Update Helm release prometheus-node-exporter to v4.49.1

Merge pull request 'Update Helm release redis to v23.2.2' (#650 ) from renovate/redis-23.x into main
Update Helm release redis to v23.2.2
2025-10-27 14:06:58 +00:00 · 2025-10-27 14:06:35 +00:00 · 2025-10-27 14:01:44 +00:00 · 2025-10-27 14:48:08 +01:00 · 2025-10-24 23:26:52 +00:00 · 2025-10-24 23:25:30 +00:00
77 changed files with 667 additions and 170 deletions
--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
 use nix
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,7 @@
 main.key
 # Helm Chart files
-charts/
+charts/
 # Nix and local environment files
 .direnv/
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # Kluster setup and IaaC using argoCD
-### Initial setup
+### Description
 #### Requirements:
 - A running k3s instance
 - `sealedsecrets` deployed
@@ -27,21 +27,61 @@ The app-of-apps will bootstrap a fully featured cluster with the following compo
    - immich
    - ...
-#### Recap
+## Setup instructions
- install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
+1. install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
    ```bash
    kubectl apply -k infrastructure/sealedsecrets
    kubectl apply -f infrastructure/sealedsecrets/main.key
    kubectl delete pod -n kube-system -l name=sealed-secrets-controller
    ```
- install argocd
+1. install argocd and the app-of-apps bundled with it
    ```bash
    kubectl apply -k infrastructure/argocd
    ```
- wait...
+
 > NOTE: The argocd kustomization already mentions some CRDs available only after the full bootstrapping (traefik). Some might fail to apply right away. Since the argo application is managed through argo as well, they will become available as all kluster applications are rolled out.
 ### Adding an application
-todo
+1. todo
 1. Don't forget to add the status badge.
 ### Status
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=authelia-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/authelia-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=backup-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/backup-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=external-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/external-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=external-dns-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/external-dns-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=gitea-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/gitea-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=metallb-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/metallb-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=monitoring-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/monitoring-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=nfs-provisioner-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/nfs-provisioner-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=pg-ha-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/pg-ha-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=renovate-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/renovate-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=sealedsecrets-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/sealedsecrets-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=traefik-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/traefik-application)
 ---
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=adguard-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/adguard-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=audiobookshelf-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/audiobookshelf-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=code-server-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/code-server-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=files-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/files-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=finance-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/finance-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=grafana-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/grafana-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=homeassistant-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/homeassistant-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=immich-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/immich-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=kitchenowl-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/kitchenowl-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=linkding-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/linkding-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=media-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/media-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=minecraft-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/minecraft-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=ntfy-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/ntfy-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=paperless-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/paperless-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=recipes-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/recipes-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=rss-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/rss-application)
 ---
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=journal-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/journal-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=physics-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/physics-application)
--- a/apps/adguard/kustomization.yaml
+++ b/apps/adguard/kustomization.yaml
@@ -10,7 +10,7 @@ resources:
 images:
  - name: adguard/adguardhome
    newName: adguard/adguardhome
-    newTag: v0.107.63
+    newTag: v0.107.67
 namespace: adguard
--- a/apps/audiobookshelf/kustomization.yaml
+++ b/apps/audiobookshelf/kustomization.yaml
@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
  - name: audiobookshelf
    newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.25.1"
+    newTag: "2.29.0"
--- a/apps/code-server/kustomization.yaml
+++ b/apps/code-server/kustomization.yaml
@@ -12,4 +12,4 @@ namespace: code-server
 images:
  - name: code-server
    newName: ghcr.io/coder/code-server
-    newTag: 4.100.3-fedora
+    newTag: 4.104.3-fedora
--- a/apps/files/kustomization.yaml
+++ b/apps/files/kustomization.yaml
@@ -13,4 +13,4 @@ namespace: files
 images:
  - name: ocis
    newName: owncloud/ocis
-    newTag: "7.1.3"
+    newTag: "7.3.0"
--- a/apps/finance/actualbudget.deployment.yaml
+++ b/apps/finance/actualbudget.deployment.yaml
@@ -21,6 +21,9 @@ spec:
          env:
            - name: TZ
              value: Europe/Berlin
          envFrom:
            - secretRef:
                name: actualbudget-oidc
          volumeMounts:
            - name: data
              mountPath: /data
--- a/apps/finance/kustomization.yaml
+++ b/apps/finance/kustomization.yaml
@@ -9,8 +9,9 @@ resources:
  - actualbudget.deployment.yaml
  - actualbudget.service.yaml
  - actualbudget.ingress.yaml
  - oidc.sealedsecret.yaml
 images:
  - name: actualbudget
    newName: actualbudget/actual-server
-    newTag: 25.6.1
+    newTag: 25.10.0
--- a/apps/finance/oidc.sealedsecret.yaml
+++ b/apps/finance/oidc.sealedsecret.yaml
@@ -0,0 +1,19 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: actualbudget-oidc
  namespace: finance
 spec:
  encryptedData:
    ACTUAL_OPENID_AUTH_METHOD: AgAhPqooAS/7R9S/X3KGfSfs3ClN38J9CEfkUTYAUvKGEehQ2Tz3thPNvhvnbz/gKRc7C172jgxoxaGMiVXi40Qa+I7Y8JVHefjoSd8NuubzQZU8ZK5KlYRgc5OnoPM3RLarHyZ2DFw5Q/ngv3sp1c5dSI4/604KSQPxVAFCnb/lnSkOsBggDRymWvYclx1NrLIClpLAFwHgCOm6g1kHCvtGIdBLxKOHsiRJm62+UyHt0GLkR0QFTDXBQxoBm9QR9kLjQqw/QqcOIVx1by0RHoHBI6HDEEIQVH3UgWqlMmIwm+a4KQeBEdEfWLn9YC8MGSdlQRlaZoi5ltFT2c/DWuMuRStnaOWbsMQVR+y6yJ2UNBe29uVQh6877iqfmAJvT6gXic73zI7Vkq6IFQ7veQPBaTi22HP/sxiElGI8rY0LtRHD4TctKSePaOPvsgrv8k8SpB5qYAft7UonbTPWzzRSSc4Y3Z4fQiD0x/uhtTqTTtukx39nzM2TjVGcJThWaxUGa07w1fjTafieFVwwreURBUpRK92X2NY3ovOdA9c1WrHfqIzVtpcnfQyCeA5D4XT2sBFk0+crwEm1GmtscjPkGnyctNMUSmkHd+QKw8EAmWxKge4+7rfOrZp5ZK7cBFJcB4gVQcxnm3bXr0qZyiA1udaxmSxVflQR2AjduvhKuE73AGPi0bJki5TvKJp6bavTotYfdMY=
    ACTUAL_OPENID_CLIENT_ID: AgA6X0uYaU1n4XSXVntmT4+NgahYkkMVx61OZP8ExnSMkRPlwQfErhNHrwKsTsnD8OzP3svhxBe5bwaI8O1OKF0k5pQWG0DbRfmBrwiep9nBsKPt+fQm0AJUsZ2sQNShusmsSEumBKbMD0CMPklVMq18tLpOIh/YaXM34lsOutW0SIx7HWWQsyLmoolEoRVdkKvDhoh3FXjKqzGYlr1uKuqYG7pJPsxEpsTs2pZTUIlB2gVcEqb/ZXxgkj01GDYzB519swIOfYdISj7oCR8VG90M9iDrgmxsPkWozMDxFjNo5JR2dB9wvP7ptFex8JonbZZXYZD7tE+36U8iys6Cjh6JGwr9luN1AxYYSkRrNWJd2CuID+8ujWptoTvRSO0RwiVVp5LhXe1l2GxLsS2UVtO+nbWH6DGMJei4DQ+LAxDXFR8FAvi7615cneN0umQfF4ZMUJirvxHA3tFN42tbnRmSCbLAZLNLhQq8VbRmkYOAN6LCzSKYlyhSyA3NM2HjRTFkXGUhOPL+3tPZJB4v0QlEhlhy1Ffxh2mbUXgmQ+ZHGUsBXEHfc/Gba6gJhsj6S2DkiAeZUW6euY5/v4vpveWsS+YS+BxH441//8mOJnrpsWrcQbM5yCk4WMnmpETy/VFEkc3dqYfVWHDfvwAeqjVfXAovXBmwOoCASG6qDf0P7FdeLFTHUNuahyNhBzhBAQ/yNpOkbzKTJFBWwnM=
    ACTUAL_OPENID_CLIENT_SECRET: AgAbJinP4E8rbGAw7BTfh/GB3XxQOfHiLFrgaikQbUIsmZu+Y6ktK7aJdcX2/g6yhHXX6z8p4xoYTaGgkpo8H0XWvUDT4ohqJVdJSWZgNx8MyzisVKi+51BEpslL4JvGo/ISjXT0hNeYGzFXlHnnr3LX+fuTVh3dKtk4t8nmR8SqaCCIyvKiBPmX/1QWo4Vrfw7OLpVlfGP0i3J7FrhjNgKMRWcQKQC4Ohk+NLHHghdtqzuFB8eKwcuBZmynKCVyblOhwZSL5WnyJPskWLMjNEizWuCubDdyHVY3ZqYLDe5dgoi7Gop5/xY7FEuEkmTL0g7LpKo4RkEKRLjsZwWtW+xN6HRRt7zGoUdIpo20ZnTtEH8C/qcxjHKUycFvzKLnk6ntq5rEdK2/MhBtMfd3a8pb4vpT9JNra1AWsB7zCUv4yc/FT0RpkL+1r1CVva4o+tzM8ojnm4o0ch6qsGb0IOYZvJx6sF7c6aj7c41YQK3ZrQF3bhhhEHYyWOBjy1V4T/GJPZ9CbhGG0PIsSvpW7d5pG5jNAwU/Xo6FL/vVUPwmSq/hCqYMSSSKNiMH/q/vzKyu5B5aQbNDAumzsLRqD/auJz8nAaUoLNBVHq+7zTs3wV7pEayY22teq/MN5PRtYOQLE5Ck60gv9Q70cfhgvTeK+eX4h9BbhfijCV/EiSYhLP7meeIpE80icdLUSkNROfW+0sf3RNbW5q3JX8PsW0h29VJgREJdlziLj2cCshe+ww==
    ACTUAL_OPENID_DISCOVERY_URL: AgAQVZX6r8SPkwwBR1dmUF/ahuZKkGSsU/GULe5PF7Nm75UadtjPb5aHAZjWE59MdV61DQZDa4KJz1/fW4xDUrJBuUElIRQH4oyMTQG12MSMauQpLd25SVU8ex2NYyerbd85j521FSxujP0l3941KGsENLt5wCx/idXu47txhAHgS81mj3CLfWzT5yyG+V1i48a24xK905v+ft5ZKuNLOxvVb6yZSBt1j/3egx49eB49CRk/dxYQtPpSw8Zb6KgaN+skjq5HTH/Neb4J92nlJ1aFPVKbFLbtxyIHDSoO35U8ODHEJVGKBbZjjfrrjCpmQYnZPEWN9s+xj2NAXZ7qANcJfbFEF/3bOiKZhc0jLM5MyhiMZoytn4FvGM8zxINC3z8zqaWJm1wiMXEUH3/FLUa2UWeHKQB14h0f5XGwytb3s/nPCoBnHhtOK1y4utJ2APsQhRsxySZjgYNRaRCarp8PntY7yB7VHYlv5Mitx+qBWcAUmcKp1I4NTnm1LORRGzIFcrJJKtQfqcW7GNuZDA3AiLGyOMVigcA93GnPbppor5BItE9FK/BKqrR4Bz31jXSO8S7pjhi3JxBIKEMmMZRVbyelJ9o7gTpqrBvO7KZ5v/L+mlE0J8D2LZoEWPqxfa/BE+QZfwIS3wDWQl1GTruaAM4u0bp4i9GkyK3hPVXnml3dNMElSG3GvNqHhhy1Boo1cHXHbQ5YzbkGgzL9fLkigVQCi0FKItyBxdGsui9U0OU5LNi0EGKBibs22mdDkp6f051GWeMidtSwz9j5
