fix: correct typo in PAPERLESS_URL environment variable

Reviewed-on: #316

.gitea/workflows/kubeconform.yml

@@ -0,0 +1,85 @@
+name: Validate Kubernetes Manifests
+
+on:
+  push:
+    paths:
+      - '**.yml'
+      - '**.yaml'
+      - '!.gitea/workflows/**'
+      - '!clusters/default/system-upgrade/crd.yml'
+
+jobs:
+  kubeconform:
+    runs-on: ubuntu-latest
+    container:
+      image: gitea.akshun-lab.cc/aggarwalakshun/kube-tools:1.1.0
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v47
+        with:
+          files: |
+            **.yml
+            **.yaml
+            !.gitea/workflows/**
+            !clusters/default/system-upgrade/crd.yml
+
+      - name: Validate Manifests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        env:
+          ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+        shell: bash
+        run: |
+          set -o pipefail
+
+          declare -A SCHEMA_MAP=(
+            ["HelmRelease"]="helm.toolkit.fluxcd.io/helmrelease_v2.json"
+            ["HelmRepository"]="source.toolkit.fluxcd.io/helmrepository_v1.json"
+            ["L2Advertisement"]="metallb.io/l2advertisement_v1beta1.json"
+            ["IPAddressPool"]="metallb.io/ipaddresspool_v1beta1.json"
+            ["SealedSecret"]="bitnami.com/sealedsecret_v1alpha1.json"
+            ["ClusterPolicy"]="nvidia.com/clusterpolicy_v1.json"
+            ["Plan"]="upgrade.cattle.io/plan_v1.json"
+          )
+
+          EXIT_CODE=0
+
+          for file in ${ALL_CHANGED_FILES}; do
+            [ -z "$file" ] && continue
+            echo "=== Validating: $file ==="
+
+            yq e -o=json '. as $item ireduce ([]; . + [$item])' "$file" | \
+              jq -c '.[] | select(.kind != null)' | \
+              while read -r manifest; do
+                KIND=$(echo "$manifest" | jq -r '.kind // ""')
+
+                if [[ -n "$KIND" && -n "${SCHEMA_MAP[$KIND]}" ]]; then
+                  echo "Found $KIND - using custom schema"
+                  SCHEMA_URL="https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/${SCHEMA_MAP[$KIND]}"
+
+                  if ! echo "$manifest" | kubeconform \
+                      -schema-location "$SCHEMA_URL" \
+                      -output json \
+                      -; then
+                    EXIT_CODE=1
+                  fi
+                else
+                  echo "Validating with default schemas"
+                  if ! echo "$manifest" | kubeconform \
+                      -schema-location default \
+                      -output json \
+                      -; then
+                    EXIT_CODE=1
+                  fi
+                fi
+              done
+
+            echo ""
+          done
+
+          exit $EXIT_CODE

.gitea/workflows/renovate.yml

@@ -9,11 +9,11 @@ jobs:
   renovate:
     runs-on: ubuntu-latest
     container:
-      image: renovate/renovate:41.165.2
+      image: renovate/renovate:42.64.1
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Run Renovate
         env:

.gitignore

@@ -0,0 +1,2 @@
+/tmp-pod.yml
+/Dockerfile

clusters/default/arr-stack/jellyseerr/jellyseerr.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       initContainers:
       - name: gluetun
-        image: qmcgaw/gluetun:v3.40.3
+        image: qmcgaw/gluetun:v3.41.0
         restartPolicy: Always
         securityContext:
           capabilities:

clusters/default/arr-stack/prowlarr/prowlarr.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       initContainers:
       - name: gluetun
-        image: qmcgaw/gluetun:v3.40.3
+        image: qmcgaw/gluetun:v3.41.0
         restartPolicy: Always
         securityContext:
           capabilities:

clusters/default/arr-stack/qbittorrent/qbittorrent-svc.yml

@@ -12,5 +12,5 @@ spec:
   selector:
     app: qbittorrent
   ports:
-  - port: 8080
+  - port: 7070
-    targetPort: 8080
+    targetPort: 7070

