add matrix deployment

2024-10-15 17:52:03 +02:00
106 changed files with 666 additions and 1222 deletions
--- a/apps/adguard/configmap.yaml
+++ b/apps/adguard/configmap.yaml
@@ -27,10 +27,7 @@ data:
      ratelimit_whitelist: []
      refuse_any: true
      upstream_dns:
-        - tls://1.1.1.1
+        - https://dns10.quad9.net/dns-query
        - tls://dns.google
        - tls://p0.freedns.controld.com
        - tls://dns.quad9.net
      upstream_dns_file: ""
      bootstrap_dns:
        - 9.9.9.10
@@ -38,7 +35,8 @@ data:
        - 2620:fe::10
        - 2620:fe::fe:10
      fallback_dns: []
-      upstream_mode: load_balance
+      all_servers: false
      fastest_addr: false
      fastest_timeout: 1s
      allowed_clients: []
      disallowed_clients: []
@@ -74,8 +72,6 @@ data:
      dns64_prefixes: []
      serve_http3: false
      use_http3_upstreams: false
      serve_plain_dns: true
      hostsfile_enabled: true
    tls:
      enabled: false
      server_name: ""
@@ -92,14 +88,12 @@ data:
      private_key_path: ""
      strict_sni_check: false
    querylog:
      dir_path: ""
      ignored: []
      interval: 2160h
      size_memory: 1000
      enabled: true
      file_enabled: true
    statistics:
      dir_path: ""
      ignored: []
      interval: 24h
      enabled: true
@@ -116,10 +110,6 @@ data:
        url: https://someonewhocares.org/hosts/zero/hosts
        name: Dan Pollock's List
        id: 1684963532
      - enabled: true
        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt
        name: Peter Lowe's Blocklist
        id: 1735824753
    whitelist_filters: []
    user_rules: []
    dhcp:
@@ -144,36 +134,13 @@ data:
      blocking_ipv6: ""
      blocked_services:
        schedule:
-          time_zone: Europe/Berlin
+          time_zone: UTC
-          sun:
+        ids: []
            start: 18h
            end: 23h59m
          mon:
            start: 18h
            end: 23h59m
          tue:
            start: 18h
            end: 23h59m
          wed:
            start: 18h
            end: 23h59m
          thu:
            start: 18h
            end: 23h59m
          fri:
            start: 18h
            end: 23h59m
          sat:
            start: 18h
            end: 23h59m
        ids:
          - reddit
      protection_disabled_until: null
      safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        ecosia: true
        google: true
        pixabay: true
        yandex: true
@@ -182,13 +149,11 @@ data:
      parental_block_host: family-block.dns.adguard.com
      safebrowsing_block_host: standard-block.dns.adguard.com
      rewrites: []
      safe_fs_patterns:
        - /opt/adguardhome/data/userfilters/*
      safebrowsing_cache_size: 1048576
      safesearch_cache_size: 1048576
      parental_cache_size: 1048576
      cache_time: 30
-      filters_update_interval: 168
+      filters_update_interval: 24
      blocked_response_ttl: 10
      filtering_enabled: true
      parental_enabled: true
@@ -203,7 +168,6 @@ data:
        hosts: true
      persistent: []
    log:
      enabled: true
      file: ""
      max_backups: 0
      max_size: 100
@@ -215,4 +179,4 @@ data:
      group: ""
      user: ""
      rlimit_nofile: 0
-    schema_version: 29
+    schema_version: 27
--- a/apps/adguard/kustomization.yaml
+++ b/apps/adguard/kustomization.yaml
@@ -10,7 +10,7 @@ resources:
 images:
  - name: adguard/adguardhome
    newName: adguard/adguardhome
-    newTag: v0.107.57
+    newTag: v0.107.53
 namespace: adguard
--- a/apps/audiobookshelf/kustomization.yaml
+++ b/apps/audiobookshelf/kustomization.yaml
@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
  - name: audiobookshelf
    newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.19.5"
+    newTag: "2.15.0"
--- a/apps/code-server/deployment.yaml
+++ b/apps/code-server/deployment.yaml
@@ -1,41 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: code-server
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: code-server
  template:
    metadata:
      labels:
        app: code-server
    spec:
      containers:
        - name: code-server
          image: code-server
          ports:
            - containerPort: 8080
          env:
          - name: TZ
            value: Europe/Berlin
          - name: CONFIG_PATH
            value: /data/config
          - name: METADATA_PATH
            value: /data/metadata
          volumeMounts:
            - name: data
              mountPath: /home/coder
          resources:
            requests:
              cpu: "50m"
              memory: "100Mi"
            limits:
              cpu: "6"
              memory: "16Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: code-server-data
--- a/apps/code-server/ingress.yaml
+++ b/apps/code-server/ingress.yaml
@@ -1,17 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: audiobookshelf-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`code.kluster.moll.re`)
    kind: Rule
    services:
    - name: code-server-web
      port: 8080
  tls:
    certResolver: default-tls 
--- a/apps/code-server/kustomization.yaml
+++ b/apps/code-server/kustomization.yaml
@@ -1,15 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: code-server
 images:
  - name: code-server
    newName: ghcr.io/coder/code-server
    newTag: 4.96.4-fedora
--- a/apps/code-server/pvc.yaml
+++ b/apps/code-server/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: code-server-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
--- a/apps/code-server/service.yaml
+++ b/apps/code-server/service.yaml
@@ -1,11 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: code-server-web
 spec:
  selector:
    app: code-server
  ports:
  - port: 8080
    targetPort: 8080
  type: LoadBalancer
--- a/apps/kitchenowl/ingress.yaml
+++ b/apps/kitchenowl/ingress.yaml
@@ -1,17 +1,18 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: kitchenowl-ingressroute
+  name: dendrite-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
-  - match: Host(`kitchen.kluster.moll.re`)
+  - match: Host(`dendrite.kluster.moll.re`)
    kind: Rule
    services:
-    - name: kitchenowl-web
+    - name: dendrite
-      port: 8080
+      port: 8008
      # scheme: https
  tls:
    certResolver: default-tls 
--- a/apps/dendrite/kustomization.yaml
+++ b/apps/dendrite/kustomization.yaml
@@ -0,0 +1,16 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - postgres.yaml
  - postgres-user.secret.yaml
  - ingress.yaml
 namespace: dendrite
 helmCharts:
  - name: dendrite
    releaseName: dendrite
    version: 0.13.5
    valuesFile: values.yaml
    repo: https://matrix-org.github.io/dendrite/
--- a/apps/code-server/namespace.yaml
+++ b/apps/code-server/namespace.yaml
--- a/apps/dendrite/postgres.yaml
+++ b/apps/dendrite/postgres.yaml
@@ -0,0 +1,25 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: dendrite-postgres
 spec:
  instances: 1
  imageName: ghcr.io/cloudnative-pg/postgresql:16.4
  bootstrap:
    initdb:
      owner: dendrite
      database: dendrite
      secret:
        name: postgres-password
  # Persistent storage configuration
  storage:
    size: 2Gi
    pvcTemplate:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 2Gi
      storageClassName: nfs-client
      volumeMode: Filesystem
--- a/apps/dendrite/values.yaml
+++ b/apps/dendrite/values.yaml
@@ -0,0 +1,287 @@
 # signing key to use
 signing_key:
  # -- Create a new signing key, if not exists
  create: true
 persistence:
  jetstream:
    # -- PVC Storage Request for the jetstream volume
    capacity: "1Gi"
    # -- The storage class to use for volume claims.
    storageClass: "nfs-client"
  media:
    # -- PVC Storage Request for the media volume
    capacity: "1Gi"
    # -- The storage class to use for volume claims.
    storageClass: "nfs-client"
  search:
    # -- PVC Storage Request for the search volume
    capacity: "1Gi"
    # -- The storage class to use for volume claims.
    storageClass: "nfs-client"
 dendrite_config:
  version: 2
  global:
    # -- **REQUIRED** Servername for this Dendrite deployment.
    server_name: "dendrite.kluster.moll.re"
    # -- The server name to delegate server-server communications to, with optional port
    # e.g. localhost:443
    well_known_server_name: ""
    # -- The server name to delegate client-server communications to, with optional port
    # e.g. localhost:443
    well_known_client_name: ""
    # -- Lists of domains that the server will trust as identity servers to verify third
    # party identifiers such as phone numbers and email addresses.
    trusted_third_party_id_servers:
      - matrix.org
      - vector.im
    # -- The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
    # to old signing keys that were formerly in use on this domain name. These
    # keys will not be used for federation request or event signing, but will be
    # provided to any other homeserver that asks when trying to verify old events.
    old_private_keys:
    #  If the old private key file is available:
    #  - private_key: old_matrix_key.pem
    #    expired_at: 1601024554498
    #  If only the public key (in base64 format) and key ID are known:
    #  - public_key: mn59Kxfdq9VziYHSBzI7+EDPDcBS2Xl7jeUdiiQcOnM=
    #    key_id: ed25519:mykeyid
    #    expired_at: 1601024554498
    # -- Disable federation. Dendrite will not be able to make any outbound HTTP requests
    # to other servers and the federation API will not be exposed.
    disable_federation: false
    key_validity_period: 168h0m0s
    database:
      # -- The connection string for connections to Postgres.
      # This will be set automatically if using the Postgres dependency
      connection_string: "postgresql://dendrite:supersecretpassword!@dendrite-postgres-rw/dendrite"
      # -- Default database maximum open connections
      max_open_conns: 90
      # -- Default database maximum idle connections
      max_idle_conns: 5
      # -- Default database maximum lifetime
      conn_max_lifetime: -1
    jetstream:
      # -- Persistent directory to store JetStream streams in.
      storage_path: "/data/jetstream"
      # -- NATS JetStream server addresses if not using internal NATS.
      addresses: []
      # -- The prefix for JetStream streams
      topic_prefix: "Dendrite"
      # -- Keep all data in memory. (**NOTE**: This is overriden in Helm to `false`)
      in_memory: false
      # -- Disables TLS validation. This should **NOT** be used in production.
      disable_tls_validation: true
    cache:
      # -- The estimated maximum size for the global cache in bytes, or in terabytes,
      # gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or
      # 'kb' suffix is specified. Note that this is not a hard limit, nor is it a
      # memory limit for the entire process. A cache that is too small may ultimately
      # provide little or no benefit.
      max_size_estimated: 1gb
      # -- The maximum amount of time that a cache entry can live for in memory before
      # it will be evicted and/or refreshed from the database. Lower values result in
      # easier admission of new cache entries but may also increase database load in
      # comparison to higher values, so adjust conservatively. Higher values may make
      # it harder for new items to make it into the cache, e.g. if new rooms suddenly
      # become popular.
      max_age: 1h
    report_stats:
      # -- Configures phone-home statistics reporting. These statistics contain the server
      # name, number of active users and some information on your deployment config.
      # We use this information to understand how Dendrite is being used in the wild.
      enabled: false
    presence:
      # -- Controls whether we receive presence events from other servers
      enable_inbound: false
      # -- Controls whether we send presence events for our local users to other servers.
      # (_May increase CPU/memory usage_)
      enable_outbound: false
    server_notices:
      # -- Server notices allows server admins to send messages to all users on the server.
      enabled: false
      # -- The local part for the user sending server notices.
      local_part: "_server"
      # -- The display name for the user sending server notices.
      display_name: "Server Alerts"
      # -- The avatar URL (as a mxc:// URL) name for the user sending server notices.
      avatar_url: ""
      # The room name to be used when sending server notices. This room name will
      # appear in user clients.
      room_name: "Server Alerts"
    # prometheus metrics
    metrics:
      # -- Whether or not Prometheus metrics are enabled.
      enabled: false
      # HTTP basic authentication to protect access to monitoring.
      basic_auth:
        # -- HTTP basic authentication username
        user: "metrics"
        # -- HTTP basic authentication password
        password: metrics
  app_service_api:
    # -- Disable the validation of TLS certificates of appservices. This is
    # not recommended in production since it may allow appservice traffic
    # to be sent to an insecure endpoint.
    disable_tls_validation: false
    # -- Appservice config files to load on startup. (**NOTE**: This is overriden by Helm, if a folder `./appservices/` exists)
    config_files: []
  client_api:
    # -- Prevents new users from being able to register on this homeserver, except when
    # using the registration shared secret below.
    registration_disabled: true
    # Prevents new guest accounts from being created. Guest registration is also
    # disabled implicitly by setting 'registration_disabled' above.
    guests_disabled: true
    # -- If set, allows registration by anyone who knows the shared secret, regardless of
    # whether registration is otherwise disabled.
    registration_shared_secret: "supersecretpassword"
    # TURN server information that this homeserver should send to clients.
    turn:
      # -- Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
      turn_user_lifetime: "24h"
      turn_uris: []
      turn_shared_secret: ""
      # -- The TURN username
      turn_username: ""
      # -- The TURN password
      turn_password: ""
    rate_limiting:
      # -- Enable rate limiting
      enabled: true
      # -- After how many requests a rate limit should be activated
      threshold: 20
      # -- Cooloff time in milliseconds
      cooloff_ms: 500
      # -- Users which should be exempt from rate limiting
      exempt_user_ids:
  federation_api:
    # -- Federation failure threshold. How many consecutive failures that we should
    # tolerate when sending federation requests to a specific server. The backoff
    # is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds, etc.
    # The default value is 16 if not specified, which is circa 18 hours.
    send_max_retries: 16
    # -- Disable TLS validation. This should **NOT** be used in production.
    disable_tls_validation: false
    prefer_direct_fetch: false
    # -- Prevents Dendrite from keeping HTTP connections
    # open for reuse for future requests. Connections will be closed quicker
    # but we may spend more time on TLS handshakes instead.
    disable_http_keepalives: false
    # -- Perspective keyservers, to use as a backup when direct key fetch
    # requests don't succeed.
    # @default -- See value.yaml
    key_perspectives:
      - server_name: matrix.org
        keys:
          - key_id: ed25519:auto
            public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
          - key_id: ed25519:a_RXGa
            public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ
  media_api:
    # -- The path to store media files (e.g. avatars) in
    base_path: "/data/media_store"
    # -- The max file size for uploaded media files
    max_file_size_bytes: 10485760
    # Whether to dynamically generate thumbnails if needed.
    dynamic_thumbnails: false
    # -- The maximum number of simultaneous thumbnail generators to run.
    max_thumbnail_generators: 10
    # -- A list of thumbnail sizes to be generated for media content.
    # @default -- See value.yaml
    thumbnail_sizes:
      - width: 32
        height: 32
        method: crop
      - width: 96
        height: 96
        method: crop
      - width: 640
        height: 480
        method: scale
  sync_api:
    # -- This option controls which HTTP header to inspect to find the real remote IP
    # address of the client. This is likely required if Dendrite is running behind
    # a reverse proxy server.
    real_ip_header: X-Real-IP
    # -- Configuration for the full-text search engine.
    search:
      # -- Whether fulltext search is enabled.
      enabled: true
      # -- The path to store the search index in.
      index_path: "/data/search"
      # -- The language most likely to be used on the server - used when indexing, to
      # ensure the returned results match expectations. A full list of possible languages
      # can be found [here](https://github.com/matrix-org/dendrite/blob/76db8e90defdfb9e61f6caea8a312c5d60bcc005/internal/fulltext/bleve.go#L25-L46)
      language: "en"
  user_api:
    # -- bcrypt cost to use when hashing passwords.
    # (ranges from 4-31; 4 being least secure, 31 being most secure; _NOTE: Using a too high value can cause clients to timeout and uses more CPU._)
    bcrypt_cost: 10
    # -- OpenID Token lifetime in milliseconds.
    openid_token_lifetime_ms: 3600000
    # - Disable TLS validation when hitting push gateways. This should **NOT** be used in production.
    push_gateway_disable_tls_validation: false
    # -- Rooms to join users to after registration
    auto_join_rooms: []
  # -- Default logging configuration
  logging:
  - type: std
    level: info
 postgresql:
