Update Helm release redis to v20.4.1

2024-12-10 21:01:27 +00:00
132 changed files with 350 additions and 1606 deletions
--- a/.envrc
+++ b/.envrc
@@ -1 +0,0 @@
 use nix
--- a/.gitignore
+++ b/.gitignore
@@ -3,7 +3,4 @@
 main.key
 # Helm Chart files
-charts/
+charts/
 # Nix and local environment files
 .direnv/
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # Kluster setup and IaaC using argoCD
-### Description
+### Initial setup
 #### Requirements:
 - A running k3s instance
 - `sealedsecrets` deployed
@@ -27,61 +27,21 @@ The app-of-apps will bootstrap a fully featured cluster with the following compo
    - immich
    - ...
-## Setup instructions
+#### Recap
-1. install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
+- install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
    ```bash
    kubectl apply -k infrastructure/sealedsecrets
    kubectl apply -f infrastructure/sealedsecrets/main.key
    kubectl delete pod -n kube-system -l name=sealed-secrets-controller
    ```
-1. install argocd and the app-of-apps bundled with it
+- install argocd
    ```bash
    kubectl apply -k infrastructure/argocd
    ```
-
+- wait...
 > NOTE: The argocd kustomization already mentions some CRDs available only after the full bootstrapping (traefik). Some might fail to apply right away. Since the argo application is managed through argo as well, they will become available as all kluster applications are rolled out.
 ### Adding an application
-1. todo
+todo
 1. Don't forget to add the status badge.
 ### Status
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=authelia-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/authelia-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=backup-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/backup-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=external-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/external-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=external-dns-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/external-dns-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=gitea-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/gitea-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=metallb-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/metallb-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=monitoring-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/monitoring-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=nfs-provisioner-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/nfs-provisioner-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=pg-ha-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/pg-ha-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=renovate-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/renovate-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=sealedsecrets-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/sealedsecrets-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=traefik-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/traefik-application)
 ---
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=adguard-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/adguard-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=audiobookshelf-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/audiobookshelf-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=code-server-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/code-server-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=files-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/files-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=finance-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/finance-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=grafana-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/grafana-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=homeassistant-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/homeassistant-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=immich-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/immich-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=kitchenowl-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/kitchenowl-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=linkding-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/linkding-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=media-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/media-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=minecraft-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/minecraft-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=ntfy-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/ntfy-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=paperless-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/paperless-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=recipes-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/recipes-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=rss-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/rss-application)
 ---
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=journal-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/journal-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=physics-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/physics-application)
--- a/apps/adguard/configmap.yaml
+++ b/apps/adguard/configmap.yaml
@@ -27,10 +27,7 @@ data:
      ratelimit_whitelist: []
      refuse_any: true
      upstream_dns:
-        - tls://1.1.1.1
+        - https://dns10.quad9.net/dns-query
        - tls://dns.google
        - tls://p0.freedns.controld.com
        - tls://dns.quad9.net
      upstream_dns_file: ""
      bootstrap_dns:
        - 9.9.9.10
@@ -38,7 +35,8 @@ data:
        - 2620:fe::10
        - 2620:fe::fe:10
      fallback_dns: []
-      upstream_mode: load_balance
+      all_servers: false
      fastest_addr: false
      fastest_timeout: 1s
      allowed_clients: []
      disallowed_clients: []
@@ -74,8 +72,6 @@ data:
      dns64_prefixes: []
      serve_http3: false
      use_http3_upstreams: false
      serve_plain_dns: true
      hostsfile_enabled: true
    tls:
      enabled: false
      server_name: ""
@@ -92,14 +88,12 @@ data:
      private_key_path: ""
      strict_sni_check: false
    querylog:
      dir_path: ""
      ignored: []
      interval: 2160h
      size_memory: 1000
      enabled: true
      file_enabled: true
    statistics:
      dir_path: ""
      ignored: []
      interval: 24h
      enabled: true
@@ -116,10 +110,6 @@ data:
        url: https://someonewhocares.org/hosts/zero/hosts
        name: Dan Pollock's List
        id: 1684963532
      - enabled: true
        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt
        name: Peter Lowe's Blocklist
        id: 1735824753
    whitelist_filters: []
    user_rules: []
    dhcp:
@@ -144,36 +134,13 @@ data:
      blocking_ipv6: ""
      blocked_services:
        schedule:
-          time_zone: Europe/Berlin
+          time_zone: UTC
-          sun:
+        ids: []
            start: 18h
            end: 23h59m
          mon:
            start: 18h
            end: 23h59m
          tue:
            start: 18h
            end: 23h59m
          wed:
            start: 18h
            end: 23h59m
          thu:
            start: 18h
            end: 23h59m
          fri:
            start: 18h
            end: 23h59m
          sat:
            start: 18h
            end: 23h59m
        ids:
          - reddit
      protection_disabled_until: null
      safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        ecosia: true
        google: true
        pixabay: true
        yandex: true
@@ -182,13 +149,11 @@ data:
      parental_block_host: family-block.dns.adguard.com
      safebrowsing_block_host: standard-block.dns.adguard.com
      rewrites: []
      safe_fs_patterns:
        - /opt/adguardhome/data/userfilters/*
      safebrowsing_cache_size: 1048576
      safesearch_cache_size: 1048576
      parental_cache_size: 1048576
      cache_time: 30
-      filters_update_interval: 168
+      filters_update_interval: 24
      blocked_response_ttl: 10
      filtering_enabled: true
      parental_enabled: true
@@ -203,7 +168,6 @@ data:
        hosts: true
      persistent: []
    log:
      enabled: true
      file: ""
      max_backups: 0
      max_size: 100
@@ -215,4 +179,4 @@ data:
      group: ""
      user: ""
      rlimit_nofile: 0
-    schema_version: 29
+    schema_version: 27
--- a/apps/adguard/kustomization.yaml
+++ b/apps/adguard/kustomization.yaml
@@ -10,7 +10,7 @@ resources:
 images:
  - name: adguard/adguardhome
    newName: adguard/adguardhome
-    newTag: v0.107.69
+    newTag: v0.107.54
 namespace: adguard
--- a/apps/audiobookshelf/kustomization.yaml
+++ b/apps/audiobookshelf/kustomization.yaml
@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
  - name: audiobookshelf
    newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.29.0"
+    newTag: "2.17.5"
--- a/apps/code-server/deployment.yaml
+++ b/apps/code-server/deployment.yaml
@@ -1,41 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: code-server
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: code-server
  template:
    metadata:
      labels:
        app: code-server
    spec:
      containers:
        - name: code-server
          image: code-server
          ports:
            - containerPort: 8080
          env:
          - name: TZ
            value: Europe/Berlin
          - name: CONFIG_PATH
            value: /data/config
          - name: METADATA_PATH
            value: /data/metadata
          volumeMounts:
            - name: data
              mountPath: /home/coder
          resources:
            requests:
              cpu: "50m"
              memory: "100Mi"
            limits:
              cpu: "6"
              memory: "16Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: code-server-data
--- a/apps/code-server/ingress.yaml
+++ b/apps/code-server/ingress.yaml
@@ -1,17 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: audiobookshelf-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`code.kluster.moll.re`)
    kind: Rule
    services:
    - name: code-server-web
      port: 8080
  tls:
    certResolver: default-tls 
--- a/apps/code-server/kustomization.yaml
+++ b/apps/code-server/kustomization.yaml
@@ -1,15 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: code-server
 images:
  - name: code-server
    newName: ghcr.io/coder/code-server
    newTag: 4.104.3-fedora
--- a/apps/code-server/pvc.yaml
+++ b/apps/code-server/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: code-server-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
--- a/apps/code-server/service.yaml
+++ b/apps/code-server/service.yaml
@@ -1,11 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: code-server-web
 spec:
  selector:
    app: code-server
  ports:
  - port: 8080
    targetPort: 8080
  type: LoadBalancer
--- a/apps/files/kustomization.yaml
+++ b/apps/files/kustomization.yaml
@@ -13,4 +13,4 @@ namespace: files
 images:
  - name: ocis
    newName: owncloud/ocis
-    newTag: "7.3.0"
+    newTag: "5.0.9"
--- a/apps/files/ocis-config.sealedsecret.yaml
+++ b/apps/files/ocis-config.sealedsecret.yaml
--- a/apps/finance/actualbudget.deployment.yaml
+++ b/apps/finance/actualbudget.deployment.yaml
@@ -21,9 +21,6 @@ spec:
          env:
            - name: TZ
              value: Europe/Berlin
          envFrom:
            - secretRef:
                name: actualbudget-oidc
          volumeMounts:
            - name: data
              mountPath: /data
--- a/apps/finance/kustomization.yaml
+++ b/apps/finance/kustomization.yaml
@@ -9,9 +9,8 @@ resources:
  - actualbudget.deployment.yaml
  - actualbudget.service.yaml
  - actualbudget.ingress.yaml
  - oidc.sealedsecret.yaml
 images:
  - name: actualbudget
    newName: actualbudget/actual-server
-    newTag: 25.10.0
+    newTag: 24.12.0
--- a/apps/finance/oidc.sealedsecret.yaml
+++ b/apps/finance/oidc.sealedsecret.yaml
@@ -1,19 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: actualbudget-oidc
  namespace: finance
 spec:
  encryptedData:
    ACTUAL_OPENID_AUTH_METHOD: AgAhPqooAS/7R9S/X3KGfSfs3ClN38J9CEfkUTYAUvKGEehQ2Tz3thPNvhvnbz/gKRc7C172jgxoxaGMiVXi40Qa+I7Y8JVHefjoSd8NuubzQZU8ZK5KlYRgc5OnoPM3RLarHyZ2DFw5Q/ngv3sp1c5dSI4/604KSQPxVAFCnb/lnSkOsBggDRymWvYclx1NrLIClpLAFwHgCOm6g1kHCvtGIdBLxKOHsiRJm62+UyHt0GLkR0QFTDXBQxoBm9QR9kLjQqw/QqcOIVx1by0RHoHBI6HDEEIQVH3UgWqlMmIwm+a4KQeBEdEfWLn9YC8MGSdlQRlaZoi5ltFT2c/DWuMuRStnaOWbsMQVR+y6yJ2UNBe29uVQh6877iqfmAJvT6gXic73zI7Vkq6IFQ7veQPBaTi22HP/sxiElGI8rY0LtRHD4TctKSePaOPvsgrv8k8SpB5qYAft7UonbTPWzzRSSc4Y3Z4fQiD0x/uhtTqTTtukx39nzM2TjVGcJThWaxUGa07w1fjTafieFVwwreURBUpRK92X2NY3ovOdA9c1WrHfqIzVtpcnfQyCeA5D4XT2sBFk0+crwEm1GmtscjPkGnyctNMUSmkHd+QKw8EAmWxKge4+7rfOrZp5ZK7cBFJcB4gVQcxnm3bXr0qZyiA1udaxmSxVflQR2AjduvhKuE73AGPi0bJki5TvKJp6bavTotYfdMY=