    ACTUAL_OPENID_SERVER_HOSTNAME: AgB+C31GqtPKbMifuTFYhwOgUwXph+RQYdnVQaVIaDiveE6Lydl/2HnTyFQIi2mhrbiCpDgegXuvGBoM7WHxlPepny5E66lY/cAdFaFDGMARqMXCRLVmvkt3U1IyNn9zPCPil0x+eAv2S/ETLm8Nj2OL9utxkdNBHub9xiGrE0d7qBeBfK1FNmainthYQUpnCsR7jowmmvYGuEyDwfG+suUooDdb5zaWmCJZRYk1jKD3zlu21N0sfciBJ/GpTdz/2V+NXqJJqs3r2zoB2GJPQ64pMuZHZ+yw8bYUkg7/QOHD2ofWmtzNOGGtiNRHAG8MtvF6ovc4Hgv5uu+4x413UP6pSIJsrHrXSHYP+mvu+ya3gNUn6YK2qymezrqbvUF/n7LoaDzTRqa0PmemtdskuABiwfqrdiOarxaWjomkXqnrBK6VkJ8PhOMDMv/j/c6zlXdhpnqlUyxMcjBjqicfNBWN8UByDIEw4D0rhibzOS4fIKjNHrmXHv39GNJsY90avhZqq42oTMJL0vcaj3v4pBZJdJ05TOvY7PQ/iUwnnczGqOtpAQtBKfCV2+PXp9o/64wOGc0Br322kSpzjIleWP9VWVgbqvwMjUGtlL+xTkCaOFpiYETxUim09c745WDc+YgU55rd5i/5t20wiKy7RSYnHvYOwvdjAlEgAnD0YZBXOQkL51nL9P+nOMAYBE0HiM1vYsd8R6h6Fk+G2gcs/2CLgwglqOtMwAm9A9+5qSqyMak6Z68=
  template:
    metadata:
      creationTimestamp: null
      name: actualbudget-oidc
      namespace: finance
--- a/apps/grafana/grafana.values.yaml
+++ b/apps/grafana/grafana.values.yaml
@@ -85,13 +85,14 @@ grafana.ini:
  auth.generic_oauth:
    name: Authelia
    enabled: true
-    allow_sign_up: true
+    icon: signin
    client_id: grafana
    client_secret: ${AUTH_GRAFANA_CLIENT_SECRET}
    scopes: openid profile email groups
    empty_scopes: false
    auth_url: https://auth.kluster.moll.re/api/oidc/authorization
    token_url: https://auth.kluster.moll.re/api/oidc/token
-    api_url: https://auth.kluster.moll.re/api/oidc/authorization/userinfo
+    api_url: https://auth.kluster.moll.re/api/oidc/userinfo
    tls_skip_verify_insecure: true
    auto_login: true
    use_pkce: true
--- a/apps/grafana/kustomization.yaml
+++ b/apps/grafana/kustomization.yaml
@@ -17,5 +17,5 @@ helmCharts:
  - releaseName: grafana
    name: grafana
    repo: https://grafana.github.io/helm-charts
-    version: 9.2.9
+    version: 10.1.2
    valuesFile: grafana.values.yaml
--- a/apps/homeassistant/base/deployment.yaml
+++ b/apps/homeassistant/base/deployment.yaml
@@ -34,4 +34,3 @@ spec:
        - name: config-dir
          persistentVolumeClaim:
            claimName: config
--- a/apps/homeassistant/base/ingress.yaml
+++ b/apps/homeassistant/base/ingress.yaml
@@ -1,17 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: homeassistant-ingress
+  name: homeassistant
 spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`home.kluster.moll.re`) && !Path(`/api/prometheus`)
+    - match: Host(`homeassistant.kluster.moll.re`)
      middlewares:
-        - name: homeassistant-websocket
+        - name: homeassistant
      kind: Rule
      services:
-        - name: homeassistant-web
+        - name: homeassistant
          port: 8123
  tls:
    certResolver: default-tls
@@ -19,7 +19,7 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: homeassistant-websocket
+  name: homeassistant
 spec:
  headers:
    customRequestHeaders:
--- a/apps/homeassistant/base/kustomization.yaml
+++ b/apps/homeassistant/base/kustomization.yaml
@@ -0,0 +1,20 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  # - namespace.yaml # not managed by kustomize but created as needed by the argo app. creates conflicts otherwise since both overlays share the same namespace
  - ingress.yaml
  - pvc.yaml
  - service.yaml
  - deployment.yaml
  - servicemonitor.yaml
 images:
  - name: homeassistant
    newName: homeassistant/home-assistant
    newTag: "2025.10"
 configurations:
  # allow nameReference to work with different mentions of the same resource as well
  - name_reference.yaml
--- a/apps/homeassistant/base/name_reference.yaml
+++ b/apps/homeassistant/base/name_reference.yaml
@@ -0,0 +1,32 @@
 nameReference:
  # Tie target Service metadata.name to other ingressroute fields
  - kind: Service
    fieldSpecs:
      # rewrite the backend service name
      - kind: IngressRoute
        group: traefik.io
        version: v1alpha1
        path: spec/routes/services/name
      # adapt the ingress url
      # DOES NOT WORK
      - kind: IngressRoute
        group: traefik.io
        version: v1alpha1
        path: /spec/routes/match
        create: false
      # adapt any middleware names
      - kind: IngressRoute
        group: traefik.io
        version: v1alpha1
        path: spec/routes/middlewares/name
  # Update deployment volume mounts according to name changes in the sealedsecret
  - kind: SealedSecret
    fieldSpecs:
      # volume mounts:
      - kind: Deployment
        group: apps
        version: v1
        path: spec/template/spec/volumes/secret/secretName
--- a/apps/homeassistant/base/namespace.yaml
+++ b/apps/homeassistant/base/namespace.yaml
--- a/apps/homeassistant/base/pvc.yaml
+++ b/apps/homeassistant/base/pvc.yaml
--- a/apps/homeassistant/base/service.yaml
+++ b/apps/homeassistant/base/service.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: homeassistant-web
+  name: homeassistant
  labels:
    app: homeassistant
 spec:
@@ -10,4 +10,4 @@ spec:
  ports:
  - port: 8123
    targetPort: 8123
-    name: http
+    name: http
--- a/apps/homeassistant/base/servicemonitor.yaml
+++ b/apps/homeassistant/base/servicemonitor.yaml
--- a/apps/homeassistant/kustomization.yaml
+++ b/apps/homeassistant/kustomization.yaml
@@ -1,18 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: homeassistant
 resources: 
  - namespace.yaml
  - ingress.yaml
  - pvc.yaml
  - service.yaml
  - deployment.yaml
  - servicemonitor.yaml
 images:
  - name: homeassistant
    newName: homeassistant/home-assistant
    newTag: "2025.6"
--- a/apps/homeassistant/overlays/flat/ingress.patch.yaml
+++ b/apps/homeassistant/overlays/flat/ingress.patch.yaml
@@ -0,0 +1,3 @@
 - op: replace
  path: /spec/routes/0/match
  value: Host(`home.kluster.moll.re`)
--- a/apps/homeassistant/overlays/flat/kustomization.yaml
+++ b/apps/homeassistant/overlays/flat/kustomization.yaml
@@ -0,0 +1,17 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ../../base
 namespace: homeassistant
 nameSuffix: -flat
 labels:
  - includeSelectors: true
    pairs:
      env: flat
 patches:
  - path: ingress.patch.yaml
    target:
      kind: IngressRoute
--- a/apps/homeassistant/overlays/house/ingress.patch.yaml
+++ b/apps/homeassistant/overlays/house/ingress.patch.yaml
@@ -0,0 +1,3 @@
 - op: replace
  path: /spec/routes/0/match
  value: Host(`home-house.kluster.moll.re`)
--- a/apps/homeassistant/overlays/house/kustomization.yaml
+++ b/apps/homeassistant/overlays/house/kustomization.yaml
@@ -0,0 +1,28 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ../../base
  - wireguard-config.sealedsecret.yaml
 namespace: homeassistant
 nameSuffix: -house
 labels:
  - includeSelectors: true
    pairs:
      env: house
 images:
  - name: wireguard
    newName: ghcr.io/linuxserver/wireguard
    newTag: "1.0.20250521"
 patches:
  - path: wireguard.deployment.yaml
    target:
      kind: Deployment
      name: homeassistant
  - path: ingress.patch.yaml
    target:
      kind: IngressRoute
--- a/apps/homeassistant/overlays/house/wireguard-config.sealedsecret.yaml
+++ b/apps/homeassistant/overlays/house/wireguard-config.sealedsecret.yaml
@@ -0,0 +1,17 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  # WARNING - the originial secret was named wireguard-config-house, but we remove the suffix here, anticipating that it will be created by the kustomization overlay
  name: wireguard-config
  namespace: homeassistant
 spec:
  encryptedData:
    wireguard.conf: AgAz726k7X6IsabWUPX8kQ8r19mBq/N+YytlFS1gW2LUiYqc6H/O5/tqma5lLcazuxtsQhebeoitp2SkH7jTU8vRxn2tDWpyzcJr+BW4vKnghw5NhMbkNOzl7mvc7QIJk6rmRyD1umu33v6x8u3St9TVsUOI1zXJyXHxlbLdHVCORhgV79CGLjghpi23KyyFu6LzNrE5rhpB0Q7NzPUmbm5MHPNbtLsmImd/CZ9XjbyXSq0be8BgpUtGDE/NMx65G2+lLIw3EgbNwlirw/XKrM+pUIvEI6CxuNhbEM7KxCYlq2Du6bm7XsKHRzNu9oSfH+P4DaDoDt+M5k5miv4B8TIKXg7piy5mThXSTcVf5YpLJCiTfMDZOriG1ygr9gbJPYY1jumZA+vsZCvBx1o21BlNycWZWKBeYZZh47Hz9FGI/Smn8dOs5exZ34MrQtM4OuEqC/cJY8fdQ+nmGMezL0IKdbtpWgq5UqNH/wWv3F9kItB4KlSD4YtEGaY2z68BJG6t+9igSJCWmVca0EbOzhV0s5rI39ASVXOO50x774EEWUueoyfI+l5vwtQhc96I5Qn3kbFhwov0tHMg/IGBtS/7XdBBtOBx9KbcUHq1GlwWzQdw8WnRB6yyUVCqXyuExRhMPz5orqkTQwiUM2Fjse7xxnaEA0mbi0TVPKV/sFgWixvHqy3VAc1Jj6MEAWFAu+kPVlOFFCckEC5kPhNPFhBMeYX/3IblRjly/EHvrbrW/eFjNYE7bqpSCVhkB8bOXbJqt29V3+ffM1z/RkdSusgqdwid9CXhQw6SKAI/vcAqqxXdzcsbG1wsgP9bJ1Gk/i9ch8zUn7MwcFe6Tla86+xeiDIAmQmA7rhtmWhyyuxXdw+HXAFNhrbxHaUw3LZOExM+RzhWNepjSLnCBqnrtPkzFrHE02JKebWzX+IRZIOsEXJVhKTiSSjoB2v8h956kO+C7bdHz8GbxoJKJ7anrqFG13A//XLy5PvKr50qs/gQptrl9UtR7oj981bSDTVVa8h3OXbGLkZXly/qxsh5DlEjwnw2/2UqS+5yTT4FO/dNVtHryJ2tbc8ZuIHb6C/pQygqpseagthkm5T+Dv0T2xWpXFrvuktGNm58Cwg9bwNMcC6iofcjQP5JeNcat3RwzbJ9xwU4Nm8xLRMMc0ul6xUHRrL3ZjDfWHLuSuTp28HqXZ6xSKLlrRVjwZ6Mp/hhxj58SfVfLVIQxatGkwnIaHEFWE2n3S7m/iQO9tZIWCx5Yfs15atb1Ze8HjKjQ4o3sfaMD8Eokj9aFnXQQxpnOuSI3NLETe79QQ==
  template:
    metadata:
      creationTimestamp: null
      name: wireguard-config-house
      namespace: homeassistant
    type: Opaque
--- a/apps/homeassistant/overlays/house/wireguard.deployment.yaml
+++ b/apps/homeassistant/overlays/house/wireguard.deployment.yaml
@@ -0,0 +1,24 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: homeassistant
 spec:
  template:
    spec:
      containers:
      - name: wireguard-sidecar
        image: wireguard
        securityContext:
          privileged: true
        volumeMounts:
        - name: wireguard-config
          mountPath: /config/wg_confs/
      volumes:
      - name: wireguard-config
        secret:
          secretName: wireguard-config
--- a/apps/immich/immich.postgres.yaml
+++ b/apps/immich/immich.postgres.yaml
@@ -0,0 +1,39 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: immich-postgresql
 spec:
  instances: 1
  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:16-0.3.0
  bootstrap:
    initdb:
      owner: immich
      database: immich
      secret:
        name: postgres-password
      dataChecksums: true
      postInitApplicationSQL:
        - ALTER USER immich WITH SUPERUSER;
        - CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
        - CREATE EXTENSION IF NOT EXISTS "cube";
        - CREATE EXTENSION IF NOT EXISTS "earthdistance";
  postgresql:
    shared_preload_libraries:
      - "vchord.so"
  storage:
    size: 5Gi
    storageClass: nfs-client
  monitoring:
    enablePodMonitor: true
  resources:
    limits:
      cpu: 2
      memory: 1024Mi
    requests:
      cpu: 50m
      memory: 512Mi
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
@@ -1,10 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: 
+resources:
  - namespace.yaml
  - ingress.yaml
  - pvc.yaml
-  - postgres.yaml
+  - immich.postgres.yaml
  - postgres.sealedsecret.yaml
  - servicemonitor.yaml
@@ -22,9 +22,9 @@ helmCharts:
 images:
  - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.132.3
+    newTag: v1.144.1
  - name: ghcr.io/immich-app/immich-server
-    newTag: v1.132.3
+    newTag: v1.144.1
 patches:
--- a/apps/immich/values.yaml
+++ b/apps/immich/values.yaml
@@ -6,8 +6,8 @@
 env:
  REDIS_HOSTNAME: '{{ printf "%s-redis-master" .Release.Name }}'
-  DB_HOSTNAME: "immich-postgres-rw"
+  DB_HOSTNAME: "immich-postgresql-rw"
-  DB_USERNAME: 
+  DB_USERNAME:
    valueFrom:
      secretKeyRef:
        name: postgres-password
@@ -56,7 +56,7 @@ machine-learning:
  persistence:
    cache:
