Update Helm release prometheus-node-exporter to v4.49.0

2025-10-25 15:05:59 +00:00
53 changed files with 148 additions and 300 deletions
--- a/apps/adguard/kustomization.yaml
+++ b/apps/adguard/kustomization.yaml
@@ -10,7 +10,7 @@ resources:
 images:
  - name: adguard/adguardhome
    newName: adguard/adguardhome
-    newTag: v0.107.71
+    newTag: v0.107.67
 namespace: adguard
--- a/apps/audiobookshelf/ingress.yaml
+++ b/apps/audiobookshelf/ingress.yaml
@@ -9,20 +9,9 @@ spec:
  routes:
  - match: Host(`audiobookshelf.kluster.moll.re`)
    kind: Rule
    middlewares:
    - name: buffering
    services:
    - name: audiobookshelf-web
      port: 80
  tls:
-    certResolver: default-tls
+    certResolver: default-tls 
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: buffering
 spec:
  buffering:
    maxRequestBodyBytes: 10000000000 # approx 10gb
    memRequestBodyBytes: 1048576
--- a/apps/audiobookshelf/kustomization.yaml
+++ b/apps/audiobookshelf/kustomization.yaml
@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
  - name: audiobookshelf
    newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.32.1"
+    newTag: "2.29.0"
--- a/apps/files/kustomization.yaml
+++ b/apps/files/kustomization.yaml
@@ -13,4 +13,4 @@ namespace: files
 images:
  - name: ocis
    newName: owncloud/ocis
-    newTag: "7.3.1"
+    newTag: "7.3.0"
--- a/apps/finance/kustomization.yaml
+++ b/apps/finance/kustomization.yaml
@@ -14,4 +14,4 @@ resources:
 images:
  - name: actualbudget
    newName: actualbudget/actual-server
-    newTag: 25.12.0
+    newTag: 25.10.0
--- a/apps/grafana/kustomization.yaml
+++ b/apps/grafana/kustomization.yaml
@@ -17,5 +17,5 @@ helmCharts:
  - releaseName: grafana
    name: grafana
    repo: https://grafana.github.io/helm-charts
-    version: 10.4.1
+    version: 10.1.2
    valuesFile: grafana.values.yaml
--- a/apps/homeassistant/base/kustomization.yaml
+++ b/apps/homeassistant/base/kustomization.yaml
@@ -1,20 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  # - namespace.yaml # not managed by kustomize but created as needed by the argo app. creates conflicts otherwise since both overlays share the same namespace
  - ingress.yaml
  - pvc.yaml
  - service.yaml
  - deployment.yaml
  - servicemonitor.yaml
 images:
  - name: homeassistant
    newName: homeassistant/home-assistant
    newTag: "2025.12"
 configurations:
  # allow nameReference to work with different mentions of the same resource as well
  - name_reference.yaml
--- a/apps/homeassistant/base/name_reference.yaml
+++ b/apps/homeassistant/base/name_reference.yaml
@@ -1,32 +0,0 @@
 nameReference:
  # Tie target Service metadata.name to other ingressroute fields
  - kind: Service
    fieldSpecs:
      # rewrite the backend service name
      - kind: IngressRoute
        group: traefik.io
        version: v1alpha1
        path: spec/routes/services/name
      # adapt the ingress url
      # DOES NOT WORK
      - kind: IngressRoute
        group: traefik.io
        version: v1alpha1
        path: /spec/routes/match
        create: false
      # adapt any middleware names
      - kind: IngressRoute
        group: traefik.io
        version: v1alpha1
        path: spec/routes/middlewares/name
  # Update deployment volume mounts according to name changes in the sealedsecret
  - kind: SealedSecret
    fieldSpecs:
      # volume mounts:
      - kind: Deployment
        group: apps
        version: v1