  # -- Enable and configure postgres as the database for dendrite.
  # @default -- See value.yaml
  enabled: false
 ingress:
  # -- Create an ingress for the deployment
  enabled: false
 service:
  type: ClusterIP
  port: 8008
 prometheus:
  servicemonitor:
    # -- Enable ServiceMonitor for Prometheus-Operator for scrape metric-endpoint
    enabled: false
    # -- Extra Labels on ServiceMonitor for selector of Prometheus Instance
    labels: {}
  rules:
    # -- Enable PrometheusRules for Prometheus-Operator for setup alerting
    enabled: false
    # -- Extra Labels on PrometheusRules for selector of Prometheus Instance
    labels: {}
    # -- additional alertrules (no default alertrules are provided)
    additionalRules: []
--- a/apps/files/kustomization.yaml
+++ b/apps/files/kustomization.yaml
@@ -13,4 +13,4 @@ namespace: files
 images:
  - name: ocis
    newName: owncloud/ocis
-    newTag: "7.0.1"
+    newTag: "5.0.8"
--- a/apps/files/ocis-config.sealedsecret.yaml
+++ b/apps/files/ocis-config.sealedsecret.yaml
--- a/apps/finance/kustomization.yaml
+++ b/apps/finance/kustomization.yaml
@@ -13,4 +13,4 @@ resources:
 images:
  - name: actualbudget
    newName: actualbudget/actual-server
-    newTag: 25.3.0
+    newTag: 24.10.1
--- a/apps/grafana/grafana-admin.sealedsecret.yaml
+++ b/apps/grafana/grafana-admin.sealedsecret.yaml
@@ -1,17 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: grafana-admin-secret
  namespace: grafana
 spec:
  encryptedData:
    password: AgAU6g/CwKj+1gPpt4DLvLsS0YCvJdVHWw4W4bRhibE9brVvcJtGB3D9MTJrSLVVwusaE6OR59og7oW5ge3yTd/9bbclXYLrxEi7OwvkQjCvo8MfD8yhJO9nV4Xs9Mjk2Z4SHGYuq6wvcssuJrpz5f0XEC7ocTRA+u0UaE+/b4FrYF71uyKGvj8GSXgLZUjGPFsGfPzwJn7cLBmlclVHx1xGbFpUc042m5Mulpn0QolFQnOwZiW4PL8pQyz1MXVRwCsz0RJd5apZL3XJ4X7BLMoAp+diHQ2xi3zoU9VScp+J2QgvFdRKgDa6v7Jz1f+HCwq5W/DoegwFXBrcMIfF2YrnvTnc1PCVwD9IHOeylO7J2hfi8teQiqTvvRlVgdBTLqoqlVovemf5k6ke6JfjTwnsJjTNnL7MKN5Qt0o7N2XRZ3ba9jp8cKbI7fyFQKaU2QEf2PIkp82kEnixmpA1aATgeA3W4E5Km7sKHUEB81+pwnOe54tzD2ShgQX/+UiswhWYTT+gdZKL1udBBemUDC0z9PSJNTPTy+hq+G4CIzVQUYxlioM3c+3geF7YLU8yXisj84pk44GN9KX3z5x+M2+LZL7agAWPUjxtrP2V+id7dNJQfCm0aSMeo57dVfb4zlBUAAgKIKjX+j1KqCVqE9zEO2F/QX7mY6MJTP2me3wmY7JAVRJ7d6bbkyyoDhs8JErLYLp0A+Eh+qx8nWgM9ErPVSA0
    user: AgB8ZLG2EuERjg1nKdH/xadbUuIR2c8a9gF5fE8ctrp4DNDLLuuqmjyoHRiWpkrtfnE1yKg1rPP+asV9Lj5iVmE9J+OB3QUOeFS4MHciBNj7pa68zfFgnHP4kxMX6aXyKRQrYruYjHwfzCpOM1zyTEphuGlnokjQXxjF/mZsoM2NWn7WGReqfxqH95tJXfs9AUC5vVv/PHqd+KKRZH7+G1AnWVJ7RFQHedR7wyftO4/rkm8deMuZWtOLl25fAOyOr7+hSqT69s9/uTKSLJXjobSqtulqsR+v5lkwx2ThNKzmcEcuoenKG6lk8XLRSIscccZH3JTPh6IknQWUOC4nmYj+XUxE8Go0RX/4eL+D/6FrYrtp0gr3HOCLAGU4vAHMeKfJoyqykJVnvY6QY6bFgaziyOlWaoEHpg6g0vHHDwyX7HIDcQfJZGOLH9dhrWJ2sOkzyuuxfqWEgz/M2eBW4EUAudHwfTLPocSMUI+D6fjeciMojet5uxWMP7ZHh/E061f5+Vfk6CKYd9Kpi69Xah8KEyyHYP5NImkdIwjgllaEAd/FBE2+QJyTVZlUQC7y9ObagDMCUFaFbTS5QOLh5BOJDL5buEYFWG0IhoH47SC/pKeEOQH//uvoo27K9zvxTOQN1YOTrxCozmexMOsTIdhvU0dOnJDBrThSHKYLCeIokDOgUUT52FqDH51RoLoK3UkyGbMoq+M=
  template:
    metadata:
      creationTimestamp: null
      name: grafana-admin-secret
      namespace: grafana
    type: Opaque
--- a/apps/grafana/grafana-auth.sealedsecret.yaml
+++ b/apps/grafana/grafana-auth.sealedsecret.yaml
@@ -1,16 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: grafana-auth
  namespace: grafana
 spec:
  encryptedData:
    client_secret: AgCEdC1/ERlPQyQP+bd9gcW33Yrvl4uRbx+RF5AY4vYAquOzxmLTygMl/WZlB5wlCE5idIHgto6/fUWVZrQbmfClRqsW2pFoddKQAtS9cQNXwMjLCm7e0lXk9GM9O3ZwktmklFbCu8XewHmefGHhoJ28vPxPMaINv1fM4zYKvNz5RHf0dJfTHgxb68wRYjAbE/eJpRcVE3a29Yw6Gfa8Mb+cFI7RTHvjuv9LBgWqM6b3qvvJ4wYR2WKuiQrnJ5xAtHpMAI/2R80qq151wlaZueDZ1PwjRBHURkmPTmwZnrMrmIugNge7Tpww+ArZlG9kDfSu1aTJidbXbcpN6fyt1qARTCYrBlbn60PTYLnPL/NObvMCpjS6DsYsYz7MJ7WoOupu46Ib5paZHmak+CilC6lb9LjJj4EKfRsagZmWT07JavhHBW/tqjB3GToccIz4fOAOdA9aU51J4wCL2ctp2SgzCEKe2EaBK/f9nDd9ASmmon9PDwRDVtG8yTukrNcZHNzodi09Af81DB0RNa36Z3Sjt5xu94paN+mjiOWGf2JduVEq+60NbPvDbPE9e1aVH3DdQcij2WGZaTE8dAGLSsLoOkIq3m2E+Mbk1Re1gI9H18xJM72ivb5uDe7pzReyvO5DY4Pfq8JgQhPxWcDq9ScmWS6Bb+jdCKytFq5NafSAl+akPbbwN+1GFu33if/P5D9I2TwOA8V1wyVU
  template:
    metadata:
      creationTimestamp: null
      name: grafana-auth
      namespace: grafana
    type: Opaque
--- a/apps/homeassistant/deployment.yaml
+++ b/apps/homeassistant/deployment.yaml
@@ -14,7 +14,7 @@ spec:
    spec:
      containers:
        - name: homeassistant
-          image: homeassistant
+          image: homeassistant/home-assistant
          ports:
            - containerPort: 8123
          env:
--- a/apps/homeassistant/kustomization.yaml
+++ b/apps/homeassistant/kustomization.yaml
@@ -13,6 +13,6 @@ resources:
 images:
-  - name: homeassistant
+  - name: homeassistant/home-assistant
    newName: homeassistant/home-assistant
-    newTag: "2025.2"
+    newTag: "2024.10"
--- a/apps/immich/ingress.yaml
+++ b/apps/immich/ingress.yaml
@@ -1,5 +1,14 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: stripprefix
 spec:
  stripPrefix:
    prefixes:
      - /api
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: websocket
 spec:
@@ -22,7 +31,8 @@ spec:
          kind: Rule
          services:
              - name: immich-server
-          port: 2283
+                port: 3001
                passHostHeader: true
          middlewares:
              - name: websocket
    tls:
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
@@ -6,7 +6,6 @@ resources:
  - pvc.yaml
  - postgres.yaml
  - postgres.sealedsecret.yaml
  - servicemonitor.yaml
 namespace: immich
@@ -15,16 +14,16 @@ namespace: immich
 helmCharts:
  - name: immich
    releaseName: immich
-    version: 0.9.0
+    version: 0.8.1
    valuesFile: values.yaml
    repo: https://immich-app.github.io/immich-charts
 images:
  - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.126.1
+    newTag: v1.117.0
  - name: ghcr.io/immich-app/immich-server
-    newTag: v1.126.1
+    newTag: v1.117.0
 patches:
--- a/apps/immich/servicemonitor.yaml
+++ b/apps/immich/servicemonitor.yaml
@@ -1,14 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: immich-service-monitor
 spec:
  endpoints:
  - port: metrics-api
    scheme: http
  - port: metrics-ms
    scheme: http
  selector:
    matchLabels:
      app.kubernetes.io/name: server
      app.kubernetes.io/service: immich-server
--- a/apps/kitchenowl/deployment.yaml
+++ b/apps/kitchenowl/deployment.yaml
@@ -1,42 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: kitchenowl
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: kitchenowl
  template:
    metadata:
      labels:
        app: kitchenowl
    spec:
      containers:
        - name: kitchenowl
          image: kitchenowl
          ports:
            - containerPort: 8080
          env:
          - name: TZ
            value: Europe/Berlin
          envFrom:
            - configMapRef:
                name: kitchenowl-config
            - secretRef:
                name: kitchenowl-oauth
          volumeMounts:
            - name: data
              mountPath: /data
          resources:
            requests:
              cpu: "50m"
              memory: "100Mi"
            limits:
              cpu: "100m"
              memory: "1Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: kitchenowl-data
--- a/apps/kitchenowl/kitchenowl-config.configmap.yaml
+++ b/apps/kitchenowl/kitchenowl-config.configmap.yaml
@@ -1,7 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: kitchenowl-config
 data:
  FRONT_URL: https://kitchen.kluster.moll.re
  DISABLE_USERNAME_PASSWORD_LOGIN: "true"
--- a/apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml
+++ b/apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml
@@ -1,19 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: kitchenowl-oauth
  namespace: kitchenowl
 spec:
  encryptedData:
    JWT_SECRET_KEY: AgAclRIJS25ACVe4NqLQbAree6c6WpTBHnLpe3ZQJ0ScHG/EbW/ooABZj7y1ABAn/mCc+hBYXYHm81FNUfUtSuLKi2UlORbTCsfmisYH49WX0Lpku9LTM/8az9tjE0tjUUrJZcRUuJfdNJMDPQx7IPjUQ7sKk/exFnkPEbK98+AElXyHpPKXd9dxiCgll0n+ksbF9BDUR8KY8IB2Zvh4cXPww578qe/9XYnxLV8uY9K8KPvhl7NI40SIaL4PX8KmsDlBh1bpOR/OxhIwAGEZDQp/KROy6msrIOYW4SHM9nlSUSD4WvV8UjcbV1oNnYpE1usFOuxSfQlJ1zlFepKUv40JykyunvQv9nqVbEogsrS4o5N3gNEaB9yyFSHIlevp32LVpAuZu3cNplmT+Zg7+ODpCWIcVgmOAeapvB+X7H4ScbKVcYLAzrRFDtnS4Vo1M+RERhr0AuMU/tz0lGs99oRkCw2ZIg015R125u0VcRNqzgCtbBM5BFiKiP2kYrHn02Q6o5tRWxDQfrfb0mnfD5c/gM4+btlfM6DZMpr/l1kLlm8PDEpPGbkhK1XiAyJ4erHPDMLcmZXrSyxX9R1g8n7vnLnkqx5LkGmnltQI2FM7StxC6IrMlxY0nPnkq1lHhTz7yCpQJNXgfXZLVvov+f6jlD6WJhYHZCL/hIFfx3ybjGYZwJ0m84lH0OQJQw5dtsbPVqqoYZIPieqdRmHw7M7TTmFuQJXD94lZj5gsln1sMqs=
    OIDC_CLIENT_ID: AgDOxWtGCiFrIP5aWHimrR6bu0uMS1/i1v1Kzo1lIR3j3zlw/Da2oCPNx1ZuhNAp9UMIs2euc8mtrWkyv4R6pcci+IxXiGzlQNBSkMfWu4DwhwlEdnVyCVehfE00t0ytBxX6NeLfS1b8JOtH9yo3e22fdaeTwn/iwGLNwi1BJxMmzk9pVp7jzXH09Zia8UvUmXw5GyGpIOIiGcIfaXkr1ZnY2l30jTw8eS7HaouzfWHWTpNXkMLN3qim4vs/B1Sgz/y9tUyVo/qMhWLdEcVklYHT7xHx03SPD7RtK+zdYZCqvDtj+tsdpYHt05zeGV+wflNQuiocjwP8TW7vhtbjKrf9lQIxB5CErju178ELOVrpsPBAYMgdEl7qZeKdSpydIwe3VbOg3XJ7O/Ps1KSnRYwrCvgE4ZCMm3geHyJxSiKRhBcuVYz5JkNd5ylD0Eq9NL5RCqJ4szL9NaGNPbzkvcdZzAnbTYFTzyqZ+XHX/BUFisXl5bKNHtaqAsOK8woGYnxJiawKRrwDUmHXU4RB3QiPCPhHSLU7OkvU+XDhyQqLa8bKEQzj9dUf4bX3Savk4noiRsXMYJznAlgMPo0Q4taxVIoyQHELYwIIdP5YRuw27B9wKUR7e2hhu4FTOEcyhwuFql3OuAjq8HJCDX6+COkL2WYFFxWBnbSCYEdzfbMBCHjrUUonijcQluU2VbaHODNMAvB16MRKapAW
    OIDC_CLIENT_SECRET: AgAylnSUXwInlh/WvyCiFz+8asbCSZA6kk84Rt6l7bHVYw34c58lJHsZK2OvOIlHuaMe/ewnTqxVd0hI1Azl+wd/5NygMYlntKquq0vuzlhLrGc3u+0SOn9N2P6quA3slF9KR94CYsDx9ogy+EsEoA1yrsydB8S0g9W8syraR1MtpM0ZkcJ/D78OZ6qzyXUuBNAZc+iX/r96NvoMiGNYavgG7npOJh/pkKNYPuNkt4zpbAFjVyoCfgZd4V2nmZ6dhEVy8odW+jcsMn6OJ1OZVlPb1beq49lBEcaJqk83ZtKbq2evtBYHw9YAnENVq92ecenw/YL5LXUhOxeN0M9Amo99/O6pQwwrT1mtZqhTTeTIZTAxqmJKgyxGhE4DJUR/s71bc7K9hd2WvdAYnCyVC2uGa0MwXp4V7UuaN9GerldT8lcFxOpRnD7yroqVTqebjAJIkIinp5NNZ2ZP/LCiCwKKHHT19Pchn615WOPTofC6es/spIdQ8a1Nf2J5YzvRjsduFS55U6tMaC7cuV8kqKH9xTTf/sDHt+68wVEAO9koAe1zpO+zR2Pq3VuCnvcDGIwXopXjvyjfujEEhEWZl51PVJLZqtkP5Wg2wHvlgjJBbbIGTrqh4xa9pK7wLDM2hUFx1q/YKqwfP0EGVTc96G8Wermj0DtIqclqFLr54DtxVe+Rr8J4edG6YQ26/seYsrZ1Oq2PejHQt8u9EzQYAtYYlBsw2ujCWys6KrbhaVr3
    OIDC_ISSUER: AgA2JPd5axkL5YIRA95qm/iH8wgM2J0AjKjgGClWabYJ3UKIk0hi/L/zR+1Pw9Z+6amYXj7Q0FxLqCcNYG+H5ABxnqUi7Gl8gvfVbegaO3q5QiO27g18RMDssNHDSun8PPaxHBvBD68hxgsaXntu8sZavCGdwEK0TzLJi7eH/4jtHlofzfYgaCsGqeOBgvs/q87PVJ/qxazXlY9e7abbRAKl9ZMY7Wga58/IU2HhWwYMvI53yQyGMcKf3XiI9iNHgIcj1+TmlgQo+PRKyopNfzgFbey7on8woQXphY+ioqQ0hyworpxAVoWlvzKKopt1xBDr4zxzkzbWyxtjwPVOOH3iyenZz8tZa/JkNYWxkWHbh0KCs9yUIji3D3shQOFM/NtE17THsQm3NgpZ2lg9ET1v6uXqwfOLiQ+J1JQLwNFnYeruH2lK4EGt2nDCq2VycOIjW4kMpiJ4LiT8gap9HwYjTpAn+opicYn5e9fmpgiHdMPvrsG1m9edg0cbwdSpEelliHnAUfKsxMV2e1fLsga6yrhBLSXIQs8rbURRa6wqVvGoLB86a9Q5Rm94Jfm0Sa9v5LMGRYvqO5LbLrjrR8e/2r17pHQE8ynMQCAW1yVTe09FcgRwYhDUohfThtjIh16sdoC97eUel7fo/POt3atP69JsCIBZstprhVtBIBssmavpIotVqi8F2/yUkhrZR26mH3gsOxkNTEk6XzHHtJRu0cU+BmObTvYgMi3DHg==
  template:
    metadata:
      creationTimestamp: null
      name: kitchenowl-oauth
      namespace: kitchenowl
    type: Opaque
--- a/apps/kitchenowl/kustomization.yaml
+++ b/apps/kitchenowl/kustomization.yaml
@@ -1,17 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - kitchenowl-oauth.sealedsecret.yaml
  - kitchenowl-config.configmap.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: kitchenowl
 images:
  - name: kitchenowl
    newName: tombursch/kitchenowl
    newTag: v0.6.10
--- a/apps/kitchenowl/pvc.yaml
+++ b/apps/kitchenowl/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: kitchenowl-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/apps/kitchenowl/service.yaml
+++ b/apps/kitchenowl/service.yaml
@@ -1,10 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: kitchenowl-web
 spec:
  selector:
    app: kitchenowl
  ports:
  - port: 8080
    targetPort: 8080
--- a/apps/linkding/deployment.yaml
+++ b/apps/linkding/deployment.yaml
@@ -1,40 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: linkding
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: linkding
  template:
    metadata:
      labels:
        app: linkding
