 ## ref: https://docs.influxdata.com/telegraf/v1.13/administration/configuration/
 config:
  # global_tags:
  #   cluster: "mycluster"
  agent:
    interval: "10s"
    round_interval: true
    metric_batch_size: 1000
    metric_buffer_limit: 10000
    collection_jitter: "0s"
    flush_interval: "10s"
    flush_jitter: "0s"
    precision: ""
    debug: false
    quiet: false
    logfile: ""
    hostname: "$HOSTNAME"
    omit_hostname: false
  outputs:
    - influxdb_v2:
        urls:
          - "http://influxdb-influxdb2.monitoring:80"
        token: N_jNm1hZTfyhJneTJj2G357mQ7EJdNzdvebjSJX6JkbyaXNup_IAqeYowblMgV8EjLypNvauTl27ewJvI_rbqQ==
        organization: "influxdata"
        bucket: "kluster"
  monitor_self: false
  docker_endpoint: "unix:///run/k3s/containerd/containerd.sock"
--- a/apps/monitoring/influxdb.pvc.yaml
+++ b/apps/monitoring/influxdb.pvc.yaml
@@ -1,32 +0,0 @@
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: influxdb-nfs
  labels:
    directory: influxdb
 spec:
  # storageClassName: slow
  capacity:
    storage: "10Gi"
  # volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  nfs:
    path: /export/kluster/influxdb
    server: 192.168.1.157
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: influxdb-nfs
 spec:
  storageClassName: ""
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: "10Gi"
  selector:
    matchLabels:
      directory: influxdb
--- a/apps/monitoring/influxdb.values.yaml
+++ b/apps/monitoring/influxdb.values.yaml
@@ -1,195 +0,0 @@
 image:
  repository: influxdb
  tag: 2.3.0-alpine
  pullPolicy: IfNotPresent
 ## Annotations to be added to InfluxDB pods
 ##
 podAnnotations: {}
 ## Labels to be added to InfluxDB pods
 ##
 podLabels: {}
 nameOverride: ""
 fullnameOverride: ""
 ## Configure resource requests and limits
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
 ##
 resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #  cpu: 100m
  #  memory: 128Mi
  # requests:
  #  cpu: 100m
  #  memory: 128Mi
 ## Node labels for pod assignment
 ## ref: https://kubernetes.io/docs/user-guide/node-selection/
 ##
 nodeSelector: {}
 ## Tolerations for pod assignment
 ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 ##
 tolerations: []
 ## Affinity for pod assignment
 ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 ##
 affinity: {}
 securityContext: {}
 ## Customize liveness, readiness and startup probes
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
 ##
 livenessProbe: {}
  # path: "/health"
  # scheme: "HTTP"
  # initialDelaySeconds: 0
  # periodSeconds: 10
  # timeoutSeconds: 1
  # failureThreshold: 3
 readinessProbe: {}
  # path: "/health"
  # scheme: "HTTP"
  # initialDelaySeconds: 0
  # periodSeconds: 10
  # timeoutSeconds: 1
  # successThreshold: 1
  # failureThreshold: 3
 startupProbe:
  enabled: false
  # path: "/health"
  # scheme: "HTTP"
  # initialDelaySeconds: 30
  # periodSeconds: 5
  # timeoutSeconds: 1
  # failureThreshold: 6
 ## Extra environment variables to configure influxdb
 ## e.g.
 # env:
 #   - name: FOO
 #     value: BAR
 #   - name: BAZ
 #     valueFrom:
 #       secretKeyRef:
 #         name: my-secret
 #         key: my-key
 env: {}
 ## Create default user through docker entrypoint
 ## Defaults indicated below
 ##
 adminUser:
  organization: "influxdata"
  bucket: "default"
  user: "admin"
  retention_policy: "0s"
  ## Leave empty to generate a random password and token.
  ## Or fill any of these values to use fixed values.
  password: ""
  token: ""
  ## The password and token are obtained from an existing secret. The expected
  ## keys are `admin-password` and `admin-token`.
  ## If set, the password and token values above are ignored.
  # existingSecret: influxdb-auth
 ## Persist data to a persistent volume
 ##
 persistence:
  enabled: true
  ## If true will use an existing PVC instead of creating one
  useExisting: true
  ## Name of existing PVC to be used in the influx deployment
  name: influxdb-nfs
  ## influxdb data Persistent Volume Storage Class
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
  ##   GKE, AWS & OpenStack)
  ##
  # storageClass: "-"
  accessMode: ReadWriteOnce
  size: 10Gi
  mountPath: /var/lib/influxdb2
  subPath: ""