        path: spec/template/spec/volumes/secret/secretName
--- a/apps/homeassistant/base/deployment.yaml
+++ b/apps/homeassistant/base/deployment.yaml
@@ -34,3 +34,4 @@ spec:
        - name: config-dir
          persistentVolumeClaim:
            claimName: config
--- a/apps/homeassistant/base/ingress.yaml
+++ b/apps/homeassistant/base/ingress.yaml
@@ -1,17 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: homeassistant
+  name: homeassistant-ingress
 spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`homeassistant.kluster.moll.re`)
+    - match: Host(`home.kluster.moll.re`) && !Path(`/api/prometheus`)
      middlewares:
-        - name: homeassistant
+        - name: homeassistant-websocket
      kind: Rule
      services:
-        - name: homeassistant
+        - name: homeassistant-web
          port: 8123
  tls:
    certResolver: default-tls
@@ -19,7 +19,7 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: homeassistant
+  name: homeassistant-websocket
 spec:
  headers:
    customRequestHeaders:
--- a/apps/homeassistant/kustomization.yaml
+++ b/apps/homeassistant/kustomization.yaml
@@ -0,0 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: homeassistant
 resources: 
  - namespace.yaml
  - ingress.yaml
  - pvc.yaml
  - service.yaml
  - deployment.yaml
  - servicemonitor.yaml
 images:
  - name: homeassistant
    newName: homeassistant/home-assistant
    newTag: "2025.10"
--- a/apps/homeassistant/base/namespace.yaml
+++ b/apps/homeassistant/base/namespace.yaml
--- a/apps/homeassistant/overlays/flat/ingress.patch.yaml
+++ b/apps/homeassistant/overlays/flat/ingress.patch.yaml
@@ -1,3 +0,0 @@
 - op: replace
  path: /spec/routes/0/match
  value: Host(`home.kluster.moll.re`)
--- a/apps/homeassistant/overlays/flat/kustomization.yaml
+++ b/apps/homeassistant/overlays/flat/kustomization.yaml
@@ -1,17 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ../../base
 namespace: homeassistant
 nameSuffix: -flat
 labels:
  - includeSelectors: true
    pairs:
      env: flat
 patches:
  - path: ingress.patch.yaml
    target:
      kind: IngressRoute
--- a/apps/homeassistant/overlays/house/ingress.patch.yaml
+++ b/apps/homeassistant/overlays/house/ingress.patch.yaml
@@ -1,3 +0,0 @@
 - op: replace
  path: /spec/routes/0/match
  value: Host(`home-house.kluster.moll.re`)
--- a/apps/homeassistant/overlays/house/kustomization.yaml
+++ b/apps/homeassistant/overlays/house/kustomization.yaml
@@ -1,28 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ../../base
  - wireguard-config.sealedsecret.yaml
 namespace: homeassistant
 nameSuffix: -house
 labels:
  - includeSelectors: true
    pairs:
      env: house
 images:
  - name: wireguard
    newName: ghcr.io/linuxserver/wireguard
    newTag: "1.0.20250521"
 patches:
  - path: wireguard.deployment.yaml
    target:
      kind: Deployment
      name: homeassistant
  - path: ingress.patch.yaml
    target:
      kind: IngressRoute
--- a/apps/homeassistant/overlays/house/wireguard-config.sealedsecret.yaml
+++ b/apps/homeassistant/overlays/house/wireguard-config.sealedsecret.yaml
@@ -1,17 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  # WARNING - the originial secret was named wireguard-config-house, but we remove the suffix here, anticipating that it will be created by the kustomization overlay
  name: wireguard-config
  namespace: homeassistant
 spec:
  encryptedData:
    wireguard.conf: AgAz726k7X6IsabWUPX8kQ8r19mBq/N+YytlFS1gW2LUiYqc6H/O5/tqma5lLcazuxtsQhebeoitp2SkH7jTU8vRxn2tDWpyzcJr+BW4vKnghw5NhMbkNOzl7mvc7QIJk6rmRyD1umu33v6x8u3St9TVsUOI1zXJyXHxlbLdHVCORhgV79CGLjghpi23KyyFu6LzNrE5rhpB0Q7NzPUmbm5MHPNbtLsmImd/CZ9XjbyXSq0be8BgpUtGDE/NMx65G2+lLIw3EgbNwlirw/XKrM+pUIvEI6CxuNhbEM7KxCYlq2Du6bm7XsKHRzNu9oSfH+P4DaDoDt+M5k5miv4B8TIKXg7piy5mThXSTcVf5YpLJCiTfMDZOriG1ygr9gbJPYY1jumZA+vsZCvBx1o21BlNycWZWKBeYZZh47Hz9FGI/Smn8dOs5exZ34MrQtM4OuEqC/cJY8fdQ+nmGMezL0IKdbtpWgq5UqNH/wWv3F9kItB4KlSD4YtEGaY2z68BJG6t+9igSJCWmVca0EbOzhV0s5rI39ASVXOO50x774EEWUueoyfI+l5vwtQhc96I5Qn3kbFhwov0tHMg/IGBtS/7XdBBtOBx9KbcUHq1GlwWzQdw8WnRB6yyUVCqXyuExRhMPz5orqkTQwiUM2Fjse7xxnaEA0mbi0TVPKV/sFgWixvHqy3VAc1Jj6MEAWFAu+kPVlOFFCckEC5kPhNPFhBMeYX/3IblRjly/EHvrbrW/eFjNYE7bqpSCVhkB8bOXbJqt29V3+ffM1z/RkdSusgqdwid9CXhQw6SKAI/vcAqqxXdzcsbG1wsgP9bJ1Gk/i9ch8zUn7MwcFe6Tla86+xeiDIAmQmA7rhtmWhyyuxXdw+HXAFNhrbxHaUw3LZOExM+RzhWNepjSLnCBqnrtPkzFrHE02JKebWzX+IRZIOsEXJVhKTiSSjoB2v8h956kO+C7bdHz8GbxoJKJ7anrqFG13A//XLy5PvKr50qs/gQptrl9UtR7oj981bSDTVVa8h3OXbGLkZXly/qxsh5DlEjwnw2/2UqS+5yTT4FO/dNVtHryJ2tbc8ZuIHb6C/pQygqpseagthkm5T+Dv0T2xWpXFrvuktGNm58Cwg9bwNMcC6iofcjQP5JeNcat3RwzbJ9xwU4Nm8xLRMMc0ul6xUHRrL3ZjDfWHLuSuTp28HqXZ6xSKLlrRVjwZ6Mp/hhxj58SfVfLVIQxatGkwnIaHEFWE2n3S7m/iQO9tZIWCx5Yfs15atb1Ze8HjKjQ4o3sfaMD8Eokj9aFnXQQxpnOuSI3NLETe79QQ==
  template:
    metadata:
      creationTimestamp: null
      name: wireguard-config-house
      namespace: homeassistant
    type: Opaque
--- a/apps/homeassistant/overlays/house/wireguard.deployment.yaml
+++ b/apps/homeassistant/overlays/house/wireguard.deployment.yaml
@@ -1,24 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: homeassistant
 spec:
  template:
    spec:
      containers:
      - name: wireguard-sidecar
        image: wireguard
        securityContext:
          privileged: true
        volumeMounts:
        - name: wireguard-config
          mountPath: /config/wg_confs/
      volumes:
      - name: wireguard-config
        secret:
          secretName: wireguard-config
--- a/apps/homeassistant/base/pvc.yaml
+++ b/apps/homeassistant/base/pvc.yaml
--- a/apps/homeassistant/base/service.yaml
+++ b/apps/homeassistant/base/service.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: homeassistant
+  name: homeassistant-web
  labels:
    app: homeassistant
 spec:
@@ -10,4 +10,4 @@ spec:
  ports:
  - port: 8123
    targetPort: 8123
-    name: http
+    name: http
--- a/apps/homeassistant/base/servicemonitor.yaml
+++ b/apps/homeassistant/base/servicemonitor.yaml
--- a/apps/immich/immich.postgres.yaml
+++ b/apps/immich/immich.postgres.yaml
@@ -32,8 +32,8 @@ spec:
  resources:
    limits:
-      cpu: '2'
+      cpu: 2
-      memory: 1Gi
+      memory: 1024Mi
    requests:
      cpu: 50m
      memory: 512Mi
--- a/apps/immich/ingress.yaml
+++ b/apps/immich/ingress.yaml
@@ -18,7 +18,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`immich.kluster.moll.re`) || Host(`photos.kluster.moll.re`)
+    - match: Host(`immich.kluster.moll.re`)
      kind: Rule
      services:
        - name: immich-server
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
@@ -6,7 +6,7 @@ resources:
  - pvc.yaml
  - immich.postgres.yaml
  - postgres.sealedsecret.yaml
-  # - servicemonitor.yaml
+  - servicemonitor.yaml
 namespace: immich
@@ -15,13 +15,20 @@ namespace: immich
 helmCharts:
  - name: immich
    releaseName: immich
-    version: 0.10.3
+    version: 0.9.3
    valuesFile: values.yaml
    repo: https://immich-app.github.io/immich-charts