clusters/default/arr-stack/qbittorrent/qbittorrent.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       initContainers:
       - name: gluetun
-        image: qmcgaw/gluetun:v3.40.3
+        image: qmcgaw/gluetun:v3.41.0
         restartPolicy: Always
         securityContext:
           capabilities:
@@ -40,9 +40,7 @@ spec:
               key: OPENVPN_USER
       containers:
       - name: qbittorrent
-        image: linuxserver/qbittorrent:5.1.2
+        image: linuxserver/qbittorrent:5.1.4
-        ports:
-        - containerPort: 8080
         env:
         - name: PUID
           value: "1000"
@@ -50,6 +48,8 @@ spec:
           value: "1000"
         - name: TZ
           value: "Asia/Kolkata"
+        - name: WEBUI_PORT
+          value: "7070"
         volumeMounts:
         - name: downloads
           mountPath: /downloads

clusters/default/arr-stack/sabnzbd/sabnzbd-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: sabnzbd-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn

clusters/default/arr-stack/sabnzbd/sabnzbd-svc.yml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: sabnzbd-service
+  namespace: arr-stack
+  annotations:
+    metallb.io/allow-shared-ip: "shared-ip-1"
+spec:
+  loadBalancerIP: 192.168.1.230
+  type: LoadBalancer
+  selector:
+    app: sabnzbd
+  ports:
+  - port: 8080
+    targetPort: 8080

clusters/default/arr-stack/sabnzbd/sabnzbd.yml

@@ -0,0 +1,40 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sabnzbd
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: sabnzbd
+  template:
+    metadata:
+      labels:
+        app: sabnzbd
+    spec:
+      containers:
+      - name: sabnzbd
+        image: lscr.io/linuxserver/sabnzbd:4.5.5
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Asia/Kolkata"
+        volumeMounts:
+        - name: sabnzbd-config
+          mountPath: /config
+        - name: downloads
+          mountPath: /downloads
+      volumes:
+      - name: sabnzbd-config
+        persistentVolumeClaim:
+          claimName: sabnzbd-longhorn
+      - name: downloads
+        nfs:
+          server: 10.0.0.123
+          path: /merge/downloads