    spec:
      containers:
        - name: linkding
          image: linkding
          ports:
            - containerPort: 9090
          env:
          - name: TZ
            value: Europe/Berlin
          envFrom:
            - secretRef:
                name: oauth-config
          volumeMounts:
            - name: linkding-data
              mountPath: /etc/linkding/data
          resources:
            requests:
              cpu: "100m"
              memory: "200Mi"
            limits:
              cpu: "1"
              memory: "1Gi"
      volumes:
        - name: linkding-data
          persistentVolumeClaim:
            claimName: data
--- a/apps/linkding/ingress.yaml
+++ b/apps/linkding/ingress.yaml
@@ -1,17 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: linkding-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`linkding.kluster.moll.re`)
    kind: Rule
    services:
    - name: linkding-web
      port: 9090
  tls:
    certResolver: default-tls 
--- a/apps/linkding/kustomization.yaml
+++ b/apps/linkding/kustomization.yaml
@@ -1,16 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - ingress.yaml
  - service.yaml
  - pvc.yaml
  - deployment.yaml
  - oauth.sealedsecret.yaml
 namespace: linkding
 images:
  - name: linkding
    newName: sissbruecker/linkding
    newTag: "1.38.1"
--- a/apps/linkding/namespace.yaml
+++ b/apps/linkding/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/linkding/oauth.sealedsecret.yaml
+++ b/apps/linkding/oauth.sealedsecret.yaml
@@ -1,22 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: oauth-config
  namespace: linkding
 spec:
  encryptedData:
    LD_ENABLE_OIDC: AgBfiwAdh1RD8gpzzVnF6y3c8kn5NFbms0T74pmj1aaFD0uQd/dqIxrvZxiBMzgqdrrVUCxRlpG3tiJYMpDEVXQPwRj8uuAizYFEP4uuGFpCtErjb+Y+aOdXSPRCVPbIqROiE+qswNT5KkJm6rR3FPckWipiQdzfpoq+G00MARKqzo4sNrx8+JzgoBFbS/tVPej3VdmDy8iceeVCQ2dJs+roRw+jOfCxqiUjHH5SyoZPnCTlmTZcwr3F9gBGEWGyEl0FNVgL/ku7WEL2COeIIE/2r4RWPqZU4DkPtIv/J4Dosxuw7EQnC5kzTgJGB/TF9Mn/FcS7iYQZKATvWzjC/cTdwZ+aG1qZGz87wM4fxQ05GhgEUkVOlGgxlzxk9BUL3l9Xsaa1KTivaQ4dvB/jm3j12b9rPfO2CXB4jPK7Pk1vKbr5icPXa8dyFY4hiJ1PYh/295a7ZM02n3ao4uHw8KSaxK9GxsCFBxr59q+6ZpjOGnTHZvKGfJHn3jEcIT8k89J5gqrlWjLqR50TEJj3jPZ3QDPN/u1Bf0wAoIOGK7jpnwIXQpacudU2pxZNWC2KtdZbcF9QzuOqKVFABmabdCkBtLa34cyZdweBaCfLRg1Ic0yxrWGzctnwM0Rfd+OzsEpLB7GHKllV597znF5QiK3rQrl5TmgHf0jC1OmMsBkNYCRo2AhYsBN5nli0dgD1y028rsW6
    OIDC_OP_AUTHORIZATION_ENDPOINT: AgBYHGF/D1tzWRy2issyi3oZjYK/m5cuwdlHuqboPBBHybfTwCkvSfWAL8FSGAgoLYWZEwwoGr5GDSCnAWfhoYwVgCxWw7y4IohCkUSrwbzTVwJxoRTeWIilzwAdH2zX3mZJVHTYCQiLTCjv+MPRsF5FZP4+STtgfecK5Fjgb3sIfZa/yazbN6jf7bdaR91yX2iddeZn7B80aQvu3jOkujPX9yCJz/H+1BN35CtC7KLhFrKgw6uvfQi3g90On5uBHwrC53ve4rEvcOgi575WBA3fDYW4RxNb8yxxocQOuqNRa3jUa/RIjOnX9tFoG/QIXY89DUSsgpAZFWIlV4np4KOe4V+xWT1khz2TPRDaakDumkNmE/sAjpYfGX13+88A0N/hO9o2aXJhEXOFZ5eulyAwDdIodMg6lQTG43OhdSZLFfR5TrnzkVR1pIzwPMutgf8jai4dyYK+SV+oyGeZosNpD484gzhjMGkz8Djs7/cADcvJVmGfWWYvjenlfvFC5lK7F+355o9L38fUeG2lhRw8NsPWuzsiH7m6GaSEfEPcdqj/AohArtUnf9cfF04tocPwCuNLeIgR42W+cfapD9g14sN9v4Z7g/5IQSqL2EhNR9xQMoIT9BkBEhI9JR518Yds/Z89Lg0HsMw6UCrkg6um1If80gjHyRa7JrfxzepKifWNn9/suHlhecaeXcSOKMCCFYDtHyvO4/gCe8/PXjyVc/SUZNBDJsDOikVvVJfKqDlEkimfl+BISzkMv5ALxGDHMRc=
    OIDC_OP_JWKS_ENDPOINT: AgAg+6Ty8o++uc+UfaVNtJviu1A771rtazn9pj7KafqgIx1xNuPtUBwGEScfku8glUy0bS8r7MyMNlUe3sIYfnDKQmmHBVHFoiJ0IjLZP/pV51A4fT2DUrFv9pnIemqjFD2jew5ToXhuHwUc+Y3LvX8M8aPpB/J+DjIIvgKQe2faHyWt4c24jOZaH56xJhI114LIXD0A7Qvq4O7UfpIUNfYSMojTH7VURptL18Mh1YRKJmil1PmRIstX9Smr3ltAG9Rw032v9ISdDmV+OyuhPo1Wk3AU85RdOQ9hZGMSFXQXFEqQUp/N76n875KDUMT4W57//YGFRUrm8w4oB+PlkjGV2pG7DNYVxUZEmi5UXwY8fTI+KljAZHSk/YOSku+gc75hWYXX6s3g/R6/IWmr9sV5O5N0bc3guQ96nnRmjuzb3HebM0hPfPS+6/xn29erTDETs1bvfCQ9oWNMomDsH4FVz5gC+zwrUvUD3Af3TVsU5g+lfOE83+pmMMWcJFn8Z0uldud0jR27o/ftKgBDmUaGi3zCQWJrYxtXehBy9fo0K7QpbYnLHvNnXVX9fGQ0PZNMc8N0wYZUDuhOv114lqfbVR5dHYoger4iT0xC+SHcWGgvyjqb4YI7bfnY+bnh8TLfuI/ttw1l7/ev79/yvjrtgPuBwN9ygUxENLR2Ur1Cc/u72d+ST4NIg5esth+y9Z2JdP/3+nlYctnyakWhEkUyBPK+5Iyacv29t1bMXoesB6Ub5WsXaw==
    OIDC_OP_TOKEN_ENDPOINT: AgBRpyDYbQlq7dcqJ2Gd+CfSRZRgvpuUsIngAXX85dt0dChYhQ/YvnFl9r3GqsXNBrWQBa0uE7t+uXxo+oobjgfSibq28kQBL92PM/s7OctINTJBN3q0Gdv43vnliS69/WR21kZkLuAmPne1nL+FZJXavIUF8N6CX3gKb4WMdv+Rl4AAmUo9vsB1C7mxDcS1CppUeJ8KdF5qkb8Xag28Lv2rDA7W9Ne+tNGFi4q/UWqdU76iUxrHu/Kfg6RD0rYlOaW+0b3A5Rvj5oU8ho1Z/eIsA9NaZNYBQjtGAk9fiD2EB9IcFi6kYv5zGZsRcPTzMv/35Wh+lV8I3mDRGcfkmzQsZ8Hcfx7c3zpemZqvY7LMgrvO5AatWKYZUFPsTcaT/mVFmAaVuq5PqeuCQhqekug3rdQxxf2n1cWMMnbptf4g19oTFKx3FtXImpPk97Iv9RbMATKHE/nnfin5/7PtQNn9VBBW785hzzB7cs+IiEzdjGu7MnFlKaGEoS94eZtgLSEmpIMeXFW6V0rXHQ6J+CUjBjiEpAh6LKsh4De+IrWFuzAYH0jwowuY2r4VX3jx+Yv8SFEJ5AfDYbvx8qX1zy1dGfsQvrAai298QCOTizLmeuJLMIC0qlNLZWrYhf8XzF2/N8/bC0R0Pyr+6Jxo8HrtHyFcnl8ckHycWosCOkQmQIbX+vOffOpQ6vYUkHM4MqIAiTl6G+bxjtxBZUTXvqX1sKCEO7pccL8gJZQ+ICN9nP785JAd4eW2JeGW
    OIDC_OP_USER_ENDPOINT: AgBD4amxFPHYQR6JWjNTsPM63NNI+f9DgZ9+whv5f3bUo7KNtB05vAYYQtAdMYJR+5499S6t0BYwOi4cNxQVJyga1bKogqih3EI/QlJeLvoFvDFj2wEMmCkT5MS+qemtPJwXK7JTHzUFX74b+S/a30/mvWKkMRHzc+G+E678/RDIScFJFssfJVMJB4Kp9T4y+v9jJAKZRixkx2lOR48JR5umXwxm+xQGaexeJOv0MZY4Am4P/nJcWM+Gk1Ka/ih+VAJRLsu9dgvShytQ1OHaAPMRu6H7Wb2bLrzpz4rTcGbZA3aTgHfItjWQpBV3fhNvyNW8QRbRFSyxHBC4snqW5Bl77u4KdMicwL/0x1JhwP6cx+/TVEyZ2n+5Y5PyOW+E7LXtiZGZ/eRw3xVLxvrFDwY0EBMqAUWHyQjwlZLctjxgBud5XDtT4athaNq5hnCELMepRI05kF+o5ECxKWoFXN5rXrwrlcgftCV9PTZbP8pkxyau8O28C4YX07J65G9ntV3VIg9tAXww6X68YHIQEdAgjNOI1soWt15q582OlhXBTTKAf/QU7mrSCn5FH0Q4Z7VLIsJwMz0orGB69Qxo/lLF7z+pQEE4PArceoLi7cffQV/+VzUBOACDdfKFiN3LTDuoMm6lvkAOdmzXccmXlEGvNEwLR+8Ac26Ld4fAnEFSLIJpwQHheIQRY19qbN5+cOa+RmuOroxWWA2P/8uSlp4kXVvAmPJOt8PprI3h8iRG5zBv+J8kE8wpI1scJdDr
    OIDC_RP_CLIENT_ID: AgCOGuVP8BVfAT5FRmmJLptdv+8vtppOgpzJ2LXU3vR3sjQE4MLKgWwoAyrnkAa2IMrsmkg5+pyHBDlp1AMba3OTVZmhyEVLrFe/vCiL45hEaW2l6kiwlIW3nZnoJlGG2Ugj4SX8YCQGlyr19vEFcPdieWlKpHfda/EP4xYhXMSzXCxFCtT7uGjgnBlrV0uXeFCezYGzvmA4SbDli7fvGv5H85cwgUlMdSn2ZIP3DAxQ8gP0ETF6KaOK5QVP0e/7kw9SK3oo4XHE2c8AjHLFFnmz/uf07+7LuOunSqunolbVy+Lm2mHHnzx+0PBmMYvl7FHY/TkBZaVjVaZtrELbFYaraop8iE6hFMvOYNa/1BFY1x0aeRfPb0jt5IPnuebllnEh4P7JUQxef4Bqbjp8u7P+uOBWnQbeMEp5F3rWE8qy09NnjsKPz87Jw9pb0aPgXWLKVHjJpArhcb6gTJLESCw9kgT+c0pYI0s3BYmwNkJ+6wxflvTLb5z3YyY5/+8/s3PgDz6Hj4tyA8tBru/KQwnBVMw0GhF5YwlZ4SYHPwVX+ZMj9UQc6swNsrxKLqs5Ci7KjvzEDUJ4/aW+rv8naoCiebIJrbmLB8iSqNGh90s1S9BJsQaWXbKYday3spt0eg+tH/iQgAnUAjd9RK3TxkkmWVjmeUc/rOltsbaIvy6/WdyKnF8/f9B03Pm5eal73yC7reFyGYiXvA==
    OIDC_RP_CLIENT_SECRET: AgA+Q9osGcUgiGsyPfHph3vGiNBjmL7pK3JlaE4PoI+eGsvb+3Ozf9KnfHSMm2R0fq/eukFn6i25MZ/mKYliVSIcjWbnGDFSysiCAwirKTUXoFUo87zmguNUPr8Rr45m1AIaJb31T4MKeFQRHSg715rs/6fKlbejUWUBZuMTN1DXkWr+00atj0JmmZPScSfRmwKNsHnoZCUWFE/DaFChpoCU4fCp5vL9P2LcdzsY84vue8y7Trg0e/LpEi6+DzSoxurE9jwjoUauXmZnOSW3jFgy+u5c9Oa3RC+IB/UUsmHI8eUVOXGdQsSFufrAMd1uyPRa2g+aCX0zX5boZC9dTGqaT+D/6xXnMFsvw5K+K4Y/QZ+j9ZHx0232sPCFVi2HaYHV51c2Xi6tizy+/0J27/4gvaVREXw94pmsaI5rt9sNDHoKw6LwkPO8heqkYzfIWhAg5vKswDn/MWAVTIzIubdTvrDjVWxoJ2FM9sCUsai/X7rj6QUiVTgbWuYYO0hMrT2Q9y05n68hWOmpqmna4/JGIE+N48h0/wAHLsLeV4ZNLJdJhQovOSkYsB5FIYPTuihFASLhE+uf8VBwSfYlwcWORz7dssAYvCJAx3huYZCSHrT4WPtLt4Ok/IuplXvVbZ/d6NISqE/g+BiNmN7r4DZQ/QbN4TD9t6BQESKkTqPHYIiVtZHdalgPFFSS8JP2wv50mSh/imjlX51ruHGQbVbIfZnfJGwLEL0KN/Zn3BMrNtMgCqEs3itnGQQnBchQ
  template:
    metadata:
      creationTimestamp: null
      name: oauth-config
      namespace: linkding
    type: Opaque
--- a/apps/linkding/pvc.yaml
+++ b/apps/linkding/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/apps/linkding/service.yaml
+++ b/apps/linkding/service.yaml
@@ -1,13 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: linkding-web
  labels:
    app: linkding
 spec:
  selector:
    app: linkding
  ports:
  - port: 9090
    targetPort: 9090
    name: http
--- a/apps/media/kustomization.yaml
+++ b/apps/media/kustomization.yaml
@@ -12,4 +12,4 @@ resources:
 images:
  - name: jellyfin/jellyfin
    newName: jellyfin/jellyfin
-    newTag: 10.10.6
+    newTag: 10.9.11
--- a/apps/monitoring/grafana-admin.sealedsecret.yaml
+++ b/apps/monitoring/grafana-admin.sealedsecret.yaml
@@ -0,0 +1,17 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: grafana-admin-secret
  namespace: monitoring
 spec:
  encryptedData:
    password: AgAwMLnsYN1y8JQSqgGQbNG/8jKensTDsEw6ogITdkhDRlJcg8HQ5t7a6xLzNCrLHLJiQW8YOoyLT4lvFkBRMOa2EYcrDvBiRD0PjygWLIscKa7dA+jpAUf/icD9zsiDnTym2yf+VUANcmEgE6DiNvlcsrcmYqiR4pKVUTDlKPNOjOpTJ3nXETb3/sbt69E0JSGwtkvusYQSXKLU9KLbciihv+ycdkdlC9xy9myd4+vYZYXSh/eAvyZeb/hsmdSX7yaASmupMvet6Qsdt99PNzFQxtbQH+LQvYalVZ8bjWZQvCN/p0bA4H15otKBfe8rtEwVthgvyEvo6TK0Mg0pFY/b3AOGFmImnT3rDmgG6S8KTZH0Jce17ksFqvELQmHjqHuYpQsPDl44glM8kWRJ9Mf/Z424LRwZlJNVcOkuVl4qFqPUjzd2rWIyF0RaD0BE012C0ThJxKn2l17lVJbNtdUiR3qNpW01ot2m0CgKd2kXbjDmgRgAll4WgrukfCIn9ZnE0gVCFLJuK3MOQAaipFYy/bDO0izwl9T8nldgcI8OfiC3NTk2O+Es5jJRXu0oJGaC3HrTB7wXiwOoELvAsxLTPxKBiN9mCHCMtZX0PEtrio0dFRQ6Pi5xPng0KVT0I9dvGNsPdhPETNOB913WEvbgP8Gt3cj016nCzk51eUsYbXPpNL2B4kmbIhecqW/8kwKQPwYjVlBSXj3NxjzwMY6PvOl1
    user: AgBqmjCYGMqy5zBE+vhtsynOvhWdHWDJDyl1D+laBtLjXTJwzRbNTdunHYo1ekwyqQ6Cr5pi4YMiLxAl1LIHF+Lfsp2QlY+ResAGzp9WgSBtNQDX3EmLDQofeWxMUDdMtMsE9wiKLCfNGDkRDsGquXTz+YFq03m1vH9cB8Bp+1ClWOTui+/Ce0MZlWsJZX1W8WXH7XTirtwUo0s53pc4AplUUH97ZEK3KSIxWa3gLCn0sAPDDLPX+JVA2xtpMq1XuVFiFifjzEtG2h0dejiF35FtSAR+rR4YmEfimk3QpRDfOqV5QUxvjCG+dTV49upSevF2mvbHW+o+lB6vEc6l9cZXvlbnMdaep3NmOsJcJ8wQIdFpFK4iVzFOTKSEbzLPlZ/J+sjS5vDXsfthorIO2faMA1iIf+I663zNxQU5btaK4TNYOZQlrFVjAmioRLkDhGZ6tDUPX/zMv+Crt+0HCwyEyhmvFZckDvezTZrxARSXXMKBVcvjHCyUNkz7ubZRiMU0PGM7fYuHr659e+XMRvj+LFA68ZaEIzCQpCFJenWWYAXgUdRG4LQ1LP2MwvRHpkOYSoRkHIpX7jOfhX82A60h/ta/CdbWifqNyL9OecvE3FKsZu/Kr0taw9W6nm6FBhQLgFkOnFrqp9dWnxfHruXuDBgcn0iE8nR7Ht2zS7hfQPeR4a3Y0xK3Plqbzdrb9HKnWQQhf14=
  template:
    metadata:
      creationTimestamp: null
      name: grafana-admin-secret
      namespace: monitoring
    type: Opaque
--- a/apps/monitoring/grafana-auth.sealedsecret.yaml
+++ b/apps/monitoring/grafana-auth.sealedsecret.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: grafana-auth
  namespace: monitoring
 spec:
  encryptedData:
    client_secret: AgCcKsnS3u2eI+fNVC9hAZ3QRFOHFErAzs5aQgX51CSdJwM03SZUoTyrDi5JPcHUVyS3MbevFH5piMhDTARMI3bLOjYlcwMbpf77JCPa7o95Y9asA/FW3lXicYt3biN9xBXJBz7Ws3fVRtEzyf6DmbGedT9gaX8aPwrUVbP19RdyJiuu76oB1A/jdUkX4K+X6kVvmoP/BWdypk/kdQJrzBNt00DIXF4NHfYey36AuhpBtqYZs4faA/tBXMXLE4RxPNtcHwNfVjnRj3v3qzNufD1fnweJvLq2UfLMrQjoR9XDVnM0zkpautylkI7yrvcoEH7ljnf6b1FMogOEZUfH1BIdqTd/WwrrlCqE58OPfJWthIfN+pQ8LvdHsGo3jc9gXvfXS2cStyhP06eTZ4D79kG+RtDQGOsD/Wpx7EcM6hbB3+dIjcs3wEAIGjpIVtY9JayW8YeRnFApMuhDST1+hscm+LdoGvaSTlAuGzv9BbVrPX/Fo9XKeYHlbG/x71Er+vF8WbW0wUa46MHLvbEy376XIdJDYi+vjl4eqznZ6YhvPbawhoKXT8ZcKUcUAjVcMue/O/jCSPZplbn3vdSCeqPTiqVqDw9PTMIeWFUepgPMxiGpFRAqdwIecFBnYItq0dXoGlFrZpo0S6AECgZjxzUR5EgdkdPlDDs2CN+d9yP7f2S+gmL7AIlQr74NW1GrTGw2x/rD4IJhunh7
  template:
    metadata:
      creationTimestamp: null
      name: grafana-auth
      namespace: monitoring
    type: Opaque
--- a/apps/monitoring/grafana.ingress.yaml
+++ b/apps/monitoring/grafana.ingress.yaml
--- a/apps/monitoring/grafana.values.yaml
+++ b/apps/monitoring/grafana.values.yaml
@@ -35,17 +35,13 @@ datasources:
  datasources.yaml:
    apiVersion: 1
    datasources:
      - name: Prometheus
        type: prometheus
        url: http://prometheus.monitoring.svc:9090
        isDefault: true
      - name: Thanos
        type: prometheus
-        url: http://thanos-querier.monitoring.svc:10902
+        url: http://thanos-querier.prometheus.svc:10902
-        isDefault: false
+        isDefault: true
-      - name: Loki
+      - name: Prometheus
-        type: loki
+        type: prometheus
-        url: http://loki.monitoring.svc:3100
+        url: http://prometheus.prometheus.svc:9090
        isDefault: false
 dashboardProviders:
@@ -95,4 +91,3 @@ grafana.ini:
    tls_skip_verify_insecure: true
    auto_login: true
    use_pkce: true
    role_attribute_path: contains(groups[*], 'apps_admin') && 'Admin' || 'Editor'
--- a/apps/monitoring/kustomization.yaml
+++ b/apps/monitoring/kustomization.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: grafana
+namespace: monitoring
 resources: 
