Update ghcr.io/advplyr/audiobookshelf Docker tag to v2.17.6

2024-12-30 12:01:37 +00:00
85 changed files with 708 additions and 1148 deletions
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # Kluster setup and IaaC using argoCD
-### Description
+### Initial setup
 #### Requirements:
 - A running k3s instance
 - `sealedsecrets` deployed
@@ -27,60 +27,21 @@ The app-of-apps will bootstrap a fully featured cluster with the following compo
    - immich
    - ...
-## Setup instructions
+#### Recap
-1. install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
+- install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
    ```bash
    kubectl apply -k infrastructure/sealedsecrets
    kubectl apply -f infrastructure/sealedsecrets/main.key
    kubectl delete pod -n kube-system -l name=sealed-secrets-controller
    ```
-1. install argocd and the app-of-apps bundled with it
+- install argocd
    ```bash
    kubectl apply -k infrastructure/argocd
    ```
 - wait...
 > NOTE: The argocd kustomization already mentions some CRDs available only after the full bootstrapping (traefik). You might have to apply the last step twice
 ### Adding an application
 todo
 ### Status
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=authelia-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/authelia-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=backup-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/backup-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=external-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/external-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=external-dns-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/external-dns-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=gitea-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/gitea-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=metallb-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/metallb-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=monitoring-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/monitoring-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=nfs-provisioner-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/nfs-provisioner-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=pg-ha-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/pg-ha-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=renovate-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/renovate-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=sealedsecrets-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/sealedsecrets-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=traefik-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/traefik-application)
 ---
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=adguard-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/adguard-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=audiobookshelf-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/audiobookshelf-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=code-server-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/code-server-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=files-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/files-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=finance-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/finance-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=grafana-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/grafana-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=homeassistant-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/homeassistant-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=immich-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/immich-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=kitchenowl-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/kitchenowl-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=linkding-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/linkding-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=media-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/media-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=minecraft-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/minecraft-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=ntfy-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/ntfy-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=paperless-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/paperless-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=recipes-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/recipes-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=rss-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/rss-application)
 ---
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=journal-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/journal-application)
 [![App Status](https://argocd.kluster.moll.re/api/badge?name=physics-application&revision=true&showAppName=true)](https://argocd.kluster.moll.re/applications/physics-application)
--- a/apps/adguard/configmap.yaml
+++ b/apps/adguard/configmap.yaml
@@ -27,10 +27,7 @@ data:
      ratelimit_whitelist: []
      refuse_any: true
      upstream_dns:
-        - tls://1.1.1.1
+        - https://dns10.quad9.net/dns-query
        - tls://dns.google
        - tls://p0.freedns.controld.com
        - tls://dns.quad9.net
      upstream_dns_file: ""
      bootstrap_dns:
        - 9.9.9.10
@@ -38,7 +35,8 @@ data:
        - 2620:fe::10
        - 2620:fe::fe:10
      fallback_dns: []
-      upstream_mode: load_balance
+      all_servers: false
      fastest_addr: false
      fastest_timeout: 1s
      allowed_clients: []
      disallowed_clients: []
@@ -74,8 +72,6 @@ data:
      dns64_prefixes: []
      serve_http3: false
      use_http3_upstreams: false
      serve_plain_dns: true
      hostsfile_enabled: true
    tls:
      enabled: false
      server_name: ""
@@ -92,14 +88,12 @@ data:
      private_key_path: ""
      strict_sni_check: false
    querylog:
      dir_path: ""
      ignored: []
      interval: 2160h
      size_memory: 1000
      enabled: true
      file_enabled: true
    statistics:
      dir_path: ""
      ignored: []
      interval: 24h
      enabled: true
@@ -116,10 +110,6 @@ data:
        url: https://someonewhocares.org/hosts/zero/hosts
        name: Dan Pollock's List
        id: 1684963532
      - enabled: true
        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt
        name: Peter Lowe's Blocklist
        id: 1735824753
    whitelist_filters: []
    user_rules: []
    dhcp:
@@ -144,36 +134,13 @@ data:
      blocking_ipv6: ""
      blocked_services:
        schedule:
-          time_zone: Europe/Berlin
+          time_zone: UTC
-          sun:
+        ids: []
            start: 18h
            end: 23h59m
          mon:
            start: 18h
            end: 23h59m
          tue:
            start: 18h
            end: 23h59m
          wed:
            start: 18h
            end: 23h59m
          thu:
            start: 18h
            end: 23h59m
          fri:
            start: 18h
            end: 23h59m
          sat:
            start: 18h
            end: 23h59m
        ids:
          - reddit
      protection_disabled_until: null
      safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        ecosia: true
        google: true
        pixabay: true
        yandex: true
@@ -182,13 +149,11 @@ data:
      parental_block_host: family-block.dns.adguard.com
      safebrowsing_block_host: standard-block.dns.adguard.com
      rewrites: []
      safe_fs_patterns:
        - /opt/adguardhome/data/userfilters/*
      safebrowsing_cache_size: 1048576
      safesearch_cache_size: 1048576
      parental_cache_size: 1048576
      cache_time: 30
-      filters_update_interval: 168
+      filters_update_interval: 24
      blocked_response_ttl: 10
      filtering_enabled: true
      parental_enabled: true
@@ -203,7 +168,6 @@ data:
        hosts: true
      persistent: []
    log:
      enabled: true
      file: ""
      max_backups: 0
      max_size: 100
@@ -215,4 +179,4 @@ data:
      group: ""
      user: ""
      rlimit_nofile: 0
-    schema_version: 29
+    schema_version: 27
--- a/apps/adguard/kustomization.yaml
+++ b/apps/adguard/kustomization.yaml
@@ -10,7 +10,7 @@ resources:
 images:
  - name: adguard/adguardhome
    newName: adguard/adguardhome
-    newTag: v0.107.65
+    newTag: v0.107.55
 namespace: adguard
--- a/apps/audiobookshelf/kustomization.yaml
+++ b/apps/audiobookshelf/kustomization.yaml
@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
  - name: audiobookshelf
    newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.29.0"
+    newTag: "2.17.6"
--- a/apps/code-server/deployment.yaml
+++ b/apps/code-server/deployment.yaml
@@ -1,41 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: code-server
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: code-server
  template:
    metadata:
      labels:
        app: code-server
    spec:
      containers:
        - name: code-server
          image: code-server
          ports:
            - containerPort: 8080
          env:
          - name: TZ
            value: Europe/Berlin
          - name: CONFIG_PATH
            value: /data/config
          - name: METADATA_PATH
            value: /data/metadata
          volumeMounts:
            - name: data
              mountPath: /home/coder
          resources:
            requests:
              cpu: "50m"
              memory: "100Mi"
            limits:
              cpu: "6"
              memory: "16Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: code-server-data
--- a/apps/code-server/ingress.yaml
+++ b/apps/code-server/ingress.yaml
@@ -1,17 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: audiobookshelf-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`code.kluster.moll.re`)
    kind: Rule
    services:
    - name: code-server-web
      port: 8080
  tls:
    certResolver: default-tls 
--- a/apps/code-server/kustomization.yaml
+++ b/apps/code-server/kustomization.yaml
@@ -1,15 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: code-server
 images:
  - name: code-server
    newName: ghcr.io/coder/code-server
    newTag: 4.101.2-fedora
--- a/apps/code-server/namespace.yaml
+++ b/apps/code-server/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/code-server/pvc.yaml
+++ b/apps/code-server/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: code-server-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
--- a/apps/code-server/service.yaml
+++ b/apps/code-server/service.yaml
@@ -1,11 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: code-server-web
 spec:
  selector:
    app: code-server
  ports:
  - port: 8080
    targetPort: 8080
  type: LoadBalancer
--- a/apps/files/kustomization.yaml
+++ b/apps/files/kustomization.yaml
@@ -13,4 +13,4 @@ namespace: files
 images:
  - name: ocis
    newName: owncloud/ocis
-    newTag: "7.2.0"
+    newTag: "5.0.9"
--- a/apps/files/ocis-config.sealedsecret.yaml
+++ b/apps/files/ocis-config.sealedsecret.yaml
--- a/apps/finance/actualbudget.deployment.yaml
+++ b/apps/finance/actualbudget.deployment.yaml
@@ -21,9 +21,6 @@ spec:
          env:
            - name: TZ
              value: Europe/Berlin
          envFrom:
