Update Helm release redis to v21.1.5

Merge pull request 'Update tombursch/kitchenowl Docker tag to v0.6.15' (#445 ) from renovate/tombursch-kitchenowl-0.x into main
Reviewed-on: #445
2025-05-20 18:01:33 +00:00 · 2025-05-13 09:05:23 +00:00 · 2025-05-12 20:01:18 +00:00 · 2025-05-12 18:40:51 +00:00 · 2025-05-12 18:39:04 +00:00 · 2025-05-12 18:38:52 +00:00
148 changed files with 1973 additions and 728 deletions
--- a/apps/adguard/configmap.yaml
+++ b/apps/adguard/configmap.yaml
@@ -27,7 +27,10 @@ data:
      ratelimit_whitelist: []
      refuse_any: true
      upstream_dns:
-        - https://dns10.quad9.net/dns-query
+        - tls://1.1.1.1
        - tls://dns.google
        - tls://p0.freedns.controld.com
        - tls://dns.quad9.net
      upstream_dns_file: ""
      bootstrap_dns:
        - 9.9.9.10
@@ -35,8 +38,7 @@ data:
        - 2620:fe::10
        - 2620:fe::fe:10
      fallback_dns: []
-      all_servers: false
+      upstream_mode: load_balance
      fastest_addr: false
      fastest_timeout: 1s
      allowed_clients: []
      disallowed_clients: []
@@ -72,6 +74,8 @@ data:
      dns64_prefixes: []
      serve_http3: false
      use_http3_upstreams: false
      serve_plain_dns: true
      hostsfile_enabled: true
    tls:
      enabled: false
      server_name: ""
@@ -88,12 +92,14 @@ data:
      private_key_path: ""
      strict_sni_check: false
    querylog:
      dir_path: ""
      ignored: []
      interval: 2160h
      size_memory: 1000
      enabled: true
      file_enabled: true
    statistics:
      dir_path: ""
      ignored: []
      interval: 24h
      enabled: true
@@ -110,6 +116,10 @@ data:
        url: https://someonewhocares.org/hosts/zero/hosts
        name: Dan Pollock's List
        id: 1684963532
      - enabled: true
        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt
        name: Peter Lowe's Blocklist
        id: 1735824753
    whitelist_filters: []
    user_rules: []
    dhcp:
@@ -134,13 +144,36 @@ data:
      blocking_ipv6: ""
      blocked_services:
        schedule:
-          time_zone: UTC
+          time_zone: Europe/Berlin
-        ids: []
+          sun:
            start: 18h
            end: 23h59m
          mon:
            start: 18h
            end: 23h59m
          tue:
            start: 18h
            end: 23h59m
          wed:
            start: 18h
            end: 23h59m
          thu:
            start: 18h
            end: 23h59m
          fri:
            start: 18h
            end: 23h59m
          sat:
            start: 18h
            end: 23h59m
        ids:
          - reddit
      protection_disabled_until: null
      safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        ecosia: true
        google: true
        pixabay: true
        yandex: true
@@ -149,11 +182,13 @@ data:
      parental_block_host: family-block.dns.adguard.com
      safebrowsing_block_host: standard-block.dns.adguard.com
      rewrites: []
      safe_fs_patterns:
        - /opt/adguardhome/data/userfilters/*
      safebrowsing_cache_size: 1048576
      safesearch_cache_size: 1048576
      parental_cache_size: 1048576
      cache_time: 30
-      filters_update_interval: 24
+      filters_update_interval: 168
      blocked_response_ttl: 10
      filtering_enabled: true
      parental_enabled: true
@@ -168,6 +203,7 @@ data:
        hosts: true
      persistent: []
    log:
      enabled: true
      file: ""
      max_backups: 0
      max_size: 100
@@ -179,4 +215,4 @@ data:
      group: ""
      user: ""
      rlimit_nofile: 0
-    schema_version: 27
+    schema_version: 29
--- a/apps/adguard/kustomization.yaml
+++ b/apps/adguard/kustomization.yaml
@@ -10,7 +10,7 @@ resources:
 images:
  - name: adguard/adguardhome
    newName: adguard/adguardhome
-    newTag: v0.107.52
+    newTag: v0.107.61
 namespace: adguard
--- a/apps/audiobookshelf/kustomization.yaml
+++ b/apps/audiobookshelf/kustomization.yaml
@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
  - name: audiobookshelf
    newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.13.4"
+    newTag: "2.21.0"
--- a/apps/code-server/deployment.yaml
+++ b/apps/code-server/deployment.yaml
@@ -0,0 +1,41 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: code-server
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: code-server
  template:
    metadata:
      labels:
        app: code-server
    spec:
      containers:
        - name: code-server
          image: code-server
          ports:
            - containerPort: 8080
          env:
          - name: TZ
            value: Europe/Berlin
          - name: CONFIG_PATH
            value: /data/config
          - name: METADATA_PATH
            value: /data/metadata
          volumeMounts:
            - name: data
              mountPath: /home/coder
          resources:
            requests:
              cpu: "50m"
              memory: "100Mi"
            limits:
              cpu: "6"
              memory: "16Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: code-server-data
--- a/apps/code-server/ingress.yaml
+++ b/apps/code-server/ingress.yaml
@@ -0,0 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: audiobookshelf-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`code.kluster.moll.re`)
    kind: Rule
    services:
    - name: code-server-web
      port: 8080
  tls:
    certResolver: default-tls 
--- a/apps/code-server/kustomization.yaml
+++ b/apps/code-server/kustomization.yaml
@@ -0,0 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: code-server
 images:
  - name: code-server
    newName: ghcr.io/coder/code-server
    newTag: 4.99.3-fedora
--- a/apps/code-server/namespace.yaml
+++ b/apps/code-server/namespace.yaml
--- a/apps/code-server/pvc.yaml
+++ b/apps/code-server/pvc.yaml
@@ -0,0 +1,11 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: code-server-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
--- a/apps/code-server/service.yaml
+++ b/apps/code-server/service.yaml
@@ -0,0 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: code-server-web
 spec:
  selector:
    app: code-server
  ports:
  - port: 8080
    targetPort: 8080
  type: LoadBalancer
--- a/apps/files/kustomization.yaml
+++ b/apps/files/kustomization.yaml
@@ -13,4 +13,4 @@ namespace: files
 images:
  - name: ocis
    newName: owncloud/ocis
-    newTag: "5.0.7"
+    newTag: "7.1.2"
--- a/apps/files/ocis-config.sealedsecret.yaml
+++ b/apps/files/ocis-config.sealedsecret.yaml
--- a/apps/finance/kustomization.yaml
+++ b/apps/finance/kustomization.yaml
@@ -13,4 +13,4 @@ resources:
 images:
  - name: actualbudget
    newName: actualbudget/actual-server
-    newTag: 24.9.0
+    newTag: 25.5.0
--- a/apps/grafana/grafana-admin.sealedsecret.yaml
+++ b/apps/grafana/grafana-admin.sealedsecret.yaml
@@ -0,0 +1,17 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: grafana-admin-secret
  namespace: grafana
 spec:
  encryptedData:
    password: AgAU6g/CwKj+1gPpt4DLvLsS0YCvJdVHWw4W4bRhibE9brVvcJtGB3D9MTJrSLVVwusaE6OR59og7oW5ge3yTd/9bbclXYLrxEi7OwvkQjCvo8MfD8yhJO9nV4Xs9Mjk2Z4SHGYuq6wvcssuJrpz5f0XEC7ocTRA+u0UaE+/b4FrYF71uyKGvj8GSXgLZUjGPFsGfPzwJn7cLBmlclVHx1xGbFpUc042m5Mulpn0QolFQnOwZiW4PL8pQyz1MXVRwCsz0RJd5apZL3XJ4X7BLMoAp+diHQ2xi3zoU9VScp+J2QgvFdRKgDa6v7Jz1f+HCwq5W/DoegwFXBrcMIfF2YrnvTnc1PCVwD9IHOeylO7J2hfi8teQiqTvvRlVgdBTLqoqlVovemf5k6ke6JfjTwnsJjTNnL7MKN5Qt0o7N2XRZ3ba9jp8cKbI7fyFQKaU2QEf2PIkp82kEnixmpA1aATgeA3W4E5Km7sKHUEB81+pwnOe54tzD2ShgQX/+UiswhWYTT+gdZKL1udBBemUDC0z9PSJNTPTy+hq+G4CIzVQUYxlioM3c+3geF7YLU8yXisj84pk44GN9KX3z5x+M2+LZL7agAWPUjxtrP2V+id7dNJQfCm0aSMeo57dVfb4zlBUAAgKIKjX+j1KqCVqE9zEO2F/QX7mY6MJTP2me3wmY7JAVRJ7d6bbkyyoDhs8JErLYLp0A+Eh+qx8nWgM9ErPVSA0
    user: AgB8ZLG2EuERjg1nKdH/xadbUuIR2c8a9gF5fE8ctrp4DNDLLuuqmjyoHRiWpkrtfnE1yKg1rPP+asV9Lj5iVmE9J+OB3QUOeFS4MHciBNj7pa68zfFgnHP4kxMX6aXyKRQrYruYjHwfzCpOM1zyTEphuGlnokjQXxjF/mZsoM2NWn7WGReqfxqH95tJXfs9AUC5vVv/PHqd+KKRZH7+G1AnWVJ7RFQHedR7wyftO4/rkm8deMuZWtOLl25fAOyOr7+hSqT69s9/uTKSLJXjobSqtulqsR+v5lkwx2ThNKzmcEcuoenKG6lk8XLRSIscccZH3JTPh6IknQWUOC4nmYj+XUxE8Go0RX/4eL+D/6FrYrtp0gr3HOCLAGU4vAHMeKfJoyqykJVnvY6QY6bFgaziyOlWaoEHpg6g0vHHDwyX7HIDcQfJZGOLH9dhrWJ2sOkzyuuxfqWEgz/M2eBW4EUAudHwfTLPocSMUI+D6fjeciMojet5uxWMP7ZHh/E061f5+Vfk6CKYd9Kpi69Xah8KEyyHYP5NImkdIwjgllaEAd/FBE2+QJyTVZlUQC7y9ObagDMCUFaFbTS5QOLh5BOJDL5buEYFWG0IhoH47SC/pKeEOQH//uvoo27K9zvxTOQN1YOTrxCozmexMOsTIdhvU0dOnJDBrThSHKYLCeIokDOgUUT52FqDH51RoLoK3UkyGbMoq+M=
  template:
    metadata:
      creationTimestamp: null
      name: grafana-admin-secret
      namespace: grafana
    type: Opaque
--- a/apps/grafana/grafana-auth.sealedsecret.yaml
+++ b/apps/grafana/grafana-auth.sealedsecret.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: grafana-auth
  namespace: grafana
 spec:
  encryptedData:
    client_secret: AgCEdC1/ERlPQyQP+bd9gcW33Yrvl4uRbx+RF5AY4vYAquOzxmLTygMl/WZlB5wlCE5idIHgto6/fUWVZrQbmfClRqsW2pFoddKQAtS9cQNXwMjLCm7e0lXk9GM9O3ZwktmklFbCu8XewHmefGHhoJ28vPxPMaINv1fM4zYKvNz5RHf0dJfTHgxb68wRYjAbE/eJpRcVE3a29Yw6Gfa8Mb+cFI7RTHvjuv9LBgWqM6b3qvvJ4wYR2WKuiQrnJ5xAtHpMAI/2R80qq151wlaZueDZ1PwjRBHURkmPTmwZnrMrmIugNge7Tpww+ArZlG9kDfSu1aTJidbXbcpN6fyt1qARTCYrBlbn60PTYLnPL/NObvMCpjS6DsYsYz7MJ7WoOupu46Ib5paZHmak+CilC6lb9LjJj4EKfRsagZmWT07JavhHBW/tqjB3GToccIz4fOAOdA9aU51J4wCL2ctp2SgzCEKe2EaBK/f9nDd9ASmmon9PDwRDVtG8yTukrNcZHNzodi09Af81DB0RNa36Z3Sjt5xu94paN+mjiOWGf2JduVEq+60NbPvDbPE9e1aVH3DdQcij2WGZaTE8dAGLSsLoOkIq3m2E+Mbk1Re1gI9H18xJM72ivb5uDe7pzReyvO5DY4Pfq8JgQhPxWcDq9ScmWS6Bb+jdCKytFq5NafSAl+akPbbwN+1GFu33if/P5D9I2TwOA8V1wyVU
  template:
    metadata:
      creationTimestamp: null
      name: grafana-auth
      namespace: grafana
    type: Opaque
--- a/apps/monitoring/grafana.ingress.yaml
+++ b/apps/monitoring/grafana.ingress.yaml
--- a/apps/monitoring/grafana.values.yaml
+++ b/apps/monitoring/grafana.values.yaml
@@ -16,6 +16,12 @@ serviceMonitor:
  ##
  enabled: false
 envValueFrom:
  AUTH_GRAFANA_CLIENT_SECRET:
    secretKeyRef:
      name: grafana-auth
      key: client_secret
 ingress:
  enabled: false
@@ -29,13 +35,17 @@ datasources:
  datasources.yaml:
    apiVersion: 1
    datasources:
      - name: Thanos
        type: prometheus
        url: http://thanos-querier.prometheus.svc:10902
        isDefault: true
      - name: Prometheus
        type: prometheus
-        url: http://prometheus.prometheus.svc:9090
+        url: http://prometheus.monitoring.svc:9090
        isDefault: true
      - name: Thanos
        type: prometheus
        url: http://thanos-querier.monitoring.svc:10902
        isDefault: false
      - name: Loki
        type: loki
        url: http://loki.monitoring.svc:3100
        isDefault: false
 dashboardProviders:
@@ -67,3 +77,22 @@ grafana.ini:
  default_theme: dark
  unified_alerting:
    enabled: false
  analytics:
    check_for_updates: false
  server:
    domain: grafana.kluster.moll.re
    root_url: https://grafana.kluster.moll.re
  auth.generic_oauth:
    name: Authelia
    enabled: true
    allow_sign_up: true
    client_id: grafana
    client_secret: ${AUTH_GRAFANA_CLIENT_SECRET}
    scopes: openid profile email groups
    auth_url: https://auth.kluster.moll.re/api/oidc/authorization
    token_url: https://auth.kluster.moll.re/api/oidc/token
    api_url: https://auth.kluster.moll.re/api/oidc/authorization/userinfo
    tls_skip_verify_insecure: true
    auto_login: true
    use_pkce: true
    role_attribute_path: contains(groups[*], 'apps_admin') && 'Admin' || 'Editor'
--- a/apps/monitoring/kustomization.yaml
+++ b/apps/monitoring/kustomization.yaml
@@ -1,12 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: monitoring
+namespace: grafana
 resources: 
  - namespace.yaml
  - grafana.ingress.yaml
  - grafana-admin.sealedsecret.yaml
  - grafana-auth.sealedsecret.yaml
  # grafana dashboards are provisioned from a git repository
  # in the initial bootstrap of the app of apps, the git repo won't be available, so this sync will initially fail
  - https://git.kluster.moll.re/remoll/grafana-dashboards//?timeout=10&ref=main
@@ -16,5 +17,5 @@ helmCharts:
  - releaseName: grafana
    name: grafana
    repo: https://grafana.github.io/helm-charts
-    version: 8.5.1
+    version: 9.0.0
    valuesFile: grafana.values.yaml
--- a/infrastructure/prometheus/namespace.yaml
+++ b/infrastructure/prometheus/namespace.yaml
--- a/apps/homeassistant/deployment.yaml
+++ b/apps/homeassistant/deployment.yaml
@@ -14,7 +14,7 @@ spec:
    spec:
      containers:
        - name: homeassistant
-          image: homeassistant/home-assistant
+          image: homeassistant
          ports:
            - containerPort: 8123
          env:
--- a/apps/homeassistant/kustomization.yaml
+++ b/apps/homeassistant/kustomization.yaml
@@ -13,6 +13,6 @@ resources:
 images:
-  - name: homeassistant/home-assistant
+  - name: homeassistant
    newName: homeassistant/home-assistant
-    newTag: "2024.9"
+    newTag: "2025.5"
--- a/apps/immich/ingress.yaml
+++ b/apps/immich/ingress.yaml
@@ -1,14 +1,5 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: stripprefix
 spec:
  stripPrefix:
    prefixes:
      - /api
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: websocket
 spec:
@@ -21,19 +12,18 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-    name: immich-ingressroute
+  name: immich-ingressroute
 spec:
-    entryPoints:
+  entryPoints:
-        - websecure
+    - websecure
-    routes:
+  routes:
-        - match: Host(`immich.kluster.moll.re`)
+    - match: Host(`immich.kluster.moll.re`)
-          kind: Rule
+      kind: Rule
-          services:
+      services:
-              - name: immich-server
+        - name: immich-server
-                port: 3001
+          port: 2283
-                passHostHeader: true
+      middlewares:
-          middlewares:
+        - name: websocket
-              - name: websocket
+  tls:
-    tls:
+    certResolver: default-tls
        certResolver: default-tls
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
  - pvc.yaml
  - postgres.yaml
  - postgres.sealedsecret.yaml
  - servicemonitor.yaml
 namespace: immich
@@ -14,20 +15,20 @@ namespace: immich
 helmCharts:
  - name: immich
    releaseName: immich
-    version: 0.7.2
+    version: 0.9.2
    valuesFile: values.yaml
    repo: https://immich-app.github.io/immich-charts
 images:
  - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.116.2
+    newTag: v1.132.3
  - name: ghcr.io/immich-app/immich-server
-    newTag: v1.116.2
+    newTag: v1.132.3
 patches:
  - path: patch-redis-pvc.yaml
    target:
      kind: StatefulSet
-      name: immich-redis-master
+      name: immich-redis-master
--- a/apps/immich/servicemonitor.yaml
+++ b/apps/immich/servicemonitor.yaml
@@ -0,0 +1,14 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: immich-service-monitor
 spec:
  endpoints:
  - port: metrics-api
    scheme: http
