Update Helm release loki to v6.24.1

2025-01-16 22:02:13 +00:00
50 changed files with 49 additions and 979 deletions
--- a/apps/adguard/kustomization.yaml
+++ b/apps/adguard/kustomization.yaml
@@ -10,7 +10,7 @@ resources:
 images:
  - name: adguard/adguardhome
    newName: adguard/adguardhome
-    newTag: v0.107.61
+    newTag: v0.107.55
 namespace: adguard
--- a/apps/audiobookshelf/kustomization.yaml
+++ b/apps/audiobookshelf/kustomization.yaml
@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
  - name: audiobookshelf
    newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.20.0"
+    newTag: "2.17.7"
--- a/apps/code-server/deployment.yaml
+++ b/apps/code-server/deployment.yaml
@@ -1,41 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: code-server
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: code-server
  template:
    metadata:
      labels:
        app: code-server
    spec:
      containers:
        - name: code-server
          image: code-server
          ports:
            - containerPort: 8080
          env:
          - name: TZ
            value: Europe/Berlin
          - name: CONFIG_PATH
            value: /data/config
          - name: METADATA_PATH
            value: /data/metadata
          volumeMounts:
            - name: data
              mountPath: /home/coder
          resources:
            requests:
              cpu: "50m"
              memory: "100Mi"
            limits:
              cpu: "6"
              memory: "16Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: code-server-data
--- a/apps/code-server/ingress.yaml
+++ b/apps/code-server/ingress.yaml
@@ -1,17 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: audiobookshelf-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`code.kluster.moll.re`)
    kind: Rule
    services:
    - name: code-server-web
      port: 8080
  tls:
    certResolver: default-tls 
--- a/apps/code-server/kustomization.yaml
+++ b/apps/code-server/kustomization.yaml
@@ -1,15 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: code-server
 images:
  - name: code-server
    newName: ghcr.io/coder/code-server
    newTag: 4.99.3-fedora
--- a/apps/code-server/namespace.yaml
+++ b/apps/code-server/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/code-server/pvc.yaml
+++ b/apps/code-server/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: code-server-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
--- a/apps/code-server/service.yaml
+++ b/apps/code-server/service.yaml
@@ -1,11 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: code-server-web
 spec:
  selector:
    app: code-server
  ports:
  - port: 8080
    targetPort: 8080
  type: LoadBalancer
--- a/apps/files/kustomization.yaml
+++ b/apps/files/kustomization.yaml
@@ -13,4 +13,4 @@ namespace: files
 images:
  - name: ocis
    newName: owncloud/ocis
-    newTag: "7.1.2"
+    newTag: "7.0.0"
--- a/apps/finance/kustomization.yaml
+++ b/apps/finance/kustomization.yaml
@@ -13,4 +13,4 @@ resources:
 images:
  - name: actualbudget
    newName: actualbudget/actual-server
-    newTag: 25.4.0
+    newTag: 25.1.0
--- a/apps/grafana/kustomization.yaml
+++ b/apps/grafana/kustomization.yaml
@@ -17,5 +17,5 @@ helmCharts:
  - releaseName: grafana
    name: grafana
    repo: https://grafana.github.io/helm-charts
-    version: 8.12.1
+    version: 8.8.3
    valuesFile: grafana.values.yaml
--- a/apps/homeassistant/kustomization.yaml
+++ b/apps/homeassistant/kustomization.yaml
@@ -15,4 +15,4 @@ resources:
 images:
  - name: homeassistant
    newName: homeassistant/home-assistant
-    newTag: "2025.4"
+    newTag: "2025.1"
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
@@ -15,20 +15,20 @@ namespace: immich
 helmCharts:
  - name: immich
    releaseName: immich
-    version: 0.9.2
+    version: 0.9.0
    valuesFile: values.yaml
    repo: https://immich-app.github.io/immich-charts
 images:
  - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.130.3
+    newTag: v1.124.2
  - name: ghcr.io/immich-app/immich-server
-    newTag: v1.130.3
+    newTag: v1.124.2
 patches:
  - path: patch-redis-pvc.yaml
    target:
      kind: StatefulSet
-      name: immich-redis-master
+      name: immich-redis-master
--- a/apps/immich/values.yaml
+++ b/apps/immich/values.yaml
@@ -37,6 +37,10 @@ immich:
      existingClaim: data
 # Dependencies
 postgresql:
  enabled: false
 redis:
  enabled: true
  architecture: standalone
--- a/apps/kitchenowl/deployment.yaml
+++ b/apps/kitchenowl/deployment.yaml
@@ -1,42 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: kitchenowl
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: kitchenowl
  template:
    metadata:
      labels:
        app: kitchenowl
    spec:
      containers:
        - name: kitchenowl
          image: kitchenowl
          ports:
            - containerPort: 8080
          env:
          - name: TZ
            value: Europe/Berlin
          envFrom:
            - configMapRef:
                name: kitchenowl-config
            - secretRef:
                name: kitchenowl-oauth
          volumeMounts:
            - name: data
              mountPath: /data
          resources:
            requests:
              cpu: "50m"
              memory: "100Mi"
            limits:
              cpu: "100m"
              memory: "1Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: kitchenowl-data
--- a/apps/kitchenowl/ingress.yaml
+++ b/apps/kitchenowl/ingress.yaml
@@ -1,17 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: kitchenowl-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`kitchen.kluster.moll.re`)
    kind: Rule
    services:
    - name: kitchenowl-web
      port: 8080
  tls:
    certResolver: default-tls 
--- a/apps/kitchenowl/kitchenowl-config.configmap.yaml
+++ b/apps/kitchenowl/kitchenowl-config.configmap.yaml
@@ -1,7 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: kitchenowl-config
 data:
  FRONT_URL: https://kitchen.kluster.moll.re
  DISABLE_USERNAME_PASSWORD_LOGIN: "true"
--- a/apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml
+++ b/apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml
@@ -1,19 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: kitchenowl-oauth
  namespace: kitchenowl
 spec:
  encryptedData:
    JWT_SECRET_KEY: AgAclRIJS25ACVe4NqLQbAree6c6WpTBHnLpe3ZQJ0ScHG/EbW/ooABZj7y1ABAn/mCc+hBYXYHm81FNUfUtSuLKi2UlORbTCsfmisYH49WX0Lpku9LTM/8az9tjE0tjUUrJZcRUuJfdNJMDPQx7IPjUQ7sKk/exFnkPEbK98+AElXyHpPKXd9dxiCgll0n+ksbF9BDUR8KY8IB2Zvh4cXPww578qe/9XYnxLV8uY9K8KPvhl7NI40SIaL4PX8KmsDlBh1bpOR/OxhIwAGEZDQp/KROy6msrIOYW4SHM9nlSUSD4WvV8UjcbV1oNnYpE1usFOuxSfQlJ1zlFepKUv40JykyunvQv9nqVbEogsrS4o5N3gNEaB9yyFSHIlevp32LVpAuZu3cNplmT+Zg7+ODpCWIcVgmOAeapvB+X7H4ScbKVcYLAzrRFDtnS4Vo1M+RERhr0AuMU/tz0lGs99oRkCw2ZIg015R125u0VcRNqzgCtbBM5BFiKiP2kYrHn02Q6o5tRWxDQfrfb0mnfD5c/gM4+btlfM6DZMpr/l1kLlm8PDEpPGbkhK1XiAyJ4erHPDMLcmZXrSyxX9R1g8n7vnLnkqx5LkGmnltQI2FM7StxC6IrMlxY0nPnkq1lHhTz7yCpQJNXgfXZLVvov+f6jlD6WJhYHZCL/hIFfx3ybjGYZwJ0m84lH0OQJQw5dtsbPVqqoYZIPieqdRmHw7M7TTmFuQJXD94lZj5gsln1sMqs=