clusters/default/flux-system/gotk-components.yaml

@@ -1,6 +1,6 @@
 ---
 # This manifest was generated by flux. DO NOT EDIT.
-# Flux Version: v2.7.3
+# Flux Version: v2.7.5
 # Components: source-controller,kustomize-controller,helm-controller,notification-controller
 apiVersion: v1
 kind: Namespace
@@ -8,7 +8,7 @@ metadata:
   labels:
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
     pod-security.kubernetes.io/warn: restricted
     pod-security.kubernetes.io/warn-version: latest
   name: flux-system
@@ -19,7 +19,7 @@ metadata:
   labels:
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: allow-egress
   namespace: flux-system
 spec:
@@ -39,7 +39,7 @@ metadata:
   labels:
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: allow-scraping
   namespace: flux-system
 spec:
@@ -59,7 +59,7 @@ metadata:
   labels:
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: allow-webhooks
   namespace: flux-system
 spec:
@@ -78,7 +78,7 @@ metadata:
   labels:
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: critical-pods-flux-system
   namespace: flux-system
 spec:
@@ -98,7 +98,7 @@ metadata:
   labels:
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: crd-controller-flux-system
 rules:
 - apiGroups:
@@ -204,7 +204,7 @@ metadata:
   labels:
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: flux-edit-flux-system
@@ -212,6 +212,7 @@ rules:
 - apiGroups:
   - notification.toolkit.fluxcd.io
   - source.toolkit.fluxcd.io
+  - source.extensions.fluxcd.io
   - helm.toolkit.fluxcd.io
   - image.toolkit.fluxcd.io
   - kustomize.toolkit.fluxcd.io
@@ -230,7 +231,7 @@ metadata:
   labels:
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
@@ -239,6 +240,7 @@ rules:
 - apiGroups:
   - notification.toolkit.fluxcd.io
   - source.toolkit.fluxcd.io
+  - source.extensions.fluxcd.io
   - helm.toolkit.fluxcd.io
   - image.toolkit.fluxcd.io
   - kustomize.toolkit.fluxcd.io
@@ -255,7 +257,7 @@ metadata:
   labels:
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: cluster-reconciler-flux-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -275,7 +277,7 @@ metadata:
   labels:
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: crd-controller-flux-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -313,7 +315,7 @@ metadata:
     app.kubernetes.io/component: source-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: buckets.source.toolkit.fluxcd.io
 spec:
   group: source.toolkit.fluxcd.io
@@ -1084,7 +1086,7 @@ metadata:
     app.kubernetes.io/component: source-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: externalartifacts.source.toolkit.fluxcd.io
 spec:
   group: source.toolkit.fluxcd.io
@@ -1280,7 +1282,7 @@ metadata:
     app.kubernetes.io/component: source-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: gitrepositories.source.toolkit.fluxcd.io
 spec:
   group: source.toolkit.fluxcd.io
@@ -2234,7 +2236,7 @@ metadata:
     app.kubernetes.io/component: source-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: helmcharts.source.toolkit.fluxcd.io
 spec:
   group: source.toolkit.fluxcd.io
@@ -2960,7 +2962,7 @@ metadata:
     app.kubernetes.io/component: source-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: helmrepositories.source.toolkit.fluxcd.io
 spec:
   group: source.toolkit.fluxcd.io
@@ -3591,7 +3593,7 @@ metadata:
     app.kubernetes.io/component: source-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: ocirepositories.source.toolkit.fluxcd.io
 spec:
   group: source.toolkit.fluxcd.io
@@ -4417,7 +4419,7 @@ metadata:
     app.kubernetes.io/component: source-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: source-controller
   namespace: flux-system
 ---
@@ -4428,7 +4430,7 @@ metadata:
     app.kubernetes.io/component: source-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
     control-plane: controller
   name: source-controller
   namespace: flux-system
@@ -4449,7 +4451,7 @@ metadata:
     app.kubernetes.io/component: source-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
     control-plane: controller
   name: source-controller
   namespace: flux-system
@@ -4470,7 +4472,7 @@ spec:
         app.kubernetes.io/component: source-controller
         app.kubernetes.io/instance: flux-system
         app.kubernetes.io/part-of: flux
-        app.kubernetes.io/version: v2.7.3
+        app.kubernetes.io/version: v2.7.5
     spec:
       containers:
       - args:
@@ -4493,7 +4495,7 @@ spec:
             resourceFieldRef:
               containerName: manager
               resource: limits.memory
-        image: ghcr.io/fluxcd/source-controller:v1.7.3
+        image: ghcr.io/fluxcd/source-controller:v1.7.4