    ACTUAL_OPENID_CLIENT_ID: AgA6X0uYaU1n4XSXVntmT4+NgahYkkMVx61OZP8ExnSMkRPlwQfErhNHrwKsTsnD8OzP3svhxBe5bwaI8O1OKF0k5pQWG0DbRfmBrwiep9nBsKPt+fQm0AJUsZ2sQNShusmsSEumBKbMD0CMPklVMq18tLpOIh/YaXM34lsOutW0SIx7HWWQsyLmoolEoRVdkKvDhoh3FXjKqzGYlr1uKuqYG7pJPsxEpsTs2pZTUIlB2gVcEqb/ZXxgkj01GDYzB519swIOfYdISj7oCR8VG90M9iDrgmxsPkWozMDxFjNo5JR2dB9wvP7ptFex8JonbZZXYZD7tE+36U8iys6Cjh6JGwr9luN1AxYYSkRrNWJd2CuID+8ujWptoTvRSO0RwiVVp5LhXe1l2GxLsS2UVtO+nbWH6DGMJei4DQ+LAxDXFR8FAvi7615cneN0umQfF4ZMUJirvxHA3tFN42tbnRmSCbLAZLNLhQq8VbRmkYOAN6LCzSKYlyhSyA3NM2HjRTFkXGUhOPL+3tPZJB4v0QlEhlhy1Ffxh2mbUXgmQ+ZHGUsBXEHfc/Gba6gJhsj6S2DkiAeZUW6euY5/v4vpveWsS+YS+BxH441//8mOJnrpsWrcQbM5yCk4WMnmpETy/VFEkc3dqYfVWHDfvwAeqjVfXAovXBmwOoCASG6qDf0P7FdeLFTHUNuahyNhBzhBAQ/yNpOkbzKTJFBWwnM=
    ACTUAL_OPENID_CLIENT_SECRET: AgAbJinP4E8rbGAw7BTfh/GB3XxQOfHiLFrgaikQbUIsmZu+Y6ktK7aJdcX2/g6yhHXX6z8p4xoYTaGgkpo8H0XWvUDT4ohqJVdJSWZgNx8MyzisVKi+51BEpslL4JvGo/ISjXT0hNeYGzFXlHnnr3LX+fuTVh3dKtk4t8nmR8SqaCCIyvKiBPmX/1QWo4Vrfw7OLpVlfGP0i3J7FrhjNgKMRWcQKQC4Ohk+NLHHghdtqzuFB8eKwcuBZmynKCVyblOhwZSL5WnyJPskWLMjNEizWuCubDdyHVY3ZqYLDe5dgoi7Gop5/xY7FEuEkmTL0g7LpKo4RkEKRLjsZwWtW+xN6HRRt7zGoUdIpo20ZnTtEH8C/qcxjHKUycFvzKLnk6ntq5rEdK2/MhBtMfd3a8pb4vpT9JNra1AWsB7zCUv4yc/FT0RpkL+1r1CVva4o+tzM8ojnm4o0ch6qsGb0IOYZvJx6sF7c6aj7c41YQK3ZrQF3bhhhEHYyWOBjy1V4T/GJPZ9CbhGG0PIsSvpW7d5pG5jNAwU/Xo6FL/vVUPwmSq/hCqYMSSSKNiMH/q/vzKyu5B5aQbNDAumzsLRqD/auJz8nAaUoLNBVHq+7zTs3wV7pEayY22teq/MN5PRtYOQLE5Ck60gv9Q70cfhgvTeK+eX4h9BbhfijCV/EiSYhLP7meeIpE80icdLUSkNROfW+0sf3RNbW5q3JX8PsW0h29VJgREJdlziLj2cCshe+ww==
    ACTUAL_OPENID_DISCOVERY_URL: AgAQVZX6r8SPkwwBR1dmUF/ahuZKkGSsU/GULe5PF7Nm75UadtjPb5aHAZjWE59MdV61DQZDa4KJz1/fW4xDUrJBuUElIRQH4oyMTQG12MSMauQpLd25SVU8ex2NYyerbd85j521FSxujP0l3941KGsENLt5wCx/idXu47txhAHgS81mj3CLfWzT5yyG+V1i48a24xK905v+ft5ZKuNLOxvVb6yZSBt1j/3egx49eB49CRk/dxYQtPpSw8Zb6KgaN+skjq5HTH/Neb4J92nlJ1aFPVKbFLbtxyIHDSoO35U8ODHEJVGKBbZjjfrrjCpmQYnZPEWN9s+xj2NAXZ7qANcJfbFEF/3bOiKZhc0jLM5MyhiMZoytn4FvGM8zxINC3z8zqaWJm1wiMXEUH3/FLUa2UWeHKQB14h0f5XGwytb3s/nPCoBnHhtOK1y4utJ2APsQhRsxySZjgYNRaRCarp8PntY7yB7VHYlv5Mitx+qBWcAUmcKp1I4NTnm1LORRGzIFcrJJKtQfqcW7GNuZDA3AiLGyOMVigcA93GnPbppor5BItE9FK/BKqrR4Bz31jXSO8S7pjhi3JxBIKEMmMZRVbyelJ9o7gTpqrBvO7KZ5v/L+mlE0J8D2LZoEWPqxfa/BE+QZfwIS3wDWQl1GTruaAM4u0bp4i9GkyK3hPVXnml3dNMElSG3GvNqHhhy1Boo1cHXHbQ5YzbkGgzL9fLkigVQCi0FKItyBxdGsui9U0OU5LNi0EGKBibs22mdDkp6f051GWeMidtSwz9j5
    ACTUAL_OPENID_SERVER_HOSTNAME: AgB+C31GqtPKbMifuTFYhwOgUwXph+RQYdnVQaVIaDiveE6Lydl/2HnTyFQIi2mhrbiCpDgegXuvGBoM7WHxlPepny5E66lY/cAdFaFDGMARqMXCRLVmvkt3U1IyNn9zPCPil0x+eAv2S/ETLm8Nj2OL9utxkdNBHub9xiGrE0d7qBeBfK1FNmainthYQUpnCsR7jowmmvYGuEyDwfG+suUooDdb5zaWmCJZRYk1jKD3zlu21N0sfciBJ/GpTdz/2V+NXqJJqs3r2zoB2GJPQ64pMuZHZ+yw8bYUkg7/QOHD2ofWmtzNOGGtiNRHAG8MtvF6ovc4Hgv5uu+4x413UP6pSIJsrHrXSHYP+mvu+ya3gNUn6YK2qymezrqbvUF/n7LoaDzTRqa0PmemtdskuABiwfqrdiOarxaWjomkXqnrBK6VkJ8PhOMDMv/j/c6zlXdhpnqlUyxMcjBjqicfNBWN8UByDIEw4D0rhibzOS4fIKjNHrmXHv39GNJsY90avhZqq42oTMJL0vcaj3v4pBZJdJ05TOvY7PQ/iUwnnczGqOtpAQtBKfCV2+PXp9o/64wOGc0Br322kSpzjIleWP9VWVgbqvwMjUGtlL+xTkCaOFpiYETxUim09c745WDc+YgU55rd5i/5t20wiKy7RSYnHvYOwvdjAlEgAnD0YZBXOQkL51nL9P+nOMAYBE0HiM1vYsd8R6h6Fk+G2gcs/2CLgwglqOtMwAm9A9+5qSqyMak6Z68=
  template:
    metadata:
      creationTimestamp: null
      name: actualbudget-oidc
      namespace: finance
--- a/apps/grafana/grafana-admin.sealedsecret.yaml
+++ b/apps/grafana/grafana-admin.sealedsecret.yaml
@@ -1,17 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: grafana-admin-secret
  namespace: grafana
 spec:
  encryptedData:
    password: AgAU6g/CwKj+1gPpt4DLvLsS0YCvJdVHWw4W4bRhibE9brVvcJtGB3D9MTJrSLVVwusaE6OR59og7oW5ge3yTd/9bbclXYLrxEi7OwvkQjCvo8MfD8yhJO9nV4Xs9Mjk2Z4SHGYuq6wvcssuJrpz5f0XEC7ocTRA+u0UaE+/b4FrYF71uyKGvj8GSXgLZUjGPFsGfPzwJn7cLBmlclVHx1xGbFpUc042m5Mulpn0QolFQnOwZiW4PL8pQyz1MXVRwCsz0RJd5apZL3XJ4X7BLMoAp+diHQ2xi3zoU9VScp+J2QgvFdRKgDa6v7Jz1f+HCwq5W/DoegwFXBrcMIfF2YrnvTnc1PCVwD9IHOeylO7J2hfi8teQiqTvvRlVgdBTLqoqlVovemf5k6ke6JfjTwnsJjTNnL7MKN5Qt0o7N2XRZ3ba9jp8cKbI7fyFQKaU2QEf2PIkp82kEnixmpA1aATgeA3W4E5Km7sKHUEB81+pwnOe54tzD2ShgQX/+UiswhWYTT+gdZKL1udBBemUDC0z9PSJNTPTy+hq+G4CIzVQUYxlioM3c+3geF7YLU8yXisj84pk44GN9KX3z5x+M2+LZL7agAWPUjxtrP2V+id7dNJQfCm0aSMeo57dVfb4zlBUAAgKIKjX+j1KqCVqE9zEO2F/QX7mY6MJTP2me3wmY7JAVRJ7d6bbkyyoDhs8JErLYLp0A+Eh+qx8nWgM9ErPVSA0
    user: AgB8ZLG2EuERjg1nKdH/xadbUuIR2c8a9gF5fE8ctrp4DNDLLuuqmjyoHRiWpkrtfnE1yKg1rPP+asV9Lj5iVmE9J+OB3QUOeFS4MHciBNj7pa68zfFgnHP4kxMX6aXyKRQrYruYjHwfzCpOM1zyTEphuGlnokjQXxjF/mZsoM2NWn7WGReqfxqH95tJXfs9AUC5vVv/PHqd+KKRZH7+G1AnWVJ7RFQHedR7wyftO4/rkm8deMuZWtOLl25fAOyOr7+hSqT69s9/uTKSLJXjobSqtulqsR+v5lkwx2ThNKzmcEcuoenKG6lk8XLRSIscccZH3JTPh6IknQWUOC4nmYj+XUxE8Go0RX/4eL+D/6FrYrtp0gr3HOCLAGU4vAHMeKfJoyqykJVnvY6QY6bFgaziyOlWaoEHpg6g0vHHDwyX7HIDcQfJZGOLH9dhrWJ2sOkzyuuxfqWEgz/M2eBW4EUAudHwfTLPocSMUI+D6fjeciMojet5uxWMP7ZHh/E061f5+Vfk6CKYd9Kpi69Xah8KEyyHYP5NImkdIwjgllaEAd/FBE2+QJyTVZlUQC7y9ObagDMCUFaFbTS5QOLh5BOJDL5buEYFWG0IhoH47SC/pKeEOQH//uvoo27K9zvxTOQN1YOTrxCozmexMOsTIdhvU0dOnJDBrThSHKYLCeIokDOgUUT52FqDH51RoLoK3UkyGbMoq+M=
  template:
    metadata:
      creationTimestamp: null
      name: grafana-admin-secret
      namespace: grafana
    type: Opaque
--- a/apps/grafana/grafana-auth.sealedsecret.yaml
+++ b/apps/grafana/grafana-auth.sealedsecret.yaml
@@ -1,16 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: grafana-auth
  namespace: grafana
 spec:
  encryptedData:
    client_secret: AgCEdC1/ERlPQyQP+bd9gcW33Yrvl4uRbx+RF5AY4vYAquOzxmLTygMl/WZlB5wlCE5idIHgto6/fUWVZrQbmfClRqsW2pFoddKQAtS9cQNXwMjLCm7e0lXk9GM9O3ZwktmklFbCu8XewHmefGHhoJ28vPxPMaINv1fM4zYKvNz5RHf0dJfTHgxb68wRYjAbE/eJpRcVE3a29Yw6Gfa8Mb+cFI7RTHvjuv9LBgWqM6b3qvvJ4wYR2WKuiQrnJ5xAtHpMAI/2R80qq151wlaZueDZ1PwjRBHURkmPTmwZnrMrmIugNge7Tpww+ArZlG9kDfSu1aTJidbXbcpN6fyt1qARTCYrBlbn60PTYLnPL/NObvMCpjS6DsYsYz7MJ7WoOupu46Ib5paZHmak+CilC6lb9LjJj4EKfRsagZmWT07JavhHBW/tqjB3GToccIz4fOAOdA9aU51J4wCL2ctp2SgzCEKe2EaBK/f9nDd9ASmmon9PDwRDVtG8yTukrNcZHNzodi09Af81DB0RNa36Z3Sjt5xu94paN+mjiOWGf2JduVEq+60NbPvDbPE9e1aVH3DdQcij2WGZaTE8dAGLSsLoOkIq3m2E+Mbk1Re1gI9H18xJM72ivb5uDe7pzReyvO5DY4Pfq8JgQhPxWcDq9ScmWS6Bb+jdCKytFq5NafSAl+akPbbwN+1GFu33if/P5D9I2TwOA8V1wyVU
  template:
    metadata:
      creationTimestamp: null
      name: grafana-auth
      namespace: grafana
    type: Opaque
--- a/apps/homeassistant/base/kustomization.yaml
+++ b/apps/homeassistant/base/kustomization.yaml
@@ -1,20 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  # - namespace.yaml # not managed by kustomize but created as needed by the argo app. creates conflicts otherwise since both overlays share the same namespace
  - ingress.yaml
  - pvc.yaml
  - service.yaml
  - deployment.yaml
  - servicemonitor.yaml
 images:
  - name: homeassistant
    newName: homeassistant/home-assistant
    newTag: "2025.10"
 configurations:
  # allow nameReference to work with different mentions of the same resource as well
  - name_reference.yaml
--- a/apps/homeassistant/base/name_reference.yaml
+++ b/apps/homeassistant/base/name_reference.yaml
@@ -1,32 +0,0 @@
 nameReference:
  # Tie target Service metadata.name to other ingressroute fields
  - kind: Service
    fieldSpecs:
      # rewrite the backend service name
      - kind: IngressRoute
        group: traefik.io
        version: v1alpha1
        path: spec/routes/services/name
      # adapt the ingress url
      # DOES NOT WORK
      - kind: IngressRoute
        group: traefik.io
        version: v1alpha1
        path: /spec/routes/match
        create: false
      # adapt any middleware names
      - kind: IngressRoute
        group: traefik.io
        version: v1alpha1
        path: spec/routes/middlewares/name
  # Update deployment volume mounts according to name changes in the sealedsecret
  - kind: SealedSecret
    fieldSpecs:
      # volume mounts:
      - kind: Deployment
        group: apps
        version: v1
        path: spec/template/spec/volumes/secret/secretName
--- a/apps/homeassistant/base/deployment.yaml
+++ b/apps/homeassistant/base/deployment.yaml
@@ -14,7 +14,7 @@ spec:
    spec:
      containers:
        - name: homeassistant
-          image: homeassistant
+          image: homeassistant/home-assistant
          ports:
            - containerPort: 8123
          env:
@@ -34,3 +34,4 @@ spec:
        - name: config-dir
          persistentVolumeClaim:
            claimName: config
--- a/apps/homeassistant/base/ingress.yaml
+++ b/apps/homeassistant/base/ingress.yaml
@@ -1,17 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: homeassistant
+  name: homeassistant-ingress
 spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`homeassistant.kluster.moll.re`)
+    - match: Host(`home.kluster.moll.re`) && !Path(`/api/prometheus`)
      middlewares:
-        - name: homeassistant
+        - name: homeassistant-websocket
      kind: Rule
      services:
-        - name: homeassistant
+        - name: homeassistant-web
          port: 8123
  tls:
    certResolver: default-tls
@@ -19,7 +19,7 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: homeassistant
+  name: homeassistant-websocket
 spec:
  headers:
    customRequestHeaders:
--- a/apps/homeassistant/kustomization.yaml
+++ b/apps/homeassistant/kustomization.yaml
@@ -1,17 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: homeassistant
 resources: 
  - namespace.yaml
  - pvc.yaml
  - stump-config.configmap.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
  - pvc.yaml
  - service.yaml
  - deployment.yaml
  - servicemonitor.yaml
 namespace: stump
 images:
-  - name: stump
+  - name: homeassistant/home-assistant
-    newName: aaronleopold/stump
+    newName: homeassistant/home-assistant
-    newTag: "0.0.12"
+    newTag: "2024.12"
--- a/apps/homeassistant/base/namespace.yaml
+++ b/apps/homeassistant/base/namespace.yaml
--- a/apps/homeassistant/overlays/flat/ingress.patch.yaml
+++ b/apps/homeassistant/overlays/flat/ingress.patch.yaml
@@ -1,3 +0,0 @@
 - op: replace
  path: /spec/routes/0/match
  value: Host(`home.kluster.moll.re`)
--- a/apps/homeassistant/overlays/flat/kustomization.yaml
+++ b/apps/homeassistant/overlays/flat/kustomization.yaml
@@ -1,17 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ../../base
 namespace: homeassistant
 nameSuffix: -flat
 labels:
  - includeSelectors: true
    pairs:
      env: flat
 patches:
  - path: ingress.patch.yaml
    target:
      kind: IngressRoute
--- a/apps/homeassistant/overlays/house/ingress.patch.yaml
+++ b/apps/homeassistant/overlays/house/ingress.patch.yaml
@@ -1,3 +0,0 @@
 - op: replace
  path: /spec/routes/0/match
  value: Host(`home-house.kluster.moll.re`)
--- a/apps/homeassistant/overlays/house/kustomization.yaml
+++ b/apps/homeassistant/overlays/house/kustomization.yaml
@@ -1,28 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ../../base
  - wireguard-config.sealedsecret.yaml
 namespace: homeassistant
 nameSuffix: -house
 labels:
  - includeSelectors: true
    pairs:
      env: house
 images:
  - name: wireguard
    newName: ghcr.io/linuxserver/wireguard
    newTag: "1.0.20250521"
 patches:
  - path: wireguard.deployment.yaml
    target:
      kind: Deployment
      name: homeassistant
  - path: ingress.patch.yaml
    target:
      kind: IngressRoute
--- a/apps/homeassistant/overlays/house/wireguard-config.sealedsecret.yaml
+++ b/apps/homeassistant/overlays/house/wireguard-config.sealedsecret.yaml
@@ -1,17 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  # WARNING - the originial secret was named wireguard-config-house, but we remove the suffix here, anticipating that it will be created by the kustomization overlay
  name: wireguard-config
  namespace: homeassistant
 spec:
  encryptedData:
    wireguard.conf: AgAz726k7X6IsabWUPX8kQ8r19mBq/N+YytlFS1gW2LUiYqc6H/O5/tqma5lLcazuxtsQhebeoitp2SkH7jTU8vRxn2tDWpyzcJr+BW4vKnghw5NhMbkNOzl7mvc7QIJk6rmRyD1umu33v6x8u3St9TVsUOI1zXJyXHxlbLdHVCORhgV79CGLjghpi23KyyFu6LzNrE5rhpB0Q7NzPUmbm5MHPNbtLsmImd/CZ9XjbyXSq0be8BgpUtGDE/NMx65G2+lLIw3EgbNwlirw/XKrM+pUIvEI6CxuNhbEM7KxCYlq2Du6bm7XsKHRzNu9oSfH+P4DaDoDt+M5k5miv4B8TIKXg7piy5mThXSTcVf5YpLJCiTfMDZOriG1ygr9gbJPYY1jumZA+vsZCvBx1o21BlNycWZWKBeYZZh47Hz9FGI/Smn8dOs5exZ34MrQtM4OuEqC/cJY8fdQ+nmGMezL0IKdbtpWgq5UqNH/wWv3F9kItB4KlSD4YtEGaY2z68BJG6t+9igSJCWmVca0EbOzhV0s5rI39ASVXOO50x774EEWUueoyfI+l5vwtQhc96I5Qn3kbFhwov0tHMg/IGBtS/7XdBBtOBx9KbcUHq1GlwWzQdw8WnRB6yyUVCqXyuExRhMPz5orqkTQwiUM2Fjse7xxnaEA0mbi0TVPKV/sFgWixvHqy3VAc1Jj6MEAWFAu+kPVlOFFCckEC5kPhNPFhBMeYX/3IblRjly/EHvrbrW/eFjNYE7bqpSCVhkB8bOXbJqt29V3+ffM1z/RkdSusgqdwid9CXhQw6SKAI/vcAqqxXdzcsbG1wsgP9bJ1Gk/i9ch8zUn7MwcFe6Tla86+xeiDIAmQmA7rhtmWhyyuxXdw+HXAFNhrbxHaUw3LZOExM+RzhWNepjSLnCBqnrtPkzFrHE02JKebWzX+IRZIOsEXJVhKTiSSjoB2v8h956kO+C7bdHz8GbxoJKJ7anrqFG13A//XLy5PvKr50qs/gQptrl9UtR7oj981bSDTVVa8h3OXbGLkZXly/qxsh5DlEjwnw2/2UqS+5yTT4FO/dNVtHryJ2tbc8ZuIHb6C/pQygqpseagthkm5T+Dv0T2xWpXFrvuktGNm58Cwg9bwNMcC6iofcjQP5JeNcat3RwzbJ9xwU4Nm8xLRMMc0ul6xUHRrL3ZjDfWHLuSuTp28HqXZ6xSKLlrRVjwZ6Mp/hhxj58SfVfLVIQxatGkwnIaHEFWE2n3S7m/iQO9tZIWCx5Yfs15atb1Ze8HjKjQ4o3sfaMD8Eokj9aFnXQQxpnOuSI3NLETe79QQ==