 ## Add custom volume and volumeMounts
 ##
 # volumes:
 #   - name: influxdb2-templates
 #     hostPath:
 #       path: /data/influxdb2-templates
 #       type: Directory
 # mountPoints:
 #   - name: influxdb2-templates
 #     mountPath: /influxdb2-templates
 #     readOnly: true
 ## Allow executing custom init scripts
 ## If the container finds any files with the .sh extension inside of the
 ## /docker-entrypoint-initdb.d folder, it will execute them.
 ## When multiple scripts are present, they will be executed in lexical sort order by name.
 ## For more details see Custom Initialization Scripts in https://hub.docker.com/_/influxdb
 initScripts:
  enabled: false
  scripts:
    init.sh: |+
      #!/bin/bash
      influx apply --force yes -u https://raw.githubusercontent.com/influxdata/community-templates/master/influxdb2_operational_monitoring/influxdb2_operational_monitoring.yml
 ## Specify a service type
 ## ref: http://kubernetes.io/docs/user-guide/services/
 ##
 service:
  type: LoadBalancer
  loadBalancerIP: 192.168.3.4
  port: 80
  targetPort: 8086
  annotations: {}
  labels: {}
  portName: http
 serviceAccount:
  # Specifies whether a ServiceAccount should be created
  create: true
  # The name of the ServiceAccount to use.
  # If not set and create is true, a name is generated using the fullname template
  name:
  # Annotations for the ServiceAccount
  annotations: {}
 ingress:
  enabled: false
  # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
  # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
  # className: nginx
  tls: false
  # secretName: my-tls-cert # only needed if tls above is true or default certificate is not configured for Nginx
  hostname: influxdb.foobar.com
  annotations: {}
    # kubernetes.io/ingress.class: "nginx"
    # kubernetes.io/tls-acme: "true"
  path: /
 ## Pod disruption budget configuration
 ##
 pdb:
  ## Specifies whether a Pod disruption budget should be created
  ##
  create: true
  minAvailable: 1
  # maxUnavailable: 1
--- a/apps/monitoring/telegraf-adguard.values.yaml
+++ b/apps/monitoring/telegraf-adguard.values.yaml
@@ -1,167 +0,0 @@
 ## Default values.yaml for Telegraf
 ## This is a YAML-formatted file.
 ## ref: https://hub.docker.com/r/library/telegraf/tags/
 replicaCount: 1
 image:
  repo: "telegraf"
  tag: "1.25"
  pullPolicy: IfNotPresent
 podAnnotations: {}
 podLabels: {}
 imagePullSecrets: []
 ## Configure args passed to Telegraf containers
 args: []
 # The name of a secret in the same kubernetes namespace which contains values to
 # be added to the environment (must be manually created)
 # This can be useful for auth tokens, etc.
 # envFromSecret: "telegraf-tokens"
 env:
  - name: HOSTNAME
    value: "telegraf-polling-service"
 # An older "volumeMounts" key was previously added which will likely
 # NOT WORK as you expect. Please use this newer configuration.
 # volumes:
 # - name: telegraf-output-influxdb2
 #   configMap:
 #     name: "telegraf-output-influxdb2"
 # mountPoints:
 # - name: telegraf-output-influxdb2
 #   mountPath: /etc/telegraf/conf.d
 #   subPath: influxdb2.conf
 ## Configure resource requests and limits
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
 resources: {}
 # requests:
 #   memory: 128Mi
 #   cpu: 100m
 # limits:
 #   memory: 128Mi
 #   cpu: 100m
 ## Node labels for pod assignment
 ## ref: https://kubernetes.io/docs/user-guide/node-selection/
 nodeSelector: {}
 ## Affinity for pod assignment
 ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 ##
 affinity: {}
 ## Tolerations for pod assignment
 ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 ##
 tolerations: []
 # - key: "key"
 #   operator: "Equal|Exists"
 #   value: "value"
 #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
 service:
  enabled: false
  type: ClusterIP
  annotations: {}
 rbac:
  # Specifies whether RBAC resources should be created
  create: true
  # Create only for the release namespace or cluster wide (Role vs ClusterRole)
  clusterWide: false
  # Rules for the created rule
  rules: []
 # When using the prometheus input to scrape all pods you need extra rules set to the ClusterRole to be
 # able to scan the pods for scraping labels. The following rules have been taken from:
 # https://github.com/helm/charts/blob/master/stable/prometheus/templates/server-clusterrole.yaml#L8-L46
 #    - apiGroups:
 #        - ""
 #      resources:
 #        - nodes
 #        - nodes/proxy
 #        - nodes/metrics
 #        - services
 #        - endpoints
 #        - pods
 #        - ingresses
 #        - configmaps
 #      verbs:
 #        - get
 #        - list
 #        - watch
 #    - apiGroups:
 #        - "extensions"
 #      resources:
 #        - ingresses/status
 #        - ingresses
 #      verbs:
 #        - get
 #        - list
 #        - watch
 #    - nonResourceURLs:
 #        - "/metrics"
 #      verbs:
 #        - get
 serviceAccount:
  # Specifies whether a ServiceAccount should be created
  create: false