            - secretRef:
                name: actualbudget-oidc
          volumeMounts:
            - name: data
              mountPath: /data
--- a/apps/finance/kustomization.yaml
+++ b/apps/finance/kustomization.yaml
@@ -9,9 +9,8 @@ resources:
  - actualbudget.deployment.yaml
  - actualbudget.service.yaml
  - actualbudget.ingress.yaml
  - oidc.sealedsecret.yaml
 images:
  - name: actualbudget
    newName: actualbudget/actual-server
-    newTag: 25.9.0
+    newTag: 24.12.0
--- a/apps/finance/oidc.sealedsecret.yaml
+++ b/apps/finance/oidc.sealedsecret.yaml
@@ -1,19 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: actualbudget-oidc
  namespace: finance
 spec:
  encryptedData:
    ACTUAL_OPENID_AUTH_METHOD: AgAhPqooAS/7R9S/X3KGfSfs3ClN38J9CEfkUTYAUvKGEehQ2Tz3thPNvhvnbz/gKRc7C172jgxoxaGMiVXi40Qa+I7Y8JVHefjoSd8NuubzQZU8ZK5KlYRgc5OnoPM3RLarHyZ2DFw5Q/ngv3sp1c5dSI4/604KSQPxVAFCnb/lnSkOsBggDRymWvYclx1NrLIClpLAFwHgCOm6g1kHCvtGIdBLxKOHsiRJm62+UyHt0GLkR0QFTDXBQxoBm9QR9kLjQqw/QqcOIVx1by0RHoHBI6HDEEIQVH3UgWqlMmIwm+a4KQeBEdEfWLn9YC8MGSdlQRlaZoi5ltFT2c/DWuMuRStnaOWbsMQVR+y6yJ2UNBe29uVQh6877iqfmAJvT6gXic73zI7Vkq6IFQ7veQPBaTi22HP/sxiElGI8rY0LtRHD4TctKSePaOPvsgrv8k8SpB5qYAft7UonbTPWzzRSSc4Y3Z4fQiD0x/uhtTqTTtukx39nzM2TjVGcJThWaxUGa07w1fjTafieFVwwreURBUpRK92X2NY3ovOdA9c1WrHfqIzVtpcnfQyCeA5D4XT2sBFk0+crwEm1GmtscjPkGnyctNMUSmkHd+QKw8EAmWxKge4+7rfOrZp5ZK7cBFJcB4gVQcxnm3bXr0qZyiA1udaxmSxVflQR2AjduvhKuE73AGPi0bJki5TvKJp6bavTotYfdMY=
    ACTUAL_OPENID_CLIENT_ID: AgA6X0uYaU1n4XSXVntmT4+NgahYkkMVx61OZP8ExnSMkRPlwQfErhNHrwKsTsnD8OzP3svhxBe5bwaI8O1OKF0k5pQWG0DbRfmBrwiep9nBsKPt+fQm0AJUsZ2sQNShusmsSEumBKbMD0CMPklVMq18tLpOIh/YaXM34lsOutW0SIx7HWWQsyLmoolEoRVdkKvDhoh3FXjKqzGYlr1uKuqYG7pJPsxEpsTs2pZTUIlB2gVcEqb/ZXxgkj01GDYzB519swIOfYdISj7oCR8VG90M9iDrgmxsPkWozMDxFjNo5JR2dB9wvP7ptFex8JonbZZXYZD7tE+36U8iys6Cjh6JGwr9luN1AxYYSkRrNWJd2CuID+8ujWptoTvRSO0RwiVVp5LhXe1l2GxLsS2UVtO+nbWH6DGMJei4DQ+LAxDXFR8FAvi7615cneN0umQfF4ZMUJirvxHA3tFN42tbnRmSCbLAZLNLhQq8VbRmkYOAN6LCzSKYlyhSyA3NM2HjRTFkXGUhOPL+3tPZJB4v0QlEhlhy1Ffxh2mbUXgmQ+ZHGUsBXEHfc/Gba6gJhsj6S2DkiAeZUW6euY5/v4vpveWsS+YS+BxH441//8mOJnrpsWrcQbM5yCk4WMnmpETy/VFEkc3dqYfVWHDfvwAeqjVfXAovXBmwOoCASG6qDf0P7FdeLFTHUNuahyNhBzhBAQ/yNpOkbzKTJFBWwnM=
    ACTUAL_OPENID_CLIENT_SECRET: AgAbJinP4E8rbGAw7BTfh/GB3XxQOfHiLFrgaikQbUIsmZu+Y6ktK7aJdcX2/g6yhHXX6z8p4xoYTaGgkpo8H0XWvUDT4ohqJVdJSWZgNx8MyzisVKi+51BEpslL4JvGo/ISjXT0hNeYGzFXlHnnr3LX+fuTVh3dKtk4t8nmR8SqaCCIyvKiBPmX/1QWo4Vrfw7OLpVlfGP0i3J7FrhjNgKMRWcQKQC4Ohk+NLHHghdtqzuFB8eKwcuBZmynKCVyblOhwZSL5WnyJPskWLMjNEizWuCubDdyHVY3ZqYLDe5dgoi7Gop5/xY7FEuEkmTL0g7LpKo4RkEKRLjsZwWtW+xN6HRRt7zGoUdIpo20ZnTtEH8C/qcxjHKUycFvzKLnk6ntq5rEdK2/MhBtMfd3a8pb4vpT9JNra1AWsB7zCUv4yc/FT0RpkL+1r1CVva4o+tzM8ojnm4o0ch6qsGb0IOYZvJx6sF7c6aj7c41YQK3ZrQF3bhhhEHYyWOBjy1V4T/GJPZ9CbhGG0PIsSvpW7d5pG5jNAwU/Xo6FL/vVUPwmSq/hCqYMSSSKNiMH/q/vzKyu5B5aQbNDAumzsLRqD/auJz8nAaUoLNBVHq+7zTs3wV7pEayY22teq/MN5PRtYOQLE5Ck60gv9Q70cfhgvTeK+eX4h9BbhfijCV/EiSYhLP7meeIpE80icdLUSkNROfW+0sf3RNbW5q3JX8PsW0h29VJgREJdlziLj2cCshe+ww==
    ACTUAL_OPENID_DISCOVERY_URL: AgAQVZX6r8SPkwwBR1dmUF/ahuZKkGSsU/GULe5PF7Nm75UadtjPb5aHAZjWE59MdV61DQZDa4KJz1/fW4xDUrJBuUElIRQH4oyMTQG12MSMauQpLd25SVU8ex2NYyerbd85j521FSxujP0l3941KGsENLt5wCx/idXu47txhAHgS81mj3CLfWzT5yyG+V1i48a24xK905v+ft5ZKuNLOxvVb6yZSBt1j/3egx49eB49CRk/dxYQtPpSw8Zb6KgaN+skjq5HTH/Neb4J92nlJ1aFPVKbFLbtxyIHDSoO35U8ODHEJVGKBbZjjfrrjCpmQYnZPEWN9s+xj2NAXZ7qANcJfbFEF/3bOiKZhc0jLM5MyhiMZoytn4FvGM8zxINC3z8zqaWJm1wiMXEUH3/FLUa2UWeHKQB14h0f5XGwytb3s/nPCoBnHhtOK1y4utJ2APsQhRsxySZjgYNRaRCarp8PntY7yB7VHYlv5Mitx+qBWcAUmcKp1I4NTnm1LORRGzIFcrJJKtQfqcW7GNuZDA3AiLGyOMVigcA93GnPbppor5BItE9FK/BKqrR4Bz31jXSO8S7pjhi3JxBIKEMmMZRVbyelJ9o7gTpqrBvO7KZ5v/L+mlE0J8D2LZoEWPqxfa/BE+QZfwIS3wDWQl1GTruaAM4u0bp4i9GkyK3hPVXnml3dNMElSG3GvNqHhhy1Boo1cHXHbQ5YzbkGgzL9fLkigVQCi0FKItyBxdGsui9U0OU5LNi0EGKBibs22mdDkp6f051GWeMidtSwz9j5
    ACTUAL_OPENID_SERVER_HOSTNAME: AgB+C31GqtPKbMifuTFYhwOgUwXph+RQYdnVQaVIaDiveE6Lydl/2HnTyFQIi2mhrbiCpDgegXuvGBoM7WHxlPepny5E66lY/cAdFaFDGMARqMXCRLVmvkt3U1IyNn9zPCPil0x+eAv2S/ETLm8Nj2OL9utxkdNBHub9xiGrE0d7qBeBfK1FNmainthYQUpnCsR7jowmmvYGuEyDwfG+suUooDdb5zaWmCJZRYk1jKD3zlu21N0sfciBJ/GpTdz/2V+NXqJJqs3r2zoB2GJPQ64pMuZHZ+yw8bYUkg7/QOHD2ofWmtzNOGGtiNRHAG8MtvF6ovc4Hgv5uu+4x413UP6pSIJsrHrXSHYP+mvu+ya3gNUn6YK2qymezrqbvUF/n7LoaDzTRqa0PmemtdskuABiwfqrdiOarxaWjomkXqnrBK6VkJ8PhOMDMv/j/c6zlXdhpnqlUyxMcjBjqicfNBWN8UByDIEw4D0rhibzOS4fIKjNHrmXHv39GNJsY90avhZqq42oTMJL0vcaj3v4pBZJdJ05TOvY7PQ/iUwnnczGqOtpAQtBKfCV2+PXp9o/64wOGc0Br322kSpzjIleWP9VWVgbqvwMjUGtlL+xTkCaOFpiYETxUim09c745WDc+YgU55rd5i/5t20wiKy7RSYnHvYOwvdjAlEgAnD0YZBXOQkL51nL9P+nOMAYBE0HiM1vYsd8R6h6Fk+G2gcs/2CLgwglqOtMwAm9A9+5qSqyMak6Z68=
  template:
    metadata:
      creationTimestamp: null
      name: actualbudget-oidc
      namespace: finance
--- a/apps/grafana/grafana.values.yaml
+++ b/apps/grafana/grafana.values.yaml
@@ -37,7 +37,7 @@ datasources:
    datasources:
      - name: Prometheus
        type: prometheus
-        url: http://prometheus.monitoring.svc:9090
+        url: http://prometheus-server.monitoring.svc:80
        isDefault: true
      - name: Thanos
        type: prometheus
@@ -85,14 +85,13 @@ grafana.ini:
  auth.generic_oauth:
    name: Authelia
    enabled: true
-    icon: signin
+    allow_sign_up: true
    client_id: grafana
    client_secret: ${AUTH_GRAFANA_CLIENT_SECRET}
    scopes: openid profile email groups
    empty_scopes: false
    auth_url: https://auth.kluster.moll.re/api/oidc/authorization
    token_url: https://auth.kluster.moll.re/api/oidc/token
-    api_url: https://auth.kluster.moll.re/api/oidc/userinfo
+    api_url: https://auth.kluster.moll.re/api/oidc/authorization/userinfo
    tls_skip_verify_insecure: true
    auto_login: true
    use_pkce: true
--- a/apps/grafana/kustomization.yaml
+++ b/apps/grafana/kustomization.yaml
@@ -17,5 +17,5 @@ helmCharts:
  - releaseName: grafana
    name: grafana
    repo: https://grafana.github.io/helm-charts
-    version: 9.4.4
+    version: 8.8.2
    valuesFile: grafana.values.yaml
--- a/apps/homeassistant/deployment.yaml
+++ b/apps/homeassistant/deployment.yaml
@@ -14,7 +14,7 @@ spec:
    spec:
      containers:
        - name: homeassistant
-          image: homeassistant
+          image: homeassistant/home-assistant
          ports:
            - containerPort: 8123
          env:
--- a/apps/homeassistant/kustomization.yaml
+++ b/apps/homeassistant/kustomization.yaml
@@ -13,6 +13,6 @@ resources:
 images:
-  - name: homeassistant
+  - name: homeassistant/home-assistant
    newName: homeassistant/home-assistant
-    newTag: "2025.9"
+    newTag: "2024.12"
--- a/apps/immich/immich.postgres.yaml
+++ b/apps/immich/immich.postgres.yaml
@@ -1,39 +0,0 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: immich-postgresql
 spec:
  instances: 1
  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:16-0.3.0
  bootstrap:
    initdb:
      owner: immich
      database: immich
      secret:
        name: postgres-password
      dataChecksums: true
      postInitApplicationSQL:
        - ALTER USER immich WITH SUPERUSER;
        - CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
        - CREATE EXTENSION IF NOT EXISTS "cube";
        - CREATE EXTENSION IF NOT EXISTS "earthdistance";
  postgresql:
    shared_preload_libraries:
      - "vchord.so"
  storage:
    size: 5Gi
    storageClass: nfs-client
  monitoring:
    enablePodMonitor: true
  resources:
    limits:
      cpu: 2
      memory: 1024Mi
    requests:
      cpu: 50m
      memory: 512Mi
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
@@ -1,12 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources:
+resources: 
  - namespace.yaml
  - ingress.yaml
  - pvc.yaml
-  - immich.postgres.yaml
+  - postgres.yaml
  - postgres.sealedsecret.yaml
  - servicemonitor.yaml
 namespace: immich
@@ -15,20 +14,20 @@ namespace: immich
 helmCharts:
  - name: immich
    releaseName: immich
-    version: 0.9.3
+    version: 0.9.0
    valuesFile: values.yaml
    repo: https://immich-app.github.io/immich-charts
 images:
  - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.140.1
+    newTag: v1.123.0
  - name: ghcr.io/immich-app/immich-server
-    newTag: v1.140.1
+    newTag: v1.123.0
 patches:
  - path: patch-redis-pvc.yaml
    target:
      kind: StatefulSet
-      name: immich-redis-master
+      name: immich-redis-master
--- a/apps/immich/renovate.json
+++ b/apps/immich/renovate.json
@@ -1,10 +0,0 @@
 {
    "packageRules": [
      {
        "matchDatasources": ["docker"],
        "matchPackagePrefixes": ["ghcr.io/immich-app/"],
        "groupName": "Immich containers",
        "groupSlug": "immich-app-images"
      }
    ]
  }
--- a/apps/immich/servicemonitor.yaml
+++ b/apps/immich/servicemonitor.yaml
@@ -1,14 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: immich-service-monitor
 spec:
  endpoints:
  - port: metrics-api
    scheme: http
  - port: metrics-ms
    scheme: http
  selector:
    matchLabels:
      app.kubernetes.io/name: server
      app.kubernetes.io/service: immich-server
--- a/apps/immich/values.yaml
+++ b/apps/immich/values.yaml
@@ -6,8 +6,8 @@
 env:
  REDIS_HOSTNAME: '{{ printf "%s-redis-master" .Release.Name }}'
-  DB_HOSTNAME: "immich-postgresql-rw"
+  DB_HOSTNAME: "immich-postgres-rw"
-  DB_USERNAME:
+  DB_USERNAME: 
    valueFrom:
      secretKeyRef:
        name: postgres-password
@@ -37,6 +37,10 @@ immich:
      existingClaim: data
 # Dependencies
 postgresql:
  enabled: false
 redis:
  enabled: true
  architecture: standalone
@@ -56,7 +60,7 @@ machine-learning:
  persistence:
    cache:
      enabled: true
-      size: 200Gi
+      size: 10Gi
      # Optional: Set this to pvc to avoid downloading the ML models every start.
      type: emptyDir
      accessMode: ReadWriteMany
--- a/apps/kitchenowl/deployment.yaml
+++ b/apps/kitchenowl/deployment.yaml
@@ -1,42 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: kitchenowl
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: kitchenowl
  template:
    metadata:
      labels:
        app: kitchenowl
    spec:
      containers:
        - name: kitchenowl
          image: kitchenowl
          ports:
            - containerPort: 8080
          env:
          - name: TZ
            value: Europe/Berlin
          envFrom:
            - configMapRef:
                name: kitchenowl-config
            - secretRef:
                name: kitchenowl-oauth
          volumeMounts:
            - name: data
              mountPath: /data
          resources:
            requests:
              cpu: "50m"
              memory: "100Mi"
            limits:
              cpu: "100m"
              memory: "1Gi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: kitchenowl-data
--- a/apps/kitchenowl/ingress.yaml
+++ b/apps/kitchenowl/ingress.yaml
@@ -1,17 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: kitchenowl-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`kitchen.kluster.moll.re`)
    kind: Rule
    services:
    - name: kitchenowl-web
      port: 8080
  tls:
    certResolver: default-tls 
--- a/apps/kitchenowl/kitchenowl-config.configmap.yaml
+++ b/apps/kitchenowl/kitchenowl-config.configmap.yaml
@@ -1,7 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: kitchenowl-config
 data:
  FRONT_URL: https://kitchen.kluster.moll.re
  DISABLE_USERNAME_PASSWORD_LOGIN: "true"
--- a/apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml
+++ b/apps/kitchenowl/kitchenowl-oauth.sealedsecret.yaml