  - namespace.yaml
@@ -17,5 +17,5 @@ helmCharts:
  - releaseName: grafana
    name: grafana
    repo: https://grafana.github.io/helm-charts
-    version: 8.10.1
+    version: 8.5.4
    valuesFile: grafana.values.yaml
--- a/apps/monitoring/namespace.yaml
+++ b/apps/monitoring/namespace.yaml
--- a/apps/paperless/deployment.yaml
+++ b/apps/paperless/deployment.yaml
@@ -55,7 +55,7 @@ spec:
              memory: "200Mi"
            limits:
              cpu: "2"
-              memory: "4Gi"
+              memory: "1Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
--- a/apps/paperless/kustomization.yaml
+++ b/apps/paperless/kustomization.yaml
@@ -14,14 +14,14 @@ namespace: paperless
 images:
  - name: paperless
    newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.14.7"
+    newTag: "2.12.1"
 helmCharts:
  - name: redis
    releaseName: redis
    repo: https://charts.bitnami.com/bitnami
-    version: 20.10.1
+    version: 20.1.5
    valuesInline:
      auth:
        enabled: false
--- a/apps/recipes/ingress.yaml
+++ b/apps/recipes/ingress.yaml
@@ -14,4 +14,3 @@ spec:
          port: 9000
  tls:
    certResolver: default-tls
--- a/apps/recipes/kustomization.yaml
+++ b/apps/recipes/kustomization.yaml
@@ -13,5 +13,5 @@ resources:
 images:
  - name: mealie
-    newTag: v2.7.1
+    newTag: v1.12.0
    newName: ghcr.io/mealie-recipes/mealie
--- a/apps/recipes/mealie-oauth.sealedsecret.yaml
+++ b/apps/recipes/mealie-oauth.sealedsecret.yaml
@@ -7,17 +7,17 @@ metadata:
  namespace: recipes
 spec:
  encryptedData:
-    OIDC_ADMIN_GROUP: AgChDLTJLcQutEytCeipPcd9KOPQzh2LiObcGcqSBv54IojcwOSYrdKODrF3l8IR98L4PH7sAvS756vlZy+UxElgtwa951zqYGwf3SHoBMU8fl3QU7ZG44vGHKAZ8+gi1ybDaImUW6xH3TK24PSWH8bvwjLs2JAGCUQ1hPzOQ7yQQRPRTRk8jbhDkBefy718eSMqTSrxJqakIPgicZcIeMg16d7pFMkztEuo8iZCPTF8XgDbY0HVJ/pGxAf/rgerLCeOfdKF1tJRulUt1VzmX4A7Votyg521twa6RIN2NvgJHRYEmMPTosrBO/i70OwYcy8QI3PaWisoId0MFSSYk+n1iCU0EM3pXVal5rDoji4EVjazcuRjZ+TQ4SZh6jkRrHGyDNtrs1w7Hdw0GSwb8ONoGPiZF+qU34kDQH7tkNZ+iaG5in8kwSbZoLH2vrdUv/2yNXtHGFM4eJNwcfwMqs1wbS3zt2c73JQ0HgE2c4ocy4iTJbtd13fouNH+MPFl6BJXcMjvMdUaxerEFZQhhdvyx69ATMyLsUqgodr+vSFo+uA9gtv5JPyiA8HPJPJ05plSBAS/QxaV+F9NCbmI/XG2MM/i55dy5dX3lLaTehDtZ/TZK/mVHlkue+4lHisrtXFL2UGlqdX/QPNX+ccZ0qLKjnvobflBPqPr0y35KE+QNOVNlup2mVJjMr/dgNqi6Xm34UwX4GaW9y5Q
+    OIDC_ADMIN_GROUP: AgCTE4M54XEyKP1cHcsosZwIp5GYcvZPIzb7sgOpvVJb7mzKT9kYFOqUkwc1eyn4bjqaXu6SJyP3M4ss3K7CgkNWMsSjBVrYpP6yqsREoWqoETwwecSxRS7hrK8pJb6kRKBKyLDd2oaFMxeg0y1lm9+ul4HwNL+uPcNLSX7KRue1Hy5xqjDNlwL2mzU9JVVZGqEW8FyvPCRKMPliQtK7WpTUbadKbltN9RKrRa4PqFW9xyBrg8Al35Xj7HrNfwt8YAUDeq+73QMLtbP3y2orSck2I46h9DKW4foqYWGnVh/272fvQSXDr3tr8Il969o5M/IfVzpRS74f4zU0LeI4POxT9EgBL2sALoKhxil0EZGJ3dsPREvSS7eccCMY8n0AQE8rOT8AHyRDhd8RzsCoyPoDTAJJWf4oGS4aSH/N7f6CvsMF2EdOSCghBWC7klfRFxraWcbTiFRi5ICxlFL4GkiB9svNWpQlCkiduR9RZTop1DU+xJK2XgBmTampbjlEiS+yf9L7tXpCRvp+vRcxHwlvsMUncIxUzY3CPTST6FrVOL0BMtLeKI+MmgaCxgzo6BBAUKBZSCJbJKLTrcnhviLJnxYXKYPah5ozfk5XBzcz4C7dWuhN6N1Uwa08nDtHbuN9Mj0AWElT3HAqf3naowVBeXgLV6vRNTwYOIVoqGhyVG0O65DpwuxUdFZMUBpmhFz1QTpAZ6cbDZbL
-    OIDC_AUTH_ENABLED: AgCC/9BtmP59y8keEx9z6f2ifXdatpR4BBSCpLlpELjSBPAk5QrZ5v50n8Raz6zUt7+HVL5CYsShGRPoVqTd+evEqDCbbY+0y8fu0Xrapcq2V0I+DBfOzob0V53HpIzHdcAEyGXEqhE9zTDoTlZszmUCQzB/ih7Jr8V0bq3AKh9n+y4REYsHoiecPPb1MeuJmp9mfuSU+dVqvW8GYwumLQmpH1+PrWeQvf94y48yMJ78wroR3MoUIrTPuVe0RCAK+A25ODrXSaT9et0qx4mzS+qW2Vjpyh7MiNQhJdaYrGHlcUcje9C/RRsqzFdwXQqONwAAQUfH21fxMjpyAD4O3pc5X31kZ216w4iTp5DlTYBH7Ci8sUySaweQT1XdCBTqZTd+Q1fkU9UJqkLFZZ0Vds6K0GSQlqxcL43t5jp96n5uCm4qgaEX7oBpz6CqYM0Zh1OsfFe3ju3IBaPLNpboY9BwXaOlnYIMS+BR7hZGWf45cyEjL5IyEQIfpCw9drTzwnQAkiHtWo/8gzgds9FcW0cVPNx8XQjlZYw/voYhFJZcpNkwk+wl4Vs6kHPwtYAhR7nHj7nyqyd72IEutd0LZSL2ICMFKQ3XbYKa7JZlKLeL0gy3YKm8D5I+BRDBR4AB8MrjzSkJR0C+FOHVMImxLIHblEtVoOla4xWbu9aa+fB5hUrJ9EpwSiBYJWQzKshHx6cvX7Zc
+    OIDC_AUTH_ENABLED: AgAQ48wodtQ11peCbSpBL61n28GMeMJPq6cmb0a39x/n+AJGOZbjcE2e/xdFu06J+ahHTehi2QtwWxlRBi4Op6sbjdn5cXkTZ+8vGB3v/JQZQzJpGraFT1WTPZ9onYXTLl8iGsZSteF3iaxSOMzLswMahDvk/DCNrIY78mkTpqSC3Pggf9GnAWTQKOnuTFYyStBaL9ExyDBiJkbFahm/bC8h7QG9OXD93bDQrApS/W6LF+3CU6TOKj1VXmeVuMpxGdasC4B5ShL9kvBz66i5P7BJYjPfTEJfIACIFzZQmLJwxzfST1kV0urdQ9PZmcvQLapxGI4xUssD275hSPrUE6XXMLyo0BzVEBPq5QsMW5UZB1sOPQMcIajdzWagByFJWcBU1mFMwJXVUHQXlsMDEl1pDTGbSS660XCS1aAtmVb19ToXH/GIEkWlohiNpVqI+D8ypoAwMzF1FnHGvyxF6maHV4vZA4zDE7bT4S+E6dEmXM2cc0essUDlbwgOTLi/3fuqxIar3Dub857H0B9++SeriHrSUJD1A/9IOZQQNsAOwEOylK+9BuyhHYFVzk9l2lKnCRYqif75wusyoly+4yBS69LGzg4mc4Bk6LejZe91VnZLlZB3M6fZzS87qWoSKuEibxJ469KVrCPNc5mn33gfg5nW/05rSYcBnl1VazPmA18sZyX1nWnQUwwErg98jGn7Ft0q
-    OIDC_AUTO_REDIRECT: AgB6K8H8eDmuaRhPeeKVtkPBzvtdEgNzBeqBLEPOW5tE0YiWT53mlQaW8eMtCUI/yvIKY8Tjcwg/CoiAgtboalS+HoJ5vUqfBBgeqYRE8xdRw6QJhLjKIViyg/wsTp0epmL50XX2qg6FINVWT6A8P3OXmVP+kxxr5dZDJ5jT7Af1j3XC0uGZWja9DWkfz7AXiUh89kekGqO4rkplQIBmPOUl9re1D5JFuL7mCmqBo4MNHV0baf451+XaOQF5jKT/luyHkvjs2V0+YZY7BvBqmqg3Dt+buAMyFnXAziVgcpSRzPQtGSCq9WJK5JsDfZltTVkzyJP83Vb3fPtOnBs+7ZWYshOh/1r84hbdEUOjTec9zcYQY/1MGc+4t6DsK0st03cNYWhKBBeN8nmUGMfca5kGWnRx5nJ6rjrF+Tw7yXJdjRiZ5Kom+VwcBtT7bXsxpoUYqAY1W4oUhpCrGGG6431DbUbjWMSaHPDiGdF6rIMD3OmbOaUxGTooCvesoRTdia9pO5Jk/c694N1MVKW+SNInuyZZ3BI8oxi74NV1zZYwTCADHSvWShuqCkZtnX1Rz1kNlI2e++HFnObvfbdXSyDymwJ0WX8rO8sXJYzEkJLv021Tdn64+1jBKviAi7m7FfS9/E07AR7OWyEjv2KYgxsZMC3KR8mEs9WZYYqkvCuKdWQofpLOTjkMVJ69X37EKUCGzUvr
+    OIDC_AUTO_REDIRECT: AgBuLoXhaCs86FfeiagJQg2bnz99Poebydj212AdXpt66Lx1nciFlJMzZ03ahJiF5T8lalxPLSzkHnc5VHBT8yRSrKe1lCisDmXVv9SBBoZHntu9zQdJeChkkHImxILlJVZk4steD2CyIBDj2xjbjUfRjFYJX4F1WrzSDXG4Vf5bal8tPXNuqbHEGfx7xw9CRetMD4cfDESyKl7FgbXi4vyLgGyNTnKTAvY1w72Y7WKminiScj7S39TZZIVH7wJyvvsNEv7MCgwaPeT+W5pNwpx34oqfumTHTeJUwQWccwCnZknhOl9jwNRJ4cHFAsVArT1yvjLCbMir9p1DvP2w0R/A8CzPgDQxbJno1QKeGnw02YVlsYH5KiOKkQQdT6/kT+kk444Mg0JLPbG7XZSUZXGmVl5n31DuDFvTGum5BQOwFzYfOim1MM1OJyFiM7XuaCZCzSMNUQHtLGv3kBHZFhIS5PXqMjfdV/RAv3QhZgAnJzGYLEDawOwy4KwIXTk9b55OX7AyEwQzwMlJUujg/+IJP28BH71tgVtgQsVDnWVT2GtWW+UMamXhqh+YK6VD2BZ/81D/p0BEGq8m/dweP/qv3MK/CGBjgtIFOHnEcNZkqMH4HhrxFeu6fabUpT6+C5cGNyYJSEFpbUqjJRb7vBPIu/ewb8Y43SNikzaSp3/1A2LtkGDyzcRckQYTuFIiIg5r3jcg
-    OIDC_CLIENT_ID: AgBosCGO5L+/1WJIGaNA4Z6vbqJL57JtuRXQDEICAiTJns4YBqvpbiIg+LZ6b5DDwHi0uq/v1yd61TV0+A6U7t5LYjRsywryseP+vGycDQlPWIBAegs/gVzMspNOrJe+g00VEfbrkZl9U63WMKAVBJS4Qd+MHzgnSxZ0IFMP/vaSE7JQ25LqSMjWs/OOBF4EJbTf9RV35/6kk6VpYIOLlT9Y4FaFwilj1Fve7YROIms5RykrLeEhIw/XeKjviyZqbE+rRsM+3lo0FPwVTruTGNbqLBrYox2FSVK6y+xPp9IHREu+17gf7ROLSj8PIhG3Q0mWOSfdv2qbB7RxOfNf4eGwy1m4rL+DDwLU/g2rZNnIvxa2C+l927ADFj5fJCuBPV9o8PtJjD5zsE2wpdqJ/PJMpg0106LylewH662hvIYL3u5s3Pc3mW0jPElgygnZYihSRxzxvEYdfw7+gV4alhlU++X/C/qwbzw1g+ZqgbVYH/jZxixsAu7fOiFRW2G0qkvnKnwJstnjs/Q81R816dnRylETxtINTpyvSF5MAPE1g0HL2Ocs1rOqLsL68FpPnI9GgOD0bkStuYSq+6adMyPmJgyzOqa9sGjhQvrLI4AISx0YVDZLaG7UIp18UF9AFQhImkv6hh8jpOHR1sYmmWKBwbyBJHtEpDn4/RKGjb2v/AHvUtZcE9TAM7kQeP1fRWPXPcA3SfF7
+    OIDC_CLIENT_ID: AgBQiUtbuXKJABinO8VfjQ+yIj0a4AEvKboHd544CxYdx1OfZd0DZLsKpkowZS+Wl5QiheC/+8HFqsRzzwKas2i4IyOpihhSW/xd6X7XjDtu2Tjwuol1oRel5AmBpBj6Kl6zTvgLbHE+iUaJi7u5f2Pw0w2vXAJWxg9nhOFVEfTVtKaafYqVVXPB1KTqRPzwR5zsTuIZToEx0BvA95yWM5oKRPnjlSLk1vHMBDPqdgUq+7u+7qhj7C+rvhI7nuTOWRk0NzsELBl3AyAg82w0r+I9H7buU8OHPEhVOID//UIc/wL/QuaJNxeFiU+rM6K0CD6MMGQanuUngaEr/ZpEdxe82hGSuaLik2mWfvG4J4328a1bmmTT/JgPPDQW8Xtg68Tsqj9zT4rfaVt/+TttMMgj4oAFkyVLGZkp1sfgIX5zT7gHc0fCusTR5gGNLJ5PmHyqCu9D2jP1ERLRltiyXH6wms8+aACj+wsmo1OKUjmqrtqtAWNwZz2bmOJhhUgkP1mPz4o2LeECjBPPv9uPWkMb67ZUI4+Qp8o7J0SgQt4ZlRqhg04Rh5MxCY9TvbhLxQD5QqTktmGYWo6cDVnIEIKd/XOSG9pBT6bTGsRLicgRxjDwm/0ZU1Y3stI6UhONKYA1HG8rso8ZfRLvDsgp1Zb8tH/GAw+bl2HkOw1DbyFXWeRxau3RPwTym3GYjFgWZhP5ScOu2Rjg
-    OIDC_CLIENT_SECRET: AgAI7LDC9J+IQk6qPSxs5PSyr5fKAflxBxfCd2IcjQUKc4mCLzWdcQkyxXuOqLETCpT9yNFlRA+g0k3Bc+Sp+Y9rmF9nS9EyshezZOMT8/G5bacEBXgxxlqyTQUqXp7FpKK30lrBvxa56xDeatF5G6H68lLfJ86K2FH35f8IvRJv+GqFrOQ+PL1M9Kl+N6XpNihy70+jpDornbNpyr48yFawAone6zKg9qFxeJ4FHPL5wYrS0r++JoEoCGo4XZ34mPHQ1jiK3wPiiuGhf6dbAvh/wlCH2+ehiTnOQwKUY5C12gVwafOrA5BRI/TBjlTrAEG1qjxdff10fkkuFaa3Y07V+lz316H1+8xdzPVNDN5bG0hVVVWmj1jAuqUnOqPEfzPOc4jUFVom2wSXI1SS3n1oeDnTiO/5vkmTRcQZdGeuLM0+StTtXHmbtrfU6ZyfdtKoZ209jR997pYmNf8PrDbhKtcvJaxbT6RHqXpJwk4fKtQeLInY0Pl0HSg3f+OVLdikESgX8mJm/nGJxwN/y1cSjLawMoZhbvHP4aWKWokLxAvX4pfUfm9iv5fm2pwQ2eWWKAI0P9I1l9Dbbs0u2HC7QLI3EsJFQ/D1gkhall8cLPQmg9LnsXpnxnKXtIMLS8sNqE5TyXTX1AvFJz79dT7nezS20TLF2chZ1ch6tpM0n7JNYVaD5Rgxqc9XFpUvJrGHYjSR7twjXZd0XRVXCOBKWwe6aSdPi5OXtu1tBvvXTjoqMbQrGgk=
+    OIDC_CONFIGURATION_URL: AgBiXJGc7WugRqlUE58fVPkkKkka3G39lhajhuR7EQePZ1HdE1D02/XncXgRO0r7C4kPAX3oZ1Uczo0XAMxQxAZye9NNFNei7E4rlc3BTNOOxCc2Uj57DjuqFA74cHcjs0xRCJ1KVMEcGX8zdG85v/qEI9Oru7vQf8YT3giTKNHDZMgeyrbCMFNS0cyXniseMMVIkiX0ky6TfcFdn84bZiqJYwXwnNNzeM/kJe01NvEe3DuvxZTEme8LNkie7CTgaMHfEYeXZWIh+JqkIPW+48uDYe4ojf/Ts9P2jwzf6qW8XyqwlLti0MxoVH6IqbLbJ9JVJZ94WNMm2tcjigD1eSV2klNxXYZefyqqratQpfi7Ou/KXdfs9Reijj7dtfZDOnztVouS7ivBLlufqdxgyJrnQok1MxQloZs602CBPRDE+oSHGh5ean2wbJLqt/Vl9NxcsFZpWI4tazZ0DUhD5pgS4MXoG8D+RXIz4++nfn+XhYhv84vP4VJh6kCF84dKSYDFUKkAMGJSZRDCcs4jaORO/DZLUUnytnOHV8Mo2ypfC9KgETdnbXWT7OcdCQPesABE/l2lN9KDYHxL6DqE3GibmCqE7yk6TOF36pmVeEsECeBkmcl2DpHVu9PRBiwO0YVTGUr9AVmwO3vAR+2LAVHkDmU+jn/e5SFHg2dkEpWDORC7Zn4vZrjy3pmTJdxBthVwTYqmdnWk4uvppyKP2l6MBtaVPqtB35sDuYtLGSFV1FLBJGJueW+Kk2cGbNxJJEEhBUf6ZHCDWLrZEJPN
-    OIDC_CONFIGURATION_URL: AgCZnFFlMYEQgPBXanDrQRdfPad/xux4wIVXpPfOqsDGzWSYu0HYDuoO8cETdf0fI0dppwAb9167Iz+sz9t36b4jb5X4nXTVWa4Co90s3uDwRsvMcg1dNMK8EDABxlGS9XThwehs6qXyYSN06CF+SyrGZonDgVcXb0pEW5B/EHFc5TwRrvYvVe9z8v8JbNehQet3HxXZBepkuntI5CzCkCseTvOiKV6oohr9l1DaK8e0IHQdq7XZshdZ7/CmafVY87fGElC5J2nhAML10fXHwyJ8HA99mwLFIvBLnlAc4KnG3FS2uysvoKrUs+GPXRgXMBlsL67upV5jO2B7VKQRpy0VcO7oYiwMV7Lc9EkOOgVNghIKGkCVQqN3JOuaNg3vuJlutDjLlDk+oCBP0BvYkZ1U+1NmndKRG/7YNXJ+MOe3KZ2gWGZgQLzpbmQRq81FxTn2rSNhZyBsMHyviIZFqZJyXnln6xPRIi4uuxtRQY9PLVcwHd6Q9hi6n8QGBYNc+AEsGwy+9upkZ6hpyo4hcOCJi/e0aUH92+Y/feNGYAPFBHP1sTHP2sEbVFISQadDdsxQIvQvaJy0J9+UKghz/qAsipkBYc2mv/waJwlpnFqDoCTOIkIadutyBAehkXawNsDXcWPU52hGpQ6dQQKCIxsRKBO0JQsI5rFf4jc/PxfSUYu2Fps34mmMggAb00UBLDb2arNdI/OcSirZ04XSp6G7Eeqn6gfMfrrhnnqpg7zokXXNMcLPJcrV0jHflauahmft5+LnWHfYVa0uNAJP
+    OIDC_GROUPS_CLAIM: AgBjsoq/VaSx/P7PnODa2TIiSy/noUFrVmPuIPAyjoZP/w62zmwTqy8Ln4yRKywmsy+n9CMGgauUzkEU8HSuWJ0Moxzt+NBRpuA3nL5R8b0hMsdQXCvY3L5zqyvPH7hfY1LRVcM5cVyzTR2CTVUNbO04EeGaFt8Mh8tsmyHk+Cf8VidbkeqgEpee8tNO638F4xQGx9aob7H7UVKOou8CdpOvH3zsNFzGmSbwv9qm1sgcTxkZkjt8cGH/c4k30p8szcMFQmUK7dzrZAma5bDPg5BuwspCnRXoGVWLYN02jHYDg/08qLpL/vL+pPpChf0DMB4j2M+s5EDHnbcfT7S7pf2NkHCnWINCJSKLMUIcBSFXXEkbmSrHo1Ft6aHf/i6JHld4CT0dQs5AyK68mCzkZTWoHU6MM8+/3/J3J/TWkSP8HOyBY3gWPOU4hYEQQQlJp3T+mnnua70mo/vMr4CuZFyxLjz872CDwG5WfZkzJxM69s0XRkHEmsXi7VYjn7NThrqhh2lqbiIIJNpAemjruRl49T3gtfstVdxfgp3dfz/H/4FWRy5KY5XDUjGwYBXDCpaEey42CFSiT1w9yXV67emahUwKekvq1vvuz2bWzaTYGtCW77WzCO1cC26hORPAYbZZxgSeDgWmxMIhJF6tVFNSAu11rMjcMUKErujC5cKWb8N4DuF0H4cQv36SESKBdVCOMPzPxDg=
-    OIDC_PROVIDER_NAME: AgBI3oFosMR5sPgr6JqFPJX8U8A2XNNYpZ7C4XIW9VPeczIU5NUNQaePowps509Y0ddHXPwASr0OeTgIVU2Z68Hg6Tpj8CehL+P+DaFMOqMOub0qmrakLBBaWcaXprQi2eys7mP9jqiC4iMx23w1Yen9lid9FSjLIEpfLE1VsPzAUcrvGMW8dbgwchrxKnb0HG0e/bsyaLubzEZWHfPaUo4cSWQf4KWAhYBlfZQAbNPkatOskzKw7nZ03X6RI5oub6hjcBclRjMh28MsExIRJDwWtB/inwLpWEAiPOU7xQmjQJdC2BqmKXHyTk6Z9rnwgUjG3pgH74mNH7/pF1ekOK220JYTbMa6Uga0r/v971AlC6RBEo8kuaJ/xptSdHp8lfg1spJ1sYobV782+zmJ0rc615BsYwef4lcFDBSXKnk42NhUNY6OORNbwD/tW/Mxac3o1OOoe3mSgRnFXJLqTh9i7D6kN7TiQ8HXNgkEfZKoqCloKo2TKW2gB++hXJTiZ1ItocaDPbPSIaq3LJsIw6YwwkXxBQeOmZhYLpaPI8dHjn1h8Jg2CPKNQJdAossrsHpBrEM+UXA1HxVmUCv/q5WIum+tO1d7sKeCuZ/g0JOcNK/tX2+tYY5fDT2G97GrXSGpgZgIfhYhWStYfkcOdB5ayqj0ncadZ0uJ3akFWBLHAr6sYemmVtW+BYbMLTTjlprGq8EIu3Kyqw==
+    OIDC_PROVIDER_NAME: AgBHYuK2JYedcaHwDca/c1RKzq8YgO9cJ0lXPY2+ain+lwFJwZ7oMOPevVOq3RoUHznEYbRxKw0CLE+110NFr16bav4bn4pXRD5CeqQDAWPIxxouu+w2NgWijnqfKnVYrtrprQlfGO9mYsZiEGj/sbftX2Wd73L7oXp/6Ab+28rnxtv3KF46wXo8yfqzOGf+QRQKdT+2pv58zjN3UCGrSANirLHvmY8+a73YiVW8/xuJZN4og3JbPW65FwBpgnvQCaHKFTbPyPIpILx7sKz2yxGzT6Jt2PeSjdwou/fT70tmrwOVucbHJkKUsd/jkI0gzRPLr9Fo5LcALAKQsn70hNQIRgTFgCy4ILurJMBKeYtHkNMdnBwKRh4NlTgJB2vNXq604480ta20Z3E2m3DUxW6XPFTQN9uC5/7IT0e/F4UgQai6HENwAqIPGuOM4eKeouw8pr+RoLMI76Z0B6xWhLRqxrZknzwzOngpaku8w9SeJPkifSFwxxFjacAqFrMwLGT1kg/KIJcBa3BUK8gVRLzqJd9hq1hQtavmm6T3W9PW8yCG3IP4b/Kxsm0+B1pXSaFC2a3elFu5lgw7JeJO22NwPmCUw3cX/zfYcn4u1MSsn2Wlr5tLNwjfpeGXb0w9eGStEZNKpj/OLo5W6sxdO1PIdCRd/IdxFuDd3q3G9cJTP7aMjeWSQhr7bzgzx1K78zZ9h4Qiw4YXrw==