    OIDC_CLIENT_ID: AgDOxWtGCiFrIP5aWHimrR6bu0uMS1/i1v1Kzo1lIR3j3zlw/Da2oCPNx1ZuhNAp9UMIs2euc8mtrWkyv4R6pcci+IxXiGzlQNBSkMfWu4DwhwlEdnVyCVehfE00t0ytBxX6NeLfS1b8JOtH9yo3e22fdaeTwn/iwGLNwi1BJxMmzk9pVp7jzXH09Zia8UvUmXw5GyGpIOIiGcIfaXkr1ZnY2l30jTw8eS7HaouzfWHWTpNXkMLN3qim4vs/B1Sgz/y9tUyVo/qMhWLdEcVklYHT7xHx03SPD7RtK+zdYZCqvDtj+tsdpYHt05zeGV+wflNQuiocjwP8TW7vhtbjKrf9lQIxB5CErju178ELOVrpsPBAYMgdEl7qZeKdSpydIwe3VbOg3XJ7O/Ps1KSnRYwrCvgE4ZCMm3geHyJxSiKRhBcuVYz5JkNd5ylD0Eq9NL5RCqJ4szL9NaGNPbzkvcdZzAnbTYFTzyqZ+XHX/BUFisXl5bKNHtaqAsOK8woGYnxJiawKRrwDUmHXU4RB3QiPCPhHSLU7OkvU+XDhyQqLa8bKEQzj9dUf4bX3Savk4noiRsXMYJznAlgMPo0Q4taxVIoyQHELYwIIdP5YRuw27B9wKUR7e2hhu4FTOEcyhwuFql3OuAjq8HJCDX6+COkL2WYFFxWBnbSCYEdzfbMBCHjrUUonijcQluU2VbaHODNMAvB16MRKapAW
    OIDC_CLIENT_SECRET: AgAylnSUXwInlh/WvyCiFz+8asbCSZA6kk84Rt6l7bHVYw34c58lJHsZK2OvOIlHuaMe/ewnTqxVd0hI1Azl+wd/5NygMYlntKquq0vuzlhLrGc3u+0SOn9N2P6quA3slF9KR94CYsDx9ogy+EsEoA1yrsydB8S0g9W8syraR1MtpM0ZkcJ/D78OZ6qzyXUuBNAZc+iX/r96NvoMiGNYavgG7npOJh/pkKNYPuNkt4zpbAFjVyoCfgZd4V2nmZ6dhEVy8odW+jcsMn6OJ1OZVlPb1beq49lBEcaJqk83ZtKbq2evtBYHw9YAnENVq92ecenw/YL5LXUhOxeN0M9Amo99/O6pQwwrT1mtZqhTTeTIZTAxqmJKgyxGhE4DJUR/s71bc7K9hd2WvdAYnCyVC2uGa0MwXp4V7UuaN9GerldT8lcFxOpRnD7yroqVTqebjAJIkIinp5NNZ2ZP/LCiCwKKHHT19Pchn615WOPTofC6es/spIdQ8a1Nf2J5YzvRjsduFS55U6tMaC7cuV8kqKH9xTTf/sDHt+68wVEAO9koAe1zpO+zR2Pq3VuCnvcDGIwXopXjvyjfujEEhEWZl51PVJLZqtkP5Wg2wHvlgjJBbbIGTrqh4xa9pK7wLDM2hUFx1q/YKqwfP0EGVTc96G8Wermj0DtIqclqFLr54DtxVe+Rr8J4edG6YQ26/seYsrZ1Oq2PejHQt8u9EzQYAtYYlBsw2ujCWys6KrbhaVr3
    OIDC_ISSUER: AgA2JPd5axkL5YIRA95qm/iH8wgM2J0AjKjgGClWabYJ3UKIk0hi/L/zR+1Pw9Z+6amYXj7Q0FxLqCcNYG+H5ABxnqUi7Gl8gvfVbegaO3q5QiO27g18RMDssNHDSun8PPaxHBvBD68hxgsaXntu8sZavCGdwEK0TzLJi7eH/4jtHlofzfYgaCsGqeOBgvs/q87PVJ/qxazXlY9e7abbRAKl9ZMY7Wga58/IU2HhWwYMvI53yQyGMcKf3XiI9iNHgIcj1+TmlgQo+PRKyopNfzgFbey7on8woQXphY+ioqQ0hyworpxAVoWlvzKKopt1xBDr4zxzkzbWyxtjwPVOOH3iyenZz8tZa/JkNYWxkWHbh0KCs9yUIji3D3shQOFM/NtE17THsQm3NgpZ2lg9ET1v6uXqwfOLiQ+J1JQLwNFnYeruH2lK4EGt2nDCq2VycOIjW4kMpiJ4LiT8gap9HwYjTpAn+opicYn5e9fmpgiHdMPvrsG1m9edg0cbwdSpEelliHnAUfKsxMV2e1fLsga6yrhBLSXIQs8rbURRa6wqVvGoLB86a9Q5Rm94Jfm0Sa9v5LMGRYvqO5LbLrjrR8e/2r17pHQE8ynMQCAW1yVTe09FcgRwYhDUohfThtjIh16sdoC97eUel7fo/POt3atP69JsCIBZstprhVtBIBssmavpIotVqi8F2/yUkhrZR26mH3gsOxkNTEk6XzHHtJRu0cU+BmObTvYgMi3DHg==
  template:
    metadata:
      creationTimestamp: null
      name: kitchenowl-oauth
      namespace: kitchenowl
    type: Opaque
--- a/apps/kitchenowl/kustomization.yaml
+++ b/apps/kitchenowl/kustomization.yaml
@@ -1,17 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - kitchenowl-oauth.sealedsecret.yaml
  - kitchenowl-config.configmap.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: kitchenowl
 images:
  - name: kitchenowl
    newName: tombursch/kitchenowl
    newTag: v0.6.11
--- a/apps/kitchenowl/namespace.yaml
+++ b/apps/kitchenowl/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/kitchenowl/pvc.yaml
+++ b/apps/kitchenowl/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: kitchenowl-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/apps/kitchenowl/service.yaml
+++ b/apps/kitchenowl/service.yaml
@@ -1,10 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: kitchenowl-web
 spec:
  selector:
    app: kitchenowl
  ports:
  - port: 8080
    targetPort: 8080
--- a/apps/linkding/kustomization.yaml
+++ b/apps/linkding/kustomization.yaml
@@ -13,4 +13,4 @@ namespace: linkding
 images:
  - name: linkding
    newName: sissbruecker/linkding
-    newTag: "1.39.1"
+    newTag: "1.36.0"
--- a/apps/media/kustomization.yaml
+++ b/apps/media/kustomization.yaml
@@ -12,4 +12,4 @@ resources:
 images:
  - name: jellyfin/jellyfin
    newName: jellyfin/jellyfin
-    newTag: 10.10.7
+    newTag: 10.10.3
--- a/apps/minecraft/curseforge.sealedsecret.yaml
+++ b/apps/minecraft/curseforge.sealedsecret.yaml
@@ -7,7 +7,7 @@ metadata:
  namespace: minecraft
 spec:
  encryptedData:
-    key: AgDG6apUvB38rB9tH+/ya5Af/32IUJjHiEGZFdYYqesuqyPB/qf99EtC/7CwqD6bDQQPVycJVcxwZuF8QtYfPXzv//yMkqEUJ2G1/Q5J8I6bjNGLR636UhliUpCkH1QDOspWJUjwKDVxlFN9l0g9UajvxnqLyGzbWPeay0sJEBvAY8ltEZpLP21V+GD+HgPk3HIfSFFBMsULS6GPCjMaFxkxQb6cG3K4Ej4NHCHRGOmax+4Rk7lwMyAHlXLlrwj/ytxrnHDWrugLIJE9KKmJn6UVNTuk6olgkhleg2PixV7oOiDVyu9ZQP8wbdppzRix6dnIcFEYJ1ZDK1rNF5QErYO0gBytiJnSsdFO0jUMsdBrho2FgUc5GgIdmgXWJJz3lrGFqXaRVvbPsBZTUAsQRh2+4IfqfWmAkEjBcjs1K8WWJfS+rO9e02KoHBT4decdsd8Qfr5EFdPIzMrkUoRMI9CJnIa5u2nR08Hhd9iojbL64FZ26kXMODtEdKmlo+HwjufLX5rYJVSfOyZYzivd/kgKA87YTFaMLKej07w3ofGrPYSoCnmLfJyoQdNyJhdonBDsgM1GgRWQZDpgJ1df0SB02A5lZ4V7lHWr8KlANv9YLuMoZnVehsH1NZjNQHDInIRiTLahEBbjcJzQz4vU1UWG100ATszEYKOUVkzPnTgkqKYU99ZQ23bHP8z7iAWQeumb6V84NTi6jNITBvU4yTFLuAiI3nW34Vb1mFVLwfWqMjEYX8gBB4yMSaVshB/japfkyXU0pYg4mK9gsB4=
+    key: AgBYeAiejdmxDBorvgnxQX5YvUhR3NId2vfWybMKlc27e6D/bKglLNyZMk70xSnFAPjcDmZ20mYjFPYvDOr9T6IU/REJ8QlzoKAn0xW779R4SkIxRToT+dJv+OM2avgQ9uqp7vja29xeXMjYAnQML+QGZKcrT8mE04G/Ty8rdUiv3yUXK5HFAR3SUF35aVLdlthLjpRkv1s0R7GAP4L2pNzBJNV3i37viceUSSjU0zpOa23fsQOkPAs67AIukAJBqh/hyF/hR9H1GeYZNTI3OcHcvC2iNk/XGstvv0Zy6ApzoebsfWGdsbVn+QUI0EBw+mSTPqpl71cbkz0v4S4XAVndosxWpe6AIgm5MBTU0FXIyGyoFDe1aMPq8BXiQikYVwB48oVNh9KF0xXX5AOG0whB/FEsL3OJsiNQvQ3R/Hru43JBn64oxjVtLfM3E7u8v/xr1VQahX8dylDmb4s5EV01U6O4y19Ou4td1eEMlhpJb0fBPDRUYuWxZAEDGmp+U4tAakyPed11VkcZPPn9fKAAcv8sGs3TYAbbF18hqsBnv2Wd+i7ZEvKwmdmfR/T0r1TJGsvKI7jaW0QtH256XrSxQp7a52qMKMVQWOSKw2k27t/IkRhxT2Prw4GfJvaVr4RozUaBf3LV/hfDWlDfmM2zg3X9W8HkzjotGg021OLxsa0Wzmhffvb8h4bvZwxeq3U1xaJocqXui7z0rT2pF4z3wYHR/lPtexHcOA2M8gfBGKb1rBKh+kW+N+/ZfVLNI0mokg5vrTO2nR2rb4c=
  template:
    metadata:
      creationTimestamp: null
--- a/apps/minecraft/job.yaml
+++ b/apps/minecraft/job.yaml
@@ -4,9 +4,6 @@ metadata:
  name: start-server
 spec:
  template:
    metadata:
      labels:
        app: minecraft-server
    spec:
      restartPolicy: OnFailure
      containers:
@@ -14,7 +11,7 @@ spec:
        image: minecraft
        resources:
          limits:
-            memory: "11000Mi"
+            memory: "10000Mi"
            cpu: "5"
          requests:
            memory: "1500Mi"
@@ -32,13 +29,13 @@ spec:
              name: curseforge-api
              key: key
        - name: CF_PAGE_URL
-          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5925838"
+          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5413446"
        - name: VERSION
          value: "1.18.2"
        - name: INIT_MEMORY
          value: "1G"
        - name: MAX_MEMORY
-          value: "10G"
+          value: "8G"
        - name: MOTD
          value: "VaultHunters baby!"