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:
@@ -4557,7 +4559,7 @@ metadata:
     app.kubernetes.io/component: kustomize-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: kustomizations.kustomize.toolkit.fluxcd.io
 spec:
   group: kustomize.toolkit.fluxcd.io
@@ -5927,7 +5929,7 @@ metadata:
     app.kubernetes.io/component: kustomize-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: kustomize-controller
   namespace: flux-system
 ---
@@ -5938,7 +5940,7 @@ metadata:
     app.kubernetes.io/component: kustomize-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
     control-plane: controller
   name: kustomize-controller
   namespace: flux-system
@@ -5957,7 +5959,7 @@ spec:
         app.kubernetes.io/component: kustomize-controller
         app.kubernetes.io/instance: flux-system
         app.kubernetes.io/part-of: flux
-        app.kubernetes.io/version: v2.7.3
+        app.kubernetes.io/version: v2.7.5
     spec:
       containers:
       - args:
@@ -5976,7 +5978,7 @@ spec:
             resourceFieldRef:
               containerName: manager
               resource: limits.memory
-        image: ghcr.io/fluxcd/kustomize-controller:v1.7.2
+        image: ghcr.io/fluxcd/kustomize-controller:v1.7.3
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:
@@ -6033,7 +6035,7 @@ metadata:
     app.kubernetes.io/component: helm-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: helmreleases.helm.toolkit.fluxcd.io
 spec:
   group: helm.toolkit.fluxcd.io
@@ -8664,7 +8666,7 @@ metadata:
     app.kubernetes.io/component: helm-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: helm-controller
   namespace: flux-system
 ---
@@ -8675,7 +8677,7 @@ metadata:
     app.kubernetes.io/component: helm-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
     control-plane: controller
   name: helm-controller
   namespace: flux-system
@@ -8694,7 +8696,7 @@ spec:
         app.kubernetes.io/component: helm-controller
         app.kubernetes.io/instance: flux-system
         app.kubernetes.io/part-of: flux
-        app.kubernetes.io/version: v2.7.3
+        app.kubernetes.io/version: v2.7.5
     spec:
       containers:
       - args:
@@ -8713,7 +8715,7 @@ spec:
             resourceFieldRef:
               containerName: manager
               resource: limits.memory
-        image: ghcr.io/fluxcd/helm-controller:v1.4.3
+        image: ghcr.io/fluxcd/helm-controller:v1.4.5
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:
@@ -8770,7 +8772,7 @@ metadata:
     app.kubernetes.io/component: notification-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: alerts.notification.toolkit.fluxcd.io
 spec:
   group: notification.toolkit.fluxcd.io
@@ -9160,7 +9162,7 @@ metadata:
     app.kubernetes.io/component: notification-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: providers.notification.toolkit.fluxcd.io
 spec:
   group: notification.toolkit.fluxcd.io
@@ -9572,7 +9574,7 @@ metadata:
     app.kubernetes.io/component: notification-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: receivers.notification.toolkit.fluxcd.io
 spec:
   group: notification.toolkit.fluxcd.io
@@ -10049,7 +10051,7 @@ metadata:
     app.kubernetes.io/component: notification-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
   name: notification-controller
   namespace: flux-system
 ---
@@ -10060,7 +10062,7 @@ metadata:
     app.kubernetes.io/component: notification-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
     control-plane: controller
   name: notification-controller
   namespace: flux-system
@@ -10081,7 +10083,7 @@ metadata:
     app.kubernetes.io/component: notification-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
     control-plane: controller
   name: webhook-receiver
   namespace: flux-system
@@ -10102,7 +10104,7 @@ metadata:
     app.kubernetes.io/component: notification-controller
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: v2.7.3
+    app.kubernetes.io/version: v2.7.5
     control-plane: controller
   name: notification-controller
   namespace: flux-system
@@ -10121,7 +10123,7 @@ spec:
         app.kubernetes.io/component: notification-controller
         app.kubernetes.io/instance: flux-system
         app.kubernetes.io/part-of: flux
-        app.kubernetes.io/version: v2.7.3
+        app.kubernetes.io/version: v2.7.5
     spec:
       containers:
       - args:
@@ -10139,7 +10141,7 @@ spec:
             resourceFieldRef:
               containerName: manager
               resource: limits.memory
-        image: ghcr.io/fluxcd/notification-controller:v1.7.4
+        image: ghcr.io/fluxcd/notification-controller:v1.7.5
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:

clusters/default/flux-system/gotk-sync.yaml

@@ -11,7 +11,7 @@ spec:
     branch: main
   secretRef:
     name: flux-system
-  url: ssh://git@gitea.akshun-lab.cc:222/aggarwalakshun/k3s
+  url: ssh://git@gitea.akshun-lab.cc/aggarwalakshun/k3s-at-home.git
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization

clusters/default/git-ops/gitea-act/gitea-act-secrets.yml

@@ -6,8 +6,8 @@ metadata:
   namespace: git-ops
 spec:
   encryptedData:
-    TOKEN: AgACJkhEafIeRdcLRHBiyjAXz8aK4m1w8238FhwhX8cKDMg3J2hD11CDI5K6R+idPxfIxJSry7yarr4j+3hB9JOfrVTGSMyt8zadIjeE6MZMQFrE+Ufbo+JRqz9lBjY2enmxfjvFS5LiZGogUaomuvmeFywWWmqLlLcyANNIHN/sw/JVIZc32oLsElSCQc8GgWoLDHPFbTkoeqqCFtWiEYDhZDf5BsGHxNh2MOI0N55TPL5izKrgSUTHvDiehYddeIYz85K3WCDTGXBztIteM7+DrHGdyuYOimP4J3w9CExnf3ObtqcfnOgv9a1wiXER484q5fpaidWIVZm/dZiTFuLwAWpPNRP/WcTkMXEJVSAEWkdYxb8fk6Zn6VifT1fTSzTUN90TP0IXlrjP55nvG7oHvkBNWydSRxc3d2wwXKhSnAOk94cWPxilOkqhsc/aqCQzkxgHZXNV94jb8KzV5r1XCCD/kYd+crbfNs4uEKXNSa9KZqE4Did8eelEfst+VGhUpWwMLn9QNNlMxKUhWuqjEM30QTO51p7cB12dqQxi1nuXB6NREW8LtOOJ5uRDnSTY0ZTwioNZ5OqgMVfAPAY6HBZrYOQFvG5/rDRkkWLWdDRLJfz1OZq+qwoXBfXhKCEQnK2J8zIxjVJKjdK4U7myWzB9peN5XQN29aisxCY7k0ikpD8Crog7jnxAXo2hmLNaCt2xVgKpHc8RnuC9dNIlJUXI0KhTT649s6Jja09ZfuTF/3oboHBH
+    TOKEN: AgCCHSvlowNtj3ghhB/mYSnSlVMiB/yxLjWesHNtxiFLO4lGPfDp/KYMJ+0makytpQBlOS5nfSCh8u11Vh4vje0v2QLCkt8XCkDfpYOb/tJIaeMuojszaoaf3ZQqgzEbwy4hgaV8ur3K77jnHE+dnYMGNcd0Thg3nVhIs8rMK/2kBcTrp/Jfy61TAeyS3ObFgjayGqyUCc8BI1VjkKFXLPp82d7tqlGKTYlI+hVnWpSwS7MrybesTU8AGYC5GLRr3crfbff/H20m6aFb/4rDKQb7FIEOXYhbuxZw5OuFxlORnGNFWQP+aCyywOxmalNV1F2kZk0YRlWoaXrtyeT46cBI7WIgbFeUwlpRLxKGz8mBdJ8QluE2vu9HSUmMiFCOV6V0znUjz5jWyJ839FsUDHY78sRLaycu5fZNBeq0QndBDNYYkkhZ/uxvGsfdF8camCGNLIGC65nT3kHnWuZ0ZRSXJRf4Jb5TdK81aBceAEHqrtFkjger3v6ZEblTABV2fykRyFeK3eZ0TF5tsOa/8yNGI94sxjv/TXvdXNK2Z4VuaXRQpmCfnLkvKc4Fra0Pk2N1beI8NDTgqLBHWBPYeK1lryeYZ/nISj7W6hBasEPXdOYcJ8lCYwWmGmWO+B0zt8u0gvm0mkrZAZvluOYqRd+/Y8Cg9Q1S3lIFBd/JaPH/nTAXiHWU5ZNowGxuVYWIo6r85pv5oRJodVFhTZD/7mBsZHAh2XUVbLeN2ZfQHrSTFbZydkDz5f66
-    URL: AgAF2MrmaYUOGlLqyMhJpLyTT/qZbvSHC787uLNKwjqTqRIhU34DoR4F0ZxcDfiUl7KQgZVL+ujOU1MdpBxsMtsvLRFoQl+bGm4G1miE7BUpsETp2ll3kVbLMTk8eNeFdRq1P4WEtF6vidwVfJ0ggwyISdMpLm7tS/oFg4l0FImmpqjsycCMuwheB4azcU/1sEy046NLFQUm+ErKN88qRvFQwMlKj2DHKrtBxGZfdo7xo8hcBdq5IWDfMs8yAvalafp+O922mzF7ADp2IMoTgipCGiGNo8dengg18mfjqI7sUJHZag1apGmJmUSBK8xxFv7Cc8iS8PPpBZIROe8/rEwpNYH/JTVbfNZvdu5qVzmXs7BUppGG6dg5ASUkYW7lVf1Bo1M/dFreuHOlr1UucwJoIXcMFu/eOLcNbAchH4I4K1LQFPNNDkViAKozP5E8k1fIcpGPRSPK9hRnr21w3+kJ8ruJl7TFWY0aqi0kemtXq2lZenFlaUEk2pilINGNZ16AZBAnuzafPRC76c4EVtEKlffKC+/4Oq3hXHneVoikJZYuJ0CP/mqKVzFf/HgfOxzDyGbtXsAZ1m+dcl25U81VzbEuvzGrgt3q7FNLwQ4heSeDNDkkSvotDWji8VT1W3IN6ShXZ+gHmL7UrY3HuG3BsuuekSHvmc1gXGOHOO/qKYkHeJ2NzZODhgh/xo/vbXiilQrNBnuoJ1cxPY8Xz0jAx6WfWqsTtahe2h4=
+    URL: AgATClAgHoLFuwCkQjQvl0MI0YRe7o2mCiaagecYvNgDH8uCMhY7vVFjmTmamfH0MBEbE+3QGQthlV+/aDjvpjJg3P5cFX+0EnU95SPPJHo0+oKAIxfP5DahCFl6nyyqZ57BTKNN5J4Mki4jCbkXxpnx5o2s+wjv4O56Al2yAK9ykk7vLo44VT9U8glxrEmpwQDp1Q/AVO0pk3NchvluAbq3PpcSQ2tPRK79aPGQyscfId9H/9WL4pNzyRFc+WLhMVuZWHxa2mEVYkl6tHU0BFjG0YZIkZTFfVBvhCXi8CRBWSMm9IeuIQGbLxnaH0SyVPqA2hO5YorQw54TL1gVnXIDo3zxyFYyYew/x7goq5Ab/pAHpb70RfCa9TSUjDVt9trrUyuh/Elvp6OX25FuPcOYiQlKcEnf4Hm/a5fiubZG53ejweEAx22O1KG0zWFTy6LzTXZqU6uhqcmslQgmSjQXCrbUfPV3yHXpRetilh4fHFLFsXHm9FoWqjCQ0qW//BwoNRj9jk7rR3/BDVDmOFYj+xau260TtbkqgE8uWHQw5jXM0AM6f1xDlF/ZdoHnvBs1VGF10SDLc0qr8+44L4MDRHhlLXcADlXBG0osfkXBFDqdYpC+Phsphhh81aV7Wg9u9dCKTbE3FcMGGaOT0mbnyrs2Jm7IS6EW3KeZrpm5taXmJLLjN0xwGPit1XUrKJw9RPngaXfi+SCX/MckEPIy2aLTssCqvKX2zD4=
   template:
     metadata:
       name: gitea-act-runner-secret