      enabled: true
-      size: 10Gi
+      size: 200Gi
      # Optional: Set this to pvc to avoid downloading the ML models every start.
      type: emptyDir
      accessMode: ReadWriteMany
--- a/apps/kitchenowl/kustomization.yaml
+++ b/apps/kitchenowl/kustomization.yaml
@@ -14,4 +14,4 @@ namespace: kitchenowl
 images:
  - name: kitchenowl
    newName: tombursch/kitchenowl
-    newTag: v0.7.1
+    newTag: v0.7.4
--- a/apps/linkding/kustomization.yaml
+++ b/apps/linkding/kustomization.yaml
@@ -13,4 +13,4 @@ namespace: linkding
 images:
  - name: linkding
    newName: sissbruecker/linkding
-    newTag: "1.41.0"
+    newTag: "1.44.1"
--- a/apps/minecraft/job.yaml
+++ b/apps/minecraft/job.yaml
@@ -42,7 +42,7 @@ spec:
              name: curseforge-api
              key: key
        - name: CF_PAGE_URL
-          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5925838"
+          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/6807187"
        - name: VERSION
          value: "1.18.2"
        - name: INIT_MEMORY
--- a/apps/minecraft/kustomization.yaml
+++ b/apps/minecraft/kustomization.yaml
@@ -21,4 +21,4 @@ images:
    newTag: "3.22"
  - name: rsync
    newName: eeacms/rsync
-    newTag: "2.6"
+    newTag: "3.0"
--- a/apps/ntfy/kustomization.yaml
+++ b/apps/ntfy/kustomization.yaml
@@ -13,4 +13,4 @@ resources:
 images:
  - name: binwiederhier/ntfy
    newName: binwiederhier/ntfy
-    newTag: v2.12.0
+    newTag: v2.14.0
--- a/apps/paperless/kustomization.yaml
+++ b/apps/paperless/kustomization.yaml
@@ -14,14 +14,14 @@ namespace: paperless
 images:
  - name: paperless
    newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.17.1"
+    newTag: "2.18.4"
 helmCharts:
  - name: redis
    releaseName: redis
    repo: https://charts.bitnami.com/bitnami
-    version: 21.2.6
+    version: 23.2.2
    valuesInline:
      auth:
        enabled: false
--- a/apps/recipes/kustomization.yaml
+++ b/apps/recipes/kustomization.yaml
@@ -13,5 +13,5 @@ resources:
 images:
  - name: mealie
-    newTag: v2.8.0
+    newTag: v3.3.2
    newName: ghcr.io/mealie-recipes/mealie
--- a/apps/stump/kustomization.yaml
+++ b/apps/stump/kustomization.yaml
@@ -14,4 +14,4 @@ namespace: stump
 images:
  - name: stump
    newName: aaronleopold/stump
-    newTag: "0.0.10"
+    newTag: "0.0.12"
--- a/default.nix
+++ b/default.nix
@@ -0,0 +1,15 @@
 { pkgs ? import <nixpkgs> {} }:
 pkgs.mkShell {
  name = "infra-shell";
  buildInputs = with pkgs; [
    kubeseal
    yq
    jq
  ];
  env = {
  };
 }
--- a/infrastructure/argocd/argocd.configmap.yaml
+++ b/infrastructure/argocd/argocd.configmap.yaml
@@ -3,9 +3,9 @@ kind: ConfigMap
 metadata:
  name: argocd-cm
 data:
  # enable helm when using kustomize
  kustomize.buildOptions: --enable-helm
  # switch to annotation based resource tracking as per
  # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_tracking/
  application.resourceTrackingMethod: annotation+label
  # disable admin user - use oidc
  admin.enabled: "false"
  # show neat status badges in the UI or as embeds
  statusbadge.enabled: "true"
--- a/infrastructure/argocd/kustomization.yaml
+++ b/infrastructure/argocd/kustomization.yaml
@@ -4,7 +4,7 @@ kind: Kustomization
 namespace: argocd
 resources:
  - namespace.yaml
-  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v2.14.15
+  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.1.9
  - ingress.yaml
  - argo-apps.application.yaml
  - bootstrap-repo.sealedsecret.yaml
--- a/infrastructure/authelia/README.md
+++ b/infrastructure/authelia/README.md
@@ -6,5 +6,3 @@ k exec -it  -n authelia deployments/authelia -- authelia crypto hash generate pb
 ```
 give the client the hash, store the secret in `authelia-oidc.secret.yaml` and seal it.
 }cnnhzH|Mf/yLn(v4rF#>KnGMgUS+TY
--- a/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
@@ -7,14 +7,16 @@ metadata:
  namespace: authelia
 spec:
  encryptedData:
-    client.argocd: AgBWKTgzqy1UjMClw8+9MKCZAM53ErvunxeIMkyPkOvioGN5+QuvtT3rSCNJentXEhIK3V1mt0kYNb0yLei+W8o2Vgr/wqvPfA+JbtgfPKuHg1eayTXDB7TPXG8MzONM75pPEq6nTSz7YOfu5AU0OjX/3D4E8lBD3hCfEteAA6tbxplD0P17yEzQTspPbXh+YNRY8/BmRr4xbp3aDdekeYfrZ8HQaYOCs6vl3JH4SvYoPGxrsSS2muZEPESmWBBC72NcFVnpNG4i106qxwvMlfOwKz4+FQsHMZAdRYmXayefwMWTxOC4MN1VUE3S6FDZlU5Zds52qOF1bO8w0cLyFaILtcPkjV0w+7eCUhrYx3CzyaCnVAHBBwvUt3VZ+g7RESI+Qc0CDV5IwTpj0R0Z4K8ieGMr/gEU83Wm5Hv66aneZppAJV5E8BixIdFTAoZlLNXg3Q6R6I8PrcnTlF9IzBbrWBrE1MuYgvzIIZm4+lohV+jhJcOPgRANxVkDwAz1Sk3AfHFwKtxtzwjvpOyr+R49+I14GGyKtUcZjHioSUSiTqV4JOYvFmSDXsy5CrzFdO4zCn5jMhkGRWztBJY9nN1Ui5yODag2S7TVsCgcYNF0tItaNMHmhkez/NoWFDUvcNwr/+hGC+DQN0xoZTO3vskyW0RGKjBSnoI5QUnuJqFJsRymh7VpRvMr2C+0Tvk1nEoOoRmA65aRJScgp/acZl4UXhwOjyIpSNzai9kvIj5PVVf6+78z11h5c9w+vF1IDKCDGGgjrnXBeHFGoty35UVGOGOXQoQbLXyYu9ZWN6i6garwl5ATwea8oaUB1h1xweoqSz6xrHcLmjqWLbm8Me4eSA3TjvsD8gtnhAfnVAETxBT3UQ==
+    client.actualbudget: AgCfKgV0f3oEB+04Xk7qg3bE4omsXQQxTga/5O38714RNSSeYtcBTcVGbfu7jfOmuVOX8OXQPIWhcHRVnHdOyd75mEpAmYyHw5M9RfqoRHWRPgzu2lBIMHxrFXoy6Vr5b7UXAfpdKPcQddERFqSy+uklO1npwbPHh1YMdDxLGA7l+HQo+rVnShiUbFUJeuhUoZAsluO4awBWmG1jyiwVRjlc1MiQFnvy/lZHnJJ7PAGgZxtoKfG2zATuFaJXHLPuqhV/fPclegKCbY6FdaQUmiQqZqH2tQlsTNOykozY1/VToLJNQw4RZwhS1mA3giM+zPOzdwWtxZg9LLWzm9oZjNbJU0LZX6E2tmQ6vZl9UBRfVx5Vx1ermNTLmWkvFybX870uRRRTF79N83v5q2QbM4hVgSkKZwwplzodoveoQYtpPL6oJZFxiPBR8VoBtIG4gUHUiMmdKJg4Fs+IsvECOE87JmZHsHVgRhNcCi6uZrobk1D9CFCsyIJog0h/U5zxlMHc8GcTR+p+zvkawooD12n4TB/2lOm+yL3/VPx0j8Y1H2xuYk7EorMGsYiQ+Q//HNZkpGsTRlVYTQp3napvsbvBK+Ekh8tPHsIWGSQueK8k6T1wTAUQaBhWdorwKre8oeBpdG4BgX17MRmeYs+vkJx/sKGhBMHIx2wFROXZIWBzo37nHHRIfjSFkIcxZGwPLoQ9YSVn44XCRQh7zE2ZRzQKV+d5Hs70GHiaFwzZs+sd7wDd211p027AYdLIiDpBwO/f0bgQzvBMBNWZ83InGa9s+r2LruxVj+wD0dnw73SgEiZR2TvFdBpj2T+YMCcMnIVwulpm94cWhEIFgRQwIKmwdfTWB7HdN84Jf+bi4SgRcvpRVw==
-    client.gitea: AgBEIzadyU5+RT5nKUII3EPXfi4yl52FzvQQxEfX8T5845fAQh0/8ay/E3oXKjH/MvsnPWvIwBfAG3DZ6LBVt39SOA3+5csbcwgQn8ZSigfriowkGJKiSu/UhqloiCuIvzZwu7CrTUaAdrWdMOpYvVPts0TYUUdA5tcPGYyw4Sd4Z5hi22+NeMoCdMl67iag31I0PLEWl92WQcQ/V/sOKuLm0p8TEIZaPyCHLBwUPbD7Hvka6JhrkmkybnOJfmQLrHAblPptVlIOVwER3e3Wrzvh6YfOq3KUtFboeyLRRafOy4j5j0dWXj21WLznomH644ioUeysAG6gP/HZthuNMTUydz2dsWtIu5J82jP9bbjUibZeQIHjS1Y1eqPSd9lJWNjWBb69xuDIewLZ75rfOuTdVp83+iGkha2yhc8OEHBaXRFO3zDL/eYSuBGxLRtSR30WSHD6sgGmrGzSShAlM7MnuSU8tqeHtmLuKH85ls89HvVvgn6ZVj5+P6dmHctFM1tp8Q97nUeZZGbThT0DztKExNTdb1yCsb9m8lDxX7avGfBYvx7ntqBdxz5CurbFvEYi/9C98EYZycaurjUIRBjEgbT7vHkIIvJBy1JDVZYDFzNGkvZ0oOhehANvx9UNKeb32iCV3ypGE7oXF0/WFdFImSZWfTHVpqOUN+LJTnZylkwcyByp8Ut4R7xS5by/bBV846LK985fzCRWldHk0U7xli1FUvqHMvocOTsrwVjWtE0C9X+GDQMAJEP7z5xWlMCEePjEZq2/OPHXiRlDZ/rQfQS5zpkIZAK/vaiRCZ/arpN0RslwOzIDnnyFJB0jqhIsXf1JUDZUis7yLtnyaVh3I9a0EXrPu49ItBk7XdSNMYJ9Hg==
+    client.argocd: AgDArHcXxQMBvhBY0hwOYqal31JlFna7GQg6s41+XAUTsb1ahFeCCFfLv/WI993y5NMvH3CpnJtPFiunc1JT4yxLTZROKVrSrwjjrDKRuVt57lb8lz6gtNR3ucvpTXjqEO6FXTNL6w+j+ZIWybrdBUheQCj41aYvQ7TP3lTyLcxQSL/UpWLKnXW+jkibqsDqVVaGG26gNniOBg2GoI1bWHvZ+ZUBy/eZflOH9lgLo1vMNw9M+fP9EeuU3CDj717zS00n8X/vDAxGJF7AIVbllqNRX0NilgKwYCfoS79fuUYhzYSI1jYMPCQvdlTLa4bA88wfkomZstVgVtWxel0IaulDOnDgKYonkRqlCDYw+oMC/d4k3xKTEugfV9Ihx9isYZYv4+31v6QTkXFFj5VQlWSDDPllmV1XWfAdRDwT6CVhg5tKWOPWb/YHZJz+idDPEGn5qiklJ7Ar9YEJfuzkfAjCaq4XBjDFKyTfZGeTuLjbq6HnigKlQFdSNOG64QzBbQu6tmR5otipQDbquxhzGRDdCP3uPFy/CXNOn1J2UrGZamWdQzrO6lQQBypFHGAV4ltRrQcp72krPIeL4hPLr8WbUwbUFtESSN2aOYWqs+hnAmcxqy3hqEcouky1K+drgqsAgTp4EkRRwnQXHGrAi3bEeoPqoS8Ec0xfgs529322acKyjOLEObqtNuC/3hg5kNL2fu58MJeoJ1Q2U9pvbAsCrpHJHd9DmHbVwC6orBfL1P50USvTsFm+UikdJpfesLxEGDiUKSU2Al6ntHzswcB304J2Zdb8zrIZaFXs+bmSUoT1Ml+/PqySZc04Fgt7uNBh48nKsl2OlmdGKiKXafxTVBewYWJd6uDkji375i+Ji/5rEg==