  template:
    metadata:
      creationTimestamp: null
      name: wireguard-config-house
      namespace: homeassistant
    type: Opaque
--- a/apps/homeassistant/overlays/house/wireguard.deployment.yaml
+++ b/apps/homeassistant/overlays/house/wireguard.deployment.yaml
@@ -1,24 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: homeassistant
 spec:
  template:
    spec:
      containers:
      - name: wireguard-sidecar
        image: wireguard
        securityContext:
          privileged: true
        volumeMounts:
        - name: wireguard-config
          mountPath: /config/wg_confs/
      volumes:
      - name: wireguard-config
        secret:
          secretName: wireguard-config
--- a/apps/homeassistant/base/pvc.yaml
+++ b/apps/homeassistant/base/pvc.yaml
--- a/apps/homeassistant/base/service.yaml
+++ b/apps/homeassistant/base/service.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: homeassistant
+  name: homeassistant-web
  labels:
    app: homeassistant
 spec:
@@ -10,4 +10,4 @@ spec:
  ports:
  - port: 8123
    targetPort: 8123
-    name: http
+    name: http
--- a/apps/homeassistant/base/servicemonitor.yaml
+++ b/apps/homeassistant/base/servicemonitor.yaml
--- a/apps/immich/immich.postgres.yaml
+++ b/apps/immich/immich.postgres.yaml
@@ -1,39 +0,0 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: immich-postgresql
 spec:
  instances: 1
  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:16-0.3.0
  bootstrap:
    initdb:
      owner: immich
      database: immich
      secret:
        name: postgres-password
      dataChecksums: true
      postInitApplicationSQL:
        - ALTER USER immich WITH SUPERUSER;
        - CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
        - CREATE EXTENSION IF NOT EXISTS "cube";
        - CREATE EXTENSION IF NOT EXISTS "earthdistance";
  postgresql:
    shared_preload_libraries:
      - "vchord.so"
  storage:
    size: 5Gi
    storageClass: nfs-client
  monitoring:
    enablePodMonitor: true
  resources:
    limits:
      cpu: '2'
      memory: 1Gi
    requests:
      cpu: 50m
      memory: 512Mi
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
@@ -1,12 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources:
+resources: 
  - namespace.yaml
  - ingress.yaml
  - pvc.yaml
-  - immich.postgres.yaml
+  - postgres.yaml
  - postgres.sealedsecret.yaml
  # - servicemonitor.yaml
 namespace: immich
@@ -15,13 +14,20 @@ namespace: immich
 helmCharts:
  - name: immich
    releaseName: immich
-    version: 0.10.1
+    version: 0.8.4
    valuesFile: values.yaml
    repo: https://immich-app.github.io/immich-charts
 images:
  - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v2.2.2
+    newTag: v1.119.1
  - name: ghcr.io/immich-app/immich-server
-    newTag: v2.2.2
+    newTag: v1.119.1
 patches:
  - path: patch-redis-pvc.yaml
    target:
      kind: StatefulSet
      name: immich-redis-master
--- a/apps/immich/patch-redis-pvc.yaml
+++ b/apps/immich/patch-redis-pvc.yaml
@@ -0,0 +1,17 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: immich-redis-master
 spec:
  volumeClaimTemplates:
  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: redis-data
    spec:
      storageClassName: nfs-client
      accessModes:
        - ReadWriteMany
      resources:
        requests:
          storage: 2Gi
--- a/apps/immich/renovate.json
+++ b/apps/immich/renovate.json
@@ -1,10 +0,0 @@
 {
  "packageRules": [
    {
      "matchDatasources": ["docker"],
      "matchPackagePrefixes": ["ghcr.io/immich-app/"],
      "groupName": "Immich containers",
      "groupSlug": "immich-app-images"
    }
  ]
 }
--- a/apps/immich/servicemonitor.yaml
+++ b/apps/immich/servicemonitor.yaml
@@ -1,14 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: immich-service-monitor
 spec:
  endpoints:
  - port: metrics-api
    scheme: http
  - port: metrics-ms
    scheme: http
  selector:
    matchLabels:
      app.kubernetes.io/name: server
      app.kubernetes.io/service: immich-server
--- a/apps/immich/values.yaml
+++ b/apps/immich/values.yaml
@@ -4,30 +4,26 @@
 # These entries are shared between all the Immich components
-
+env:
-controllers:
+  REDIS_HOSTNAME: '{{ printf "%s-redis-master" .Release.Name }}'
-  main:
+  DB_HOSTNAME: "immich-postgres-rw"
-    containers:
+  DB_USERNAME: 
-      main:
+    valueFrom:
-        env:
+      secretKeyRef:
-          # some non-default vars
+        name: postgres-password
-          DB_HOSTNAME: "immich-postgresql-rw"
+        key: username
-          DB_USERNAME:
+  DB_DATABASE_NAME:
-            valueFrom:
+    valueFrom:
-              secretKeyRef:
+      secretKeyRef:
-                name: postgres-password
+        name: postgres-password
-                key: username
+        key: database
-          DB_DATABASE_NAME:
+  DB_PASSWORD:
-            valueFrom:
+    valueFrom:
-              secretKeyRef:
+      secretKeyRef:
-                name: postgres-password
+        name: postgres-password
-                key: database
+        key: password
-          DB_PASSWORD:
+  IMMICH_MACHINE_LEARNING_URL: '{{ printf "http://%s-machine-learning:3003" .Release.Name }}'
-            valueFrom:
+  IMMICH_METRICS: true
              secretKeyRef:
                name: postgres-password
                key: password
          IMMICH_METRICS: true
 immich:
  metrics:
@@ -41,15 +37,17 @@ immich:
      existingClaim: data
 # Dependencies
-valkey:
+
 postgresql:
  enabled: false
 redis:
  enabled: true
-  persistence:
+  architecture: standalone
-    data:
+  auth:
-      enabled: true
+    enabled: false
-      size: 1Gi
+
-      # Optional: Set this to persistentVolumeClaim to keep job queues persistent
+# Immich components
      type: emptyDir
      accessMode: ReadWriteOnce
 server:
  enabled: true
--- a/apps/kitchenowl/deployment.yaml
+++ b/apps/kitchenowl/deployment.yaml
@@ -1,42 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: kitchenowl
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: kitchenowl
  template:
    metadata:
      labels:
        app: kitchenowl
    spec:
      containers:
        - name: kitchenowl
          image: kitchenowl
          ports:
            - containerPort: 8080
          env:
          - name: TZ
            value: Europe/Berlin
          envFrom:
            - configMapRef:
                name: kitchenowl-config
            - secretRef:
                name: kitchenowl-oauth
          volumeMounts:
            - name: data
              mountPath: /data
          resources:
            requests:
              cpu: "50m"
              memory: "100Mi"
            limits:
              cpu: "100m"
              memory: "1Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: kitchenowl-data
--- a/apps/kitchenowl/ingress.yaml
+++ b/apps/kitchenowl/ingress.yaml
@@ -1,17 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: kitchenowl-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`kitchen.kluster.moll.re`)
    kind: Rule
    services:
    - name: kitchenowl-web
      port: 8080
  tls:
    certResolver: default-tls 
--- a/apps/kitchenowl/kitchenowl-config.configmap.yaml
+++ b/apps/kitchenowl/kitchenowl-config.configmap.yaml
@@ -1,7 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: kitchenowl-config
 data:
  FRONT_URL: https://kitchen.kluster.moll.re
  DISABLE_USERNAME_PASSWORD_LOGIN: "true"
--- a/apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml
+++ b/apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml
@@ -1,19 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: kitchenowl-oauth
  namespace: kitchenowl
 spec:
  encryptedData:
    JWT_SECRET_KEY: AgAclRIJS25ACVe4NqLQbAree6c6WpTBHnLpe3ZQJ0ScHG/EbW/ooABZj7y1ABAn/mCc+hBYXYHm81FNUfUtSuLKi2UlORbTCsfmisYH49WX0Lpku9LTM/8az9tjE0tjUUrJZcRUuJfdNJMDPQx7IPjUQ7sKk/exFnkPEbK98+AElXyHpPKXd9dxiCgll0n+ksbF9BDUR8KY8IB2Zvh4cXPww578qe/9XYnxLV8uY9K8KPvhl7NI40SIaL4PX8KmsDlBh1bpOR/OxhIwAGEZDQp/KROy6msrIOYW4SHM9nlSUSD4WvV8UjcbV1oNnYpE1usFOuxSfQlJ1zlFepKUv40JykyunvQv9nqVbEogsrS4o5N3gNEaB9yyFSHIlevp32LVpAuZu3cNplmT+Zg7+ODpCWIcVgmOAeapvB+X7H4ScbKVcYLAzrRFDtnS4Vo1M+RERhr0AuMU/tz0lGs99oRkCw2ZIg015R125u0VcRNqzgCtbBM5BFiKiP2kYrHn02Q6o5tRWxDQfrfb0mnfD5c/gM4+btlfM6DZMpr/l1kLlm8PDEpPGbkhK1XiAyJ4erHPDMLcmZXrSyxX9R1g8n7vnLnkqx5LkGmnltQI2FM7StxC6IrMlxY0nPnkq1lHhTz7yCpQJNXgfXZLVvov+f6jlD6WJhYHZCL/hIFfx3ybjGYZwJ0m84lH0OQJQw5dtsbPVqqoYZIPieqdRmHw7M7TTmFuQJXD94lZj5gsln1sMqs=
    OIDC_CLIENT_ID: AgDOxWtGCiFrIP5aWHimrR6bu0uMS1/i1v1Kzo1lIR3j3zlw/Da2oCPNx1ZuhNAp9UMIs2euc8mtrWkyv4R6pcci+IxXiGzlQNBSkMfWu4DwhwlEdnVyCVehfE00t0ytBxX6NeLfS1b8JOtH9yo3e22fdaeTwn/iwGLNwi1BJxMmzk9pVp7jzXH09Zia8UvUmXw5GyGpIOIiGcIfaXkr1ZnY2l30jTw8eS7HaouzfWHWTpNXkMLN3qim4vs/B1Sgz/y9tUyVo/qMhWLdEcVklYHT7xHx03SPD7RtK+zdYZCqvDtj+tsdpYHt05zeGV+wflNQuiocjwP8TW7vhtbjKrf9lQIxB5CErju178ELOVrpsPBAYMgdEl7qZeKdSpydIwe3VbOg3XJ7O/Ps1KSnRYwrCvgE4ZCMm3geHyJxSiKRhBcuVYz5JkNd5ylD0Eq9NL5RCqJ4szL9NaGNPbzkvcdZzAnbTYFTzyqZ+XHX/BUFisXl5bKNHtaqAsOK8woGYnxJiawKRrwDUmHXU4RB3QiPCPhHSLU7OkvU+XDhyQqLa8bKEQzj9dUf4bX3Savk4noiRsXMYJznAlgMPo0Q4taxVIoyQHELYwIIdP5YRuw27B9wKUR7e2hhu4FTOEcyhwuFql3OuAjq8HJCDX6+COkL2WYFFxWBnbSCYEdzfbMBCHjrUUonijcQluU2VbaHODNMAvB16MRKapAW
    OIDC_CLIENT_SECRET: AgAylnSUXwInlh/WvyCiFz+8asbCSZA6kk84Rt6l7bHVYw34c58lJHsZK2OvOIlHuaMe/ewnTqxVd0hI1Azl+wd/5NygMYlntKquq0vuzlhLrGc3u+0SOn9N2P6quA3slF9KR94CYsDx9ogy+EsEoA1yrsydB8S0g9W8syraR1MtpM0ZkcJ/D78OZ6qzyXUuBNAZc+iX/r96NvoMiGNYavgG7npOJh/pkKNYPuNkt4zpbAFjVyoCfgZd4V2nmZ6dhEVy8odW+jcsMn6OJ1OZVlPb1beq49lBEcaJqk83ZtKbq2evtBYHw9YAnENVq92ecenw/YL5LXUhOxeN0M9Amo99/O6pQwwrT1mtZqhTTeTIZTAxqmJKgyxGhE4DJUR/s71bc7K9hd2WvdAYnCyVC2uGa0MwXp4V7UuaN9GerldT8lcFxOpRnD7yroqVTqebjAJIkIinp5NNZ2ZP/LCiCwKKHHT19Pchn615WOPTofC6es/spIdQ8a1Nf2J5YzvRjsduFS55U6tMaC7cuV8kqKH9xTTf/sDHt+68wVEAO9koAe1zpO+zR2Pq3VuCnvcDGIwXopXjvyjfujEEhEWZl51PVJLZqtkP5Wg2wHvlgjJBbbIGTrqh4xa9pK7wLDM2hUFx1q/YKqwfP0EGVTc96G8Wermj0DtIqclqFLr54DtxVe+Rr8J4edG6YQ26/seYsrZ1Oq2PejHQt8u9EzQYAtYYlBsw2ujCWys6KrbhaVr3
    OIDC_ISSUER: AgA2JPd5axkL5YIRA95qm/iH8wgM2J0AjKjgGClWabYJ3UKIk0hi/L/zR+1Pw9Z+6amYXj7Q0FxLqCcNYG+H5ABxnqUi7Gl8gvfVbegaO3q5QiO27g18RMDssNHDSun8PPaxHBvBD68hxgsaXntu8sZavCGdwEK0TzLJi7eH/4jtHlofzfYgaCsGqeOBgvs/q87PVJ/qxazXlY9e7abbRAKl9ZMY7Wga58/IU2HhWwYMvI53yQyGMcKf3XiI9iNHgIcj1+TmlgQo+PRKyopNfzgFbey7on8woQXphY+ioqQ0hyworpxAVoWlvzKKopt1xBDr4zxzkzbWyxtjwPVOOH3iyenZz8tZa/JkNYWxkWHbh0KCs9yUIji3D3shQOFM/NtE17THsQm3NgpZ2lg9ET1v6uXqwfOLiQ+J1JQLwNFnYeruH2lK4EGt2nDCq2VycOIjW4kMpiJ4LiT8gap9HwYjTpAn+opicYn5e9fmpgiHdMPvrsG1m9edg0cbwdSpEelliHnAUfKsxMV2e1fLsga6yrhBLSXIQs8rbURRa6wqVvGoLB86a9Q5Rm94Jfm0Sa9v5LMGRYvqO5LbLrjrR8e/2r17pHQE8ynMQCAW1yVTe09FcgRwYhDUohfThtjIh16sdoC97eUel7fo/POt3atP69JsCIBZstprhVtBIBssmavpIotVqi8F2/yUkhrZR26mH3gsOxkNTEk6XzHHtJRu0cU+BmObTvYgMi3DHg==
  template:
    metadata:
      creationTimestamp: null
      name: kitchenowl-oauth
      namespace: kitchenowl
    type: Opaque
--- a/apps/kitchenowl/kustomization.yaml
+++ b/apps/kitchenowl/kustomization.yaml
@@ -1,17 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - kitchenowl-oauth.sealedsecret.yaml
  - kitchenowl-config.configmap.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: kitchenowl
 images:
  - name: kitchenowl
    newName: tombursch/kitchenowl
    newTag: v0.7.4
--- a/apps/kitchenowl/namespace.yaml
+++ b/apps/kitchenowl/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/kitchenowl/pvc.yaml
+++ b/apps/kitchenowl/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: kitchenowl-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/apps/kitchenowl/service.yaml
+++ b/apps/kitchenowl/service.yaml
@@ -1,10 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: kitchenowl-web
 spec:
  selector:
    app: kitchenowl
  ports:
  - port: 8080
    targetPort: 8080
--- a/apps/linkding/kustomization.yaml
+++ b/apps/linkding/kustomization.yaml
@@ -13,4 +13,4 @@ namespace: linkding
 images:
  - name: linkding
    newName: sissbruecker/linkding
-    newTag: "1.44.1"
+    newTag: "1.36.0"
--- a/apps/media/kustomization.yaml
+++ b/apps/media/kustomization.yaml
@@ -12,4 +12,4 @@ resources:
 images:
  - name: jellyfin/jellyfin
    newName: jellyfin/jellyfin
-    newTag: 10.10.7
+    newTag: 10.10.3
--- a/apps/minecraft/README.md
+++ b/apps/minecraft/README.md
@@ -1,11 +1,3 @@
 ## Setup
 Because minecraft is quite sensitive to io performance, we want the data to be stored on a local disk. But hostpath is not well supported in talos (and is not persistent), so we use an ephemeral volume instead. In order to do this, we create an emptyDir volume and mount it to the pod.