        - name: ENABLE_RCON
@@ -46,7 +43,7 @@ spec:
        - name: CREATE_CONSOLE_IN_PIPE
          value: "true"
        - name: ONLINE_MODE
-          value: "false"
+          value: "true"
        - name: ENABLE_AUTOSTOP
          value: "true"
--- a/apps/paperless/kustomization.yaml
+++ b/apps/paperless/kustomization.yaml
@@ -14,14 +14,14 @@ namespace: paperless
 images:
  - name: paperless
    newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.15.3"
+    newTag: "2.14.3"
 helmCharts:
  - name: redis
    releaseName: redis
    repo: https://charts.bitnami.com/bitnami
-    version: 20.13.0
+    version: 20.6.3
    valuesInline:
      auth:
        enabled: false
--- a/apps/recipes/kustomization.yaml
+++ b/apps/recipes/kustomization.yaml
@@ -13,5 +13,5 @@ resources:
 images:
  - name: mealie
-    newTag: v2.8.0
+    newTag: v2.4.2
    newName: ghcr.io/mealie-recipes/mealie
--- a/infrastructure/authelia/README.md
+++ b/infrastructure/authelia/README.md
@@ -1,10 +0,0 @@
 ### Adding clients
 Generate a new secret + hash:
 ```
 k exec -it  -n authelia deployments/authelia -- authelia crypto hash generate pbkdf2
 ```
 give the client the hash, store the secret in `authelia-oidc.secret.yaml` and seal it.
 }cnnhzH|Mf/yLn(v4rF#>KnGMgUS+TY
--- a/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
@@ -7,14 +7,13 @@ metadata:
  namespace: authelia
 spec:
  encryptedData:
-    client.argocd: AgBWKTgzqy1UjMClw8+9MKCZAM53ErvunxeIMkyPkOvioGN5+QuvtT3rSCNJentXEhIK3V1mt0kYNb0yLei+W8o2Vgr/wqvPfA+JbtgfPKuHg1eayTXDB7TPXG8MzONM75pPEq6nTSz7YOfu5AU0OjX/3D4E8lBD3hCfEteAA6tbxplD0P17yEzQTspPbXh+YNRY8/BmRr4xbp3aDdekeYfrZ8HQaYOCs6vl3JH4SvYoPGxrsSS2muZEPESmWBBC72NcFVnpNG4i106qxwvMlfOwKz4+FQsHMZAdRYmXayefwMWTxOC4MN1VUE3S6FDZlU5Zds52qOF1bO8w0cLyFaILtcPkjV0w+7eCUhrYx3CzyaCnVAHBBwvUt3VZ+g7RESI+Qc0CDV5IwTpj0R0Z4K8ieGMr/gEU83Wm5Hv66aneZppAJV5E8BixIdFTAoZlLNXg3Q6R6I8PrcnTlF9IzBbrWBrE1MuYgvzIIZm4+lohV+jhJcOPgRANxVkDwAz1Sk3AfHFwKtxtzwjvpOyr+R49+I14GGyKtUcZjHioSUSiTqV4JOYvFmSDXsy5CrzFdO4zCn5jMhkGRWztBJY9nN1Ui5yODag2S7TVsCgcYNF0tItaNMHmhkez/NoWFDUvcNwr/+hGC+DQN0xoZTO3vskyW0RGKjBSnoI5QUnuJqFJsRymh7VpRvMr2C+0Tvk1nEoOoRmA65aRJScgp/acZl4UXhwOjyIpSNzai9kvIj5PVVf6+78z11h5c9w+vF1IDKCDGGgjrnXBeHFGoty35UVGOGOXQoQbLXyYu9ZWN6i6garwl5ATwea8oaUB1h1xweoqSz6xrHcLmjqWLbm8Me4eSA3TjvsD8gtnhAfnVAETxBT3UQ==
+    client.argocd: AgAO/s+1K/QyLFsj44qAsgj+qS0qE7Q1De6cjc8UpsXDTQ7Y1SrP+NP8K7mZwGgQ1ItJN7bsIo79CFi4wLVEUOmAhu9dFwot665F0iwA8aUrcohk9xfqxqcv0A80i6mbchd60/GTaOTiQ6IFbeKBsxdv37NhvExHia9zdPFBVZoor5gmfZi1l8Aujge0dHqN0Qtg6R73b+abiJZS/h24HmETPJnRARK9aX1HSO8syBv2cxOuX3oYpVT8qvw+J2pgF7pD7YF8ZXG5v8VkXLn9vZ/EznTRNPguGC7YZgEXB9dvSJMcQ7KXNqtreKtSJk9V6EuhHHteHAlrCMdJ/UILUx+S1MLdSlnmoXHLU4oXITI688ZiGxtp0MyhknKPk/rRHV8To/lbEswy16j39ES4+vV7UgBVIvl4Ds51C39VC5G3gKL4xuEWbSuXv3oNbIPQzNZXGPkn77f4A7NQy2Wnp9G8RKtJSQqoWaOCNoytngyIkEy/Z6tbNFmafRvEKSSNLMVeH8nChpbqCwVBTrk1jASYFPW8sIlVh9zia2uihiHzIxdKOQXsvWMSGLdFSSiG0vlC+yeBb5PhWBA+0nAsKGO88a916E9B011w9qK/92GOcYaU/Kgyo6CnseVyJgSjv6d2IHxKTHnQtWpEQEHO2VEVfuqiISDz8rSCFbM5U91Qly947bRMCXXY8GuFnmlNJpqq7QPp6HRZBt4ZfRmkI/E5y7Nb/L/SfXDJsjSd0z4U0vJi1tYxIs0XnprhxjkuS88ZuqdEZaHxG8PMrACSltKzZhwBnjImb2LuOF3mUitngF2YQ5L4q5S7AcOU4fVHwoK+wONNCEjI63RiGo7DTm1AwM9lA5gM0pQSU9T1JqWtYcPZVg==
-    client.gitea: AgBEIzadyU5+RT5nKUII3EPXfi4yl52FzvQQxEfX8T5845fAQh0/8ay/E3oXKjH/MvsnPWvIwBfAG3DZ6LBVt39SOA3+5csbcwgQn8ZSigfriowkGJKiSu/UhqloiCuIvzZwu7CrTUaAdrWdMOpYvVPts0TYUUdA5tcPGYyw4Sd4Z5hi22+NeMoCdMl67iag31I0PLEWl92WQcQ/V/sOKuLm0p8TEIZaPyCHLBwUPbD7Hvka6JhrkmkybnOJfmQLrHAblPptVlIOVwER3e3Wrzvh6YfOq3KUtFboeyLRRafOy4j5j0dWXj21WLznomH644ioUeysAG6gP/HZthuNMTUydz2dsWtIu5J82jP9bbjUibZeQIHjS1Y1eqPSd9lJWNjWBb69xuDIewLZ75rfOuTdVp83+iGkha2yhc8OEHBaXRFO3zDL/eYSuBGxLRtSR30WSHD6sgGmrGzSShAlM7MnuSU8tqeHtmLuKH85ls89HvVvgn6ZVj5+P6dmHctFM1tp8Q97nUeZZGbThT0DztKExNTdb1yCsb9m8lDxX7avGfBYvx7ntqBdxz5CurbFvEYi/9C98EYZycaurjUIRBjEgbT7vHkIIvJBy1JDVZYDFzNGkvZ0oOhehANvx9UNKeb32iCV3ypGE7oXF0/WFdFImSZWfTHVpqOUN+LJTnZylkwcyByp8Ut4R7xS5by/bBV846LK985fzCRWldHk0U7xli1FUvqHMvocOTsrwVjWtE0C9X+GDQMAJEP7z5xWlMCEePjEZq2/OPHXiRlDZ/rQfQS5zpkIZAK/vaiRCZ/arpN0RslwOzIDnnyFJB0jqhIsXf1JUDZUis7yLtnyaVh3I9a0EXrPu49ItBk7XdSNMYJ9Hg==
+    client.gitea: AgAbX2GgysUuAg3TLLK7Puhtl+L8x4cQOGo+3TP60DPms42Tw6oihHQpSTzIEetdaqJ/QWrdB2FQfzhKQVM0hQji2uVH34SyzvP5TepJJSURUZAHGRiwhb/E7S8ag/ybBWQ9OIQzMZBiOOyDULrhmjbtr/CbozwmvdTIKiXIBLxQbXA9PjcM76UyYZAr69wP9a6xOzwOZgQ2/aJbWEFnItreUaqY76FHzKwkcPkzwPPryD7jvpVoLC2ZsbFLCptKbaCpRuHNQgHblWB2dj5wkFRGmNyHH7mglq9A2FbB9uiAD+2K2tgYgSc4yGaeGIvu/Qbnioc4F9nTT4ZceEtMu+sn1gVWy3kKkUDOvCcGUALo759/FuyTQ8JKKJ/zLYHhCJ8IAYXFhALe+aQMZbcycbD9KU8Iepq1DCTsyjpbM9K5w0D5ZnBf3V9IemjtMNaCllDq1Io5mPQaxlyjsWIDgvXIP2KEGekSlnh5O2yNCQl0gLAKM245B0lxyRgr22lTH9AJacbIVevwdBq0B+iSm/JGJvWjwLzfL5D41HY0Z6ZLOLUFKnTHQGiRp2+g9ysg+38aOQ1PUAXlloXM6UVnEHdahyvuPmAfo34f8vSaSrT1b3Xp0MzxUwxzl0bXO9wQ/As41qpI/DKC45CFDl1yQ3/+LOggAF///peSyzUNYUvbqB2u5KWNrLulXO11IKffHYeiwfeINxB0B3Rzxpl2ZBm4k8cauArTneYYcic+DbweY3WjcFQPCtfQiiS56S1wQeF9xgZfL2WNQA3qnnsB4mYyCLxH/oJ2JiiKrISPUmEcERnU8rdUelZ+idiT4s4PDpOo34QK756nzTtyWGjU0pIm6PIpz35i4djMkUoNpLq7bcVcKw==