-    client.grafana: AgAuT9f75mVVegFb5kC7v0wq/myoG6JlN8DLvY2tBqqCJ3pDMaFkVSALustQvUxpQ3UDFndKk3vF3rL/ot2h4R5dQO82guqR5rnyi7dGgf4+guV31V+Pz+cMKMNGDzvP6gq1+ePuGgR8Q70OKKk28Neiv1zd0quzKNY+Fmi3nYVonnKt7SDRrMgHdrak1jTyyBCDCl3k1S/kCjSsBUOfZuPDWxbSyKi8UvizwEm7QmK4ifsdA4IyaO6R5u/B9aQP4/eeb9uXaoBZVDWsrqi0ZHBavCnyJ79rYwDx+6ThsEbwYYsJ00omGts/1EPZL+1EpdJ97biIzapXpvlTRQwcxOZ0sXnA+5ig0Bs25u+T012HNZndYLcqmRsgKk+Iz7YjPRddaIFFEhttgubxCk/dMvzcchkOFI36gEC2TQCX7B7EcBAi6lQG7I7BVV0UrqmNhrzYCeY8AyNd9k6dNj+NslHfxM9QFIJmK8UnX4tx3OSJQJLaXN2ZG7TcPxv+Hn5z6A+PTE8+iwJ4mZmjxoVbyN+PYwz0m+uDqS4iDrd689NjFNy2lUxoCTtoYHs/U+GNOFD67YjT7DE9PbuS5zWlHCYM/W+5Hfasqs3/NgpbX6P44ZIMUBSdcgD/TEKyjP/ttjXG3FKVO/RkrJCNyUSHQKRlMJrzwEfwze3YQ1XKw5xLzDN8dTb1fkeDSE0EuGCtqH2S7cZE/3/w16PJ/ba5WR3v3CC99WQMMdeXLGP6C8PGq7Z/WErXlNLLPCsQKIMqlhoupm/r65SEcgf+OBI1iUG2dFNdB4VwFIU9UwHm2t3gcnU9Lq3DGQaOQusIHJgVF7UuamogkTfmCt6vxxIxXyPodiebZ520TeGgKIxvwTftxl+miw==
+    client.gitea: AgAs4pl1bs8nqBsenxhMHhq9mtCcbjMZpNeTNyUrWSRzUkJx9uoiQJ+plJgQ/xHl7vDbslLxDPF8Rx6rEns+tDdbaIp9LU8YADHqMbctV2PB+pp4wTkWSUamquA6Khrrgr4xQxCbzthL9/2QQJOBBNJsIFcJDfyFZZm5lzsrzVZ+lCpWmnSH5YUpdVAHbjyOZw+Oi+tnO6Zg/8lxjKEf20SFVCAKDly/VK6j8SvT9jzisBHL+uoxZ58fyKd7C3KWVJegBIuT9pIvxXc0jg+t5ltcXQcHyZfmk4mH8nWN96KWDTe42IRA6EGyxiruppAzQoKuNKisUj7grqsE3YbCmq3g4/Mp43FUlz0gqOmI4pwaV8BckVbyMNEyMxKGar6ymz5nWit5hX86U1jmvMrUcKsROJlm7DsyC258PgLwFspnbBhTEN7fJ7iEsTR4PdGPUTQ9rH3F42t3aYe3kCXXNz1wovwKmSt5Ex5S7UenVKfuZ2HvsAuZ+nZYW7zgVW9kf1PLz5jE5NYoieatmdk2O7gBUcXQBNqVwgvCmuiJbyv6jIz+Cyn753tOSZRqgrGH1i8B7EUzKsaQJcTTc+SZY7HVw9ohilirC4vrgSx9amYMCGxkOKhBEPVYSRN4N+Yt1A+ZsmiToAsotiQ4uzYY+UXQ3hAuiPzP7vJXDHAdPQZASwI4UdiMa26d3f/FqJJthnFnkg9GFvD4T2dqduepYsnxqN9t3IDYgQYba0vAIzmdmZW8UlyBise9yb5RfsJRmwvxG7yykRAoM+j2Fs070kBCF+ohTg9pWOEmry7HNu+fvMyUMKja7Bjm3gE+MAjgXquoILIW+ZeZud15yb0NkV4LQ78K/8YuYiGXC3aD+hv5IJmJjQ==
-    client.kitchenowl: AgAb9vWFHkiFgsHs+1nrq65n+kT03igRLq3KWIvDg6EokA2TDXYb4KwYBZa1xcFwgT1iiLge71Y6spMRVkJdLAjRCaPCtSTGygzlZ7z9NFkn5O9YuWgkp+cPr62ElHpx9umKEx+Ug4vgyvrBk9eLWxdZZsiJZL6GcjUbMe/Mx2429mveg0kyfKg3XjraeU7xcHWwAj9PbjeRnhEewvr+9sdv3H1wA45E2+pZ9cZ+ETl9wXXNquUzUFSp8IOxzXwx34aDqjdnMbEgU3k2TEe3N9wU+r9vuzn4kesh0zEGkEfXhKtnGNSXFheU+aa/5cTfIp/GPfx3+dJ54LLWfVGU9X+COI70zvTEtAhgJptkWqJ7dVp6SLgQotvg3bTNohof1/6JDPKQvGvkQ3ALYMXYDd27NrmP3ZSJYdNGev0yDr6MXyNlv8SglnsRIpfMmPyl913/10DbvB5b0Tiy2xzmmODpG6Gk6EQquaJ2g+imaV8VPSdDOoRK+rDg2AH5KKRn8vxH7d/NRsmOmCxadqmyyWBbl9onu+TzSnjnPxyc2cl3EeqaaciXyh/eu3Ar27DVu1l6Iorv+N34Bttdti0TZgeeMD6/Y7eAXTry482ix26UOYmTH5+mGoGVAkh5BuWO2fR52vuEHV1T1VYVRK3+PX1OIeWEoEdPMvDokELc4W1Av4lVDKcacvNzuMZ1gpiXmdCNnYfDq9CbW00rS1/LPPUIdIyOfHg2q/OgxtkjiPUwWQCTc5NO8FPlQ2B4ZsJ51vfxl2zx19w9tgQVi7C7T7Iek/2Svz8QMiZtf9N3W8CoUp2RXktV+Z2yI3FWG55IzicRbVLWpeidRxuJTEdm8emgHSiMpDM9Uejv7pAs3QkLRX2+og==
+    client.grafana: AgBemPXmz04WdYAS9DerbbkoriqYiFwvvZfNYdfXo9eMwMGBnO17jTwlsKx5Vq+dB0UVqm16HutV41bB3BAtp8cSeFw0kivMdzVC2I0ZZ+bDWNzEKhCSdcH01THvvuoaeNWYusPuS8/cjbk/I551Im3EMSkryVjrErgvV5barf7Ox8+z5pSob+LfGGs0JJL5kOawGYEdjj3PGrYo/X0zA6EculcVyFiUJGf8ueQMshoTfUEUc0sR0LA+/ZN6LHG1ZjQ/Q6H8firrogf7luJ7Hp3S7vc/WFI3L1aE5E+u/tlDo6AelIgha+3lWtQXwwTiiiWRoxRDxU5pfJ5lUwHY9dxWefRNpQaNDZdthykLV2MZp9RW4Vfq8sZ7AnnSVQVH0wtsZLQG/m5EDb/mbBAnxLVZOFntyVtKQZ5UnMPbs0G/7tD0alkVBBR8iE4S+QMyUq9QVkGU6Tso3W1VrUdz8UfKIXGaf2eyeOzqNqXM81uYpRw4Tmv0XrDPrQ2QZ5ASd1VAnHxu9NoNOj4FEGvIJb9PaZAOHwYV8VW00uoqWYuabbo1T4uSAKijsf4ekdCvCfkBzcJsF3r8FWHbsCKcCLYp1mm7bQS5YUfa3FRWGQGbZvHI1SYrCTJzB2eZvTieIRts25CsQrBu4OOQGEpaUBLLOSaKi9Aa4yN01vOpxCcBtDdz9MdcNFFpt5hvHBTOef/lBvXOtLF1NGuFqczhpptfAM0zKqqdoYNs0d15vErdTaaUYliaW1xj01XJYwB6L4JM+YQZaOIfMv0APGzylcM+h9jCfQa2k5Kkgmz6RJoupdknddiji7LfZsmSSegE5a1DGrME7QDXa5hJ5OjSw7+5FIByaTcRBwpusr4mY0Q4q0DAdw==
-    client.linkding: AgChIcLDfhCZshqJgG+H5exbWt29ms882BkAgDAopvbhbXE/e+I0tVw2FNDZWmKbI+i/Hlrvj4Bputn7pUcoAZf5W8FUJ2nOMhJjtjwMF6O0QzBje0Xrzi9eK91XWA3PRxbPOzBZYWlmWvwelYw0hCgfp1XRn3aXkPcpsZFV8Bb2KSXDSk39+UqIm1I4rR9hCXPMkorTUZOa/NYpDr4ieenbRS8PeeWATPzSxn0hN+RnXHnoUrKdO03px/2mYS4SYJrgZ2DrkGN7uz3/ARwqxxKcMBQeQCe0S3Udsw0tvvJbjeHJIQ3fzIz+BZdbKLgVuJa0ZNQxmuDVBFY+60d89nR6wKsyoRgC8y/sEHRpztUjiJC7WBiiJ/g80luMuo/7ZTIvu6u1I/eugsopJKUONv23cowdqthyzlsnKCsBTgfdzXuFy5YYoL7GPcybdpUcOA8upr15dE8vsN3UJEYJCZkw1V4iedzHVGPpo6tts4sewnzplH93QpwbVywMcSl1k8oeHqbdmh0srJ54hBFboyNRr2eQT+b43oFJZtQb3hhuZyO/uXKx44jeBoVYkmKCVldBBDE0FdQpAk2m6dtvXae37Eu7xHiWxY/KDzVxBzJn4NWboQRiTM9HQ7pLuAKgG+Ec1+nwfBgq3G9jZrdIN4/tWNvuBRuPrUTt7pwGJ7RCbMgSz9xbVFCxwBx8GwaNRFOH3/RoMdVwlUntRELYN7+pU9S0FS/VPnbVxOZbJI3ZHFj9n8qZ3lBD3SiHB4rNnirQf34CuEfnLigpSdskKdOsekXQybxVq68T63Ntf/yn/t0+nV5VdqpW0stqRBQaUq3yEqfAn0/HQ7nTgSbHf4ZsTMsAU+CSAewnig6qKTcS7a7Lrw==
+    client.kitchenowl: AgA9v0zIBn//VmvUgu4yLhALCWP7Wiu0Q4lPgrqXOIoLYdAX1jh+7cpI4oIKak+MBtCfxnd+os5xFEG0Mvg8qs6/RxgoCFcEyzjHfU65sNol0/x8ZTXQSHLpyZxy85fK4oKaHyvolDW3nnpoy2nrw+NJvwQTPquqVzCMswAE37MoNiU64OXyJU1VJFDo9VNwzzxhz02xczEk5Gh/LeVDPk+EPKzXupct0BM4GN3PZnbsvO/46i8alem7D9JIPvB7+tWzmXnXKoQ+3os6Xbwqu4wDH1cJZYFd/VOXQWk3badO3QYlewF0qEbSLLxXnvdJbR3JaA6IMiZJQUDTypZ5Z84phdAzG9v+e7DGlr4bHPEGV3DZPWCg2rWHjleDuCNJlIQP+9Di/piiTRe6rsz9lI1oncYCVPwjxtS2tpKZO6HJ7mMiENivsRLpAq1xiclCbQ6UERpBb+fmTv8a6GCIer6GzhaioN/MLthaMRuIGTjKlwaeC5EPswY5Cj5pYWXB6xhGRjTtvMyKEtWt8VbOtgESkgq0ES0yYuP37ZcKWWJjTiVii4JR1JVW8hdmXxzw8iQ6eq27fi7fyEJhIDoozwvorohqktlzqGCnIXiUN/gUgFQiMdOSHYVh8BrFCq6MbXDq1AxnoKov2h5YBlj2FqrubVpLWIJWBp+xbTDNIFkIpmzOE8uKigeCAyMxeqEd/SLylDl/2wD4XiaMVXpUucGkWW3asNvYjXTUbxHHL610ricaaYS/0adK4YLUpgr+1jE5gNKwA5j3DliDuVZSNpppzdCvWD3vr2kTOvnJhH8IyGNAs5CZmsYNtd2VKoHHhPFXnO8iU2XT3DP6qez9vN4SCPkwhlyH7NaqMhxiYnYkcLXBIw==
-    client.paperless: AgA4weCcn9z4H2WIqADKRpOMkCmA/6pci0SCKsTcS2nf6XuRG0pFufVqrVTe5jYIfAymKJs+Yzlf6V5ViE+3U/PhtBgHC1zifYBVkC0lSUUKx2YWkmrnSylAZZIYArC+kdNXU7pwIS4i8eCxeB8NhTtHBMXdfPig5kH/G6/FaL5RZ52Ly3jf3h2UP3JrWbk4dYijZbjvHsGNJMyDJ5cW2DtgMmFNMte2ScBuGpgF2tDiVKW7Zq2aEpVtVXvWjF2euuL39EFvLzPAIXeG4TaagBCnFfMVVxyrS8Dk63CiWQzTSaeBDbUhRuOGAYD0GELhSxpsKjOgm5AaOk/sJBjoAliFtSyejO30tP+5PBC+FE4RlJM5dMjHU8/9T/tBSOus3k7xWmExc5Eavf8yeXVmNeTJfC+Sji6QZxG5P9xisKXgn7EX+T4aKpeJ2FxAtL7NKgnrKeoztiHV2vJH6TepGjFejf5VJRjOP2QAJkX0ApnUVfhww4CjhBFo20zRYyI591ZMbw8PxlRFmAsXhL9XeaXQcl7nq2P2N0IdodtR9xMVlvpkuv11AZnzXjC8GfWgPE9vmDz5RW7Eo4WzWDaFVBL8Sjx+NZllV/qVHlJfbGgqgKmtzJWUZUATE9y9YwOG8PSKmw7fbIHccJ1o1HOG7BWIOQ/QIo94uQQWI0Z5ESRgaCsbf2oBX8HyYFdMA0s9sS9OdD1NWDTb1mVnhA8Pjq4XatA2PGlRPWBVD8YpjbeuNQXR4RuSuUvuKGOOO4Jsv0/ZXc4cUmPB3VWNzQO/0iNt8MOsZWjtQNiDBLZ3xVjRWo/p+Q7P+o1YCThuLxwdmyvAxkioRfR0DJY+ZrkErVnTv1CfLdS4ejf7ZYXcgsh5ZC8Kww==
+    client.linkding: AgCeuXqdo0hFi0fsV+Lu6D5nPwOj4CuqrwIEZwlIubWi9/IOsXIOgJlMAH69yLymd0yXnA36hJU2/s7sXVj7bwpahNZXqAVFhfUCjP2ab95VXpawPFg7PpnjEPlODCkDnFffOf6DqYHQ5XRWfq0fTah+I18BkZWAbhCYD9qeYMRu/juluqiExP2yi63D2l5uDJpnM9QxxzH66toqPCqvFQ1tVWGEpNh4O6k4qB+t/1vj6DBcawbjVLINoiUahHgaHmkOzidZEo2shrBrLMZu/pUcR1sSjXCMHpcbSZC6zQUFkiDQ+K+cOrz7XE/vam6oYdwf/ks+kowWDKGDAyT6k0rRU3E0tW+PDRa61ffF7c9lWQDtqNUFJL5GhB2QcG58w1lWS97vdPdHNqOIrgBM8SUGaevshwl2HLsV7q5xRidgI9m3Z+OKwCaszC0HDQD7rRCwOhutvh9IP/FR1G2NhsWscjXocM9Sf2vMLiZU2RDVx281jc/EqgeMZ958O7LLR2ZfhDOBra+N0UZlhQfFdwCMSgyPpJ5HjAPia2ecON1LHi4XPqxMEEpMxtirSNSwrcvoM8OgxcOeYpdEX96TuZxtPiKjboy8h1WBMS3QD6b5F7C7LTrHu/BlluZigA4dfDEtn95XsHS7w4lGgWy9ukCRhXdjDQo/FAekFsGSuDDyBp7ecK1bpkvXaZBiaRVjq6eV7293rZdNzsk1kzhoIg67KFzBrDx1wofvJWTN6+pQOCD+f4LEvo0cL6YqWmDSW6SnfZV9/NaBq6B61YUwOACXVhAkZ9VVAN76RPl+KHth3FNTXvStjxnHfj0SMuPByemwG1MZ2SrZ6phcIQz8TJb8TS5l/fmaDH/QfLSFvvHv5gKi1Q==