 We use an initContaier that copies the data to the local storage. Afterwards, copying from the local storage back to the persistent storage is handled by a preStop lifecycle event.
 This way, we can have the best of both worlds: fast local storage and persistent storage.
 ## Sending a command
 ```
 kubectl exec -it -n minecraft deploy/minecraft-server -- /bin/bash
--- a/apps/minecraft/curseforge.sealedsecret.yaml
+++ b/apps/minecraft/curseforge.sealedsecret.yaml
@@ -7,7 +7,7 @@ metadata:
  namespace: minecraft
 spec:
  encryptedData:
-    key: AgDG6apUvB38rB9tH+/ya5Af/32IUJjHiEGZFdYYqesuqyPB/qf99EtC/7CwqD6bDQQPVycJVcxwZuF8QtYfPXzv//yMkqEUJ2G1/Q5J8I6bjNGLR636UhliUpCkH1QDOspWJUjwKDVxlFN9l0g9UajvxnqLyGzbWPeay0sJEBvAY8ltEZpLP21V+GD+HgPk3HIfSFFBMsULS6GPCjMaFxkxQb6cG3K4Ej4NHCHRGOmax+4Rk7lwMyAHlXLlrwj/ytxrnHDWrugLIJE9KKmJn6UVNTuk6olgkhleg2PixV7oOiDVyu9ZQP8wbdppzRix6dnIcFEYJ1ZDK1rNF5QErYO0gBytiJnSsdFO0jUMsdBrho2FgUc5GgIdmgXWJJz3lrGFqXaRVvbPsBZTUAsQRh2+4IfqfWmAkEjBcjs1K8WWJfS+rO9e02KoHBT4decdsd8Qfr5EFdPIzMrkUoRMI9CJnIa5u2nR08Hhd9iojbL64FZ26kXMODtEdKmlo+HwjufLX5rYJVSfOyZYzivd/kgKA87YTFaMLKej07w3ofGrPYSoCnmLfJyoQdNyJhdonBDsgM1GgRWQZDpgJ1df0SB02A5lZ4V7lHWr8KlANv9YLuMoZnVehsH1NZjNQHDInIRiTLahEBbjcJzQz4vU1UWG100ATszEYKOUVkzPnTgkqKYU99ZQ23bHP8z7iAWQeumb6V84NTi6jNITBvU4yTFLuAiI3nW34Vb1mFVLwfWqMjEYX8gBB4yMSaVshB/japfkyXU0pYg4mK9gsB4=
+    key: AgBYeAiejdmxDBorvgnxQX5YvUhR3NId2vfWybMKlc27e6D/bKglLNyZMk70xSnFAPjcDmZ20mYjFPYvDOr9T6IU/REJ8QlzoKAn0xW779R4SkIxRToT+dJv+OM2avgQ9uqp7vja29xeXMjYAnQML+QGZKcrT8mE04G/Ty8rdUiv3yUXK5HFAR3SUF35aVLdlthLjpRkv1s0R7GAP4L2pNzBJNV3i37viceUSSjU0zpOa23fsQOkPAs67AIukAJBqh/hyF/hR9H1GeYZNTI3OcHcvC2iNk/XGstvv0Zy6ApzoebsfWGdsbVn+QUI0EBw+mSTPqpl71cbkz0v4S4XAVndosxWpe6AIgm5MBTU0FXIyGyoFDe1aMPq8BXiQikYVwB48oVNh9KF0xXX5AOG0whB/FEsL3OJsiNQvQ3R/Hru43JBn64oxjVtLfM3E7u8v/xr1VQahX8dylDmb4s5EV01U6O4y19Ou4td1eEMlhpJb0fBPDRUYuWxZAEDGmp+U4tAakyPed11VkcZPPn9fKAAcv8sGs3TYAbbF18hqsBnv2Wd+i7ZEvKwmdmfR/T0r1TJGsvKI7jaW0QtH256XrSxQp7a52qMKMVQWOSKw2k27t/IkRhxT2Prw4GfJvaVr4RozUaBf3LV/hfDWlDfmM2zg3X9W8HkzjotGg021OLxsa0Wzmhffvb8h4bvZwxeq3U1xaJocqXui7z0rT2pF4z3wYHR/lPtexHcOA2M8gfBGKb1rBKh+kW+N+/ZfVLNI0mokg5vrTO2nR2rb4c=
  template:
    metadata:
      creationTimestamp: null
--- a/apps/minecraft/job.yaml
+++ b/apps/minecraft/job.yaml
@@ -4,27 +4,14 @@ metadata:
  name: start-server
 spec:
  template:
    metadata:
      labels:
        app: minecraft-server
    spec:
      restartPolicy: OnFailure
      initContainers:
      - name: copy-data-to-local
        image: alpine
        command: ["/bin/sh"]
        args: ["-c", "cp -r /data/* /local-data/"]
        volumeMounts:
        - name: local-data
          mountPath: /local-data
        - name: minecraft-data
          mountPath: /data
      containers:
      - name: minecraft-server
        image: minecraft
        resources:
          limits:
-            memory: "11000Mi"
+            memory: "10000Mi"
            cpu: "5"
          requests:
            memory: "1500Mi"
@@ -42,13 +29,13 @@ spec:
              name: curseforge-api
              key: key
        - name: CF_PAGE_URL
-          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/6807187"
+          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5413446"
        - name: VERSION
          value: "1.18.2"
        - name: INIT_MEMORY
          value: "1G"
        - name: MAX_MEMORY
-          value: "10G"
+          value: "8G"
        - name: MOTD
          value: "VaultHunters baby!"
        - name: ENABLE_RCON
@@ -56,37 +43,15 @@ spec:
        - name: CREATE_CONSOLE_IN_PIPE
          value: "true"
        - name: ONLINE_MODE
-          value: "false"
+          value: "true"
        - name: ENABLE_AUTOSTOP
          value: "true"
-        - name: AUTOSTOP_TIMEOUT_EST
+        
          value: "1800" # stop 30 min after last disconnect
        volumeMounts:
        - name: local-data
          mountPath: /data
      - name: copy-data-to-persistent
        image: rsync
        command: ["/bin/sh"]
        # args: ["-c", "sleep infinity"]
        args: ["/run-rsync.sh"]
        volumeMounts:
        - name: local-data
          mountPath: /local-data
        - name: minecraft-data
-          mountPath: /persistent-data
+          mountPath: /data
        - name: rsync-config
          mountPath: /run-rsync.sh
          subPath: run-rsync.sh
      volumes:
      - name: minecraft-data
        persistentVolumeClaim:
          claimName: minecraft-data
      - name: local-data
        emptyDir: {}
      - name: rsync-config
        configMap:
          name: rsync-config
          defaultMode: 0777
--- a/apps/minecraft/kustomization.yaml
+++ b/apps/minecraft/kustomization.yaml
@@ -8,7 +8,6 @@ resources:
  - pvc.yaml
  - job.yaml
  - service.yaml
  - rsync.configmap.yaml
  - curseforge.sealedsecret.yaml
@@ -16,9 +15,3 @@ images:
  - name: minecraft
    newName: itzg/minecraft-server
    newTag: java21
  - name: alpine
    newName: alpine
    newTag: "3.22"
  - name: rsync
    newName: eeacms/rsync
    newTag: "3.0"
--- a/apps/minecraft/rsync.configmap.yaml
+++ b/apps/minecraft/rsync.configmap.yaml
@@ -1,42 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: rsync-config
 data:
  run-rsync.sh: |-
    #!/bin/sh
    set -eu
    echo "Starting rsync..."
    no_change_count=0
    while [ "$no_change_count" -lt 3 ]; do
      # use the i flag to get per line output of each change
      rsync_output=$(rsync -avzi --delete /local-data/ /persistent-data/)
      # echo "$rsync_output"
      # in this format rsync outputs at least 4 lines:
      # ---
      # sending incremental file list
      #
      # sent 145,483 bytes  received 717 bytes  26,581.82 bytes/sec
      # total size is 708,682,765  speedup is 4,847.35
      # ---
      # even though a non-zero number of bytes is sent, no changes were made
      line_count=$(echo "$rsync_output" | wc -l)
      if [ "$line_count" -eq 4 ]; then
        echo "Rsync output was: $rsync_output"
        no_change_count=$((no_change_count + 1))
        echo "No changes detected. Incrementing no_change_count to $no_change_count."
      else
        no_change_count=0
        echo "Changes detected. Resetting no_change_count to 0."
      fi
      echo "Rsync completed. Sleeping for 10 minutes..."
      sleep 600
    done
    echo "No changes detected for 3 consecutive runs. Exiting."
--- a/apps/monitoring/grafana-admin.sealedsecret.yaml
+++ b/apps/monitoring/grafana-admin.sealedsecret.yaml
@@ -0,0 +1,17 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: grafana-admin-secret
  namespace: monitoring
 spec:
  encryptedData:
    password: AgAwMLnsYN1y8JQSqgGQbNG/8jKensTDsEw6ogITdkhDRlJcg8HQ5t7a6xLzNCrLHLJiQW8YOoyLT4lvFkBRMOa2EYcrDvBiRD0PjygWLIscKa7dA+jpAUf/icD9zsiDnTym2yf+VUANcmEgE6DiNvlcsrcmYqiR4pKVUTDlKPNOjOpTJ3nXETb3/sbt69E0JSGwtkvusYQSXKLU9KLbciihv+ycdkdlC9xy9myd4+vYZYXSh/eAvyZeb/hsmdSX7yaASmupMvet6Qsdt99PNzFQxtbQH+LQvYalVZ8bjWZQvCN/p0bA4H15otKBfe8rtEwVthgvyEvo6TK0Mg0pFY/b3AOGFmImnT3rDmgG6S8KTZH0Jce17ksFqvELQmHjqHuYpQsPDl44glM8kWRJ9Mf/Z424LRwZlJNVcOkuVl4qFqPUjzd2rWIyF0RaD0BE012C0ThJxKn2l17lVJbNtdUiR3qNpW01ot2m0CgKd2kXbjDmgRgAll4WgrukfCIn9ZnE0gVCFLJuK3MOQAaipFYy/bDO0izwl9T8nldgcI8OfiC3NTk2O+Es5jJRXu0oJGaC3HrTB7wXiwOoELvAsxLTPxKBiN9mCHCMtZX0PEtrio0dFRQ6Pi5xPng0KVT0I9dvGNsPdhPETNOB913WEvbgP8Gt3cj016nCzk51eUsYbXPpNL2B4kmbIhecqW/8kwKQPwYjVlBSXj3NxjzwMY6PvOl1
    user: AgBqmjCYGMqy5zBE+vhtsynOvhWdHWDJDyl1D+laBtLjXTJwzRbNTdunHYo1ekwyqQ6Cr5pi4YMiLxAl1LIHF+Lfsp2QlY+ResAGzp9WgSBtNQDX3EmLDQofeWxMUDdMtMsE9wiKLCfNGDkRDsGquXTz+YFq03m1vH9cB8Bp+1ClWOTui+/Ce0MZlWsJZX1W8WXH7XTirtwUo0s53pc4AplUUH97ZEK3KSIxWa3gLCn0sAPDDLPX+JVA2xtpMq1XuVFiFifjzEtG2h0dejiF35FtSAR+rR4YmEfimk3QpRDfOqV5QUxvjCG+dTV49upSevF2mvbHW+o+lB6vEc6l9cZXvlbnMdaep3NmOsJcJ8wQIdFpFK4iVzFOTKSEbzLPlZ/J+sjS5vDXsfthorIO2faMA1iIf+I663zNxQU5btaK4TNYOZQlrFVjAmioRLkDhGZ6tDUPX/zMv+Crt+0HCwyEyhmvFZckDvezTZrxARSXXMKBVcvjHCyUNkz7ubZRiMU0PGM7fYuHr659e+XMRvj+LFA68ZaEIzCQpCFJenWWYAXgUdRG4LQ1LP2MwvRHpkOYSoRkHIpX7jOfhX82A60h/ta/CdbWifqNyL9OecvE3FKsZu/Kr0taw9W6nm6FBhQLgFkOnFrqp9dWnxfHruXuDBgcn0iE8nR7Ht2zS7hfQPeR4a3Y0xK3Plqbzdrb9HKnWQQhf14=
  template:
    metadata:
      creationTimestamp: null
      name: grafana-admin-secret
      namespace: monitoring
    type: Opaque
--- a/apps/monitoring/grafana-auth.sealedsecret.yaml
+++ b/apps/monitoring/grafana-auth.sealedsecret.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: grafana-auth
  namespace: monitoring
 spec:
  encryptedData:
    client_secret: AgCcKsnS3u2eI+fNVC9hAZ3QRFOHFErAzs5aQgX51CSdJwM03SZUoTyrDi5JPcHUVyS3MbevFH5piMhDTARMI3bLOjYlcwMbpf77JCPa7o95Y9asA/FW3lXicYt3biN9xBXJBz7Ws3fVRtEzyf6DmbGedT9gaX8aPwrUVbP19RdyJiuu76oB1A/jdUkX4K+X6kVvmoP/BWdypk/kdQJrzBNt00DIXF4NHfYey36AuhpBtqYZs4faA/tBXMXLE4RxPNtcHwNfVjnRj3v3qzNufD1fnweJvLq2UfLMrQjoR9XDVnM0zkpautylkI7yrvcoEH7ljnf6b1FMogOEZUfH1BIdqTd/WwrrlCqE58OPfJWthIfN+pQ8LvdHsGo3jc9gXvfXS2cStyhP06eTZ4D79kG+RtDQGOsD/Wpx7EcM6hbB3+dIjcs3wEAIGjpIVtY9JayW8YeRnFApMuhDST1+hscm+LdoGvaSTlAuGzv9BbVrPX/Fo9XKeYHlbG/x71Er+vF8WbW0wUa46MHLvbEy376XIdJDYi+vjl4eqznZ6YhvPbawhoKXT8ZcKUcUAjVcMue/O/jCSPZplbn3vdSCeqPTiqVqDw9PTMIeWFUepgPMxiGpFRAqdwIecFBnYItq0dXoGlFrZpo0S6AECgZjxzUR5EgdkdPlDDs2CN+d9yP7f2S+gmL7AIlQr74NW1GrTGw2x/rD4IJhunh7
  template:
    metadata:
      creationTimestamp: null
      name: grafana-auth
      namespace: monitoring
    type: Opaque
--- a/apps/monitoring/grafana.ingress.yaml
+++ b/apps/monitoring/grafana.ingress.yaml
--- a/apps/monitoring/grafana.values.yaml
+++ b/apps/monitoring/grafana.values.yaml
@@ -35,17 +35,13 @@ datasources:
  datasources.yaml:
    apiVersion: 1
    datasources:
      - name: Prometheus
        type: prometheus