-    OIDC_REMEMBER_ME: AgA0vxQG7k6gaMmviyTVccCkIl4r37YHX97gO8ZlFtZFhBNIXti7Ocn3R2paSf5J4A7xT5Ml5imfdn1jS6XXBM/z6oXA7kvyrh5V04vcueGXtOk6PSzdqMB+qsmZr8VuY+41CllUwXyXGDLMCzQ6tA9K1rdLEQoA8TYdDi3KI91vb4JgOTaAum+JHXI8N3ZguzXyF7nTR/nTtoqvKoD9b6/B69Gu7FDuef0AEAf/aFYQb6JSNeStKbYYyNjY30/MdECEf5Y5kl6mtAT54KwNiz/GF9JMKa3yAO4XVc0Pq3Fo4BoptW/8yyngnhrjB8c6/LydTbwQgrxXO6JJKOnLMMrNq+llBNFyBqUD3ZyVzY3CRAetL3loAdoA+zTQCAKMoRjL22m48yyxdBSC9Fwy9crb95DqJaEQa1M5UrDqt3uWsEoJhrT5dUUnC45N4Yk9/cTWLMf/xSqP9tRWVcw4wyU8b/ptuCTqq6WvMVeS+MCLCnQnZB6s/sdFQBm7x75P2llro7iwYp72YRAfV1jZavUXc6XxdVvvyFV8Q4bNRxLvXgjnuvD+6STTmqzlceVkxcv1KvDyvjxHtcy4qxr3dU0h+vmo7kkTFfcaJpmIP4CTVc+lkNvj6FvkXwtmiW/RMG7kW8ES7I+tHSD2hJle8FWciAwP9iZadszTVOSgyx+S7alOXGczUDAe0bpWqeNnIBkJYpX0
+    OIDC_REMEMBER_ME: AgARqfhGDWYi0iqE//vNsJfgZBYJklJ7KUUHm3GkD27gNk0JtOobt/RlE3UV4cBGkstjGQkEGldkwshtQk/hAuuu8Qb9PpeDxQOUABAFX7NDcr2hWnDosFSShq724ycY6B63vjzahMBYEGo9tAB07VPy6RtvZDH5EGYcubfSe2GgX/P9VcKq64eO2NkOHJWc1A9cPqQGYqFi3YZkN1yaix7kRW7sL627Slv3nU/yLpFpEwUi9ayzDBCDxfiBZoRZh+Gy4VpD2S0XmTNYgr+uRTmFxEm0gL4qvualqahssswG6x+l6S+KizbLOkhNmLtZ12t166mZLWlzUPQKiJwEiWUK5DfJs2LtZCWyqVko9972df+buaQ4yPEBO212OoM1gF0P0JaTJ7TNzo0hhYxDIBZPIx9RnG7XzqI+sccj/OLQMeyB4p9gbbKHP4YJyyYQTSPK3dHG8BFdfUDyyq1tv5IkzKRHmy48xaumN6KCPsCqrpr8j1XL9oLPGPtDgf9VRjfp01FkTg9ujskxjnfAt6fNw8JThMyRUdInagos8Wh/qxPPV33yN+EvQaooXxq1FhvZtLVAXsErzqXnNbLBmQGx87IpBT4KMpXBWmQ7+XaiFCWXQ2pdXRtwL9IT7c6dtyCpUpYtlVjYuh8L64W8GJuRUjzg6pRbcw0205MFUZfWuOObAHK67K+ChNgzzsCCy4GHVtpp
-    OIDC_SIGNUP_ENABLED: AgB/TkKgJ1GioaGCvyXVA+RRHJ64/KqBt19dNm3LUdxGrhQYOq0zDmNET26w8FneYXrP4zH3IY+ZvXkS3L5i9PNBXkUGhXaoNXPx2KYm6c6YeGkrW+sDlCVPFx2zypCIgXNpJHiTIb2vfZHTyVMvmpo1m9nlQVfdueFV5ToLwt4pWR04VYCzXoaSILqJAuX5IBkhac8hsr4yc6u+RuLhtDTmziB/3+/FWA+Gsv82U8CNDBCMAyLZ+439F9aiJv+scOzVzzmmIxfCz4GPzfiTmMcwlsAjqMs42C62x8m+yoPAs9/Ur7f0p7JYE8fjYQbWP2OliJic2Nm9KaS/o8akojIKlIN36Y1I/srimuH9LbuRJlwRQjTQ4qq3quiW7Z/7Tgsm71ISPqeLUHO2xR0714MnDMW+dOwRoQzBaNZepo2aEb2DhiVzT1OLsSeGCs6UOTau9sjd5ow+pCBZWUNPAzrcskw4cSfoHGfWiMf6wytCp6agiwnogM9wMAdjFXi9VnHxNmn4oViCmeg/y36z0RDyW1p8fU5fv68qWoqiPH5lbzJUcKDzW9HpfcuaGaAKJrr3RbEqdqxh6pc8hLwzzCo+FxiX/UAnMd+2BCFWzEQzWznyin2Z9vv4d7dYYiKRmoLxNQO5T6xSZvv0DYd9dhSxy8HB/viZuBh7AiprORuh26jCotcbKZq13/x5xC7qm7t4WQzO
+    OIDC_SIGNUP_ENABLED: AgBju2S3K1/i7oEsF+KyOIAyduYJMqA5c/spXNVDtFDgrf5+v8dIa25b1LyNZWctBPLZrcuviQtY3uJWgBbY4cKagheBlwN/eCijghdFLR5U9iFNJUv31zkmnVeOAZqkLKAmO1fmHfgqrZ8+UG5YlaRXcGsMjtuCuteKhF+/ss8VxWNwsWVcJc+xcfK11UG/ogrQ3+h/Ii1RCiS5WSMmQB3uNRvyNQEdDJHdtK6gifK5ZHboHN36Rx3DEzyr3eDeIJasyYgfDtepTBTyw5cb/7yFhRMSraHTpGy3uxJwzzNL1YdCi2EHyllJMea1/AvxUQXQAxD3zOSmNwQdroE8NU/Y+Y/vuCOLVrLeveHaTUWvI9PkIlIxbU1Xql7UGf7s+Y1PTnG7aXWNYNuTCgaw03TO5bhAPX1tBubVT9oVUZgjOH+XGY4nImtBOt/1bJ2xmciC6t2nt+8lUxLfNuFS/876vJokYtd22YHGqHuGSLhAdWg7LcwIilx4iCB3OY0ORBtdE0hDOu5KR282vRqGu5vi977k6kD7sL2far0fHjpb8rOaJqfy56UsF1CjClqQWB0F2vPh/ZNjecC87ei0ds3hCEhGtXxYYdJ1u9U3lZHyvA37NxKaagTHZCmhgs4M6Pdqm5YjsO0iDorv+aBnRkZysqzdG8LPuZNy7BkqxejW9icS5+b4TeJgCButl2Cb2RO77tda
-    OIDC_USER_CLAIM: AgA/FYOGrV1qHlvdlJd8HNOdG2VlAVTo6nEoAtJRn3G7z3OkexS3O51x3TsiIhpKliaFl2/ATZFk5okUnUSeoibqpxpLNVMpVF6VX6IrnjxdbtznGpyz7sIri9RvKZwTpuDT8wNrJ2q7t1xwvnK7QYxKzf+rIkQqcSzN9k0QF7XPE7ijeWSjqMpbjRya+vxjWR12L5BRmtUgjrm7J/8uRMkVQQtl3/Y0c99qMwj91v1F37RejoqOLC6OFdCOhVvwatq0C+y3F7BB6Zl2EQBYoinVuSfmlJ9rorSyAeNeeVb7s5vm+WflB4Dn+taJAFCuGiq7DK8n1XDvkW7kThlJckdXBfEiCOlzYCSdiJ33ToV2mWo0zSOZC5UrYslx5hhzwdb+Nw7/74c3g0TeV8doLWhczpd38eYEkYrFIZdQdBtwK+Lwlb7Bq2eT9X3l73uE2ho+u+o2o4RtQdCw00TouBJQBf/vhyEfk6eWuhHikIUVSQAOm8mCKaOseH+m0RMrpbDDRbl7pcrozSUJjP1eygTVPJwQF6uFjIbvNHsodP1ld83HTR3vMfwfwwngocEonnayUDeYfk2KOdWONUFmfh6k6miULhNr7QVnTit6b7EwsrLuu8UqJzih/pINELf/mA2oliD2TCQH6WwSu+G7W/BjECO2ANyJE/1UQxQxaw8NtmRtcuIU6cdHi7ow5ENYLnYb1GXQBH4TGGZgKBaBGUEz5gQ=
+    OIDC_USER_CLAIM: AgCKYNaYTjJxEFBsijRDPNXRH2nodeUMG6SBa/emB6QKNh9jnQISn9poaZXZ8Tc/xwy1sLJ3m02x+Uh7/PE+A/jiQ26uc8FVvnjvzzUOaily9Hj+xgKZnjQHmNpxPBfj3pzomWZIEoEHybsWGrae1jDzIBxSeKbMYgTGfwJoWt9n4lnQ1Z++Z5/Texp7o+oV5ZJqsEqvjebTUT+nwWaDicKpDA/QbAjD+ysCim+gh8q8FXDCHZKNgD4OcXONTpDR185EpBYV0EKSMytlz5bdBSKHxVUACTATjf3WrFDG5NtckzmJA3bA85Xl39Jxi9pLP9D0SLk5cSOLkwNbLVL1EeQ4Q2FApXcPGhmEAgan11HQo2vJW3Dsn1R3G69zNC2ArMC6Dz6pH5f8nFId5lyTKsQQs25fCf/BV2we3910a9hGKAEPdkp27xGczu0mBdo3LLWeiFaQcDo326N2pqNm3119mdCdu5I7rhjGGvOLZ7z1c8XwS9NdE0Kb3iQZLqu1xr/FSeQZLd9NNF6qYtyFM3CtdqKSgdM4vpsRkqMEiZA84u7hdglXohuaVOjIaQD66bi0He1LemzyzRkRD57zxdVSvubKIQmedNpeG2yOT7pjZqVEk7FwWPaWZZiK61UhBZNvGXUKSMEWVJ1DIr9QBsK2E4/EGdqWKa/A5+75PKvv1TpINTw26z9schtduuPfaGO4Z/2ThfPlYFwD2eoVMZpAYjI=
-    OIDC_USER_GROUP: AgBIMaa7sVROh0jXJQLrnKVKzCRg2Xg55d4Xp5sQFQ/hBlrFwSE+fj/Irx2hGx8TiuotN3wG0dIJgxLt2IGcXSZoO4iABz6tI88yJgP6InRjU83qxFusjxljOb7JI4Vz/OV4XpxMEibcv+TF2z2669p+6hBbdgGwWAO0luCYPKgwTZWDZr9J2KOqCK0rs2uVtR//UnfUNTM8IbEHDxKJ9aKmB3Xxpgo6xw5ydx2V5J6juXF7gZbthGapgerEMx0D+cdCQwyRmZZaA03IuZbNqgouYPpMJr15vCGsyZWM3mOJ1GOBSnZVTsubmd0WO199LDognEjKNTN+IPbTZUp53zMjcFf9bCfHNZe/+bTs3Jyb2IEH57OAjuMhiA8gU8oBPq9i+CI+NH76MTXrIKdiLtUAfQ0Br1bdR72AmWNpaIC2cGA60QVAtTvHtr/SZBkaQos+KpVXeHVG9WiK4ejfVkFX5r3EjVxPQFs7sGw4DCuytaNjSM66vWqsodC38bKqB5RACR2ApDJXGgQtA5L3jFHzV/Qb66S0I5WsX1+u3E8Sx53Q2/xI/MKnK0VrLy1Pnlrb7GWNyyOQJhB764D8UwA6ElTt29/IkJu6c378yOGsZSNMd689mfoPLeYhby9DMLgQOFMRx5euXIzojpuomtuclP80BzGUHBvLKLKZGLf8HiN8ko0X250MdAouFa3EhNvKjaQ6YYa5
+    OIDC_USER_GROUP: AgCTGx9h4At2lcx4tN5YUBN2PRHG9ex3curTTq4kid+kKQXRUOYckYC3LNzC7aIbJ8byhFHtJVF/T37olPkgJjWzPN6C16C9eGDv8bgq6JnG9faveeXr2zjcceZ9O3bSb4sRxlQ5Zke1Asc2olYP/H6br4VPDdKkDsJ5h5/B/W/dd9FDXuPAbTp32bK/l+3YStR4Zpmaldt4hostPu9TXfE+UxJqcLCFMtQuHsHEtFV3Pimt0XIkoNPsodpKKoAhje8vNwk5YYSlhzH13XgZvKcP43z8bfekicOgRNM6T27sVGRrFM4sE635406sOXWXbxJzwlBQJTqajCtX+tAtei3LHdr0l1sjjyMDzlREUq6RYt/6klMZrLW5gsdma769AFA76JX+e+wjekmv72/aqUVn9635IamFM1J6+jIWKdWo76vJwzR/EisO12vkSbocSoAEsUxc3rGMN2aLZEvo0LjsjENKlj8fNxog5i+4jO9Bc0AXEQaFhlQwPdIKlylQPhrSiW/cnDG1WemDn+e77a9NiOkDxMXGequzdC5KyIeIrSjITXpg1MQNa039yIKkjfVL0uMsH7OL7+qzKPSPm5LOABBxKducSHHK4t364YD+8e7KeQStHjaCTpcxgf43at4BKuQ31Ty2bWfpMRofGRBvJPusgjXrdutNEAIVrzFfW11o0Yx06U7CRF5198yXHCig3zKgxgQW
  template:
    metadata:
      creationTimestamp: null
--- a/apps/todos/deployment.yaml
+++ b/apps/todos/deployment.yaml
@@ -1,43 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: todos
  labels:
    app: todos
 spec:
  selector:
    matchLabels:
      app: todos
  replicas: 1
  template:
    metadata:
      labels:
        app: todos
    spec:
      containers:
      - name: todos
        image: todos
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
          limits:
            cpu: 200m
            memory: 200Mi
        ports:
        - containerPort: 3456
          name: web
        volumeMounts:
        - name: data
          mountPath: /db
        - name: config
          mountPath: /app/vikunja/config.yml
          subPath: config.yml
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: data
      - name: config
        secret:
          secretName: todos-config
--- a/apps/todos/ingress.yaml
+++ b/apps/todos/ingress.yaml
@@ -7,11 +7,15 @@ spec:
  entryPoints:
    - websecure
  routes:
-
+    - match: Host(`todos.kluster.moll.re`) && PathPrefix(`/api/v1`)
    - match: Host(`todos.kluster.moll.re`)
      kind: Rule
      services:
-        - name: todos-web
+        - name: todos-api
          port: 3456
    - match: Host(`todos.kluster.moll.re`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: todos-frontend
          port: 80
  tls:
    certResolver: default-tls
--- a/apps/todos/kustomization.yaml
+++ b/apps/todos/kustomization.yaml
@@ -6,13 +6,13 @@ namespace: todos
 resources:
  - namespace.yaml
  - pvc.yaml
  - todos-config.sealedsecret.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
-images:
+# helmCharts:
-  - name: todos
+#   - name: vikunja
-    newName: vikunja/vikunja
+#     version: 0.1.5
-    newTag: 0.24.6
+#     repo: https://charts.oecis.io
 #     valuesFile: values.yaml
 #     releaseName: todos
 # managed by argocd directly
--- a/apps/todos/service.yaml
+++ b/apps/todos/service.yaml
@@ -1,11 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: todos-web
 spec:
  selector:
    app: todos
  ports:
  - name: todos
    port: 3456
    targetPort: 3456
--- a/apps/todos/todos-config.sealedsecret.yaml
+++ b/apps/todos/todos-config.sealedsecret.yaml
@@ -1,16 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: todos-config
  namespace: todos
 spec:
  encryptedData:
    config.yml: AgBRKmf5GSn6EcCH4r+I/lJkNiwZp0Pa/TFloYlPzqJ1aQWrTRDCLiljHYs1n/PTBWWv5SdWj+3Uvx4M+tzTXpRTp1dWomJ1C8pUDpf4N7SSZeAMoJxz5/mSUpA1YsYwiy/jhOzSsaeC80JX9WTXhCE5cnox/OUjcDf62vVg/7kgy8tHYpCSRmTGMah82642gP0/rlLpp+ctb29oYttmL0fWafHMRHgZYwkO1Ol7tmfbVOfr/bQljTQD3h/f0+ef2s3kDNtAkXSBAwHo6TfukB5bZi+pj3q3TLHAWU/belC38RZtIYW7trJf20WzbxxWKcS7rnQ8GHJqpbNgoWdnBQgP5OGHzySnQrdIAWLvOxw3JdJ8S1ZMbZfWASGpeIdfTI1p99Bhu1MGE3nnAzUCM93sLySE/mjjGDPdA9+Q7orgLGX3ct+w4deu1ABLR/HWxFYvPah11xs+MyzBFVh2rRj+MMzSWwQmbo+widmHWnzx6fjTiLd8eyGmvz1M9hBwFjqUTjbAR70S4xx2ALlYqAtbmJUk07PmTdTMhvokvaY5NX7Ylahx2oFE2q/FxMBwvPZVyI9tSbrZHEK9a67QaXnnwyfSqj3nErNkpdAa/zSJ9M6SG5cJrJvZCBn5cFg6pxtY65wZoj0GWMZ5kF2oqxDuekdjitWGMTp5q6ROJYSs/o3Lc/Abga9pSZYEtNrHr68tJuSeO61s9TjUftbkxkJ97/dwTfVQOd7aJui2EDp8NVcZg0CkEOgI7tt0nOEsll30RWS46QJwUbJM34FD646bpEk50K/GsIvFovKjZjtoCjeKczGdMpYS2XFwEMb8UjgSATxcVYjSWwvx+7prEChvoyVcg8Bi8ZEGcBVxSAD9fJu8PtyPBeijs7ZVwVyGGxiSafd3gAPU8spSuvbEDl/VZAKy9k2vrI2c/gtTqwaIasnBHudIbbNqDHlTlH8dk0z+kuNg/AzqheZWireMvBvgQ3TlHan0RN6+vVpZCY5XbzWkj/DEmoor8UfeuYt3GD7/JHniAorMPj61n2od7TLXmLunPG/B/zNpJCgJ8LgtUriDDZno99IDCXaZ/MO2+jppMaKizl83axxrv9HUTYDDgtX4RqLLdutd4i/AsOe0GgayFrOjUtDVOL6MKhX7dRJfbNsL5IcGEVZ1cdzcjjazoDpSlDdMC6E1XNS1NWprqUpmfjFPtFk1FWW3oRF3iEYUimngYvy6oTx3d70EZ+eOdEvp6A+aHbmG6fyEQb3AKYhMIOsn4AbKpDLjTsHiqWNGwT9ummS5kOLhnWBBB4ohDpCl4UMCtP61+1lhtx//Jne8QFAoq31MMFcCO2X3b2JfD6egLDc8Vwju6NHNy7jrmkponKqKxQPSs0w9Aj2biUBuFkMCiAik0Cf1fPk59bjJqs2ypwURDPAs1ShPoSU=
  template:
    metadata:
      creationTimestamp: null
      name: todos-config
      namespace: todos
    type: Opaque
--- a/apps/todos/values.yaml
+++ b/apps/todos/values.yaml
@@ -0,0 +1,51 @@
 ######################
 # VIKUNJA COMPONENTS #
 ######################
 # You can find the default values that this `values.yaml` overrides, in the comment at the top of this file.
 api:
  enabled: true
  image:
    tag: 0.22.1
  persistence:
    # This is your Vikunja data will live, you can either let
    # the chart create a new PVC for you or provide an existing one.
    data:
      enabled: true
      existingClaim: data
      accessMode: ReadWriteOnce
      size: 10Gi
      mountPath: /app/vikunja/files
  ingress:
    main:
      enabled: false
  configMaps:
    # The configuration for Vikunja's api.
    # https://vikunja.io/docs/config-options/
    config:
      enabled: true
      data:
        config.yml: |
          service:
              frontendUrl: https://todos.kluster.moll.re
          database:
            type: sqlite
            path: /app/vikunja/files/vikunja.db
          registration: false
  env:
 frontend:
  enabled: true
  image:
    tag: 0.22.1
  ingress:
    main:
      enabled: false
 postgresql:
  enabled: false
 redis:
  enabled: false
 typesense:
  enabled: false
--- a/infrastructure/argocd/argocd-cmd-params.configmap.yaml
+++ b/infrastructure/argocd/argocd-cmd-params.configmap.yaml
@@ -1,8 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: argocd-cmd-params-cm
 data:
  # server.insecure: "true"
  # DID NOT FIX RELOAD LOOPS
  # application.namespaces: "*"
--- a/infrastructure/argocd/argocd-oauth.configmap.yaml
+++ b/infrastructure/argocd/argocd-oauth.configmap.yaml
@@ -12,11 +12,10 @@ data:
    # If you want to store sensitive data in another Kubernetes Secret, instead of argocd-secret. ArgoCD knows to check the keys under data in your Kubernetes Secret for a corresponding key whenever a value in a configmap or secret starts with $, then your Kubernetes Secret name and : (colon).