-    client.recipes: AgC3w8qEgD9fru8tJRi3mYSDbJVq5oG++x8XfeRKAQPXFtMKdFYAvn3zGPc4viavPnvE1mkHWSn0ECC+YKEThiXlI9ok1CKnspLrzi6oQlReCUnyJdu9e49xgV7kb5/SQsZbDlVmtluTi8j8y9AIUows/HsMjXgoNrG6RodAsWp5cauCgLBrqMk9nPuQVH1jTNFm27rMrJahLTjr/z/5chdiU6sjPH9EIDnaLEP3o8/ACpPTtwF4PYQszUVT3Uhn4YlekqAYMfEolBYsPLSDQyiDr1fwO3/4YUHNSO/+bN+7vscS+x8zozb750Oi9c1ARc8ENn6AiM3ZEd32ZJKqfqJ3+CxsXsuG7VjfHu3+gc4uqLTbwZ+BVacSoA7JObsoQEbWdCGWTNo5FMXrhIv+BKDB59eLKXTOlBfVTLlbh0P7tSR57fhSpBomcvvnQ+MtfSS9hDFMNiPhb135c8hjJcbMZ6xdQz6HARVtP5nVuPyDafbez6A+VT9sUDt29+oNf5qpk25526Q4GI/YlyvXH+3RT5q8syYuSIZsmh92qD5ZltffW5kRooCeskAryiyWdgyqjMAekR1dZR9wqvzRraDpY/neLvrpUAPl7U6kdlzuIdaJFTnXmNKc1wK5NaeAEf4wwO6H/ibWEzIJKQJcTlmi+0J1SfHcCULYZ5ASeAkSRUxpdVk16LCTHWbyHYFOYmGsmeMmRTYylB/FdOuUEZWrO5B99xw5baSvLN842v2JnwR27Mha3RvS0teSgbuXgG5kWWGGZs9oibsNaaNz9p1MPw/HR4M6PmfEJRsaz+cX02bVUVzdaXhoTZ/D0DoNe8lB+Ofupjl7jAGzEJpGbwK7cB1gnITa4blqyszrKg1dg2L+ZA==
+    client.paperless: AgDVOPvaQwEd8qrzFj3NTcGW6luSiSwGLmQOGiKps7DNZYiIn4FBdII1I+J78h+B4wmZ3LnLrju8YAZ3s7G3aTvV+YJHxMhlAc7rO0wkq/IUeDzGb/AM4POusm58T2o0a8zD3z4C+iHYuE/gjT+lquUKxgKP4IYPXM6Ni7lhmewJ5PCyoznoTeYnRVwjsZomip37M8/h4hOID19HZpPWMGMXtMTWrNzgmbeiVFRTqIgqqKMnASuMfeauxfCl2u+C3OvaYxgIRyP4BNzmU7itFTcOgmaFd40V0RkaALFBiU82ot1L46FZSMeqIEjprvTIdCSlNITFweYvoYhNSA0+/kUAy21uyJFqnoFW6COT9RfHFgGvi13lk++ZrPJKIMGhK29z3dC5HsEf3Rb0W+BQ6yNFEc+LTL2/ejxZwTtymzkXftVj6U9xa+BjDjgXk45H3ZAy0uWfQnm2RGBTYN7+MEccRpYp3aMh73jH1aBQIPt0lQTwmbc5rh9pTdqu1/c3NDS6OO3H2cx/AIbyPTq0pdX9w61UHVbR+E9I25wrjqJeZIRe66MerlngFxiPJKygEnuN1Nz+1feECQoq59P4FbykI51NZO64gK647QhEsbMN1nCmKFOLcT96Rjf1JQruhgoO0ljhAB8JRK3oEBIfjJtJIC+gtFaPzgldr0spr7Q7+rmgkNJIggwMSlr+/UXycB5a58cIhS0cuAUm/UOLKCIQ3xjE9OuUdQA5J2eaO/54GSLCnSdOYuiXzEQuV2VRWST+RhRmVnSqugF6d/xWfkC/ahsXo1o8ZIWFabNaHQzYmofRybK0LNc/rN0t6z2Lv0aWdGlm32eyAcUfUIMsuSKK+rDozgAmXQdz4QEghWQm5Sz3Jw==
-    client.todos: AgBaZOU3D5ZEi2iZud0kLIgZVVNwWjreEDMiadtgZ99S236SOckGlqTes+6gcTcMUQe6CFcxatx8sXamGd9xtIwyZa/5jns4Ju0L4Tozf57uQS1CPY10wyLlPc/a/thn6dItfh5l0Fr+vQBmV0dlEJ12UM9iIH/w9raaf0VkDP/XbZw6PZ0lVoJp6u8LrjMIf5+pdlPOSytFNzB0EbWfQYGObD/zgt45V48+gE9jLolLIEz7QPMrUg0dj1RjWJE+dWXzv+4gCsRi/64gPUdkOZS4YWIlFP08jcDChzbqhVkqUXz3AOQOxF7+2NpD966dxWiYRQfDfFwb+V4vK8C4+DlQL8p22MxWt6iOhxpSoXVVlCInYxxhjpk/gpECqfu6gKlEexg+ekccAvkKVmBX9TbOjsurYFjL3JfuL057fjWIpvZhkQjJCQJiCgVGPtyVhoCzsKeyVDNJvXs6dYp8CMrRAcn/fdo4wI0/tva723ub++AsKSsXCRT+d+03FnBbjRrxSQdDiP4xYY6BqNfjwHGYSoULxtop5t2qt7PzFlpCxNjRe4NrkENCw8xDDSRrg4CLmazPi1Xs+MDeEP3cpi9sRzQx9u2JrvvHmsTeHjVY/MQHb072nLa6xAiUQoXQLMlzxJuwx0U5DmsMe6o8FfKaLikcS4CDKEAddLDI25z2XUBA9J7BTXdhtHB012S1COhouRqn333uKF/BnABI32/Afj9qsDy8VQ3iZyTKpLQUOrOzKKTenXy0b3VV9Vw3DoDPhEb9//fGrVoLdbXDpYaJScza9qg7QWmLqO8Cbk/83t1C28LWqZKWyMtq+QFQ1ANIbi53BopX8zBQargctEVielkpN5HqVCAIow0nQcGmZdZClg==
+    client.recipes: AgBn5K5p5Nq5D9ishKI04kDR5uCvKuy4DN3vHuFwP2j3tWqrfJ9YfWGUBL4oE1Mod4071habqZaoP7nIHCWv8eoMwke9G2qFfJ7VZi0ezXeY1aTXDxn2qnPNf4MXYIVfbD5ZSU0nVPOETuJ2vsHg1R/pnfjMU1Ha9L/67ZnDsqona4259zCF5AfCV/kVsZWslAV8YrxDSlCobm2Vw202Me6CV6rFon6HmkZlO7on7LYfBL2tCHr4N1A1EOvVvF0Ua6vDexOJ0sGVjQWADEXy31H1a3c9lDizb1xqvCIcKXAYNKKGxiNrLh7TlWsK6dUX7OLUw/uDTryKwtwOl/GYfYJEX2wy3pK9PNWjjOUrpv4VoaGOKmObXQ/pIafI27r8WPTvPvm71YgUcsi1D+71a/iMWy7tXbHpvEB13qwn6/2zUSGcuGlaC8P91jRVi6xtnTg2XcvcgjeT4bTnpAEOYUZKBLqIP9qmLvxxsuVrvQoMisylYIyJzAAE+JJSYj019dP6JKgBKV6u6rPW7AkoT3Wsxkr8bwcvNSigW3c+PtbU8fvws8VY1HHTviNOflEwZePfGw+CfroS9y7hEQH2stNHaZ+5zXwjQ9+FLH4BlzbggavfL+AYY7zE5eOrL2WrD7c/1qMcDD4rxwrNwsz3mqZ9GXpe6PCxxU/W0RtLqMERx54b17ILC4Jq++XxzDyGZdUAzA8vYLhxQo/wgeWn7df6CVOM3acWbHeLAmPBM5FWKmEC1OShpzI/LmYFbLkosaAeLOWACeyl67GIwR573juRcr/6ITuUOgGXSdR5jMiqVT9Gu7x7pDkNJN+8Q4oAXITtfEaqb23M5KhtZuaZAWZgsdRpDTgPQNB2u4sBSYQluXsR3w==
    client.todos: AgDYtDtvcP0MXbzE60kLauD8piAsfJwSDNWexsFQyezMc9vEtq8UGza198mE59eNGeUgm8crZBqlfBbKCY2luB1dq+GrkTkZHCXztR2nKTxt0X0B7LJV4DVYwlNuji7HMJ/XR/ynfjVbGi4rtoZ7MXJYOhxoLPDCt7umwG2jIMhbmuBMf8q1EpUmgFtUxTNY7i5JQAvmlCp8rgdwdAePSHCeTS4KdPTyvaj3zN/EJSX7lnc1m1D11Xld8klBsde+zrdPjm+UJQFqKu2pHXMdM19G8tqSijNcCuCGkhjQkOrMv8VhudPs6kR2whPOXtSmr9X6gNXgZ024o79fz4hBlx47MrriVW4Th2f43Q5ISJ1KoXYgjXHMF5Dt0+C1ej/0x5DBokUapNAjBZsKEe1fBI2h52G+IFpvxMAHh6T2nIHPRaYGCznxuPeqWErachhQT5QXOI/7DBCO1h/GJo9KJ5UfkMTT6Qzis1RjU/t6cbXO2PoKrFPOjqYRcTIAQFUp7ylJ4Ep85gRidd0NONfc82y+LUZAwbzYTZ3ipckirsihFBW2IMjRD46+3LT9CzdJscr/kYPA7zbTrxxMPqPiDSKAyK3LPRm25u6cKQD8vM3+n6S5gYI2svlogR0zCcJiW8+8rIPk0kUzITioSYFUP6jXvuYNfdmq2VJPk5SNK9grMG/RM3Y4XDnWuMR8lUl3oA9/HMCviVzbJwgjSQNO4n1qsLIvuDr40KWSfaKH/UCm5zaf9jIDXzXRsXeHtSHsPfr+cN3WgsP35Do1CgHPzB0tihCfesFPAk5Jt0keg77G0O76rJsq0c4u0a4vtcSk4i40wVnb1wr+GUKXweR53LdJ7j6X/MFUs4KB4s1M4A9a0J0t9A==
    client.vaultwarden: AgC5Gimoj3+qhKQuDijPFX1niOpCx6b4MUHgRttOPKFYz19HgFzsbkuPiCcA0AsnaGSwS2wwOTv29ywpGeFzjGRk0vBUGYX6aCbGIkjs7GRvmIovLs5uHcgPsoRp1OOAH7eDdFGGSpQN+4312pLoKKmjp9cwFIAHaAs5IavCXIv8/Fk6h2sLslHqoO0LVP24qkilqV22IxRSV5mKxg1A5FW2mDUxWwSkditJYoQ89Bze6GbI6xIHHo6NZD5uaBzf7kGZyUPz77zFPTfBatmjJpVkqdvvBnCQF65qrZAXy5Rw1trYyEgGMM0vFaBm2R9YWrLfv7w1nhNNP/Gq0/XwDrz/KywMXujjp8jbOKUJmN02RJrinYYSV8Z3AXZ80V3pgVsCjPLnaY7LHa+l+f45RW3A7B1e58qUEeb/wCPXRP0ng72gIcbX7rTl926XrzK6d2Bkw0scKIIXoYYAtJ+AbzfKJCx4FsoUxTlXslhO+HAT3aM5ofwR/dgUnbQKRnTjGa9R7FwpUOLizxfZYcjUTDT3+Bgjx1eiShxveVD+v6JjjPvmWn370J/1t8CnxL4l7ylXj9YsL+4z2j/s9xNsN1HiuETBYQcZXw9kgcXaEhLRnIsbwpsa5Hw4PODujPUkwkc+VN34V1BNq891h1JvxHq57SAKf36cLosybHTIWaIRaLktgAdntj7/5vmQGtjnEvekXk6f82CEzEaOJvqE8jV62Q1KYiOjKi1r5dXmZ3xqwsh9nuluC+YBVhbI3fxKJ/xkKiMhpkF7S9JHIOCFuyAAqf/IS08fC+Rm51U2ImECeoTiyhKAm5q+Vco81IjzRnwiBHj02Zug4FIX7n8qgWLEr/f5643y3fkCpo5uY9TSQ/HK3Q==
  template:
    metadata:
      creationTimestamp: null
--- a/infrastructure/authelia/authelia.values.yaml
+++ b/infrastructure/authelia/authelia.values.yaml
@@ -75,7 +75,7 @@ configMap:
    local:
      enabled: true
-      file: /config/db.sqlite3
+      path: /config/db.sqlite3
  identity_validation:
@@ -105,7 +105,7 @@ configMap:
      cors:
        allowed_origins_from_client_redirect_uris: true
-      
+
      clients:
        - client_id: 'grafana'
          client_name: 'Grafana'
@@ -122,8 +122,12 @@ configMap:
            - 'profile'
            - 'groups'
            - 'email'
-          userinfo_signed_response_alg: 'none'
+          response_types:
-          token_endpoint_auth_method: 'client_secret_post'
+            - 'code'
          grant_types:
            - 'authorization_code'
          access_token_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'recipes'
          client_name: 'Recipes'
@@ -232,13 +236,56 @@ configMap:
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://kitchen.kluster.moll.re/signin/redirect'
-            - kitchenowl:///signin/redirect
+            - kitchenowl:/signin/redirect
            # mobile app as well
          scopes:
            - openid
            - email
            - profile
-
+        - client_id: 'actualbudget'
          client_name: 'Actual Budget'
          client_secret:
            path: '/secrets/authelia-oidc/client.actualbudget'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: false
          pkce_challenge_method: ''
          redirect_uris:
            - 'https://actualbudget.kluster.moll.re/openid/callback'
          scopes:
            - 'openid'