-    client.grafana: AgAuT9f75mVVegFb5kC7v0wq/myoG6JlN8DLvY2tBqqCJ3pDMaFkVSALustQvUxpQ3UDFndKk3vF3rL/ot2h4R5dQO82guqR5rnyi7dGgf4+guV31V+Pz+cMKMNGDzvP6gq1+ePuGgR8Q70OKKk28Neiv1zd0quzKNY+Fmi3nYVonnKt7SDRrMgHdrak1jTyyBCDCl3k1S/kCjSsBUOfZuPDWxbSyKi8UvizwEm7QmK4ifsdA4IyaO6R5u/B9aQP4/eeb9uXaoBZVDWsrqi0ZHBavCnyJ79rYwDx+6ThsEbwYYsJ00omGts/1EPZL+1EpdJ97biIzapXpvlTRQwcxOZ0sXnA+5ig0Bs25u+T012HNZndYLcqmRsgKk+Iz7YjPRddaIFFEhttgubxCk/dMvzcchkOFI36gEC2TQCX7B7EcBAi6lQG7I7BVV0UrqmNhrzYCeY8AyNd9k6dNj+NslHfxM9QFIJmK8UnX4tx3OSJQJLaXN2ZG7TcPxv+Hn5z6A+PTE8+iwJ4mZmjxoVbyN+PYwz0m+uDqS4iDrd689NjFNy2lUxoCTtoYHs/U+GNOFD67YjT7DE9PbuS5zWlHCYM/W+5Hfasqs3/NgpbX6P44ZIMUBSdcgD/TEKyjP/ttjXG3FKVO/RkrJCNyUSHQKRlMJrzwEfwze3YQ1XKw5xLzDN8dTb1fkeDSE0EuGCtqH2S7cZE/3/w16PJ/ba5WR3v3CC99WQMMdeXLGP6C8PGq7Z/WErXlNLLPCsQKIMqlhoupm/r65SEcgf+OBI1iUG2dFNdB4VwFIU9UwHm2t3gcnU9Lq3DGQaOQusIHJgVF7UuamogkTfmCt6vxxIxXyPodiebZ520TeGgKIxvwTftxl+miw==
+    client.grafana: AgAtsKa6TPkGYqT3BcmbKnOnKG4xNd4N7tv7Vt81rh10KupR5z9c12y78uyKQZMyWb7PDDi58nIeWzTmtVmoSl06D8NCOfYrlbZQEl+NJsePX/kiwmlOnOrLBQ89uHHdlU7MCBPVDZNPY88xzkZg0pPnWYlKuvtNpV0Uq03gUosM5kV6zF10LRM4Twhpw9su5mDkwzyrALB0eALkmcktDpbayr0b0ZnK1X1HYuG9/GRTfa4uE5Jqbl+h3wV8cqUHt5drCVu3yGEP8palqTWh3LZoVFddDZ6EjX98FNGorpgvXzQrSwR3DHEovhER77MFgJu5vvVecgygPMHpQETb7VPpCoiY8WwjcJMElcFbVFgeih3mMxe0vgkf4AmyNmHvV52QT01+a2UJfwb2l7J+BJQS2qRLWX22eUJ3jWthFZp1bHxrgrizaqLmuR0WCabiWClS6+w5ecuuEnjZKhnNgGViUTZEo9r4Y+Hq34DbpSbQCPD+KFwjSy38cu585wHnMJHbmP4tVH0+zAA4sNzlcO+Dt2bqNZ5bIl+pq1y8qP6sABiRIxvHOhnXSHFhRQzUqrO7D/0WEHzsHNR/FyuJJ8gsE/ZS3gmMq1qaYAdLWanNPtJtcZxk03ZTGRmx+TRnoeTdGniyROACL2e78MX6gszjCpjIQWJOh/gDmMtO/r/0wu+OFUlKm6ynpm9hwjTfVXIAxVGQZP0GNzhxWekkB31og/XUHDDSARhfqozor5Og9vznx6t0wtOOzMXt0M6P7w7+kIEfLHSroKgY0D8QlXNmBQf1Aub7j6NjyF8xdQtxMhGmwbQ6AC4H8jUdzRy+zPCck70dA3hSwS9aaxDy+xD4zWAmZAzjAQS2lRbbdxpxh8L97A==
-    client.kitchenowl: AgAb9vWFHkiFgsHs+1nrq65n+kT03igRLq3KWIvDg6EokA2TDXYb4KwYBZa1xcFwgT1iiLge71Y6spMRVkJdLAjRCaPCtSTGygzlZ7z9NFkn5O9YuWgkp+cPr62ElHpx9umKEx+Ug4vgyvrBk9eLWxdZZsiJZL6GcjUbMe/Mx2429mveg0kyfKg3XjraeU7xcHWwAj9PbjeRnhEewvr+9sdv3H1wA45E2+pZ9cZ+ETl9wXXNquUzUFSp8IOxzXwx34aDqjdnMbEgU3k2TEe3N9wU+r9vuzn4kesh0zEGkEfXhKtnGNSXFheU+aa/5cTfIp/GPfx3+dJ54LLWfVGU9X+COI70zvTEtAhgJptkWqJ7dVp6SLgQotvg3bTNohof1/6JDPKQvGvkQ3ALYMXYDd27NrmP3ZSJYdNGev0yDr6MXyNlv8SglnsRIpfMmPyl913/10DbvB5b0Tiy2xzmmODpG6Gk6EQquaJ2g+imaV8VPSdDOoRK+rDg2AH5KKRn8vxH7d/NRsmOmCxadqmyyWBbl9onu+TzSnjnPxyc2cl3EeqaaciXyh/eu3Ar27DVu1l6Iorv+N34Bttdti0TZgeeMD6/Y7eAXTry482ix26UOYmTH5+mGoGVAkh5BuWO2fR52vuEHV1T1VYVRK3+PX1OIeWEoEdPMvDokELc4W1Av4lVDKcacvNzuMZ1gpiXmdCNnYfDq9CbW00rS1/LPPUIdIyOfHg2q/OgxtkjiPUwWQCTc5NO8FPlQ2B4ZsJ51vfxl2zx19w9tgQVi7C7T7Iek/2Svz8QMiZtf9N3W8CoUp2RXktV+Z2yI3FWG55IzicRbVLWpeidRxuJTEdm8emgHSiMpDM9Uejv7pAs3QkLRX2+og==
+    client.linkding: AgCUlf4WAphijd9Oy2x+WRZv28o5alDpfF9hiro8y/99jZb79HbODkS+Z48mFRypMmu6nsAp4NJmaM5Tc0kOXCfoqAkcw6AQ+noalSCzGpH+laPYRnvD4ccVbJlePIeQlnQZTipSTcNgoCvocIfi/5sgKFv22VKEyYuOEmZ3VfQ96CIbyitbyApw0JHi5x1kanw2QFE3dmumnNG075zQ/aJYucM4lrpDY8P2YhAbLNaJx5dB7SCeGoVvviDtuZFHskLFIIzV0fjBIhX6b6vfRgT4IQpaBTpEZcQ+tLLrEcL4jAPWzooDmpgCU0l1wg0Xf3FmV8aBpzs9oicvQauLVgKF8ouBMoECjB82sLAuI1pBUbOKOjxCnFTnL6kGbOZm77maddJ837Bd5BOO2spAhUYfQCuPg98ZyiNFSCKzf1XX7mDY1xeV3S6KizpULc1fimKoQL4EImKYWLI7GVnKUGvS2V8WVTQu/ZuPCTfpg+OSO0YOc3eZPqQ5immSK0Azt/PvHcoxiNYHajI7Jy3OvF6Fhv7HN/prHZJZMARRnMTgpPjvp5ZE+xA+F2FURllLtmNF3c3i8s4pM6xi0GSBsYWc03WNIk7aY1oENg4aEufOHnknuX8GiGQqdnKPPUuhiTK4k5iyqk7Lo9ntdu+WJQllUoNe6s9kSRua78wyYb684nKNfAFbyYXUW6oiWD6eYCSgyCj8xAGdBv41/Lz1jpUgSetvoHcDPjh/mDjGWRAgg1hqaIr++DRuFW7mEaXthoGsu3pM6JxVzge/mEfs/DM/vn5GEIFvSGuC3Nn9IGcyqeVWcTtlRh5AfTe1tNlohkYkNr96Fe+j/7MJLWgc59th8FEH2F5ygbPg9ay6c1rGjSYD2Q==
-    client.linkding: AgChIcLDfhCZshqJgG+H5exbWt29ms882BkAgDAopvbhbXE/e+I0tVw2FNDZWmKbI+i/Hlrvj4Bputn7pUcoAZf5W8FUJ2nOMhJjtjwMF6O0QzBje0Xrzi9eK91XWA3PRxbPOzBZYWlmWvwelYw0hCgfp1XRn3aXkPcpsZFV8Bb2KSXDSk39+UqIm1I4rR9hCXPMkorTUZOa/NYpDr4ieenbRS8PeeWATPzSxn0hN+RnXHnoUrKdO03px/2mYS4SYJrgZ2DrkGN7uz3/ARwqxxKcMBQeQCe0S3Udsw0tvvJbjeHJIQ3fzIz+BZdbKLgVuJa0ZNQxmuDVBFY+60d89nR6wKsyoRgC8y/sEHRpztUjiJC7WBiiJ/g80luMuo/7ZTIvu6u1I/eugsopJKUONv23cowdqthyzlsnKCsBTgfdzXuFy5YYoL7GPcybdpUcOA8upr15dE8vsN3UJEYJCZkw1V4iedzHVGPpo6tts4sewnzplH93QpwbVywMcSl1k8oeHqbdmh0srJ54hBFboyNRr2eQT+b43oFJZtQb3hhuZyO/uXKx44jeBoVYkmKCVldBBDE0FdQpAk2m6dtvXae37Eu7xHiWxY/KDzVxBzJn4NWboQRiTM9HQ7pLuAKgG+Ec1+nwfBgq3G9jZrdIN4/tWNvuBRuPrUTt7pwGJ7RCbMgSz9xbVFCxwBx8GwaNRFOH3/RoMdVwlUntRELYN7+pU9S0FS/VPnbVxOZbJI3ZHFj9n8qZ3lBD3SiHB4rNnirQf34CuEfnLigpSdskKdOsekXQybxVq68T63Ntf/yn/t0+nV5VdqpW0stqRBQaUq3yEqfAn0/HQ7nTgSbHf4ZsTMsAU+CSAewnig6qKTcS7a7Lrw==
+    client.paperless: AgBJXjDVqEubR+5He9KVfmfHV4cH5DLtiLmBil5srrUTTlJpjBtD0OBA0Rj4qpZjrOHal/p0nfGQkgtvOmj5NWbplktEjmX4z7uRT8zjatK6zTjDHW2x2x9T7V0LCBQwkPtboBuxQ6tSc9yQQr15Ru6rT0BgvgDd5rOubnQQjK9AjxUe0VKeW0nGnZI0Zh9zIOiW+Yt6AFzheYgAfF4dsbBe1hTq7N4L2JK147YLI50GqFCL+vGYpz7MxcU3AzDi4eEP1ZmLga79eGvMelUSR4d1l3k6fjFQ8mCPPQ+PkMoWuu8FZ8pT0F+qdb2jB7GCqPedBmuzJNT127mqWMJN929n5j/towZjI9IDd+q3YXlfMEWSY74r8x/GUGSq8mB0/kS+iLyC+p6Rmu/aaW7GNkwZNtcuQkI346JBOnUSa0bT/ElXDNnRxxHGPCNQshrv3wTVoKgN7wxkVVXbX/MdXPE9NqWNRQK42TdROXpjWa/FVklraQ30XPy/SHBENbhXvmqlzrbMWmK9/auBKDB1tmLASUcO4iObOSFPUdQrj+pJ4oQFN1nlyX06i/X8ECENov2jwfpf5tW0sWoYVSPWuZOIOk2wEF3HXnzCtv/f41vMixtqhpWPRvasJ4UejsuatHaYNRj7uD2FjbpYItvT4QA0xepIR97jVWqc6bsN23AFUJIHJ+twOYpNIQJqJ+mx/g6Yzt7YOTM7X2VJO6dKwBhuXx3cRigU4nadZoTELT+Wh8i6n1lA/kD0+A3OuMjwuTrvutDTOHH5RjDwRWRw3m6LohWfdQIVvEkAM0RwwvcC9Yu9W0PH5ZpUGw3zpiqzgydtxTXEwi1IGS2rUKkdhkoShKJ/ODMZjjRxRX0H4zkelPUDGg==