  - port: metrics-ms
    scheme: http
  selector:
    matchLabels:
      app.kubernetes.io/name: server
      app.kubernetes.io/service: immich-server
--- a/apps/immich/values.yaml
+++ b/apps/immich/values.yaml
@@ -37,10 +37,6 @@ immich:
      existingClaim: data
 # Dependencies
 postgresql:
  enabled: false
 redis:
  enabled: true
  architecture: standalone
--- a/apps/kitchenowl/deployment.yaml
+++ b/apps/kitchenowl/deployment.yaml
@@ -0,0 +1,42 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: kitchenowl
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: kitchenowl
  template:
    metadata:
      labels:
        app: kitchenowl
    spec:
      containers:
        - name: kitchenowl
          image: kitchenowl
          ports:
            - containerPort: 8080
          env:
          - name: TZ
            value: Europe/Berlin
          envFrom:
            - configMapRef:
                name: kitchenowl-config
            - secretRef:
                name: kitchenowl-oauth
          volumeMounts:
            - name: data
              mountPath: /data
          resources:
            requests:
              cpu: "50m"
              memory: "100Mi"
            limits:
              cpu: "100m"
              memory: "1Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: kitchenowl-data
--- a/apps/kitchenowl/ingress.yaml
+++ b/apps/kitchenowl/ingress.yaml
@@ -0,0 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: kitchenowl-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`kitchen.kluster.moll.re`)
    kind: Rule
    services:
    - name: kitchenowl-web
      port: 8080
  tls:
    certResolver: default-tls 
--- a/apps/kitchenowl/kitchenowl-config.configmap.yaml
+++ b/apps/kitchenowl/kitchenowl-config.configmap.yaml
@@ -0,0 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: kitchenowl-config
 data:
  FRONT_URL: https://kitchen.kluster.moll.re
  DISABLE_USERNAME_PASSWORD_LOGIN: "true"
--- a/apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml
+++ b/apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml
@@ -0,0 +1,19 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: kitchenowl-oauth
  namespace: kitchenowl
 spec:
  encryptedData:
    JWT_SECRET_KEY: AgAclRIJS25ACVe4NqLQbAree6c6WpTBHnLpe3ZQJ0ScHG/EbW/ooABZj7y1ABAn/mCc+hBYXYHm81FNUfUtSuLKi2UlORbTCsfmisYH49WX0Lpku9LTM/8az9tjE0tjUUrJZcRUuJfdNJMDPQx7IPjUQ7sKk/exFnkPEbK98+AElXyHpPKXd9dxiCgll0n+ksbF9BDUR8KY8IB2Zvh4cXPww578qe/9XYnxLV8uY9K8KPvhl7NI40SIaL4PX8KmsDlBh1bpOR/OxhIwAGEZDQp/KROy6msrIOYW4SHM9nlSUSD4WvV8UjcbV1oNnYpE1usFOuxSfQlJ1zlFepKUv40JykyunvQv9nqVbEogsrS4o5N3gNEaB9yyFSHIlevp32LVpAuZu3cNplmT+Zg7+ODpCWIcVgmOAeapvB+X7H4ScbKVcYLAzrRFDtnS4Vo1M+RERhr0AuMU/tz0lGs99oRkCw2ZIg015R125u0VcRNqzgCtbBM5BFiKiP2kYrHn02Q6o5tRWxDQfrfb0mnfD5c/gM4+btlfM6DZMpr/l1kLlm8PDEpPGbkhK1XiAyJ4erHPDMLcmZXrSyxX9R1g8n7vnLnkqx5LkGmnltQI2FM7StxC6IrMlxY0nPnkq1lHhTz7yCpQJNXgfXZLVvov+f6jlD6WJhYHZCL/hIFfx3ybjGYZwJ0m84lH0OQJQw5dtsbPVqqoYZIPieqdRmHw7M7TTmFuQJXD94lZj5gsln1sMqs=
    OIDC_CLIENT_ID: AgDOxWtGCiFrIP5aWHimrR6bu0uMS1/i1v1Kzo1lIR3j3zlw/Da2oCPNx1ZuhNAp9UMIs2euc8mtrWkyv4R6pcci+IxXiGzlQNBSkMfWu4DwhwlEdnVyCVehfE00t0ytBxX6NeLfS1b8JOtH9yo3e22fdaeTwn/iwGLNwi1BJxMmzk9pVp7jzXH09Zia8UvUmXw5GyGpIOIiGcIfaXkr1ZnY2l30jTw8eS7HaouzfWHWTpNXkMLN3qim4vs/B1Sgz/y9tUyVo/qMhWLdEcVklYHT7xHx03SPD7RtK+zdYZCqvDtj+tsdpYHt05zeGV+wflNQuiocjwP8TW7vhtbjKrf9lQIxB5CErju178ELOVrpsPBAYMgdEl7qZeKdSpydIwe3VbOg3XJ7O/Ps1KSnRYwrCvgE4ZCMm3geHyJxSiKRhBcuVYz5JkNd5ylD0Eq9NL5RCqJ4szL9NaGNPbzkvcdZzAnbTYFTzyqZ+XHX/BUFisXl5bKNHtaqAsOK8woGYnxJiawKRrwDUmHXU4RB3QiPCPhHSLU7OkvU+XDhyQqLa8bKEQzj9dUf4bX3Savk4noiRsXMYJznAlgMPo0Q4taxVIoyQHELYwIIdP5YRuw27B9wKUR7e2hhu4FTOEcyhwuFql3OuAjq8HJCDX6+COkL2WYFFxWBnbSCYEdzfbMBCHjrUUonijcQluU2VbaHODNMAvB16MRKapAW
    OIDC_CLIENT_SECRET: AgAylnSUXwInlh/WvyCiFz+8asbCSZA6kk84Rt6l7bHVYw34c58lJHsZK2OvOIlHuaMe/ewnTqxVd0hI1Azl+wd/5NygMYlntKquq0vuzlhLrGc3u+0SOn9N2P6quA3slF9KR94CYsDx9ogy+EsEoA1yrsydB8S0g9W8syraR1MtpM0ZkcJ/D78OZ6qzyXUuBNAZc+iX/r96NvoMiGNYavgG7npOJh/pkKNYPuNkt4zpbAFjVyoCfgZd4V2nmZ6dhEVy8odW+jcsMn6OJ1OZVlPb1beq49lBEcaJqk83ZtKbq2evtBYHw9YAnENVq92ecenw/YL5LXUhOxeN0M9Amo99/O6pQwwrT1mtZqhTTeTIZTAxqmJKgyxGhE4DJUR/s71bc7K9hd2WvdAYnCyVC2uGa0MwXp4V7UuaN9GerldT8lcFxOpRnD7yroqVTqebjAJIkIinp5NNZ2ZP/LCiCwKKHHT19Pchn615WOPTofC6es/spIdQ8a1Nf2J5YzvRjsduFS55U6tMaC7cuV8kqKH9xTTf/sDHt+68wVEAO9koAe1zpO+zR2Pq3VuCnvcDGIwXopXjvyjfujEEhEWZl51PVJLZqtkP5Wg2wHvlgjJBbbIGTrqh4xa9pK7wLDM2hUFx1q/YKqwfP0EGVTc96G8Wermj0DtIqclqFLr54DtxVe+Rr8J4edG6YQ26/seYsrZ1Oq2PejHQt8u9EzQYAtYYlBsw2ujCWys6KrbhaVr3
    OIDC_ISSUER: AgA2JPd5axkL5YIRA95qm/iH8wgM2J0AjKjgGClWabYJ3UKIk0hi/L/zR+1Pw9Z+6amYXj7Q0FxLqCcNYG+H5ABxnqUi7Gl8gvfVbegaO3q5QiO27g18RMDssNHDSun8PPaxHBvBD68hxgsaXntu8sZavCGdwEK0TzLJi7eH/4jtHlofzfYgaCsGqeOBgvs/q87PVJ/qxazXlY9e7abbRAKl9ZMY7Wga58/IU2HhWwYMvI53yQyGMcKf3XiI9iNHgIcj1+TmlgQo+PRKyopNfzgFbey7on8woQXphY+ioqQ0hyworpxAVoWlvzKKopt1xBDr4zxzkzbWyxtjwPVOOH3iyenZz8tZa/JkNYWxkWHbh0KCs9yUIji3D3shQOFM/NtE17THsQm3NgpZ2lg9ET1v6uXqwfOLiQ+J1JQLwNFnYeruH2lK4EGt2nDCq2VycOIjW4kMpiJ4LiT8gap9HwYjTpAn+opicYn5e9fmpgiHdMPvrsG1m9edg0cbwdSpEelliHnAUfKsxMV2e1fLsga6yrhBLSXIQs8rbURRa6wqVvGoLB86a9Q5Rm94Jfm0Sa9v5LMGRYvqO5LbLrjrR8e/2r17pHQE8ynMQCAW1yVTe09FcgRwYhDUohfThtjIh16sdoC97eUel7fo/POt3atP69JsCIBZstprhVtBIBssmavpIotVqi8F2/yUkhrZR26mH3gsOxkNTEk6XzHHtJRu0cU+BmObTvYgMi3DHg==
  template:
    metadata:
      creationTimestamp: null
      name: kitchenowl-oauth
      namespace: kitchenowl
    type: Opaque
--- a/apps/kitchenowl/kustomization.yaml
+++ b/apps/kitchenowl/kustomization.yaml
@@ -0,0 +1,17 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - kitchenowl-oauth.sealedsecret.yaml
  - kitchenowl-config.configmap.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: kitchenowl
 images:
  - name: kitchenowl
    newName: tombursch/kitchenowl
    newTag: v0.6.15
--- a/apps/kitchenowl/namespace.yaml
+++ b/apps/kitchenowl/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/kitchenowl/pvc.yaml
+++ b/apps/kitchenowl/pvc.yaml
@@ -0,0 +1,11 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: kitchenowl-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/apps/kitchenowl/service.yaml
+++ b/apps/kitchenowl/service.yaml
@@ -0,0 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: kitchenowl-web
 spec:
  selector:
    app: kitchenowl
  ports:
  - port: 8080
    targetPort: 8080
--- a/apps/linkding/deployment.yaml
+++ b/apps/linkding/deployment.yaml
@@ -0,0 +1,40 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: linkding
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: linkding
  template:
    metadata:
      labels:
        app: linkding
    spec:
      containers:
        - name: linkding
          image: linkding
          ports:
            - containerPort: 9090
          env:
          - name: TZ
            value: Europe/Berlin
          envFrom:
            - secretRef:
                name: oauth-config
          volumeMounts:
            - name: linkding-data
              mountPath: /etc/linkding/data
          resources:
            requests:
              cpu: "100m"
              memory: "200Mi"
            limits:
              cpu: "1"
              memory: "1Gi"
      volumes:
        - name: linkding-data
          persistentVolumeClaim:
            claimName: data
--- a/apps/linkding/ingress.yaml
+++ b/apps/linkding/ingress.yaml
@@ -0,0 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: linkding-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`linkding.kluster.moll.re`)
    kind: Rule
    services:
    - name: linkding-web
      port: 9090
  tls:
    certResolver: default-tls 
--- a/apps/linkding/kustomization.yaml
+++ b/apps/linkding/kustomization.yaml
@@ -0,0 +1,16 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - ingress.yaml
  - service.yaml
  - pvc.yaml
  - deployment.yaml
  - oauth.sealedsecret.yaml
 namespace: linkding
 images:
  - name: linkding
    newName: sissbruecker/linkding
    newTag: "1.39.1"
--- a/apps/linkding/namespace.yaml
+++ b/apps/linkding/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/linkding/oauth.sealedsecret.yaml
+++ b/apps/linkding/oauth.sealedsecret.yaml
@@ -0,0 +1,22 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: oauth-config
  namespace: linkding
 spec:
  encryptedData:
    LD_ENABLE_OIDC: AgBfiwAdh1RD8gpzzVnF6y3c8kn5NFbms0T74pmj1aaFD0uQd/dqIxrvZxiBMzgqdrrVUCxRlpG3tiJYMpDEVXQPwRj8uuAizYFEP4uuGFpCtErjb+Y+aOdXSPRCVPbIqROiE+qswNT5KkJm6rR3FPckWipiQdzfpoq+G00MARKqzo4sNrx8+JzgoBFbS/tVPej3VdmDy8iceeVCQ2dJs+roRw+jOfCxqiUjHH5SyoZPnCTlmTZcwr3F9gBGEWGyEl0FNVgL/ku7WEL2COeIIE/2r4RWPqZU4DkPtIv/J4Dosxuw7EQnC5kzTgJGB/TF9Mn/FcS7iYQZKATvWzjC/cTdwZ+aG1qZGz87wM4fxQ05GhgEUkVOlGgxlzxk9BUL3l9Xsaa1KTivaQ4dvB/jm3j12b9rPfO2CXB4jPK7Pk1vKbr5icPXa8dyFY4hiJ1PYh/295a7ZM02n3ao4uHw8KSaxK9GxsCFBxr59q+6ZpjOGnTHZvKGfJHn3jEcIT8k89J5gqrlWjLqR50TEJj3jPZ3QDPN/u1Bf0wAoIOGK7jpnwIXQpacudU2pxZNWC2KtdZbcF9QzuOqKVFABmabdCkBtLa34cyZdweBaCfLRg1Ic0yxrWGzctnwM0Rfd+OzsEpLB7GHKllV597znF5QiK3rQrl5TmgHf0jC1OmMsBkNYCRo2AhYsBN5nli0dgD1y028rsW6
    OIDC_OP_AUTHORIZATION_ENDPOINT: AgBYHGF/D1tzWRy2issyi3oZjYK/m5cuwdlHuqboPBBHybfTwCkvSfWAL8FSGAgoLYWZEwwoGr5GDSCnAWfhoYwVgCxWw7y4IohCkUSrwbzTVwJxoRTeWIilzwAdH2zX3mZJVHTYCQiLTCjv+MPRsF5FZP4+STtgfecK5Fjgb3sIfZa/yazbN6jf7bdaR91yX2iddeZn7B80aQvu3jOkujPX9yCJz/H+1BN35CtC7KLhFrKgw6uvfQi3g90On5uBHwrC53ve4rEvcOgi575WBA3fDYW4RxNb8yxxocQOuqNRa3jUa/RIjOnX9tFoG/QIXY89DUSsgpAZFWIlV4np4KOe4V+xWT1khz2TPRDaakDumkNmE/sAjpYfGX13+88A0N/hO9o2aXJhEXOFZ5eulyAwDdIodMg6lQTG43OhdSZLFfR5TrnzkVR1pIzwPMutgf8jai4dyYK+SV+oyGeZosNpD484gzhjMGkz8Djs7/cADcvJVmGfWWYvjenlfvFC5lK7F+355o9L38fUeG2lhRw8NsPWuzsiH7m6GaSEfEPcdqj/AohArtUnf9cfF04tocPwCuNLeIgR42W+cfapD9g14sN9v4Z7g/5IQSqL2EhNR9xQMoIT9BkBEhI9JR518Yds/Z89Lg0HsMw6UCrkg6um1If80gjHyRa7JrfxzepKifWNn9/suHlhecaeXcSOKMCCFYDtHyvO4/gCe8/PXjyVc/SUZNBDJsDOikVvVJfKqDlEkimfl+BISzkMv5ALxGDHMRc=
    OIDC_OP_JWKS_ENDPOINT: AgAg+6Ty8o++uc+UfaVNtJviu1A771rtazn9pj7KafqgIx1xNuPtUBwGEScfku8glUy0bS8r7MyMNlUe3sIYfnDKQmmHBVHFoiJ0IjLZP/pV51A4fT2DUrFv9pnIemqjFD2jew5ToXhuHwUc+Y3LvX8M8aPpB/J+DjIIvgKQe2faHyWt4c24jOZaH56xJhI114LIXD0A7Qvq4O7UfpIUNfYSMojTH7VURptL18Mh1YRKJmil1PmRIstX9Smr3ltAG9Rw032v9ISdDmV+OyuhPo1Wk3AU85RdOQ9hZGMSFXQXFEqQUp/N76n875KDUMT4W57//YGFRUrm8w4oB+PlkjGV2pG7DNYVxUZEmi5UXwY8fTI+KljAZHSk/YOSku+gc75hWYXX6s3g/R6/IWmr9sV5O5N0bc3guQ96nnRmjuzb3HebM0hPfPS+6/xn29erTDETs1bvfCQ9oWNMomDsH4FVz5gC+zwrUvUD3Af3TVsU5g+lfOE83+pmMMWcJFn8Z0uldud0jR27o/ftKgBDmUaGi3zCQWJrYxtXehBy9fo0K7QpbYnLHvNnXVX9fGQ0PZNMc8N0wYZUDuhOv114lqfbVR5dHYoger4iT0xC+SHcWGgvyjqb4YI7bfnY+bnh8TLfuI/ttw1l7/ev79/yvjrtgPuBwN9ygUxENLR2Ur1Cc/u72d+ST4NIg5esth+y9Z2JdP/3+nlYctnyakWhEkUyBPK+5Iyacv29t1bMXoesB6Ub5WsXaw==
    OIDC_OP_TOKEN_ENDPOINT: AgBRpyDYbQlq7dcqJ2Gd+CfSRZRgvpuUsIngAXX85dt0dChYhQ/YvnFl9r3GqsXNBrWQBa0uE7t+uXxo+oobjgfSibq28kQBL92PM/s7OctINTJBN3q0Gdv43vnliS69/WR21kZkLuAmPne1nL+FZJXavIUF8N6CX3gKb4WMdv+Rl4AAmUo9vsB1C7mxDcS1CppUeJ8KdF5qkb8Xag28Lv2rDA7W9Ne+tNGFi4q/UWqdU76iUxrHu/Kfg6RD0rYlOaW+0b3A5Rvj5oU8ho1Z/eIsA9NaZNYBQjtGAk9fiD2EB9IcFi6kYv5zGZsRcPTzMv/35Wh+lV8I3mDRGcfkmzQsZ8Hcfx7c3zpemZqvY7LMgrvO5AatWKYZUFPsTcaT/mVFmAaVuq5PqeuCQhqekug3rdQxxf2n1cWMMnbptf4g19oTFKx3FtXImpPk97Iv9RbMATKHE/nnfin5/7PtQNn9VBBW785hzzB7cs+IiEzdjGu7MnFlKaGEoS94eZtgLSEmpIMeXFW6V0rXHQ6J+CUjBjiEpAh6LKsh4De+IrWFuzAYH0jwowuY2r4VX3jx+Yv8SFEJ5AfDYbvx8qX1zy1dGfsQvrAai298QCOTizLmeuJLMIC0qlNLZWrYhf8XzF2/N8/bC0R0Pyr+6Jxo8HrtHyFcnl8ckHycWosCOkQmQIbX+vOffOpQ6vYUkHM4MqIAiTl6G+bxjtxBZUTXvqX1sKCEO7pccL8gJZQ+ICN9nP785JAd4eW2JeGW
    OIDC_OP_USER_ENDPOINT: AgBD4amxFPHYQR6JWjNTsPM63NNI+f9DgZ9+whv5f3bUo7KNtB05vAYYQtAdMYJR+5499S6t0BYwOi4cNxQVJyga1bKogqih3EI/QlJeLvoFvDFj2wEMmCkT5MS+qemtPJwXK7JTHzUFX74b+S/a30/mvWKkMRHzc+G+E678/RDIScFJFssfJVMJB4Kp9T4y+v9jJAKZRixkx2lOR48JR5umXwxm+xQGaexeJOv0MZY4Am4P/nJcWM+Gk1Ka/ih+VAJRLsu9dgvShytQ1OHaAPMRu6H7Wb2bLrzpz4rTcGbZA3aTgHfItjWQpBV3fhNvyNW8QRbRFSyxHBC4snqW5Bl77u4KdMicwL/0x1JhwP6cx+/TVEyZ2n+5Y5PyOW+E7LXtiZGZ/eRw3xVLxvrFDwY0EBMqAUWHyQjwlZLctjxgBud5XDtT4athaNq5hnCELMepRI05kF+o5ECxKWoFXN5rXrwrlcgftCV9PTZbP8pkxyau8O28C4YX07J65G9ntV3VIg9tAXww6X68YHIQEdAgjNOI1soWt15q582OlhXBTTKAf/QU7mrSCn5FH0Q4Z7VLIsJwMz0orGB69Qxo/lLF7z+pQEE4PArceoLi7cffQV/+VzUBOACDdfKFiN3LTDuoMm6lvkAOdmzXccmXlEGvNEwLR+8Ac26Ld4fAnEFSLIJpwQHheIQRY19qbN5+cOa+RmuOroxWWA2P/8uSlp4kXVvAmPJOt8PprI3h8iRG5zBv+J8kE8wpI1scJdDr
    OIDC_RP_CLIENT_ID: AgCOGuVP8BVfAT5FRmmJLptdv+8vtppOgpzJ2LXU3vR3sjQE4MLKgWwoAyrnkAa2IMrsmkg5+pyHBDlp1AMba3OTVZmhyEVLrFe/vCiL45hEaW2l6kiwlIW3nZnoJlGG2Ugj4SX8YCQGlyr19vEFcPdieWlKpHfda/EP4xYhXMSzXCxFCtT7uGjgnBlrV0uXeFCezYGzvmA4SbDli7fvGv5H85cwgUlMdSn2ZIP3DAxQ8gP0ETF6KaOK5QVP0e/7kw9SK3oo4XHE2c8AjHLFFnmz/uf07+7LuOunSqunolbVy+Lm2mHHnzx+0PBmMYvl7FHY/TkBZaVjVaZtrELbFYaraop8iE6hFMvOYNa/1BFY1x0aeRfPb0jt5IPnuebllnEh4P7JUQxef4Bqbjp8u7P+uOBWnQbeMEp5F3rWE8qy09NnjsKPz87Jw9pb0aPgXWLKVHjJpArhcb6gTJLESCw9kgT+c0pYI0s3BYmwNkJ+6wxflvTLb5z3YyY5/+8/s3PgDz6Hj4tyA8tBru/KQwnBVMw0GhF5YwlZ4SYHPwVX+ZMj9UQc6swNsrxKLqs5Ci7KjvzEDUJ4/aW+rv8naoCiebIJrbmLB8iSqNGh90s1S9BJsQaWXbKYday3spt0eg+tH/iQgAnUAjd9RK3TxkkmWVjmeUc/rOltsbaIvy6/WdyKnF8/f9B03Pm5eal73yC7reFyGYiXvA==
    OIDC_RP_CLIENT_SECRET: AgA+Q9osGcUgiGsyPfHph3vGiNBjmL7pK3JlaE4PoI+eGsvb+3Ozf9KnfHSMm2R0fq/eukFn6i25MZ/mKYliVSIcjWbnGDFSysiCAwirKTUXoFUo87zmguNUPr8Rr45m1AIaJb31T4MKeFQRHSg715rs/6fKlbejUWUBZuMTN1DXkWr+00atj0JmmZPScSfRmwKNsHnoZCUWFE/DaFChpoCU4fCp5vL9P2LcdzsY84vue8y7Trg0e/LpEi6+DzSoxurE9jwjoUauXmZnOSW3jFgy+u5c9Oa3RC+IB/UUsmHI8eUVOXGdQsSFufrAMd1uyPRa2g+aCX0zX5boZC9dTGqaT+D/6xXnMFsvw5K+K4Y/QZ+j9ZHx0232sPCFVi2HaYHV51c2Xi6tizy+/0J27/4gvaVREXw94pmsaI5rt9sNDHoKw6LwkPO8heqkYzfIWhAg5vKswDn/MWAVTIzIubdTvrDjVWxoJ2FM9sCUsai/X7rj6QUiVTgbWuYYO0hMrT2Q9y05n68hWOmpqmna4/JGIE+N48h0/wAHLsLeV4ZNLJdJhQovOSkYsB5FIYPTuihFASLhE+uf8VBwSfYlwcWORz7dssAYvCJAx3huYZCSHrT4WPtLt4Ok/IuplXvVbZ/d6NISqE/g+BiNmN7r4DZQ/QbN4TD9t6BQESKkTqPHYIiVtZHdalgPFFSS8JP2wv50mSh/imjlX51ruHGQbVbIfZnfJGwLEL0KN/Zn3BMrNtMgCqEs3itnGQQnBchQ
  template:
    metadata:
      creationTimestamp: null
      name: oauth-config
      namespace: linkding
    type: Opaque
--- a/apps/linkding/pvc.yaml
+++ b/apps/linkding/pvc.yaml
@@ -0,0 +1,11 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/apps/linkding/service.yaml
+++ b/apps/linkding/service.yaml
@@ -0,0 +1,13 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: linkding-web
  labels:
    app: linkding
 spec:
  selector:
    app: linkding
  ports:
  - port: 9090
    targetPort: 9090
    name: http
--- a/apps/media/kustomization.yaml
+++ b/apps/media/kustomization.yaml
@@ -12,4 +12,4 @@ resources:
 images:
  - name: jellyfin/jellyfin
    newName: jellyfin/jellyfin
-    newTag: 10.9.11
+    newTag: 10.10.7
--- a/apps/minecraft/README.md
+++ b/apps/minecraft/README.md
@@ -1,3 +1,11 @@
 ## Setup
 Because minecraft is quite sensitive to io performance, we want the data to be stored on a local disk. But hostpath is not well supported in talos (and is not persistent), so we use an ephemeral volume instead. In order to do this, we create an emptyDir volume and mount it to the pod.