            - 'profile'
            - 'groups'
            - 'email'
          response_types:
            - 'code'
          grant_types:
            - 'authorization_code'
          access_token_signed_response_alg: 'none'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
        - client_id: 'vaultwarden'
          client_name: 'VaultWarden'
          client_secret:
            path: '/secrets/authelia-oidc/client.vaultwarden'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: false
          pkce_challenge_method: ''
          redirect_uris:
            - 'https://passwords.kluster.moll.re/identity/connect/oidc-signin'
          scopes:
            - 'openid'
            - 'profile'
            - 'groups'
            - 'email'
          response_types:
            - 'code'
          grant_types:
            - 'authorization_code'
          access_token_signed_response_alg: 'none'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
  # notifier
  # is set through a secret
--- a/infrastructure/authelia/kustomization.yaml
+++ b/infrastructure/authelia/kustomization.yaml
@@ -27,6 +27,6 @@ images:
 helmCharts:
  - name: authelia
    releaseName: authelia
-    version: 0.10.34
+    version: 0.10.47
    repo: https://charts.authelia.com
    valuesFile: authelia.values.yaml
--- a/infrastructure/external-dns/cronjob.yaml
+++ b/infrastructure/external-dns/cronjob.yaml
@@ -9,55 +9,15 @@ spec:
  jobTemplate:
    spec:
      backoffLimit: 0
      template:
        spec:
          initContainers:
            - name: git
              image: git
              command: ["git"]
              args:
                - clone
                - https://git.kluster.moll.re/remoll/dns.git
                - /etc/octodns
              volumeMounts:
                - name: octodns-config
                  mountPath: /etc/octodns
          containers:
-            - name: octodns
+            - name: dns
-              image: octodns
+              image: dns
              env:
                # - name: CLOUDFLARE_ACCOUNT_ID
                #   valueFrom:
                #     secretKeyRef:
                #       name: cloudflare-api
                #       key: CLOUDFLARE_ACCOUNT_ID
                - name: CLOUDFLARE_TOKEN
                  valueFrom:
                    secretKeyRef:
                      name: cloudflare-api
                      key: CLOUDFLARE_TOKEN
                # - name: CLOUDFLARE_EMAIL
                #   valueFrom:
                #     secretKeyRef:
                #       name: cloudflare-api
                #       key: CLOUDFLARE_EMAIL
              command: ["/bin/sh", "-c"]
              args:
                - >-
                  cd /etc/octodns
                  &&
                  pip install -r ./requirements.txt
                  &&
                  octodns-sync --config-file ./config.yaml --doit
                  &&
                  echo "done..."
              volumeMounts:
                - name: octodns-config
                  mountPath: /etc/octodns
          volumes:
          - name: octodns-config
            emptyDir: {}
          restartPolicy: Never
--- a/infrastructure/external-dns/kustomization.yaml
+++ b/infrastructure/external-dns/kustomization.yaml
@@ -9,10 +9,6 @@ resources:
  - cronjob.yaml
 images:
-  - name: octodns
+  - name: dns
-    newName: octodns/octodns # has all plugins
+    newName: git.kluster.moll.re/remoll/dns
-    newTag: "2025.06"
+    newTag: 0.0.2-build.68
  - name: git
    newName: alpine/git
    newTag: "v2.49.0"
--- a/infrastructure/external-dns/renovate.json
+++ b/infrastructure/external-dns/renovate.json
@@ -0,0 +1,14 @@
 {
  "hostRules": [
    {
      "hostType": "docker",
      "matchHost": "git.kluster.moll.re"
    }
  ],
  "packageRules": [
    {
      "matchDatasources": ["docker"],
      "versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-build.(?<build>\\d+)$"
    }
  ]
 }
--- a/infrastructure/gitea/kustomization.yaml
+++ b/infrastructure/gitea/kustomization.yaml
@@ -23,6 +23,6 @@ helmCharts:
  - name: gitea
    namespace: gitea # needs to be set explicitly for svc to be referenced correctly
    releaseName: gitea
-    version: 12.0.0
+    version: 12.4.0
    valuesFile: gitea.values.yaml
    repo: https://dl.gitea.io/charts/
--- a/infrastructure/metallb-system/ipaddresspool.yaml
+++ b/infrastructure/metallb-system/ipaddresspool.yaml
@@ -2,7 +2,6 @@ apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
  name: default
  namespace: metallb-system
 spec:
  addresses:
    - 192.168.3.0/24
@@ -10,5 +9,8 @@ spec:
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
 metadata:
-  name: empty
+  name: default
-  namespace: metallb-system
+# selector is left empty on purpose to match all IPAddressPools
 # spec:
 #   ipAddressPools:
 #   - default
--- a/infrastructure/metallb-system/kustomization.yaml
+++ b/infrastructure/metallb-system/kustomization.yaml
@@ -1,15 +1,12 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - ipaddresspool.yaml
 namespace: metallb-system
 resources:
  # - namespace.yaml
  # namespace is already included in the remote kustomization
  # - github.com/metallb/metallb/config/native?ref=v0.15.2
  - github.com/metallb/metallb/config/frr?ref=v0.15.2
  - ipaddresspool.yaml
 helmCharts:
  - name: metallb
    repo: https://metallb.github.io/metallb
    version: 0.15.2
    releaseName: metallb
    valuesFile: values.yaml
--- a/infrastructure/metallb-system/namespace.yaml
+++ b/infrastructure/metallb-system/namespace.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: placeholder
+  name: metallb-system
-  labels:
+  # labels:
-    pod-security.kubernetes.io/enforce: privileged 
+    # pod-security.kubernetes.io/enforce: privileged
--- a/infrastructure/monitoring/kustomization.yaml
+++ b/infrastructure/monitoring/kustomization.yaml
@@ -6,7 +6,7 @@ namespace: monitoring
 resources: 
  - namespace.yaml
  # prometheus-operator crds
-  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.83.0
+  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.85.0
  # single prometheus instance with a thanos sidecar
  - prometheus.yaml
  - thanos-store.statefulset.yaml
@@ -17,17 +17,17 @@ resources:
 images:
  - name: thanos
    newName: quay.io/thanos/thanos
-    newTag: v0.38.0
+    newTag: v0.39.2
 helmCharts:
  - name: loki
    releaseName: loki
    repo: https://grafana.github.io/helm-charts
-    version: 6.30.1
+    version: 6.44.0
    valuesFile: loki.values.yaml
  - name: prometheus-node-exporter
    releaseName: prometheus-node-exporter
    repo: https://prometheus-community.github.io/helm-charts
-    version: 4.47.1
+    version: 4.49.1
    valuesFile: prometheus-node-exporter.values.yaml
--- a/infrastructure/monitoring/loki.values.yaml
+++ b/infrastructure/monitoring/loki.values.yaml
@@ -30,7 +30,6 @@ loki:
    filesystem:
      chunks_directory: /var/loki/chunks
      rules_directory: /var/loki/rules
      admin_api_directory: /var/loki/admin
 minio:
  enabled: false
--- a/infrastructure/passwords/configmap.yaml
+++ b/infrastructure/passwords/configmap.yaml
@@ -0,0 +1,15 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: config
 data:
  DOMAIN: "https://passwords.kluster.moll.re"
  SIGNUPS_ALLOWED: "false"
  INVITATIONS_ALLOWED: "true" # not sure about that?