        url: http://prometheus.monitoring.svc:9090
        isDefault: true
      - name: Thanos
        type: prometheus
-        url: http://thanos-querier.monitoring.svc:10902
+        url: http://thanos-querier.prometheus.svc:10902
-        isDefault: false
+        isDefault: true
-      - name: Loki
+      - name: Prometheus
-        type: loki
+        type: prometheus
-        url: http://loki.monitoring.svc:3100
+        url: http://prometheus.prometheus.svc:9090
        isDefault: false
 dashboardProviders:
@@ -85,15 +81,13 @@ grafana.ini:
  auth.generic_oauth:
    name: Authelia
    enabled: true
-    icon: signin
+    allow_sign_up: true
    client_id: grafana
    client_secret: ${AUTH_GRAFANA_CLIENT_SECRET}
    scopes: openid profile email groups
    empty_scopes: false
    auth_url: https://auth.kluster.moll.re/api/oidc/authorization
    token_url: https://auth.kluster.moll.re/api/oidc/token
-    api_url: https://auth.kluster.moll.re/api/oidc/userinfo
+    api_url: https://auth.kluster.moll.re/api/oidc/authorization/userinfo
    tls_skip_verify_insecure: true
    auto_login: true
-    use_pkce: true
+    use_pkce: true
    role_attribute_path: contains(groups[*], 'apps_admin') && 'Admin' || 'Editor'
--- a/apps/monitoring/kustomization.yaml
+++ b/apps/monitoring/kustomization.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: grafana
+namespace: monitoring
 resources: 
  - namespace.yaml
@@ -17,5 +17,5 @@ helmCharts:
  - releaseName: grafana
    name: grafana
    repo: https://grafana.github.io/helm-charts
-    version: 10.1.4
+    version: 8.6.4
    valuesFile: grafana.values.yaml
--- a/apps/code-server/namespace.yaml
+++ b/apps/code-server/namespace.yaml
--- a/apps/ntfy/kustomization.yaml
+++ b/apps/ntfy/kustomization.yaml
@@ -13,4 +13,4 @@ resources:
 images:
  - name: binwiederhier/ntfy
    newName: binwiederhier/ntfy
-    newTag: v2.14.0
+    newTag: v2.11.0
--- a/apps/paperless/kustomization.yaml
+++ b/apps/paperless/kustomization.yaml
@@ -14,14 +14,14 @@ namespace: paperless
 images:
  - name: paperless
    newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.18.4"
+    newTag: "2.13.5"
 helmCharts:
  - name: redis
    releaseName: redis
    repo: https://charts.bitnami.com/bitnami
-    version: 23.2.3
+    version: 20.4.1
    valuesInline:
      auth:
        enabled: false
--- a/apps/recipes/kustomization.yaml
+++ b/apps/recipes/kustomization.yaml
@@ -13,5 +13,5 @@ resources:
 images:
  - name: mealie
-    newTag: v3.4.0
+    newTag: nightly
    newName: ghcr.io/mealie-recipes/mealie
--- a/apps/stump/deployment.yaml
+++ b/apps/stump/deployment.yaml
@@ -1,48 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: stump
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: stump
  template:
    metadata:
      labels:
        app: stump
    spec:
      containers:
      - name: stump
        image: stump
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 10801
        envFrom:
        - configMapRef:
            name: stump-config
        volumeMounts:
        - name: stump-data
          mountPath: /data
        - name: stump-config
          mountPath: /config
      volumes:
      - name: stump-config
        persistentVolumeClaim:
          claimName: stump-config
      - name: stump-data
        persistentVolumeClaim:
          claimName: stump-data
--- a/apps/stump/ingress.yaml
+++ b/apps/stump/ingress.yaml
@@ -1,17 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: stump-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`stump.kluster.moll.re`)
    kind: Rule
    services:
    - name: stump-web
      port: 10801
  tls:
    certResolver: default-tls 
--- a/apps/stump/namespace.yaml
+++ b/apps/stump/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/stump/pvc.yaml
+++ b/apps/stump/pvc.yaml
@@ -1,23 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: stump-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: stump-config
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
--- a/apps/stump/service.yaml
+++ b/apps/stump/service.yaml
@@ -1,10 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: stump-web
 spec:
  selector:
    app: stump
  ports:
  - port: 10801
    targetPort: 10801
--- a/apps/stump/stump-config.configmap.yaml
+++ b/apps/stump/stump-config.configmap.yaml
@@ -1,8 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: stump-config
 data:
  STUMP_ENABLE_UPLOAD: "true"
  STUMP_CONFIG_DIR: /config
  ENABLE_KOREADER_SYNC: "true"
--- a/apps/todos/kustomization.yaml
+++ b/apps/todos/kustomization.yaml
@@ -15,4 +15,4 @@ resources:
 images:
  - name: todos
    newName: vikunja/vikunja
-    newTag: 0.24.6
+    newTag: 0.24.5
--- a/default.nix
+++ b/default.nix
@@ -1,16 +0,0 @@
 { pkgs ? import <nixpkgs> {} }:
 pkgs.mkShell {
  name = "infra-shell";
  buildInputs = with pkgs; [
    kubeseal
    yq
    jq
    kubernetes-helm-wrapped
  ];
  env = {
  };
 }
--- a/infrastructure/argocd/argocd-cmd-params.configmap.yaml
+++ b/infrastructure/argocd/argocd-cmd-params.configmap.yaml
@@ -3,6 +3,4 @@ kind: ConfigMap
 metadata:
  name: argocd-cmd-params-cm
 data:
-  # server.insecure: "true"
+  server.insecure: "true"
  # DID NOT FIX RELOAD LOOPS
  # application.namespaces: "*"
--- a/infrastructure/argocd/argocd.configmap.yaml
+++ b/infrastructure/argocd/argocd.configmap.yaml
@@ -3,9 +3,7 @@ kind: ConfigMap
 metadata:
  name: argocd-cm
 data:
  # enable helm when using kustomize
  kustomize.buildOptions: --enable-helm
-  # disable admin user - use oidc
+  # switch to annotation based resource tracking as per
-  admin.enabled: "false"
+  # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_tracking/
-  # show neat status badges in the UI or as embeds
+  application.resourceTrackingMethod: annotation+label
  statusbadge.enabled: "true"
--- a/infrastructure/argocd/ingress.yaml
+++ b/infrastructure/argocd/ingress.yaml
@@ -9,9 +9,16 @@ spec:
  routes:
    - kind: Rule
      match: Host(`argocd.kluster.moll.re`)
      priority: 10
      services:
        - name: argocd-server
-          port: 443
+          port: 80
-          scheme: https
+    - kind: Rule
      match: Host(`argocd.kluster.moll.re`) && Header(`Content-Type`, `application/grpc`)
      priority: 11
      services:
        - name: argocd-server
          port: 80
          scheme: h2c
  tls:
    certResolver: default-tls
--- a/infrastructure/argocd/kustomization.yaml
+++ b/infrastructure/argocd/kustomization.yaml
@@ -4,13 +4,14 @@ kind: Kustomization
 namespace: argocd
 resources:
  - namespace.yaml
-  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.1.9
+  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.13.1/manifests/install.yaml
  - ingress.yaml
  - argo-apps.application.yaml
  - bootstrap-repo.sealedsecret.yaml
  - argocd-oauth.sealedsecret.yaml
  - servicemonitor.yaml
 components:
  - https://github.com/argoproj-labs/argocd-extensions/manifests
 patches:
  - path: argocd.configmap.yaml
--- a/infrastructure/argocd/servicemonitor.yaml
+++ b/infrastructure/argocd/servicemonitor.yaml
@@ -1,77 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-metrics
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-server-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-server-metrics
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-repo-server-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-applicationset-controller-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-applicationset-controller
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-dex-server
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-dex-server
  endpoints:
    - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-redis-haproxy-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  endpoints:
  - port: http-exporter-port
--- a/infrastructure/authelia/README.md
+++ b/infrastructure/authelia/README.md
@@ -1,8 +0,0 @@
 ### Adding clients
 Generate a new secret + hash:
 ```
 k exec -it  -n authelia deployments/authelia -- authelia crypto hash generate pbkdf2
 ```
 give the client the hash, store the secret in `authelia-oidc.secret.yaml` and seal it.
--- a/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
@@ -7,16 +7,13 @@ metadata:
  namespace: authelia
 spec:
  encryptedData:
-    client.actualbudget: AgCfKgV0f3oEB+04Xk7qg3bE4omsXQQxTga/5O38714RNSSeYtcBTcVGbfu7jfOmuVOX8OXQPIWhcHRVnHdOyd75mEpAmYyHw5M9RfqoRHWRPgzu2lBIMHxrFXoy6Vr5b7UXAfpdKPcQddERFqSy+uklO1npwbPHh1YMdDxLGA7l+HQo+rVnShiUbFUJeuhUoZAsluO4awBWmG1jyiwVRjlc1MiQFnvy/lZHnJJ7PAGgZxtoKfG2zATuFaJXHLPuqhV/fPclegKCbY6FdaQUmiQqZqH2tQlsTNOykozY1/VToLJNQw4RZwhS1mA3giM+zPOzdwWtxZg9LLWzm9oZjNbJU0LZX6E2tmQ6vZl9UBRfVx5Vx1ermNTLmWkvFybX870uRRRTF79N83v5q2QbM4hVgSkKZwwplzodoveoQYtpPL6oJZFxiPBR8VoBtIG4gUHUiMmdKJg4Fs+IsvECOE87JmZHsHVgRhNcCi6uZrobk1D9CFCsyIJog0h/U5zxlMHc8GcTR+p+zvkawooD12n4TB/2lOm+yL3/VPx0j8Y1H2xuYk7EorMGsYiQ+Q//HNZkpGsTRlVYTQp3napvsbvBK+Ekh8tPHsIWGSQueK8k6T1wTAUQaBhWdorwKre8oeBpdG4BgX17MRmeYs+vkJx/sKGhBMHIx2wFROXZIWBzo37nHHRIfjSFkIcxZGwPLoQ9YSVn44XCRQh7zE2ZRzQKV+d5Hs70GHiaFwzZs+sd7wDd211p027AYdLIiDpBwO/f0bgQzvBMBNWZ83InGa9s+r2LruxVj+wD0dnw73SgEiZR2TvFdBpj2T+YMCcMnIVwulpm94cWhEIFgRQwIKmwdfTWB7HdN84Jf+bi4SgRcvpRVw==
+    client.argocd: AgAO/s+1K/QyLFsj44qAsgj+qS0qE7Q1De6cjc8UpsXDTQ7Y1SrP+NP8K7mZwGgQ1ItJN7bsIo79CFi4wLVEUOmAhu9dFwot665F0iwA8aUrcohk9xfqxqcv0A80i6mbchd60/GTaOTiQ6IFbeKBsxdv37NhvExHia9zdPFBVZoor5gmfZi1l8Aujge0dHqN0Qtg6R73b+abiJZS/h24HmETPJnRARK9aX1HSO8syBv2cxOuX3oYpVT8qvw+J2pgF7pD7YF8ZXG5v8VkXLn9vZ/EznTRNPguGC7YZgEXB9dvSJMcQ7KXNqtreKtSJk9V6EuhHHteHAlrCMdJ/UILUx+S1MLdSlnmoXHLU4oXITI688ZiGxtp0MyhknKPk/rRHV8To/lbEswy16j39ES4+vV7UgBVIvl4Ds51C39VC5G3gKL4xuEWbSuXv3oNbIPQzNZXGPkn77f4A7NQy2Wnp9G8RKtJSQqoWaOCNoytngyIkEy/Z6tbNFmafRvEKSSNLMVeH8nChpbqCwVBTrk1jASYFPW8sIlVh9zia2uihiHzIxdKOQXsvWMSGLdFSSiG0vlC+yeBb5PhWBA+0nAsKGO88a916E9B011w9qK/92GOcYaU/Kgyo6CnseVyJgSjv6d2IHxKTHnQtWpEQEHO2VEVfuqiISDz8rSCFbM5U91Qly947bRMCXXY8GuFnmlNJpqq7QPp6HRZBt4ZfRmkI/E5y7Nb/L/SfXDJsjSd0z4U0vJi1tYxIs0XnprhxjkuS88ZuqdEZaHxG8PMrACSltKzZhwBnjImb2LuOF3mUitngF2YQ5L4q5S7AcOU4fVHwoK+wONNCEjI63RiGo7DTm1AwM9lA5gM0pQSU9T1JqWtYcPZVg==