 We use an initContaier that copies the data to the local storage. Afterwards, copying from the local storage back to the persistent storage is handled by a preStop lifecycle event.
 This way, we can have the best of both worlds: fast local storage and persistent storage.
 ## Sending a command
 ```
 kubectl exec -it -n minecraft deploy/minecraft-server -- /bin/bash
--- a/apps/minecraft/curseforge.sealedsecret.yaml
+++ b/apps/minecraft/curseforge.sealedsecret.yaml
@@ -7,7 +7,7 @@ metadata:
  namespace: minecraft
 spec:
  encryptedData:
-    key: AgBYeAiejdmxDBorvgnxQX5YvUhR3NId2vfWybMKlc27e6D/bKglLNyZMk70xSnFAPjcDmZ20mYjFPYvDOr9T6IU/REJ8QlzoKAn0xW779R4SkIxRToT+dJv+OM2avgQ9uqp7vja29xeXMjYAnQML+QGZKcrT8mE04G/Ty8rdUiv3yUXK5HFAR3SUF35aVLdlthLjpRkv1s0R7GAP4L2pNzBJNV3i37viceUSSjU0zpOa23fsQOkPAs67AIukAJBqh/hyF/hR9H1GeYZNTI3OcHcvC2iNk/XGstvv0Zy6ApzoebsfWGdsbVn+QUI0EBw+mSTPqpl71cbkz0v4S4XAVndosxWpe6AIgm5MBTU0FXIyGyoFDe1aMPq8BXiQikYVwB48oVNh9KF0xXX5AOG0whB/FEsL3OJsiNQvQ3R/Hru43JBn64oxjVtLfM3E7u8v/xr1VQahX8dylDmb4s5EV01U6O4y19Ou4td1eEMlhpJb0fBPDRUYuWxZAEDGmp+U4tAakyPed11VkcZPPn9fKAAcv8sGs3TYAbbF18hqsBnv2Wd+i7ZEvKwmdmfR/T0r1TJGsvKI7jaW0QtH256XrSxQp7a52qMKMVQWOSKw2k27t/IkRhxT2Prw4GfJvaVr4RozUaBf3LV/hfDWlDfmM2zg3X9W8HkzjotGg021OLxsa0Wzmhffvb8h4bvZwxeq3U1xaJocqXui7z0rT2pF4z3wYHR/lPtexHcOA2M8gfBGKb1rBKh+kW+N+/ZfVLNI0mokg5vrTO2nR2rb4c=
+    key: AgDG6apUvB38rB9tH+/ya5Af/32IUJjHiEGZFdYYqesuqyPB/qf99EtC/7CwqD6bDQQPVycJVcxwZuF8QtYfPXzv//yMkqEUJ2G1/Q5J8I6bjNGLR636UhliUpCkH1QDOspWJUjwKDVxlFN9l0g9UajvxnqLyGzbWPeay0sJEBvAY8ltEZpLP21V+GD+HgPk3HIfSFFBMsULS6GPCjMaFxkxQb6cG3K4Ej4NHCHRGOmax+4Rk7lwMyAHlXLlrwj/ytxrnHDWrugLIJE9KKmJn6UVNTuk6olgkhleg2PixV7oOiDVyu9ZQP8wbdppzRix6dnIcFEYJ1ZDK1rNF5QErYO0gBytiJnSsdFO0jUMsdBrho2FgUc5GgIdmgXWJJz3lrGFqXaRVvbPsBZTUAsQRh2+4IfqfWmAkEjBcjs1K8WWJfS+rO9e02KoHBT4decdsd8Qfr5EFdPIzMrkUoRMI9CJnIa5u2nR08Hhd9iojbL64FZ26kXMODtEdKmlo+HwjufLX5rYJVSfOyZYzivd/kgKA87YTFaMLKej07w3ofGrPYSoCnmLfJyoQdNyJhdonBDsgM1GgRWQZDpgJ1df0SB02A5lZ4V7lHWr8KlANv9YLuMoZnVehsH1NZjNQHDInIRiTLahEBbjcJzQz4vU1UWG100ATszEYKOUVkzPnTgkqKYU99ZQ23bHP8z7iAWQeumb6V84NTi6jNITBvU4yTFLuAiI3nW34Vb1mFVLwfWqMjEYX8gBB4yMSaVshB/japfkyXU0pYg4mK9gsB4=
  template:
    metadata:
      creationTimestamp: null
--- a/apps/minecraft/job.yaml
+++ b/apps/minecraft/job.yaml
@@ -4,14 +4,27 @@ metadata:
  name: start-server
 spec:
  template:
    metadata:
      labels:
        app: minecraft-server
    spec:
      restartPolicy: OnFailure
      initContainers:
      - name: copy-data-to-local
        image: alpine
        command: ["/bin/sh"]
        args: ["-c", "cp -r /data/* /local-data/"]
        volumeMounts:
        - name: local-data
          mountPath: /local-data
        - name: minecraft-data
          mountPath: /data
      containers:
      - name: minecraft-server
        image: minecraft
        resources:
          limits:
-            memory: "10000Mi"
+            memory: "11000Mi"
            cpu: "5"
          requests:
            memory: "1500Mi"
@@ -29,13 +42,13 @@ spec:
              name: curseforge-api
              key: key
        - name: CF_PAGE_URL
-          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5413446"
+          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5925838"
        - name: VERSION
          value: "1.18.2"
        - name: INIT_MEMORY
          value: "1G"
        - name: MAX_MEMORY
-          value: "8G"
+          value: "10G"
        - name: MOTD
          value: "VaultHunters baby!"
        - name: ENABLE_RCON
@@ -43,15 +56,37 @@ spec:
        - name: CREATE_CONSOLE_IN_PIPE
          value: "true"
        - name: ONLINE_MODE
-          value: "true"
+          value: "false"
        - name: ENABLE_AUTOSTOP
          value: "true"
-        
+        - name: AUTOSTOP_TIMEOUT_EST
          value: "1800" # stop 30 min after last disconnect
        volumeMounts:
-        - name: minecraft-data
+        - name: local-data
          mountPath: /data
      - name: copy-data-to-persistent
        image: rsync
        command: ["/bin/sh"]
        # args: ["-c", "sleep infinity"]
        args: ["/run-rsync.sh"]
        volumeMounts:
        - name: local-data
          mountPath: /local-data
        - name: minecraft-data
          mountPath: /persistent-data
        - name: rsync-config
          mountPath: /run-rsync.sh
          subPath: run-rsync.sh
      volumes:
      - name: minecraft-data
        persistentVolumeClaim:
          claimName: minecraft-data
      - name: local-data
        emptyDir: {}
      - name: rsync-config
        configMap:
          name: rsync-config
          defaultMode: 0777
--- a/apps/minecraft/kustomization.yaml
+++ b/apps/minecraft/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
  - pvc.yaml
  - job.yaml
  - service.yaml
  - rsync.configmap.yaml
  - curseforge.sealedsecret.yaml
@@ -15,3 +16,9 @@ images:
  - name: minecraft
    newName: itzg/minecraft-server
    newTag: java21
  - name: alpine
    newName: alpine
    newTag: "3.21"
  - name: rsync
    newName: eeacms/rsync
    newTag: "2.6"
--- a/apps/minecraft/rsync.configmap.yaml
+++ b/apps/minecraft/rsync.configmap.yaml
@@ -0,0 +1,42 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: rsync-config
 data:
  run-rsync.sh: |-
    #!/bin/sh
    set -eu
    echo "Starting rsync..."
    no_change_count=0
    while [ "$no_change_count" -lt 3 ]; do
      # use the i flag to get per line output of each change
      rsync_output=$(rsync -avzi --delete /local-data/ /persistent-data/)
      # echo "$rsync_output"
      # in this format rsync outputs at least 4 lines:
      # ---
      # sending incremental file list
      #
      # sent 145,483 bytes  received 717 bytes  26,581.82 bytes/sec
      # total size is 708,682,765  speedup is 4,847.35
      # ---
      # even though a non-zero number of bytes is sent, no changes were made
      line_count=$(echo "$rsync_output" | wc -l)
      if [ "$line_count" -eq 4 ]; then
        echo "Rsync output was: $rsync_output"
        no_change_count=$((no_change_count + 1))
        echo "No changes detected. Incrementing no_change_count to $no_change_count."
      else
        no_change_count=0
        echo "Changes detected. Resetting no_change_count to 0."
      fi
      echo "Rsync completed. Sleeping for 10 minutes..."
      sleep 600
    done
    echo "No changes detected for 3 consecutive runs. Exiting."
--- a/apps/monitoring/grafana-admin.sealedsecret.yaml
+++ b/apps/monitoring/grafana-admin.sealedsecret.yaml
@@ -1,17 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: grafana-admin-secret
  namespace: monitoring
 spec:
  encryptedData:
    password: AgAwMLnsYN1y8JQSqgGQbNG/8jKensTDsEw6ogITdkhDRlJcg8HQ5t7a6xLzNCrLHLJiQW8YOoyLT4lvFkBRMOa2EYcrDvBiRD0PjygWLIscKa7dA+jpAUf/icD9zsiDnTym2yf+VUANcmEgE6DiNvlcsrcmYqiR4pKVUTDlKPNOjOpTJ3nXETb3/sbt69E0JSGwtkvusYQSXKLU9KLbciihv+ycdkdlC9xy9myd4+vYZYXSh/eAvyZeb/hsmdSX7yaASmupMvet6Qsdt99PNzFQxtbQH+LQvYalVZ8bjWZQvCN/p0bA4H15otKBfe8rtEwVthgvyEvo6TK0Mg0pFY/b3AOGFmImnT3rDmgG6S8KTZH0Jce17ksFqvELQmHjqHuYpQsPDl44glM8kWRJ9Mf/Z424LRwZlJNVcOkuVl4qFqPUjzd2rWIyF0RaD0BE012C0ThJxKn2l17lVJbNtdUiR3qNpW01ot2m0CgKd2kXbjDmgRgAll4WgrukfCIn9ZnE0gVCFLJuK3MOQAaipFYy/bDO0izwl9T8nldgcI8OfiC3NTk2O+Es5jJRXu0oJGaC3HrTB7wXiwOoELvAsxLTPxKBiN9mCHCMtZX0PEtrio0dFRQ6Pi5xPng0KVT0I9dvGNsPdhPETNOB913WEvbgP8Gt3cj016nCzk51eUsYbXPpNL2B4kmbIhecqW/8kwKQPwYjVlBSXj3NxjzwMY6PvOl1
    user: AgBqmjCYGMqy5zBE+vhtsynOvhWdHWDJDyl1D+laBtLjXTJwzRbNTdunHYo1ekwyqQ6Cr5pi4YMiLxAl1LIHF+Lfsp2QlY+ResAGzp9WgSBtNQDX3EmLDQofeWxMUDdMtMsE9wiKLCfNGDkRDsGquXTz+YFq03m1vH9cB8Bp+1ClWOTui+/Ce0MZlWsJZX1W8WXH7XTirtwUo0s53pc4AplUUH97ZEK3KSIxWa3gLCn0sAPDDLPX+JVA2xtpMq1XuVFiFifjzEtG2h0dejiF35FtSAR+rR4YmEfimk3QpRDfOqV5QUxvjCG+dTV49upSevF2mvbHW+o+lB6vEc6l9cZXvlbnMdaep3NmOsJcJ8wQIdFpFK4iVzFOTKSEbzLPlZ/J+sjS5vDXsfthorIO2faMA1iIf+I663zNxQU5btaK4TNYOZQlrFVjAmioRLkDhGZ6tDUPX/zMv+Crt+0HCwyEyhmvFZckDvezTZrxARSXXMKBVcvjHCyUNkz7ubZRiMU0PGM7fYuHr659e+XMRvj+LFA68ZaEIzCQpCFJenWWYAXgUdRG4LQ1LP2MwvRHpkOYSoRkHIpX7jOfhX82A60h/ta/CdbWifqNyL9OecvE3FKsZu/Kr0taw9W6nm6FBhQLgFkOnFrqp9dWnxfHruXuDBgcn0iE8nR7Ht2zS7hfQPeR4a3Y0xK3Plqbzdrb9HKnWQQhf14=
  template:
    metadata:
      creationTimestamp: null
      name: grafana-admin-secret
      namespace: monitoring
    type: Opaque
--- a/apps/ollama/backend.deployment.yaml
+++ b/apps/ollama/backend.deployment.yaml
@@ -1,55 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ollama-rocm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: ollama-rocm
  template:
    metadata:
      labels:
        app: ollama-rocm
    spec:
      nodeSelector:
        gpu: full
      containers:
      - name: ollama
        image: ollama
        env:
        - name: HSA_OVERRIDE_GFX_VERSION
          # allows to run on IGPU as well
          value: "11.0.0"
        ports:
        - containerPort: 11434
          name: ollama
        volumeMounts:
        - name: ollama-data
          mountPath: /root/.ollama
        - name: dshm
          mountPath: /dev/shm
        - name: dri
          mountPath: /dev/dri/
        - name: kfd
          mountPath: /dev/kfd
        resources:
          requests:
            memory: "1Gi"
            cpu: "1"
          limits:
            memory: "16Gi"
            cpu: "8"
      volumes:
      - name: ollama-data
        emptyDir: {}
      - name: dri
        hostPath:
          path: /dev/dri/
      - name: dshm
        emptyDir:
          medium: Memory
      - name: kfd
        hostPath: /dev/kfd
--- a/apps/ollama/backend.service.yaml
+++ b/apps/ollama/backend.service.yaml
@@ -1,13 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: ollama-service
 spec:
  selector:
    app: ollama-rocm
  ports:
  - protocol: TCP
    port: 11434
    targetPort: 11434
    name: ollama
--- a/apps/ollama/frontend.deployment.yaml
+++ b/apps/ollama/frontend.deployment.yaml
@@ -1,30 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ollama-ui
  labels:
    app: ollama-ui
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: ollama-ui
  template:
    metadata:
      labels:
        app: ollama-ui
    spec:
      containers:
        - name: ollama-ui
          image: ollama-ui
          ports:
            - containerPort: 8080
          env:
            - name: OLLAMA_BASE_URL
              value: http://ollama-service:11434
          volumeMounts:
            - name: ollama-ui-data
              mountPath: /app/backend/data
      volumes:
        - name: ollama-ui-data
          emptyDir: {}
--- a/apps/ollama/frontend.service.yaml
+++ b/apps/ollama/frontend.service.yaml
@@ -1,13 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: ollama-ui-service
 spec:
  selector:
    app: ollama-ui
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080
    name: ollama-ui
--- a/apps/ollama/ingress.yaml
+++ b/apps/ollama/ingress.yaml
@@ -1,21 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: ollama-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`llm.kluster.moll.re`)
      kind: Rule
      services:
        - name: ollama-ui-service
          port: 8080
    # - match: Host(`todos.kluster.moll.re`) && PathPrefix(`/`)
    #   kind: Rule
    #   services:
    #     - name: todos-frontend
    #       port: 80
  tls:
    certResolver: default-tls
--- a/apps/ollama/kustomization.yaml
+++ b/apps/ollama/kustomization.yaml
@@ -1,23 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: ollama
 resources:
  - namespace.yaml
  - backend.deployment.yaml
  - backend.service.yaml
  - frontend.deployment.yaml
  - frontend.service.yaml
  - ingress.yaml
 images:
  - name: ollama
    newName: ollama/ollama
    newTag: 0.3.6-rocm
  - name: ollama-ui
    newName: ghcr.io/open-webui/open-webui
    newTag: main
--- a/apps/paperless/deployment.yaml
+++ b/apps/paperless/deployment.yaml
@@ -26,6 +26,8 @@ spec:
            value: deu+eng+fra
          - name: PAPERLESS_URL
            value: https://paperless.kluster.moll.re
          - name: PAPERLESS_OCR_USER_ARGS
            value: '{"invalidate_digital_signatures": true}'
          - name: PAPERLESS_SECRET_KEY
            valueFrom:
              secretKeyRef:
@@ -35,6 +37,15 @@ spec:
            value: /data
          - name: PAPERLESS_MEDIA_ROOT
            value: /data
          - name: PAPERLESS_APPS
            value: allauth.socialaccount.providers.openid_connect
          - name: PAPERLESS_SOCIALACCOUNT_PROVIDERS
            valueFrom:
              secretKeyRef:
                name: paperless-oauth
                key: provider-config
          # - name: PAPERLESS_DISABLE_REGULAR_LOGIN
          #   value: "True"
          volumeMounts:
            - name: data
              mountPath: /data
@@ -44,7 +55,7 @@ spec:
              memory: "200Mi"
            limits:
              cpu: "2"
-              memory: "1Gi"
+              memory: "4Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
--- a/apps/paperless/ingress.yaml