clusters/default/git-ops/gitea-act/gitea-act.yml

@@ -19,29 +19,26 @@ spec:
         app: gitea-act-runner
     spec:
       restartPolicy: Always
-      hostNetwork: true
       volumes:
       - name: docker-certs
         emptyDir: {}
       - name: runner-data
         persistentVolumeClaim:
           claimName: gitea-act-runner-longhorn
-      initContainers:
-      - name: wait-for-gitea
-        image: busybox
-        command:
-        - sh
-        - -c
-        - |
-          while ! nc -z gitea.akshun-lab.cc 443; do
-            echo "Waiting for Gitea to be ready..."
-            sleep 5
-          done
-          echo "Gitea is ready!"
       containers:
       - name: runner
         image: gitea/act_runner@sha256:8477d5b61b655caad4449888bae39f1f34bebd27db56cb15a62dccb3dcf3a944
         command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- run.sh"]
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              nc -z gitea-int-service.git-ops.svc.cluster.local 3000
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
         env:
         - name: DOCKER_HOST
           value: tcp://localhost:2376
@@ -67,7 +64,7 @@ spec:
         - name: runner-data
           mountPath: /data
       - name: daemon
-        image: docker:29.0.2-dind
+        image: docker:29.1.3-dind
         env:
         - name: DOCKER_TLS_CERTDIR
           value: /certs

clusters/default/git-ops/gitea/gitea-db.yml

@@ -1,15 +1,15 @@
 ---
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   name: gitea-db
   namespace: git-ops
 spec:
-  strategy:
-    type: Recreate
   selector:
     matchLabels:
       app: gitea-db
+  serviceName: gitea-db
+  replicas: 1
   template:
     metadata:
       labels:
@@ -40,7 +40,12 @@ spec:
         volumeMounts:
         - name: gitea-db
           mountPath: /var/lib/postgresql
-      volumes:
+  volumeClaimTemplates:
-      - name: gitea-db
+  - metadata:
-        persistentVolumeClaim:
+      name: gitea-db
-          claimName: gitea-db-new-longhorn
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 2Gi
+      storageClassName: longhorn

clusters/default/git-ops/gitea/gitea-pvc.yml

@@ -12,18 +12,3 @@ spec:
     requests:
       storage: 2Gi
   storageClassName: longhorn
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: gitea-db-new-longhorn
-  namespace: git-ops
-spec:
-  accessModes:
-    - ReadWriteOnce
-  volumeMode: Filesystem
-  resources:
-    requests:
-      storage: 2Gi
-  storageClassName: longhorn

clusters/default/git-ops/gitea/gitea-svc.yml

@@ -16,7 +16,7 @@ spec:
     targetPort: 3000
     protocol: TCP
     name: http
-  - port: 222
+  - port: 22
     targetPort: 22
     name: ssh
 