-    client.paperless: AgA4weCcn9z4H2WIqADKRpOMkCmA/6pci0SCKsTcS2nf6XuRG0pFufVqrVTe5jYIfAymKJs+Yzlf6V5ViE+3U/PhtBgHC1zifYBVkC0lSUUKx2YWkmrnSylAZZIYArC+kdNXU7pwIS4i8eCxeB8NhTtHBMXdfPig5kH/G6/FaL5RZ52Ly3jf3h2UP3JrWbk4dYijZbjvHsGNJMyDJ5cW2DtgMmFNMte2ScBuGpgF2tDiVKW7Zq2aEpVtVXvWjF2euuL39EFvLzPAIXeG4TaagBCnFfMVVxyrS8Dk63CiWQzTSaeBDbUhRuOGAYD0GELhSxpsKjOgm5AaOk/sJBjoAliFtSyejO30tP+5PBC+FE4RlJM5dMjHU8/9T/tBSOus3k7xWmExc5Eavf8yeXVmNeTJfC+Sji6QZxG5P9xisKXgn7EX+T4aKpeJ2FxAtL7NKgnrKeoztiHV2vJH6TepGjFejf5VJRjOP2QAJkX0ApnUVfhww4CjhBFo20zRYyI591ZMbw8PxlRFmAsXhL9XeaXQcl7nq2P2N0IdodtR9xMVlvpkuv11AZnzXjC8GfWgPE9vmDz5RW7Eo4WzWDaFVBL8Sjx+NZllV/qVHlJfbGgqgKmtzJWUZUATE9y9YwOG8PSKmw7fbIHccJ1o1HOG7BWIOQ/QIo94uQQWI0Z5ESRgaCsbf2oBX8HyYFdMA0s9sS9OdD1NWDTb1mVnhA8Pjq4XatA2PGlRPWBVD8YpjbeuNQXR4RuSuUvuKGOOO4Jsv0/ZXc4cUmPB3VWNzQO/0iNt8MOsZWjtQNiDBLZ3xVjRWo/p+Q7P+o1YCThuLxwdmyvAxkioRfR0DJY+ZrkErVnTv1CfLdS4ejf7ZYXcgsh5ZC8Kww==
+    client.recipes: AgCK/GYJr88kUCQ00YtksasTKChbCvSxxaIAa+08Xzgn2eRLmw0quTgqHS5yQrdj6SHNsI+tZifmUkfHXjDSP7SShhg4fe6T+r/AzZmYb6xFwvZGHF5nSmX5Xy94Lla/x0rOOTuk42kV6g6KJYD91VTLOYGMD0IjdZkI2NMFwXN0UIqOZD6SGhKav4WwZRk0GxjFwwW32NZH3+O1aqTCdBYsMzNFAJyur/Wj7ZpeFXZ0fdBHF+gk/RYOhIzGuoUJN9qeh1m/miT032jcapF2/bYGakufAl6gGtA13ssYcXqRZxqrOTHzvIo+/TULlXL5KJxA8cyTj696YsIc2svugvyrvJmHghZ3y1uVU7V7OjxRLTni8pO4boq11TTkiWdkDdSWmXm9lyXrTrHYstHs/KfdOxgshOXNktME0HOFsXdCJCD/dBRd8+Csqb+Xo4hy+m5ROIP1QP0lJeMId+yWL15xEb0CiEBw6LVLhtO3aZ1mYxJBwcjvBTllLhU1y3z8Ah0fOvcOdBx8ncRIn+tmVCgjJXwm5eBIku/74ubvR1avAB/C0qX1zQnWRWvmaE6/k58RlUrQHFWFI9OvJUSNushlUus6roEux7suZ6uhXJFfB8hM8okbIMuNJA99HdA9BHRr0ieoZALbQ5HZf/zFbKhGYYX3HcyExUgv6lxvwxlYJJfXtMPic3p4iPq3f3aLMyco8pDECKvoVlyAgU6RoCp2RDZeJ/bwaL2farGTy3HXHpw0jy6/6dZuQCD457v6a3f+eLBDbubaGXJsGF1msRyChdcc0JU2niKwKd454WJoWBLn3LVIsthtCLT5ZBY3yfttdjLUmocyPcYFy03LA1ogOztKjvXf0FjcofdcpIrfWenV3w==
-    client.recipes: AgC3w8qEgD9fru8tJRi3mYSDbJVq5oG++x8XfeRKAQPXFtMKdFYAvn3zGPc4viavPnvE1mkHWSn0ECC+YKEThiXlI9ok1CKnspLrzi6oQlReCUnyJdu9e49xgV7kb5/SQsZbDlVmtluTi8j8y9AIUows/HsMjXgoNrG6RodAsWp5cauCgLBrqMk9nPuQVH1jTNFm27rMrJahLTjr/z/5chdiU6sjPH9EIDnaLEP3o8/ACpPTtwF4PYQszUVT3Uhn4YlekqAYMfEolBYsPLSDQyiDr1fwO3/4YUHNSO/+bN+7vscS+x8zozb750Oi9c1ARc8ENn6AiM3ZEd32ZJKqfqJ3+CxsXsuG7VjfHu3+gc4uqLTbwZ+BVacSoA7JObsoQEbWdCGWTNo5FMXrhIv+BKDB59eLKXTOlBfVTLlbh0P7tSR57fhSpBomcvvnQ+MtfSS9hDFMNiPhb135c8hjJcbMZ6xdQz6HARVtP5nVuPyDafbez6A+VT9sUDt29+oNf5qpk25526Q4GI/YlyvXH+3RT5q8syYuSIZsmh92qD5ZltffW5kRooCeskAryiyWdgyqjMAekR1dZR9wqvzRraDpY/neLvrpUAPl7U6kdlzuIdaJFTnXmNKc1wK5NaeAEf4wwO6H/ibWEzIJKQJcTlmi+0J1SfHcCULYZ5ASeAkSRUxpdVk16LCTHWbyHYFOYmGsmeMmRTYylB/FdOuUEZWrO5B99xw5baSvLN842v2JnwR27Mha3RvS0teSgbuXgG5kWWGGZs9oibsNaaNz9p1MPw/HR4M6PmfEJRsaz+cX02bVUVzdaXhoTZ/D0DoNe8lB+Ofupjl7jAGzEJpGbwK7cB1gnITa4blqyszrKg1dg2L+ZA==
+    client.todos: AgBSbi/vsGzl/L2/BAWefZZNySo9TEHHUlf/ilCgcQcPm53wmd5gFJUyVhjOheN1AUdiLw5UpeITig/A8UID4B/4UOfDeSfwLYUvPgTP/5OxtxjoonWkrR2YGjPmtdBd9WZJVZcjb1YABuXew3SoVfuObw4F8uAn3iojxrScaO7J+vUZSNUE2fbd8kJ0064v/Huoan0PheFbRFqSVcDKVg62byh5LIGVtmcwdcWz1v3aYIRRB04TyyHAlmihv8/N3ppTrz5HR98Q8WHOrORIF4liS1c80swAUeFNFuDHjxbN9yphF3Z7taoBSwSdqNgEWjAr5tnFVRO7A3VmbuMsM5y9ryitbPqPijB1GIqqwLz1Ucn+KF7eK8kdhyZWidrBVWCQ8E2EEQELcJnotZd49M7y505LDsZgl8drqPoXoUW2HdPXcZzNqaGrc1DNhEK1aUHtuE4jBwPNVjEV8D2cQ1mm/rzF1YPyUPQ+TvqXgLvPQx0tZU7vSVBEQDAK+bj3hkgivPPM67iiSt3rrX8Egp53Hg11jzIE1al/Zlfja14broOL9yCc0dUVMpOXrT71t7RjYiPNg8CsK4GM2nopGN4IzMhP/sFzSSlwq5YoDxV/mysAGLRBzL615Gv3QRNAubQocnPj4iOCMvpIZdDuBTmCrUzPEzppwbb+JHnNoFOYQBdJEImLicnsGAiAW4Jzns0kElCpCl7wp9b+GCoqmGpzkg6Vk/LU8UGVDCnhuXmtNA7EbT04jb9SxRXIUl4/fmpzQWAC5HGfoSoO1M4LKp46sS7es2Ts+ggXrGJhAYiDnX/EJxkl4OWzhJ4SFiLVbeqcIIIYslQkz4KP+haPvbjY419zEDDp1P/lBPtJp6Dj81B7xw==
    client.todos: AgBaZOU3D5ZEi2iZud0kLIgZVVNwWjreEDMiadtgZ99S236SOckGlqTes+6gcTcMUQe6CFcxatx8sXamGd9xtIwyZa/5jns4Ju0L4Tozf57uQS1CPY10wyLlPc/a/thn6dItfh5l0Fr+vQBmV0dlEJ12UM9iIH/w9raaf0VkDP/XbZw6PZ0lVoJp6u8LrjMIf5+pdlPOSytFNzB0EbWfQYGObD/zgt45V48+gE9jLolLIEz7QPMrUg0dj1RjWJE+dWXzv+4gCsRi/64gPUdkOZS4YWIlFP08jcDChzbqhVkqUXz3AOQOxF7+2NpD966dxWiYRQfDfFwb+V4vK8C4+DlQL8p22MxWt6iOhxpSoXVVlCInYxxhjpk/gpECqfu6gKlEexg+ekccAvkKVmBX9TbOjsurYFjL3JfuL057fjWIpvZhkQjJCQJiCgVGPtyVhoCzsKeyVDNJvXs6dYp8CMrRAcn/fdo4wI0/tva723ub++AsKSsXCRT+d+03FnBbjRrxSQdDiP4xYY6BqNfjwHGYSoULxtop5t2qt7PzFlpCxNjRe4NrkENCw8xDDSRrg4CLmazPi1Xs+MDeEP3cpi9sRzQx9u2JrvvHmsTeHjVY/MQHb072nLa6xAiUQoXQLMlzxJuwx0U5DmsMe6o8FfKaLikcS4CDKEAddLDI25z2XUBA9J7BTXdhtHB012S1COhouRqn333uKF/BnABI32/Afj9qsDy8VQ3iZyTKpLQUOrOzKKTenXy0b3VV9Vw3DoDPhEb9//fGrVoLdbXDpYaJScza9qg7QWmLqO8Cbk/83t1C28LWqZKWyMtq+QFQ1ANIbi53BopX8zBQargctEVielkpN5HqVCAIow0nQcGmZdZClg==
  template:
    metadata:
      creationTimestamp: null
--- a/infrastructure/authelia/authelia.values.yaml
+++ b/infrastructure/authelia/authelia.values.yaml
@@ -12,7 +12,7 @@ pod:
 ## Authelia Config Map Generator
 ##
 configMap:
-  key: 'configuration.yaml'
+  key: 'configuration.yml'
  # include sub-maps wich OVERRIDE the values generated by the helm chart
  extraConfigs:
    - /secrets/authelia-smtp/smtp.yml
@@ -78,6 +78,10 @@ configMap:
      file: /config/db.sqlite3
  # notifier:
  # notifier is configured via the smtp secret and merged by authelia upon startup
  identity_validation:
    reset_password:
      secret:
@@ -223,25 +227,6 @@ configMap:
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'kitchenowl'
          client_name: 'KitchenOwl'
          client_secret:
            path: '/secrets/authelia-oidc/client.kitchenowl'