@@ -1,19 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: kitchenowl-oauth
  namespace: kitchenowl
 spec:
  encryptedData:
    JWT_SECRET_KEY: AgAclRIJS25ACVe4NqLQbAree6c6WpTBHnLpe3ZQJ0ScHG/EbW/ooABZj7y1ABAn/mCc+hBYXYHm81FNUfUtSuLKi2UlORbTCsfmisYH49WX0Lpku9LTM/8az9tjE0tjUUrJZcRUuJfdNJMDPQx7IPjUQ7sKk/exFnkPEbK98+AElXyHpPKXd9dxiCgll0n+ksbF9BDUR8KY8IB2Zvh4cXPww578qe/9XYnxLV8uY9K8KPvhl7NI40SIaL4PX8KmsDlBh1bpOR/OxhIwAGEZDQp/KROy6msrIOYW4SHM9nlSUSD4WvV8UjcbV1oNnYpE1usFOuxSfQlJ1zlFepKUv40JykyunvQv9nqVbEogsrS4o5N3gNEaB9yyFSHIlevp32LVpAuZu3cNplmT+Zg7+ODpCWIcVgmOAeapvB+X7H4ScbKVcYLAzrRFDtnS4Vo1M+RERhr0AuMU/tz0lGs99oRkCw2ZIg015R125u0VcRNqzgCtbBM5BFiKiP2kYrHn02Q6o5tRWxDQfrfb0mnfD5c/gM4+btlfM6DZMpr/l1kLlm8PDEpPGbkhK1XiAyJ4erHPDMLcmZXrSyxX9R1g8n7vnLnkqx5LkGmnltQI2FM7StxC6IrMlxY0nPnkq1lHhTz7yCpQJNXgfXZLVvov+f6jlD6WJhYHZCL/hIFfx3ybjGYZwJ0m84lH0OQJQw5dtsbPVqqoYZIPieqdRmHw7M7TTmFuQJXD94lZj5gsln1sMqs=
    OIDC_CLIENT_ID: AgDOxWtGCiFrIP5aWHimrR6bu0uMS1/i1v1Kzo1lIR3j3zlw/Da2oCPNx1ZuhNAp9UMIs2euc8mtrWkyv4R6pcci+IxXiGzlQNBSkMfWu4DwhwlEdnVyCVehfE00t0ytBxX6NeLfS1b8JOtH9yo3e22fdaeTwn/iwGLNwi1BJxMmzk9pVp7jzXH09Zia8UvUmXw5GyGpIOIiGcIfaXkr1ZnY2l30jTw8eS7HaouzfWHWTpNXkMLN3qim4vs/B1Sgz/y9tUyVo/qMhWLdEcVklYHT7xHx03SPD7RtK+zdYZCqvDtj+tsdpYHt05zeGV+wflNQuiocjwP8TW7vhtbjKrf9lQIxB5CErju178ELOVrpsPBAYMgdEl7qZeKdSpydIwe3VbOg3XJ7O/Ps1KSnRYwrCvgE4ZCMm3geHyJxSiKRhBcuVYz5JkNd5ylD0Eq9NL5RCqJ4szL9NaGNPbzkvcdZzAnbTYFTzyqZ+XHX/BUFisXl5bKNHtaqAsOK8woGYnxJiawKRrwDUmHXU4RB3QiPCPhHSLU7OkvU+XDhyQqLa8bKEQzj9dUf4bX3Savk4noiRsXMYJznAlgMPo0Q4taxVIoyQHELYwIIdP5YRuw27B9wKUR7e2hhu4FTOEcyhwuFql3OuAjq8HJCDX6+COkL2WYFFxWBnbSCYEdzfbMBCHjrUUonijcQluU2VbaHODNMAvB16MRKapAW
    OIDC_CLIENT_SECRET: AgAylnSUXwInlh/WvyCiFz+8asbCSZA6kk84Rt6l7bHVYw34c58lJHsZK2OvOIlHuaMe/ewnTqxVd0hI1Azl+wd/5NygMYlntKquq0vuzlhLrGc3u+0SOn9N2P6quA3slF9KR94CYsDx9ogy+EsEoA1yrsydB8S0g9W8syraR1MtpM0ZkcJ/D78OZ6qzyXUuBNAZc+iX/r96NvoMiGNYavgG7npOJh/pkKNYPuNkt4zpbAFjVyoCfgZd4V2nmZ6dhEVy8odW+jcsMn6OJ1OZVlPb1beq49lBEcaJqk83ZtKbq2evtBYHw9YAnENVq92ecenw/YL5LXUhOxeN0M9Amo99/O6pQwwrT1mtZqhTTeTIZTAxqmJKgyxGhE4DJUR/s71bc7K9hd2WvdAYnCyVC2uGa0MwXp4V7UuaN9GerldT8lcFxOpRnD7yroqVTqebjAJIkIinp5NNZ2ZP/LCiCwKKHHT19Pchn615WOPTofC6es/spIdQ8a1Nf2J5YzvRjsduFS55U6tMaC7cuV8kqKH9xTTf/sDHt+68wVEAO9koAe1zpO+zR2Pq3VuCnvcDGIwXopXjvyjfujEEhEWZl51PVJLZqtkP5Wg2wHvlgjJBbbIGTrqh4xa9pK7wLDM2hUFx1q/YKqwfP0EGVTc96G8Wermj0DtIqclqFLr54DtxVe+Rr8J4edG6YQ26/seYsrZ1Oq2PejHQt8u9EzQYAtYYlBsw2ujCWys6KrbhaVr3
    OIDC_ISSUER: AgA2JPd5axkL5YIRA95qm/iH8wgM2J0AjKjgGClWabYJ3UKIk0hi/L/zR+1Pw9Z+6amYXj7Q0FxLqCcNYG+H5ABxnqUi7Gl8gvfVbegaO3q5QiO27g18RMDssNHDSun8PPaxHBvBD68hxgsaXntu8sZavCGdwEK0TzLJi7eH/4jtHlofzfYgaCsGqeOBgvs/q87PVJ/qxazXlY9e7abbRAKl9ZMY7Wga58/IU2HhWwYMvI53yQyGMcKf3XiI9iNHgIcj1+TmlgQo+PRKyopNfzgFbey7on8woQXphY+ioqQ0hyworpxAVoWlvzKKopt1xBDr4zxzkzbWyxtjwPVOOH3iyenZz8tZa/JkNYWxkWHbh0KCs9yUIji3D3shQOFM/NtE17THsQm3NgpZ2lg9ET1v6uXqwfOLiQ+J1JQLwNFnYeruH2lK4EGt2nDCq2VycOIjW4kMpiJ4LiT8gap9HwYjTpAn+opicYn5e9fmpgiHdMPvrsG1m9edg0cbwdSpEelliHnAUfKsxMV2e1fLsga6yrhBLSXIQs8rbURRa6wqVvGoLB86a9Q5Rm94Jfm0Sa9v5LMGRYvqO5LbLrjrR8e/2r17pHQE8ynMQCAW1yVTe09FcgRwYhDUohfThtjIh16sdoC97eUel7fo/POt3atP69JsCIBZstprhVtBIBssmavpIotVqi8F2/yUkhrZR26mH3gsOxkNTEk6XzHHtJRu0cU+BmObTvYgMi3DHg==
  template:
    metadata:
      creationTimestamp: null
      name: kitchenowl-oauth
      namespace: kitchenowl
    type: Opaque
--- a/apps/kitchenowl/kustomization.yaml
+++ b/apps/kitchenowl/kustomization.yaml
@@ -1,17 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - kitchenowl-oauth.sealedsecret.yaml
  - kitchenowl-config.configmap.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: kitchenowl
 images:
  - name: kitchenowl
    newName: tombursch/kitchenowl
    newTag: v0.7.3
--- a/apps/kitchenowl/namespace.yaml
+++ b/apps/kitchenowl/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/kitchenowl/pvc.yaml
+++ b/apps/kitchenowl/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: kitchenowl-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/apps/kitchenowl/service.yaml
+++ b/apps/kitchenowl/service.yaml
@@ -1,10 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: kitchenowl-web
 spec:
  selector:
    app: kitchenowl
  ports:
  - port: 8080
    targetPort: 8080
--- a/apps/linkding/kustomization.yaml
+++ b/apps/linkding/kustomization.yaml
@@ -13,4 +13,4 @@ namespace: linkding
 images:
  - name: linkding
    newName: sissbruecker/linkding
-    newTag: "1.42.0"
+    newTag: "1.36.0"
--- a/apps/media/kustomization.yaml
+++ b/apps/media/kustomization.yaml
@@ -12,4 +12,4 @@ resources:
 images:
  - name: jellyfin/jellyfin
    newName: jellyfin/jellyfin
-    newTag: 10.10.7
+    newTag: 10.10.3
--- a/apps/minecraft/README.md
+++ b/apps/minecraft/README.md
@@ -1,11 +1,3 @@
 ## Setup
 Because minecraft is quite sensitive to io performance, we want the data to be stored on a local disk. But hostpath is not well supported in talos (and is not persistent), so we use an ephemeral volume instead. In order to do this, we create an emptyDir volume and mount it to the pod.
 We use an initContaier that copies the data to the local storage. Afterwards, copying from the local storage back to the persistent storage is handled by a preStop lifecycle event.
 This way, we can have the best of both worlds: fast local storage and persistent storage.
 ## Sending a command
 ```
 kubectl exec -it -n minecraft deploy/minecraft-server -- /bin/bash
--- a/apps/minecraft/curseforge.sealedsecret.yaml
+++ b/apps/minecraft/curseforge.sealedsecret.yaml
@@ -7,7 +7,7 @@ metadata:
  namespace: minecraft
 spec:
  encryptedData:
-    key: AgDG6apUvB38rB9tH+/ya5Af/32IUJjHiEGZFdYYqesuqyPB/qf99EtC/7CwqD6bDQQPVycJVcxwZuF8QtYfPXzv//yMkqEUJ2G1/Q5J8I6bjNGLR636UhliUpCkH1QDOspWJUjwKDVxlFN9l0g9UajvxnqLyGzbWPeay0sJEBvAY8ltEZpLP21V+GD+HgPk3HIfSFFBMsULS6GPCjMaFxkxQb6cG3K4Ej4NHCHRGOmax+4Rk7lwMyAHlXLlrwj/ytxrnHDWrugLIJE9KKmJn6UVNTuk6olgkhleg2PixV7oOiDVyu9ZQP8wbdppzRix6dnIcFEYJ1ZDK1rNF5QErYO0gBytiJnSsdFO0jUMsdBrho2FgUc5GgIdmgXWJJz3lrGFqXaRVvbPsBZTUAsQRh2+4IfqfWmAkEjBcjs1K8WWJfS+rO9e02KoHBT4decdsd8Qfr5EFdPIzMrkUoRMI9CJnIa5u2nR08Hhd9iojbL64FZ26kXMODtEdKmlo+HwjufLX5rYJVSfOyZYzivd/kgKA87YTFaMLKej07w3ofGrPYSoCnmLfJyoQdNyJhdonBDsgM1GgRWQZDpgJ1df0SB02A5lZ4V7lHWr8KlANv9YLuMoZnVehsH1NZjNQHDInIRiTLahEBbjcJzQz4vU1UWG100ATszEYKOUVkzPnTgkqKYU99ZQ23bHP8z7iAWQeumb6V84NTi6jNITBvU4yTFLuAiI3nW34Vb1mFVLwfWqMjEYX8gBB4yMSaVshB/japfkyXU0pYg4mK9gsB4=
+    key: AgBYeAiejdmxDBorvgnxQX5YvUhR3NId2vfWybMKlc27e6D/bKglLNyZMk70xSnFAPjcDmZ20mYjFPYvDOr9T6IU/REJ8QlzoKAn0xW779R4SkIxRToT+dJv+OM2avgQ9uqp7vja29xeXMjYAnQML+QGZKcrT8mE04G/Ty8rdUiv3yUXK5HFAR3SUF35aVLdlthLjpRkv1s0R7GAP4L2pNzBJNV3i37viceUSSjU0zpOa23fsQOkPAs67AIukAJBqh/hyF/hR9H1GeYZNTI3OcHcvC2iNk/XGstvv0Zy6ApzoebsfWGdsbVn+QUI0EBw+mSTPqpl71cbkz0v4S4XAVndosxWpe6AIgm5MBTU0FXIyGyoFDe1aMPq8BXiQikYVwB48oVNh9KF0xXX5AOG0whB/FEsL3OJsiNQvQ3R/Hru43JBn64oxjVtLfM3E7u8v/xr1VQahX8dylDmb4s5EV01U6O4y19Ou4td1eEMlhpJb0fBPDRUYuWxZAEDGmp+U4tAakyPed11VkcZPPn9fKAAcv8sGs3TYAbbF18hqsBnv2Wd+i7ZEvKwmdmfR/T0r1TJGsvKI7jaW0QtH256XrSxQp7a52qMKMVQWOSKw2k27t/IkRhxT2Prw4GfJvaVr4RozUaBf3LV/hfDWlDfmM2zg3X9W8HkzjotGg021OLxsa0Wzmhffvb8h4bvZwxeq3U1xaJocqXui7z0rT2pF4z3wYHR/lPtexHcOA2M8gfBGKb1rBKh+kW+N+/ZfVLNI0mokg5vrTO2nR2rb4c=
  template:
    metadata:
      creationTimestamp: null
--- a/apps/minecraft/job.yaml
+++ b/apps/minecraft/job.yaml
@@ -4,27 +4,14 @@ metadata:
  name: start-server
 spec:
  template:
    metadata:
      labels:
        app: minecraft-server
    spec:
      restartPolicy: OnFailure
      initContainers:
      - name: copy-data-to-local
        image: alpine
        command: ["/bin/sh"]
        args: ["-c", "cp -r /data/* /local-data/"]
        volumeMounts:
        - name: local-data
          mountPath: /local-data
        - name: minecraft-data
          mountPath: /data
      containers:
      - name: minecraft-server
        image: minecraft
        resources:
          limits:
-            memory: "11000Mi"
+            memory: "10000Mi"
            cpu: "5"
          requests:
            memory: "1500Mi"
@@ -42,13 +29,13 @@ spec:
              name: curseforge-api
              key: key
        - name: CF_PAGE_URL
-          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/6807187"
+          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5413446"
        - name: VERSION
          value: "1.18.2"
        - name: INIT_MEMORY
          value: "1G"
        - name: MAX_MEMORY
-          value: "10G"
+          value: "8G"
        - name: MOTD
          value: "VaultHunters baby!"
        - name: ENABLE_RCON
@@ -56,37 +43,15 @@ spec:
        - name: CREATE_CONSOLE_IN_PIPE
          value: "true"
        - name: ONLINE_MODE
-          value: "false"
+          value: "true"
        - name: ENABLE_AUTOSTOP
          value: "true"
-        - name: AUTOSTOP_TIMEOUT_EST
+        
          value: "1800" # stop 30 min after last disconnect
        volumeMounts:
        - name: local-data
          mountPath: /data
      - name: copy-data-to-persistent
        image: rsync
        command: ["/bin/sh"]
        # args: ["-c", "sleep infinity"]
        args: ["/run-rsync.sh"]
        volumeMounts:
        - name: local-data
          mountPath: /local-data
        - name: minecraft-data
-          mountPath: /persistent-data
+          mountPath: /data
        - name: rsync-config
          mountPath: /run-rsync.sh
          subPath: run-rsync.sh
      volumes:
      - name: minecraft-data
        persistentVolumeClaim:
          claimName: minecraft-data
      - name: local-data
        emptyDir: {}
      - name: rsync-config
        configMap:
          name: rsync-config
          defaultMode: 0777
--- a/apps/minecraft/kustomization.yaml
+++ b/apps/minecraft/kustomization.yaml
@@ -8,7 +8,6 @@ resources:
  - pvc.yaml
  - job.yaml
  - service.yaml
  - rsync.configmap.yaml
  - curseforge.sealedsecret.yaml
@@ -16,9 +15,3 @@ images:
  - name: minecraft
    newName: itzg/minecraft-server
    newTag: java21
  - name: alpine
    newName: alpine
    newTag: "3.22"
  - name: rsync
    newName: eeacms/rsync
    newTag: "2.7"
--- a/apps/minecraft/rsync.configmap.yaml
+++ b/apps/minecraft/rsync.configmap.yaml
@@ -1,42 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: rsync-config
 data:
  run-rsync.sh: |-
    #!/bin/sh
    set -eu
    echo "Starting rsync..."
    no_change_count=0
    while [ "$no_change_count" -lt 3 ]; do
      # use the i flag to get per line output of each change
      rsync_output=$(rsync -avzi --delete /local-data/ /persistent-data/)
      # echo "$rsync_output"
      # in this format rsync outputs at least 4 lines:
      # ---
      # sending incremental file list
      #
      # sent 145,483 bytes  received 717 bytes  26,581.82 bytes/sec
      # total size is 708,682,765  speedup is 4,847.35
      # ---
      # even though a non-zero number of bytes is sent, no changes were made
      line_count=$(echo "$rsync_output" | wc -l)
      if [ "$line_count" -eq 4 ]; then
        echo "Rsync output was: $rsync_output"
        no_change_count=$((no_change_count + 1))
        echo "No changes detected. Incrementing no_change_count to $no_change_count."
      else
        no_change_count=0
        echo "Changes detected. Resetting no_change_count to 0."
      fi
      echo "Rsync completed. Sleeping for 10 minutes..."
      sleep 600
    done
    echo "No changes detected for 3 consecutive runs. Exiting."