+++ b/apps/paperless/ingress.yaml
@@ -0,0 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: paperless-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`paperless.kluster.moll.re`)
    kind: Rule
    services:
    - name: paperless-web
      port: 8000
  tls:
    certResolver: default-tls 
--- a/apps/paperless/kustomization.yaml
+++ b/apps/paperless/kustomization.yaml
@@ -7,20 +7,21 @@ resources:
  - service.yaml
  - ingress.yaml
  - paperless-secret-key.sealedsecret.yaml
  - paperless-oauth.sealedsecret.yaml
 namespace: paperless
 images:
  - name: paperless
    newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.12.1"
+    newTag: "2.15.3"
 helmCharts:
  - name: redis
    releaseName: redis
    repo: https://charts.bitnami.com/bitnami
-    version: 20.1.5
+    version: 21.1.5
    valuesInline:
      auth:
        enabled: false
--- a/apps/paperless/paperless-oauth.sealedsecret.yaml
+++ b/apps/paperless/paperless-oauth.sealedsecret.yaml
@@ -0,0 +1,15 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: paperless-oauth
  namespace: paperless
 spec:
  encryptedData:
    provider-config: AgBI9IcNOfBevjUtIMwNTd0MTnr1WGxMKJ0cPnHzAS3cddmI+LTrkxxdRBuz2PFKTrhJ6/vh/2tiI9FBWMVm/YqTB64drbF3v13GfZMk/9c7W4SFyMoMcoE4xe6gs4SOm1ggTVxWT6O8IQ0gt7+FRUFaiLmwa08dxTkzrT0/zfQfYg+0aV8qS0eCJIrQk/IA1N31RpUoNV5Jl6vF7oE+cKIVyZ6LVMdecmFnuUgU+1qTC7ncgxxhWQekDQXJQnfYpgsQTF5GaHkGV8kvqJOa2Ohnk7MIeQEz5WuiKaXzU1ZMCYq3D8q/kaf/itLLBlL5MQh/hkuksCVG13aWxvulA/zIw3rSDujjZcSrD8LWH6oCMCn8zVcZjYQQBcTKUYEyYNvHLsmm0fOFIkUmFfBOS4WdHhjsBudz+941Wuc2EX5i6eLind7dk6gOlCL1HEyvbQRV6W50T104DQSNHslRG9CIjPh0BueGJ5fiaFoQa/UuM/JI8R/7cv3y5VkCG6j4gax9FVFgZKxPMtOTxB3gKolT25JHPDOqbDo996T4lsmiYRrYShni4JFZ8ALhcr7pKwlg+gVbDVaqMrVaSz1xzTP0MNxPMsojXVLtG3/Zv0/iXSVW4DPY67pFITEbZBWB3bHLvL9MiwKbWNwsDwPUylWkXTTFHsNbuRUnAXhRxcLn43uIv98JFTQcMVl2J9qrYkHm7w0FVImUr3oC+Ny/Z6j89ARposNx27B4FBgW7H7+yWMKRsAObC8cAjBOkBdXue0x5bEl7Al2BRRG7/WUKHXZvTOlvlj7GFTpLOQbPYjnBo8V8h42uOjGbiMLaCeN5sWlMtWD+7mpHV3XGdcGtPAZlIzgpUs2si/XIRNun2oDoUmJhb7YcGmugodcAK9+aYBThIkNU3guXdrM6Vc7CO2RP8PFpKBpcI9pUHgYA8dyYY+TaBqfYGrKFlGgoVcgh6oVkeOuctTX90XkojVFfqkCqab93faMh2pGCGcH4IZ81sdTYeWwNIvz1RGoi9GhUhQU5NfDeUBn2eHdOpfdsf4FkWe0kgE6TBPlQx7GQy56FldIc0G4QA8H8utL3E/MXYrao70ek/GHIxuev1/hzljJDk+5HJz5itBtKiW4s/5j2ZMD7MMBu/voDQW14XEK5pM9EbwmC6kRg6ljXvTlnUVmw1s04iUvIzF/dO6bCgaOEwFPjZj8oZs0dt64Ov+ZPLwTrmezFgHtfh4dyiRgHt4cO/WYFmzzYwd532p2De3JqjHUzT0iQIpkaz4jrF7+fdtDxtj7XgkJIg==
  template:
    metadata:
      creationTimestamp: null
      name: paperless-oauth
      namespace: paperless
--- a/apps/recipes/deployment.yaml
+++ b/apps/recipes/deployment.yaml
@@ -21,12 +21,15 @@ spec:
        ports:
        - containerPort: 9000
        env:
          - name: ALLOW_SIGNUP
            value: "true"
          - name: TZ
            value: Europe/Paris
          - name: BASE_URL
            value: https://recipes.kluster.moll.re
          - name: ALLOW_SIGNUP
            value: "true"
        envFrom:
          - secretRef:
              name: mealie-oauth
        volumeMounts:
        - name: mealie-data
          mountPath: /app/data
--- a/apps/recipes/ingress.yaml
+++ b/apps/recipes/ingress.yaml
@@ -14,3 +14,4 @@ spec:
          port: 9000
  tls:
    certResolver: default-tls
--- a/apps/recipes/kustomization.yaml
+++ b/apps/recipes/kustomization.yaml
@@ -6,11 +6,12 @@ namespace: recipes
 resources:
  - namespace.yaml
  - deployment.yaml
  - mealie-oauth.sealedsecret.yaml
  - pvc.yaml
  - service.yaml
  - ingress.yaml
 images:
  - name: mealie
-    newTag: v1.12.0
+    newTag: v2.8.0
-    newName: ghcr.io/mealie-recipes/mealie
+    newName: ghcr.io/mealie-recipes/mealie
--- a/apps/recipes/mealie-oauth.sealedsecret.yaml
+++ b/apps/recipes/mealie-oauth.sealedsecret.yaml
@@ -0,0 +1,26 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: mealie-oauth
  namespace: recipes
 spec:
  encryptedData:
    OIDC_ADMIN_GROUP: AgChDLTJLcQutEytCeipPcd9KOPQzh2LiObcGcqSBv54IojcwOSYrdKODrF3l8IR98L4PH7sAvS756vlZy+UxElgtwa951zqYGwf3SHoBMU8fl3QU7ZG44vGHKAZ8+gi1ybDaImUW6xH3TK24PSWH8bvwjLs2JAGCUQ1hPzOQ7yQQRPRTRk8jbhDkBefy718eSMqTSrxJqakIPgicZcIeMg16d7pFMkztEuo8iZCPTF8XgDbY0HVJ/pGxAf/rgerLCeOfdKF1tJRulUt1VzmX4A7Votyg521twa6RIN2NvgJHRYEmMPTosrBO/i70OwYcy8QI3PaWisoId0MFSSYk+n1iCU0EM3pXVal5rDoji4EVjazcuRjZ+TQ4SZh6jkRrHGyDNtrs1w7Hdw0GSwb8ONoGPiZF+qU34kDQH7tkNZ+iaG5in8kwSbZoLH2vrdUv/2yNXtHGFM4eJNwcfwMqs1wbS3zt2c73JQ0HgE2c4ocy4iTJbtd13fouNH+MPFl6BJXcMjvMdUaxerEFZQhhdvyx69ATMyLsUqgodr+vSFo+uA9gtv5JPyiA8HPJPJ05plSBAS/QxaV+F9NCbmI/XG2MM/i55dy5dX3lLaTehDtZ/TZK/mVHlkue+4lHisrtXFL2UGlqdX/QPNX+ccZ0qLKjnvobflBPqPr0y35KE+QNOVNlup2mVJjMr/dgNqi6Xm34UwX4GaW9y5Q
    OIDC_AUTH_ENABLED: AgCC/9BtmP59y8keEx9z6f2ifXdatpR4BBSCpLlpELjSBPAk5QrZ5v50n8Raz6zUt7+HVL5CYsShGRPoVqTd+evEqDCbbY+0y8fu0Xrapcq2V0I+DBfOzob0V53HpIzHdcAEyGXEqhE9zTDoTlZszmUCQzB/ih7Jr8V0bq3AKh9n+y4REYsHoiecPPb1MeuJmp9mfuSU+dVqvW8GYwumLQmpH1+PrWeQvf94y48yMJ78wroR3MoUIrTPuVe0RCAK+A25ODrXSaT9et0qx4mzS+qW2Vjpyh7MiNQhJdaYrGHlcUcje9C/RRsqzFdwXQqONwAAQUfH21fxMjpyAD4O3pc5X31kZ216w4iTp5DlTYBH7Ci8sUySaweQT1XdCBTqZTd+Q1fkU9UJqkLFZZ0Vds6K0GSQlqxcL43t5jp96n5uCm4qgaEX7oBpz6CqYM0Zh1OsfFe3ju3IBaPLNpboY9BwXaOlnYIMS+BR7hZGWf45cyEjL5IyEQIfpCw9drTzwnQAkiHtWo/8gzgds9FcW0cVPNx8XQjlZYw/voYhFJZcpNkwk+wl4Vs6kHPwtYAhR7nHj7nyqyd72IEutd0LZSL2ICMFKQ3XbYKa7JZlKLeL0gy3YKm8D5I+BRDBR4AB8MrjzSkJR0C+FOHVMImxLIHblEtVoOla4xWbu9aa+fB5hUrJ9EpwSiBYJWQzKshHx6cvX7Zc
    OIDC_AUTO_REDIRECT: AgB6K8H8eDmuaRhPeeKVtkPBzvtdEgNzBeqBLEPOW5tE0YiWT53mlQaW8eMtCUI/yvIKY8Tjcwg/CoiAgtboalS+HoJ5vUqfBBgeqYRE8xdRw6QJhLjKIViyg/wsTp0epmL50XX2qg6FINVWT6A8P3OXmVP+kxxr5dZDJ5jT7Af1j3XC0uGZWja9DWkfz7AXiUh89kekGqO4rkplQIBmPOUl9re1D5JFuL7mCmqBo4MNHV0baf451+XaOQF5jKT/luyHkvjs2V0+YZY7BvBqmqg3Dt+buAMyFnXAziVgcpSRzPQtGSCq9WJK5JsDfZltTVkzyJP83Vb3fPtOnBs+7ZWYshOh/1r84hbdEUOjTec9zcYQY/1MGc+4t6DsK0st03cNYWhKBBeN8nmUGMfca5kGWnRx5nJ6rjrF+Tw7yXJdjRiZ5Kom+VwcBtT7bXsxpoUYqAY1W4oUhpCrGGG6431DbUbjWMSaHPDiGdF6rIMD3OmbOaUxGTooCvesoRTdia9pO5Jk/c694N1MVKW+SNInuyZZ3BI8oxi74NV1zZYwTCADHSvWShuqCkZtnX1Rz1kNlI2e++HFnObvfbdXSyDymwJ0WX8rO8sXJYzEkJLv021Tdn64+1jBKviAi7m7FfS9/E07AR7OWyEjv2KYgxsZMC3KR8mEs9WZYYqkvCuKdWQofpLOTjkMVJ69X37EKUCGzUvr
    OIDC_CLIENT_ID: AgBosCGO5L+/1WJIGaNA4Z6vbqJL57JtuRXQDEICAiTJns4YBqvpbiIg+LZ6b5DDwHi0uq/v1yd61TV0+A6U7t5LYjRsywryseP+vGycDQlPWIBAegs/gVzMspNOrJe+g00VEfbrkZl9U63WMKAVBJS4Qd+MHzgnSxZ0IFMP/vaSE7JQ25LqSMjWs/OOBF4EJbTf9RV35/6kk6VpYIOLlT9Y4FaFwilj1Fve7YROIms5RykrLeEhIw/XeKjviyZqbE+rRsM+3lo0FPwVTruTGNbqLBrYox2FSVK6y+xPp9IHREu+17gf7ROLSj8PIhG3Q0mWOSfdv2qbB7RxOfNf4eGwy1m4rL+DDwLU/g2rZNnIvxa2C+l927ADFj5fJCuBPV9o8PtJjD5zsE2wpdqJ/PJMpg0106LylewH662hvIYL3u5s3Pc3mW0jPElgygnZYihSRxzxvEYdfw7+gV4alhlU++X/C/qwbzw1g+ZqgbVYH/jZxixsAu7fOiFRW2G0qkvnKnwJstnjs/Q81R816dnRylETxtINTpyvSF5MAPE1g0HL2Ocs1rOqLsL68FpPnI9GgOD0bkStuYSq+6adMyPmJgyzOqa9sGjhQvrLI4AISx0YVDZLaG7UIp18UF9AFQhImkv6hh8jpOHR1sYmmWKBwbyBJHtEpDn4/RKGjb2v/AHvUtZcE9TAM7kQeP1fRWPXPcA3SfF7
    OIDC_CLIENT_SECRET: AgAI7LDC9J+IQk6qPSxs5PSyr5fKAflxBxfCd2IcjQUKc4mCLzWdcQkyxXuOqLETCpT9yNFlRA+g0k3Bc+Sp+Y9rmF9nS9EyshezZOMT8/G5bacEBXgxxlqyTQUqXp7FpKK30lrBvxa56xDeatF5G6H68lLfJ86K2FH35f8IvRJv+GqFrOQ+PL1M9Kl+N6XpNihy70+jpDornbNpyr48yFawAone6zKg9qFxeJ4FHPL5wYrS0r++JoEoCGo4XZ34mPHQ1jiK3wPiiuGhf6dbAvh/wlCH2+ehiTnOQwKUY5C12gVwafOrA5BRI/TBjlTrAEG1qjxdff10fkkuFaa3Y07V+lz316H1+8xdzPVNDN5bG0hVVVWmj1jAuqUnOqPEfzPOc4jUFVom2wSXI1SS3n1oeDnTiO/5vkmTRcQZdGeuLM0+StTtXHmbtrfU6ZyfdtKoZ209jR997pYmNf8PrDbhKtcvJaxbT6RHqXpJwk4fKtQeLInY0Pl0HSg3f+OVLdikESgX8mJm/nGJxwN/y1cSjLawMoZhbvHP4aWKWokLxAvX4pfUfm9iv5fm2pwQ2eWWKAI0P9I1l9Dbbs0u2HC7QLI3EsJFQ/D1gkhall8cLPQmg9LnsXpnxnKXtIMLS8sNqE5TyXTX1AvFJz79dT7nezS20TLF2chZ1ch6tpM0n7JNYVaD5Rgxqc9XFpUvJrGHYjSR7twjXZd0XRVXCOBKWwe6aSdPi5OXtu1tBvvXTjoqMbQrGgk=
    OIDC_CONFIGURATION_URL: AgCZnFFlMYEQgPBXanDrQRdfPad/xux4wIVXpPfOqsDGzWSYu0HYDuoO8cETdf0fI0dppwAb9167Iz+sz9t36b4jb5X4nXTVWa4Co90s3uDwRsvMcg1dNMK8EDABxlGS9XThwehs6qXyYSN06CF+SyrGZonDgVcXb0pEW5B/EHFc5TwRrvYvVe9z8v8JbNehQet3HxXZBepkuntI5CzCkCseTvOiKV6oohr9l1DaK8e0IHQdq7XZshdZ7/CmafVY87fGElC5J2nhAML10fXHwyJ8HA99mwLFIvBLnlAc4KnG3FS2uysvoKrUs+GPXRgXMBlsL67upV5jO2B7VKQRpy0VcO7oYiwMV7Lc9EkOOgVNghIKGkCVQqN3JOuaNg3vuJlutDjLlDk+oCBP0BvYkZ1U+1NmndKRG/7YNXJ+MOe3KZ2gWGZgQLzpbmQRq81FxTn2rSNhZyBsMHyviIZFqZJyXnln6xPRIi4uuxtRQY9PLVcwHd6Q9hi6n8QGBYNc+AEsGwy+9upkZ6hpyo4hcOCJi/e0aUH92+Y/feNGYAPFBHP1sTHP2sEbVFISQadDdsxQIvQvaJy0J9+UKghz/qAsipkBYc2mv/waJwlpnFqDoCTOIkIadutyBAehkXawNsDXcWPU52hGpQ6dQQKCIxsRKBO0JQsI5rFf4jc/PxfSUYu2Fps34mmMggAb00UBLDb2arNdI/OcSirZ04XSp6G7Eeqn6gfMfrrhnnqpg7zokXXNMcLPJcrV0jHflauahmft5+LnWHfYVa0uNAJP
    OIDC_PROVIDER_NAME: AgBI3oFosMR5sPgr6JqFPJX8U8A2XNNYpZ7C4XIW9VPeczIU5NUNQaePowps509Y0ddHXPwASr0OeTgIVU2Z68Hg6Tpj8CehL+P+DaFMOqMOub0qmrakLBBaWcaXprQi2eys7mP9jqiC4iMx23w1Yen9lid9FSjLIEpfLE1VsPzAUcrvGMW8dbgwchrxKnb0HG0e/bsyaLubzEZWHfPaUo4cSWQf4KWAhYBlfZQAbNPkatOskzKw7nZ03X6RI5oub6hjcBclRjMh28MsExIRJDwWtB/inwLpWEAiPOU7xQmjQJdC2BqmKXHyTk6Z9rnwgUjG3pgH74mNH7/pF1ekOK220JYTbMa6Uga0r/v971AlC6RBEo8kuaJ/xptSdHp8lfg1spJ1sYobV782+zmJ0rc615BsYwef4lcFDBSXKnk42NhUNY6OORNbwD/tW/Mxac3o1OOoe3mSgRnFXJLqTh9i7D6kN7TiQ8HXNgkEfZKoqCloKo2TKW2gB++hXJTiZ1ItocaDPbPSIaq3LJsIw6YwwkXxBQeOmZhYLpaPI8dHjn1h8Jg2CPKNQJdAossrsHpBrEM+UXA1HxVmUCv/q5WIum+tO1d7sKeCuZ/g0JOcNK/tX2+tYY5fDT2G97GrXSGpgZgIfhYhWStYfkcOdB5ayqj0ncadZ0uJ3akFWBLHAr6sYemmVtW+BYbMLTTjlprGq8EIu3Kyqw==
    OIDC_REMEMBER_ME: AgA0vxQG7k6gaMmviyTVccCkIl4r37YHX97gO8ZlFtZFhBNIXti7Ocn3R2paSf5J4A7xT5Ml5imfdn1jS6XXBM/z6oXA7kvyrh5V04vcueGXtOk6PSzdqMB+qsmZr8VuY+41CllUwXyXGDLMCzQ6tA9K1rdLEQoA8TYdDi3KI91vb4JgOTaAum+JHXI8N3ZguzXyF7nTR/nTtoqvKoD9b6/B69Gu7FDuef0AEAf/aFYQb6JSNeStKbYYyNjY30/MdECEf5Y5kl6mtAT54KwNiz/GF9JMKa3yAO4XVc0Pq3Fo4BoptW/8yyngnhrjB8c6/LydTbwQgrxXO6JJKOnLMMrNq+llBNFyBqUD3ZyVzY3CRAetL3loAdoA+zTQCAKMoRjL22m48yyxdBSC9Fwy9crb95DqJaEQa1M5UrDqt3uWsEoJhrT5dUUnC45N4Yk9/cTWLMf/xSqP9tRWVcw4wyU8b/ptuCTqq6WvMVeS+MCLCnQnZB6s/sdFQBm7x75P2llro7iwYp72YRAfV1jZavUXc6XxdVvvyFV8Q4bNRxLvXgjnuvD+6STTmqzlceVkxcv1KvDyvjxHtcy4qxr3dU0h+vmo7kkTFfcaJpmIP4CTVc+lkNvj6FvkXwtmiW/RMG7kW8ES7I+tHSD2hJle8FWciAwP9iZadszTVOSgyx+S7alOXGczUDAe0bpWqeNnIBkJYpX0
    OIDC_SIGNUP_ENABLED: AgB/TkKgJ1GioaGCvyXVA+RRHJ64/KqBt19dNm3LUdxGrhQYOq0zDmNET26w8FneYXrP4zH3IY+ZvXkS3L5i9PNBXkUGhXaoNXPx2KYm6c6YeGkrW+sDlCVPFx2zypCIgXNpJHiTIb2vfZHTyVMvmpo1m9nlQVfdueFV5ToLwt4pWR04VYCzXoaSILqJAuX5IBkhac8hsr4yc6u+RuLhtDTmziB/3+/FWA+Gsv82U8CNDBCMAyLZ+439F9aiJv+scOzVzzmmIxfCz4GPzfiTmMcwlsAjqMs42C62x8m+yoPAs9/Ur7f0p7JYE8fjYQbWP2OliJic2Nm9KaS/o8akojIKlIN36Y1I/srimuH9LbuRJlwRQjTQ4qq3quiW7Z/7Tgsm71ISPqeLUHO2xR0714MnDMW+dOwRoQzBaNZepo2aEb2DhiVzT1OLsSeGCs6UOTau9sjd5ow+pCBZWUNPAzrcskw4cSfoHGfWiMf6wytCp6agiwnogM9wMAdjFXi9VnHxNmn4oViCmeg/y36z0RDyW1p8fU5fv68qWoqiPH5lbzJUcKDzW9HpfcuaGaAKJrr3RbEqdqxh6pc8hLwzzCo+FxiX/UAnMd+2BCFWzEQzWznyin2Z9vv4d7dYYiKRmoLxNQO5T6xSZvv0DYd9dhSxy8HB/viZuBh7AiprORuh26jCotcbKZq13/x5xC7qm7t4WQzO
    OIDC_USER_CLAIM: AgA/FYOGrV1qHlvdlJd8HNOdG2VlAVTo6nEoAtJRn3G7z3OkexS3O51x3TsiIhpKliaFl2/ATZFk5okUnUSeoibqpxpLNVMpVF6VX6IrnjxdbtznGpyz7sIri9RvKZwTpuDT8wNrJ2q7t1xwvnK7QYxKzf+rIkQqcSzN9k0QF7XPE7ijeWSjqMpbjRya+vxjWR12L5BRmtUgjrm7J/8uRMkVQQtl3/Y0c99qMwj91v1F37RejoqOLC6OFdCOhVvwatq0C+y3F7BB6Zl2EQBYoinVuSfmlJ9rorSyAeNeeVb7s5vm+WflB4Dn+taJAFCuGiq7DK8n1XDvkW7kThlJckdXBfEiCOlzYCSdiJ33ToV2mWo0zSOZC5UrYslx5hhzwdb+Nw7/74c3g0TeV8doLWhczpd38eYEkYrFIZdQdBtwK+Lwlb7Bq2eT9X3l73uE2ho+u+o2o4RtQdCw00TouBJQBf/vhyEfk6eWuhHikIUVSQAOm8mCKaOseH+m0RMrpbDDRbl7pcrozSUJjP1eygTVPJwQF6uFjIbvNHsodP1ld83HTR3vMfwfwwngocEonnayUDeYfk2KOdWONUFmfh6k6miULhNr7QVnTit6b7EwsrLuu8UqJzih/pINELf/mA2oliD2TCQH6WwSu+G7W/BjECO2ANyJE/1UQxQxaw8NtmRtcuIU6cdHi7ow5ENYLnYb1GXQBH4TGGZgKBaBGUEz5gQ=
    OIDC_USER_GROUP: AgBIMaa7sVROh0jXJQLrnKVKzCRg2Xg55d4Xp5sQFQ/hBlrFwSE+fj/Irx2hGx8TiuotN3wG0dIJgxLt2IGcXSZoO4iABz6tI88yJgP6InRjU83qxFusjxljOb7JI4Vz/OV4XpxMEibcv+TF2z2669p+6hBbdgGwWAO0luCYPKgwTZWDZr9J2KOqCK0rs2uVtR//UnfUNTM8IbEHDxKJ9aKmB3Xxpgo6xw5ydx2V5J6juXF7gZbthGapgerEMx0D+cdCQwyRmZZaA03IuZbNqgouYPpMJr15vCGsyZWM3mOJ1GOBSnZVTsubmd0WO199LDognEjKNTN+IPbTZUp53zMjcFf9bCfHNZe/+bTs3Jyb2IEH57OAjuMhiA8gU8oBPq9i+CI+NH76MTXrIKdiLtUAfQ0Br1bdR72AmWNpaIC2cGA60QVAtTvHtr/SZBkaQos+KpVXeHVG9WiK4ejfVkFX5r3EjVxPQFs7sGw4DCuytaNjSM66vWqsodC38bKqB5RACR2ApDJXGgQtA5L3jFHzV/Qb66S0I5WsX1+u3E8Sx53Q2/xI/MKnK0VrLy1Pnlrb7GWNyyOQJhB764D8UwA6ElTt29/IkJu6c378yOGsZSNMd689mfoPLeYhby9DMLgQOFMRx5euXIzojpuomtuclP80BzGUHBvLKLKZGLf8HiN8ko0X250MdAouFa3EhNvKjaQ6YYa5
  template:
    metadata:
      creationTimestamp: null
      name: mealie-oauth
      namespace: recipes
    type: Opaque
--- a/apps/stump/deployment.yaml
+++ b/apps/stump/deployment.yaml
@@ -0,0 +1,48 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: stump
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: stump
  template:
    metadata:
      labels:
        app: stump
    spec:
      containers:
      - name: stump
        image: stump
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 10801
        envFrom:
        - configMapRef:
            name: stump-config
        volumeMounts:
        - name: stump-data
          mountPath: /data
        - name: stump-config
          mountPath: /config
      volumes:
      - name: stump-config
        persistentVolumeClaim:
          claimName: stump-config
      - name: stump-data
        persistentVolumeClaim:
          claimName: stump-data
--- a/apps/stump/ingress.yaml
+++ b/apps/stump/ingress.yaml
@@ -0,0 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: stump-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`stump.kluster.moll.re`)
    kind: Rule
    services:
    - name: stump-web
      port: 10801
  tls:
    certResolver: default-tls 
--- a/apps/stump/kustomization.yaml
+++ b/apps/stump/kustomization.yaml
@@ -0,0 +1,17 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - stump-config.configmap.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: stump
 images:
  - name: stump
    newName: aaronleopold/stump
    newTag: "0.0.10"
--- a/apps/stump/namespace.yaml
+++ b/apps/stump/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/stump/pvc.yaml
+++ b/apps/stump/pvc.yaml
@@ -0,0 +1,23 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: stump-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: stump-config
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
--- a/apps/stump/service.yaml
+++ b/apps/stump/service.yaml
@@ -0,0 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: stump-web
 spec:
  selector:
    app: stump
  ports:
  - port: 10801
    targetPort: 10801
--- a/apps/stump/stump-config.configmap.yaml
+++ b/apps/stump/stump-config.configmap.yaml
@@ -0,0 +1,8 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: stump-config
 data:
  STUMP_ENABLE_UPLOAD: "true"
  STUMP_CONFIG_DIR: /config
  ENABLE_KOREADER_SYNC: "true"
--- a/apps/todos/deployment.yaml
+++ b/apps/todos/deployment.yaml
@@ -0,0 +1,43 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: todos
  labels:
    app: todos
 spec:
  selector:
    matchLabels:
      app: todos
  replicas: 1
  template:
    metadata:
      labels:
        app: todos
    spec:
      containers:
      - name: todos
        image: todos
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
          limits:
            cpu: 200m
            memory: 200Mi
        ports:
        - containerPort: 3456
          name: web
        volumeMounts:
        - name: data
          mountPath: /db
        - name: config
          mountPath: /app/vikunja/config.yml
          subPath: config.yml
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: data
      - name: config
        secret:
          secretName: todos-config
--- a/apps/todos/ingress.yaml
+++ b/apps/todos/ingress.yaml
@@ -7,15 +7,11 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`todos.kluster.moll.re`) && PathPrefix(`/api/v1`)
+
    - match: Host(`todos.kluster.moll.re`)
      kind: Rule
      services:
-        - name: todos-api
+        - name: todos-web
          port: 3456
    - match: Host(`todos.kluster.moll.re`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: todos-frontend
          port: 80
  tls:
    certResolver: default-tls
--- a/apps/todos/kustomization.yaml
+++ b/apps/todos/kustomization.yaml
@@ -6,13 +6,13 @@ namespace: todos
 resources:
  - namespace.yaml
  - pvc.yaml
  - todos-config.sealedsecret.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
-# helmCharts:
+images:
-#   - name: vikunja
+  - name: todos
-#     version: 0.1.5
+    newName: vikunja/vikunja
-#     repo: https://charts.oecis.io
+    newTag: 0.24.6
 #     valuesFile: values.yaml
 #     releaseName: todos
 # managed by argocd directly
--- a/apps/todos/service.yaml
+++ b/apps/todos/service.yaml
@@ -0,0 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: todos-web
 spec:
  selector:
    app: todos
  ports:
  - name: todos
    port: 3456
    targetPort: 3456
--- a/apps/todos/todos-config.sealedsecret.yaml
+++ b/apps/todos/todos-config.sealedsecret.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: todos-config
  namespace: todos
 spec:
  encryptedData:
    config.yml: AgBRKmf5GSn6EcCH4r+I/lJkNiwZp0Pa/TFloYlPzqJ1aQWrTRDCLiljHYs1n/PTBWWv5SdWj+3Uvx4M+tzTXpRTp1dWomJ1C8pUDpf4N7SSZeAMoJxz5/mSUpA1YsYwiy/jhOzSsaeC80JX9WTXhCE5cnox/OUjcDf62vVg/7kgy8tHYpCSRmTGMah82642gP0/rlLpp+ctb29oYttmL0fWafHMRHgZYwkO1Ol7tmfbVOfr/bQljTQD3h/f0+ef2s3kDNtAkXSBAwHo6TfukB5bZi+pj3q3TLHAWU/belC38RZtIYW7trJf20WzbxxWKcS7rnQ8GHJqpbNgoWdnBQgP5OGHzySnQrdIAWLvOxw3JdJ8S1ZMbZfWASGpeIdfTI1p99Bhu1MGE3nnAzUCM93sLySE/mjjGDPdA9+Q7orgLGX3ct+w4deu1ABLR/HWxFYvPah11xs+MyzBFVh2rRj+MMzSWwQmbo+widmHWnzx6fjTiLd8eyGmvz1M9hBwFjqUTjbAR70S4xx2ALlYqAtbmJUk07PmTdTMhvokvaY5NX7Ylahx2oFE2q/FxMBwvPZVyI9tSbrZHEK9a67QaXnnwyfSqj3nErNkpdAa/zSJ9M6SG5cJrJvZCBn5cFg6pxtY65wZoj0GWMZ5kF2oqxDuekdjitWGMTp5q6ROJYSs/o3Lc/Abga9pSZYEtNrHr68tJuSeO61s9TjUftbkxkJ97/dwTfVQOd7aJui2EDp8NVcZg0CkEOgI7tt0nOEsll30RWS46QJwUbJM34FD646bpEk50K/GsIvFovKjZjtoCjeKczGdMpYS2XFwEMb8UjgSATxcVYjSWwvx+7prEChvoyVcg8Bi8ZEGcBVxSAD9fJu8PtyPBeijs7ZVwVyGGxiSafd3gAPU8spSuvbEDl/VZAKy9k2vrI2c/gtTqwaIasnBHudIbbNqDHlTlH8dk0z+kuNg/AzqheZWireMvBvgQ3TlHan0RN6+vVpZCY5XbzWkj/DEmoor8UfeuYt3GD7/JHniAorMPj61n2od7TLXmLunPG/B/zNpJCgJ8LgtUriDDZno99IDCXaZ/MO2+jppMaKizl83axxrv9HUTYDDgtX4RqLLdutd4i/AsOe0GgayFrOjUtDVOL6MKhX7dRJfbNsL5IcGEVZ1cdzcjjazoDpSlDdMC6E1XNS1NWprqUpmfjFPtFk1FWW3oRF3iEYUimngYvy6oTx3d70EZ+eOdEvp6A+aHbmG6fyEQb3AKYhMIOsn4AbKpDLjTsHiqWNGwT9ummS5kOLhnWBBB4ohDpCl4UMCtP61+1lhtx//Jne8QFAoq31MMFcCO2X3b2JfD6egLDc8Vwju6NHNy7jrmkponKqKxQPSs0w9Aj2biUBuFkMCiAik0Cf1fPk59bjJqs2ypwURDPAs1ShPoSU=
  template:
    metadata:
      creationTimestamp: null
      name: todos-config
      namespace: todos
    type: Opaque
--- a/apps/todos/values.yaml
+++ b/apps/todos/values.yaml
@@ -1,51 +0,0 @@
 ######################
 # VIKUNJA COMPONENTS #
 ######################
 # You can find the default values that this `values.yaml` overrides, in the comment at the top of this file.
 api:
  enabled: true
  image:
    tag: 0.22.1
  persistence:
    # This is your Vikunja data will live, you can either let
    # the chart create a new PVC for you or provide an existing one.
    data:
      enabled: true
      existingClaim: data
      accessMode: ReadWriteOnce
      size: 10Gi
      mountPath: /app/vikunja/files
  ingress:
    main:
      enabled: false
  configMaps:
    # The configuration for Vikunja's api.
    # https://vikunja.io/docs/config-options/
    config:
      enabled: true
      data:
        config.yml: |
          service:
              frontendUrl: https://todos.kluster.moll.re
          database:
            type: sqlite
            path: /app/vikunja/files/vikunja.db
          registration: false
  env:
 frontend:
  enabled: true
  image:
    tag: 0.22.1
  ingress:
    main:
      enabled: false
 postgresql:
  enabled: false
 redis:
  enabled: false
 typesense:
  enabled: false
--- a/infrastructure/argocd/argocd-cmd-params.configmap.yaml
+++ b/infrastructure/argocd/argocd-cmd-params.configmap.yaml
@@ -0,0 +1,8 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: argocd-cmd-params-cm
 data:
  # server.insecure: "true"
  # DID NOT FIX RELOAD LOOPS
  # application.namespaces: "*"
--- a/infrastructure/argocd/argocd-oauth.configmap.yaml
+++ b/infrastructure/argocd/argocd-oauth.configmap.yaml
@@ -0,0 +1,22 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: argocd-cm
 data:
  url: https://argocd.kluster.moll.re
  oidc.config: |
    name: Authelia
    issuer: https://auth.kluster.moll.re
    clientID: argocd
    # If you want to store sensitive data in another Kubernetes Secret, instead of argocd-secret. ArgoCD knows to check the keys under data in your Kubernetes Secret for a corresponding key whenever a value in a configmap or secret starts with $, then your Kubernetes Secret name and : (colon).
    clientSecret: $argocd-oauth:client-secret
    # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
    requestedScopes: ["openid", "profile", "email", "groups"]
    # Optional set of OIDC claims to request on the ID token.
    requestedIDTokenClaims: {"groups": {"essential": true}}
--- a/infrastructure/argocd/argocd-oauth.sealedsecret.yaml
+++ b/infrastructure/argocd/argocd-oauth.sealedsecret.yaml
@@ -0,0 +1,18 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: argocd-oauth
  namespace: argocd
 spec:
  encryptedData:
    client-secret: AgBmXMtAHgooKGgj3s/ndddVxxOXqUYyGev5BeUoAYL9IYYT3yB54cQp7v1suEwVGUJQQPOgc3YDUeS5kdOLcpYi7mOi7/aJYPmUHx1DU644JsebpeqJNMFt52SCynLjP9Vntlbkji9mPCQj0tHGhqleA+3y9mamuz3tZ+kaSY4+qUywXekMQz13YQgagQc+0BK2xzUzVedNj2AB0NmCIs8oOIL1ZL0iMi/+/a1VSh/pzm3Tv/ap3w5nqP6FUbZLcL0hU6+VTa6ZqoDcIIEm5x23tDXwgbHM7CJ5E/bHu+cNrvVO9XqI5x4KRIe/TDJGmO3oZ4bdeU2mtIxTXIHG3kKFCQzKPqteffctEusvdyqkpCqPsLUny8loOQKX8XjY6K6a7fMsYUsKkJ1Le3Zuif0AhzNvDCX69pz3uPEOf6ZR2pU0B0g3fc3gIwIuY97WiHzHg++pLJ6/yT32Ja9Ub6k72fJDA1HvvAOY0+fXoJdOwkJCfGFF/dXLp2M1/3xxDI05mJeFywE9NYBrb2yRNN9XAdwSJ5mpRnyiyBlMv/1W52yDBCavyMR+vLlyxaXGeVHvDSTdGCY8bCBEz2kbm3WEFxGR/LM3ls6d8WvvT5YJ+RxxEYSN/o0Zi233AK53toni+e2luBBIjUITa+QUIxpeWrz2aAe19PO+XiDHu8G2sErWxwE336USCnOiFIkqeJpBqtfOm0sWnxmQWhucMqTlGYdbus+DBkWWM23JLFuRsOI/VawqRg==
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/part-of: argocd
      name: argocd-oauth
      namespace: argocd
    type: Opaque
--- a/infrastructure/argocd/argocd-rbac.configmap.yaml
+++ b/infrastructure/argocd/argocd-rbac.configmap.yaml
@@ -0,0 +1,11 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: argocd-rbac-cm
 data:
  policy.csv: |
    # use oidc group apps_admin as admin group in argocd
    g, apps_admin, role:admin
    g, argocd, role:readonly
  # all other user that might have entered via oidc, are blocked: deny everything
  policy.default: deny
--- a/infrastructure/argocd/argocd.configmap.yaml
+++ b/infrastructure/argocd/argocd.configmap.yaml
@@ -3,4 +3,8 @@ kind: ConfigMap
 metadata:
  name: argocd-cm
 data:
-  kustomize.buildOptions: --enable-helm
+  kustomize.buildOptions: --enable-helm
  # switch to annotation based resource tracking as per
  # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_tracking/
  application.resourceTrackingMethod: annotation+label
  admin.enabled: "false"
--- a/infrastructure/argocd/ingress.yaml
+++ b/infrastructure/argocd/ingress.yaml
@@ -1,19 +1,17 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-    name: argocd-ingressroute
+  name: argocd-ingressroute
 spec:
-    entryPoints:
+  entryPoints:
-        - websecure
+    - websecure
-    routes:
+  routes:
-
+    - kind: Rule
-        - match: Host(`argocd.kluster.moll.re`)
+      match: Host(`argocd.kluster.moll.re`)
-          kind: Rule
+      services:
-          services:
+        - name: argocd-server
-              - name: argocd-server
+          port: 443
-                port: 443
+          scheme: https
-
+  tls:
-    tls:
+    certResolver: default-tls
        certResolver: default-tls
--- a/infrastructure/argocd/kustomization.yaml
+++ b/infrastructure/argocd/kustomization.yaml
@@ -3,13 +3,20 @@ kind: Kustomization
 namespace: argocd
 resources:
  - https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
  - namespace.yaml
  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.13.3/manifests/install.yaml
  - ingress.yaml
  - argo-apps.application.yaml
  - bootstrap-repo.sealedsecret.yaml
  - argocd-oauth.sealedsecret.yaml
  - servicemonitor.yaml
  # DID NOT FIX RELOAD LOOPS
  # - github.com/argoproj/argo-cd/examples/k8s-rbac/argocd-server-applications?ref=master
 patches:
  - path: known-hosts.configmap.yaml
  - path: argocd.configmap.yaml
  - path: known-hosts.configmap.yaml
  - path: argocd-oauth.configmap.yaml
  - path: argocd-rbac.configmap.yaml
  - path: argocd-cmd-params.configmap.yaml
--- a/infrastructure/argocd/namespace.yaml
+++ b/infrastructure/argocd/namespace.yaml
@@ -2,3 +2,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: argocd
  labels:
    pod-security.kubernetes.io/enforce: privileged 
--- a/infrastructure/argocd/servicemonitor.yaml
+++ b/infrastructure/argocd/servicemonitor.yaml
@@ -0,0 +1,77 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-metrics
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-server-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-server-metrics
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-repo-server-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-applicationset-controller-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-applicationset-controller
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-dex-server
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-dex-server
  endpoints:
    - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-redis-haproxy-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  endpoints:
  - port: http-exporter-port
--- a/infrastructure/authelia/README.md
+++ b/infrastructure/authelia/README.md
@@ -0,0 +1,10 @@
 ### Adding clients
 Generate a new secret + hash:
 ```
 k exec -it  -n authelia deployments/authelia -- authelia crypto hash generate pbkdf2
 ```
 give the client the hash, store the secret in `authelia-oidc.secret.yaml` and seal it.