          public: false
          token_endpoint_auth_method: 'client_secret_post'
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://kitchen.kluster.moll.re/signin/redirect'
            - kitchenowl:///signin/redirect
            # mobile app as well
          scopes:
            - openid
            - email
            - profile
  # notifier
  # is set through a secret
 persistence:
--- a/infrastructure/authelia/kustomization.yaml
+++ b/infrastructure/authelia/kustomization.yaml
@@ -27,6 +27,6 @@ images:
 helmCharts:
  - name: authelia
    releaseName: authelia
-    version: 0.10.4
+    version: 0.9.14
    repo: https://charts.authelia.com
    valuesFile: authelia.values.yaml
--- a/infrastructure/external-dns/kustomization.yaml
+++ b/infrastructure/external-dns/kustomization.yaml
@@ -11,8 +11,8 @@ resources:
 images:
  - name: octodns
    newName: octodns/octodns # has all plugins
-    newTag: "2025.04"
+    newTag: "2024.09"
  - name: git
    newName: alpine/git
-    newTag: "v2.47.2"
+    newTag: "v2.47.1"
--- a/infrastructure/gitea/kustomization.yaml
+++ b/infrastructure/gitea/kustomization.yaml
@@ -23,6 +23,6 @@ helmCharts:
  - name: gitea
    namespace: gitea # needs to be set explicitly for svc to be referenced correctly
    releaseName: gitea
-    version: 11.0.1
+    version: 10.6.0
    valuesFile: gitea.values.yaml
    repo: https://dl.gitea.io/charts/
--- a/infrastructure/headscale/deployment.yaml
+++ b/infrastructure/headscale/deployment.yaml
@@ -1,77 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name:  headscale
  labels:
    app:  headscale
 spec:
  selector:
    matchLabels:
      app: headscale
  replicas: 1
  template:
    metadata:
      labels:
        app: headscale
    spec:
      shareProcessNamespace: true
      serviceAccountName: default
      containers:
      - name: headplane
        image: headplane
        env:
        # Set these if the pod name for Headscale is not static
        # We will use the downward API to get the pod name instead
        - name: HEADPLANE_LOAD_ENV_OVERRIDES
          value: 'true'
        - name: 'HEADPLANE_INTEGRATION__KUBERNETES__POD_NAME'
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        ports:
        - containerPort: 3000
        volumeMounts:
        - name: headscale-config
          mountPath: /etc/headscale/config.yaml
          subPath: config.yaml
        - name: headplane-config
          mountPath: /etc/headplane/config.yaml
          subPath: config.yaml
        - name: headplane-data
          mountPath: /var/lib/headplane
      - name: headscale
        image: headscale
        args: ["serve"]
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
          limits:
            cpu: 100m
            memory: 100Mi
        # env:
        ports:
        - containerPort: 8080
        volumeMounts:
        - name: headscale-config
          mountPath: /etc/headscale/config.yaml
          subPath: config.yaml
        - mountPath: /persistence
          name: headscale-data
      terminationGracePeriodSeconds: 30
      volumes:
      - name: headscale-config
        configMap:
          name: headscale-config
      - name: headscale-data
        persistentVolumeClaim:
          claimName: headscale-data
      - name: headplane-config
        configMap:
          name: headplane-config
      - name: headplane-data
        persistentVolumeClaim:
          claimName: headplane-data
--- a/infrastructure/headscale/headplane-config.configmap.yaml
+++ b/infrastructure/headscale/headplane-config.configmap.yaml
@@ -1,99 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: headplane-config
 data:
  config.yaml: |
    # Configuration for the Headplane server and web application
    server:
      host: "0.0.0.0"
      port: 3000
      # The secret used to encode and decode web sessions
      # Ensure that this is exactly 32 characters long
      cookie_secret: "<change_me_to_something_secure!>"
      # Should the cookies only work over HTTPS?
      # Set to false if running via HTTP without a proxy
      # (I recommend this is true in production)
      cookie_secure: true
    # Headscale specific settings to allow Headplane to talk
    # to Headscale and access deep integration features
    headscale:
      # The URL to your Headscale instance
      # (All API requests are routed through this URL)
      # (THIS IS NOT the gRPC endpoint, but the HTTP endpoint)
      #
      # IMPORTANT: If you are using TLS this MUST be set to `https://`
      url: "http://0.0.0.0:8080"
      # If you use the TLS configuration in Headscale, and you are not using
      # Let's Encrypt for your certificate, pass in the path to the certificate.
      # (This has no effect `url` does not start with `https://`)
      # tls_cert_path: "/var/lib/headplane/tls.crt"
      # Optional, public URL if they differ
      # This affects certain parts of the web UI
      # public_url: "https://headscale.example.com"
      # Path to the Headscale configuration file
      # This is optional, but HIGHLY recommended for the best experience
      # If this is read only, Headplane will show your configuration settings
      # in the Web UI, but they cannot be changed.
      config_path: "/etc/headscale/config.yaml"