--- a/apps/ntfy/kustomization.yaml
+++ b/apps/ntfy/kustomization.yaml
@@ -13,4 +13,4 @@ resources:
 images:
  - name: binwiederhier/ntfy
    newName: binwiederhier/ntfy
-    newTag: v2.14.0
+    newTag: v2.11.0
--- a/apps/paperless/kustomization.yaml
+++ b/apps/paperless/kustomization.yaml
@@ -14,14 +14,14 @@ namespace: paperless
 images:
  - name: paperless
    newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.18.4"
+    newTag: "2.13.5"
 helmCharts:
  - name: redis
    releaseName: redis
    repo: https://charts.bitnami.com/bitnami
-    version: 22.0.7
+    version: 20.6.1
    valuesInline:
      auth:
        enabled: false
--- a/apps/recipes/kustomization.yaml
+++ b/apps/recipes/kustomization.yaml
@@ -13,5 +13,5 @@ resources:
 images:
  - name: mealie
-    newTag: v3.1.2
+    newTag: nightly
    newName: ghcr.io/mealie-recipes/mealie
--- a/apps/stump/deployment.yaml
+++ b/apps/stump/deployment.yaml
@@ -1,48 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: stump
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: stump
  template:
    metadata:
      labels:
        app: stump
    spec:
      containers:
      - name: stump
        image: stump
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 10801
        envFrom:
        - configMapRef:
            name: stump-config
        volumeMounts:
        - name: stump-data
          mountPath: /data
        - name: stump-config
          mountPath: /config
      volumes:
      - name: stump-config
        persistentVolumeClaim:
          claimName: stump-config
      - name: stump-data
        persistentVolumeClaim:
          claimName: stump-data
--- a/apps/stump/ingress.yaml
+++ b/apps/stump/ingress.yaml
@@ -1,17 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: stump-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`stump.kluster.moll.re`)
    kind: Rule
    services:
    - name: stump-web
      port: 10801
  tls:
    certResolver: default-tls 
--- a/apps/stump/kustomization.yaml
+++ b/apps/stump/kustomization.yaml
@@ -1,17 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - pvc.yaml
  - stump-config.configmap.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 namespace: stump
 images:
  - name: stump
    newName: aaronleopold/stump
    newTag: "0.0.11"
--- a/apps/stump/namespace.yaml
+++ b/apps/stump/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/stump/pvc.yaml
+++ b/apps/stump/pvc.yaml
@@ -1,23 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: stump-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: stump-config
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
--- a/apps/stump/service.yaml
+++ b/apps/stump/service.yaml
@@ -1,10 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: stump-web
 spec:
  selector:
    app: stump
  ports:
  - port: 10801
    targetPort: 10801
--- a/apps/stump/stump-config.configmap.yaml
+++ b/apps/stump/stump-config.configmap.yaml
@@ -1,8 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: stump-config
 data:
  STUMP_ENABLE_UPLOAD: "true"
  STUMP_CONFIG_DIR: /config
  ENABLE_KOREADER_SYNC: "true"
--- a/infrastructure/argocd/argocd-cmd-params.configmap.yaml
+++ b/infrastructure/argocd/argocd-cmd-params.configmap.yaml
@@ -3,6 +3,4 @@ kind: ConfigMap
 metadata:
  name: argocd-cmd-params-cm
 data:
-  # server.insecure: "true"
+  server.insecure: "true"
  # DID NOT FIX RELOAD LOOPS
  # application.namespaces: "*"
--- a/infrastructure/argocd/argocd.configmap.yaml
+++ b/infrastructure/argocd/argocd.configmap.yaml
@@ -3,9 +3,7 @@ kind: ConfigMap
 metadata:
  name: argocd-cm
 data:
  # enable helm when using kustomize
  kustomize.buildOptions: --enable-helm
-  # disable admin user - use oidc
+  # switch to annotation based resource tracking as per
-  admin.enabled: "false"
+  # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_tracking/
-  # show neat status badges in the UI or as embeds
+  application.resourceTrackingMethod: annotation+label
  statusbadge.enabled: "true"
--- a/infrastructure/argocd/ingress.yaml
+++ b/infrastructure/argocd/ingress.yaml
@@ -9,9 +9,16 @@ spec:
  routes:
    - kind: Rule
      match: Host(`argocd.kluster.moll.re`)
      priority: 10
      services:
        - name: argocd-server
-          port: 443
+          port: 80
-          scheme: https
+    - kind: Rule
      match: Host(`argocd.kluster.moll.re`) && Header(`Content-Type`, `application/grpc`)
      priority: 11
      services:
        - name: argocd-server
          port: 80
          scheme: h2c
  tls:
    certResolver: default-tls
--- a/infrastructure/argocd/kustomization.yaml
+++ b/infrastructure/argocd/kustomization.yaml
@@ -4,13 +4,14 @@ kind: Kustomization
 namespace: argocd
 resources:
  - namespace.yaml
-  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.0.12
+  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.13.1/manifests/install.yaml
  - ingress.yaml
  - argo-apps.application.yaml
  - bootstrap-repo.sealedsecret.yaml
  - argocd-oauth.sealedsecret.yaml
  - servicemonitor.yaml
 components:
  - https://github.com/argoproj-labs/argocd-extensions/manifests
 patches:
  - path: argocd.configmap.yaml
--- a/infrastructure/argocd/servicemonitor.yaml
+++ b/infrastructure/argocd/servicemonitor.yaml
@@ -1,77 +0,0 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-metrics
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-server-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-server-metrics
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-repo-server-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-applicationset-controller-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-applicationset-controller
  endpoints:
  - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-dex-server
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-dex-server
  endpoints:
    - port: metrics
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: argocd-redis-haproxy-metrics
  labels:
    release: prometheus-operator
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  endpoints:
  - port: http-exporter-port
--- a/infrastructure/authelia/README.md
+++ b/infrastructure/authelia/README.md
@@ -1,8 +0,0 @@
 ### Adding clients
 Generate a new secret + hash:
 ```
 k exec -it  -n authelia deployments/authelia -- authelia crypto hash generate pbkdf2
 ```
 give the client the hash, store the secret in `authelia-oidc.secret.yaml` and seal it.
--- a/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
@@ -7,15 +7,13 @@ metadata:
  namespace: authelia
 spec:
  encryptedData:
-    client.actualbudget: AgBkqA3lAi7ofkC47b1OlqFGQQ7TG2xJ71uT33fvXCuibkOdvpGyk5eeY2YGh4gqH9zPt739Vcee+y2w+DW/rrqoIPZqO1tx2wgNVT8H/ll8eFe3+3gBIylYXe0JQ2+AhonAjJgUuOKlTfv3tOiNavZEiDM4bVqv+5QfIRAy//YNr9p+G4/grLzc3+yfvGR9DaFrldaPDsg49m0rR2KXGL417V47WL/d1/7tDdoPEYYsmd3iB+RT3L1pQlGIGpieswcI6LETb2HuS/lelL9pC3yA8zBYq1jVW43LF/E99affv3VBdVZckHn9Ad5juKICXqxphp8Op2ynOzW0QNMdMjVahWPbNAAn27cTP5RZDodTmQGbPrK49R00IjzKKU4bDxtAwOpZKVJq3ArIh3j2ETycn/FhMIpLGEAGpMl+ZO077aznJl77nOAkjSXioOkNiPh32gKg5b3jVwry//8g4vTS6AEkNQkMrRey12p42MnT+CHDwgqAu0pDVAM0QvE8g+hhX8tENNN6IalRar/mNAa/lFcm1mXPVEv0ST+7YfQPm5vMY/BNixlpPTN3qd3KJje/Ahv7xHhNWnkez/+G++/l/mUjgVUsoD9cJ+p/87JZOKLiPEbxINFNcoJfO4XJrua6BwtwiGhsdVv61myC408AiBJ7akir2IMe/b/O54xZ+H0SHKlXc1lqRyQS83awcZj9tBAQut2B4IY9yNaudQyce82qMuH/X8pEWrNxfcxgnBCbAMJ24ZU1yWNFO3wqRaWO1MxOny8iefUosZI1wjYuDyzTcMqnq4rEoKEF/Q6NV/N+Rr2NNOiXR1/NjAfsk0CKIdSrERMazzM58omAxULlCgZGTw6i29Xulj4ToLXNhKAJqw==
+    client.argocd: AgAO/s+1K/QyLFsj44qAsgj+qS0qE7Q1De6cjc8UpsXDTQ7Y1SrP+NP8K7mZwGgQ1ItJN7bsIo79CFi4wLVEUOmAhu9dFwot665F0iwA8aUrcohk9xfqxqcv0A80i6mbchd60/GTaOTiQ6IFbeKBsxdv37NhvExHia9zdPFBVZoor5gmfZi1l8Aujge0dHqN0Qtg6R73b+abiJZS/h24HmETPJnRARK9aX1HSO8syBv2cxOuX3oYpVT8qvw+J2pgF7pD7YF8ZXG5v8VkXLn9vZ/EznTRNPguGC7YZgEXB9dvSJMcQ7KXNqtreKtSJk9V6EuhHHteHAlrCMdJ/UILUx+S1MLdSlnmoXHLU4oXITI688ZiGxtp0MyhknKPk/rRHV8To/lbEswy16j39ES4+vV7UgBVIvl4Ds51C39VC5G3gKL4xuEWbSuXv3oNbIPQzNZXGPkn77f4A7NQy2Wnp9G8RKtJSQqoWaOCNoytngyIkEy/Z6tbNFmafRvEKSSNLMVeH8nChpbqCwVBTrk1jASYFPW8sIlVh9zia2uihiHzIxdKOQXsvWMSGLdFSSiG0vlC+yeBb5PhWBA+0nAsKGO88a916E9B011w9qK/92GOcYaU/Kgyo6CnseVyJgSjv6d2IHxKTHnQtWpEQEHO2VEVfuqiISDz8rSCFbM5U91Qly947bRMCXXY8GuFnmlNJpqq7QPp6HRZBt4ZfRmkI/E5y7Nb/L/SfXDJsjSd0z4U0vJi1tYxIs0XnprhxjkuS88ZuqdEZaHxG8PMrACSltKzZhwBnjImb2LuOF3mUitngF2YQ5L4q5S7AcOU4fVHwoK+wONNCEjI63RiGo7DTm1AwM9lA5gM0pQSU9T1JqWtYcPZVg==
-    client.argocd: AgAMeMuApKfbUmJ7qxTVuiFCoQvQnVY9e914jZJzZVoD7NNghd+GoI/kl9JuaTGd8FXC9Snp+Pdduvw88PNlR+ZLDQChh9z04BbYm0jOhu+6mxMl9klVc5kbEUILC8nA2Oad0KshnFuRt8PucbM3Adk5P8WwsH0+R0QCQqze36d5pZrNT3XsVHFzkEO69TVNmNDtde04UnlGKlXhtsZHVF0QXU+O0knNPK8Gav4NEAP0GiPSA4Hx49rpu3PzyISi0vUnW4jZQYP2hnD8arR4pAjehuHzkjt8A4sP635KaQ3kEE/6VL6eBLxzFeht31p7/owMAqvjA3Z2TwHc0Eo8zqzQdYIejDvBcm3p/iIECBJUffRRKT6ijlJnzmL8dFVRDkWGN3D2eg7xELQyoQfQLo8m8v3o5rRLDMxGin/dP/7DqL4GLRRIJMIcg3VMNqdSbi7ESlZ0zWZaFQ/3GQKy6y7ooqQS/nn+2stVo6RRuwAlPkpyTa29wOu4fjIsuQ4O9CQrBXowk+4xO1FqWVMUcPGfrLx32IcIC9iZ+QAb1goh1eADnl9D5eKJjWouStvA/i+YlRayHrIBn6XwRgcLaz3ydlZUtwt/HhheeB/N0jRRFD7Tf7SWMdOtyEnngglOmOoiytU0F8B+jNW2OPfPU3CP2AkKvLQ0El9kbLQHYpnpNfbjq6Fjj7b6l8LPo58WBua8uQBwghKL0d6NnjdRymLylJdMUJvGF/9F8rW+1VRndyVyuNRPUXFJv9wqklLQYu7+dtAphsnhO17LdGomjCkP51VtFloWNH49aBWj0p6scsMVahzU2lhzwWOSLh7iK3lm5Pyhkwl2GPR3ayQG8adSE6BaswtmdEpKYEbvi5kWy4In/Q==
+    client.gitea: AgAbX2GgysUuAg3TLLK7Puhtl+L8x4cQOGo+3TP60DPms42Tw6oihHQpSTzIEetdaqJ/QWrdB2FQfzhKQVM0hQji2uVH34SyzvP5TepJJSURUZAHGRiwhb/E7S8ag/ybBWQ9OIQzMZBiOOyDULrhmjbtr/CbozwmvdTIKiXIBLxQbXA9PjcM76UyYZAr69wP9a6xOzwOZgQ2/aJbWEFnItreUaqY76FHzKwkcPkzwPPryD7jvpVoLC2ZsbFLCptKbaCpRuHNQgHblWB2dj5wkFRGmNyHH7mglq9A2FbB9uiAD+2K2tgYgSc4yGaeGIvu/Qbnioc4F9nTT4ZceEtMu+sn1gVWy3kKkUDOvCcGUALo759/FuyTQ8JKKJ/zLYHhCJ8IAYXFhALe+aQMZbcycbD9KU8Iepq1DCTsyjpbM9K5w0D5ZnBf3V9IemjtMNaCllDq1Io5mPQaxlyjsWIDgvXIP2KEGekSlnh5O2yNCQl0gLAKM245B0lxyRgr22lTH9AJacbIVevwdBq0B+iSm/JGJvWjwLzfL5D41HY0Z6ZLOLUFKnTHQGiRp2+g9ysg+38aOQ1PUAXlloXM6UVnEHdahyvuPmAfo34f8vSaSrT1b3Xp0MzxUwxzl0bXO9wQ/As41qpI/DKC45CFDl1yQ3/+LOggAF///peSyzUNYUvbqB2u5KWNrLulXO11IKffHYeiwfeINxB0B3Rzxpl2ZBm4k8cauArTneYYcic+DbweY3WjcFQPCtfQiiS56S1wQeF9xgZfL2WNQA3qnnsB4mYyCLxH/oJ2JiiKrISPUmEcERnU8rdUelZ+idiT4s4PDpOo34QK756nzTtyWGjU0pIm6PIpz35i4djMkUoNpLq7bcVcKw==