 ## Exposed telegraf configuration
 ## For full list of possible values see `/docs/all-config-values.yaml` and `/docs/all-config-values.toml`
 ## ref: https://docs.influxdata.com/telegraf/v1.1/administration/configuration/
 config:
  agent:
    interval: "2m"
    round_interval: true
    metric_batch_size: 1000
    metric_buffer_limit: 10000
    collection_jitter: "0s"
    flush_interval: "10s"
    flush_jitter: "0s"
    precision: ""
    debug: false
    quiet: false
    logfile: ""
    hostname: "$HOSTNAME"
    omit_hostname: false
  processors:
    - enum:
        mapping:
          field: "status"
          dest: "status_code"
          value_mappings:
            healthy: 1
            problem: 2
            critical: 3
  outputs:
    - influxdb_v2:
        urls:
          - "http://influxdb-influxdb2.monitoring:80"
        token: We64mk4L4bqYCL77x3fAUSYfOse9Kktyf2eBLyrryG9c3-y8PQFiKPIh9EvSWuq78QSQz6hUcsm7XSFR2Zj1MA==
        organization: "influxdata"
        bucket: "homeassistant"
  inputs:
    - http:
        urls:
          - "http://adguard-home.adguard:3000/control/stats"
        data_format: "json"
 metrics:
  health:
    enabled: false
    service_address: "http://:8888"
    threshold: 5000.0
  internal:
    enabled: true
    collect_memstats: false
 # Lifecycle hooks
 # hooks:
 #   postStart: ["/bin/sh", "-c", "echo Telegraf started"]
 #   preStop: ["/bin/sh", "-c", "sleep 60"]
 ## Pod disruption budget configuration
 ##
 pdb:
  ## Specifies whether a Pod disruption budget should be created
  ##
  create: true
  minAvailable: 1
  # maxUnavailable: 1
--- a/apps/monitoring/telegraf-speedtest.values.yaml
+++ b/apps/monitoring/telegraf-speedtest.values.yaml
@@ -1,110 +0,0 @@
 ## Default values.yaml for Telegraf
 ## This is a YAML-formatted file.
 ## ref: https://hub.docker.com/r/library/telegraf/tags/
 replicaCount: 1
 image:
  repo: "telegraf"
  tag: "1.25"
  pullPolicy: IfNotPresent
 podAnnotations: {}
 podLabels: {}
 imagePullSecrets: []
 ## Configure args passed to Telegraf containers
 args: []
 # The name of a secret in the same kubernetes namespace which contains values to
 # be added to the environment (must be manually created)
 # This can be useful for auth tokens, etc.
 # envFromSecret: "telegraf-tokens"
 env:
  - name: HOSTNAME
    value: "telegraf-speedtest"
 ## Configure resource requests and limits
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
 resources: {}
 # requests:
 #   memory: 128Mi
 #   cpu: 100m
 # limits:
 #   memory: 128Mi
 #   cpu: 100m
 ## Node labels for pod assignment
 ## ref: https://kubernetes.io/docs/user-guide/node-selection/
 nodeSelector: {}
 ## Affinity for pod assignment
 ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 ##
 affinity: {}
 ## Tolerations for pod assignment
 ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 ##
 tolerations: []
 # - key: "key"
 #   operator: "Equal|Exists"
 #   value: "value"
 #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
 service:
  enabled: false
 rbac:
  # Specifies whether RBAC resources should be created
  create: false
 serviceAccount:
  # Specifies whether a ServiceAccount should be created
  create: false
 ## Exposed telegraf configuration
 ## For full list of possible values see `/docs/all-config-values.yaml` and `/docs/all-config-values.toml`
 ## ref: https://docs.influxdata.com/telegraf/v1.1/administration/configuration/
 config:
  agent:
    interval: "2h"
    round_interval: true
    metric_batch_size: 1000
    metric_buffer_limit: 10000
    collection_jitter: "0s"
    flush_interval: "10s"
    flush_jitter: "0s"
    precision: ""
    debug: false
    quiet: false
    logfile: ""
    hostname: "$HOSTNAME"
    omit_hostname: false
  processors:
    - enum:
        mapping:
          field: "status"
          dest: "status_code"
          value_mappings:
            healthy: 1
            problem: 2
            critical: 3
  outputs:
    - influxdb_v2:
        urls:
          - "http://influxdb-influxdb2.monitoring:80"
        token: We64mk4L4bqYCL77x3fAUSYfOse9Kktyf2eBLyrryG9c3-y8PQFiKPIh9EvSWuq78QSQz6hUcsm7XSFR2Zj1MA==
        organization: "influxdata"
        bucket: "homeassistant"
  inputs:
    - internet_speed:
        enable_file_download: false
 # Lifecycle hooks
 # hooks:
 #   postStart: ["/bin/sh", "-c", "echo Telegraf started"]
 #   preStop: ["/bin/sh", "-c", "sleep 60"]
 ## Pod disruption budget configuration
 ##
 pdb:
  ## Specifies whether a Pod disruption budget should be created
  ##
  create: true
  minAvailable: 1
  # maxUnavailable: 1
--- a/apps/nextcloud/ingress.yaml
+++ b/apps/nextcloud/ingress.yaml
@@ -1,17 +0,0 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
  namespace: nextcloud
  name: nextcloud-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`nextcloud.kluster.moll.re`)
    kind: Rule
    services:
    - name: nextcloud
      port: 8080
  tls:
    certResolver: default-tls 
--- a/Show More
+++ b/Show More