@@ -38,12 +38,12 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: gitea-db-service
+  name: gitea-db
   namespace: git-ops
 spec:
+  ports:
+    - port: 5432
+      targetPort: 5432
   selector:
     app: gitea-db
-  ports:
+  clusterIP: None
-    - protocol: TCP
-      port: 5432
-      targetPort: 5432

clusters/default/git-ops/gitea/gitea.yml

@@ -16,20 +16,19 @@ spec:
       labels:
         app: gitea-app
     spec:
-      initContainers:
-      - name: wait-for-db
-        image: busybox
-        command:
-        - sh
-        - -c
-        - |
-          until nc -z -v -w30 gitea-db-service 5432; do
-            echo "Waiting for psql database to be ready"
-            sleep 2
-          done
       containers:
       - name: gitea
-        image: gitea/gitea:1.25.1
+        image: gitea/gitea:1.25.3
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              nc -z gitea-db.git-ops.svc.cluster.local 5432
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
         ports:
         - containerPort: 22
           name: ssh
@@ -43,7 +42,7 @@ spec:
         - name: GITEA__database__DB_TYPE
           value: "postgres"
         - name: GITEA__database__HOST
-          value: "gitea-db-service:5432"
+          value: "gitea-db.git-ops.svc.cluster.local:5432"
         - name: GITEA__database__NAME
           value: "gitea"
         - name: GITEA__database__USER

clusters/default/git-ops/semaphore/semaphore-configmap.yml

@@ -6,7 +6,7 @@ metadata:
   namespace: git-ops
 data:
   SEMAPHORE_DB_USER: "semaphore"
-  SEMAPHORE_DB_HOST: "localhost"
+  SEMAPHORE_DB_HOST: "semaphore-db"
   SEMAPHORE_DB_PORT: "3306"
   SEMAPHORE_DB_DIALECT: "mysql"
   SEMAPHORE_DB: "semaphore"

clusters/default/git-ops/semaphore/semaphore-db.yml

@@ -0,0 +1,46 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: semaphore-db
+  namespace: git-ops
+spec:
+  selector:
+    matchLabels:
+      app: semaphore-db
+  serviceName: semaphore-db
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: semaphore-db
+    spec:
+      containers:
+      - name: mysql
+        image: mysql:9.5.0
+        ports:
+        - containerPort: 3306
+        env:
+        - name: MYSQL_RANDOM_ROOT_PASSWORD
+          value: "'yes'"
+        - name: MYSQL_DATABASE
+          value: "semaphore"
+        - name: MYSQL_USER
+          value: "semaphore"
+        - name: MYSQL_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: semaphore-secrets
+              key: mysql_password
+        volumeMounts:
+        - name: semaphore-db
+          mountPath: /var/lib/mysql
+  volumeClaimTemplates:
+  - metadata:
+      name: semaphore-db
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 2Gi
+      storageClassName: longhorn

clusters/default/git-ops/semaphore/semaphore-svc.yml

@@ -12,5 +12,20 @@ spec:
   selector:
     app: semaphore
   ports:
-  - port: 3002
+  - name: http
+    port: 3002
     targetPort: 3000
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: semaphore-db
+  namespace: git-ops
+spec:
+  selector:
+    app: semaphore-db
+  ports:
+  - port: 3306
+    targetPort: 3306
+  clusterIP: None