    clientSecret: $argocd-oauth:client-secret
    skipAudienceCheckWhenTokenHasNoAudience: true
    # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
    requestedScopes: ["openid", "profile", "email", "groups"]
    # Optional set of OIDC claims to request on the ID token.
    requestedIDTokenClaims: {"groups": {"essential": true}}
--- a/infrastructure/argocd/argocd-oauth.sealedsecret.yaml
+++ b/infrastructure/argocd/argocd-oauth.sealedsecret.yaml
@@ -7,12 +7,10 @@ metadata:
  namespace: argocd
 spec:
  encryptedData:
-    client-secret: AgBmXMtAHgooKGgj3s/ndddVxxOXqUYyGev5BeUoAYL9IYYT3yB54cQp7v1suEwVGUJQQPOgc3YDUeS5kdOLcpYi7mOi7/aJYPmUHx1DU644JsebpeqJNMFt52SCynLjP9Vntlbkji9mPCQj0tHGhqleA+3y9mamuz3tZ+kaSY4+qUywXekMQz13YQgagQc+0BK2xzUzVedNj2AB0NmCIs8oOIL1ZL0iMi/+/a1VSh/pzm3Tv/ap3w5nqP6FUbZLcL0hU6+VTa6ZqoDcIIEm5x23tDXwgbHM7CJ5E/bHu+cNrvVO9XqI5x4KRIe/TDJGmO3oZ4bdeU2mtIxTXIHG3kKFCQzKPqteffctEusvdyqkpCqPsLUny8loOQKX8XjY6K6a7fMsYUsKkJ1Le3Zuif0AhzNvDCX69pz3uPEOf6ZR2pU0B0g3fc3gIwIuY97WiHzHg++pLJ6/yT32Ja9Ub6k72fJDA1HvvAOY0+fXoJdOwkJCfGFF/dXLp2M1/3xxDI05mJeFywE9NYBrb2yRNN9XAdwSJ5mpRnyiyBlMv/1W52yDBCavyMR+vLlyxaXGeVHvDSTdGCY8bCBEz2kbm3WEFxGR/LM3ls6d8WvvT5YJ+RxxEYSN/o0Zi233AK53toni+e2luBBIjUITa+QUIxpeWrz2aAe19PO+XiDHu8G2sErWxwE336USCnOiFIkqeJpBqtfOm0sWnxmQWhucMqTlGYdbus+DBkWWM23JLFuRsOI/VawqRg==
+    client-secret: AgAGtwiMd6OOz2IT2QJJR6unSYgLqNVJCb63a6hHko749nK8Kx1WgLwCYT/UURQYUusqMMPkNqbkA+jLUgh92fa7MKhtj4GysSvWavB+j8oFWT3YZbNcYNoJsTxg8mIRKiMFmp5um703e5RtGCv7eiOWdVtHftVv1BycPVeVHUuLU5usc8lmgnTTEPiRUEUB8MjGd7bIEgJ9q5oAiRTiwefickS1NgC02K2K8hVAhG/VkP0lqYn0xYgsy4W4i/7Q7AxRxCwX3y23spjXNUCRJRYvgF7Cf+MHdBgk6xPtvJF3jDLJfw8H2ilUx0GaxkESCDIE/FSVlbhMXmUdVYB9SLVo9K/tzqHe536ufGWO+U7H92mhZl5oZcA7qP9iXLUy13sAY/slixbKT6y4BJ3Tnt/pK1IydASsOE/uuwuN5q6AHWvG++DSHEPfE8xOH3bRVph8aIJD9hi8UlH7KGlEDPIaY3twpaJDUweaGVRTEnjvxW/hKfp2SF8A0PtGDeKSSii/XBZjxjROdOvE2+xM/WTVdVqddvErzogEKfljMvb5Z4OQiNj7fFvFMVuRD55To8p/cYZu+KHx+D8tuUMH3zk6AdADs/0bjI0xAz3PJUAmVp4RE4k0vP8LAImF5rWkIyVUcvJmP8S90jf0d7usJaEFd1ZayFLyUnwGAkP8ua2RiupnNUrZ/49A31cGm1RCpw00DGEJ/5VK6VMP1+T4KOUP5pB90FUYVHUv6S8dAg==
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/part-of: argocd
      name: argocd-oauth
      namespace: argocd
    type: Opaque
--- a/infrastructure/argocd/argocd-rbac.configmap.yaml
+++ b/infrastructure/argocd/argocd-rbac.configmap.yaml
@@ -1,11 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: argocd-rbac-cm
 data:
  policy.csv: |
    # use oidc group apps_admin as admin group in argocd
    g, apps_admin, role:admin
    g, argocd, role:readonly
  # all other user that might have entered via oidc, are blocked: deny everything
  policy.default: deny
--- a/infrastructure/argocd/argocd.configmap.yaml
+++ b/infrastructure/argocd/argocd.configmap.yaml
@@ -4,7 +4,3 @@ metadata:
  name: argocd-cm
 data:
  kustomize.buildOptions: --enable-helm
  # switch to annotation based resource tracking as per
  # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_tracking/
  application.resourceTrackingMethod: annotation+label
  admin.enabled: "false"
--- a/infrastructure/argocd/ingress.yaml
+++ b/infrastructure/argocd/ingress.yaml
@@ -1,3 +1,4 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -7,11 +8,12 @@ spec:
    entryPoints:
        - websecure
    routes:
-    - kind: Rule
+
-      match: Host(`argocd.kluster.moll.re`)
+        - match: Host(`argocd.kluster.moll.re`)
          kind: Rule
          services:
              - name: argocd-server
                port: 443
-          scheme: https
+
    tls:
        certResolver: default-tls
--- a/infrastructure/argocd/kustomization.yaml
+++ b/infrastructure/argocd/kustomization.yaml
@@ -3,20 +3,15 @@ kind: Kustomization
 namespace: argocd
 resources:
  - https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
  - namespace.yaml
  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.13.3/manifests/install.yaml
  - ingress.yaml
  - argo-apps.application.yaml
  - bootstrap-repo.sealedsecret.yaml
  - argocd-oauth.sealedsecret.yaml
  - servicemonitor.yaml
  # DID NOT FIX RELOAD LOOPS
  # - github.com/argoproj/argo-cd/examples/k8s-rbac/argocd-server-applications?ref=master
 patches:
  - path: argocd.configmap.yaml
  - path: known-hosts.configmap.yaml
  - path: argocd.configmap.yaml
  - path: argocd-oauth.configmap.yaml
  - path: argocd-rbac.configmap.yaml
  - path: argocd-cmd-params.configmap.yaml
--- a/infrastructure/argocd/namespace.yaml
+++ b/infrastructure/argocd/namespace.yaml
@@ -2,5 +2,3 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: argocd
  labels:
    pod-security.kubernetes.io/enforce: privileged 
--- a/infrastructure/argocd/servicemonitor.yaml
+++ b/infrastructure/argocd/servicemonitor.yaml
@@ -1,77 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-metrics
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-server-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-server-metrics
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-repo-server-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-applicationset-controller-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-applicationset-controller
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-dex-server
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-dex-server
  endpoints:
    - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-redis-haproxy-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  endpoints:
  - port: http-exporter-port
--- a/infrastructure/authelia/README.md
+++ b/infrastructure/authelia/README.md
@@ -1,10 +0,0 @@
 ### Adding clients
 Generate a new secret + hash:
 ```
 k exec -it  -n authelia deployments/authelia -- authelia crypto hash generate pbkdf2
 ```
 give the client the hash, store the secret in `authelia-oidc.secret.yaml` and seal it.
 }cnnhzH|Mf/yLn(v4rF#>KnGMgUS+TY
--- a/infrastructure/authelia/authelia-internal.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-internal.sealedsecret.yaml
@@ -1,20 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: authelia-internal
  namespace: authelia
 spec:
  encryptedData:
    identity_providers.oidc.hmac.key: AgBiAFMdVNGubsvfYu9oi6SE1AF8ZmiSbiSPjZhrSjpw8J8vN0Zjm/4TQX+I+qD7GQu0zO72D2hF/26fBZrLx2N1IJAj0va1NYEkmGgAaYa3lVC948n5OzyNPpOwfFCMBKo/BJwh0VeZ0wa7gm6L7+Gfk+YutGmkNa7Cuf+F/e8LxlT0MHlyoj+YGzeNEWkm2uUv73f74ND+a15AnBkvGMfm5A8vt/EdN3IOqD8EUCwRpf+lqhrJe9Mwp28kHp4NdO2W97I40BWA7LFXQco7CuhjNafHkpaNMZ1bkbYLjlpqyC6Xs7bCZU9wMIPOHL9cGt2QvfQG5gMWrJmJsyes9qadBk/TKmqPi3iPH2DzUYO2vMETI765RVrL6IVOwxXc663JxfpZVQTiCSXz8oCVYZ7Ka7gcjXSPTMSxwD2cBVG9KDwjntYaXTairO/Kyx0HiPbbXzhENYkqY7oZvJde/l83l5TvPi+M4/a0Pa8COq8voRw+Fkrfw/qhPDn4AZnuanceOLog3xfrXw0Z45rZ34unovKP+3NjTdBUX5YB8OgGd5tXc4Ur6oK8nxt5IhQ1EzJkh1VEUU8pbDaw9EX1xCKZxVk86MEzW7zqFZWRve5Sp34CJdwHcUk8hLs2PweEzyvibLJIACn1mQoM6nC+Wep5iYXjUzQ9qobItzKFpw/mGsceCu8VqNoBtQBws+I47EF2NkzT45szvxF9tvSzmgmRBHtzES11bqePopHvye4310pywFYJ/WeiWOLEn1IEd4rrTJ6zIoqU1QH9qHShT4SoT0uC5wqz+Tgl64OdMIHKwQLcWih7A5lcDMv+jPV1Xvd52g3EYx13epNTPHtHwi4sBlFi1VuDrwXgTAlnpvM6N5Ij0qNNK5NMcWHerbLyOaMzng1pOtRfYA5UKGG4KYQd49vh5Fw9mHsk9/lelT+iyTs4GhA=
    identity_validation.reset_password.jwt.hmac.key: AgCOsW1JBwnAB7BEIkEwqTLNHX5N/HrqHoxz7axdr3ppES7BnPKGRak846aKHrUVEykAV470SCgdwomTh/KBVAvHtml9L8h+FBu24rDbqZjHnL/BVy+2SkukNoVq6A2vDQRI521HBZntQQljhG0XTFTMMyI7tUhhM/PwmzeyZpKsDPcw6EJAMk9ERxdYtM7iaYEIAAcn0N2NPI7+I/A7nMKYpx4oGr79tobQyM1aDQF2VFwlRq1vqCrkEzBtPUPa9SrfnFE2GrIJlIR3xh/h5SmXCaAjF0uZFjPBPMrHSU4XtZVqtmwIEXpXFqjf+M6N5LTA5rKEviHV5oSJ4sDbMC1GMzwYw8u1Z2gvi/sP87ncbtSbW6ereAXC/5i7/bkOiyBlwVbNV+YcY6RlHG6DzEO/4Fqx9ET6XJhms1TcNb8Cp/VA7NS79IYbtnnZozefHnZAKQa7k/SR8tUVcVET2LhW6/j4QhxhFsASbws/yaZkEKdQnDqCpDlMkXKWxAt/7wlu/URTKlYTtCV5tvhrDj14Hdvs2CtpbXsYuf9FEn6OkRjFFXtr2c8tlOgh63qLoDfgmc+NlfLmkOGEtfEi9KCt9UY4qBAh2bc0PkkKod5JhMoiBUCwc2H8WlXAeUj2v7UmB5fvaP+IbeNKGf6+v8adVW3m7tckFeARG71QHkv049EKVfNyIP+CvBhEFZwTMNtzYGhr280zpEuvKowVXYlLp9pSBA/3vEIFcsnNzQfg2eFzsETOVtHXd7KnPoRKk29fTXmgIKdMThaSgvs72LoGdiYpYPaVrRKgCeqCah697bsOo6q2gv/jAeofRkcoaUx3sMb8nZJ3fnijr5Z5DFq6PM2VyJy8PlgfoIKO/w1nkQ==
    oidc.jwks.key: AgCuYKmdCv3LcmH8zpNAuS5oeHjf/cEmcAlGjRfv2CtfXmlYhcysDLeo2Cyn9kMUEPyRwxhQ/b9G6ZfkfuIh83v4j8PFBitoyaAmDNLmhn/tEjxUG4ddRZ+X1m+Skqs/QyGSt8w4iCBv2tzVV8v9mbbh0GSEk4Nz/tOi8oyUBF/RF0Pgan7JubQ9E7uT2c2rD+hVeWJx9dL6Vv6z/OdbNEjpDvlMNjpQBqMj7H0dMXSnMIxoQHXn2TduI/2qoc84qfNf8diGaG9DN/lrm4rebPwQZvwkidSKEGCCca8ICwXEN2b2q2TijiaVGJPtpd+R9n3BDa8SHi94ptwxuWwHEQBA5QlkK5TMUT8SGLzUIJK5Z/sX7QQcTxxSX2pySA+3eKveBIiHJeLjiuABkioo9uZMoWsp/piwZBQy5xB7yF2WIGz6cAg1Y098Khw8ZYrnYrJSHG35/Ai9270eiJOvdXDvOdiXEbxUhI6EGwypl1E18AevE3Pe6OcthEfwErbYdEevSNSfUNthC6gFh/PM8qCEi9ZpX1IrbDq/4lyPltKNbhev7OJuci2CF4kc/kMu9Swdih2p4UV/FOHk6z0hfpjxuqXBwdQYcNOZvyZgnGNjb0fqtrKN953A8Skb8+g1XeWzOVxRYGLi/M/oUaWiy2ksLgxlEhKgSzlQ2al0qMBTdr+I+W3bm1HjITocnEFHR54x7+i6V9LydtWXqy08xH1p4LXi56+PtoUQ6901nE8vyofVcuoV1tqqrnVv+L7XHqsM2qGgdvsYlYBttt3zBy/JbOTcUhVe0KIjRGtuAF2MPJWSxcyFc0crfC7dYmKllV3sKO+MowyDjDQ7OQ3MxgPufLKMRJUAB1XsX5BUE5HyQketKHE5hYWzLR+PmQPShq6wc/Er36jPBLkGUsNVJhUdPewbEzZEcqeBdDsncXUwZjcjAlclWpM1VYxT71BLBT0SUL6YyoeesW0RZ+LG/reD9klfYQM5vfhXTDax5crOcp5BIo8T7mJEYIFBvUU0ruAi3Ur7GqgSCCE8AAcILTeqex22KP6JcFUB7nzFsn3PlUv1lJ+TJutmUe3aGXjVMQGD2B3s5cMHCcqMD302gj39gLVsCV4gQo2hb+UeZcfz7X2ltJ0H6ch/CHeLZbBQoCreVVDWBcoMl4tncdbrkdFK0Bo1tCjY+MScsYATswn4/fbEIKALBVO4gS/WI4NcbGl6HXyNnJvbYv+6l48EHcTHtMqER1hur7Wkso3YpC5zHx7RVfnuCTXP9kWPcCCr1VMj4Uth86LB5xi4FIs3X8DvoyOTVgUyu4T9tedldhMurOh8qt/kqxdxjKkREFk80sH2kb61xPypY/779hLXG9PeDHLFyETYgdHiJWSv8UhizVVOBErjKUljWZ2y5zZam8DNKI6QRislPE++pYsqQw2Pe0iyjjcSWMAriCVJW1klkgmOkEoweFjD98CIUWJUcJx/as1YOIc+QqtVRKH/1AA/CuPrPJWfPXzGBfNFXveQB/G9lvJ4MNfVLNdAz5kUv6bGnGaAyR2LFTl/ficNZv8IFBQvHi91CLe0PjMoq32SO/wCJMX9f7yESWgFnCWS/HfuzWJR+f30hbsM/JbE8hXQQ8/VPgzgRkaKPz3XW9j4w6Wb2mBX3GAYtRtGUKfWsOJWIOjKDlqd73HiIM31MUsiDMgo4DdSV9ocEuH+Y8EiAgtK8P1nSUp2Y6wRVZ5dMz471GC/qAtZS2eYEYzbe57sX2i+pjmA790O28fZauEipPs4d8tbUyef+wPD+aJLyYLRX+R19IU5y+Hk7VdFoi/o+5roDyqAESYfOKhY2dRV6MjLvgbb0g4spJBPefFppKxEW46pi/zMniqUmel+czm704i9/Hr8LrZHUwHQqPN+iLqLTvQQo9Uj0xNzeM+fF4BG+QpYPPl8hNlRFcz/H486i7z1qIRjDvCHko5nQx6nMjJgY3DVyCV6w92NvWKsuWtJ5S+LyCe3Mt2z3R+l7JVntf0xPcAaUjruEnPC9jkpiD7GtZJaeqqm9X6NwanPrTD9KRw3czDyN00H51tmqut/St0O9ThpCNDDO06TrtvWIGmbO3zuBLawOnYniISNhpwpCO1jfV5J8zg8iv57LclG1O7LcwqAbLg6fdYNRnViIn3FRmwrIunSjcL+KbQP6sPQRHqiRxUbO0jp8v48wfzrxc1V4hzvrzlMQzIFRwqGKRjRaHzsBVjln1Ec8Bbg3bvVVCr60rVNVQEy40ldTz22nNjecAUp88v5DXqslHgwD1jEA7rDAmjAIpdN0fVOZBHKxalXVzq/cYssuAMg8NgJXCoLvi+mZj+iR8LsV4OtrSd8nJSCADrVrLJwccHjRo0GnPBD3jJFchy77gPN+8OnzRXPVVuuMSOjrxfAfrjwCUkj3KybOH3MMLu5NUFz27DcpLRxBqACQOtSOshkuuJuk1FXIexssFMZvO2StYecv5R880WX0LqZwKNTJRqQOXTGaV1VWNEexSu4iegOtaX0UZQNyDyHygNU9JXsve4u/2Sd6VyTy/i69XouFCY21DE/fonqBGuIen+TqxshpPJGy3HZJ7Y044rFCcWyTjzz8XH5s836CUWmwri+DsGeT/L/E3C+zR17ImU1Na4IA8f11ThR5aaomfTEwbNseFr8L51dJrgQl/QgRJrViHwowLDVClCbhszVKFg7i0ERRjSNNxZ9tUluOyCHSeg4wP1DOERumYwj5oV9I0isAOpG5cCDUDMrrZP831YmeUgJsH5aciRZmho9/p+Q0R+s7v0PA2HKtRNOfIm1VWSL7y185LKvYO6DPfZNDnOFobwg9ANP7H7kdE1GOlsnEQYWTFlc8wtRLfENNCHlBUwrIGJUoNPlSHVG3PXGz4vah6wwJD/QBH+9TKtLvdV1+2T4+cdCIn08MbdlHDKvWLraMtmSOTJKNJxtXOuXfdAuGYIoqyc1Em7nbV/Oo4de/n1zWkrwZPeTx7d9D1Io/ana8+2LlJEjrIltr4IzdnuCtImbANCDA45VFmlq87s+2lYdbKDvDMNUviw//s80G3qTT3VpGFnnyEF6TsJzpTJ7PrpE1A0PMufNbg8kJTMBifBU+XzoBDTqBwPzim4VqwazuScOqzwZDTgLdQhGzeo1bKIJKHrLOEgZm1KCp+tjPPhnhK0zIGUjqB+UL2+3IvHDmVr9ly7buGub+kuyBiXnoIr4B6bwa7cpFgNU9zmTng+hFlTDgfSLBlz+69knYDlEpgE6BsVfTcXFpfVgS/eRHH04OrYB0t7kwUD0Ku+Ljpn6nd/x7/gcDOGaiQH7TpW1qKTF8E5+sfbn7f8j6fGYRT7dDQ0n4ljZ8qAYsPw3k+hY1MBIiNqAfQKpwTc88yB6EmB7Ul1N28tsLTuEGCCHtXvhTaQLTFzTVoKdtn5B8eNJDqOdBc5+g0qPgp1W8cVESH9nc80pcGo382GND/QllOEmmaKEasYEzPeMJAcPM4UxMuXF7SnadQweoCTIPXuQyZW+eKlMW4RlC5DHQ1m4NymrN6GFptQtTiG5v182BR2ibp4NogkEyZhHeMCtGXZV6QgGbnoJ24ii0vY4iO/08YgXOxDLcH83vvdiya/WxO/75rRVH052z0doEC4jLUleLEs398o59LBEolHSyPYOemzHLOkSB7w6acxiuujb9nujMuE2im5httFXKhq0cu6ytxlVKtKbVwB1y5lZigpTAh9FZXki8OBNIEa1FwtrYsoLz4hJP2CyRqUrHCY9WmCDTOUFTq7NrltBL2+wFvbPAtJbrzM0ALJYNaOb7J5N8R8sP3voXaL5DEEFoS57+xSvtx+lIOCNweJqzzZMoxZ2p9JL6qaJxG+EJIGTeHhWMxX9UJTJJACgB2W/cZyCaD43E5XIxSC6czgdOgwii27fFAJKJabmj+FsSwYBMiyHiFE=
    session.encryption.key: AgB6LuT3btnwlDtP19iS6TAA6hz5t2gtXn93/sKI+ANzRvDtAUEJf934pWS0xhWu8Zfqwe5YuPy6Hb7CYG1Xk76Z3IFAEKcENcAA4Ngl6f80yBPgaL+6pzkeHyouYhpuRFenPoCcoa60OuusnDBUvBO0v6Mtqd39nACDJwdrJH0VzoLiWlMPzNsqJSkX+qNumrFlahqEtpswgoQBFtgljfMh8jCfAiqtwwe4Gx77B3GHNDuRQ7tSKhq5pSPUfDE9i/a1fb5yd1z8mlDkbivb0/yhvBsUi7stV9TE7HpBcsxtd6vSzt+MgXsflFfHZ9HU7oVVS0PuDzeDEXac9r2XDA96eUdhz/9NF3d9BvBMZqsi4YlF9tvsODNR7BofF5axxuRb2sptVwM5HuexXhG6S2PPpjLWi0BnY2P4Y12rXUhtYTisKgk7J1H5kZ1XYdjySFIQpMnWvdQD4TDmvqCi2YbnDts5labuFPQmgdrguRbqb1W94Pwg3SOuhJdsNJkfvXFBOOPf2eJBdGsrv4hOFiWt87pNh5Idzi9DAsV9CHZyLwxchwSpNre3yb1TnrTUE9xuQexY/xviAKAc1XjLsKyapryyAtv1AF6UnZMECDyElyenWblPBlWyOYTAWk8yiYl11C/2cipP6+pv8/XpbHKaQKGVQLIQdixXVGKRZwChTo5b3wliSJD2FXiC7ZkWfjOHlgXa+1DNYEoAlUfIU+IMdTP+x82QIjeYRH5wmhujd0JrYu4AygU1Zg==
    storage.encryption.key: AgBOR7VfqNstwSBQ3pZIuHUo6m6bcbqTRluZ+G52d2djiyYm2E6FEfzeNrVgPSyw/9CuWXnzzQRyyGVvwP9FwtF6wWqNByhtY4sHd4xoHLEv3L4ZNRvNCf/iCGw0yI46k7nGifvIGw7BNWMkzGVOY+926aa9CAahxh27nQf0dztuFM3DPX4ASKpJ7c3IRGbMi0x0gPTU+Z1/3JLlhn+WvM95UpbPq75LHSzo4A2YfdluZEOpvvo8M5NnPgvHIvRC3tjZuXsDJwRQhqLVa8oFdrjJ7DvMonScKyv4IF/fttd4K0h+g/WZqCRix1dw/7LburKVicYBLl4IQJDIDORKXIUqU1M7i28UVF6DBe/r6jBTGDJcqv9Zor5hoQHuswyC0p+2+sm0EGUvGJLGJ4aqq5UBSsZyD98vMwGT3H3sofIqESHJo4O6rOSo+NFag2P/E1Ij2PFN2+wJTMRJ467CPnzEC85/mm3Tii+NRRb4CKEuxh+zfmVB/Bpny+7zjL7atS3BFR95PbI1jM5yI4uu1uHaVJaXjI3nQKYKjYetS3POOdxae5YRs8CywtZWkv+wUnlbPlzB7XRObQ2yzwNj8tZL8/846TykafDsvPB51B4wAnY8w1LaxNYBTZHQGco/rO7fUNEbuwPyDcbDtUaNxbUD7Yfu1pUY2fay0YtTLDlm1FEZePm9LLKQVj2K703Hu4YA2F/wKhcWKfjtijaC6z8KTaPQiVpjhA==
  template:
    metadata:
      creationTimestamp: null
      name: authelia-internal
      namespace: authelia
    type: Opaque
--- a/infrastructure/authelia/authelia-ldap.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-ldap.sealedsecret.yaml
--- a/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
--- a/infrastructure/authelia/authelia-smtp.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-smtp.sealedsecret.yaml
@@ -7,7 +7,7 @@ metadata:
  namespace: authelia
 spec:
  encryptedData:
-    smtp.yml: AgCfZqHvV3N/S7C3BCeBZv5erYNnbc3yuhYswXBxJUmvfWt/oyEi0VM9830cV740zF532ZteMaEC47Yer1dm1zwBb8degsSPOnivTU3HVN1MQKMxB0T9roN7ytXnS48dIVLlZAy5/7AqU/+F081zJeGW/8lsQKJ7QVa3zG7BDGJmaExxttrB5ZsSiVmFldSQap1FNIcPFU1O4N1w59r29IsUNbOVpnb4NqONBBh7Lt/RoUwYVmdMT8OxOAtgovft1z+KuZN2ZnvBlm3EgY70wAWTs/tSmZLWuDGa8yo0M6LPIjO9zlc+l1YuI25AqGHDuhGU+H+gQWZhtIglwKHtU8oUuDchWxQpb4tJSokpyegkWrpty8vBEEGK9CtLk13EmPUHTPicv9XYgwxvROeXB7+6/gQC8Yc/PzjjZwSrNo8SC/rF4VJY9jXMJ2nS7UkubcfdOY/bKhu1jZENrav7Zd/z5hiy2stg2LFJ2rnzIrSKeYWN3ygR24KRGh/7Bpwz6LhCkPdrfJJyymA+Azwq06CoyyPTLkYRMpTdkzx8zLNCvfQfmEKYRxRcXVBDfSr/Wn/9QNmCAG/rp1Ep23xRYegQRTUyGD2JVVSjE0WcMRRnqb70IYfEPk4w5TS14RcO2/59Lvs+1mF8g9JfLhrxOjLDAvnSKjN5KZ3PgLdpqbkcVjUb0Hs18SAilmZhs5cQtNR++LqYePIe1r7R3V9IPIvPudCs7/2BrLLpuREhTdQIiA3catZ6kLZgHuh/KswFEDAcZ1NisSNvZZLAKTHupIe7XjBp+0zGHLZ7hgbA/Ojf4e6M4RLjqR41Uix+stkKuwWwdoXs/YAf2GUl6+4fb/8iPVUwPA7XHf92ALxv5neNEDlo4awXvuBQG8XdmaCqkYXBe1GE+vgmzfQhr1gjcO1VxvpsAJXT9/Ak1whQbs8kLfwxDfGp3CYQxx+eaxxm4Q2xumeQYXHFyhNZ5d5XOpmlx9EovRwM/uGoZdslykZ27ZbKRMYcqwhJ16CS/y5ptMcEbB1RkqodM55UCslR/fo+9aJejX0x8V91U2bm8eFrDFhFJsM6Z6oClxOXeAbSoE8m4KclRWTtF4+CIXq+qszdWzwqrHBWvKAtVwGo3L08Sxw24ajT9Rw1Ay2kvb4xO2SVzIRhHdzIFpF6iSiDqBJsSH7SL0kP1C07j3vl95qZBp01BW8BUnVxFyqOVMvVnXMaNQZdFrsq4MVEsxDftgciF9oE8rVv4Q==