 images:
  - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v2.3.1
+    newTag: v1.144.1
  - name: ghcr.io/immich-app/immich-server
-    newTag: v2.3.1
+    newTag: v1.144.1
 patches:
  - path: patch-redis-pvc.yaml
    target:
      kind: StatefulSet
      name: immich-redis-master
--- a/apps/immich/patch-redis-pvc.yaml
+++ b/apps/immich/patch-redis-pvc.yaml
@@ -0,0 +1,17 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: immich-redis-master
 spec:
  volumeClaimTemplates:
  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: redis-data
    spec:
      storageClassName: nfs-client
      accessModes:
        - ReadWriteMany
      resources:
        requests:
          storage: 2Gi
--- a/apps/immich/renovate.json
+++ b/apps/immich/renovate.json
@@ -1,10 +1,10 @@
 {
-  "packageRules": [
+    "packageRules": [
-    {
+      {
-      "matchDatasources": ["docker"],
+        "matchDatasources": ["docker"],
-      "matchPackagePrefixes": ["ghcr.io/immich-app/"],
+        "matchPackagePrefixes": ["ghcr.io/immich-app/"],
-      "groupName": "Immich containers",
+        "groupName": "Immich containers",
-      "groupSlug": "immich-app-images"
+        "groupSlug": "immich-app-images"
-    }
+      }
-  ]
+    ]
-}
+  }
--- a/apps/immich/servicemonitor.yaml
+++ b/apps/immich/servicemonitor.yaml
@@ -6,9 +6,9 @@ spec:
  endpoints:
  - port: metrics-api
    scheme: http
-    path: /metrics
+  - port: metrics-ms
    scheme: http
  selector:
    matchLabels:
-      # app.kubernetes.io/name: server
+      app.kubernetes.io/name: server
      app.kubernetes.io/service: immich-server
      app.kubernetes.io/instance: immich
--- a/apps/immich/values.yaml
+++ b/apps/immich/values.yaml
@@ -4,30 +4,26 @@
 # These entries are shared between all the Immich components
-
+env:
-controllers:
+  REDIS_HOSTNAME: '{{ printf "%s-redis-master" .Release.Name }}'
-  main:
+  DB_HOSTNAME: "immich-postgresql-rw"
-    containers:
+  DB_USERNAME:
-      main:
+    valueFrom:
-        env:
+      secretKeyRef:
-          # some non-default vars
+        name: postgres-password
-          DB_HOSTNAME: "immich-postgresql-rw"
+        key: username
-          DB_USERNAME:
+  DB_DATABASE_NAME:
-            valueFrom:
+    valueFrom:
-              secretKeyRef:
+      secretKeyRef:
-                name: postgres-password
+        name: postgres-password
-                key: username
+        key: database
-          DB_DATABASE_NAME:
+  DB_PASSWORD:
-            valueFrom:
+    valueFrom:
-              secretKeyRef:
+      secretKeyRef:
-                name: postgres-password
+        name: postgres-password
-                key: database
+        key: password
-          DB_PASSWORD:
+  IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}'
-            valueFrom:
+  IMMICH_METRICS: true
              secretKeyRef:
                name: postgres-password
                key: password
          IMMICH_METRICS: true
 immich:
  metrics:
@@ -41,15 +37,13 @@ immich:
      existingClaim: data
 # Dependencies
-valkey:
+redis:
  enabled: true
-  persistence:
+  architecture: standalone
-    data:
+  auth:
-      enabled: true
+    enabled: false
-      size: 1Gi
+
-      # Optional: Set this to persistentVolumeClaim to keep job queues persistent
+# Immich components
      type: emptyDir
      accessMode: ReadWriteOnce
 server:
  enabled: true
@@ -62,7 +56,7 @@ machine-learning:
  persistence:
    cache:
      enabled: true
-      size: 10Gi
+      size: 200Gi
      # Optional: Set this to pvc to avoid downloading the ML models every start.
      type: emptyDir
      accessMode: ReadWriteMany
--- a/apps/kitchenowl/ingress.yaml
+++ b/apps/kitchenowl/ingress.yaml
@@ -8,22 +8,10 @@ spec:
    - websecure
  routes:
  - match: Host(`kitchen.kluster.moll.re`)
    middlewares:
      - name: kitchenowl
    kind: Rule
    services:
    - name: kitchenowl-web
      port: 8080
  tls:
-    certResolver: default-tls
+    certResolver: default-tls 
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: kitchenowl
 spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"
      Upgrade: "websocket"
--- a/apps/linkding/kustomization.yaml
+++ b/apps/linkding/kustomization.yaml
@@ -13,4 +13,4 @@ namespace: linkding
 images:
  - name: linkding
    newName: sissbruecker/linkding
-    newTag: "1.44.2"
+    newTag: "1.44.1"
--- a/apps/media/kustomization.yaml
+++ b/apps/media/kustomization.yaml
@@ -12,4 +12,4 @@ resources:
 images:
  - name: jellyfin/jellyfin
    newName: jellyfin/jellyfin
-    newTag: 10.11.5
+    newTag: 10.10.7
--- a/apps/minecraft/job.yaml
+++ b/apps/minecraft/job.yaml
@@ -56,7 +56,7 @@ spec:
        - name: CREATE_CONSOLE_IN_PIPE
          value: "true"
        - name: ONLINE_MODE
-          value: "true"
+          value: "false"
        - name: ENABLE_AUTOSTOP
          value: "true"
        - name: AUTOSTOP_TIMEOUT_EST
--- a/apps/minecraft/kustomization.yaml
+++ b/apps/minecraft/kustomization.yaml
@@ -18,7 +18,7 @@ images:
    newTag: java21
  - name: alpine
    newName: alpine
-    newTag: "3.23"
+    newTag: "3.22"
  - name: rsync
    newName: eeacms/rsync
    newTag: "3.0"
--- a/apps/ntfy/kustomization.yaml
+++ b/apps/ntfy/kustomization.yaml
@@ -13,4 +13,4 @@ resources:
 images:
  - name: binwiederhier/ntfy
    newName: binwiederhier/ntfy
-    newTag: v2.15.0
+    newTag: v2.14.0
--- a/apps/paperless/kustomization.yaml
+++ b/apps/paperless/kustomization.yaml
@@ -14,14 +14,14 @@ namespace: paperless
 images:
  - name: paperless
    newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.20.3"
+    newTag: "2.18.4"
 helmCharts:
  - name: redis
    releaseName: redis
    repo: https://charts.bitnami.com/bitnami
-    version: 24.1.0
+    version: 23.2.1
    valuesInline:
      auth:
        enabled: false
--- a/apps/recipes/kustomization.yaml
+++ b/apps/recipes/kustomization.yaml
@@ -13,5 +13,5 @@ resources:
 images:
  - name: mealie
-    newTag: v3.9.1
+    newTag: v3.3.2
    newName: ghcr.io/mealie-recipes/mealie
--- a/default.nix
+++ b/default.nix
@@ -7,7 +7,6 @@ pkgs.mkShell {
    kubeseal
    yq
    jq
    kubernetes-helm-wrapped
  ];
  env = {
--- a/infrastructure/argocd/kustomization.yaml
+++ b/infrastructure/argocd/kustomization.yaml
@@ -4,7 +4,7 @@ kind: Kustomization
 namespace: argocd
 resources:
  - namespace.yaml
-  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.2.3
+  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.1.9
  - ingress.yaml
  - argo-apps.application.yaml
  - bootstrap-repo.sealedsecret.yaml
--- a/infrastructure/authelia/kustomization.yaml
+++ b/infrastructure/authelia/kustomization.yaml
@@ -27,6 +27,6 @@ images:
 helmCharts:
  - name: authelia
    releaseName: authelia
-    version: 0.10.49