-    client.argocd: AgDArHcXxQMBvhBY0hwOYqal31JlFna7GQg6s41+XAUTsb1ahFeCCFfLv/WI993y5NMvH3CpnJtPFiunc1JT4yxLTZROKVrSrwjjrDKRuVt57lb8lz6gtNR3ucvpTXjqEO6FXTNL6w+j+ZIWybrdBUheQCj41aYvQ7TP3lTyLcxQSL/UpWLKnXW+jkibqsDqVVaGG26gNniOBg2GoI1bWHvZ+ZUBy/eZflOH9lgLo1vMNw9M+fP9EeuU3CDj717zS00n8X/vDAxGJF7AIVbllqNRX0NilgKwYCfoS79fuUYhzYSI1jYMPCQvdlTLa4bA88wfkomZstVgVtWxel0IaulDOnDgKYonkRqlCDYw+oMC/d4k3xKTEugfV9Ihx9isYZYv4+31v6QTkXFFj5VQlWSDDPllmV1XWfAdRDwT6CVhg5tKWOPWb/YHZJz+idDPEGn5qiklJ7Ar9YEJfuzkfAjCaq4XBjDFKyTfZGeTuLjbq6HnigKlQFdSNOG64QzBbQu6tmR5otipQDbquxhzGRDdCP3uPFy/CXNOn1J2UrGZamWdQzrO6lQQBypFHGAV4ltRrQcp72krPIeL4hPLr8WbUwbUFtESSN2aOYWqs+hnAmcxqy3hqEcouky1K+drgqsAgTp4EkRRwnQXHGrAi3bEeoPqoS8Ec0xfgs529322acKyjOLEObqtNuC/3hg5kNL2fu58MJeoJ1Q2U9pvbAsCrpHJHd9DmHbVwC6orBfL1P50USvTsFm+UikdJpfesLxEGDiUKSU2Al6ntHzswcB304J2Zdb8zrIZaFXs+bmSUoT1Ml+/PqySZc04Fgt7uNBh48nKsl2OlmdGKiKXafxTVBewYWJd6uDkji375i+Ji/5rEg==
+    client.gitea: AgAbX2GgysUuAg3TLLK7Puhtl+L8x4cQOGo+3TP60DPms42Tw6oihHQpSTzIEetdaqJ/QWrdB2FQfzhKQVM0hQji2uVH34SyzvP5TepJJSURUZAHGRiwhb/E7S8ag/ybBWQ9OIQzMZBiOOyDULrhmjbtr/CbozwmvdTIKiXIBLxQbXA9PjcM76UyYZAr69wP9a6xOzwOZgQ2/aJbWEFnItreUaqY76FHzKwkcPkzwPPryD7jvpVoLC2ZsbFLCptKbaCpRuHNQgHblWB2dj5wkFRGmNyHH7mglq9A2FbB9uiAD+2K2tgYgSc4yGaeGIvu/Qbnioc4F9nTT4ZceEtMu+sn1gVWy3kKkUDOvCcGUALo759/FuyTQ8JKKJ/zLYHhCJ8IAYXFhALe+aQMZbcycbD9KU8Iepq1DCTsyjpbM9K5w0D5ZnBf3V9IemjtMNaCllDq1Io5mPQaxlyjsWIDgvXIP2KEGekSlnh5O2yNCQl0gLAKM245B0lxyRgr22lTH9AJacbIVevwdBq0B+iSm/JGJvWjwLzfL5D41HY0Z6ZLOLUFKnTHQGiRp2+g9ysg+38aOQ1PUAXlloXM6UVnEHdahyvuPmAfo34f8vSaSrT1b3Xp0MzxUwxzl0bXO9wQ/As41qpI/DKC45CFDl1yQ3/+LOggAF///peSyzUNYUvbqB2u5KWNrLulXO11IKffHYeiwfeINxB0B3Rzxpl2ZBm4k8cauArTneYYcic+DbweY3WjcFQPCtfQiiS56S1wQeF9xgZfL2WNQA3qnnsB4mYyCLxH/oJ2JiiKrISPUmEcERnU8rdUelZ+idiT4s4PDpOo34QK756nzTtyWGjU0pIm6PIpz35i4djMkUoNpLq7bcVcKw==
-    client.gitea: AgAs4pl1bs8nqBsenxhMHhq9mtCcbjMZpNeTNyUrWSRzUkJx9uoiQJ+plJgQ/xHl7vDbslLxDPF8Rx6rEns+tDdbaIp9LU8YADHqMbctV2PB+pp4wTkWSUamquA6Khrrgr4xQxCbzthL9/2QQJOBBNJsIFcJDfyFZZm5lzsrzVZ+lCpWmnSH5YUpdVAHbjyOZw+Oi+tnO6Zg/8lxjKEf20SFVCAKDly/VK6j8SvT9jzisBHL+uoxZ58fyKd7C3KWVJegBIuT9pIvxXc0jg+t5ltcXQcHyZfmk4mH8nWN96KWDTe42IRA6EGyxiruppAzQoKuNKisUj7grqsE3YbCmq3g4/Mp43FUlz0gqOmI4pwaV8BckVbyMNEyMxKGar6ymz5nWit5hX86U1jmvMrUcKsROJlm7DsyC258PgLwFspnbBhTEN7fJ7iEsTR4PdGPUTQ9rH3F42t3aYe3kCXXNz1wovwKmSt5Ex5S7UenVKfuZ2HvsAuZ+nZYW7zgVW9kf1PLz5jE5NYoieatmdk2O7gBUcXQBNqVwgvCmuiJbyv6jIz+Cyn753tOSZRqgrGH1i8B7EUzKsaQJcTTc+SZY7HVw9ohilirC4vrgSx9amYMCGxkOKhBEPVYSRN4N+Yt1A+ZsmiToAsotiQ4uzYY+UXQ3hAuiPzP7vJXDHAdPQZASwI4UdiMa26d3f/FqJJthnFnkg9GFvD4T2dqduepYsnxqN9t3IDYgQYba0vAIzmdmZW8UlyBise9yb5RfsJRmwvxG7yykRAoM+j2Fs070kBCF+ohTg9pWOEmry7HNu+fvMyUMKja7Bjm3gE+MAjgXquoILIW+ZeZud15yb0NkV4LQ78K/8YuYiGXC3aD+hv5IJmJjQ==
+    client.grafana: AgAtsKa6TPkGYqT3BcmbKnOnKG4xNd4N7tv7Vt81rh10KupR5z9c12y78uyKQZMyWb7PDDi58nIeWzTmtVmoSl06D8NCOfYrlbZQEl+NJsePX/kiwmlOnOrLBQ89uHHdlU7MCBPVDZNPY88xzkZg0pPnWYlKuvtNpV0Uq03gUosM5kV6zF10LRM4Twhpw9su5mDkwzyrALB0eALkmcktDpbayr0b0ZnK1X1HYuG9/GRTfa4uE5Jqbl+h3wV8cqUHt5drCVu3yGEP8palqTWh3LZoVFddDZ6EjX98FNGorpgvXzQrSwR3DHEovhER77MFgJu5vvVecgygPMHpQETb7VPpCoiY8WwjcJMElcFbVFgeih3mMxe0vgkf4AmyNmHvV52QT01+a2UJfwb2l7J+BJQS2qRLWX22eUJ3jWthFZp1bHxrgrizaqLmuR0WCabiWClS6+w5ecuuEnjZKhnNgGViUTZEo9r4Y+Hq34DbpSbQCPD+KFwjSy38cu585wHnMJHbmP4tVH0+zAA4sNzlcO+Dt2bqNZ5bIl+pq1y8qP6sABiRIxvHOhnXSHFhRQzUqrO7D/0WEHzsHNR/FyuJJ8gsE/ZS3gmMq1qaYAdLWanNPtJtcZxk03ZTGRmx+TRnoeTdGniyROACL2e78MX6gszjCpjIQWJOh/gDmMtO/r/0wu+OFUlKm6ynpm9hwjTfVXIAxVGQZP0GNzhxWekkB31og/XUHDDSARhfqozor5Og9vznx6t0wtOOzMXt0M6P7w7+kIEfLHSroKgY0D8QlXNmBQf1Aub7j6NjyF8xdQtxMhGmwbQ6AC4H8jUdzRy+zPCck70dA3hSwS9aaxDy+xD4zWAmZAzjAQS2lRbbdxpxh8L97A==
-    client.grafana: AgBemPXmz04WdYAS9DerbbkoriqYiFwvvZfNYdfXo9eMwMGBnO17jTwlsKx5Vq+dB0UVqm16HutV41bB3BAtp8cSeFw0kivMdzVC2I0ZZ+bDWNzEKhCSdcH01THvvuoaeNWYusPuS8/cjbk/I551Im3EMSkryVjrErgvV5barf7Ox8+z5pSob+LfGGs0JJL5kOawGYEdjj3PGrYo/X0zA6EculcVyFiUJGf8ueQMshoTfUEUc0sR0LA+/ZN6LHG1ZjQ/Q6H8firrogf7luJ7Hp3S7vc/WFI3L1aE5E+u/tlDo6AelIgha+3lWtQXwwTiiiWRoxRDxU5pfJ5lUwHY9dxWefRNpQaNDZdthykLV2MZp9RW4Vfq8sZ7AnnSVQVH0wtsZLQG/m5EDb/mbBAnxLVZOFntyVtKQZ5UnMPbs0G/7tD0alkVBBR8iE4S+QMyUq9QVkGU6Tso3W1VrUdz8UfKIXGaf2eyeOzqNqXM81uYpRw4Tmv0XrDPrQ2QZ5ASd1VAnHxu9NoNOj4FEGvIJb9PaZAOHwYV8VW00uoqWYuabbo1T4uSAKijsf4ekdCvCfkBzcJsF3r8FWHbsCKcCLYp1mm7bQS5YUfa3FRWGQGbZvHI1SYrCTJzB2eZvTieIRts25CsQrBu4OOQGEpaUBLLOSaKi9Aa4yN01vOpxCcBtDdz9MdcNFFpt5hvHBTOef/lBvXOtLF1NGuFqczhpptfAM0zKqqdoYNs0d15vErdTaaUYliaW1xj01XJYwB6L4JM+YQZaOIfMv0APGzylcM+h9jCfQa2k5Kkgmz6RJoupdknddiji7LfZsmSSegE5a1DGrME7QDXa5hJ5OjSw7+5FIByaTcRBwpusr4mY0Q4q0DAdw==
+    client.linkding: AgCUlf4WAphijd9Oy2x+WRZv28o5alDpfF9hiro8y/99jZb79HbODkS+Z48mFRypMmu6nsAp4NJmaM5Tc0kOXCfoqAkcw6AQ+noalSCzGpH+laPYRnvD4ccVbJlePIeQlnQZTipSTcNgoCvocIfi/5sgKFv22VKEyYuOEmZ3VfQ96CIbyitbyApw0JHi5x1kanw2QFE3dmumnNG075zQ/aJYucM4lrpDY8P2YhAbLNaJx5dB7SCeGoVvviDtuZFHskLFIIzV0fjBIhX6b6vfRgT4IQpaBTpEZcQ+tLLrEcL4jAPWzooDmpgCU0l1wg0Xf3FmV8aBpzs9oicvQauLVgKF8ouBMoECjB82sLAuI1pBUbOKOjxCnFTnL6kGbOZm77maddJ837Bd5BOO2spAhUYfQCuPg98ZyiNFSCKzf1XX7mDY1xeV3S6KizpULc1fimKoQL4EImKYWLI7GVnKUGvS2V8WVTQu/ZuPCTfpg+OSO0YOc3eZPqQ5immSK0Azt/PvHcoxiNYHajI7Jy3OvF6Fhv7HN/prHZJZMARRnMTgpPjvp5ZE+xA+F2FURllLtmNF3c3i8s4pM6xi0GSBsYWc03WNIk7aY1oENg4aEufOHnknuX8GiGQqdnKPPUuhiTK4k5iyqk7Lo9ntdu+WJQllUoNe6s9kSRua78wyYb684nKNfAFbyYXUW6oiWD6eYCSgyCj8xAGdBv41/Lz1jpUgSetvoHcDPjh/mDjGWRAgg1hqaIr++DRuFW7mEaXthoGsu3pM6JxVzge/mEfs/DM/vn5GEIFvSGuC3Nn9IGcyqeVWcTtlRh5AfTe1tNlohkYkNr96Fe+j/7MJLWgc59th8FEH2F5ygbPg9ay6c1rGjSYD2Q==
-    client.kitchenowl: AgA9v0zIBn//VmvUgu4yLhALCWP7Wiu0Q4lPgrqXOIoLYdAX1jh+7cpI4oIKak+MBtCfxnd+os5xFEG0Mvg8qs6/RxgoCFcEyzjHfU65sNol0/x8ZTXQSHLpyZxy85fK4oKaHyvolDW3nnpoy2nrw+NJvwQTPquqVzCMswAE37MoNiU64OXyJU1VJFDo9VNwzzxhz02xczEk5Gh/LeVDPk+EPKzXupct0BM4GN3PZnbsvO/46i8alem7D9JIPvB7+tWzmXnXKoQ+3os6Xbwqu4wDH1cJZYFd/VOXQWk3badO3QYlewF0qEbSLLxXnvdJbR3JaA6IMiZJQUDTypZ5Z84phdAzG9v+e7DGlr4bHPEGV3DZPWCg2rWHjleDuCNJlIQP+9Di/piiTRe6rsz9lI1oncYCVPwjxtS2tpKZO6HJ7mMiENivsRLpAq1xiclCbQ6UERpBb+fmTv8a6GCIer6GzhaioN/MLthaMRuIGTjKlwaeC5EPswY5Cj5pYWXB6xhGRjTtvMyKEtWt8VbOtgESkgq0ES0yYuP37ZcKWWJjTiVii4JR1JVW8hdmXxzw8iQ6eq27fi7fyEJhIDoozwvorohqktlzqGCnIXiUN/gUgFQiMdOSHYVh8BrFCq6MbXDq1AxnoKov2h5YBlj2FqrubVpLWIJWBp+xbTDNIFkIpmzOE8uKigeCAyMxeqEd/SLylDl/2wD4XiaMVXpUucGkWW3asNvYjXTUbxHHL610ricaaYS/0adK4YLUpgr+1jE5gNKwA5j3DliDuVZSNpppzdCvWD3vr2kTOvnJhH8IyGNAs5CZmsYNtd2VKoHHhPFXnO8iU2XT3DP6qez9vN4SCPkwhlyH7NaqMhxiYnYkcLXBIw==
+    client.paperless: AgBJXjDVqEubR+5He9KVfmfHV4cH5DLtiLmBil5srrUTTlJpjBtD0OBA0Rj4qpZjrOHal/p0nfGQkgtvOmj5NWbplktEjmX4z7uRT8zjatK6zTjDHW2x2x9T7V0LCBQwkPtboBuxQ6tSc9yQQr15Ru6rT0BgvgDd5rOubnQQjK9AjxUe0VKeW0nGnZI0Zh9zIOiW+Yt6AFzheYgAfF4dsbBe1hTq7N4L2JK147YLI50GqFCL+vGYpz7MxcU3AzDi4eEP1ZmLga79eGvMelUSR4d1l3k6fjFQ8mCPPQ+PkMoWuu8FZ8pT0F+qdb2jB7GCqPedBmuzJNT127mqWMJN929n5j/towZjI9IDd+q3YXlfMEWSY74r8x/GUGSq8mB0/kS+iLyC+p6Rmu/aaW7GNkwZNtcuQkI346JBOnUSa0bT/ElXDNnRxxHGPCNQshrv3wTVoKgN7wxkVVXbX/MdXPE9NqWNRQK42TdROXpjWa/FVklraQ30XPy/SHBENbhXvmqlzrbMWmK9/auBKDB1tmLASUcO4iObOSFPUdQrj+pJ4oQFN1nlyX06i/X8ECENov2jwfpf5tW0sWoYVSPWuZOIOk2wEF3HXnzCtv/f41vMixtqhpWPRvasJ4UejsuatHaYNRj7uD2FjbpYItvT4QA0xepIR97jVWqc6bsN23AFUJIHJ+twOYpNIQJqJ+mx/g6Yzt7YOTM7X2VJO6dKwBhuXx3cRigU4nadZoTELT+Wh8i6n1lA/kD0+A3OuMjwuTrvutDTOHH5RjDwRWRw3m6LohWfdQIVvEkAM0RwwvcC9Yu9W0PH5ZpUGw3zpiqzgydtxTXEwi1IGS2rUKkdhkoShKJ/ODMZjjRxRX0H4zkelPUDGg==
-    client.linkding: AgCeuXqdo0hFi0fsV+Lu6D5nPwOj4CuqrwIEZwlIubWi9/IOsXIOgJlMAH69yLymd0yXnA36hJU2/s7sXVj7bwpahNZXqAVFhfUCjP2ab95VXpawPFg7PpnjEPlODCkDnFffOf6DqYHQ5XRWfq0fTah+I18BkZWAbhCYD9qeYMRu/juluqiExP2yi63D2l5uDJpnM9QxxzH66toqPCqvFQ1tVWGEpNh4O6k4qB+t/1vj6DBcawbjVLINoiUahHgaHmkOzidZEo2shrBrLMZu/pUcR1sSjXCMHpcbSZC6zQUFkiDQ+K+cOrz7XE/vam6oYdwf/ks+kowWDKGDAyT6k0rRU3E0tW+PDRa61ffF7c9lWQDtqNUFJL5GhB2QcG58w1lWS97vdPdHNqOIrgBM8SUGaevshwl2HLsV7q5xRidgI9m3Z+OKwCaszC0HDQD7rRCwOhutvh9IP/FR1G2NhsWscjXocM9Sf2vMLiZU2RDVx281jc/EqgeMZ958O7LLR2ZfhDOBra+N0UZlhQfFdwCMSgyPpJ5HjAPia2ecON1LHi4XPqxMEEpMxtirSNSwrcvoM8OgxcOeYpdEX96TuZxtPiKjboy8h1WBMS3QD6b5F7C7LTrHu/BlluZigA4dfDEtn95XsHS7w4lGgWy9ukCRhXdjDQo/FAekFsGSuDDyBp7ecK1bpkvXaZBiaRVjq6eV7293rZdNzsk1kzhoIg67KFzBrDx1wofvJWTN6+pQOCD+f4LEvo0cL6YqWmDSW6SnfZV9/NaBq6B61YUwOACXVhAkZ9VVAN76RPl+KHth3FNTXvStjxnHfj0SMuPByemwG1MZ2SrZ6phcIQz8TJb8TS5l/fmaDH/QfLSFvvHv5gKi1Q==
+    client.recipes: AgCK/GYJr88kUCQ00YtksasTKChbCvSxxaIAa+08Xzgn2eRLmw0quTgqHS5yQrdj6SHNsI+tZifmUkfHXjDSP7SShhg4fe6T+r/AzZmYb6xFwvZGHF5nSmX5Xy94Lla/x0rOOTuk42kV6g6KJYD91VTLOYGMD0IjdZkI2NMFwXN0UIqOZD6SGhKav4WwZRk0GxjFwwW32NZH3+O1aqTCdBYsMzNFAJyur/Wj7ZpeFXZ0fdBHF+gk/RYOhIzGuoUJN9qeh1m/miT032jcapF2/bYGakufAl6gGtA13ssYcXqRZxqrOTHzvIo+/TULlXL5KJxA8cyTj696YsIc2svugvyrvJmHghZ3y1uVU7V7OjxRLTni8pO4boq11TTkiWdkDdSWmXm9lyXrTrHYstHs/KfdOxgshOXNktME0HOFsXdCJCD/dBRd8+Csqb+Xo4hy+m5ROIP1QP0lJeMId+yWL15xEb0CiEBw6LVLhtO3aZ1mYxJBwcjvBTllLhU1y3z8Ah0fOvcOdBx8ncRIn+tmVCgjJXwm5eBIku/74ubvR1avAB/C0qX1zQnWRWvmaE6/k58RlUrQHFWFI9OvJUSNushlUus6roEux7suZ6uhXJFfB8hM8okbIMuNJA99HdA9BHRr0ieoZALbQ5HZf/zFbKhGYYX3HcyExUgv6lxvwxlYJJfXtMPic3p4iPq3f3aLMyco8pDECKvoVlyAgU6RoCp2RDZeJ/bwaL2farGTy3HXHpw0jy6/6dZuQCD457v6a3f+eLBDbubaGXJsGF1msRyChdcc0JU2niKwKd454WJoWBLn3LVIsthtCLT5ZBY3yfttdjLUmocyPcYFy03LA1ogOztKjvXf0FjcofdcpIrfWenV3w==