+    smtp.yml: AgAHiNwse+aFYVoun500VoUTUKg22yDSn+cD9pLO4HKG26nqmOxkiTSi5BELpzWouqHXiHNwYLEKPv13ZFJX6AFfFskspBfe+svLvLSzEvtH8kNCSJar0G5jcACEk27xcCxTN0nhmjc6L9lmZF8UUth7l5Mrsl0EG+79pCNYhUtjy16g7HdbmYgmgrY6d7VWCen2R4HZK4A9zPx+8HEsoMzUD0mG+uKKKfmqYaxJ563Gzp7trDcQRXd4tmea9MM8t+bk9TYCDvBj9JbsNuIdzFk8MArlvlesDYqiJj/8wny49NoVyX8vvGVDF3Y5s+OmKA9+MoBIYNc4oT4FLcc14wpnMnk5WgbKtTYfExcGTdTWuTTVWPsF18dvbKTU3C6dnf2kh9T8CydIdu27jwrBbChWffxNbh5nlLlQT3Xvogai8o6qhMn+EqTnw/u93OIxNzPEooVP349VVW/mlhGX3od/IlVzXiIlQIxL5EP2pRCXL2T1KONvkpbClJ/BTuwfjRZTXz3ZaRhaTPdBAZ+bpkRkt+kEAecjqaf9EF+pHy+dOaR4tIrwBWBbrAy47iV4e/Q60B97bRHzgo9N1uaYonGmyzmyVc9TXIkhf7PIlu/cSyDaHKdobVx0AA0p2usi5D1QYMcS9fngXyM1U9imO6QiYopysxQ9gJL8rfuySRJ/YQ6JJ71fLdMxsiQ0r21D7v7LEdJK5SKLovpnmPgk4PBoL9E4ZPE6g5zRXZFj1IxpKkOqRMpyBzBvas9Q1OFFs0Y79kGtyWIXb7Z2HGYmMU1us9Pm95xVF/V34sAtMIEz7qi+SaXQHFvyqbaiJ48U8qHhHL5y+lt9e8PGmQo0tRWfHMejs5BCcFAEZKDiif6zUEsjV/WC9WKO9NUjvRiu0CYCq5z9QzKaZQqWo0LPeM6DMY8pT3w4OqpJ/OLyMfbdoWT/uQ1JW5npApGifL0lhWRIkQHCG7oZA/BkJfbiexV8jwtToS+UX/s9HkbkuQ/O4zDte8qg/Xzh5TOj5AxlAPN6wGCwd6t1RTSITSKVMnTpFabkEvPYnGeiyWU8TrckvaKmhRUNoj2ZWQCCffHKp/bimEHxRqFnW6B+cu35reTjFc2dqp12EhCBR727G0EARx3Gt/LSdPh8OYt+Bs0rLaHiUrCJh4HRBJPmg0PARVwDL7OWx6pwtclnrALmfELKKaopy6yFctDogOtkvxHbL8DNhJqNuQJo6ttzlHhz4bnQcWb2K92HIw==
  template:
    metadata:
      creationTimestamp: null
--- a/infrastructure/authelia/authelia.values.yaml
+++ b/infrastructure/authelia/authelia.values.yaml
@@ -1,3 +1,4 @@
 ingress:
  enabled: false
@@ -5,254 +6,80 @@ ingress:
 pod:
  kind: 'Deployment'
  replicas: 1
  extraVolumes:
    - name: config-ldap
      secret:
        secretName: authelia-ldap
    - name: config-oidc
      secret:
        secretName: authelia-oidc
    - name: config-smtp
      secret:
        secretName: authelia-smtp
  extraVolumeMounts:
    - name: config-ldap
      mountPath: /extra-config/ldap.yml
      readOnly: true
    - name: config-oidc
      mountPath: /extra-config/oidc.yml
      readOnly: true
    - name: config-smtp
      mountPath: /extra-config/smtp.yml
      readOnly: true
 ##
 ## Authelia Config Map Generator
 ##
 configMap:
  # Enable the configMap source for the Authelia config.
  # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config.
  disabled: false
  key: 'configuration.yml'
-  # include sub-maps wich OVERRIDE the values generated by the helm chart
+  # do not use a pre-existing configMap
  # BUT, include sub-maps wich OVERRIDE the values generated by the helm chart
  extraConfigs:
-    - /secrets/authelia-smtp/smtp.yml
+    - /extra-config/ldap.yml
-
+    - /extra-config/oidc.yml
-
+    - /extra-config/smtp.yml
  # many of the values remain default from the helm chart
  authentication_backend:
    ldap:
      enabled: true
      implementation: 'custom'
      address: 'ldap://lldap:3890'
      base_dn: 'DC=moll,DC=re'
      additional_users_dn: 'OU=people'
      users_filter: "(&({username_attribute}={input})(objectClass=person))"
      additional_groups_dn: 'OU=groups'
      groups_filter: "(member={dn})"
      ## The username of the admin user.
      user: 'uid=authelia,ou=people,dc=moll,dc=re'
      password:
        # ## Disables this secret and leaves configuring it entirely up to you.
        # disabled: false
        # ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the
        # ## secret_value option below.
        # secret_name: ~
        # ## The value of a generated secret when using the ~ secret_name.
        # value: ''
        # ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise
        # ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath'
        # ## value, '{secret_name}' is the secret_name above, and '{path}' is this value.
        path: 'authentication.ldap.password.txt'
        secret_name: authelia-ldap
      attributes:
        display_name: displayName
        username: uid
        group_name: cn
        mail: mail
    file:
      enabled: false
  session:
    inactivity: '2d'
    expiration: '7d'
    remember_me: '1M'
    cookies:
      - name: authelia_session
        domain: auth.kluster.moll.re
    encryption_key:
      secret_name: authelia-internal
  storage:
    encryption_key:
-      secret_name: authelia-internal
+      value: 'authelia-encryption-key'
    local:
      enabled: true
      file: /config/db.sqlite3
-  # notifier:
+##
-  # notifier is configured via the smtp secret and merged by authelia upon startup
+## Authelia Secret Configuration.
-
+##
  identity_validation:
    reset_password:
 secret:
-        secret_name: authelia-internal
+
-        path: 'identity_validation.reset_password.jwt.hmac.key'
+  disabled: false
  existingSecret: ''
-  identity_providers:
+certificates:
-    oidc:
+  # don't use the pre-existing secret
-      enabled: true
+  existingSecret: ''
      hmac_secret:
        secret_name: authelia-internal
        path: 'identity_providers.oidc.hmac.key'
      # lifespans:
      #   access_token: '1 hour'
      #   authorize_code: '1 minute'
      #   id_token: '1 hour'
      #   refresh_token: '1 hour and 30 minutes'
      jwks:
        - algorithm: 'RS256'
          key:
            path: '/secrets/authelia-internal/oidc.jwks.key'
      cors:
        allowed_origins_from_client_redirect_uris: true
      clients:
        - client_id: 'grafana'
          client_name: 'Grafana'
          client_secret:
            path: '/secrets/authelia-oidc/client.grafana'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: true
          pkce_challenge_method: 'S256'
          redirect_uris:
            - 'https://grafana.kluster.moll.re/login/generic_oauth'
          scopes:
            - 'openid'
            - 'profile'
            - 'groups'
            - 'email'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_post'
          consent_mode: 'implicit'
        - client_id: 'recipes'
          client_name: 'Recipes'
          client_secret:
            path: '/secrets/authelia-oidc/client.recipes'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: true
          pkce_challenge_method: 'S256'
          redirect_uris:
            - 'https://recipes.kluster.moll.re/login'
          scopes:
            - 'openid'
            - 'email'
            - 'profile'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'gitea'
          client_name: 'Gitea'
          client_secret:
            path: '/secrets/authelia-oidc/client.gitea'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://git.kluster.moll.re/user/oauth2/authelia/callback'
          scopes:
            - 'openid'
            - 'email'
            - 'profile'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'argocd'
          client_name: 'Argo CD'
          client_secret:
            path: '/secrets/authelia-oidc/client.argocd'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://argocd.kluster.moll.re/auth/callback'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_post'
          consent_mode: 'implicit'
        - client_id: 'paperless'
          client_name: 'Paperless'
          client_secret:
            path: '/secrets/authelia-oidc/client.paperless'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://paperless.kluster.moll.re/accounts/oidc/authelia/login/callback/'
          scopes:
            - 'openid'
            - 'profile'
            - 'email'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'linkding'
          client_name: 'LinkDing'
          client_secret:
            path: '/secrets/authelia-oidc/client.linkding'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://linkding.kluster.moll.re/oidc/callback/'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_post'
          consent_mode: 'implicit'
        - client_id: 'todos'
          client_name: 'Todos'
          client_secret:
            path: '/secrets/authelia-oidc/client.todos'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://todos.kluster.moll.re/auth/openid/authelia'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'kitchenowl'
          client_name: 'KitchenOwl'
          client_secret:
            path: '/secrets/authelia-oidc/client.kitchenowl'
          public: false
          token_endpoint_auth_method: 'client_secret_post'
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://kitchen.kluster.moll.re/signin/redirect'
            - kitchenowl:///signin/redirect
            # mobile app as well
          scopes:
            - openid
            - email
            - profile
 ##
 ## Authelia Persistence Configuration.
 ##
 ## Useful in scenarios where you need persistent storage.
 ## Auth Provider Use Case: file; we recommend you use the ldap provider instead.
 ## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead.
 ## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false).
 ##
 persistence:
  enabled: true
  storageClass: 'nfs-client'
 secret:
  mountPath: '/secrets'
  additionalSecrets:
    # the oidc client secrets referenced in the oidc config
    authelia-oidc: {}
    authelia-internal: {}
    authelia-ldap: {}
    authelia-smtp: {}
--- a/infrastructure/authelia/kustomization.yaml
+++ b/infrastructure/authelia/kustomization.yaml
@@ -14,7 +14,6 @@ resources:
  - authelia-ldap.sealedsecret.yaml
  - authelia-oidc.sealedsecret.yaml
  - authelia-smtp.sealedsecret.yaml
  - authelia-internal.sealedsecret.yaml
  - ingress.yaml
@@ -27,6 +26,6 @@ images:
 helmCharts:
  - name: authelia
    releaseName: authelia
-    version: 0.9.16
+    version: 0.9.9
    repo: https://charts.authelia.com
    valuesFile: authelia.values.yaml
--- a/infrastructure/authelia/lldap.ingress.yaml
+++ b/infrastructure/authelia/lldap.ingress.yaml
--- a/infrastructure/external-dns/kustomization.yaml
+++ b/infrastructure/external-dns/kustomization.yaml
@@ -15,4 +15,4 @@ images:
  - name: git
    newName: alpine/git
-    newTag: "v2.47.2"
+    newTag: "v2.45.2"
--- a/infrastructure/gitea/gitea.values.yaml
+++ b/infrastructure/gitea/gitea.values.yaml
@@ -1,6 +1,3 @@
 strategy:
  type: Recreate
 ## @section Service
 service:
@@ -59,8 +56,7 @@ ingress:
 resources:
  limits:
    cpu: 1
-    memory: 5Gi
+    memory: 1Gi
    # high memory should be allowed to handle package uploads
  requests:
    cpu: 100m
    memory: 128Mi
@@ -100,7 +96,6 @@ gitea:
    email: "gitea@delete.me"
  metrics:
    # service monitor is configured manually
    enabled: true
  ## @param gitea.config  Configuration for the Gitea server,ref: [config-cheat-sheet](https://docs.gitea.io/en-us/config-cheat-sheet/)
@@ -121,10 +116,6 @@ gitea:
    indexer:
      ISSUE_INDEXER_TYPE: bleve
      REPO_INDEXER_ENABLED: false
    service:
      DISABLE_REGISTRATION: true
    oauth2_client:
      ENABLE_AUTO_REGISTRATION: true
  oauth:
    - name: authelia
@@ -134,11 +125,9 @@ gitea:
      existingSecret: gitea-oauth
      required-claim-name: groups
      required-claim-value: gitea
      group-claim-name: groups
      admin-group: apps_admin
  # since we want to reuse the postgres secret, we cannot directly use it in
  # additionalConfigSources:
  #   - secret:
--- a/infrastructure/gitea/kustomization.yaml
+++ b/infrastructure/gitea/kustomization.yaml
@@ -23,6 +23,6 @@ helmCharts:
  - name: gitea
    namespace: gitea # needs to be set explicitly for svc to be referenced correctly
    releaseName: gitea
-    version: 11.0.0
+    version: 10.4.1
    valuesFile: gitea.values.yaml
    repo: https://dl.gitea.io/charts/
--- a/infrastructure/gitea/postgres-password.sealedsecret.yaml
+++ b/infrastructure/gitea/postgres-password.sealedsecret.yaml
@@ -7,9 +7,9 @@ metadata:
  namespace: gitea
 spec:
  encryptedData:
-    database: AgDONZUiFyHQLH3lq7vBovX5fqIDdxViQr8PFAh3hnHM8PqJpZ5MCkBL65hVuKmQ6EgrMj+0smPbfk9Rfwq42wFw+i2cgTgN69G9iMwp47+ng5GADPiQ2tIJQNFfqz9VQP0mmu9VXnckoBU0HXQmV21jkK2AKk5YHVLmIhu++1g8LjjYSBMP8iYiritOuyHbOn8OP26FmqBvnTCGg4pFzd/WIhsj7Zz9BeP+AOP/BTA+VZCOqBJJDzztHp9xYamcWslDX2snQG1Iw/rs4zyBVx+sWWPJgkiLmY1aRDnVYmwkh9RC81usrtrC9FZ6VYoxsufGj+Ie25hbbUukqKFuwk3V0dbZTRGa+4xHr7535fDYSxFm8/dkAyh8yM03VUy/2dhrtv9qWM1Yu50tcEoe/YoBdwItyNk/AELjfCvfXzwDttzsl85QVtSil+V6WRhpiQlH5EGhqSMzH9eduAddMrIEMQiSqn9J/vME5j7fJhgFs0bP7kqB9UKT6yTIU8QchRRUUYZwEFevLox01dRtJDoa8DVuO1G2LDZVUEoHrfEvFwzRGhuBH9B2yXAZLXgXbOreoiPi76xI0fw9VNXJ90KYcpwuMv8MykdNWQLsyCraf/WJIXMpm+UEVMqArJnscky0K1YHX6eQeQx0BU5hEeIAZucOwimSv2jJLqlBK/heiMgfp0pWu2lIu+tQ4AarkFsWNdbiBA==
+    database: AgB8FeAX7Dx/SO/deoqeIRNPMe7DwgKtwFznjntm9TNnEJQDLVVu+D80eolcrTTOhlZJZgtKvpM9xgw7DLtKG+ARACaPYgaMW2m4V/B87Z3xAU0DCF16sv9LVIfNA8KyQZWYthEcWLpqoB0zVFBrb2PxI8QIV22QkNG4oITMCv/Xjf7P+pTa6iWWSLdPcR2tQVfkHsdWWJvtLcrLkI7i+sWjQOW8tgV8QAcQr5JcxEjSgb3X1J3R1EEVHsPAqQcdpUB7eQ7T9SbIaIpTXw05Tant42GMgALVx2J5TAzqLPdaVaUlKVRoN26eVthYhY9qKbskXkXZp/0Sa/RxXoVHt1jMyZFicMzp5w5yC3DZd9gTtsZOrn21NS1QAVh6twB2bxtf7EHjpS5AyvhaF9qbbGkZtUh4IhFSOpd6bMGZLZqQMcH+Ih9b+jv0j3cLBLY0Bzsj4u5yLvoqhOBcxLoVnW3N3x248y3ZUWkO7hPwP+Lo5FOX/cmK9VHvn5ZhNWNNO9xv0LYSzhqnAvVyTgvAGLDTrZbnp36Q+JkqlhrhFQoQkXRQ2HHNU5CC+o59OL0RnshJg4UUed1ETmOPCJmcPZdKNvfUiW1PUB2AwDeWhRyN6wjwzreioSN6qHrxctXpEQohTwzGeG+rgG0tj9V3yHn1Er1j0pR6S9VJBkaQ0qnaInSthxSC5MkXTKXFmW8YfHQqXKmQcQ==
-    password: AgAp0473gvkk/8OFkxg59+LArAD7v8rRryOuYnScxkhJxSngXnnLXYr2iaeOMgjWryOPtWEWa0F6+hDaTtsp+vhg0X8rtdvyonV/I/I/K5rV70N/bao+kIf5LfcntZ6RjGaQtaeHjh15tY3LxmJ3PdJpDcLJXn1+iBsfTnEEsBFDKolD2RcXwH+74feX+Q8bG7KkAo4r0OfEaO/KC2FCC8vg/AHgzNUFL08mnK7DPgNjgNc3MYk/+Ey91LfvMD9NfuO1xrlsV6gy12gVwZV14kfAqHL4DvifmaHY14hScJC3tK6HqmSitKmNRcJZ3Ad2y7rS63X6DeaXmKFpDDYk69ubfVWBT5CWaBHfYHCWJqJITtoJq4PdLp7xRchRrZblqLUKnTrs8Dmry4qapa/uAma4k84ZSnFl6XeM8n8ZYpx3Tx91fwsYLCWiGX7AblFsEmzsT7jf0wTri7HYyNcF1s5YhL59ZO7iGzruAJRDA4BMrXWFrNjsDQrCR4FTYDIr4cR05mi9nPd2C5dAzZtARpBQZgr/lruE3GKgalYF0oxIJGYKcDbCO5pntAPpL/7rbhdjVtvpUg2d+wJYkVIn6zTaOmr0TCnMOzFPzwwbxrr7U8opfYcjep2XeVOfHKfitrgKwFCwO/CsbP+ao0b6PT7K9KGqrI5lVrEAO+pOU6s3Omgm3AJGzGEIzIXCnkeD2dYsRrfyHM0zQ23+iUyUk8x3XIItFe7cq34X935y+bbViqAQ
+    password: AgB+i/mSHnQJnBpRu1cGwKzqrqoSzKfbGkxWTv57ozmiVkEendzudwKu+3MJQh9fHrBwUa0Cu2OqIzGqMQIwDKC5+LDiYAnDOfacu/VBX6mWVABIeg8fqU/PRqym/sGxJtcmwPdo8H8zJm+/vyPpLv4dkYYjHFkAhF3QShq1qMhfeaB/vd6ZNjQEfvCWX14V2F/RTq8skuwQkVQJoz9OsaF+KiTmKC7R1aeZaTUUCFIWGGIq9V2k3O7VAITGJanAT5IYo+epQf2HLsC2xyIUs9prk1rF0yUishgc2bsb4joPULl/G2VUgafH9SKQ37TFqZi2z20gVutrkLyuCMk25tW7m+z4+YCC/dJ9aW/31sFUwSnVhdYh6gwsnNP5GzSguAoOq+6izVD8hV2QzfdIYPrIZyADI7HY9o4LK8YuRS5KgJdaCU3kWYY+tVTSvkGFCWu5q/pBihBG2bN83asTHZcnkocMEvCaTsbPq2CN8/WCRZJs84M6CEzCioNmuGAmUU+fEF/MVEZtTI+6yCrJkOEHdVywtdLufNPGFut97XF+YvJZ1UZ6AW546JGmlmEMFukNHi1XDBm/mWL8e1H6xwLe6I9rwL6YTDrji3IixdERS+a6tq2vcksU5EjW9x9WYt6ctZD/cfhEFAvpssJLCs2vmjNgMhmilPoTppvXyUYnE4bCZuVFRrO/a+ogjXUU2nkqnyKQsA==