+    version: 0.10.47
    repo: https://charts.authelia.com
    valuesFile: authelia.values.yaml
--- a/infrastructure/external-dns/kustomization.yaml
+++ b/infrastructure/external-dns/kustomization.yaml
@@ -11,4 +11,4 @@ resources:
 images:
  - name: dns
    newName: git.kluster.moll.re/remoll/dns
-    newTag: 0.0.2-build.128
+    newTag: 0.0.2-build.68
--- a/infrastructure/external-dns/renovate.json
+++ b/infrastructure/external-dns/renovate.json
@@ -8,7 +8,6 @@
  "packageRules": [
    {
      "matchDatasources": ["docker"],
      "matchPackageNames": ["git.kluster.moll.re/remoll/dns"],
      "versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-build.(?<build>\\d+)$"
    }
  ]
--- a/infrastructure/metallb-system/kustomization.yaml
+++ b/infrastructure/metallb-system/kustomization.yaml
@@ -7,6 +7,6 @@ resources:
  # - namespace.yaml
  # namespace is already included in the remote kustomization
  # - github.com/metallb/metallb/config/native?ref=v0.15.2
-  - github.com/metallb/metallb/config/frr?ref=v0.15.3
+  - github.com/metallb/metallb/config/frr?ref=v0.15.2
  - ipaddresspool.yaml
--- a/infrastructure/monitoring/kustomization.yaml
+++ b/infrastructure/monitoring/kustomization.yaml
@@ -6,7 +6,7 @@ namespace: monitoring
 resources: 
  - namespace.yaml
  # prometheus-operator crds
-  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.87.1
+  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.85.0
  # single prometheus instance with a thanos sidecar
  - prometheus.yaml
  - thanos-store.statefulset.yaml
@@ -17,17 +17,17 @@ resources:
 images:
  - name: thanos
    newName: quay.io/thanos/thanos
-    newTag: v0.40.1
+    newTag: v0.39.2
 helmCharts:
  - name: loki
    releaseName: loki
    repo: https://grafana.github.io/helm-charts
-    version: 6.49.0
+    version: 6.44.0
    valuesFile: loki.values.yaml
  - name: prometheus-node-exporter
    releaseName: prometheus-node-exporter
    repo: https://prometheus-community.github.io/helm-charts
-    version: 4.49.2
+    version: 4.49.0
    valuesFile: prometheus-node-exporter.values.yaml
--- a/infrastructure/pg-ha/kustomization.yaml
+++ b/infrastructure/pg-ha/kustomization.yaml
@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
  - name: cloudnative-pg
    releaseName: pg-controller
-    version: 0.27.0
+    version: 0.26.1
    valuesFile: values.yaml
    repo: https://cloudnative-pg.io/charts/
--- a/infrastructure/renovate/kustomization.yaml
+++ b/infrastructure/renovate/kustomization.yaml
@@ -11,4 +11,4 @@ resources:
 images:
  - name: renovate/renovate
    newName: renovate/renovate
-    newTag: "42"
+    newTag: "41"
--- a/infrastructure/sealedsecrets/kustomization.yaml
+++ b/infrastructure/sealedsecrets/kustomization.yaml
@@ -9,4 +9,4 @@ resources:
 images:
  - name: controller
    newName: docker.io/bitnami/sealed-secrets-controller
-    newTag: 0.34.0
+    newTag: 0.32.2
--- a/infrastructure/traefik-system/configmap.yaml
+++ b/infrastructure/traefik-system/configmap.yaml
@@ -66,11 +66,6 @@ data:
        [entryPoints.websecure.forwardedHeaders]
          insecure = true
          # forward ip headers no matter where they come from
        [entryPoints.websecure.transport.respondingTimeouts]
          readTimeout  = "0"
          # writeTimeout = "300s"
          # idleTimeout  = "180s"