-    client.gitea: AgAhsbmgb1LaYsCtd85vEu6dkwdzlIt9rfliyrjFxAmLwstrlhY1IXXrtd1f25sjWmxpiRnUmPgSaaeBpd2YEOFI2tDh3rwUW84q77ynmcIOGKEHpfQicVurvOuj2YNFE91hBf4A18QYRSLDZyCg4yJ/Ult5vS88mNSfaSrDkknjnNfV4+PZzM1JAfILQtWEMmG89vyIr75Ix+i6IkHdKu5YZK/2aOS+vX5LYiOGp7qVXkkKDCvbk8KNe/2gqvaSDCSoRCdtzEP9SdqOY+Zvw1A6dMTP8EZQmXW3qsNn6m9J+bFw8C0SJ+ptG3teuzKKvfkuyUVRSoO2aXREmwzkENG7jQBy4y3BBDU+U4iF73e1LCFczXsXy590rHZ66Jx6OseKFoGn1Jw/ir12soNCU2dnkUfgdiqN8yvkRJ3O/h2BYC5r7IJqIxNiqY2R1EhTgiG4/DhAvTcy+iZlgk/YMqSGVFLJtOQiy41+Vej79f7kw3A2u8HGksTkL5zkGxYIY8EyM+/VR4wHtUsjJTiP8+VHFWw/v5sxnTWAAAIdRn10371F8FNqdD1dCs5U8Xop0/WwFYaix0/dLkI+tJxQvopObAY1G4RKmTy0GTgE4sBGgqjI+KKdVdh6gO26WxtF07MlL57IjfQMlMFYXyapnDRplZkTfDBioF7+8eOd1hajgKUFv3OqkEJnk4ifZzfjXlAAdXRzic6ppfb4w+0YkSluZUTdTFr/SWt9eUnLYz/dkZ8ZV5mV4KZHlvPvfCwBWR3F2JfT0WUKlvC8l8AJKwyBokZJZODKDxaaGvoMvKgj/e11YncDpY/vLP/QbE2onVQKaA25ukUZNFL3WTZR1igi2huRns+/066HdUOLzncGceyDKg==
+    client.grafana: AgAtsKa6TPkGYqT3BcmbKnOnKG4xNd4N7tv7Vt81rh10KupR5z9c12y78uyKQZMyWb7PDDi58nIeWzTmtVmoSl06D8NCOfYrlbZQEl+NJsePX/kiwmlOnOrLBQ89uHHdlU7MCBPVDZNPY88xzkZg0pPnWYlKuvtNpV0Uq03gUosM5kV6zF10LRM4Twhpw9su5mDkwzyrALB0eALkmcktDpbayr0b0ZnK1X1HYuG9/GRTfa4uE5Jqbl+h3wV8cqUHt5drCVu3yGEP8palqTWh3LZoVFddDZ6EjX98FNGorpgvXzQrSwR3DHEovhER77MFgJu5vvVecgygPMHpQETb7VPpCoiY8WwjcJMElcFbVFgeih3mMxe0vgkf4AmyNmHvV52QT01+a2UJfwb2l7J+BJQS2qRLWX22eUJ3jWthFZp1bHxrgrizaqLmuR0WCabiWClS6+w5ecuuEnjZKhnNgGViUTZEo9r4Y+Hq34DbpSbQCPD+KFwjSy38cu585wHnMJHbmP4tVH0+zAA4sNzlcO+Dt2bqNZ5bIl+pq1y8qP6sABiRIxvHOhnXSHFhRQzUqrO7D/0WEHzsHNR/FyuJJ8gsE/ZS3gmMq1qaYAdLWanNPtJtcZxk03ZTGRmx+TRnoeTdGniyROACL2e78MX6gszjCpjIQWJOh/gDmMtO/r/0wu+OFUlKm6ynpm9hwjTfVXIAxVGQZP0GNzhxWekkB31og/XUHDDSARhfqozor5Og9vznx6t0wtOOzMXt0M6P7w7+kIEfLHSroKgY0D8QlXNmBQf1Aub7j6NjyF8xdQtxMhGmwbQ6AC4H8jUdzRy+zPCck70dA3hSwS9aaxDy+xD4zWAmZAzjAQS2lRbbdxpxh8L97A==
-    client.grafana: AgB2SV+f10heiF3WsurC2+cFZP4d+IvjVE++cDzVRacTcatR2eI7dn23bDYZv8ThLtByI76VWgIIgC3443WeyA1cXFfwUU/yL0sVTUmWqkMLjNosCbW0m6MzIN4nfTwG2QgkeNG9bTpO4KXhteTnNOZ8YYBIfKLeBiePUF22B/SrDu3l9AgBi0myjC2uoYVnXY723x6URbrapS6E5tbQTO9NfEIL1fsNIKOEskepLNfVSo0Np6jhkn4FA8FKkKNbbHr+im2zZkuo4xgfdUY4NEHpe/SYpsng8v2dhhy2/S7FOFZfJLyunCfrz1Y5UFvhNiosLgfcbPaF/+2Z9heYLEnW07suklQAwyhmFhHwukkeO3zdbJNDJMd1KnNfCSU//OQjsAuwwmXmh9Dqz89A/cimtpk4AjbRw9Zj1whrJJCx3WcisLrEJr9KrxNSY8LAzFTTq5k1bipOCpXnov0ZOrOpzgBsrmOToVuqfExD1cPAlm6L11a2H+SGs0271LIzcekhCnCE11mOK88/z6nLSmyYZH4f8TVt9RU8YmNZzfEJr9JCLISsznIILdtroPbCj3ovp2Q4brT5FdsvhAHSiHL8XHvDwbPJF71p0P6u/P/2oAGmbHdr6nltYi7zKiHLe2ATxEm0dozh/0usayTOvl4jyJKsn3HQQrBrGt/fNPRRm3L/vtvBSfhlP6slwRl9NUcrW1Q4QhBPsQWAEf1xBUYGMephez/4wpOUgxpmLnMZlWa2IKKWUP9R6BuP095ts/YKVT6otScXHs7h6sarQEgMELPyISDTmqBFQvX4Hm/M3uLSuyKsC7g+MBbgIYZX+/2IeR5jLN7zIdv9FVFOmwi5ChFD1Gk+QrQz0qLIScwPN61xHQ==
+    client.linkding: AgCUlf4WAphijd9Oy2x+WRZv28o5alDpfF9hiro8y/99jZb79HbODkS+Z48mFRypMmu6nsAp4NJmaM5Tc0kOXCfoqAkcw6AQ+noalSCzGpH+laPYRnvD4ccVbJlePIeQlnQZTipSTcNgoCvocIfi/5sgKFv22VKEyYuOEmZ3VfQ96CIbyitbyApw0JHi5x1kanw2QFE3dmumnNG075zQ/aJYucM4lrpDY8P2YhAbLNaJx5dB7SCeGoVvviDtuZFHskLFIIzV0fjBIhX6b6vfRgT4IQpaBTpEZcQ+tLLrEcL4jAPWzooDmpgCU0l1wg0Xf3FmV8aBpzs9oicvQauLVgKF8ouBMoECjB82sLAuI1pBUbOKOjxCnFTnL6kGbOZm77maddJ837Bd5BOO2spAhUYfQCuPg98ZyiNFSCKzf1XX7mDY1xeV3S6KizpULc1fimKoQL4EImKYWLI7GVnKUGvS2V8WVTQu/ZuPCTfpg+OSO0YOc3eZPqQ5immSK0Azt/PvHcoxiNYHajI7Jy3OvF6Fhv7HN/prHZJZMARRnMTgpPjvp5ZE+xA+F2FURllLtmNF3c3i8s4pM6xi0GSBsYWc03WNIk7aY1oENg4aEufOHnknuX8GiGQqdnKPPUuhiTK4k5iyqk7Lo9ntdu+WJQllUoNe6s9kSRua78wyYb684nKNfAFbyYXUW6oiWD6eYCSgyCj8xAGdBv41/Lz1jpUgSetvoHcDPjh/mDjGWRAgg1hqaIr++DRuFW7mEaXthoGsu3pM6JxVzge/mEfs/DM/vn5GEIFvSGuC3Nn9IGcyqeVWcTtlRh5AfTe1tNlohkYkNr96Fe+j/7MJLWgc59th8FEH2F5ygbPg9ay6c1rGjSYD2Q==
-    client.kitchenowl: AgDDhHuXHy1bEVjoJkEJsqKGUmoVDT1cMYxB02J+pxQ3BrN2YfZDK4CDMCdG9srzSBD7tG9BsZ9Oja/8imV3cjsXGc90hW/L3doSqe583N9TcDayMNX/lYPgZUfA/7rva02fHyO5dKRSUtRHaR2MjqZdmxhG9EgQX0tIrgwoFIjnU3Jj5co0cWwnd68G8CMZn72DRX3rRRmYv2I9KW/FUva2tIViPVtnJ6DcpFt3eMUhBmW/XOJWsea1QtJ1Ab9d1P+Zi47O9X5eNkkQrlIYMAt52VlbfhLDnI/67WA88yI7OTlsvucFYlvakAbZSk4CFfO7X/cg3v8Yxb9cD8S4vMB+sx7r5g6JfL+psaifAmJDQl4CLmzohaxegiHGWj5k+rWJgO6z4wl7jmiEKQkRcqlE724U9/3tF288AItlZcDUX9UifexeP8bJFua7vm9/wZqLg6eF02BNo+oWzFLjNSWBaEkSAjYCqUkqayfIgbYdutB83tB1gR/LKmF1fEIje0q0dap/b0Jrtq6LRSyPDMXiNeZSiRB+/GpoqkHz05I0H6887dEMwOZMhu9v4YLRyhH7FjtjwOSOiw3CaNCTW97IC0Z6EnFoiOJ9gl7TXg9CbpiaRN3Ds3RonL9scspOnMnZ6zez3khQwZCoeDeXOsE5YBYCRJkTkbZzMFoFBpOEhb83IfsLYlTQBF/LHD6FbwwaNHZscZSueMqK/6iq4R9SLeSgaz+/KKTpQ+KZVmGUttv0feNxC37/1jqbQZ7xH8Ykt6/Hvba7JvDRHrxNzgsMYWcZXL9oLDfheHXPpuFYE5KfZzMNDqvdje4+C0aFlEI/Zj+ESCNRobqAFg3UFuUrgtMjbzfpgoMhnPYL9/Xqz2Xh4Q==
+    client.paperless: AgBJXjDVqEubR+5He9KVfmfHV4cH5DLtiLmBil5srrUTTlJpjBtD0OBA0Rj4qpZjrOHal/p0nfGQkgtvOmj5NWbplktEjmX4z7uRT8zjatK6zTjDHW2x2x9T7V0LCBQwkPtboBuxQ6tSc9yQQr15Ru6rT0BgvgDd5rOubnQQjK9AjxUe0VKeW0nGnZI0Zh9zIOiW+Yt6AFzheYgAfF4dsbBe1hTq7N4L2JK147YLI50GqFCL+vGYpz7MxcU3AzDi4eEP1ZmLga79eGvMelUSR4d1l3k6fjFQ8mCPPQ+PkMoWuu8FZ8pT0F+qdb2jB7GCqPedBmuzJNT127mqWMJN929n5j/towZjI9IDd+q3YXlfMEWSY74r8x/GUGSq8mB0/kS+iLyC+p6Rmu/aaW7GNkwZNtcuQkI346JBOnUSa0bT/ElXDNnRxxHGPCNQshrv3wTVoKgN7wxkVVXbX/MdXPE9NqWNRQK42TdROXpjWa/FVklraQ30XPy/SHBENbhXvmqlzrbMWmK9/auBKDB1tmLASUcO4iObOSFPUdQrj+pJ4oQFN1nlyX06i/X8ECENov2jwfpf5tW0sWoYVSPWuZOIOk2wEF3HXnzCtv/f41vMixtqhpWPRvasJ4UejsuatHaYNRj7uD2FjbpYItvT4QA0xepIR97jVWqc6bsN23AFUJIHJ+twOYpNIQJqJ+mx/g6Yzt7YOTM7X2VJO6dKwBhuXx3cRigU4nadZoTELT+Wh8i6n1lA/kD0+A3OuMjwuTrvutDTOHH5RjDwRWRw3m6LohWfdQIVvEkAM0RwwvcC9Yu9W0PH5ZpUGw3zpiqzgydtxTXEwi1IGS2rUKkdhkoShKJ/ODMZjjRxRX0H4zkelPUDGg==
-    client.linkding: AgC3GAgek9/3PvUSx3IEoqrf/kp7o8tMIZvf4cjv/mDOYKkwW5qvLbAHSdOfa+ZgpNNtZLC0jP9qYLJ1ULwZwTqQbq0PdNURag055u7w/dhIc5x/dGlu5p3mNGHWBFdwgZ8z4d1SEl05j1RfaM3OgtNwVBK9uqDLAwB6k3dry8MVLxq42+LeuhqaW3gqrecLDJsMlQtOlcuaz0IsVFPZvpFCVjGpLrw5wp5sEeInw9P6BJov5zNEi3YotoiOGuWmbrcGAcuw+wkql+lAVppQ0qx21XQqzwROu4TT2UmSIGkPC4tTykDR9tVUiikEIdnh9JuFXtDcMBmNMJUHoPVyiB7rMyCGRlkA5DkNp6zAccdJl1/E52TolbpXZC9qygZRCqavkDedEdJaGZVzV01Tv/UZrX8BBl0wljfZ/stweJG4QEuAp7oH4zyty22P21V7nd0EI4NUnVOFkZm0OY5DHF2EJx3fOpUzy4jr/Eys3Qr3mOeqlVAxGFI/kKdmWgZWkiGkQhGboJYshfdxgwZWwZ3csinfVMQqQKUt84OimGTbWhKd01LeeD6tPsB9KYdZt9S70JSY3bh1vRcvuR+hrq4ZBU1GfhGHMJOfs6kqijVHdScGqSFcTvOi3cVq1U3leppDCo8Iq3skJlGXQnrAqlzAf7RiV3vUob/fCe+IWPXppqZHk6ktuAjVp3e9kDigq0MJNsufXELTgTHVpLXxfh5yH9vxVOxPBg5iunRNM+mMm7BGzaJ2WNno+TA3I6v8HUK7LJ36I4ncKY/pYSBPIZ/AgKYHZwnS9fzMuDBV0jMnFkrw0O+2Wsh/Vfaptx4TCaQCYzoY28RbXepnieUrOOQjTevaJVp9/exHnqHRU14easU8Ng==
+    client.recipes: AgCK/GYJr88kUCQ00YtksasTKChbCvSxxaIAa+08Xzgn2eRLmw0quTgqHS5yQrdj6SHNsI+tZifmUkfHXjDSP7SShhg4fe6T+r/AzZmYb6xFwvZGHF5nSmX5Xy94Lla/x0rOOTuk42kV6g6KJYD91VTLOYGMD0IjdZkI2NMFwXN0UIqOZD6SGhKav4WwZRk0GxjFwwW32NZH3+O1aqTCdBYsMzNFAJyur/Wj7ZpeFXZ0fdBHF+gk/RYOhIzGuoUJN9qeh1m/miT032jcapF2/bYGakufAl6gGtA13ssYcXqRZxqrOTHzvIo+/TULlXL5KJxA8cyTj696YsIc2svugvyrvJmHghZ3y1uVU7V7OjxRLTni8pO4boq11TTkiWdkDdSWmXm9lyXrTrHYstHs/KfdOxgshOXNktME0HOFsXdCJCD/dBRd8+Csqb+Xo4hy+m5ROIP1QP0lJeMId+yWL15xEb0CiEBw6LVLhtO3aZ1mYxJBwcjvBTllLhU1y3z8Ah0fOvcOdBx8ncRIn+tmVCgjJXwm5eBIku/74ubvR1avAB/C0qX1zQnWRWvmaE6/k58RlUrQHFWFI9OvJUSNushlUus6roEux7suZ6uhXJFfB8hM8okbIMuNJA99HdA9BHRr0ieoZALbQ5HZf/zFbKhGYYX3HcyExUgv6lxvwxlYJJfXtMPic3p4iPq3f3aLMyco8pDECKvoVlyAgU6RoCp2RDZeJ/bwaL2farGTy3HXHpw0jy6/6dZuQCD457v6a3f+eLBDbubaGXJsGF1msRyChdcc0JU2niKwKd454WJoWBLn3LVIsthtCLT5ZBY3yfttdjLUmocyPcYFy03LA1ogOztKjvXf0FjcofdcpIrfWenV3w==
-    client.paperless: AgAnr9ea5mnC5CyAUoyfdzThsMq+djYbaknoGS50haZOP9KkE3tj8+IU1fIBF+RM5IssgrDTTJlt1O0dbSEQeFZYeVmx70v3sfV89suc9mHAmTaMSMpLfA0T6Q5dzZVjkxuRj6Qc2d8qCdX04rXBBWQDmdAo+29kvdoSiBtYeFg5z3MwhjxqKCPm+Ep6u+6xdYbcxIZgSz+/C2o/Op5vstWUEqBT4RATHouqAOK4He8fgnbeMjM9MzXmR2Jb4X+rovpwsOlH4eyoYBexeSry7eYkOhe3o9S43Hr2QxyRK6lwAF12gU4r86fCq+wKk07TlY4/yf0L90R1xPRTCO5JtAO/jTDxhU7SpzYgdG2DSAXlCT/LIBOfLuUXi7XY+EfRveKpdmPYIVNWF6OM0MjtfQLn9Kgt2onFxwOvb0v0i8P6Ivs4hoy9CnZMsIG3avbNB/8WZ7gaf4WdrtLK0HNfNjSDmfTKsuggkdA8ZuJa+QQfjfPj0ozLz60PAdz8aXV/W84NC0isaJc+KYXcx+FkmNJNyv/Usvo8RvDb6XfzfDjf5LiZ+Ylk6E3gvBGrWstVDi3WJ5dUwIAcfrmFz70Uffkme/w+zxwsaZH4tqayhPxjGALzf6Y9XAa+EkuyfJKfLU5JuHm7jHSsO0fWyflsF7LrjytyFm9CUlVAdbIZmjsoYPlHy/M6QHVGAwtKTUB/QOTT/PphCc2ZOetGZ8kQx13lHBBfMGCO6ihyflUEzGRrTVo3Rd3FqvFRnS/2Vf9S6u03/9qRPS7hK62VtuNxKcGZLka6odoxOKxHk34+mMC1qO0uGLVbM5wYPxBw0Av5L+F13Q4SBa04RJd8OWkspd/T6Yv1PTRGDEUmLZXT0Jv/e2YKPw==
+    client.todos: AgBSbi/vsGzl/L2/BAWefZZNySo9TEHHUlf/ilCgcQcPm53wmd5gFJUyVhjOheN1AUdiLw5UpeITig/A8UID4B/4UOfDeSfwLYUvPgTP/5OxtxjoonWkrR2YGjPmtdBd9WZJVZcjb1YABuXew3SoVfuObw4F8uAn3iojxrScaO7J+vUZSNUE2fbd8kJ0064v/Huoan0PheFbRFqSVcDKVg62byh5LIGVtmcwdcWz1v3aYIRRB04TyyHAlmihv8/N3ppTrz5HR98Q8WHOrORIF4liS1c80swAUeFNFuDHjxbN9yphF3Z7taoBSwSdqNgEWjAr5tnFVRO7A3VmbuMsM5y9ryitbPqPijB1GIqqwLz1Ucn+KF7eK8kdhyZWidrBVWCQ8E2EEQELcJnotZd49M7y505LDsZgl8drqPoXoUW2HdPXcZzNqaGrc1DNhEK1aUHtuE4jBwPNVjEV8D2cQ1mm/rzF1YPyUPQ+TvqXgLvPQx0tZU7vSVBEQDAK+bj3hkgivPPM67iiSt3rrX8Egp53Hg11jzIE1al/Zlfja14broOL9yCc0dUVMpOXrT71t7RjYiPNg8CsK4GM2nopGN4IzMhP/sFzSSlwq5YoDxV/mysAGLRBzL615Gv3QRNAubQocnPj4iOCMvpIZdDuBTmCrUzPEzppwbb+JHnNoFOYQBdJEImLicnsGAiAW4Jzns0kElCpCl7wp9b+GCoqmGpzkg6Vk/LU8UGVDCnhuXmtNA7EbT04jb9SxRXIUl4/fmpzQWAC5HGfoSoO1M4LKp46sS7es2Ts+ggXrGJhAYiDnX/EJxkl4OWzhJ4SFiLVbeqcIIIYslQkz4KP+haPvbjY419zEDDp1P/lBPtJp6Dj81B7xw==
    client.recipes: AgBuQOpnlwK9qgNWTmpO2c9V8IehsbpHUN6UrwWjZrixE2If4/9z5KhdOsV509HMKFzphZLvso0R19HVtU4eKjhtXE62guzRS6aClQzxtgYDUSSdC3nTuBkTn6TL/dZeJjU6G6t9jPZG1nAACSPLlrbSgfcMvtEat4rEssDO6gNw+lS87cJTDzbqxVWsmQ2xDcCqWtuHH6E4nfJa6BvIrJ/1pd0sEij2iWJgciIwg7y/g9yziFtJudfag0EBRpPSxNtdorYxRSYTxKF5VkHuZKenfiRgU1wxz0KcvSjqE/ZPpB4UpSiNQlQnvpI3GUz2XIbaRGdQl0Ak1NEhKs89BXzcE+7tC3A/qY0tJkJRg6ePImKn6NxxJ9MQHpsRk2mW6r317BGLkabsIhqpn5Sw4Xm5MBmvmWVReDyy8rAiCpSXO5tVUrBHT0TX3pxq+TuX5j70G7kJxVyUBsVK6FsjTIOtGsrNEGbv3FhMG8bxRmBt/4XH8OIc0H98acWhor/kEQIHlmnW6tQNuvKT9ukv9H+e9RnPW7D/r+kqf/ZghbssF/Xjo2mbkdpz5aFNuFQwM0SUbVplIwXJqgaYZOznatwH3m37NYe3bcKPIr4b35NnQM9RI4UeLCs3WYRfm8260n7bvKlv98MRTr0P37O4gZ3uf/Dff9UryVaO42VvMF4n68eixOYmSeZ0CrafXYaAmd4eTnKQkBR/KxLb+Gp3PMZm0pZJ8hS5+Rew24EMtxBkT0KvaKBlTePOQtU8WloaWuyCYtgJTCogBn0QZ5nvxFTtICDDSJQ0p2yKbw5Lf3QZhjYqbF/e1uir20+a2Ic0FVU/gjfzW4FI3+wawqKDBpxsa2bAkg/4Au9INGTYV0YMLX0gWg==
    client.todos: AgCbiUqRaoP7jTPPmJvqrzPgOJKY2ffG6MPH64xiZXF7gw3Is0PHFYU2XNxBf0dm9zjnKNIF+pe8tE9/IVyO2cwJdxFrp/fJng/sTXBW+gGKc4I1CEexQYFQyEUFNGKs7jn+3diWs+tXmUyN5SmU8hwuriYg6UxqQmjZCBBEHpCkXAGF3nXGUemmS7EOud/PhnWT8wUhaUTyPt1qDTPpfRx9I2GUpQ+KJUPK5h75m0BGYsCdG9suzC5PjpFoySaUPdh+PbzxPhpV92QEZW43MmUkA/bEMcYQnyUO96SpgsM+JSLOXhvQN5rStmXqxxuW2b6WRiDHdd2RHuMwn3pExwEK8FPoMt58Wo8do6SAasz6icskhdzAE44FhNpMUxUhJRqU0M/ZKIygfq5/oYDYTfimlwD2w9jEhQ7PZSjOAdfhC/u4ISJzsqGpkbwRORfnPuYDR8FJ/W7euF9V904fH/YGrRgd1IQm6pILxAJ8ebeYqmF2DXuxcJKS9ba0t8kl/W2j987/36DZ+jvfolrldgeMOvQBr3WCoeDBhTL1ujiTkPaWVI6w2PcHK57+C97FiAxkDHQnpTs7Nk7/B/aI9/XN333zHWVD+DIYflbfF16wbt4tJ/o3DH5t0NNvg/e9n3YLinvup6LVpeDZXY8E6imKAdDMHJ1EiLFhb1Qe605XPqWKwlGK4EKLmHcsP1/F2C6h3IZruoYpatqa6rwzgbKTtjlCgHSpPd0ndieAEi2RtGTtAqc9kSNzxUK0aMn2rubCZ2YMPsN7rbNGY1v+ow9zLiiVOLkHHXsf35BFP9v+kjA3SsT8xX1Qgx51pAiWdxgmuj/z5Y/nhGAZEc8T7gkhECbrXB4c+MiNRNXh6jR6qPK4Hw==