-    client.paperless: AgDVOPvaQwEd8qrzFj3NTcGW6luSiSwGLmQOGiKps7DNZYiIn4FBdII1I+J78h+B4wmZ3LnLrju8YAZ3s7G3aTvV+YJHxMhlAc7rO0wkq/IUeDzGb/AM4POusm58T2o0a8zD3z4C+iHYuE/gjT+lquUKxgKP4IYPXM6Ni7lhmewJ5PCyoznoTeYnRVwjsZomip37M8/h4hOID19HZpPWMGMXtMTWrNzgmbeiVFRTqIgqqKMnASuMfeauxfCl2u+C3OvaYxgIRyP4BNzmU7itFTcOgmaFd40V0RkaALFBiU82ot1L46FZSMeqIEjprvTIdCSlNITFweYvoYhNSA0+/kUAy21uyJFqnoFW6COT9RfHFgGvi13lk++ZrPJKIMGhK29z3dC5HsEf3Rb0W+BQ6yNFEc+LTL2/ejxZwTtymzkXftVj6U9xa+BjDjgXk45H3ZAy0uWfQnm2RGBTYN7+MEccRpYp3aMh73jH1aBQIPt0lQTwmbc5rh9pTdqu1/c3NDS6OO3H2cx/AIbyPTq0pdX9w61UHVbR+E9I25wrjqJeZIRe66MerlngFxiPJKygEnuN1Nz+1feECQoq59P4FbykI51NZO64gK647QhEsbMN1nCmKFOLcT96Rjf1JQruhgoO0ljhAB8JRK3oEBIfjJtJIC+gtFaPzgldr0spr7Q7+rmgkNJIggwMSlr+/UXycB5a58cIhS0cuAUm/UOLKCIQ3xjE9OuUdQA5J2eaO/54GSLCnSdOYuiXzEQuV2VRWST+RhRmVnSqugF6d/xWfkC/ahsXo1o8ZIWFabNaHQzYmofRybK0LNc/rN0t6z2Lv0aWdGlm32eyAcUfUIMsuSKK+rDozgAmXQdz4QEghWQm5Sz3Jw==
+    client.todos: AgBSbi/vsGzl/L2/BAWefZZNySo9TEHHUlf/ilCgcQcPm53wmd5gFJUyVhjOheN1AUdiLw5UpeITig/A8UID4B/4UOfDeSfwLYUvPgTP/5OxtxjoonWkrR2YGjPmtdBd9WZJVZcjb1YABuXew3SoVfuObw4F8uAn3iojxrScaO7J+vUZSNUE2fbd8kJ0064v/Huoan0PheFbRFqSVcDKVg62byh5LIGVtmcwdcWz1v3aYIRRB04TyyHAlmihv8/N3ppTrz5HR98Q8WHOrORIF4liS1c80swAUeFNFuDHjxbN9yphF3Z7taoBSwSdqNgEWjAr5tnFVRO7A3VmbuMsM5y9ryitbPqPijB1GIqqwLz1Ucn+KF7eK8kdhyZWidrBVWCQ8E2EEQELcJnotZd49M7y505LDsZgl8drqPoXoUW2HdPXcZzNqaGrc1DNhEK1aUHtuE4jBwPNVjEV8D2cQ1mm/rzF1YPyUPQ+TvqXgLvPQx0tZU7vSVBEQDAK+bj3hkgivPPM67iiSt3rrX8Egp53Hg11jzIE1al/Zlfja14broOL9yCc0dUVMpOXrT71t7RjYiPNg8CsK4GM2nopGN4IzMhP/sFzSSlwq5YoDxV/mysAGLRBzL615Gv3QRNAubQocnPj4iOCMvpIZdDuBTmCrUzPEzppwbb+JHnNoFOYQBdJEImLicnsGAiAW4Jzns0kElCpCl7wp9b+GCoqmGpzkg6Vk/LU8UGVDCnhuXmtNA7EbT04jb9SxRXIUl4/fmpzQWAC5HGfoSoO1M4LKp46sS7es2Ts+ggXrGJhAYiDnX/EJxkl4OWzhJ4SFiLVbeqcIIIYslQkz4KP+haPvbjY419zEDDp1P/lBPtJp6Dj81B7xw==
    client.recipes: AgBn5K5p5Nq5D9ishKI04kDR5uCvKuy4DN3vHuFwP2j3tWqrfJ9YfWGUBL4oE1Mod4071habqZaoP7nIHCWv8eoMwke9G2qFfJ7VZi0ezXeY1aTXDxn2qnPNf4MXYIVfbD5ZSU0nVPOETuJ2vsHg1R/pnfjMU1Ha9L/67ZnDsqona4259zCF5AfCV/kVsZWslAV8YrxDSlCobm2Vw202Me6CV6rFon6HmkZlO7on7LYfBL2tCHr4N1A1EOvVvF0Ua6vDexOJ0sGVjQWADEXy31H1a3c9lDizb1xqvCIcKXAYNKKGxiNrLh7TlWsK6dUX7OLUw/uDTryKwtwOl/GYfYJEX2wy3pK9PNWjjOUrpv4VoaGOKmObXQ/pIafI27r8WPTvPvm71YgUcsi1D+71a/iMWy7tXbHpvEB13qwn6/2zUSGcuGlaC8P91jRVi6xtnTg2XcvcgjeT4bTnpAEOYUZKBLqIP9qmLvxxsuVrvQoMisylYIyJzAAE+JJSYj019dP6JKgBKV6u6rPW7AkoT3Wsxkr8bwcvNSigW3c+PtbU8fvws8VY1HHTviNOflEwZePfGw+CfroS9y7hEQH2stNHaZ+5zXwjQ9+FLH4BlzbggavfL+AYY7zE5eOrL2WrD7c/1qMcDD4rxwrNwsz3mqZ9GXpe6PCxxU/W0RtLqMERx54b17ILC4Jq++XxzDyGZdUAzA8vYLhxQo/wgeWn7df6CVOM3acWbHeLAmPBM5FWKmEC1OShpzI/LmYFbLkosaAeLOWACeyl67GIwR573juRcr/6ITuUOgGXSdR5jMiqVT9Gu7x7pDkNJN+8Q4oAXITtfEaqb23M5KhtZuaZAWZgsdRpDTgPQNB2u4sBSYQluXsR3w==
    client.todos: AgDYtDtvcP0MXbzE60kLauD8piAsfJwSDNWexsFQyezMc9vEtq8UGza198mE59eNGeUgm8crZBqlfBbKCY2luB1dq+GrkTkZHCXztR2nKTxt0X0B7LJV4DVYwlNuji7HMJ/XR/ynfjVbGi4rtoZ7MXJYOhxoLPDCt7umwG2jIMhbmuBMf8q1EpUmgFtUxTNY7i5JQAvmlCp8rgdwdAePSHCeTS4KdPTyvaj3zN/EJSX7lnc1m1D11Xld8klBsde+zrdPjm+UJQFqKu2pHXMdM19G8tqSijNcCuCGkhjQkOrMv8VhudPs6kR2whPOXtSmr9X6gNXgZ024o79fz4hBlx47MrriVW4Th2f43Q5ISJ1KoXYgjXHMF5Dt0+C1ej/0x5DBokUapNAjBZsKEe1fBI2h52G+IFpvxMAHh6T2nIHPRaYGCznxuPeqWErachhQT5QXOI/7DBCO1h/GJo9KJ5UfkMTT6Qzis1RjU/t6cbXO2PoKrFPOjqYRcTIAQFUp7ylJ4Ep85gRidd0NONfc82y+LUZAwbzYTZ3ipckirsihFBW2IMjRD46+3LT9CzdJscr/kYPA7zbTrxxMPqPiDSKAyK3LPRm25u6cKQD8vM3+n6S5gYI2svlogR0zCcJiW8+8rIPk0kUzITioSYFUP6jXvuYNfdmq2VJPk5SNK9grMG/RM3Y4XDnWuMR8lUl3oA9/HMCviVzbJwgjSQNO4n1qsLIvuDr40KWSfaKH/UCm5zaf9jIDXzXRsXeHtSHsPfr+cN3WgsP35Do1CgHPzB0tihCfesFPAk5Jt0keg77G0O76rJsq0c4u0a4vtcSk4i40wVnb1wr+GUKXweR53LdJ7j6X/MFUs4KB4s1M4A9a0J0t9A==
    client.vaultwarden: AgC5Gimoj3+qhKQuDijPFX1niOpCx6b4MUHgRttOPKFYz19HgFzsbkuPiCcA0AsnaGSwS2wwOTv29ywpGeFzjGRk0vBUGYX6aCbGIkjs7GRvmIovLs5uHcgPsoRp1OOAH7eDdFGGSpQN+4312pLoKKmjp9cwFIAHaAs5IavCXIv8/Fk6h2sLslHqoO0LVP24qkilqV22IxRSV5mKxg1A5FW2mDUxWwSkditJYoQ89Bze6GbI6xIHHo6NZD5uaBzf7kGZyUPz77zFPTfBatmjJpVkqdvvBnCQF65qrZAXy5Rw1trYyEgGMM0vFaBm2R9YWrLfv7w1nhNNP/Gq0/XwDrz/KywMXujjp8jbOKUJmN02RJrinYYSV8Z3AXZ80V3pgVsCjPLnaY7LHa+l+f45RW3A7B1e58qUEeb/wCPXRP0ng72gIcbX7rTl926XrzK6d2Bkw0scKIIXoYYAtJ+AbzfKJCx4FsoUxTlXslhO+HAT3aM5ofwR/dgUnbQKRnTjGa9R7FwpUOLizxfZYcjUTDT3+Bgjx1eiShxveVD+v6JjjPvmWn370J/1t8CnxL4l7ylXj9YsL+4z2j/s9xNsN1HiuETBYQcZXw9kgcXaEhLRnIsbwpsa5Hw4PODujPUkwkc+VN34V1BNq891h1JvxHq57SAKf36cLosybHTIWaIRaLktgAdntj7/5vmQGtjnEvekXk6f82CEzEaOJvqE8jV62Q1KYiOjKi1r5dXmZ3xqwsh9nuluC+YBVhbI3fxKJ/xkKiMhpkF7S9JHIOCFuyAAqf/IS08fC+Rm51U2ImECeoTiyhKAm5q+Vco81IjzRnwiBHj02Zug4FIX7n8qgWLEr/f5643y3fkCpo5uY9TSQ/HK3Q==
  template:
    metadata:
      creationTimestamp: null
--- a/infrastructure/authelia/authelia.values.yaml
+++ b/infrastructure/authelia/authelia.values.yaml
@@ -12,7 +12,7 @@ pod:
 ## Authelia Config Map Generator
 ##
 configMap:
-  key: 'configuration.yaml'
+  key: 'configuration.yml'
  # include sub-maps wich OVERRIDE the values generated by the helm chart
  extraConfigs:
    - /secrets/authelia-smtp/smtp.yml
@@ -75,7 +75,11 @@ configMap:
    local:
      enabled: true
-      path: /config/db.sqlite3
+      file: /config/db.sqlite3
  # notifier:
  # notifier is configured via the smtp secret and merged by authelia upon startup
  identity_validation:
@@ -105,7 +109,7 @@ configMap:
      cors:
        allowed_origins_from_client_redirect_uris: true
-
+      
      clients:
        - client_id: 'grafana'
          client_name: 'Grafana'
@@ -122,12 +126,8 @@ configMap:
            - 'profile'
            - 'groups'
            - 'email'
-          response_types:
+          userinfo_signed_response_alg: 'none'
-            - 'code'
+          token_endpoint_auth_method: 'client_secret_post'
          grant_types:
            - 'authorization_code'
          access_token_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'recipes'
          client_name: 'Recipes'
@@ -227,68 +227,6 @@ configMap:
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'kitchenowl'
          client_name: 'KitchenOwl'
          client_secret:
            path: '/secrets/authelia-oidc/client.kitchenowl'
          public: false
          token_endpoint_auth_method: 'client_secret_post'
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://kitchen.kluster.moll.re/signin/redirect'
            - kitchenowl:/signin/redirect
            # mobile app as well
          scopes:
            - openid
            - email
            - profile
        - client_id: 'actualbudget'
          client_name: 'Actual Budget'
          client_secret:
            path: '/secrets/authelia-oidc/client.actualbudget'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: false
          pkce_challenge_method: ''
          redirect_uris:
            - 'https://actualbudget.kluster.moll.re/openid/callback'
          scopes:
            - 'openid'
            - 'profile'
            - 'groups'
            - 'email'
          response_types:
            - 'code'
          grant_types:
            - 'authorization_code'
          access_token_signed_response_alg: 'none'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
        - client_id: 'vaultwarden'
          client_name: 'VaultWarden'
          client_secret:
            path: '/secrets/authelia-oidc/client.vaultwarden'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: false
          pkce_challenge_method: ''
          redirect_uris:
            - 'https://passwords.kluster.moll.re/identity/connect/oidc-signin'
          scopes:
            - 'openid'
            - 'profile'
            - 'groups'
            - 'email'
          response_types:
            - 'code'
          grant_types:
            - 'authorization_code'
          access_token_signed_response_alg: 'none'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
  # notifier
  # is set through a secret
 persistence:
--- a/infrastructure/authelia/kustomization.yaml
+++ b/infrastructure/authelia/kustomization.yaml
@@ -27,6 +27,6 @@ images:
 helmCharts:
  - name: authelia
    releaseName: authelia
-    version: 0.10.47
+    version: 0.9.14
    repo: https://charts.authelia.com
    valuesFile: authelia.values.yaml
--- a/infrastructure/external-dns/cronjob.yaml
+++ b/infrastructure/external-dns/cronjob.yaml
@@ -9,15 +9,55 @@ spec:
  jobTemplate:
    spec:
      backoffLimit: 0
      template:
        spec:
          initContainers:
            - name: git
              image: git
              command: ["git"]
              args:
                - clone
                - https://git.kluster.moll.re/remoll/dns.git
                - /etc/octodns
              volumeMounts:
                - name: octodns-config
                  mountPath: /etc/octodns
          containers:
-            - name: dns
+            - name: octodns
-              image: dns
+              image: octodns
              env:
                # - name: CLOUDFLARE_ACCOUNT_ID
                #   valueFrom:
                #     secretKeyRef:
                #       name: cloudflare-api
                #       key: CLOUDFLARE_ACCOUNT_ID
                - name: CLOUDFLARE_TOKEN
                  valueFrom:
                    secretKeyRef:
                      name: cloudflare-api
                      key: CLOUDFLARE_TOKEN
                # - name: CLOUDFLARE_EMAIL
                #   valueFrom:
                #     secretKeyRef:
                #       name: cloudflare-api
                #       key: CLOUDFLARE_EMAIL
              command: ["/bin/sh", "-c"]
              args:
                - >-
                  cd /etc/octodns
                  &&
                  pip install -r ./requirements.txt
                  &&
                  octodns-sync --config-file ./config.yaml --doit
                  &&
                  echo "done..."