  ADMIN_TOKEN: null # not set in order to disable the admin interface
  SHOW_PASSWORD_HINT: "false"
  SSO_ENABLED: "true"
  SSO_ONLY: "true" # disable email+Master password authentication
  SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: "true"
  # remaining SSO_ variables are set in a secret
--- a/infrastructure/passwords/deployment.yaml
+++ b/infrastructure/passwords/deployment.yaml
@@ -0,0 +1,40 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: passwords
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: passwords
  template:
    metadata:
      labels:
        app: passwords
    spec:
      containers:
        - name: passwords
          image: vaultwarden
          ports:
            - containerPort: 80
          envFrom:
            - configMapRef:
                name: config
            - secretRef:
                name: oidc-client-secret
            - secretRef:
                name: smtp-secret
          volumeMounts:
            - name: data
              mountPath: /data
          resources:
            requests:
              cpu: "100m"
              memory: "200Mi"
            limits:
              cpu: "2"
              memory: "4Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: vaultwarden-data
--- a/infrastructure/passwords/ingress.yaml
+++ b/infrastructure/passwords/ingress.yaml
@@ -0,0 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: passwords-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`passwords.kluster.moll.re`)
    kind: Rule
    services:
    - name: passwords-web
      port: 80
  tls:
    certResolver: default-tls
--- a/infrastructure/passwords/kustomization.yaml
+++ b/infrastructure/passwords/kustomization.yaml
@@ -0,0 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - pvc.yaml
  - configmap.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
  - oidc.sealedsecret.yaml
  - smtp.sealedsecret.yaml
 namespace: passwords
 images:
  - name: vaultwarden
    newName: vaultwarden/server
    newTag: testing # required for SSO support
--- a/infrastructure/passwords/namespace.yaml
+++ b/infrastructure/passwords/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/infrastructure/passwords/oidc.sealedsecret.yaml
+++ b/infrastructure/passwords/oidc.sealedsecret.yaml
@@ -0,0 +1,18 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: oidc-client-secret
  namespace: passwords
 spec:
  encryptedData:
    SSO_AUTHORITY: AgCuaACGgTZhrOv5FDVbPIzVusjzvbwgrogCt1kZJsX7K3G1vCWZDRzPMJ06k0Ofb5Yvby/AcKx0UyPJwWDmhlk7geuYzG1G1pBk97fNTOzac7ZheCZ68LFshalT5F6dMJBSMTRz+uG3N+MztCyvCcKUxYUIkGbopf7is12FJhEIKNbrQe4C5H2SVHSIZ8udE4Nv2HqertLVKE9Z7CNmq4KV3UBAGqJEqBkITsN/qhgpHOjY1dQKK5myL89BYERQGBdoqKSUYJOZiEoINwj161QtG/H2Y9n6xlAVO4irsva/6m1BjA/7wfWAK8RJGX8N1e9axlxgIUH7HAA/bh+riLKvQea23NRqT9bsIOy+FRNEqTWXM4FiNxtmufi9gRHnLyQhrSQAB4Zuyzelsqn+aKDlCFGkE3NLuquychWly24pLtNa+9UPPOm0BZhbOzXOObXJOzbFIoBqxcKkwen3ca1YjyqOK1DryJevjczLVuWY+NprnjlH6BgdTyqPnI+FyXhLRa3nJCafkVfNaIJW8n1+P0hKiEwGVXiyU0fR40DaueBR8F8jr5MKlEFvdwJ8/IvkfMZUsccPVYIYw08Ama+vFrJidPvicM8gNpkqoU2TnSEEjBk0eX9jd6ahiwffE9s01uQFjcr6rNL+SiYXJCpp/Ti8v0iJ4C5ID9h0GS7v4IBOUYCGRYfWrYUlp3LFMB6Saq4a4DhTlxC3cORn0ini8dUPJLq0x8n1rzGt
    SSO_CLIENT_ID: AgB1oES4V0P53fkAch+aDkCHd6seVExYMGCU72H8Slky0j4FZ5LjtBpzGxro8sxxr/Ri2wEc1f+TC2hHWbdtUNwE3SwA0McPODS0nmmxPkSj1ZRHlVQtG9TkFdEHEeWJnECHX0y6hp/qbdYxF+2Pgz9YQtbdi8r49H2iwqfD/8/ojMzlvpdOJRdE+K/aYQ8Q08GBZCusLm8vCW+bDn6U9+aj72SCH0i91xoPWI6P9v96mcWOipK0COhYl32ypz5GLaNpyIhDccJvrAzVKZ0tGX01t6+JT2f0lZc2jjVosTk0nPhLTQdLYJC1TboPtqwzaRWwV/lm+St07cSaaxMT0CHqmoxwiqazNNgkgPzddOaduTpbid2I1rH/2jYKD8uY5UKTZYa+wxXF8KQBMCyRw2k1bdebvc20z53T0UtmRkquKXVq1WyOTZEH4bhqVapuMjyAF9vzR7Juga6lF9P68Er8lYr5MGeimslyRUVfrqdA4VTFO6sALHyrpkuYdHIwEi5ZlNb2pRzqaBFeQaaJYgiXPZMhcIRIfEOU8JQ5FWu++OzM75RF2YA1Ww70SZxHANn/K/ksyAqhZNgNFRm++6YQKfBI6z+N6ObjJPJE3J/WCHGCmVCQRa7lg73THqPXeqvfoSDgH8nTHamg8AshAKWxJuTD9mPXN4TqbxBuXuQBa9UGu/HNBMpYo2hHEHYIr42XZwScpo5qvo4RUQ==
    SSO_CLIENT_SECRET: AgBzGmskaj/eliwfsOzdRb1PdiSJC9vLr7CyCAqQ4QmxVXOSVbiJu39ud2alH+Rx8UZ51l5Wd9CkyizyVpD8AgREk8fpE8V0cRlDplj/OmGSJ5VtNyLLJko13PkPAB2scexapZ/PxZpJEkH5ONPvzvVKC8liUoz1XoEQEWAgDkSiRqgt1aVm4v1Fvl0Ift3eJtkWkU6xGrL7OwTnV/nCaNt6w7Fd/37uWYgosGvQivcy11/QoppgVARCWrFl9ZjjsimV5i2hfoRXvd+saUuMvRfD95+POB6+hRK0fvbnARXW0ePj7W9oWG9fAhSA7S/J0cnx3zFjpJ8QBvaHYXJ+rsDHsxlqRSFUVXgMGZ5cISTzIjPWaVRv5cU3WK0vEeT2gPHsebTX6JgguzT728rZA2r7BuMZF20f89GeV21iYksABWMC1MYwGfScBPHfyDqxhgc39wxZTdH5gz9/DhuHd5+0iLjwIwqsStqVu6W1SqpuFd0psfyVNFY0DkDS28gcliRPSNF0bJEA7QIsDl5NVAl1fXEG4QrJMQx6i5BTrfI6HDYW0nq3fT/fPlSipmbUf4OWQVTrEmot5UvFDowBemZNG2Z2+vgAE0bbnQKeqAifUr7KMUGf9bmj42r8x1TLiDAyI9h5iSU/y4WHLpzxg2GNgkLQ0mKcAJ/xHnaWNti/dr2pwzCSx2Apmvps8/AVuYP+unRxmlstYl1ko+esv4agfbg/43H2/dkNeA+5iQw=
  template:
    metadata:
      creationTimestamp: null
      name: oidc-client-secret
      namespace: passwords
    type: Opaque
--- a/infrastructure/passwords/pvc.yaml
+++ b/infrastructure/passwords/pvc.yaml
@@ -0,0 +1,11 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: vaultwarden-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/infrastructure/passwords/service.yaml
+++ b/infrastructure/passwords/service.yaml
@@ -0,0 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: passwords-web
 spec:
  selector:
    app: passwords
  ports:
  - port: 80
    targetPort: 80
--- a/infrastructure/passwords/smtp.sealedsecret.yaml
+++ b/infrastructure/passwords/smtp.sealedsecret.yaml
@@ -0,0 +1,21 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: smtp-secret
  namespace: passwords
 spec:
  encryptedData:
    SMTP_FROM: AgAbhbyTdArio1wEn4/zj+AK4YaLyMtMkaPFqtVOU8UWAtEg8ko/tIXHj7nn/NVQt6sS2O9x02ShoVJC1HXqzG8reMLkzZg5cb0wtCSNpzHnLH2voH1p4KrgnHo1AznIkXoajcOHjWSYQ2/rAeCmuuEfPZ7jOWNMN2c5GWqm0mXsfqAUVxznC8sHCmIVdeHUcSaLRpwnvr2fjSrOqh+AI6df3tzCpQjfu+zf4Z2JSgvAPLCyCzj9NDDFqawpRRHinhbXk34ZYO00CrjCMqnxaBev7qXmPeDx4eTPR8WNyMzdO2Yx5vmmXNay+QhoO3eP6leQQyaGtYkQSep35wMyA46MmM+A4nQCMIFPFzBGAqle32L+u6KP5D9GWtmiGXWmdM8LOf2qt1wKiEfEZXldtc3hoKjM4NTb+0wgUXE+ZpVOQiorGta6jhAwJYhTDPO0rP6lC31G9EQ9bI5N+OpZpRK+EELNPrjEfTIfPUMg40B9DG3WK5yXTmC3DvHsCj25dnKokNvxcaZ3EhG6+k/5Z5zTESAMWuGepr34ROE5a0+zRLcOfVD9S5QwpqIxi8GJJuJvI/SAjUEPLY7pPsBLYKMl3zAGgAcI8yjAWhurgVS1DKhufTmp+hh+JypyLnCc4hUJIXaRwSJrBhezsajkxMmORboHM/d19SmUorzczo2i54LtTTTIRfAWui/EWc3QCSbfoPF6asESXD45M/yblI++EVfc
    SMTP_HOST: AgA2KfKxxUvzHrkbL4ZDUU/TuylhnhRSm3OGVSVGt54OFJqBuh4fCA2PSPzw84Kh46zJjX8vh5fjzN00gfHfqtm0K4W1D+i+UAz/JAIcQVAjPyjgVNPZUSNSrZrV2CDRMJ8HhbVYx8xiRb2kHV+HTjtINccdxjxR+OpfMn1lb+aA3zoI8yv9s2pkVrt1+T1GepXm9KMCd+rS3XSx2w9ujkPTaT3MwY66l/1i6agpY3MtNVXt+Y8pK9yx5mhjNRAnyfbCZfHzaswKGfDetOzkfmSy3ddP22uHOjbEKp99yQPxgY0bNwGhA137oUAgzmWu0Yn9z3KFz0G2as/tKTQT5240aJlHzFSsWfbW4Y4DQahQzbF45aS61SlKAsSXzPc/kyEE/Tizuh3eACY6yfw6Zs+R1y5Y27oS5/GNyAYdk/acM/C0nO3da5qBL0ItzMKYy3kufbOvDwt9na0uWV32JusYAeP81e9LRcxO7+a/oFlmwBtFMLExXWQEHwIIwWFC6RGlF0OOfZN9mXsqr1IDlRvDWN4b/YXkFQJBpySByxQ0xYUeHOAFSacGC8rPq68Scc7djyq8mTh87plBQzo4FL/rAch61Mmlp4VVsN6hyJ50CC1qfzsZ0bcFd+lh45T+lSg5OSGrw14F/01dhS5EoH5DVv6Ug9UY+0q0w1iST+6KH4/nxTJe/lBF9eAQEU+FHvyUfVZksHua0jdCQKSxXzLp
    SMTP_PASSWORD: AgBf3JVFUU16IVhPBcYkzZY4Qn5tNRahtsGygd8E6WGAxw90MY9/gmm+LWAEAYWc4ZNonCZiGR+JegkN4nmmxpiseYShW2Dp3rH33BOmVSAvnQttTCq4zV8jEk52Y49hmpIvEVh9nO6UVP4KujnEqz7rnL6I6dIsdkyXdDjZTnSgZlkn7FaAkfEdmpRtYH31qYOa8TyL0Q7PIzr/sJGn0YKvSH7a6w0FJ9RV0+t4pNuqLpiPltMX9B7RLLNm+TgzO37oA3cePAAtUR0PXFW8GnCB0KcAeoqZFc4UAzhwp9FX6oa7KUfvoWAq0RHzJfdAa8laVJtZcWP1lLOgyW6z7PeoUahjFscfDisp2aRl4jAIV5ZaOe3ZAYGOMFR0VyIt1vCaYKtdplSzlNVlGj8jvLY1rg5VVnXHNheaqmL1xAhB8uCCIcRKquCSU0wvd6YBKrUIDJX9d9IXkLvVfvAhdBnTLSkMHJErxWvu2dRm5HqiiGrvRjJewIz4n8rwUapykKX8ujlu9mf6sGxGuVbaOU+gZrNSIffz5GUewf38ZHcidAiPVsA6WnX93ZDVfZk0xObrzUQ+s4dmlZMrQFgvhv9Q2zJP0cEtMnGPsTy8klC4FeYVEWJyAXCyt3+2MbUZYf2H+yCOnHeRkzOejrrfvEep3BF8dzKmYnrmNClP2skZEPr2afttUo8a5CTs6gX6mckplUqHz2R4oi8/kispJf8Y
    SMTP_PORT: AgCYfANfQLW15FIgRb0AQoBXJ7mOBh8vb59eelZdm1aX66GlXMQOIi9yAIm/2fe1xOsYui+6do4JV7xlvYBOkC8JJ3MNZLdTrepRf6ejuM8QI7V7L2lXsRrPIqLEJOfO/rn3tHnuWbfXOw7UdSvt7x2BoB1XWGZuigsa66FGkTSCMlqKhJJngeSu5VeFGpSc4LANL/XGnXNc4tQdpZN9AjpPdSUTpexgY10Zd4ppvBR174XidRabe4WDs9H6uZj92Bpht3axq0fEYRwkDiNPQLFx8kkOKCU98xV7RVyqT8UnRE/Q+eng26lGNMa+c3bbN/6MYUmSe2RU2Ymaz2AJqMOBn72Y4blDMgOdrZEz/ITiOE3zzZG890qFq/lfLueIEwd7LmBpAZMDzsKYWs+7UI1EKAfavWIO9BUoH9JbVkUgAQ7YtPXLCxUeBvMTci5YlZKmNyhMP2fWnqYvhZXJNZYJqHEbtTQGAoLuD/5xupVhB0ouguwkjRvGwLHpQncbFfybhWIflcVjAgHH3AelKyhWNDLNZatIVqWIfmEcZpj1CbNbO3Pzb/kSa57cNZc0S/N/rrYQKR8vK6vpXxrmC5MouhdH0x45ONA2GqXHehqgdNayN8T6y3xfY7UqSUbksM2smWFY0gxqBoFdEkosSyvFPpqQnAzbiJWlsQDmSTmj0dodENotHQhRdrZSEuhFGkI7MVaW