      # Headplane internally validates the Headscale configuration
      # to ensure that it changes the configuration in a safe way.
      # If you want to disable this validation, set this to false.
      config_strict: true
    # Integration configurations for Headplane to interact with Headscale
    # Only one of these should be enabled at a time or you will get errors
    integration:
      kubernetes:
        enabled: true
        # Validates the manifest for the Pod to ensure all of the criteria
        # are set correctly. Turn this off if you are having issues with
        # shareProcessNamespace not being validated correctly.
        validate_manifest: true
        # This should be the name of the Pod running Headscale and Headplane.
        # If this isn't static you should be using the Kubernetes Downward API
        # to set this value (refer to docs/Integrated-Mode.md for more info).
        pod_name: "headscale"
    # # OIDC Configuration for simpler authentication
    # # (This is optional, but recommended for the best experience)
    # oidc:
    #   issuer: "https://accounts.google.com"
    #   client_id: "your-client-id"
    #   # The client secret for the OIDC client
    #   # Either this or `client_secret_path` must be set for OIDC to work
    #   client_secret: "<your-client-secret>"
    #   # You can alternatively set `client_secret_path` to read the secret from disk.
    #   # The path specified can resolve environment variables, making integration
    #   # with systemd's `LoadCredential` straightforward:
    #   # client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
    #   disable_api_key_login: false
    #   token_endpoint_auth_method: "client_secret_post"
    #   # If you are using OIDC, you need to generate an API key
    #   # that can be used to authenticate other sessions when signing in.
    #   #
    #   # This can be done with `headscale apikeys create --expiration 999d`
    #   headscale_api_key: "<your-headscale-api-key>"
    #   # Optional, but highly recommended otherwise Headplane
    #   # will attempt to automatically guess this from the issuer
    #   #
    #   # This should point to your publicly accessibly URL
    #   # for your Headplane instance with /admin/oidc/callback
    #   redirect_uri: "http://localhost:3000/admin/oidc/callback"
    #   # Stores the users and their permissions for Headplane
    #   # This is a path to a JSON file, default is specified below.
    #   user_storage_file: "/var/lib/headplane/users.json"
--- a/infrastructure/headscale/headscale-config.configmap.yaml
+++ b/infrastructure/headscale/headscale-config.configmap.yaml
@@ -1,376 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: headscale-config
 data:
  config.yaml: |
    server_url: http://127.0.0.1:8080
    # Address to listen to / bind to on the server
    #
    # For production:
    listen_addr: 0.0.0.0:8080
    # Address to listen to /metrics and /debug, you may want
    # to keep this endpoint private to your internal network
    metrics_listen_addr: 127.0.0.1:9090
    # Address to listen for gRPC.
    # gRPC is used for controlling a headscale server
    # remotely with the CLI
    # Note: Remote access _only_ works if you have
    # valid certificates.
    #
    # For production:
    # grpc_listen_addr: 0.0.0.0:50443
    grpc_listen_addr: 127.0.0.1:50443
    # Allow the gRPC admin interface to run in INSECURE
    # mode. This is not recommended as the traffic will
    # be unencrypted. Only enable if you know what you
    # are doing.
    grpc_allow_insecure: false
    # The Noise section includes specific configuration for the
    # TS2021 Noise protocol
    noise:
      # The Noise private key is used to encrypt the traffic between headscale and
      # Tailscale clients when using the new Noise-based protocol. A missing key
      # will be automatically generated.
      private_key_path: /var/lib/headscale/noise_private.key
    # List of IP prefixes to allocate tailaddresses from.
    # Each prefix consists of either an IPv4 or IPv6 address,
    # and the associated prefix length, delimited by a slash.
    # It must be within IP ranges supported by the Tailscale
    # client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
    # See below:
    # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
    # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
    # Any other range is NOT supported, and it will cause unexpected issues.
    prefixes:
      v4: 100.64.0.0/10
      v6: fd7a:115c:a1e0::/48
      # Strategy used for allocation of IPs to nodes, available options:
      # - sequential (default): assigns the next free IP from the previous given IP.
      # - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
      allocation: sequential
    # DERP is a relay system that Tailscale uses when a direct
    # connection cannot be established.
    # https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
    #
    # headscale needs a list of DERP servers that can be presented
    # to the clients.
    derp:
      server:
        # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
        # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
        enabled: false
        # Region ID to use for the embedded DERP server.
        # The local DERP prevails if the region ID collides with other region ID coming from
        # the regular DERP config.
        region_id: 999
        # Region code and name are displayed in the Tailscale UI to identify a DERP region
        region_code: "headscale"
        region_name: "Headscale Embedded DERP"
        # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
        # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
        #
        # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
        stun_listen_addr: "0.0.0.0:3478"
        # Private key used to encrypt the traffic between headscale DERP and
        # Tailscale clients. A missing key will be automatically generated.
        private_key_path: /var/lib/headscale/derp_server_private.key
        # This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
        # it enables the creation of your very own DERP map entry using a locally available file with the parameter DERP.paths
        # If you enable the DERP server and set this to false, it is required to add the DERP server to the DERP map using DERP.paths
        automatically_add_embedded_derp_region: true
        # For better connection stability (especially when using an Exit-Node and DNS is not working),
        # it is possible to optionally add the public IPv4 and IPv6 address to the Derp-Map using:
        ipv4: 1.2.3.4
        ipv6: 2001:db8::1
      # List of externally available DERP maps encoded in JSON
      urls:
        - https://controlplane.tailscale.com/derpmap/default
      # Locally available DERP map files encoded in YAML
      #
      # This option is mostly interesting for people hosting
      # their own DERP servers:
      # https://tailscale.com/kb/1118/custom-derp-servers/
      #
      # paths:
      #   - /etc/headscale/derp-example.yaml
      paths: []
      # If enabled, a worker will be set up to periodically
      # refresh the given sources and update the derpmap
      # will be set up.
      auto_update_enabled: true
      # How often should we check for DERP updates?
      update_frequency: 24h
    # Disables the automatic check for headscale updates on startup
    disable_check_updates: false
    # Time before an inactive ephemeral node is deleted?
    ephemeral_node_inactivity_timeout: 30m
    database:
      # Database type. Available options: sqlite, postgres
      # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
      # All new development, testing and optimisations are done with SQLite in mind.
      type: sqlite
      # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
      debug: false
      # GORM configuration settings.
      gorm:
        # Enable prepared statements.
        prepare_stmt: true
        # Enable parameterized queries.
        parameterized_queries: true
        # Skip logging "record not found" errors.
        skip_err_record_not_found: true
        # Threshold for slow queries in milliseconds.
        slow_threshold: 1000
      # SQLite config
      sqlite:
        path: /persistence/db.sqlite
        # Enable WAL mode for SQLite. This is recommended for production environments.
        # https://www.sqlite.org/wal.html
        write_ahead_log: true
        # Maximum number of WAL file frames before the WAL file is automatically checkpointed.
        # https://www.sqlite.org/c3ref/wal_autocheckpoint.html
        # Set to 0 to disable automatic checkpointing.
        wal_autocheckpoint: 1000
    ### TLS configuration
    #
    ## Let's encrypt / ACME
    #
    # headscale supports automatically requesting and setting up
    # TLS for a domain with Let's Encrypt.
    #
    # URL to ACME directory
    acme_url: https://acme-v02.api.letsencrypt.org/directory
    # Email to register with ACME provider
    acme_email: ""
    # Domain name to request a TLS certificate for:
    tls_letsencrypt_hostname: ""
    # Path to store certificates and metadata needed by
    # letsencrypt
    # For production:
    tls_letsencrypt_cache_dir: /var/lib/headscale/cache
    # Type of ACME challenge to use, currently supported types:
    # HTTP-01 or TLS-ALPN-01
    # See: docs/ref/tls.md for more information
    tls_letsencrypt_challenge_type: HTTP-01
    # When HTTP-01 challenge is chosen, letsencrypt must set up a
    # verification endpoint, and it will be listening on:
    # :http = port 80
    tls_letsencrypt_listen: ":http"
    ## Use already defined certificates:
    tls_cert_path: ""
    tls_key_path: ""
    log:
      # Output formatting for logs: text or json
      format: text
      level: info
    ## Policy
    # headscale supports Tailscale's ACL policies.
    # Please have a look to their KB to better
    # understand the concepts: https://tailscale.com/kb/1018/acls/
    policy:
      # The mode can be "file" or "database" that defines
      # where the ACL policies are stored and read from.
      mode: file
      # If the mode is set to "file", the path to a
      # HuJSON file containing ACL policies.
      path: ""
    ## DNS
    #
    # headscale supports Tailscale's DNS configuration and MagicDNS.
    # Please have a look to their KB to better understand the concepts:
    #
    # - https://tailscale.com/kb/1054/dns/
    # - https://tailscale.com/kb/1081/magicdns/
    # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
    #
    # Please note that for the DNS configuration to have any effect,
    # clients must have the `--accept-dns=true` option enabled. This is the
    # default for the Tailscale client. This option is enabled by default
    # in the Tailscale client.
    #
    # Setting _any_ of the configuration and `--accept-dns=true` on the
    # clients will integrate with the DNS manager on the client or
    # overwrite /etc/resolv.conf.
    # https://tailscale.com/kb/1235/resolv-conf
    #
    # If you want stop Headscale from managing the DNS configuration
    # all the fields under `dns` should be set to empty values.
    dns:
      # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
      magic_dns: true
      # Defines the base domain to create the hostnames for MagicDNS.
      # This domain _must_ be different from the server_url domain.
      # `base_domain` must be a FQDN, without the trailing dot.
      # The FQDN of the hosts will be
      # `hostname.base_domain` (e.g., _myhost.example.com_).
      base_domain: example.com
      # List of DNS servers to expose to clients.
      nameservers:
        global:
          - 1.1.1.1
          - 1.0.0.1
          - 2606:4700:4700::1111
          - 2606:4700:4700::1001
          # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
          # "abc123" is example NextDNS ID, replace with yours.
          # - https://dns.nextdns.io/abc123
        # Split DNS (see https://tailscale.com/kb/1054/dns/),
        # a map of domains and which DNS server to use for each.
        split:
          {}
          # foo.bar.com:
          #   - 1.1.1.1
          # darp.headscale.net:
          #   - 1.1.1.1
          #   - 8.8.8.8
      # Set custom DNS search domains. With MagicDNS enabled,
      # your tailnet base_domain is always the first search domain.
      search_domains: []
      # Extra DNS records
      # so far only A and AAAA records are supported (on the tailscale side)
      # See: docs/ref/dns.md
      extra_records: []
      #   - name: "grafana.myvpn.example.com"
      #     type: "A"
      #     value: "100.64.0.3"
      #
      #   # you can also put it in one line
      #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
      #
      # Alternatively, extra DNS records can be loaded from a JSON file.
      # Headscale processes this file on each change.
      # extra_records_path: /var/lib/headscale/extra-records.json
    # Unix socket used for the CLI to connect without authentication
    # Note: for production you will want to set this to something like:
    unix_socket: /var/run/headscale/headscale.sock
    unix_socket_permission: "0770"
    #
    # headscale supports experimental OpenID connect support,
    # it is still being tested and might have some bugs, please
    # help us test it.
    # OpenID Connect
    # oidc:
    #   only_start_if_oidc_is_available: true
    #   issuer: "https://your-oidc.issuer.com/path"
    #   client_id: "your-oidc-client-id"
    #   client_secret: "your-oidc-client-secret"
    #   # Alternatively, set `client_secret_path` to read the secret from the file.
    #   # It resolves environment variables, making integration to systemd's
    #   # `LoadCredential` straightforward:
    #   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
    #   # client_secret and client_secret_path are mutually exclusive.
    #
    #   # The amount of time from a node is authenticated with OpenID until it
    #   # expires and needs to reauthenticate.
    #   # Setting the value to "0" will mean no expiry.
    #   expiry: 180d
    #
    #   # Use the expiry from the token received from OpenID when the user logged
    #   # in, this will typically lead to frequent need to reauthenticate and should
    #   # only been enabled if you know what you are doing.
    #   # Note: enabling this will cause `oidc.expiry` to be ignored.
    #   use_expiry_from_token: false
    #
    #   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
    #   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
    #
    #   scope: ["openid", "profile", "email", "custom"]
    #   extra_params:
    #     domain_hint: example.com
    #
    #   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
    #   # authentication request will be rejected.
    #
    #   allowed_domains:
    #     - example.com
    #   # Note: Groups from keycloak have a leading '/'
    #   allowed_groups:
    #     - /headscale
    #   allowed_users:
    #     - alice@example.com
    #
    #   # Optional: PKCE (Proof Key for Code Exchange) configuration
    #   # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
    #   # by preventing authorization code interception attacks
    #   # See https://datatracker.ietf.org/doc/html/rfc7636
    #   pkce:
    #     # Enable or disable PKCE support (default: false)
    #     enabled: false
    #     # PKCE method to use:
    #     # - plain: Use plain code verifier
    #     # - S256: Use SHA256 hashed code verifier (default, recommended)
    #     method: S256
    #
    #   # Map legacy users from pre-0.24.0 versions of headscale to the new OIDC users
    #   # by taking the username from the legacy user and matching it with the username
    #   # provided by the OIDC. This is useful when migrating from legacy users to OIDC
    #   # to force them using the unique identifier from the OIDC and to give them a
    #   # proper display name and picture if available.
    #   # Note that this will only work if the username from the legacy user is the same
    #   # and there is a possibility for account takeover should a username have changed
    #   # with the provider.
    #   # When this feature is disabled, it will cause all new logins to be created as new users.
    #   # Note this option will be removed in the future and should be set to false
    #   # on all new installations, or when all users have logged in with OIDC once.
    #   map_legacy_users: false
    # Logtail configuration
    # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
    # to instruct tailscale nodes to log their activity to a remote server.
    logtail:
      # Enable logtail for this headscales clients.
      # As there is currently no support for overriding the log server in headscale, this is
      # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
      enabled: false
    # Enabling this option makes devices prefer a random port for WireGuard traffic over the
    # default static port 41641. This option is intended as a workaround for some buggy
    # firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
    randomize_client_port: false
--- a/infrastructure/headscale/ingress.yaml
+++ b/infrastructure/headscale/ingress.yaml
@@ -1,17 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: headscale-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`headscale.kluster.moll.re`)
    kind: Rule
    services:
    - name: headscale-web
      port: 8080
  tls:
    certResolver: default-tls 
--- a/infrastructure/headscale/kustomization.yaml
+++ b/infrastructure/headscale/kustomization.yaml
@@ -1,22 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: headscale
 resources:
  - namespace.yaml
  - headscale-config.configmap.yaml
  - headplane-config.configmap.yaml
  - pvc.yaml
  - deployment.yaml
  - serviceaccount.yaml
  - service.yaml
  - ingress.yaml
 images:
  - name: headscale
    newName: headscale/headscale # has all plugins
    newTag: v0.25.1
  - name: headplane
    newName: ghcr.io/tale/headplane
    newTag: "0.5.10"
--- a/infrastructure/headscale/namespace.yaml
+++ b/infrastructure/headscale/namespace.yaml
@@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
  labels:
    pod-security.kubernetes.io/enforce: privileged 
--- a/infrastructure/headscale/pvc.yaml
+++ b/infrastructure/headscale/pvc.yaml
@@ -1,23 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: headscale-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: headplane-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/infrastructure/headscale/service.yaml
+++ b/infrastructure/headscale/service.yaml
@@ -1,10 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: headscale-web
 spec:
  selector:
    app: headscale
  ports:
  - port: 8080
    targetPort: 8080
--- a/infrastructure/headscale/serviceaccount.yaml
+++ b/infrastructure/headscale/serviceaccount.yaml
@@ -1,26 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: headplane-agent
  # namespace: default # Adjust namespace as needed
 rules:
 - apiGroups: ['']
  resources: ['pods']
  verbs: ['get', 'list']
 - apiGroups: ['apps']
  resources: ['deployments']
  verbs: ['get', 'list']
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: headplane-agent
  # namespace: default # Adjust namespace as needed
 roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: headplane-agent
 subjects:
 - kind: ServiceAccount
  name: default # If you use a different service account, change this
  # namespace: default # Adjust namespace as needed
--- a/infrastructure/monitoring/kustomization.yaml
+++ b/infrastructure/monitoring/kustomization.yaml
@@ -6,7 +6,7 @@ namespace: monitoring
 resources: 
  - namespace.yaml
  # prometheus-operator crds
-  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.82.0
+  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.79.2
  # single prometheus instance with a thanos sidecar
  - prometheus.yaml
  - thanos-store.statefulset.yaml
@@ -17,17 +17,17 @@ resources:
 images:
  - name: thanos
    newName: quay.io/thanos/thanos
-    newTag: v0.38.0
+    newTag: v0.37.2
 helmCharts:
  - name: loki
    releaseName: loki
    repo: https://grafana.github.io/helm-charts
-    version: 6.29.0
+    version: 6.24.1
    valuesFile: loki.values.yaml
  - name: prometheus-node-exporter
    releaseName: prometheus-node-exporter
    repo: https://prometheus-community.github.io/helm-charts
-    version: 4.45.2
+    version: 4.43.1
    valuesFile: prometheus-node-exporter.values.yaml
--- a/infrastructure/pg-ha/kustomization.yaml
+++ b/infrastructure/pg-ha/kustomization.yaml
@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
  - name: cloudnative-pg
    releaseName: pg-controller
-    version: 0.23.2
+    version: 0.23.0
    valuesFile: values.yaml
    repo: https://cloudnative-pg.io/charts/
--- a/infrastructure/sealedsecrets/kustomization.yaml
+++ b/infrastructure/sealedsecrets/kustomization.yaml
@@ -9,4 +9,4 @@ resources:
 images:
  - name: controller
    newName: docker.io/bitnami/sealed-secrets-controller
-    newTag: 0.29.0
+    newTag: 0.27.3
--- a/infrastructure/traefik-system/kustomization.yaml
+++ b/infrastructure/traefik-system/kustomization.yaml
@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
  - name: traefik
    releaseName: traefik
-    version: 35.0.1
+    version: 33.2.1
    valuesFile: values.yaml
    repo: https://traefik.github.io/charts
--- a/kluster-deployments/kitchenowl/application.yaml
+++ b/kluster-deployments/kitchenowl/application.yaml
@@ -1,18 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: kitchenowl-application
  namespace: argocd
 spec:
  project: apps
  source:
    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
    targetRevision: main
    path: apps/kitchenowl/
  destination:
    server: https://kubernetes.default.svc
    namespace: kitchenowl
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
--- a/kluster-deployments/kitchenowl/kustomization.yaml
+++ b/kluster-deployments/kitchenowl/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - application.yaml
--- a/kluster-deployments/kustomization.yaml
+++ b/kluster-deployments/kustomization.yaml
@@ -29,17 +29,16 @@ resources:
  - eth-physics/
  - files/
  - finance/
  - grafana/
  - homeassistant/
  - immich/
  - journal/
  - kitchenowl/
  - linkding/
  - media/
  - minecraft/application.yaml
  - grafana/
  - ntfy/
  - paperless/
  - recipes/
  - rss/
  - todos/
  - whoami/
  - todos/