  template:
    metadata:
      creationTimestamp: null
--- a/infrastructure/authelia/authelia.values.yaml
+++ b/infrastructure/authelia/authelia.values.yaml
@@ -12,7 +12,7 @@ pod:
 ## Authelia Config Map Generator
 ##
 configMap:
-  key: 'configuration.yaml'
+  key: 'configuration.yml'
  # include sub-maps wich OVERRIDE the values generated by the helm chart
  extraConfigs:
    - /secrets/authelia-smtp/smtp.yml
@@ -75,7 +75,11 @@ configMap:
    local:
      enabled: true
-      path: /config/db.sqlite3
+      file: /config/db.sqlite3
  # notifier:
  # notifier is configured via the smtp secret and merged by authelia upon startup
  identity_validation:
@@ -105,7 +109,7 @@ configMap:
      cors:
        allowed_origins_from_client_redirect_uris: true
-
+      
      clients:
        - client_id: 'grafana'
          client_name: 'Grafana'
@@ -122,12 +126,8 @@ configMap:
            - 'profile'
            - 'groups'
            - 'email'
-          response_types:
+          userinfo_signed_response_alg: 'none'
-            - 'code'
+          token_endpoint_auth_method: 'client_secret_post'
          grant_types:
            - 'authorization_code'
          access_token_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'recipes'
          client_name: 'Recipes'
@@ -227,46 +227,6 @@ configMap:
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'kitchenowl'
          client_name: 'KitchenOwl'
          client_secret:
            path: '/secrets/authelia-oidc/client.kitchenowl'
          public: false
          token_endpoint_auth_method: 'client_secret_post'
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://kitchen.kluster.moll.re/signin/redirect'
            - kitchenowl:/signin/redirect
            # mobile app as well
          scopes:
            - openid
            - email
            - profile
        - client_id: 'actualbudget'
          client_name: 'Actual Budget'
          client_secret:
            path: '/secrets/authelia-oidc/client.actualbudget'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: false
          pkce_challenge_method: ''
          redirect_uris:
            - 'https://actualbudget.kluster.moll.re/openid/callback'
          scopes:
            - 'openid'
            - 'profile'
            - 'groups'
            - 'email'
          response_types:
            - 'code'
          grant_types:
            - 'authorization_code'
          access_token_signed_response_alg: 'none'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
  # notifier
  # is set through a secret
 persistence:
--- a/infrastructure/authelia/kustomization.yaml
+++ b/infrastructure/authelia/kustomization.yaml
@@ -27,6 +27,6 @@ images:
 helmCharts:
  - name: authelia
    releaseName: authelia
-    version: 0.10.45
+    version: 0.9.14
    repo: https://charts.authelia.com
    valuesFile: authelia.values.yaml
--- a/infrastructure/external-dns/kustomization.yaml
+++ b/infrastructure/external-dns/kustomization.yaml
@@ -11,8 +11,8 @@ resources:
 images:
  - name: octodns
    newName: octodns/octodns # has all plugins
-    newTag: "2025.07"
+    newTag: "2024.09"
  - name: git
    newName: alpine/git
-    newTag: "v2.49.1"
+    newTag: "v2.47.1"
--- a/infrastructure/gitea/gitea.values.yaml
+++ b/infrastructure/gitea/gitea.values.yaml
@@ -59,8 +59,7 @@ ingress:
 resources:
  limits:
    cpu: 1
-    memory: 5Gi
+    memory: 1Gi
    # high memory should be allowed to handle package uploads
  requests:
    cpu: 100m
    memory: 128Mi
@@ -170,7 +169,5 @@ postgresql:
  enabled: false
 postgresql-ha:
  enabled: false
-valkey:
+redis-cluster:
  enabled: false
 valkey-cluster:
  enabled: false
--- a/infrastructure/gitea/kustomization.yaml
+++ b/infrastructure/gitea/kustomization.yaml
@@ -23,6 +23,6 @@ helmCharts:
  - name: gitea
    namespace: gitea # needs to be set explicitly for svc to be referenced correctly
    releaseName: gitea
-    version: 12.2.0
+    version: 10.6.0
    valuesFile: gitea.values.yaml
    repo: https://dl.gitea.io/charts/
--- a/infrastructure/metallb-system/ipaddresspool.yaml
+++ b/infrastructure/metallb-system/ipaddresspool.yaml
@@ -2,6 +2,7 @@ apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
  name: default
  namespace: metallb-system
 spec:
  addresses:
    - 192.168.3.0/24
@@ -9,8 +10,5 @@ spec:
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
 metadata:
-  name: default
+  name: empty
-# selector is left empty on purpose to match all IPAddressPools
+  namespace: metallb-system
 # spec:
 #   ipAddressPools:
 #   - default
--- a/infrastructure/metallb-system/kustomization.yaml
+++ b/infrastructure/metallb-system/kustomization.yaml
@@ -1,12 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - ipaddresspool.yaml
 namespace: metallb-system
 resources:
  # - namespace.yaml
  # namespace is already included in the remote kustomization
  # - github.com/metallb/metallb/config/native?ref=v0.15.2
  - github.com/metallb/metallb/config/frr?ref=v0.15.2
  - ipaddresspool.yaml
 helmCharts:
  - name: metallb
    repo: https://metallb.github.io/metallb
    version: 0.14.9
    releaseName: metallb
    valuesFile: values.yaml
--- a/infrastructure/metallb-system/namespace.yaml
+++ b/infrastructure/metallb-system/namespace.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: metallb-system
+  name: placeholder
-  # labels:
+  labels:
-    # pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce: privileged 
--- a/infrastructure/monitoring/kustomization.yaml
+++ b/infrastructure/monitoring/kustomization.yaml
@@ -6,28 +6,23 @@ namespace: monitoring
 resources: 
  - namespace.yaml
  # prometheus-operator crds
  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.84.0
  # single prometheus instance with a thanos sidecar
  - prometheus.yaml
  - thanos-store.statefulset.yaml
  - thanos-query.deployment.yaml
  - thanos-objstore-config.sealedsecret.yaml
-
+  # - loki-objstore-config.sealedsecret.yaml
 images:
  - name: thanos
    newName: quay.io/thanos/thanos
-    newTag: v0.39.2
+    newTag: v0.37.2
 helmCharts:
  - name: loki
    releaseName: loki
    repo: https://grafana.github.io/helm-charts
-    version: 6.39.0
+    version: 6.24.0
    valuesFile: loki.values.yaml
-  - name: prometheus-node-exporter
+  - name: prometheus
-    releaseName: prometheus-node-exporter
+    releaseName: prometheus
    repo: https://prometheus-community.github.io/helm-charts
-    version: 4.47.3
+    version: 26.0.1
-    valuesFile: prometheus-node-exporter.values.yaml
+    valuesFile: prometheus.values.yaml
--- a/infrastructure/monitoring/loki.values.yaml
+++ b/infrastructure/monitoring/loki.values.yaml
@@ -30,6 +30,7 @@ loki:
    filesystem:
      chunks_directory: /var/loki/chunks
      rules_directory: /var/loki/rules
      admin_api_directory: /var/loki/admin
 minio:
  enabled: false
--- a/infrastructure/monitoring/prometheus-node-exporter.values.yaml
+++ b/infrastructure/monitoring/prometheus-node-exporter.values.yaml
@@ -1,18 +0,0 @@
 prometheus:
  monitor:
    enabled: true
    jobLabel: "node-exporter"
    selectorOverride:
      app.kubernetes.io/name: prometheus-node-exporter
      app.kubernetes.io/part-of: prometheus-node-exporter
 resources:
  limits:
    cpu: 200m
    memory: 50Mi
  requests:
    cpu: 100m
    memory: 30Mi
--- a/infrastructure/monitoring/prometheus.values.yaml
+++ b/infrastructure/monitoring/prometheus.values.yaml
@@ -0,0 +1,574 @@
 podSecurityPolicy:
  enabled: true
 server:
  extraArgs:
    log.level: debug
    storage.tsdb.min-block-duration: 2h # Don't change this, see docs/components/sidecar.md
    storage.tsdb.max-block-duration: 2h # Don't change this, see docs/components/sidecar.md
  retention: 180d
  service:
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "9090"
  statefulSet:
    enabled: true
  podAnnotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "10902"
  # sidecarContainers:
  #   thanos-sidecar:
  #     image: thanos
  #     resources:
  #       requests:
  #         memory: "512Mi"
  #     env:
  #       - name: GOOGLE_APPLICATION_CREDENTIALS
  #         value: /etc/secret/sa
  #     args:
  #       - "sidecar"
  #       - "--log.level=debug"
  #       - "--tsdb.path=/data/"
  #       - "--prometheus.url=http://127.0.0.1:9090"
  #       - "--objstore.config={type: GCS, config: {bucket: BUCKET_REPLACE_ME}}"
  #       - "--reloader.config-file=/etc/prometheus-config/prometheus.yml"
  #       - "--reloader.config-envsubst-file=/etc/prometheus-shared/prometheus.yml"
  #       - "--reloader.rule-dir=/etc/prometheus-config/rules"
  #     ports:
  #       - name: sidecar-http
  #         containerPort: 10902
  #       - name: grpc
  #         containerPort: 10901
  #       - name: cluster
  #         containerPort: 10900
  #     volumeMounts:
  #       - name: storage-volume
  #         mountPath: /data
  #       - name: thanos-storage-secret
  #         mountPath: /etc/secret
  #       - name: config-volume
  #         mountPath: /etc/prometheus-config
  #         readOnly: false
  #       - name: prometheus-config-shared
  #         mountPath: /etc/prometheus-shared/
  #         readOnly: false
  # # configPath: /etc/prometheus-shared/prometheus.yml
  # replicaCount: 1
  # persistentVolume:
  #   size: 20Gi
  #   storageClass: nfs-client
  # extraVolumes: # spec.template.spec.volumes
  #   - name: prometheus-config-shared
  #     emptyDir: {}
  # extraVolumeMounts: # spec.template.spec.containers.volumeMounts for prometheus container
  #   - name: prometheus-config-shared
  #     mountPath: /etc/prometheus-shared/
  # resources:
  #   requests:
  #     memory: 1Gi
  # global:
  #   scrape_interval: 5s
  #   scrape_timeout: 4s
  #   external_labels:
  #     prometheus_group: KLUSTER
  #     prometheus_replica: '$(HOSTNAME)'
  #   evaluation_interval: 5s
  # extraSecretMounts:
  #   - name: thanos-storage-secret
  #     mountPath: /etc/secret/
  #     subPath: sa
  #     readOnly: false
  #     secretName: thanos-objstore-config
 # as thanos sidecar is taking care of the config reload
 # we can disable the prometheus configmap reload
 configmapReload:
  prometheus:
    enabled: false
 ## Prometheus server ConfigMap entries
 ##
 serverFiles:
  ## Alerts configuration
  ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/
  alerting_rules.yml: {}