 }cnnhzH|Mf/yLn(v4rF#>KnGMgUS+TY
--- a/infrastructure/authelia/authelia-internal.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-internal.sealedsecret.yaml
@@ -0,0 +1,20 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: authelia-internal
  namespace: authelia
 spec:
  encryptedData:
    identity_providers.oidc.hmac.key: AgBiAFMdVNGubsvfYu9oi6SE1AF8ZmiSbiSPjZhrSjpw8J8vN0Zjm/4TQX+I+qD7GQu0zO72D2hF/26fBZrLx2N1IJAj0va1NYEkmGgAaYa3lVC948n5OzyNPpOwfFCMBKo/BJwh0VeZ0wa7gm6L7+Gfk+YutGmkNa7Cuf+F/e8LxlT0MHlyoj+YGzeNEWkm2uUv73f74ND+a15AnBkvGMfm5A8vt/EdN3IOqD8EUCwRpf+lqhrJe9Mwp28kHp4NdO2W97I40BWA7LFXQco7CuhjNafHkpaNMZ1bkbYLjlpqyC6Xs7bCZU9wMIPOHL9cGt2QvfQG5gMWrJmJsyes9qadBk/TKmqPi3iPH2DzUYO2vMETI765RVrL6IVOwxXc663JxfpZVQTiCSXz8oCVYZ7Ka7gcjXSPTMSxwD2cBVG9KDwjntYaXTairO/Kyx0HiPbbXzhENYkqY7oZvJde/l83l5TvPi+M4/a0Pa8COq8voRw+Fkrfw/qhPDn4AZnuanceOLog3xfrXw0Z45rZ34unovKP+3NjTdBUX5YB8OgGd5tXc4Ur6oK8nxt5IhQ1EzJkh1VEUU8pbDaw9EX1xCKZxVk86MEzW7zqFZWRve5Sp34CJdwHcUk8hLs2PweEzyvibLJIACn1mQoM6nC+Wep5iYXjUzQ9qobItzKFpw/mGsceCu8VqNoBtQBws+I47EF2NkzT45szvxF9tvSzmgmRBHtzES11bqePopHvye4310pywFYJ/WeiWOLEn1IEd4rrTJ6zIoqU1QH9qHShT4SoT0uC5wqz+Tgl64OdMIHKwQLcWih7A5lcDMv+jPV1Xvd52g3EYx13epNTPHtHwi4sBlFi1VuDrwXgTAlnpvM6N5Ij0qNNK5NMcWHerbLyOaMzng1pOtRfYA5UKGG4KYQd49vh5Fw9mHsk9/lelT+iyTs4GhA=
    identity_validation.reset_password.jwt.hmac.key: AgCOsW1JBwnAB7BEIkEwqTLNHX5N/HrqHoxz7axdr3ppES7BnPKGRak846aKHrUVEykAV470SCgdwomTh/KBVAvHtml9L8h+FBu24rDbqZjHnL/BVy+2SkukNoVq6A2vDQRI521HBZntQQljhG0XTFTMMyI7tUhhM/PwmzeyZpKsDPcw6EJAMk9ERxdYtM7iaYEIAAcn0N2NPI7+I/A7nMKYpx4oGr79tobQyM1aDQF2VFwlRq1vqCrkEzBtPUPa9SrfnFE2GrIJlIR3xh/h5SmXCaAjF0uZFjPBPMrHSU4XtZVqtmwIEXpXFqjf+M6N5LTA5rKEviHV5oSJ4sDbMC1GMzwYw8u1Z2gvi/sP87ncbtSbW6ereAXC/5i7/bkOiyBlwVbNV+YcY6RlHG6DzEO/4Fqx9ET6XJhms1TcNb8Cp/VA7NS79IYbtnnZozefHnZAKQa7k/SR8tUVcVET2LhW6/j4QhxhFsASbws/yaZkEKdQnDqCpDlMkXKWxAt/7wlu/URTKlYTtCV5tvhrDj14Hdvs2CtpbXsYuf9FEn6OkRjFFXtr2c8tlOgh63qLoDfgmc+NlfLmkOGEtfEi9KCt9UY4qBAh2bc0PkkKod5JhMoiBUCwc2H8WlXAeUj2v7UmB5fvaP+IbeNKGf6+v8adVW3m7tckFeARG71QHkv049EKVfNyIP+CvBhEFZwTMNtzYGhr280zpEuvKowVXYlLp9pSBA/3vEIFcsnNzQfg2eFzsETOVtHXd7KnPoRKk29fTXmgIKdMThaSgvs72LoGdiYpYPaVrRKgCeqCah697bsOo6q2gv/jAeofRkcoaUx3sMb8nZJ3fnijr5Z5DFq6PM2VyJy8PlgfoIKO/w1nkQ==
    oidc.jwks.key: AgCuYKmdCv3LcmH8zpNAuS5oeHjf/cEmcAlGjRfv2CtfXmlYhcysDLeo2Cyn9kMUEPyRwxhQ/b9G6ZfkfuIh83v4j8PFBitoyaAmDNLmhn/tEjxUG4ddRZ+X1m+Skqs/QyGSt8w4iCBv2tzVV8v9mbbh0GSEk4Nz/tOi8oyUBF/RF0Pgan7JubQ9E7uT2c2rD+hVeWJx9dL6Vv6z/OdbNEjpDvlMNjpQBqMj7H0dMXSnMIxoQHXn2TduI/2qoc84qfNf8diGaG9DN/lrm4rebPwQZvwkidSKEGCCca8ICwXEN2b2q2TijiaVGJPtpd+R9n3BDa8SHi94ptwxuWwHEQBA5QlkK5TMUT8SGLzUIJK5Z/sX7QQcTxxSX2pySA+3eKveBIiHJeLjiuABkioo9uZMoWsp/piwZBQy5xB7yF2WIGz6cAg1Y098Khw8ZYrnYrJSHG35/Ai9270eiJOvdXDvOdiXEbxUhI6EGwypl1E18AevE3Pe6OcthEfwErbYdEevSNSfUNthC6gFh/PM8qCEi9ZpX1IrbDq/4lyPltKNbhev7OJuci2CF4kc/kMu9Swdih2p4UV/FOHk6z0hfpjxuqXBwdQYcNOZvyZgnGNjb0fqtrKN953A8Skb8+g1XeWzOVxRYGLi/M/oUaWiy2ksLgxlEhKgSzlQ2al0qMBTdr+I+W3bm1HjITocnEFHR54x7+i6V9LydtWXqy08xH1p4LXi56+PtoUQ6901nE8vyofVcuoV1tqqrnVv+L7XHqsM2qGgdvsYlYBttt3zBy/JbOTcUhVe0KIjRGtuAF2MPJWSxcyFc0crfC7dYmKllV3sKO+MowyDjDQ7OQ3MxgPufLKMRJUAB1XsX5BUE5HyQketKHE5hYWzLR+PmQPShq6wc/Er36jPBLkGUsNVJhUdPewbEzZEcqeBdDsncXUwZjcjAlclWpM1VYxT71BLBT0SUL6YyoeesW0RZ+LG/reD9klfYQM5vfhXTDax5crOcp5BIo8T7mJEYIFBvUU0ruAi3Ur7GqgSCCE8AAcILTeqex22KP6JcFUB7nzFsn3PlUv1lJ+TJutmUe3aGXjVMQGD2B3s5cMHCcqMD302gj39gLVsCV4gQo2hb+UeZcfz7X2ltJ0H6ch/CHeLZbBQoCreVVDWBcoMl4tncdbrkdFK0Bo1tCjY+MScsYATswn4/fbEIKALBVO4gS/WI4NcbGl6HXyNnJvbYv+6l48EHcTHtMqER1hur7Wkso3YpC5zHx7RVfnuCTXP9kWPcCCr1VMj4Uth86LB5xi4FIs3X8DvoyOTVgUyu4T9tedldhMurOh8qt/kqxdxjKkREFk80sH2kb61xPypY/779hLXG9PeDHLFyETYgdHiJWSv8UhizVVOBErjKUljWZ2y5zZam8DNKI6QRislPE++pYsqQw2Pe0iyjjcSWMAriCVJW1klkgmOkEoweFjD98CIUWJUcJx/as1YOIc+QqtVRKH/1AA/CuPrPJWfPXzGBfNFXveQB/G9lvJ4MNfVLNdAz5kUv6bGnGaAyR2LFTl/ficNZv8IFBQvHi91CLe0PjMoq32SO/wCJMX9f7yESWgFnCWS/HfuzWJR+f30hbsM/JbE8hXQQ8/VPgzgRkaKPz3XW9j4w6Wb2mBX3GAYtRtGUKfWsOJWIOjKDlqd73HiIM31MUsiDMgo4DdSV9ocEuH+Y8EiAgtK8P1nSUp2Y6wRVZ5dMz471GC/qAtZS2eYEYzbe57sX2i+pjmA790O28fZauEipPs4d8tbUyef+wPD+aJLyYLRX+R19IU5y+Hk7VdFoi/o+5roDyqAESYfOKhY2dRV6MjLvgbb0g4spJBPefFppKxEW46pi/zMniqUmel+czm704i9/Hr8LrZHUwHQqPN+iLqLTvQQo9Uj0xNzeM+fF4BG+QpYPPl8hNlRFcz/H486i7z1qIRjDvCHko5nQx6nMjJgY3DVyCV6w92NvWKsuWtJ5S+LyCe3Mt2z3R+l7JVntf0xPcAaUjruEnPC9jkpiD7GtZJaeqqm9X6NwanPrTD9KRw3czDyN00H51tmqut/St0O9ThpCNDDO06TrtvWIGmbO3zuBLawOnYniISNhpwpCO1jfV5J8zg8iv57LclG1O7LcwqAbLg6fdYNRnViIn3FRmwrIunSjcL+KbQP6sPQRHqiRxUbO0jp8v48wfzrxc1V4hzvrzlMQzIFRwqGKRjRaHzsBVjln1Ec8Bbg3bvVVCr60rVNVQEy40ldTz22nNjecAUp88v5DXqslHgwD1jEA7rDAmjAIpdN0fVOZBHKxalXVzq/cYssuAMg8NgJXCoLvi+mZj+iR8LsV4OtrSd8nJSCADrVrLJwccHjRo0GnPBD3jJFchy77gPN+8OnzRXPVVuuMSOjrxfAfrjwCUkj3KybOH3MMLu5NUFz27DcpLRxBqACQOtSOshkuuJuk1FXIexssFMZvO2StYecv5R880WX0LqZwKNTJRqQOXTGaV1VWNEexSu4iegOtaX0UZQNyDyHygNU9JXsve4u/2Sd6VyTy/i69XouFCY21DE/fonqBGuIen+TqxshpPJGy3HZJ7Y044rFCcWyTjzz8XH5s836CUWmwri+DsGeT/L/E3C+zR17ImU1Na4IA8f11ThR5aaomfTEwbNseFr8L51dJrgQl/QgRJrViHwowLDVClCbhszVKFg7i0ERRjSNNxZ9tUluOyCHSeg4wP1DOERumYwj5oV9I0isAOpG5cCDUDMrrZP831YmeUgJsH5aciRZmho9/p+Q0R+s7v0PA2HKtRNOfIm1VWSL7y185LKvYO6DPfZNDnOFobwg9ANP7H7kdE1GOlsnEQYWTFlc8wtRLfENNCHlBUwrIGJUoNPlSHVG3PXGz4vah6wwJD/QBH+9TKtLvdV1+2T4+cdCIn08MbdlHDKvWLraMtmSOTJKNJxtXOuXfdAuGYIoqyc1Em7nbV/Oo4de/n1zWkrwZPeTx7d9D1Io/ana8+2LlJEjrIltr4IzdnuCtImbANCDA45VFmlq87s+2lYdbKDvDMNUviw//s80G3qTT3VpGFnnyEF6TsJzpTJ7PrpE1A0PMufNbg8kJTMBifBU+XzoBDTqBwPzim4VqwazuScOqzwZDTgLdQhGzeo1bKIJKHrLOEgZm1KCp+tjPPhnhK0zIGUjqB+UL2+3IvHDmVr9ly7buGub+kuyBiXnoIr4B6bwa7cpFgNU9zmTng+hFlTDgfSLBlz+69knYDlEpgE6BsVfTcXFpfVgS/eRHH04OrYB0t7kwUD0Ku+Ljpn6nd/x7/gcDOGaiQH7TpW1qKTF8E5+sfbn7f8j6fGYRT7dDQ0n4ljZ8qAYsPw3k+hY1MBIiNqAfQKpwTc88yB6EmB7Ul1N28tsLTuEGCCHtXvhTaQLTFzTVoKdtn5B8eNJDqOdBc5+g0qPgp1W8cVESH9nc80pcGo382GND/QllOEmmaKEasYEzPeMJAcPM4UxMuXF7SnadQweoCTIPXuQyZW+eKlMW4RlC5DHQ1m4NymrN6GFptQtTiG5v182BR2ibp4NogkEyZhHeMCtGXZV6QgGbnoJ24ii0vY4iO/08YgXOxDLcH83vvdiya/WxO/75rRVH052z0doEC4jLUleLEs398o59LBEolHSyPYOemzHLOkSB7w6acxiuujb9nujMuE2im5httFXKhq0cu6ytxlVKtKbVwB1y5lZigpTAh9FZXki8OBNIEa1FwtrYsoLz4hJP2CyRqUrHCY9WmCDTOUFTq7NrltBL2+wFvbPAtJbrzM0ALJYNaOb7J5N8R8sP3voXaL5DEEFoS57+xSvtx+lIOCNweJqzzZMoxZ2p9JL6qaJxG+EJIGTeHhWMxX9UJTJJACgB2W/cZyCaD43E5XIxSC6czgdOgwii27fFAJKJabmj+FsSwYBMiyHiFE=
    session.encryption.key: AgB6LuT3btnwlDtP19iS6TAA6hz5t2gtXn93/sKI+ANzRvDtAUEJf934pWS0xhWu8Zfqwe5YuPy6Hb7CYG1Xk76Z3IFAEKcENcAA4Ngl6f80yBPgaL+6pzkeHyouYhpuRFenPoCcoa60OuusnDBUvBO0v6Mtqd39nACDJwdrJH0VzoLiWlMPzNsqJSkX+qNumrFlahqEtpswgoQBFtgljfMh8jCfAiqtwwe4Gx77B3GHNDuRQ7tSKhq5pSPUfDE9i/a1fb5yd1z8mlDkbivb0/yhvBsUi7stV9TE7HpBcsxtd6vSzt+MgXsflFfHZ9HU7oVVS0PuDzeDEXac9r2XDA96eUdhz/9NF3d9BvBMZqsi4YlF9tvsODNR7BofF5axxuRb2sptVwM5HuexXhG6S2PPpjLWi0BnY2P4Y12rXUhtYTisKgk7J1H5kZ1XYdjySFIQpMnWvdQD4TDmvqCi2YbnDts5labuFPQmgdrguRbqb1W94Pwg3SOuhJdsNJkfvXFBOOPf2eJBdGsrv4hOFiWt87pNh5Idzi9DAsV9CHZyLwxchwSpNre3yb1TnrTUE9xuQexY/xviAKAc1XjLsKyapryyAtv1AF6UnZMECDyElyenWblPBlWyOYTAWk8yiYl11C/2cipP6+pv8/XpbHKaQKGVQLIQdixXVGKRZwChTo5b3wliSJD2FXiC7ZkWfjOHlgXa+1DNYEoAlUfIU+IMdTP+x82QIjeYRH5wmhujd0JrYu4AygU1Zg==
    storage.encryption.key: AgBOR7VfqNstwSBQ3pZIuHUo6m6bcbqTRluZ+G52d2djiyYm2E6FEfzeNrVgPSyw/9CuWXnzzQRyyGVvwP9FwtF6wWqNByhtY4sHd4xoHLEv3L4ZNRvNCf/iCGw0yI46k7nGifvIGw7BNWMkzGVOY+926aa9CAahxh27nQf0dztuFM3DPX4ASKpJ7c3IRGbMi0x0gPTU+Z1/3JLlhn+WvM95UpbPq75LHSzo4A2YfdluZEOpvvo8M5NnPgvHIvRC3tjZuXsDJwRQhqLVa8oFdrjJ7DvMonScKyv4IF/fttd4K0h+g/WZqCRix1dw/7LburKVicYBLl4IQJDIDORKXIUqU1M7i28UVF6DBe/r6jBTGDJcqv9Zor5hoQHuswyC0p+2+sm0EGUvGJLGJ4aqq5UBSsZyD98vMwGT3H3sofIqESHJo4O6rOSo+NFag2P/E1Ij2PFN2+wJTMRJ467CPnzEC85/mm3Tii+NRRb4CKEuxh+zfmVB/Bpny+7zjL7atS3BFR95PbI1jM5yI4uu1uHaVJaXjI3nQKYKjYetS3POOdxae5YRs8CywtZWkv+wUnlbPlzB7XRObQ2yzwNj8tZL8/846TykafDsvPB51B4wAnY8w1LaxNYBTZHQGco/rO7fUNEbuwPyDcbDtUaNxbUD7Yfu1pUY2fay0YtTLDlm1FEZePm9LLKQVj2K703Hu4YA2F/wKhcWKfjtijaC6z8KTaPQiVpjhA==
  template:
    metadata:
      creationTimestamp: null
      name: authelia-internal
      namespace: authelia
    type: Opaque
--- a/infrastructure/authelia/authelia-ldap.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-ldap.sealedsecret.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: authelia-ldap
  namespace: authelia
 spec:
  encryptedData:
    authentication.ldap.password.txt: AgA+MKR3OQQyrnroueYPamFH16HxlenRWc4ysREC6bsQYPq3FwjW1sJbz1yPxVywpi7BkClS/8i6oMxPBcl3amefYQd4aK9FeXFCy+oknhM6ml4r7lk8gIVNiUKIbt8XluGwg5SRc+I1x+5TBsinAsfwVZDpz1TYEvTbfpi5xrijlC0KY1UW9tkkt5Cp7sr0NDdk1hzwQWW+7JlpOYlVqvs2o02xT+C+wncV/3RYtKqT/OCC5SKbR+DVjDxG97CHahF6DC4o5rzFlPl5JD0yUPenbXCzuGmfQmfuqRSekJBZJ99fykwRf82eeOao/hPJ5MzCf4otorPh3/UZk57D5nnWe1cWGsLz5RIp3lmZfEn4vKICauuJK8mFIbnZMeR0lsP5prbNU+gwF1N+VHcUl39Ob1y83XowQzIynMQuJhcnP1e02/HwIl6uqNG0XsWWw57K/z289yCid8woeStvteFL9vL1i1JiaQsVuriOjIh7nZVFgUvHXfGaMQp58O5qlLQ0EDApMjuBDsZ31acFHqoR4RSw14up6GMpw7lXbOANFi9KmiDe6ugZ2TXzm1GU6lcqUMX4SXIVwAsbf8BhRZb28sJ3z2e7rfRGoAqOdxFKLYaX4+ENnN/tk971Es8IE/lM2Ylqj1oBCceEC+YSkRNBe2B+n9rpe10T/F7sq3K+8wH0axMvesRkCY1coUoKVkx7cw5bEZ9Z/oHnTuw=
  template:
    metadata:
      creationTimestamp: null
      name: authelia-ldap
      namespace: authelia
    type: Opaque
--- a/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
@@ -0,0 +1,23 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: authelia-oidc
  namespace: authelia
 spec:
  encryptedData:
    client.argocd: AgBWKTgzqy1UjMClw8+9MKCZAM53ErvunxeIMkyPkOvioGN5+QuvtT3rSCNJentXEhIK3V1mt0kYNb0yLei+W8o2Vgr/wqvPfA+JbtgfPKuHg1eayTXDB7TPXG8MzONM75pPEq6nTSz7YOfu5AU0OjX/3D4E8lBD3hCfEteAA6tbxplD0P17yEzQTspPbXh+YNRY8/BmRr4xbp3aDdekeYfrZ8HQaYOCs6vl3JH4SvYoPGxrsSS2muZEPESmWBBC72NcFVnpNG4i106qxwvMlfOwKz4+FQsHMZAdRYmXayefwMWTxOC4MN1VUE3S6FDZlU5Zds52qOF1bO8w0cLyFaILtcPkjV0w+7eCUhrYx3CzyaCnVAHBBwvUt3VZ+g7RESI+Qc0CDV5IwTpj0R0Z4K8ieGMr/gEU83Wm5Hv66aneZppAJV5E8BixIdFTAoZlLNXg3Q6R6I8PrcnTlF9IzBbrWBrE1MuYgvzIIZm4+lohV+jhJcOPgRANxVkDwAz1Sk3AfHFwKtxtzwjvpOyr+R49+I14GGyKtUcZjHioSUSiTqV4JOYvFmSDXsy5CrzFdO4zCn5jMhkGRWztBJY9nN1Ui5yODag2S7TVsCgcYNF0tItaNMHmhkez/NoWFDUvcNwr/+hGC+DQN0xoZTO3vskyW0RGKjBSnoI5QUnuJqFJsRymh7VpRvMr2C+0Tvk1nEoOoRmA65aRJScgp/acZl4UXhwOjyIpSNzai9kvIj5PVVf6+78z11h5c9w+vF1IDKCDGGgjrnXBeHFGoty35UVGOGOXQoQbLXyYu9ZWN6i6garwl5ATwea8oaUB1h1xweoqSz6xrHcLmjqWLbm8Me4eSA3TjvsD8gtnhAfnVAETxBT3UQ==
    client.gitea: AgBEIzadyU5+RT5nKUII3EPXfi4yl52FzvQQxEfX8T5845fAQh0/8ay/E3oXKjH/MvsnPWvIwBfAG3DZ6LBVt39SOA3+5csbcwgQn8ZSigfriowkGJKiSu/UhqloiCuIvzZwu7CrTUaAdrWdMOpYvVPts0TYUUdA5tcPGYyw4Sd4Z5hi22+NeMoCdMl67iag31I0PLEWl92WQcQ/V/sOKuLm0p8TEIZaPyCHLBwUPbD7Hvka6JhrkmkybnOJfmQLrHAblPptVlIOVwER3e3Wrzvh6YfOq3KUtFboeyLRRafOy4j5j0dWXj21WLznomH644ioUeysAG6gP/HZthuNMTUydz2dsWtIu5J82jP9bbjUibZeQIHjS1Y1eqPSd9lJWNjWBb69xuDIewLZ75rfOuTdVp83+iGkha2yhc8OEHBaXRFO3zDL/eYSuBGxLRtSR30WSHD6sgGmrGzSShAlM7MnuSU8tqeHtmLuKH85ls89HvVvgn6ZVj5+P6dmHctFM1tp8Q97nUeZZGbThT0DztKExNTdb1yCsb9m8lDxX7avGfBYvx7ntqBdxz5CurbFvEYi/9C98EYZycaurjUIRBjEgbT7vHkIIvJBy1JDVZYDFzNGkvZ0oOhehANvx9UNKeb32iCV3ypGE7oXF0/WFdFImSZWfTHVpqOUN+LJTnZylkwcyByp8Ut4R7xS5by/bBV846LK985fzCRWldHk0U7xli1FUvqHMvocOTsrwVjWtE0C9X+GDQMAJEP7z5xWlMCEePjEZq2/OPHXiRlDZ/rQfQS5zpkIZAK/vaiRCZ/arpN0RslwOzIDnnyFJB0jqhIsXf1JUDZUis7yLtnyaVh3I9a0EXrPu49ItBk7XdSNMYJ9Hg==
    client.grafana: AgAuT9f75mVVegFb5kC7v0wq/myoG6JlN8DLvY2tBqqCJ3pDMaFkVSALustQvUxpQ3UDFndKk3vF3rL/ot2h4R5dQO82guqR5rnyi7dGgf4+guV31V+Pz+cMKMNGDzvP6gq1+ePuGgR8Q70OKKk28Neiv1zd0quzKNY+Fmi3nYVonnKt7SDRrMgHdrak1jTyyBCDCl3k1S/kCjSsBUOfZuPDWxbSyKi8UvizwEm7QmK4ifsdA4IyaO6R5u/B9aQP4/eeb9uXaoBZVDWsrqi0ZHBavCnyJ79rYwDx+6ThsEbwYYsJ00omGts/1EPZL+1EpdJ97biIzapXpvlTRQwcxOZ0sXnA+5ig0Bs25u+T012HNZndYLcqmRsgKk+Iz7YjPRddaIFFEhttgubxCk/dMvzcchkOFI36gEC2TQCX7B7EcBAi6lQG7I7BVV0UrqmNhrzYCeY8AyNd9k6dNj+NslHfxM9QFIJmK8UnX4tx3OSJQJLaXN2ZG7TcPxv+Hn5z6A+PTE8+iwJ4mZmjxoVbyN+PYwz0m+uDqS4iDrd689NjFNy2lUxoCTtoYHs/U+GNOFD67YjT7DE9PbuS5zWlHCYM/W+5Hfasqs3/NgpbX6P44ZIMUBSdcgD/TEKyjP/ttjXG3FKVO/RkrJCNyUSHQKRlMJrzwEfwze3YQ1XKw5xLzDN8dTb1fkeDSE0EuGCtqH2S7cZE/3/w16PJ/ba5WR3v3CC99WQMMdeXLGP6C8PGq7Z/WErXlNLLPCsQKIMqlhoupm/r65SEcgf+OBI1iUG2dFNdB4VwFIU9UwHm2t3gcnU9Lq3DGQaOQusIHJgVF7UuamogkTfmCt6vxxIxXyPodiebZ520TeGgKIxvwTftxl+miw==
    client.kitchenowl: AgAb9vWFHkiFgsHs+1nrq65n+kT03igRLq3KWIvDg6EokA2TDXYb4KwYBZa1xcFwgT1iiLge71Y6spMRVkJdLAjRCaPCtSTGygzlZ7z9NFkn5O9YuWgkp+cPr62ElHpx9umKEx+Ug4vgyvrBk9eLWxdZZsiJZL6GcjUbMe/Mx2429mveg0kyfKg3XjraeU7xcHWwAj9PbjeRnhEewvr+9sdv3H1wA45E2+pZ9cZ+ETl9wXXNquUzUFSp8IOxzXwx34aDqjdnMbEgU3k2TEe3N9wU+r9vuzn4kesh0zEGkEfXhKtnGNSXFheU+aa/5cTfIp/GPfx3+dJ54LLWfVGU9X+COI70zvTEtAhgJptkWqJ7dVp6SLgQotvg3bTNohof1/6JDPKQvGvkQ3ALYMXYDd27NrmP3ZSJYdNGev0yDr6MXyNlv8SglnsRIpfMmPyl913/10DbvB5b0Tiy2xzmmODpG6Gk6EQquaJ2g+imaV8VPSdDOoRK+rDg2AH5KKRn8vxH7d/NRsmOmCxadqmyyWBbl9onu+TzSnjnPxyc2cl3EeqaaciXyh/eu3Ar27DVu1l6Iorv+N34Bttdti0TZgeeMD6/Y7eAXTry482ix26UOYmTH5+mGoGVAkh5BuWO2fR52vuEHV1T1VYVRK3+PX1OIeWEoEdPMvDokELc4W1Av4lVDKcacvNzuMZ1gpiXmdCNnYfDq9CbW00rS1/LPPUIdIyOfHg2q/OgxtkjiPUwWQCTc5NO8FPlQ2B4ZsJ51vfxl2zx19w9tgQVi7C7T7Iek/2Svz8QMiZtf9N3W8CoUp2RXktV+Z2yI3FWG55IzicRbVLWpeidRxuJTEdm8emgHSiMpDM9Uejv7pAs3QkLRX2+og==
    client.linkding: AgChIcLDfhCZshqJgG+H5exbWt29ms882BkAgDAopvbhbXE/e+I0tVw2FNDZWmKbI+i/Hlrvj4Bputn7pUcoAZf5W8FUJ2nOMhJjtjwMF6O0QzBje0Xrzi9eK91XWA3PRxbPOzBZYWlmWvwelYw0hCgfp1XRn3aXkPcpsZFV8Bb2KSXDSk39+UqIm1I4rR9hCXPMkorTUZOa/NYpDr4ieenbRS8PeeWATPzSxn0hN+RnXHnoUrKdO03px/2mYS4SYJrgZ2DrkGN7uz3/ARwqxxKcMBQeQCe0S3Udsw0tvvJbjeHJIQ3fzIz+BZdbKLgVuJa0ZNQxmuDVBFY+60d89nR6wKsyoRgC8y/sEHRpztUjiJC7WBiiJ/g80luMuo/7ZTIvu6u1I/eugsopJKUONv23cowdqthyzlsnKCsBTgfdzXuFy5YYoL7GPcybdpUcOA8upr15dE8vsN3UJEYJCZkw1V4iedzHVGPpo6tts4sewnzplH93QpwbVywMcSl1k8oeHqbdmh0srJ54hBFboyNRr2eQT+b43oFJZtQb3hhuZyO/uXKx44jeBoVYkmKCVldBBDE0FdQpAk2m6dtvXae37Eu7xHiWxY/KDzVxBzJn4NWboQRiTM9HQ7pLuAKgG+Ec1+nwfBgq3G9jZrdIN4/tWNvuBRuPrUTt7pwGJ7RCbMgSz9xbVFCxwBx8GwaNRFOH3/RoMdVwlUntRELYN7+pU9S0FS/VPnbVxOZbJI3ZHFj9n8qZ3lBD3SiHB4rNnirQf34CuEfnLigpSdskKdOsekXQybxVq68T63Ntf/yn/t0+nV5VdqpW0stqRBQaUq3yEqfAn0/HQ7nTgSbHf4ZsTMsAU+CSAewnig6qKTcS7a7Lrw==
    client.paperless: AgA4weCcn9z4H2WIqADKRpOMkCmA/6pci0SCKsTcS2nf6XuRG0pFufVqrVTe5jYIfAymKJs+Yzlf6V5ViE+3U/PhtBgHC1zifYBVkC0lSUUKx2YWkmrnSylAZZIYArC+kdNXU7pwIS4i8eCxeB8NhTtHBMXdfPig5kH/G6/FaL5RZ52Ly3jf3h2UP3JrWbk4dYijZbjvHsGNJMyDJ5cW2DtgMmFNMte2ScBuGpgF2tDiVKW7Zq2aEpVtVXvWjF2euuL39EFvLzPAIXeG4TaagBCnFfMVVxyrS8Dk63CiWQzTSaeBDbUhRuOGAYD0GELhSxpsKjOgm5AaOk/sJBjoAliFtSyejO30tP+5PBC+FE4RlJM5dMjHU8/9T/tBSOus3k7xWmExc5Eavf8yeXVmNeTJfC+Sji6QZxG5P9xisKXgn7EX+T4aKpeJ2FxAtL7NKgnrKeoztiHV2vJH6TepGjFejf5VJRjOP2QAJkX0ApnUVfhww4CjhBFo20zRYyI591ZMbw8PxlRFmAsXhL9XeaXQcl7nq2P2N0IdodtR9xMVlvpkuv11AZnzXjC8GfWgPE9vmDz5RW7Eo4WzWDaFVBL8Sjx+NZllV/qVHlJfbGgqgKmtzJWUZUATE9y9YwOG8PSKmw7fbIHccJ1o1HOG7BWIOQ/QIo94uQQWI0Z5ESRgaCsbf2oBX8HyYFdMA0s9sS9OdD1NWDTb1mVnhA8Pjq4XatA2PGlRPWBVD8YpjbeuNQXR4RuSuUvuKGOOO4Jsv0/ZXc4cUmPB3VWNzQO/0iNt8MOsZWjtQNiDBLZ3xVjRWo/p+Q7P+o1YCThuLxwdmyvAxkioRfR0DJY+ZrkErVnTv1CfLdS4ejf7ZYXcgsh5ZC8Kww==
    client.recipes: AgC3w8qEgD9fru8tJRi3mYSDbJVq5oG++x8XfeRKAQPXFtMKdFYAvn3zGPc4viavPnvE1mkHWSn0ECC+YKEThiXlI9ok1CKnspLrzi6oQlReCUnyJdu9e49xgV7kb5/SQsZbDlVmtluTi8j8y9AIUows/HsMjXgoNrG6RodAsWp5cauCgLBrqMk9nPuQVH1jTNFm27rMrJahLTjr/z/5chdiU6sjPH9EIDnaLEP3o8/ACpPTtwF4PYQszUVT3Uhn4YlekqAYMfEolBYsPLSDQyiDr1fwO3/4YUHNSO/+bN+7vscS+x8zozb750Oi9c1ARc8ENn6AiM3ZEd32ZJKqfqJ3+CxsXsuG7VjfHu3+gc4uqLTbwZ+BVacSoA7JObsoQEbWdCGWTNo5FMXrhIv+BKDB59eLKXTOlBfVTLlbh0P7tSR57fhSpBomcvvnQ+MtfSS9hDFMNiPhb135c8hjJcbMZ6xdQz6HARVtP5nVuPyDafbez6A+VT9sUDt29+oNf5qpk25526Q4GI/YlyvXH+3RT5q8syYuSIZsmh92qD5ZltffW5kRooCeskAryiyWdgyqjMAekR1dZR9wqvzRraDpY/neLvrpUAPl7U6kdlzuIdaJFTnXmNKc1wK5NaeAEf4wwO6H/ibWEzIJKQJcTlmi+0J1SfHcCULYZ5ASeAkSRUxpdVk16LCTHWbyHYFOYmGsmeMmRTYylB/FdOuUEZWrO5B99xw5baSvLN842v2JnwR27Mha3RvS0teSgbuXgG5kWWGGZs9oibsNaaNz9p1MPw/HR4M6PmfEJRsaz+cX02bVUVzdaXhoTZ/D0DoNe8lB+Ofupjl7jAGzEJpGbwK7cB1gnITa4blqyszrKg1dg2L+ZA==