-    username: AgBInyjzij13Ea3HB2CPXENjd6g5dJ3j3p3hgbO7oT5ld/GFgcwgjkduq5D8edouDzKEcoPMrAAS0XX46d9l618ZMxxKGdNq+Yw8intpziaI5AB9xDPesP5+mjXw08Clf5GfTMQW9SqYbNVm+GGwIKo05P3Z+cLtv8l8jqqJbMmEMQ9Ir/gRgPVbpPKFC4zX4BTuIKpaRrPiyraD2hmGXrvDaFBIt8lSmLyEh3UclW5cTBJQIRnstBv8mbIRDf4zS/bJtQPknncVASBVVHynEauMTqd4+sPdG/8y7KYsrH3rfrXWLEecmiu9E7mgxw7M6qur8qoi88KX3Ydjngy56mj3nQQ8k1knc8I50cg6yT42Z6vaKeAoqtDzkxEvOlIzXZVwikPAuIf7B7VPZSE6qz7Xgo4QQ5FGONE5JnFGLosqSqEMnBtOXEZgHCrOerJo2f3Mw1fkaJ2OLnd93w97IODIM3LU8bVsRFbjiRYPbZiM2H5f6Rnsw3M7/qlkdmXyda4xnOeSp3i39UfSrtIAJO8HPo9lk+ANOBO7Q8SBAkFXH8V2Hva4NSKtPwmBZjtOGeUDB7Nfv2KT4jvQRBdlpfLtDMDzBmq2sL7ua2Uq5u6FDy0tAmWeU4m3GGSNlheVQZSfAW3+icvs/WlqotAloTy12Dq/H6DgcRI0W2V0bRxoIQ3z6N+cAHbL892g8wdPUFu9mSBZhA==
+    username: AgCS0tZPssPP8LFwMdTWrXd64oYKb/vmEH8ir+fnc7MgnPkW9kop+hF2X7/KIWTVNe1MAkreW40DxZ6/T4UO7gGTGv52BItcQp87Rr+RMZ5Y720bhivBC33zmDXlWR7TQDMqo733cdcWRnMDvCSvzKV1Mn18iF0VqhOlDZITcyConmKIWcuzzElt90iYtC9o3UIYw6crBD6l9ikrFwU1wH9mL+FdvM8fWG83qkbJGoaqjxj5FEgMXwXFUWVzUqC8dEe8wiHcyq7eeFpyXrF7/WtAiZOwPBy6EG4zFQoRSihR+qme+pZdXP+fHVzGrcBsMxjW4l16R1MmyS9PLpA3r+LdX81K7XHPEctNihrV4U1Dmb2fkANcP2SV95Moftb160WRkfR1cElHxOJs0kaKbZ0P4k74U2UFaZSVIEw85fYm1TE0C5qnpFKktOhOhSKcia+XGG58TQLuosQCYH+P1OZ1LbFfj9O/NBmqWnH2dBIRCC5Ba6b+nNpOQaSztMeEOCSCdYmglS9MmP34zzFjusZ8hAj7ebe25gCo1UCSxYR/xEjrGQsyXY9VB9IPjVO8F7Ms9ex3KITYoib5HcMFCvDUOKl3SOmsJmzf/ahufHXRr/NdPFAoqLU6sehcNAx8LKp/795h3N3PBqol/y9Kv4xbAquz8/qY0giHJfaWcKP/LuVZ81s6MvQlnqn/UWXWzQgNo/RbZw==
  template:
    metadata:
      creationTimestamp: null
--- a/infrastructure/gitea/postgres.yaml
+++ b/infrastructure/gitea/postgres.yaml
@@ -4,7 +4,7 @@ metadata:
  name: gitea-postgres
 spec:
  instances: 1
-  imageName: ghcr.io/cloudnative-pg/postgresql:16
+  imageName: ghcr.io/cloudnative-pg/postgresql:11
  bootstrap:
    initdb:
      owner: gitea
--- a/infrastructure/metallb-system/kustomization.yaml
+++ b/infrastructure/metallb-system/kustomization.yaml
@@ -10,6 +10,6 @@ namespace: metallb-system
 helmCharts:
  - name: metallb
    repo: https://metallb.github.io/metallb
-    version: 0.14.9
+    version: 0.14.8
    releaseName: metallb
    valuesFile: values.yaml
--- a/infrastructure/monitoring/kustomization.yaml
+++ b/infrastructure/monitoring/kustomization.yaml
@@ -1,33 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: monitoring
 resources: 
  - namespace.yaml
  # prometheus-operator crds
  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.80.1
  # single prometheus instance with a thanos sidecar
  - prometheus.yaml
  - thanos-store.statefulset.yaml
  - thanos-query.deployment.yaml
  - thanos-objstore-config.sealedsecret.yaml
 images:
  - name: thanos
    newName: quay.io/thanos/thanos
    newTag: v0.37.2
 helmCharts:
  - name: loki
    releaseName: loki
    repo: https://grafana.github.io/helm-charts
    version: 6.27.0
    valuesFile: loki.values.yaml
  - name: prometheus-node-exporter
    releaseName: prometheus-node-exporter
    repo: https://prometheus-community.github.io/helm-charts
    version: 4.44.0
    valuesFile: prometheus-node-exporter.values.yaml
--- a/infrastructure/monitoring/loki.values.yaml
+++ b/infrastructure/monitoring/loki.values.yaml
@@ -1,86 +0,0 @@
 loki:
  commonConfig:
    replication_factor: 1
  schemaConfig:
    configs:
      - from: "2024-04-01"
        store: tsdb
        object_store: filesystem
        schema: v13
        index:
          prefix: loki_index_
          period: 24h
  auth_enabled: false
  pattern_ingester:
    enabled: true
  limits_config:
    allow_structured_metadata: true
    volume_enabled: true
    retention_period: 672h # 28 days retention
  ruler:
    enable_api: true
  storage:
    bucketNames:
      # don't care since we use the filesystem
      chunks: NOTUSED
      ruler: NOTUSED
      admin: NOTUSED
    type: filesystem
    filesystem:
      chunks_directory: /var/loki/chunks
      rules_directory: /var/loki/rules
      admin_api_directory: /var/loki/admin
 minio:
  enabled: false
 deploymentMode: SingleBinary
 singleBinary:
  replicas: 1
  persistence:
    # -- Enable StatefulSetAutoDeletePVC feature
    enableStatefulSetAutoDeletePVC: true
    # -- Enable persistent disk
    enabled: true
    # -- Size of persistent disk
    size: 10Gi
    # -- Storage class to be used.
    # If defined, storageClassName: <storageClass>.
    # If set to "-", storageClassName: "", which disables dynamic provisioning.
    # If empty or set to null, no storageClassName spec is
    # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS, and OpenStack).
    storageClass: nfs-client
 # -- Section for configuring optional Helm test
 helm:
  enabled: false
 # Zero out replica counts of other deployment modes
 backend:
  replicas: 0
 read:
  replicas: 0
 write:
  replicas: 0
 ingester:
  replicas: 0
 querier:
  replicas: 0
 queryFrontend:
  replicas: 0
 queryScheduler:
  replicas: 0
 distributor:
  replicas: 0
 compactor:
  replicas: 0
 indexGateway:
  replicas: 0
 bloomCompactor:
  replicas: 0
 bloomGateway:
  replicas: 0
--- a/infrastructure/monitoring/namespace.yaml
+++ b/infrastructure/monitoring/namespace.yaml
@@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
  labels:
    pod-security.kubernetes.io/enforce: privileged 
--- a/infrastructure/monitoring/prometheus-node-exporter.values.yaml
+++ b/infrastructure/monitoring/prometheus-node-exporter.values.yaml
@@ -1,18 +0,0 @@
 prometheus:
  monitor:
    enabled: true
    jobLabel: "node-exporter"
    selectorOverride:
      app.kubernetes.io/name: prometheus-node-exporter
      app.kubernetes.io/part-of: prometheus-node-exporter
 resources:
  limits:
    cpu: 200m
    memory: 50Mi
  requests:
    cpu: 100m
    memory: 30Mi
--- a/infrastructure/monitoring/thanos-objstore-config.sealedsecret.yaml
+++ b/infrastructure/monitoring/thanos-objstore-config.sealedsecret.yaml
@@ -1,16 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: thanos-objstore-config
  namespace: monitoring
 spec:
  encryptedData:
    thanos.yaml: AgAqlul2V1idfgbWvq/0ljSFlxOOsQmwlGd+jRvDDyi1nlR8woHrp7lW6AxJ/8mBtb5htCuJzLgx+HVrN/EN+fRn5xG3D5+8xs4jWBOQ49MgLSAjJavFPcVY5xiBpGaw/N8aotlbfv6Wa2/+cmiAzVDPwnOj5zCS/EU58Tu2YFeVSbMUlu0NFAeyBW0DVT2enuVLToP4Ge4T0U9F99NHOh2zlVG82iI+4RxCu/WBkOU/urVleGwCYkcr/ItmXiwRXbwnWUtEUf28Q4ArpuZXFkKZUMoIwOjkXgOn/ySBLVvf0yy1+WOcYAIX9ouxu6i4T1GAZO9RnKeMJOIyebI3EOMA2dxQFpQg2/XhhHz2Ds2oDX/yr7vXbZJGyiCvTnnFUvFALKWIjRXXWphdqHDk6iP8tFIKVFsn7UxgMVFRcs6DmcMpBgFOcjpHr4HFZap5G9hI3cscmkNfwU+JOXkDEGRpZkkECza4wlQln8Wptq1qa+I+DSclqLOcvoEvNCJCIIgh5tINJ0KiZcrBvymUZZ9VduH4TFHR/UQK7M7It892TDNUlIp2UDWiuQ2DJysOJXmvSiNo8PGWSyDJwKJPhaWqXz9RUsb4D8gq/a+0qC7DOICrJEUj7WL8dwaKoQa32Cf+wopwrjFWSE7pAfiBJo+Dqa9jHIDv2hVsdU8NXqiFK35XHyUT4i0KWc+UZg4ObotGxYMvRtJuc3S7ZGTJ4YKDP5iThuNSuNd1pd1YjirpvVtL2o5BYh2i55F3DfVREofYpBCjK1e43mHOwEUYZ7Ff6p1+S0PXZnkL53xHMiiW3yr0v1g2ZYk7vzkENb9epzm24fNX/4ZiJdb0glEJmB674bgDSeh9PA5q8nJIKk6vsbrzfaAYWIn5Ai9MPbAVfg9pPkMyy9ydd+SqecujkWm++4dHqB1WJUg=
  template:
    metadata:
      creationTimestamp: null
      name: thanos-objstore-config
      namespace: monitoring
    type: Opaque
--- a/infrastructure/pg-ha/README.md
+++ b/infrastructure/pg-ha/README.md
@@ -1,23 +1,3 @@
 # Rebuilding the kluster
-When rebuilding the kluster from scratch, the CNPG containers will be considered as new and will be set up according to their `initdb` config.
+When rebuilding the kluster from scratch, the CNPG containers 
 Since most of the clusters here are formally defined as a fresh clusters, the following will happen:
 - in the relevant PVC the `pgdata` folder will be renamed to `pgdata-old`
 - a fresh `pgdata` folder will be created
 - a database with RBAC as defined in the `initdb` config will be created
 This is problematic since the PVC content is the actual state of the database in the present setup. In order to get back to a functional state, some manual intervention is therefore required.
 1. Bootstrap the kubernetes cluster
 2. Wait for the CNPG containers to be up and running - they will be setup fresh at this point
 3. follow the procedure from [https://cloudnative-pg.io/documentation/1.20/declarative_hibernation/](https://cloudnative-pg.io/documentation/1.20/declarative_hibernation/):
    - hibernate the postgresql cluster
    - wait for the pod to be shut down
    - copy the `pgdata-old` content to the `pgdata` folder
    - de-hibernate the postgresql cluster
 4. The database should now be in a functional state
 Also see https://argo-cd.readthedocs.io/en/stable/operator-manual/applicationset/Controlling-Resource-Modification/#preserving-changes-made-to-an-applications-annotations-and-labels
--- a/infrastructure/pg-ha/kustomization.yaml
+++ b/infrastructure/pg-ha/kustomization.yaml
@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
  - name: cloudnative-pg
    releaseName: pg-controller
-    version: 0.23.0
+    version: 0.22.0
    valuesFile: values.yaml
    repo: https://cloudnative-pg.io/charts/
--- a/infrastructure/prometheus/kustomization.yaml
+++ b/infrastructure/prometheus/kustomization.yaml
@@ -0,0 +1,20 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: prometheus
 resources: 
  - namespace.yaml
  # prometheus-operator crds
  - https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.70.0/bundle.yaml
  - prometheus.yaml
  - thanos-objstore-config.sealedsecret.yaml
  # thanos deployment from kube-thanos project
  - thanos-store.statefulset.yaml
  - thanos-query.deployment.yaml
 images:
  - name: thanos
    newName: quay.io/thanos/thanos
    newTag: v0.36.1
--- a/infrastructure/prometheus/namespace.yaml
+++ b/infrastructure/prometheus/namespace.yaml
--- a/infrastructure/prometheus/prometheus.yaml
+++ b/infrastructure/prometheus/prometheus.yaml
@@ -39,7 +39,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: prometheus
-  namespace: monitoring # needs to be the same as in the kustomization.yaml
+  namespace: prometheus # needs to be the same as in the kustomization.yaml
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: Prometheus
--- a/infrastructure/prometheus/thanos-objstore-config.sealedsecret.yaml
+++ b/infrastructure/prometheus/thanos-objstore-config.sealedsecret.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: thanos-objstore-config
  namespace: prometheus
 spec:
  encryptedData:
    thanos.yaml: AgByW/LKzPh0QeNsHR8Us4bJ/0chIQErhfh5plY1tjqiZyNLlxZ+NygYYzVggW02k4gAsKs68trbLBbeTTEhpKYP8hUphNb13lrgp07wYpOQjUF57i6RjPM2QNJpO0qLSk/nOPIOtR3XKn+nXxdJDmh3j5y0zxVz5O7MLh7adwOaHlyWTLMJjI1cda8YljDp2FYs24lHHMw4gXAYUecGDJNQqw5Xy9IiGh8kBbcKe3j6bVCj1yxPbHszmvZ2s+Q+mnndXnoeLMhwjZhMF8/PETxmSZ2bs41k3lHm/2rcPQCJsl9CuJEGKhu6ndKrVhtury4/US/FheEOoGF0YZk/AQMHII/mxy8haPNxtQTDs4rfYz/BA8cMMZll44wxOY9gAOmhm3sG6GI9wcB1Z65p98xSuDaInknO80l07vwMAAvmrZbT53Fmefrxl+jE1pImcGEsL0MfP621nTXlOBW9keF+6aUOubrwjPKKSXdqZU21acNbaIeRQSJyaOBStAKLfnPFmaryGisgNu0hCk/WmszZ0/s/ilvdMdAD6kKoiKL/NWfXtHATh/fnd76bKfSzNQk6e+WWfomToYVU0HRgAaWnIzjB9Q4tjxkbRwteEodU+K1BvD4xQ0sfQB2vHlDjQGC3pjIUFCWG0SzQGb7oe6+X2CJpcNIBHwF661iELJpJkg8dLsPtwb+8Rj6BL+ZtyVKYv18nDNON0WVpwJb/IHHSmxfYD5b/q6fATCFj55IXK5Nr4VO65a2Sv5Iv0/TTUVkwb8dkMmwfs5qcQiZ4oKWx8Ol6GkjDZrFARUtHQ/9KiZ9xDj3tPic2TeQfKr27sgc4lEL8RSxaRKHkkxIAioea3YgFfBm7ZfoxMlzJnQ1vI2vDvJcRXhWKSGdXiKOddwLSVMZFsSRRi9AxH87Sjt7j1wvsA7xgBqc=
  template:
    metadata:
      creationTimestamp: null
      name: thanos-objstore-config
      namespace: prometheus
    type: Opaque
--- a/infrastructure/prometheus/thanos-query.deployment.yaml
+++ b/infrastructure/prometheus/thanos-query.deployment.yaml
--- a/infrastructure/prometheus/thanos-store.statefulset.yaml
+++ b/infrastructure/prometheus/thanos-store.statefulset.yaml
--- a/infrastructure/renovate/cronjob.yaml
+++ b/infrastructure/renovate/cronjob.yaml
@@ -3,7 +3,7 @@ kind: CronJob
 metadata:
  name: renovate
 spec:
-  schedule: '0 */2 * * *'
+  schedule: '0,30 * * * *'
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
--- a/infrastructure/renovate/kustomization.yaml
+++ b/infrastructure/renovate/kustomization.yaml
@@ -11,4 +11,4 @@ resources:
 images:
  - name: renovate/renovate
    newName: renovate/renovate
-    newTag: "39"
+    newTag: "38"
--- a/infrastructure/sealedsecrets/kustomization.yaml
+++ b/infrastructure/sealedsecrets/kustomization.yaml
@@ -9,4 +9,4 @@ resources:
 images:
  - name: controller
    newName: docker.io/bitnami/sealed-secrets-controller
-    newTag: 0.28.0
+    newTag: 0.27.1
--- a/infrastructure/traefik-system/kustomization.yaml
+++ b/infrastructure/traefik-system/kustomization.yaml
@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
  - name: traefik
    releaseName: traefik
-    version: 34.4.0
+    version: 32.1.1
    valuesFile: values.yaml
    repo: https://traefik.github.io/charts
--- a/kluster-deployments/authelia/application.yaml
+++ b/kluster-deployments/authelia/application.yaml
@@ -16,8 +16,3 @@ spec:
    automated:
      prune: true
      selfHeal: true
  ignoreDifferences:
    - group: apps/v1
      kind: Deployment
      jsonPointers:
        - /metadata/annotations
--- a/kluster-deployments/kitchenowl/application.yaml
+++ b/kluster-deployments/kitchenowl/application.yaml
@@ -1,18 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: kitchenowl-application
  namespace: argocd
 spec:
  project: apps
  source:
    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
    targetRevision: main
    path: apps/kitchenowl/
  destination:
    server: https://kubernetes.default.svc
    namespace: kitchenowl
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
--- a/kluster-deployments/kitchenowl/kustomization.yaml
+++ b/kluster-deployments/kitchenowl/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - application.yaml
--- a/kluster-deployments/kustomization.yaml
+++ b/kluster-deployments/kustomization.yaml
@@ -20,7 +20,7 @@ resources:
  - traefik/
  - external-dns/
  - external-services/
-  - monitoring/application.yaml
+  - prometheus/application.yaml
  - authelia/
  # simple apps
@@ -29,17 +29,15 @@ resources:
  - eth-physics/
  - files/
  - finance/
  - grafana/
  - homeassistant/
  - immich/
  - journal/
  - kitchenowl/
  - linkding/
  - media/
  - minecraft/application.yaml
  - monitoring/
  - ntfy/
  - paperless/
  - recipes/
  - rss/
  - todos/
  - whoami/
  - todos/
--- a/kluster-deployments/linkding/application.yaml
+++ b/kluster-deployments/linkding/application.yaml
@@ -1,18 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: linkding-application
  namespace: argocd
 spec:
  project: apps
  source:
    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
    targetRevision: main
    path: apps/linkding/
  destination:
    server: https://kubernetes.default.svc
    namespace: linkding
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
--- a/kluster-deployments/linkding/kustomization.yaml
+++ b/kluster-deployments/linkding/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - application.yaml
--- a/Show More
+++ b/Show More