    SMTP_SECURITY: AgApP3Kzb1qAZCassr3Q2YPCcc4zi0Py0ezXnixHF0GXVjbyEjjw+5EZ6LmtE4In+hu7HXhYKqwVi50VXmtb1sI17wK3hF8EXa+4jSZtAo/PKKKh4CkVVFqwIjyvtdnokXIJUkSHDMnIWLFG9Lblr5qib8tUyeyJH6vzbC7ai/nXZ7amGTJOx2HLKPal7QM1y7TAdeee1IFdlg05vJ/Dp2+EY13DLWwNvTr5+DgBVDGKALwHu54KnuKJCuXtptZvS1PuVL+55sEByUikU00u8ZZ0GVSNIJFHfYjtYMHWbw1gUiKvUb0GngEQ58/v8QPTsZNTDWcUjONy1ncGGQT7mrsarCZvY5EzJmWQgkzrLcEKOtQfSEJZvUAaxTa3WgvfUchhMAkLYN4Bml+wajQfnjmyKpPsMc11n4yQ0O+5pu17lIImtLiMA2+g1dSDs0mr6+AQIjOw6TDwU7u/7qM1xTUUvWBiOHaT4xnDi6TYOEHiQmGLXVz1TYCX1RX7Y0RtHkZHPTPACs+zY6VfWEaxFgK0r8+aykgRGMZLSsw+MVwzgxWt96iLQLpcO1qVhLpbOKFFdtxbava3FiSRlLdGHRX12WVcFmn2gun0SsxF2HAg5fT2Kt7aC9qSVoxH5ExtDg2uVFVpeltFPZ3UyyOLhXhwGF1VJR4tCts/MJKD0pWOpKCe92LMm4FGjt4ytWlMErbcfIbtCy1oqQ==
    SMTP_USERNAME: AgAWUwitsOQ1MGS4mJ4UzNsLvL8sgtVuMlua6sTdukpFPfZEcZaHBgWzw+Rv0HKCn8ebjp4dfGzmr/cIiMRGRe/ZbA8f6FMQg4lIlmHIJ1EbpGmfRL9m2bJRfl/aNifxTZD6Qgk4JBzlZIlwI6d9xB51sjFAPnEJmTM4AhC7bAhtTGHWLLdn33bXW/+aBWEz465cQdksTrketrHbz6O/Z77bL6Zh+zNwS7AwoQ2bUg/g9ORjRBirYJcojEYdQeDeBNWN3VUrbWENF/ouISvgSJFKeka/G2a9lMNbraSSLlru2xZOLdM5OTald+mi+VgdTDARiJFPL5tyhdUMe+8ZpIG1t2dUEasZZernXpoHyOckijufN92zyxfdXJu0RPIkC1w9zH5ArpoYjCxIzHz6e/wMvjqfEPbE7FtMfGHlzZZCikjt2+8+sDJ/mApgqYKNo68v6773ou6P0HTrti9fM8e2jlZ/nfe3xnzQL2XNjIC5wBc+f825y0U37QduoEeDCE+R3Uihxjq7dAg0omeNeKXChUJkPaX7QvDr1TnXaqSZZgoXZ3U0WujF9Z6A34CwAjJY0ao55ggwai0w0FyFOdUDv5P/bQU+1ex5l5m94MG3KwLmy9Pb3xyDXzpB9oWIskaBzN+v1XdWSRoRzzoZHV/KFJ1HYn1m4yww/JgAxTqiq4pNPKdxDGX+pL4e7U0SmuEPIRw85PpA
  template:
    metadata:
      creationTimestamp: null
      name: smtp-secret
      namespace: passwords
    type: Opaque
--- a/infrastructure/pg-ha/kustomization.yaml
+++ b/infrastructure/pg-ha/kustomization.yaml
@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
  - name: cloudnative-pg
    releaseName: pg-controller
-    version: 0.24.0
+    version: 0.26.1
    valuesFile: values.yaml
    repo: https://cloudnative-pg.io/charts/
--- a/infrastructure/sealedsecrets/kustomization.yaml
+++ b/infrastructure/sealedsecrets/kustomization.yaml
@@ -9,4 +9,4 @@ resources:
 images:
  - name: controller
    newName: docker.io/bitnami/sealed-secrets-controller
-    newTag: 0.30.0
+    newTag: 0.32.2
--- a/infrastructure/traefik-system/configmap.yaml
+++ b/infrastructure/traefik-system/configmap.yaml
@@ -5,15 +5,15 @@ metadata:
 data:
  traefik.toml: |
    [ping]
-    
+
    [global]
      checkNewVersion = false
      # renovate does that
      sendAnonymousUsage = false
-    
+
    [log]
      level = "INFO"
-    
+
    [accessLog]
      [accessLog.fields]
        defaultMode = "keep"
@@ -41,17 +41,17 @@ data:
      dashboard = true
      insecure = true
      debug = false
- 
+
    [providers]
      [providers.kubernetesCRD]
        allowCrossNamespace = true
      [providers.kubernetesIngress]
        allowExternalNameServices = true
-        ingressClass = "traefik"    
+        ingressClass = "traefik"
    [serversTransport]
      insecureSkipVerify = true
- 
+
    [entryPoints]
      [entryPoints.web]
        address = ":8000"
@@ -66,13 +66,13 @@ data:
        [entryPoints.websecure.forwardedHeaders]
          insecure = true
          # forward ip headers no matter where they come from
-      
+
      [entryPoints.metrics]
        address = ":9100"
-      
+
      [entryPoints.traefik]
-        address = ":9000"
+        address = ":8080"
-      
+
      [entryPoints.dnsovertls]
        address = ":8853"
        # route dns over https to other pods but provide own certificate
--- a/infrastructure/traefik-system/kustomization.yaml
+++ b/infrastructure/traefik-system/kustomization.yaml
@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
  - name: traefik
    releaseName: traefik
-    version: 35.4.0
+    version: 37.2.0
    valuesFile: values.yaml
    repo: https://traefik.github.io/charts
--- a/infrastructure/traefik-system/values.yaml
+++ b/infrastructure/traefik-system/values.yaml
@@ -23,8 +23,7 @@ ingressClass:
  # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
  enabled: true
  isDefaultClass: true
-  # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
+
  fallbackApiVersion: ""
 # Activate Pilot integration
 pilot:
@@ -67,10 +66,11 @@ providers:
  kubernetesIngress:
    enabled: true
    allowExternalNameServices: true
-    ingressClass: traefik
+    # Ingresses missing the annotation, having an empty value, or the value traefik are processed by default.
    # ingressClass: traefik
    # labelSelector: environment=production,method=traefik
-  
+
 # Additional volumeMounts to add to the Traefik container
 additionalVolumeMounts:
--- a/kluster-deployments/argocd/application.yaml
+++ b/kluster-deployments/argocd/application.yaml
@@ -0,0 +1,19 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: argocd-application
  namespace: argocd
 spec:
  project: infrastructure
  source:
    repoURL: git@github.com:moll-re/bootstrap-k3s-infra.git
    targetRevision: main
    path: infrastructure/argocd
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: false
      # since other argo projects are added to this namespace (but not managed in this repo), they should not be deleted even though they are not referenced in this manifest
      selfHeal: true
--- a/kluster-deployments/argocd/kustomization.yaml
+++ b/kluster-deployments/argocd/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - application.yaml
--- a/kluster-deployments/homeassistant/application.yaml
+++ b/kluster-deployments/homeassistant/application.yaml
@@ -1,18 +1,20 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: homeassistant-application
+  name: homeassistant-flat-application
  namespace: argocd
 spec:
  project: apps
  source:
    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
    targetRevision: main
-    path: apps/homeassistant
+    path: apps/homeassistant/overlays/flat
  destination:
    server: https://kubernetes.default.svc
    namespace: homeassistant
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      prune: true
-      selfHeal: true
+      selfHeal: true
--- a/kluster-deployments/homeassistant/house.application.yaml
+++ b/kluster-deployments/homeassistant/house.application.yaml
@@ -0,0 +1,23 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: homeassistant-house-application
  namespace: argocd
 spec:
  project: apps
  source:
    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
    targetRevision: main
    path: apps/homeassistant/overlays/house
  destination:
    server: https://kubernetes.default.svc
    namespace: homeassistant
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        pod-security.kubernetes.io/enforce: privileged
    syncOptions:
      - CreateNamespace=true
    automated:
      prune: true
      selfHeal: true
--- a/kluster-deployments/homeassistant/kustomization.yaml
+++ b/kluster-deployments/homeassistant/kustomization.yaml
@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- application.yaml
+- application.yaml
 - house.application.yaml
--- a/kluster-deployments/kustomization.yaml
+++ b/kluster-deployments/kustomization.yaml
@@ -9,6 +9,9 @@ resources:
  # - bootstrap-repo.sealedsecret.yaml already set for app of apps
  - gitea-repo.sealedsecret.yaml
  # let argocd manage its own namespace
  - argocd/
  # infrastructure apps
  - projects.yaml
  - nfs-provisioner/
@@ -22,6 +25,7 @@ resources:
  - external-services/
  - monitoring/application.yaml
  - authelia/
  - passwords/
  # simple apps
  - adguard/
--- a/kluster-deployments/passwords/application.yaml
+++ b/kluster-deployments/passwords/application.yaml
@@ -0,0 +1,23 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: passwords-application
  namespace: argocd
 spec:
  project: infrastructure
  source:
    repoURL: git@github.com:moll-re/bootstrap-k3s-infra.git
    targetRevision: main
    path: infrastructure/passwords
  destination:
    server: https://kubernetes.default.svc
    namespace: passwords
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
  ignoreDifferences:
    - group: apps/v1
      kind: Deployment
      jsonPointers:
        - /metadata/annotations
--- a/kluster-deployments/passwords/kustomization.yaml
+++ b/kluster-deployments/passwords/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - application.yaml
--- a/renovate.json
+++ b/renovate.json
@@ -2,7 +2,8 @@
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "dependencyDashboard": true,
  "extends": [
-    "local>remoll/k3s-infra//apps/immich/renovate.json"
+    "local>remoll/k3s-infra//apps/immich/renovate.json",
    "local>remoll/k3s-infra//infrastructure/external-dns/renovate.json"
  ],
  "packageRules": [
    {