    client.todos: AgBaZOU3D5ZEi2iZud0kLIgZVVNwWjreEDMiadtgZ99S236SOckGlqTes+6gcTcMUQe6CFcxatx8sXamGd9xtIwyZa/5jns4Ju0L4Tozf57uQS1CPY10wyLlPc/a/thn6dItfh5l0Fr+vQBmV0dlEJ12UM9iIH/w9raaf0VkDP/XbZw6PZ0lVoJp6u8LrjMIf5+pdlPOSytFNzB0EbWfQYGObD/zgt45V48+gE9jLolLIEz7QPMrUg0dj1RjWJE+dWXzv+4gCsRi/64gPUdkOZS4YWIlFP08jcDChzbqhVkqUXz3AOQOxF7+2NpD966dxWiYRQfDfFwb+V4vK8C4+DlQL8p22MxWt6iOhxpSoXVVlCInYxxhjpk/gpECqfu6gKlEexg+ekccAvkKVmBX9TbOjsurYFjL3JfuL057fjWIpvZhkQjJCQJiCgVGPtyVhoCzsKeyVDNJvXs6dYp8CMrRAcn/fdo4wI0/tva723ub++AsKSsXCRT+d+03FnBbjRrxSQdDiP4xYY6BqNfjwHGYSoULxtop5t2qt7PzFlpCxNjRe4NrkENCw8xDDSRrg4CLmazPi1Xs+MDeEP3cpi9sRzQx9u2JrvvHmsTeHjVY/MQHb072nLa6xAiUQoXQLMlzxJuwx0U5DmsMe6o8FfKaLikcS4CDKEAddLDI25z2XUBA9J7BTXdhtHB012S1COhouRqn333uKF/BnABI32/Afj9qsDy8VQ3iZyTKpLQUOrOzKKTenXy0b3VV9Vw3DoDPhEb9//fGrVoLdbXDpYaJScza9qg7QWmLqO8Cbk/83t1C28LWqZKWyMtq+QFQ1ANIbi53BopX8zBQargctEVielkpN5HqVCAIow0nQcGmZdZClg==
  template:
    metadata:
      creationTimestamp: null
      name: authelia-oidc
      namespace: authelia
    type: Opaque
--- a/infrastructure/authelia/authelia-smtp.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-smtp.sealedsecret.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: authelia-smtp
  namespace: authelia
 spec:
  encryptedData:
    smtp.yml: AgCfZqHvV3N/S7C3BCeBZv5erYNnbc3yuhYswXBxJUmvfWt/oyEi0VM9830cV740zF532ZteMaEC47Yer1dm1zwBb8degsSPOnivTU3HVN1MQKMxB0T9roN7ytXnS48dIVLlZAy5/7AqU/+F081zJeGW/8lsQKJ7QVa3zG7BDGJmaExxttrB5ZsSiVmFldSQap1FNIcPFU1O4N1w59r29IsUNbOVpnb4NqONBBh7Lt/RoUwYVmdMT8OxOAtgovft1z+KuZN2ZnvBlm3EgY70wAWTs/tSmZLWuDGa8yo0M6LPIjO9zlc+l1YuI25AqGHDuhGU+H+gQWZhtIglwKHtU8oUuDchWxQpb4tJSokpyegkWrpty8vBEEGK9CtLk13EmPUHTPicv9XYgwxvROeXB7+6/gQC8Yc/PzjjZwSrNo8SC/rF4VJY9jXMJ2nS7UkubcfdOY/bKhu1jZENrav7Zd/z5hiy2stg2LFJ2rnzIrSKeYWN3ygR24KRGh/7Bpwz6LhCkPdrfJJyymA+Azwq06CoyyPTLkYRMpTdkzx8zLNCvfQfmEKYRxRcXVBDfSr/Wn/9QNmCAG/rp1Ep23xRYegQRTUyGD2JVVSjE0WcMRRnqb70IYfEPk4w5TS14RcO2/59Lvs+1mF8g9JfLhrxOjLDAvnSKjN5KZ3PgLdpqbkcVjUb0Hs18SAilmZhs5cQtNR++LqYePIe1r7R3V9IPIvPudCs7/2BrLLpuREhTdQIiA3catZ6kLZgHuh/KswFEDAcZ1NisSNvZZLAKTHupIe7XjBp+0zGHLZ7hgbA/Ojf4e6M4RLjqR41Uix+stkKuwWwdoXs/YAf2GUl6+4fb/8iPVUwPA7XHf92ALxv5neNEDlo4awXvuBQG8XdmaCqkYXBe1GE+vgmzfQhr1gjcO1VxvpsAJXT9/Ak1whQbs8kLfwxDfGp3CYQxx+eaxxm4Q2xumeQYXHFyhNZ5d5XOpmlx9EovRwM/uGoZdslykZ27ZbKRMYcqwhJ16CS/y5ptMcEbB1RkqodM55UCslR/fo+9aJejX0x8V91U2bm8eFrDFhFJsM6Z6oClxOXeAbSoE8m4KclRWTtF4+CIXq+qszdWzwqrHBWvKAtVwGo3L08Sxw24ajT9Rw1Ay2kvb4xO2SVzIRhHdzIFpF6iSiDqBJsSH7SL0kP1C07j3vl95qZBp01BW8BUnVxFyqOVMvVnXMaNQZdFrsq4MVEsxDftgciF9oE8rVv4Q==
  template:
    metadata:
      creationTimestamp: null
      name: authelia-smtp
      namespace: authelia
    type: Opaque
--- a/infrastructure/authelia/authelia.values.yaml
+++ b/infrastructure/authelia/authelia.values.yaml
@@ -0,0 +1,259 @@
 ingress:
  enabled: false
 pod:
  kind: 'Deployment'
  replicas: 1
 ##
 ## Authelia Config Map Generator
 ##
 configMap:
  key: 'configuration.yaml'
  # include sub-maps wich OVERRIDE the values generated by the helm chart
  extraConfigs:
    - /secrets/authelia-smtp/smtp.yml
  # many of the values remain default from the helm chart
  authentication_backend:
    ldap:
      enabled: true
      implementation: 'custom'
      address: 'ldap://lldap:3890'
      base_dn: 'DC=moll,DC=re'
      additional_users_dn: 'OU=people'
      users_filter: "(&({username_attribute}={input})(objectClass=person))"
      additional_groups_dn: 'OU=groups'
      groups_filter: "(member={dn})"
      ## The username of the admin user.
      user: 'uid=authelia,ou=people,dc=moll,dc=re'
      password:
        # ## Disables this secret and leaves configuring it entirely up to you.
        # disabled: false
        # ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the
        # ## secret_value option below.
        # secret_name: ~
        # ## The value of a generated secret when using the ~ secret_name.
        # value: ''
        # ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise
        # ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath'
        # ## value, '{secret_name}' is the secret_name above, and '{path}' is this value.
        path: 'authentication.ldap.password.txt'
        secret_name: authelia-ldap
      attributes:
        display_name: displayName
        username: uid
        group_name: cn
        mail: mail
    file:
      enabled: false
  session:
    inactivity: '2d'
    expiration: '7d'
    remember_me: '1M'
    cookies:
      - name: authelia_session
        domain: auth.kluster.moll.re
    encryption_key:
      secret_name: authelia-internal
  storage:
    encryption_key:
      secret_name: authelia-internal
    local:
      enabled: true
      file: /config/db.sqlite3
  identity_validation:
    reset_password:
      secret:
        secret_name: authelia-internal
        path: 'identity_validation.reset_password.jwt.hmac.key'
  identity_providers:
    oidc:
      enabled: true
      hmac_secret:
        secret_name: authelia-internal
        path: 'identity_providers.oidc.hmac.key'
      # lifespans:
      #   access_token: '1 hour'
      #   authorize_code: '1 minute'
      #   id_token: '1 hour'
      #   refresh_token: '1 hour and 30 minutes'
      jwks:
        - algorithm: 'RS256'
          key:
            path: '/secrets/authelia-internal/oidc.jwks.key'
      cors:
        allowed_origins_from_client_redirect_uris: true
      clients:
        - client_id: 'grafana'
          client_name: 'Grafana'
          client_secret:
            path: '/secrets/authelia-oidc/client.grafana'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: true
          pkce_challenge_method: 'S256'
          redirect_uris:
            - 'https://grafana.kluster.moll.re/login/generic_oauth'
          scopes:
            - 'openid'
            - 'profile'
            - 'groups'
            - 'email'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_post'
          consent_mode: 'implicit'
        - client_id: 'recipes'
          client_name: 'Recipes'
          client_secret:
            path: '/secrets/authelia-oidc/client.recipes'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: true
          pkce_challenge_method: 'S256'
          redirect_uris:
            - 'https://recipes.kluster.moll.re/login'
          scopes:
            - 'openid'
            - 'email'
            - 'profile'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'gitea'
          client_name: 'Gitea'
          client_secret:
            path: '/secrets/authelia-oidc/client.gitea'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://git.kluster.moll.re/user/oauth2/authelia/callback'
          scopes:
            - 'openid'
            - 'email'
            - 'profile'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'argocd'
          client_name: 'Argo CD'
          client_secret:
            path: '/secrets/authelia-oidc/client.argocd'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://argocd.kluster.moll.re/auth/callback'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_post'
          consent_mode: 'implicit'
        - client_id: 'paperless'
          client_name: 'Paperless'
          client_secret:
            path: '/secrets/authelia-oidc/client.paperless'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://paperless.kluster.moll.re/accounts/oidc/authelia/login/callback/'
          scopes:
            - 'openid'
            - 'profile'
            - 'email'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'linkding'
          client_name: 'LinkDing'
          client_secret:
            path: '/secrets/authelia-oidc/client.linkding'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://linkding.kluster.moll.re/oidc/callback/'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_post'
          consent_mode: 'implicit'
        - client_id: 'todos'
          client_name: 'Todos'
          client_secret:
            path: '/secrets/authelia-oidc/client.todos'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://todos.kluster.moll.re/auth/openid/authelia'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'kitchenowl'
          client_name: 'KitchenOwl'
          client_secret:
            path: '/secrets/authelia-oidc/client.kitchenowl'
          public: false
          token_endpoint_auth_method: 'client_secret_post'
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://kitchen.kluster.moll.re/signin/redirect'
            - kitchenowl:///signin/redirect
            # mobile app as well
          scopes:
            - openid
            - email
            - profile
  # notifier
  # is set through a secret
 persistence:
  enabled: true
  storageClass: 'nfs-client'
 secret:
  mountPath: '/secrets'
  additionalSecrets:
    # the oidc client secrets referenced in the oidc config
    authelia-oidc: {}
    authelia-internal: {}
    authelia-ldap: {}
    authelia-smtp: {}
--- a/infrastructure/authelia/ingress.yaml
+++ b/infrastructure/authelia/ingress.yaml
@@ -0,0 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: authelia-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`auth.kluster.moll.re`)
      kind: Rule
      services:
        - name: authelia
          port: 80
  tls:
    certResolver: default-tls
--- a/infrastructure/authelia/kustomization.yaml
+++ b/infrastructure/authelia/kustomization.yaml
@@ -0,0 +1,32 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: authelia
 resources:
  - namespace.yaml
  # # As a user management tool, we use LDAP, more specifically, ligh ldap
  - lldap-credentials.sealedsecret.yaml
  - lldap.pvc.yaml
  - lldap.deployment.yaml
  - lldap.service.yaml
  # Authelia itself is installed as a helm chart
  - authelia-ldap.sealedsecret.yaml
  - authelia-oidc.sealedsecret.yaml
  - authelia-smtp.sealedsecret.yaml
  - authelia-internal.sealedsecret.yaml
  - ingress.yaml
 images:
  - name: lldap
    newName: nitnelave/lldap
    newTag: latest
 helmCharts:
  - name: authelia
    releaseName: authelia
    version: 0.10.10
    repo: https://charts.authelia.com
    valuesFile: authelia.values.yaml
--- a/infrastructure/authelia/lldap-credentials.sealedsecret.yaml
+++ b/infrastructure/authelia/lldap-credentials.sealedsecret.yaml
@@ -0,0 +1,18 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: lldap-credentials
  namespace: authelia
 spec:
  encryptedData:
    base-dn: AgBC27VFLsDFHQ6qMN3kbyilhgRwa++hJ5uDsBOqtemO4mOj3nw3/79SJRrO4201zeFq54WJaG5tRHS4SaB5+hYMjdZKqtgTE5Cl9amKIXsfZOzHQ8bKj//WJZYgfmfPxDm5tVdElvF0CGJQMf4SbN52F4V5ujnl2x/j2Qu6gyoJdTaa8lRRIOewXrgOc16lGuAmgVIFB3KR9SEOiSQb2sJxi4tbBPvu0qcLnnfq8/roWouqlfNycanf+Smgc23P112U4ZcirF/oSoeYjUxSy/yxRMrfSzrcxjLPMeb0hyHgsKpFc17YghBt6Ofqx/JOeb4rCZUAGe2PJYoNg6EvGNlgiL02h5TqPF0GfZ02QLiEVK+jUkrEZGMEqEl97iw8juVW3fFJQpcZxyA4eZWAN2ocH7LjDg/UaPvjaZzXbkkva92X1g9LXFCukbMXYoR6QrRI4AyjLWdAHRlBm1M/7w0x5SH3uh05MR3Su0uhRgwreKxJGndd02SsWYs3I9+xM4RjzIs//aNYvhoUgeMzvhIjda8Jut4HzCTqcycIwxkE9aIUlSAgcS+0HrLuvMb236F5OROz2kwx187KlZn6FlK5vDO3m1pWQwmq2E2q0oRhg2mOJDSexzKwzaTkvOdtNiEOWgitYkML93L9I+9scDd3RbIfA5ejOKu5+JR+8cxpwvO5puURvyzI4BTZcTSj+Jnm6MK0pl6tJgfHtgt/
    jwt-secret: AgCI0LA/Y2ZTUl1VZax9Wqd5DxC9OFDe3NfWH9Mr85N5xbF6X5oe49fjW0GTjBE2cytN4aCUy+Gu5kAuo2qgfF1p5XyFY42Tg8q8fyF+LMN0Uu3JlgyA1D3ql0ePc5kNKxD8TRsfcWZOX/KtIWiZxceQ4YJi+OY/7llso3ZiGRCwzV1pXPoFd7A9dSA0qbUklpFI/58VkAUJ1HSel5oCx0JUfxZZAHQaCo72ZPqhbAskOZ4ofH1hzq66NJG5VbOhtBWkPDi4e82OOgT1VqiOiVOUC3w0GAvt6S1SD5P3N2FRqUbRag02rETnja/uahRKDHvLJG82zHXDVGxt5aZQ7bKRYe93gizCaZ4mTfAgrEaz9ys3ywRNr8UL7Cda18YWghvyOqDJSNePn6tUsntc2wA5rRhkPV3NKEhi0Tskqalc8zKXTf4MrX1WJSKw2D8i2l1B6Z7/UhjncAZKaAz7pky33QlitaDtp4Jg4k/ERcqcODB8jG+7oW17At96tXpiqCu6LUki4gkMrtsojRyaVHhl12w4XjVUHW9DyyzELlUT3CluF42wN9zyqDuyhPsuuIr4JrrhNrjvhFU6dcWppvjOvaZMIBvHH5A77F7LDVoCcLwYlrqmpnpxmateeIQHC8IId2JcFlg5CbD3abN9CjtUpoK8ZDRiEt3ULNkyOZ7z1hSfwa9TpJ//HkpWoXsO1b16+ZcNUdM=
    ldap-user-pass: AgBX8ryuZX2fr6CZDaYOR54I445RNY123jp5LpyYLtB4QQljzmD6CC9BIOP5eju46cu5q/GoMSRdz5OthSLXfUB+I0iRrq+yI4bWpckpcrecNa0eJn0PAbWoI+T4gfAbkOxLLz1+yfG8J2PKqwZGVmpBqSBaqw1PQnkj8HggP05YtU8kfmH8W+Gi6c5mOBOL6RtIOgWW0pHgz1OZRKLKgyb70D+suvK1Xw9cKehkNoWtbmS9YvB+2lXZpWPW96Bw1mYnilEWr5WgMRz5aYYShe7/yf9OaFHfHpORgH42dpt+nvMSb5fY8nYVjEm6cYyS/mRm7H5cuBYwj5XnghAAoSIhX1B2KxIhbLh+yvFo+y1tdZB+q7sbJHFTegqRXi/eVvM3qkqTxksxhw9kGvCT/v7vRlS6jXHNTk1wS/Ka40Sv2AHaKlg/cMLQGZZur2LJcCZW6UVZwc2uqpJuszm1RwNX7hiTe+Pj1nCE+Iu/nHJrsk4SVEVcsRGOCAQjXwCXqbkuCz8dqZvCHVYBa2qIZTEd4gTXPjabaabudUzAXRiBg1SHLTVwz4HszUY3yfKASNdpYSxZwHTDt/BTENC8NJyT0Y48Daw26uS3U+87Ntsoe0gruccamhoKPdZlzA9Pl1hoD/GEryhVCLbuUhHC02qGo7WhjPaDZ/Cguu906e6qR4bq78PqBMiz6XllZgrZ0QMshT8/ubo9Bh7HxUD0aw==
  template:
    metadata:
      creationTimestamp: null
      name: lldap-credentials
      namespace: authelia
    type: Opaque
--- a/infrastructure/authelia/lldap.deployment.yaml
+++ b/infrastructure/authelia/lldap.deployment.yaml
@@ -0,0 +1,54 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
    app: lldap
  name: lldap
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: lldap
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: lldap
    spec:
      containers:
        - env:
            - name: GID
              value: "1001"
            - name: LLDAP_JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: lldap-credentials
                  key: jwt-secret
            - name: LLDAP_LDAP_BASE_DN
              valueFrom:
                secretKeyRef:
                  name: lldap-credentials
                  key: base-dn
            - name: LLDAP_LDAP_USER_PASS
              valueFrom:
                secretKeyRef:
                  name: lldap-credentials
                  key: ldap-user-pass
            - name: TZ
              value: Europe/Berlin
            - name: UID
              value: "1001"
          image: lldap
          name: lldap
          ports:
            - containerPort: 3890
            - containerPort: 17170
          volumeMounts:
            - mountPath: /data
              name: lldap-data
      restartPolicy: Always
      volumes:
        - name: lldap-data
          persistentVolumeClaim:
            claimName: lldap-data
--- a/infrastructure/authelia/lldap.pvc.yaml
+++ b/infrastructure/authelia/lldap.pvc.yaml
@@ -0,0 +1,11 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: lldap-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/infrastructure/authelia/lldap.service.yaml
+++ b/infrastructure/authelia/lldap.service.yaml
@@ -0,0 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: lldap
 spec:
  selector:
    app: lldap
  ports:
  - port: 3890
    targetPort: 3890
--- a/infrastructure/authelia/namespace.yaml
+++ b/infrastructure/authelia/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/infrastructure/backup/README.md
+++ b/infrastructure/backup/README.md
@@ -1,15 +1,8 @@
-# How to restore
+# How to initialize a new target
 I used multiple targets for backup. Each target needs to be initialized with a repository.