      [entryPoints.metrics]
        address = ":9100"
--- a/infrastructure/traefik-system/kustomization.yaml
+++ b/infrastructure/traefik-system/kustomization.yaml
@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
  - name: traefik
    releaseName: traefik
-    version: 37.4.0
+    version: 37.2.0
    valuesFile: values.yaml
    repo: https://traefik.github.io/charts
--- a/infrastructure/traefik-system/servicemonitor.yaml
+++ b/infrastructure/traefik-system/servicemonitor.yaml
@@ -1,13 +1,29 @@
 # apiVersion: monitoring.coreos.com/v1
 # kind: ServiceMonitor
 # metadata:
 #   name: traefik-servicemonitor
 #   labels:
 #     app: traefik
 # spec:
 #   selector:
 #     matchLabels:
 #       app.kubernetes.io/name: traefik
 #   endpoints:
 #     - port: metrics
 #       path: /metrics
 apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
+kind: PodMonitor
 metadata:
-  name: traefik-servicemonitor
+  name: traefik-podmonitor
  labels:
    app: traefik
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: traefik
-  endpoints:
+  namespaceSelector:
    matchNames:
      - traefik-system
  podMetricsEndpoints:
    - port: metrics
      path: /metrics
--- a/infrastructure/traefik-system/values.yaml
+++ b/infrastructure/traefik-system/values.yaml
@@ -101,12 +101,6 @@ ports:
      default: true
    exposedPort: 853
    protocol: TCP
  metrics:
    port: 9100
    expose:
      default: true
    exposedPort: 9100
@@ -128,5 +122,6 @@ service:
  # Additional entries here will be added to the service spec.
  # Cannot contain type, selector or ports entries.
  spec:
    # externalTrafficPolicy: Local
    loadBalancerIP: 192.168.3.1
-    externalTrafficPolicy: Local
+
--- a/kluster-deployments/homeassistant/application.yaml
+++ b/kluster-deployments/homeassistant/application.yaml
@@ -1,20 +1,18 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: homeassistant-flat-application
+  name: homeassistant-application
  namespace: argocd
 spec:
  project: apps
  source:
    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
    targetRevision: main
-    path: apps/homeassistant/overlays/flat
+    path: apps/homeassistant
  destination:
    server: https://kubernetes.default.svc
    namespace: homeassistant
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      prune: true
-      selfHeal: true
+      selfHeal: true
--- a/kluster-deployments/homeassistant/house.application.yaml
+++ b/kluster-deployments/homeassistant/house.application.yaml
@@ -1,23 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: homeassistant-house-application
  namespace: argocd
 spec:
  project: apps
  source:
    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
    targetRevision: main
    path: apps/homeassistant/overlays/house
  destination:
    server: https://kubernetes.default.svc
    namespace: homeassistant
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        pod-security.kubernetes.io/enforce: privileged
    syncOptions:
      - CreateNamespace=true
    automated:
      prune: true
      selfHeal: true
--- a/kluster-deployments/homeassistant/kustomization.yaml
+++ b/kluster-deployments/homeassistant/kustomization.yaml
@@ -1,5 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- application.yaml
+- application.yaml
 - house.application.yaml