  # groups:
  #   - name: Instances
  #     rules:
  #       - alert: InstanceDown
  #         expr: up == 0
  #         for: 5m
  #         labels:
  #           severity: page
  #         annotations:
  #           description: '{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.'
  #           summary: 'Instance {{ $labels.instance }} down'
  ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use alerting_rules.yml
  alerts: {}
  ## Records configuration
  ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/
  recording_rules.yml: {}
  ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use recording_rules.yml
  rules: {}
  prometheus.yml:
    rule_files:
      - /etc/config/recording_rules.yml
      - /etc/config/alerting_rules.yml
    ## Below two files are DEPRECATED will be removed from this default values file
      - /etc/config/rules
      - /etc/config/alerts
    scrape_configs:
      - job_name: prometheus
        static_configs:
          - targets:
            - localhost:9090
      # A scrape configuration for running Prometheus on a Kubernetes cluster.
      # This uses separate scrape configs for cluster components (i.e. API server, node)
      # and services to allow each to use different authentication configs.
      #
      # Kubernetes labels will be added as Prometheus labels on metrics via the
      # `labelmap` relabeling action.
      # Scrape config for API servers.
      #
      # Kubernetes exposes API servers as endpoints to the default/kubernetes
      # service so this uses `endpoints` role and uses relabelling to only keep
      # the endpoints associated with the default/kubernetes service using the
      # default named port `https`. This works for single API server deployments as
      # well as HA API server deployments.
      - job_name: 'kubernetes-apiservers'
        kubernetes_sd_configs:
          - role: endpoints
        # Default to scraping over https. If required, just disable this or change to
        # `http`.
        scheme: https
        # This TLS & bearer token file config is used to connect to the actual scrape
        # endpoints for cluster components. This is separate to discovery auth
        # configuration because discovery & scraping are two separate concerns in
        # Prometheus. The discovery auth config is automatic if Prometheus runs inside
        # the cluster. Otherwise, more config options have to be provided within the
        # <kubernetes_sd_config>.
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
          # If your node certificates are self-signed or use a different CA to the
          # master CA, then disable certificate verification below. Note that
          # certificate verification is an integral part of a secure infrastructure
          # so this should only be disabled in a controlled environment. You can
          # disable certificate verification by uncommenting the line below.
          #
          insecure_skip_verify: true
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        # Keep only the default/kubernetes service endpoints for the https port. This
        # will add targets for each API server which Kubernetes adds an endpoint to
        # the default/kubernetes service.
        relabel_configs:
          - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: default;kubernetes;https
      - job_name: 'kubernetes-nodes'
        # Default to scraping over https. If required, just disable this or change to
        # `http`.
        scheme: https
        # This TLS & bearer token file config is used to connect to the actual scrape
        # endpoints for cluster components. This is separate to discovery auth
        # configuration because discovery & scraping are two separate concerns in
        # Prometheus. The discovery auth config is automatic if Prometheus runs inside
        # the cluster. Otherwise, more config options have to be provided within the
        # <kubernetes_sd_config>.
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
          # If your node certificates are self-signed or use a different CA to the
          # master CA, then disable certificate verification below. Note that
          # certificate verification is an integral part of a secure infrastructure
          # so this should only be disabled in a controlled environment. You can
          # disable certificate verification by uncommenting the line below.
          #
          insecure_skip_verify: true
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        kubernetes_sd_configs:
          - role: node
        relabel_configs:
          - action: labelmap
            regex: __meta_kubernetes_node_label_(.+)
          - target_label: __address__
            replacement: kubernetes.default.svc:443
          - source_labels: [__meta_kubernetes_node_name]
            regex: (.+)
            target_label: __metrics_path__
            replacement: /api/v1/nodes/$1/proxy/metrics
      - job_name: 'kubernetes-nodes-cadvisor'
        # Default to scraping over https. If required, just disable this or change to
        # `http`.
        scheme: https
        # This TLS & bearer token file config is used to connect to the actual scrape
        # endpoints for cluster components. This is separate to discovery auth
        # configuration because discovery & scraping are two separate concerns in
        # Prometheus. The discovery auth config is automatic if Prometheus runs inside
        # the cluster. Otherwise, more config options have to be provided within the
        # <kubernetes_sd_config>.
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
          # If your node certificates are self-signed or use a different CA to the
          # master CA, then disable certificate verification below. Note that
          # certificate verification is an integral part of a secure infrastructure
          # so this should only be disabled in a controlled environment. You can
          # disable certificate verification by uncommenting the line below.
          #
          insecure_skip_verify: true
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        kubernetes_sd_configs:
          - role: node
        # This configuration will work only on kubelet 1.7.3+
        # As the scrape endpoints for cAdvisor have changed
        # if you are using older version you need to change the replacement to
        # replacement: /api/v1/nodes/$1:4194/proxy/metrics
        # more info here https://github.com/coreos/prometheus-operator/issues/633
        relabel_configs:
          - action: labelmap
            regex: __meta_kubernetes_node_label_(.+)
          - target_label: __address__
            replacement: kubernetes.default.svc:443
          - source_labels: [__meta_kubernetes_node_name]
            regex: (.+)
            target_label: __metrics_path__
            replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
        # Metric relabel configs to apply to samples before ingestion.
        # [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
        # metric_relabel_configs:
        # - action: labeldrop
        #   regex: (kubernetes_io_hostname|failure_domain_beta_kubernetes_io_region|beta_kubernetes_io_os|beta_kubernetes_io_arch|beta_kubernetes_io_instance_type|failure_domain_beta_kubernetes_io_zone)
      # Scrape config for service endpoints.
      #
      # The relabeling allows the actual service scrape endpoint to be configured
      # via the following annotations:
      #
      # * `prometheus.io/scrape`: Only scrape services that have a value of
      # `true`, except if `prometheus.io/scrape-slow` is set to `true` as well.
      # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
      # to set this to `https` & most likely set the `tls_config` of the scrape config.
      # * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
      # * `prometheus.io/port`: If the metrics are exposed on a different port to the
      # service then set this appropriately.
      # * `prometheus.io/param_<parameter>`: If the metrics endpoint uses parameters
      # then you can set any parameter
      - job_name: 'kubernetes-service-endpoints'
        honor_labels: true
        kubernetes_sd_configs:
          - role: endpoints
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
            action: keep
            regex: true
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow]
            action: drop
            regex: true
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
            action: replace
            target_label: __scheme__
            regex: (https?)
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
            action: replace
            target_label: __address__
            regex: (.+?)(?::\d+)?;(\d+)
            replacement: $1:$2
          - action: labelmap
            regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+)
            replacement: __param_$1
          - action: labelmap
            regex: __meta_kubernetes_service_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_service_name]
            action: replace
            target_label: service
          - source_labels: [__meta_kubernetes_pod_node_name]
            action: replace
            target_label: node
      # Scrape config for slow service endpoints; same as above, but with a larger
      # timeout and a larger interval
      #
      # The relabeling allows the actual service scrape endpoint to be configured
      # via the following annotations:
      #
      # * `prometheus.io/scrape-slow`: Only scrape services that have a value of `true`
      # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
      # to set this to `https` & most likely set the `tls_config` of the scrape config.
      # * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
      # * `prometheus.io/port`: If the metrics are exposed on a different port to the
      # service then set this appropriately.
      # * `prometheus.io/param_<parameter>`: If the metrics endpoint uses parameters
      # then you can set any parameter
      - job_name: 'kubernetes-service-endpoints-slow'
        honor_labels: true
        scrape_interval: 5m
        scrape_timeout: 30s
        kubernetes_sd_configs:
          - role: endpoints
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow]
            action: keep
            regex: true
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
            action: replace
            target_label: __scheme__
            regex: (https?)