              volumeMounts:
                - name: octodns-config
                  mountPath: /etc/octodns
          volumes:
          - name: octodns-config
            emptyDir: {}
          restartPolicy: Never
--- a/infrastructure/external-dns/kustomization.yaml
+++ b/infrastructure/external-dns/kustomization.yaml
@@ -9,6 +9,10 @@ resources:
  - cronjob.yaml
 images:
-  - name: dns
+  - name: octodns
-    newName: git.kluster.moll.re/remoll/dns
+    newName: octodns/octodns # has all plugins
-    newTag: 0.0.2-build.100
+    newTag: "2024.09"
  - name: git
    newName: alpine/git
    newTag: "v2.47.1"
--- a/infrastructure/external-dns/renovate.json
+++ b/infrastructure/external-dns/renovate.json
@@ -1,15 +0,0 @@
 {
  "hostRules": [
    {
      "hostType": "docker",
      "matchHost": "git.kluster.moll.re"
    }
  ],
  "packageRules": [
    {
      "matchDatasources": ["docker"],
      "matchPackageNames": ["git.kluster.moll.re/remoll/dns"],
      "versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-build.(?<build>\\d+)$"
    }
  ]
 }
--- a/infrastructure/gitea/gitea.values.yaml
+++ b/infrastructure/gitea/gitea.values.yaml
@@ -59,8 +59,7 @@ ingress:
 resources:
  limits:
    cpu: 1
-    memory: 5Gi
+    memory: 1Gi
    # high memory should be allowed to handle package uploads
  requests:
    cpu: 100m
    memory: 128Mi
@@ -170,7 +169,5 @@ postgresql:
  enabled: false
 postgresql-ha:
  enabled: false
-valkey:
+redis-cluster:
  enabled: false
 valkey-cluster:
  enabled: false
--- a/infrastructure/gitea/kustomization.yaml
+++ b/infrastructure/gitea/kustomization.yaml
@@ -23,6 +23,6 @@ helmCharts:
  - name: gitea
    namespace: gitea # needs to be set explicitly for svc to be referenced correctly
    releaseName: gitea
-    version: 12.4.0
+    version: 10.6.0
    valuesFile: gitea.values.yaml
    repo: https://dl.gitea.io/charts/
--- a/infrastructure/metallb-system/ipaddresspool.yaml
+++ b/infrastructure/metallb-system/ipaddresspool.yaml
@@ -2,6 +2,7 @@ apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
  name: default
  namespace: metallb-system
 spec:
  addresses:
    - 192.168.3.0/24
@@ -9,8 +10,5 @@ spec:
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
 metadata:
-  name: default
+  name: empty
-# selector is left empty on purpose to match all IPAddressPools
+  namespace: metallb-system
 # spec:
 #   ipAddressPools:
 #   - default
--- a/infrastructure/metallb-system/kustomization.yaml
+++ b/infrastructure/metallb-system/kustomization.yaml
@@ -1,12 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - ipaddresspool.yaml
 namespace: metallb-system
 resources:
  # - namespace.yaml
  # namespace is already included in the remote kustomization
  # - github.com/metallb/metallb/config/native?ref=v0.15.2
  - github.com/metallb/metallb/config/frr?ref=v0.15.2
  - ipaddresspool.yaml
 helmCharts:
  - name: metallb
    repo: https://metallb.github.io/metallb
    version: 0.14.8
    releaseName: metallb
    valuesFile: values.yaml
--- a/infrastructure/metallb-system/namespace.yaml
+++ b/infrastructure/metallb-system/namespace.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: metallb-system
+  name: placeholder
-  # labels:
+  labels:
-    # pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce: privileged 
--- a/infrastructure/monitoring/kustomization.yaml
+++ b/infrastructure/monitoring/kustomization.yaml
@@ -1,33 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: monitoring
 resources: 
  - namespace.yaml
  # prometheus-operator crds
  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.86.1
  # single prometheus instance with a thanos sidecar
  - prometheus.yaml
  - thanos-store.statefulset.yaml
  - thanos-query.deployment.yaml
  - thanos-objstore-config.sealedsecret.yaml
 images:
  - name: thanos
    newName: quay.io/thanos/thanos
    newTag: v0.39.2
 helmCharts:
  - name: loki
    releaseName: loki
    repo: https://grafana.github.io/helm-charts
    version: 6.45.2
    valuesFile: loki.values.yaml
  - name: prometheus-node-exporter
    releaseName: prometheus-node-exporter
    repo: https://prometheus-community.github.io/helm-charts
    version: 4.49.1
    valuesFile: prometheus-node-exporter.values.yaml
--- a/infrastructure/monitoring/loki.values.yaml
+++ b/infrastructure/monitoring/loki.values.yaml
@@ -1,85 +0,0 @@
 loki:
  commonConfig:
    replication_factor: 1
  schemaConfig:
    configs:
      - from: "2024-04-01"
        store: tsdb
        object_store: filesystem
        schema: v13
        index:
          prefix: loki_index_
          period: 24h
  auth_enabled: false
  pattern_ingester:
    enabled: true
  limits_config:
    allow_structured_metadata: true
    volume_enabled: true
    retention_period: 672h # 28 days retention
  ruler:
    enable_api: true
  storage:
    bucketNames:
      # don't care since we use the filesystem
      chunks: NOTUSED
      ruler: NOTUSED
      admin: NOTUSED
    type: filesystem
    filesystem:
      chunks_directory: /var/loki/chunks
      rules_directory: /var/loki/rules
 minio:
  enabled: false
 deploymentMode: SingleBinary
 singleBinary:
  replicas: 1
  persistence:
    # -- Enable StatefulSetAutoDeletePVC feature
    enableStatefulSetAutoDeletePVC: true
    # -- Enable persistent disk
    enabled: true
    # -- Size of persistent disk
    size: 10Gi
    # -- Storage class to be used.
    # If defined, storageClassName: <storageClass>.
    # If set to "-", storageClassName: "", which disables dynamic provisioning.
    # If empty or set to null, no storageClassName spec is
    # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS, and OpenStack).
    storageClass: nfs-client
 # -- Section for configuring optional Helm test
 helm:
  enabled: false
 # Zero out replica counts of other deployment modes
 backend:
  replicas: 0
 read:
  replicas: 0
 write:
  replicas: 0
 ingester:
  replicas: 0
 querier:
  replicas: 0
 queryFrontend:
  replicas: 0
 queryScheduler:
  replicas: 0
 distributor:
  replicas: 0
 compactor:
  replicas: 0
 indexGateway:
  replicas: 0
 bloomCompactor:
  replicas: 0
 bloomGateway:
  replicas: 0
--- a/infrastructure/monitoring/namespace.yaml
+++ b/infrastructure/monitoring/namespace.yaml
@@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
  labels:
    pod-security.kubernetes.io/enforce: privileged 
--- a/infrastructure/monitoring/prometheus-node-exporter.values.yaml
+++ b/infrastructure/monitoring/prometheus-node-exporter.values.yaml
@@ -1,18 +0,0 @@
 prometheus:
  monitor:
    enabled: true
    jobLabel: "node-exporter"
    selectorOverride:
      app.kubernetes.io/name: prometheus-node-exporter
      app.kubernetes.io/part-of: prometheus-node-exporter
 resources:
  limits:
    cpu: 200m
    memory: 50Mi
  requests:
    cpu: 100m
    memory: 30Mi
--- a/infrastructure/monitoring/thanos-objstore-config.sealedsecret.yaml
+++ b/infrastructure/monitoring/thanos-objstore-config.sealedsecret.yaml
@@ -1,16 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: thanos-objstore-config
  namespace: monitoring
 spec:
  encryptedData:
    thanos.yaml: AgAqlul2V1idfgbWvq/0ljSFlxOOsQmwlGd+jRvDDyi1nlR8woHrp7lW6AxJ/8mBtb5htCuJzLgx+HVrN/EN+fRn5xG3D5+8xs4jWBOQ49MgLSAjJavFPcVY5xiBpGaw/N8aotlbfv6Wa2/+cmiAzVDPwnOj5zCS/EU58Tu2YFeVSbMUlu0NFAeyBW0DVT2enuVLToP4Ge4T0U9F99NHOh2zlVG82iI+4RxCu/WBkOU/urVleGwCYkcr/ItmXiwRXbwnWUtEUf28Q4ArpuZXFkKZUMoIwOjkXgOn/ySBLVvf0yy1+WOcYAIX9ouxu6i4T1GAZO9RnKeMJOIyebI3EOMA2dxQFpQg2/XhhHz2Ds2oDX/yr7vXbZJGyiCvTnnFUvFALKWIjRXXWphdqHDk6iP8tFIKVFsn7UxgMVFRcs6DmcMpBgFOcjpHr4HFZap5G9hI3cscmkNfwU+JOXkDEGRpZkkECza4wlQln8Wptq1qa+I+DSclqLOcvoEvNCJCIIgh5tINJ0KiZcrBvymUZZ9VduH4TFHR/UQK7M7It892TDNUlIp2UDWiuQ2DJysOJXmvSiNo8PGWSyDJwKJPhaWqXz9RUsb4D8gq/a+0qC7DOICrJEUj7WL8dwaKoQa32Cf+wopwrjFWSE7pAfiBJo+Dqa9jHIDv2hVsdU8NXqiFK35XHyUT4i0KWc+UZg4ObotGxYMvRtJuc3S7ZGTJ4YKDP5iThuNSuNd1pd1YjirpvVtL2o5BYh2i55F3DfVREofYpBCjK1e43mHOwEUYZ7Ff6p1+S0PXZnkL53xHMiiW3yr0v1g2ZYk7vzkENb9epzm24fNX/4ZiJdb0glEJmB674bgDSeh9PA5q8nJIKk6vsbrzfaAYWIn5Ai9MPbAVfg9pPkMyy9ydd+SqecujkWm++4dHqB1WJUg=
  template:
    metadata:
      creationTimestamp: null
      name: thanos-objstore-config
      namespace: monitoring
    type: Opaque
--- a/infrastructure/passwords/configmap.yaml
+++ b/infrastructure/passwords/configmap.yaml
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: config
 data:
  DOMAIN: "https://passwords.kluster.moll.re"
  SIGNUPS_ALLOWED: "false"
  INVITATIONS_ALLOWED: "true" # not sure about that?
  ADMIN_TOKEN: null # not set in order to disable the admin interface
  SHOW_PASSWORD_HINT: "false"
  SSO_ENABLED: "true"
  SSO_ONLY: "true" # disable email+Master password authentication
  SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION: "true"
  # remaining SSO_ variables are set in a secret
--- a/infrastructure/passwords/deployment.yaml
+++ b/infrastructure/passwords/deployment.yaml
@@ -1,40 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: passwords
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: passwords
  template:
    metadata:
      labels:
        app: passwords
    spec:
      containers:
        - name: passwords
          image: vaultwarden
          ports:
            - containerPort: 80
          envFrom:
            - configMapRef:
                name: config
            - secretRef:
                name: oidc-client-secret
            - secretRef:
                name: smtp-secret
          volumeMounts:
            - name: data
              mountPath: /data
          resources:
            requests:
              cpu: "100m"
              memory: "200Mi"
            limits:
              cpu: "2"
              memory: "4Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: vaultwarden-data
--- a/infrastructure/passwords/ingress.yaml
+++ b/infrastructure/passwords/ingress.yaml
@@ -1,17 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: passwords-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`passwords.kluster.moll.re`)
    kind: Rule
    services:
    - name: passwords-web
      port: 80
  tls:
    certResolver: default-tls
--- a/infrastructure/passwords/kustomization.yaml
+++ b/infrastructure/passwords/kustomization.yaml
@@ -1,18 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - pvc.yaml
  - configmap.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
  - oidc.sealedsecret.yaml
  - smtp.sealedsecret.yaml
 namespace: passwords
 images:
  - name: vaultwarden
    newName: vaultwarden/server
    newTag: testing # required for SSO support
--- a/infrastructure/passwords/namespace.yaml
+++ b/infrastructure/passwords/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/infrastructure/passwords/oidc.sealedsecret.yaml
+++ b/infrastructure/passwords/oidc.sealedsecret.yaml
@@ -1,18 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: oidc-client-secret
  namespace: passwords
 spec:
  encryptedData:
    SSO_AUTHORITY: AgCuaACGgTZhrOv5FDVbPIzVusjzvbwgrogCt1kZJsX7K3G1vCWZDRzPMJ06k0Ofb5Yvby/AcKx0UyPJwWDmhlk7geuYzG1G1pBk97fNTOzac7ZheCZ68LFshalT5F6dMJBSMTRz+uG3N+MztCyvCcKUxYUIkGbopf7is12FJhEIKNbrQe4C5H2SVHSIZ8udE4Nv2HqertLVKE9Z7CNmq4KV3UBAGqJEqBkITsN/qhgpHOjY1dQKK5myL89BYERQGBdoqKSUYJOZiEoINwj161QtG/H2Y9n6xlAVO4irsva/6m1BjA/7wfWAK8RJGX8N1e9axlxgIUH7HAA/bh+riLKvQea23NRqT9bsIOy+FRNEqTWXM4FiNxtmufi9gRHnLyQhrSQAB4Zuyzelsqn+aKDlCFGkE3NLuquychWly24pLtNa+9UPPOm0BZhbOzXOObXJOzbFIoBqxcKkwen3ca1YjyqOK1DryJevjczLVuWY+NprnjlH6BgdTyqPnI+FyXhLRa3nJCafkVfNaIJW8n1+P0hKiEwGVXiyU0fR40DaueBR8F8jr5MKlEFvdwJ8/IvkfMZUsccPVYIYw08Ama+vFrJidPvicM8gNpkqoU2TnSEEjBk0eX9jd6ahiwffE9s01uQFjcr6rNL+SiYXJCpp/Ti8v0iJ4C5ID9h0GS7v4IBOUYCGRYfWrYUlp3LFMB6Saq4a4DhTlxC3cORn0ini8dUPJLq0x8n1rzGt
    SSO_CLIENT_ID: AgB1oES4V0P53fkAch+aDkCHd6seVExYMGCU72H8Slky0j4FZ5LjtBpzGxro8sxxr/Ri2wEc1f+TC2hHWbdtUNwE3SwA0McPODS0nmmxPkSj1ZRHlVQtG9TkFdEHEeWJnECHX0y6hp/qbdYxF+2Pgz9YQtbdi8r49H2iwqfD/8/ojMzlvpdOJRdE+K/aYQ8Q08GBZCusLm8vCW+bDn6U9+aj72SCH0i91xoPWI6P9v96mcWOipK0COhYl32ypz5GLaNpyIhDccJvrAzVKZ0tGX01t6+JT2f0lZc2jjVosTk0nPhLTQdLYJC1TboPtqwzaRWwV/lm+St07cSaaxMT0CHqmoxwiqazNNgkgPzddOaduTpbid2I1rH/2jYKD8uY5UKTZYa+wxXF8KQBMCyRw2k1bdebvc20z53T0UtmRkquKXVq1WyOTZEH4bhqVapuMjyAF9vzR7Juga6lF9P68Er8lYr5MGeimslyRUVfrqdA4VTFO6sALHyrpkuYdHIwEi5ZlNb2pRzqaBFeQaaJYgiXPZMhcIRIfEOU8JQ5FWu++OzM75RF2YA1Ww70SZxHANn/K/ksyAqhZNgNFRm++6YQKfBI6z+N6ObjJPJE3J/WCHGCmVCQRa7lg73THqPXeqvfoSDgH8nTHamg8AshAKWxJuTD9mPXN4TqbxBuXuQBa9UGu/HNBMpYo2hHEHYIr42XZwScpo5qvo4RUQ==
    SSO_CLIENT_SECRET: AgBzGmskaj/eliwfsOzdRb1PdiSJC9vLr7CyCAqQ4QmxVXOSVbiJu39ud2alH+Rx8UZ51l5Wd9CkyizyVpD8AgREk8fpE8V0cRlDplj/OmGSJ5VtNyLLJko13PkPAB2scexapZ/PxZpJEkH5ONPvzvVKC8liUoz1XoEQEWAgDkSiRqgt1aVm4v1Fvl0Ift3eJtkWkU6xGrL7OwTnV/nCaNt6w7Fd/37uWYgosGvQivcy11/QoppgVARCWrFl9ZjjsimV5i2hfoRXvd+saUuMvRfD95+POB6+hRK0fvbnARXW0ePj7W9oWG9fAhSA7S/J0cnx3zFjpJ8QBvaHYXJ+rsDHsxlqRSFUVXgMGZ5cISTzIjPWaVRv5cU3WK0vEeT2gPHsebTX6JgguzT728rZA2r7BuMZF20f89GeV21iYksABWMC1MYwGfScBPHfyDqxhgc39wxZTdH5gz9/DhuHd5+0iLjwIwqsStqVu6W1SqpuFd0psfyVNFY0DkDS28gcliRPSNF0bJEA7QIsDl5NVAl1fXEG4QrJMQx6i5BTrfI6HDYW0nq3fT/fPlSipmbUf4OWQVTrEmot5UvFDowBemZNG2Z2+vgAE0bbnQKeqAifUr7KMUGf9bmj42r8x1TLiDAyI9h5iSU/y4WHLpzxg2GNgkLQ0mKcAJ/xHnaWNti/dr2pwzCSx2Apmvps8/AVuYP+unRxmlstYl1ko+esv4agfbg/43H2/dkNeA+5iQw=
  template:
    metadata:
      creationTimestamp: null
      name: oidc-client-secret
      namespace: passwords
    type: Opaque
--- a/infrastructure/passwords/pvc.yaml
+++ b/infrastructure/passwords/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: vaultwarden-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/Show More
+++ b/Show More