-1.  Port forward the rest api for gcloud
+After the target (bucket or other) is created, run the following command **locally** to initialize the target:
    ```bash
    kubectl port-forward -n backup service/rclone-gcloud 8000
    ```
-2. Load the snapshots locally
+```bash
-    ```bash
+restic -r <target> init
-    restic -r rest:http://127.0.0.1:8000/kluster mount /mnt/restic
+```
    ```
    (The password is in a secret)
 3. Copy relevant files to the correct location on the NAS
--- a/infrastructure/backup/backblaze-credentials.sealedsecret.yaml
+++ b/infrastructure/backup/backblaze-credentials.sealedsecret.yaml
@@ -7,10 +7,10 @@ metadata:
  namespace: backup
 spec:
  encryptedData:
-    bucket-id: AgBwwjlkGjskxMXXpXrnfcT9fJGgDXtbOO/6WcpqsX0exoADw31dADjLTHztiddsGYipiGFf2DBWge69UEnL04NXIzh/xTwWtWaqlz6yOJm/89FMQE1mfbrrLc7tk98TO3oS8i+IDAnkUiYyvDXJexgJg56QLY595PXkpplYit2bAk43mAB02yUZAK0gMs3KRDIvhHFsMq8Uiqx78En5KGGXwEg6KbVDyNvI2k8suEyy+C0yNO/M6dlczoUQiIJbllQzbqIzuxbOp609PfvGFAYHuPlz1kwsg+feZJ3kNsHYi4hWvpd64BWb30iO9J3dAYfW6d7C61t3S5uabmnd9E7bMYZA/OppD8SCknBFalXF91BUiJao9qBVd/BB7TCZOzhdzhxTW+FhgARcA+GIfg+nIzgBqHfAfQQmAOO2RZnsWrvMysyZaUpODvU8kSsLWZJ3CESVRVU3BHmJZpyxjX/s6QEXShQXZaLq54zoFJULZU/kbom5yFNNDWW5sKbURPvbKJcf/J9QabY5toO4yOwDk96Sr/FI+CHHvMh8/amigva0Upq6naiTHXMf4BR6+w3VKP5ALn5cbD5jG7EpUA/j1roMoLn68GMAtTJDLvSq2BGeJENWrUpOmjWZHDKZy8DEKorJk/Wbp46ksteSALE8eXpi4DRKXYDPvDb57EhzoJGQ9NMXgAvU9+1vw2nyTZE4gAWKpg0JkiHglu4Om79HfuGuewzJXlY=
+    bucket-id: AgBZ4U2eKOmIy5oj7KLvDy7LYi41KtyZLYhMsxRcKYeQVW0lYetrsHbnsCTsw1u3kqI6pSrjUVQslpOupAlwmEdwpT5pSfAvgmLpl8NV8JFLSf1vv4cd0yBe3raFxTtTjmt9BPrEaZY1NrvW2l9SeK1JsRBJoVo9+NOlNmMWAsABi2iK/r2O9bTr9e9sOKH1DQZrvxgZKYRH40CosaQL7eBJR9EZcxSvCCp5mjZISuVI0FSgA+Xj1pXODvnf7cXkDMRg6mDDOkdYCZsQ+3a7/YZkoDBEcrO734WojHDDMLVq8lEOqzepJZJnje0jLjz5vn2pDYKGe7j3cbmMPUsNpSnUDmjFFuXTIS70RIoHUAVaPvdRpWlhYYeZiwecc+Y8gKramApCYKuUUzu8opIcckpGd/qzHCaKPyKL7qwtm9aA1rkaKLkrYjJkIhF32gp6E1qiea2L4QQD3ww/2r3UryLHygNeiNbey22covJsABA15B7LbGBaNCHhj1sqaboYvDg+FWK+Nu09UYuIvvQYw2vhKWREILbtRbyHq5J46mWtekSA0B4JU/mZL/GKwGIyS32pSZGo8gFnNzpJUDC5aNSpOPdE0FyeuJ8o+XVA43Rs6DE6885uAYMGTZhNWLZtsgOIs45ly0o8Phg02P1KvWmZzyitHWpWyAW9TXADh4GETJbFOcH7AjrrAVC5+bqI6Dx8O3qM8wnN/5MTo3EnL/lxg1wBf2c1SQU=
-    key-id: AgBe4Iytjw9CkT7CqqNLHWyG4F8F+R6m8W1fnQZdGJvLy7D81+nB2ZDMCUZgUQV/mppGnXCkSxHyelcyTYCswQ9bD8hZsAIiQACq39v2UFxdORFEgNMj4bTWPo65fwhSK2giozPqN/4lzPopP91uyq1Z0gQaiqn/HDtbfNjq+Nu9kPmV06O1NUj1f7QqvfsMK+Xadv0G+DAA+ClGaq1q3fZPDkl2MSDdbEPGq+fLPK2DSdYu9fr1bc9TPyaU5JDFvGrCg8Nyigugi4wVGjQFtVwR1QsHAADmnoDAdXoj1Sz65QO5F+zNaDZWvnLnVFxAFrXJHihilc4ilAc8hSpE6YHQm7dGO5gGejLRNaaCspb/fPJD1g2XlnkckhFCSwd9sHNrXb07BZk8gFTHfndEC0t2UyUNloYpXsfap6fvehPK91ey35jbxDk9zYdgKZ7bz/tY0450CkofSbhisf2DwS3prt5YCEDaXasrpUqlk4dSbmLaGm6aee8lM5VpO8qYE56nvXY7qr0yB6z/NGWuLX3oH3fV+C8hH1P4mxDjvVEFdtewlF50Bf9WFoE7KpboSvmChZhBfjOkbtsGmQE41ZuNoYVupetXn6IfvYo6MzGoG6dTRVpJ5S2KLQDtsUljQfXJDFCSYwo87DD2dGBEn/z9GFCIPAYNO2ewzU4RUgcXPuDD4I2tdNIC+xdEBZq7BaWn/46Yfc1+FAWUA9VWEL/9kz5tK6hFD3Ww
+    key-id: AgCPco6/scrq+3BDVimLOssVYG78vAmNOLgo4ZM9k+ayfy9morHOBQRflAJDrLO+F/2fJFM0WvZ+8gd+NnR7W6i7R3wGImN5xr115sCsBWUAM7ued7QunyrumB+Sw/o1FDcW4+S5bqwONtr07bS/M5dYM7l8Uy1zO3BOxtvWOMqdEzSrmyW/j2Kg3tQq1lEze/TOPjS4LgXqqWMWHVCyzJTpfImS3u73EUisVQBPqO7y1m3fEUvZuqVeJVK9hT3PPGuX2HUAVcIMMKWIhsA2/aMYhHQ/J0UOgc/YrGzU6DWVQoaetAHPPrt+fFQXL+MbDVaLQwk18AaRe8vhMXMwWakQEzK3fGtwPeklJB78OV4HNwpGXGFQWr1wU+T1evMJ5mv8O4VvWg7pu6blwjLCEseaCuwib5tPghIFT+LXpl2jPuyRveD5Qdl4seDZwoE9joaTWlcPreQYfuCwsQnBX25Owf4uo3XzVuVrHHRfm4O7g2VqhI5W3NcVwKhfXKuqUKDfsAmbX/RlwcihmlX6UySL42EIO5Z3xcFqEtQzba3IYgLOP8yRjGzRKUklcKFjrtoa+ZQjewKjS5x685Ffjgb4PCmpearUlVeboqH34zQBiflnecZQrwdhntVRfd3F0tkbtA/Th550IqYwezBv3AqVwZZPm+q3jeM7i0HDu6JzVYsUVpxe2MTVSKncy2p6wihhdbJeTO0gnHHydlUsyd2C2P2pXUppgjoY
-    key-secret: AgBcKSHdXHeNBzkZRtbaOEZra7AAWVlzmubaQoklECr14gKNL7rTReqX87qQObjQjmGKXtnJlKXIVHGDuiuHGkqfxQ9PCxccvpA3/7LdbFZnZtlFDWpAv+VB6Tp7H7Quho/GeAo8u6de0BXz85lz7+RyDCssBpuuzpchMgOlcEmhhfgQM5E6ye7bD6LpAZWcay3PV6FW2xTrJvLobpCcJordye6iTdSySPKdk6zflkon9h1KuQT+njmW4cfTQg/u7iS/NDQYcHdCpDHRLCor4GkVmi7NW8q+WuYhUSGWBy55SGvcUobhUL7GEHFJZpKmyrBOwSbwiWUDoN+NjI2TR5xvG0Ldjd/Hj32Vk29I+xSnj/O7pZj5ho35qExlZ/WCe42i0VHjzHFbOoU1MkqB+Skm24L1cLufhyNBtA8NNN3GWZhkcozpe164gpx4H/Vfe0UyzxUn4VJIws/IXYiLb4DgDkGrV+wzigN2QfSgTgs6syQkSs4UJ4gUZeN0jsyq0YHIhq1VZ8qPtLH310d8LZLxpTjZdO0obBwJfnHkg3blwSABEt5756C5DvjKmvO1pjG+JX/PJ0yAINL9Sc+FsY7TnGlItVzD830NcZ3Gg9C4Tg4xBEHybUWCSl1rJjwMvmUvVKNcIzLBHPAOyle1VLTZ37zb13MnhwNwdUtBu7+RZTy9wVO26iqemXTtFVj13kgZkJsyLjM6bo2y2wvFmjBCV9EKQtm87ROStM7iKB46
+    key-secret: AgAQ9GBMK/sXev8MKfCeYYgtf3tW93xvDn2jjTHaO/trAoU2OgWMS3kWKme/E+ONOxVOA3qonHhUgXcWxyut4OgMFJj2yBGRb+TqD+e0fE0KCqAwRKuYhXgFFl5SgAPZiWOAnYIJM16xu5Ci3UbrM8a8QAXAVV9aH3eT5HMF+GeqgSvhEVEQO1C8KOjVkawoqIHmDmr5KUbK4SFnIut+zCz/2HQLApNkZhPUY2whZOZjz4rwMtu2NDu8k08lI3Zl03OAw38rsbcNfZC8KbENsf1vthn5YpVJomcJKp/prgEp+/C64ZexgBWzZysq1WHs96F8R/ZmgD/Hu1Am/VjvHoFrfbLvXYUZzXGhyCBjhSwqcysm08uI5FvCs9F7WGVbYe5M/sYUMMJwLP5iILd2fkodm/+GWgl/p3EzQ76aCH85FqFhL3/9zA69bM8mZUpVG85i2yNJ9HvLe8z2EnZrh4BTgMRod/DsP9qN5NlofP0dJhK4SyXvy6M+ZO2V7CE4ksLvdWWXcJFmzuiG35DC/dQYHu8tcgywYyFVOw6uAetXSVrIzgGSCche1PZ7RKz2N4CqV5eTe6zUAgNPf4IxPne86f2AGKkivh+QcsIqfXkkR4OzcMslaKskkCniKD0IMf2aFHniSWzivi07gk5PYDxjwpa9AM2yUGRXYTcDSZquNXAt4SxE1YLDb5twZ8JyPP1Q884dwJ3+/M1DwTJj4CewO+zhH4MIURfRaGvipwsV
-    repository-string: AgAEYSqT6VR4OKW9/ZDgjYV+rm4tK3uucZsQG2u7W+8rRO0Rowkuba1AbybjgTE+G3q8si/GtlgsB1J8suvztHcVLNxg0y0Olb40pn2sZjKd85Q8AzsM0pFMkzme1lvnwu1Bcgd6Ck+FCr4CuUnh+UvJM5iWhAoSHJtdBb/EKw2F1BhewAqMXSX4oWM7V/T8RTtW2wBUk4wgX4ia+gCBPMpTo6i00ZtSpRB3Ub9VfGJfRmiXZA7oh5j3yN9nJlXonbJYBp4DNWod76CF7s35HBnSzS7YfIV80R4lH4xAPgRbZ0tvPWkTLMhSBX8rJCEnxT7DjL2lS7WfyboLdL4Uy8WmP7n2difZSr7p2iic6SCP44YgQ8JY5UgXh2QZENQ6oLvjK/PpFTjQ4bfw3E1/dakg1EdCYc/6DPyK3YekccUe/pXvVBrazpgObxXWeKKT6RMDeYWLUXTBHWhJ5OaJHHePD5t9IM65FlFTtkuUFbxExTi/u+RczBlWWcy10Yow3I3LGrDPJ/PfBy4RPfHCeQDQ+WoLJkNT20nu5mBXEYYKgNvgdn4yogifSiNG8vsNpo4dO89aHppbnHdmdp7F9asfbn27btEoFoHzIFku/mEnY5srs+Smrhhzy0+iPKge9LOuW33Gi4oJban1UYFvLAjq8YsZGkbIO82r2p+v15UjwU3girWPl1KBUc8WzLJtnqBvRPWS1ul6/X9JIdmmrHJjC0KlcGiVMU/Ls9ljnQj7dgLXuDW7JzuK3MhTWV3Y2kS39ze3TskCKcbL
+    repository-string: AgBuD/n5Pnz2AwkFUR6ChGSPMTahm5fdStTay2dD12g+IJC+zNKGlY96rxy1RRLpGJi9sj5UzqIjWd2ke+BB9Xx3RfNygh+hjQEqwb15Z5w8Vo2j7iNRYdjqm/q/ug337Ycc+p2AAxEaA4GZln+Ujq7Xh0m0mOg58N640A+zuav5Xg8dQvUoO5vrqcx8lKzUwZuEayjubZPOZDtED14bTj8FWp6a8A88PjvH+xX9ZCi+omuplHFD8+iJyHewMaPq8CPxsa90J/jHR0FyEzkPcx3/zxryeodQFSiCtvMEb4TZsABMYGlFWOdJwqTcPvqSLRZH9Emx7NmaapknERxuoozDegl/KYF8GpshizBcHaV2YEPxNFiAcPMAqmLTJc0E8SbtGcWeilVdqz2z0+Ezqs0VL5DRICBVFg+HT01bYg3yL8FYd3dfeXepijXurMJodL+pORy0y6NeS9dSvOTqoGr7mf/SeaXSMG+cdHw1+V88CVozqFgV7yLe3NzoOPSIgjyoHckpprZSZHfYF9bgX4r8tT1vrlZqN/KlBcbyYsexYK9+s866b9rpZppvgYx1I50sWm+bAeMEYrVBy2sm6fAbpb1U+3+j9CICVnJ0E1VRyOCRCvh3ncpCRgDhvXAfZTMujxGWR6m9nAi6ixp6nLx3oWsgnszK0kAoxKoHTFiNGzdpr9M092ziBnjPosmLp4fV/HdmWKlldWMsbo0HkdMmPQlKQXmtzZ09WgeSHRh1T/3rSybzwXfukh1tj1IcVIM=
  template:
    metadata:
      creationTimestamp: null
--- a/infrastructure/backup/cronjobs-base/cronjob.yaml
+++ b/infrastructure/backup/cronjobs-base/cronjob.yaml
@@ -1,7 +1,7 @@
 apiVersion: batch/v1
 kind: CronJob
 metadata:
-  name: restic-rclone-gdrive
+  name: restic-backblaze
 spec:
  successfulJobsHistoryLimit: 2
@@ -12,7 +12,7 @@ spec:
      template:
        spec:
          restartPolicy: Never
-          hostname: restic-k3s-pod
+          hostname: restic-kluster
          # used by restic to identify the host
          containers:
          # run after completion of initContainers
@@ -62,7 +62,7 @@ spec:
                  secretKeyRef:
                    name: backblaze-credentials
                    key: key-id
-              - name: AWS_ACCESS_KEY
+              - name: AWS_SECRET_ACCESS_KEY
                valueFrom:
                  secretKeyRef:
                    name: backblaze-credentials
--- a/infrastructure/backup/cronjobs-overlays/applying.md
+++ b/infrastructure/backup/cronjobs-overlays/applying.md
@@ -1,8 +0,0 @@
 ```
 k kustomize backup/overlays/backup | k apply -f -
 > secret/restic-credentials-backup created
 > cronjob.batch/restic-backblaze-backup created
 k kustomize backup/overlays/prune | k apply -f -
 > secret/restic-credentials-prune created
 > cronjob.batch/restic-backblaze-prune created
 ```
--- a/infrastructure/backup/cronjobs-overlays/backup/kustomization.yaml
+++ b/infrastructure/backup/cronjobs-overlays/backup/kustomization.yaml
@@ -13,12 +13,12 @@ patches:
  - path: restic-commands.yaml
    target:
      kind: CronJob
-      name: restic-rclone-gdrive
+      name: restic-backblaze
  - target:
      kind: CronJob
-      name: restic-rclone-gdrive
+      name: restic-backblaze
      # replace the name of the cronjob
    patch: |-
      - op: replace
        path: /metadata/name
-        value: restic-gdrive-backup
+        value: restic-backblaze-backup
--- a/Show More
+++ b/Show More