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
            action: replace
            target_label: __address__
            regex: (.+?)(?::\d+)?;(\d+)
            replacement: $1:$2
          - action: labelmap
            regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+)
            replacement: __param_$1
          - action: labelmap
            regex: __meta_kubernetes_service_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_service_name]
            action: replace
            target_label: service
          - source_labels: [__meta_kubernetes_pod_node_name]
            action: replace
            target_label: node
      - job_name: 'prometheus-pushgateway'
        honor_labels: true
        kubernetes_sd_configs:
          - role: service
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe]
            action: keep
            regex: pushgateway
      # Example scrape config for probing services via the Blackbox Exporter.
      #
      # The relabeling allows the actual service scrape endpoint to be configured
      # via the following annotations:
      #
      # * `prometheus.io/probe`: Only probe services that have a value of `true`
      - job_name: 'kubernetes-services'
        honor_labels: true
        metrics_path: /probe
        params:
          module: [http_2xx]
        kubernetes_sd_configs:
          - role: service
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe]
            action: keep
            regex: true
          - source_labels: [__address__]
            target_label: __param_target
          - target_label: __address__
            replacement: blackbox
          - source_labels: [__param_target]
            target_label: instance
          - action: labelmap
            regex: __meta_kubernetes_service_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            target_label: namespace
          - source_labels: [__meta_kubernetes_service_name]
            target_label: service
      # Example scrape config for pods
      #
      # The relabeling allows the actual pod scrape endpoint to be configured via the
      # following annotations:
      #
      # * `prometheus.io/scrape`: Only scrape pods that have a value of `true`,
      # except if `prometheus.io/scrape-slow` is set to `true` as well.
      # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
      # to set this to `https` & most likely set the `tls_config` of the scrape config.
      # * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
      # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`.
      - job_name: 'kubernetes-pods'
        honor_labels: true
        kubernetes_sd_configs:
          - role: pod
        relabel_configs:
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
            action: keep
            regex: true
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow]
            action: drop
            regex: true
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
            action: replace
            regex: (https?)
            target_label: __scheme__
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip]
            action: replace
            regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})
            replacement: '[$2]:$1'
            target_label: __address__
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip]
            action: replace
            regex: (\d+);((([0-9]+?)(\.|$)){4})
            replacement: $2:$1
            target_label: __address__
          - action: labelmap
            regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+)
            replacement: __param_$1
          - action: labelmap
            regex: __meta_kubernetes_pod_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_pod_name]
            action: replace
            target_label: pod
          - source_labels: [__meta_kubernetes_pod_phase]
            regex: Pending|Succeeded|Failed|Completed
            action: drop
          - source_labels: [__meta_kubernetes_pod_node_name]
            action: replace
            target_label: node
      # Example Scrape config for pods which should be scraped slower. An useful example
      # would be stackriver-exporter which queries an API on every scrape of the pod
      #
      # The relabeling allows the actual pod scrape endpoint to be configured via the
      # following annotations:
      #
      # * `prometheus.io/scrape-slow`: Only scrape pods that have a value of `true`
      # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
      # to set this to `https` & most likely set the `tls_config` of the scrape config.
      # * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
      # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`.
      - job_name: 'kubernetes-pods-slow'
        honor_labels: true
        scrape_interval: 5m
        scrape_timeout: 30s
        kubernetes_sd_configs:
          - role: pod
        relabel_configs:
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow]
            action: keep
            regex: true
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
            action: replace
            regex: (https?)
            target_label: __scheme__
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip]
            action: replace
            regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})
            replacement: '[$2]:$1'
            target_label: __address__
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip]
            action: replace
            regex: (\d+);((([0-9]+?)(\.|$)){4})
            replacement: $2:$1
            target_label: __address__
          - action: labelmap
            regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+)
            replacement: __param_$1
          - action: labelmap
            regex: __meta_kubernetes_pod_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_pod_name]
            action: replace
            target_label: pod
          - source_labels: [__meta_kubernetes_pod_phase]
            regex: Pending|Succeeded|Failed|Completed
            action: drop
          - source_labels: [__meta_kubernetes_pod_node_name]
            action: replace
            target_label: node
 # Configuration of subcharts defined in Chart.yaml
 ## alertmanager sub-chart configurable values
 ## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/alertmanager
 ##
 alertmanager:
  enabled: false
 ## kube-state-metrics sub-chart configurable values
 ## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics
 ##
 kube-state-metrics:
  ## If false, kube-state-metrics sub-chart will not be installed
  ##
  enabled: true
 ## prometheus-node-exporter sub-chart configurable values
 ## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-node-exporter
 ##
 prometheus-node-exporter:
  ## If false, node-exporter will not be installed
  ##
  enabled: true
  rbac:
    pspEnabled: false
  containerSecurityContext:
    allowPrivilegeEscalation: false
 ## prometheus-pushgateway sub-chart configurable values
 ## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-pushgateway
 ##
 prometheus-pushgateway:
  ## If false, pushgateway will not be installed
  ##
  enabled: false
--- a/infrastructure/monitoring/prometheus.yaml
+++ b/infrastructure/monitoring/prometheus.yaml
@@ -1,78 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: prometheus
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: prometheus
 rules:
 - apiGroups: [""]
  resources:
  - nodes
  - nodes/metrics
  - services
  - endpoints
  - pods
  verbs: ["get", "list", "watch"]
 - apiGroups: [""]
  resources:
  - configmaps
  verbs: ["get"]
 - apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs: ["get", "list", "watch"]
 - nonResourceURLs: ["/metrics"]
  verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: prometheus
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus
 subjects:
 - kind: ServiceAccount
  name: prometheus
  namespace: monitoring # needs to be the same as in the kustomization.yaml
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: Prometheus
 metadata:
  name: prometheus
 spec:
  securityContext:
    runAsUser: 65534 # same as the thanos sidecar
  resources:
    requests:
      memory: 400Mi
  retention: 730d
  retentionSize: 3GiB
  serviceAccountName: prometheus
  enableAdminAPI: false
  serviceMonitorNamespaceSelector: {}
  serviceMonitorSelector: {}
  thanos:
    version: v0.34.1
    objectStorageConfig:
      # loads the config from a secret named thanos-objstore-config in the same namespace
      key: thanos.yaml
      name: thanos-objstore-config
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: prometheus
 spec:
  type: ClusterIP
  ports:
  - port: 9090
    targetPort: 9090
    protocol: TCP
  selector:
    prometheus: prometheus
--- a/infrastructure/monitoring/thanos-query.deployment.yaml
+++ b/infrastructure/monitoring/thanos-query.deployment.yaml
@@ -1,55 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: thanos-querier
  labels:
    app: thanos-querier
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: thanos-querier
  template:
    metadata:
      labels:
        app: thanos-querier
    spec:
      containers:
      - name: thanos
        image: thanos
        args:
        - query
        - --log.level=debug
        - --query.replica-label=replica
        - --endpoint=dnssrv+_grpc._tcp.thanos-store:10901
        - --endpoint=dnssrv+_grpc._tcp.prometheus:9090
        ports:
        - name: http
          containerPort: 10902
        - name: grpc
          containerPort: 10901
        livenessProbe:
          httpGet:
            port: http
            path: /-/healthy
        readinessProbe:
          httpGet:
            port: http
            path: /-/ready
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: thanos-querier
 spec:
  selector:
    app: thanos-querier
  ports:
    - name: http
      protocol: TCP
      port: 10902
      targetPort: http
    - name: grpc
      protocol: TCP
      port: 10901
      targetPort: grpc
--- a/infrastructure/monitoring/thanos-store.statefulset.yaml
+++ b/infrastructure/monitoring/thanos-store.statefulset.yaml
@@ -1,71 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: thanos-store
  labels:
    app: thanos-store
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: thanos-store
  template:
    metadata:
      labels:
        app: thanos-store
        thanos-store-api: "true"
    spec:
      containers:
        - name: thanos
          image: thanos
          args:
          - store
          - --log.level=debug
          - --data-dir=/data
          - --grpc-address=0.0.0.0:10901
          - --http-address=0.0.0.0:10902
          - --objstore.config-file=/etc/secret/thanos.yaml
          - --index-cache-size=500MB
          - --chunk-pool-size=500MB
          ports:
          - name: http
            containerPort: 10902
          - name: grpc
            containerPort: 10901
          livenessProbe:
            httpGet:
              port: 10902
              path: /-/healthy
          readinessProbe:
            httpGet:
              port: 10902
              path: /-/ready
          volumeMounts:
            - name: thanos-objstore-config
              mountPath: /etc/secret
              readOnly: true
            - name: thanos-data
              mountPath: /data
      volumes:
        - name: thanos-objstore-config
          secret:
            secretName: thanos-objstore-config
        - name: thanos-data
          emptyDir: {}
 ---
 apiVersion: v1
 kind: Service
 metadata:
  labels:
    app.kubernetes.io/name: thanos-store
  name: thanos-store
 spec:
  ports:
  - name: grpc
    port: 10901
    targetPort: 10901
  - name: http
    port: 10902
    targetPort: 10902
  selector:
    app: thanos-store
--- a/infrastructure/pg-ha/kustomization.yaml
+++ b/infrastructure/pg-ha/kustomization.yaml
@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
  - name: cloudnative-pg
    releaseName: pg-controller
-    version: 0.24.0
+    version: 0.23.0
    valuesFile: values.yaml
    repo: https://cloudnative-pg.io/charts/
--- a/infrastructure/renovate/cronjob.yaml
+++ b/infrastructure/renovate/cronjob.yaml
@@ -3,7 +3,7 @@ kind: CronJob
 metadata:
  name: renovate
 spec:
-  schedule: '0 */2 * * *'
+  schedule: '0,30 * * * *'
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
--- a/infrastructure/renovate/kustomization.yaml
+++ b/infrastructure/renovate/kustomization.yaml
@@ -11,4 +11,4 @@ resources:
 images:
  - name: renovate/renovate
    newName: renovate/renovate
-    newTag: "41"
+    newTag: "39"
--- a/infrastructure/sealedsecrets/kustomization.yaml
+++ b/infrastructure/sealedsecrets/kustomization.yaml
@@ -9,4 +9,4 @@ resources:
 images:
  - name: controller
    newName: docker.io/bitnami/sealed-secrets-controller
-    newTag: 0.31.0
+    newTag: 0.27.3
--- a/infrastructure/traefik-system/configmap.yaml
+++ b/infrastructure/traefik-system/configmap.yaml
@@ -5,15 +5,15 @@ metadata:
 data:
  traefik.toml: |
    [ping]
-
+    
    [global]
      checkNewVersion = false
      # renovate does that
      sendAnonymousUsage = false
-
+    
    [log]
      level = "INFO"
-
+    
    [accessLog]
      [accessLog.fields]
        defaultMode = "keep"
@@ -41,17 +41,17 @@ data:
      dashboard = true
      insecure = true
      debug = false
-
+ 
    [providers]
      [providers.kubernetesCRD]
        allowCrossNamespace = true
      [providers.kubernetesIngress]
        allowExternalNameServices = true
-        ingressClass = "traefik"
+        ingressClass = "traefik"    
    [serversTransport]
      insecureSkipVerify = true
-
+ 
    [entryPoints]
      [entryPoints.web]
        address = ":8000"
@@ -66,13 +66,13 @@ data:
        [entryPoints.websecure.forwardedHeaders]
          insecure = true
          # forward ip headers no matter where they come from
-
+      
      [entryPoints.metrics]
        address = ":9100"
-
+      
      [entryPoints.traefik]
-        address = ":8080"
+        address = ":9000"
-
+      
      [entryPoints.dnsovertls]
        address = ":8853"
        # route dns over https to other pods but provide own certificate
--- a/infrastructure/traefik-system/kustomization.yaml
+++ b/infrastructure/traefik-system/kustomization.yaml
@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
  - name: traefik
    releaseName: traefik
-    version: 37.1.1
+    version: 33.2.1
    valuesFile: values.yaml
    repo: https://traefik.github.io/charts
--- a/infrastructure/traefik-system/values.yaml
+++ b/infrastructure/traefik-system/values.yaml
@@ -23,7 +23,8 @@ ingressClass:
  # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
  enabled: true
  isDefaultClass: true
-
+  # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
  fallbackApiVersion: ""
 # Activate Pilot integration
 pilot:
@@ -66,11 +67,10 @@ providers:
  kubernetesIngress:
    enabled: true
    allowExternalNameServices: true
-    # Ingresses missing the annotation, having an empty value, or the value traefik are processed by default.
+    ingressClass: traefik
    # ingressClass: traefik
    # labelSelector: environment=production,method=traefik
-
+  
 # Additional volumeMounts to add to the Traefik container
 additionalVolumeMounts:
--- a/kluster-deployments/kitchenowl/application.yaml
+++ b/kluster-deployments/kitchenowl/application.yaml
@@ -1,18 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: kitchenowl-application
  namespace: argocd
 spec:
  project: apps
  source:
    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
    targetRevision: main
    path: apps/kitchenowl/
  destination:
    server: https://kubernetes.default.svc
    namespace: kitchenowl
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
--- a/kluster-deployments/kitchenowl/kustomization.yaml
+++ b/kluster-deployments/kitchenowl/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - application.yaml
--- a/kluster-deployments/kustomization.yaml
+++ b/kluster-deployments/kustomization.yaml
@@ -29,18 +29,16 @@ resources:
  - eth-physics/
  - files/
  - finance/
  - grafana/
  - homeassistant/
  - immich/
  - journal/
  - kitchenowl/
  - linkding/
  - media/
  - minecraft/application.yaml
  - grafana/
  - ntfy/
  - paperless/
  - recipes/
  - rss/
  - stump/
  - todos/
  - whoami/
  - todos/
--- a/kluster-deployments/monitoring/application.yaml
+++ b/kluster-deployments/monitoring/application.yaml
@@ -17,6 +17,3 @@ spec:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - Replace=true
      # because the prometheus-operator CRDs are too large
--- a/kluster-deployments/stump/application.yaml
+++ b/kluster-deployments/stump/application.yaml
@@ -1,18 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: stump-application
 spec:
  project: apps
  destination:
    server: https://kubernetes.default.svc
    namespace: stump
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
  sources:
    - repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
      targetRevision: main
      path: apps/stump
--- a/kluster-deployments/stump/kustomization.yaml
+++ b/kluster-deployments/stump/kustomization.yaml
@@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - application.yaml
--- a/renovate.json
+++ b/renovate.json
@@ -1,14 +1,4 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "dependencyDashboard": true,
+  "dependencyDashboard": true
  "extends": [
    "local>remoll/k3s-infra//apps/immich/renovate.json"
  ],
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "ignoreTests": true
    }
  ]
 }