clusters/default/git-ops/semaphore/semaphore.yml

@@ -16,33 +16,22 @@ spec:
       labels:
         app: semaphore
     spec:
-      initContainers:
-      - name: mysql
-        image: mysql:9.5.0
-        restartPolicy: Always
-        ports:
-        - containerPort: 3306
-        env:
-        - name: MYSQL_RANDOM_ROOT_PASSWORD
-          value: "'yes'"
-        - name: MYSQL_DATABASE
-          value: "semaphore"
-        - name: MYSQL_USER
-          value: "semaphore"
-        - name: MYSQL_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: semaphore-secrets
-              key: mysql_password
-        volumeMounts:
-        - name: db
-          mountPath: /var/lib/mysql
-          subPath: db
       containers:
       - name: semaphore
-        image: public.ecr.aws/semaphore/pro/server:v2.16.45
+        image: public.ecr.aws/semaphore/pro/server:v2.16.47
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              nc -z semaphore-db.git-ops.svc.cluster.local 3306
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
         ports:
-        - containerPort: 3000
+        - name: http
+          containerPort: 3000
         envFrom:
         - configMapRef:
             name: semaphore-config
@@ -62,7 +51,3 @@ spec:
             secretKeyRef:
               name: semaphore-secrets
               key: key
-      volumes:
-      - name: db
-        persistentVolumeClaim:
-          claimName: semaphore-longhorn

clusters/default/helm/cert-manager/cert-manager-release.yml

@@ -5,16 +5,16 @@ metadata:
   name: cert-manager
   namespace: cert-manager
 spec:
-  interval: 24h
+  interval: 6h
   chart:
     spec:
       chart: cert-manager
-      version: "v1.19.1"
+      version: "v1.19.2"
       sourceRef:
         kind: HelmRepository
         name: jetstack
         namespace: flux-system
-      interval: 24h
+      interval: 6h
   install:
     remediation:
       retries: 3

clusters/default/helm/cert-manager/cert-manager-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: jetstack
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://charts.jetstack.io

clusters/default/helm/csi-driver-smb/csi-driver-smb-release.yml

@@ -5,7 +5,7 @@ metadata:
   name: csi-driver-smb
   namespace: kube-system
 spec:
-  interval: 24h
+  interval: 6h
   chart:
     spec:
       chart: csi-driver-smb
@@ -14,7 +14,7 @@ spec:
         kind: HelmRepository
         name: csi-driver-smb
         namespace: flux-system
-      interval: 24h
+      interval: 6h
   install:
     createNamespace: true
   upgrade:

clusters/default/helm/csi-driver-smb/csi-driver-smb-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: csi-driver-smb
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-smb/master/charts

clusters/default/helm/gpu-operator/gpu-operator-policy.yml

@@ -0,0 +1,289 @@
+apiVersion: nvidia.com/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    meta.helm.sh/release-name: gpu-operator
+    meta.helm.sh/release-namespace: gpu-operator
+  generation: 2
+  labels:
+    app.kubernetes.io/component: gpu-operator
+    app.kubernetes.io/instance: gpu-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: gpu-operator
+    app.kubernetes.io/version: v25.3.2
+    helm.sh/chart: gpu-operator-v25.3.2
+    helm.toolkit.fluxcd.io/name: gpu-operator
+    helm.toolkit.fluxcd.io/namespace: gpu-operator
+  name: cluster-policy
+spec:
+  ccManager:
+    defaultMode: "off"
+    enabled: false
+    env: []
+    image: k8s-cc-manager
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v0.1.1
+  cdi:
+    default: false
+    enabled: false
+  daemonsets:
+    labels:
+      app.kubernetes.io/managed-by: gpu-operator
+      helm.sh/chart: gpu-operator-v25.3.2
+    priorityClassName: system-node-critical
+    rollingUpdate:
+      maxUnavailable: "1"
+    tolerations:
+    - effect: NoSchedule
+      key: nvidia.com/gpu
+      operator: Exists
+    updateStrategy: RollingUpdate
+  dcgm:
+    enabled: false
+    image: dcgm
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: 4.2.3-1-ubuntu22.04
+  dcgmExporter:
+    enabled: true
+    env:
+    - name: DCGM_EXPORTER_LISTEN
+      value: :9400
+    - name: DCGM_EXPORTER_KUBERNETES
+      value: "true"
+    - name: DCGM_EXPORTER_COLLECTORS
+      value: /etc/dcgm-exporter/dcp-metrics-included.csv
+    image: dcgm-exporter
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/k8s
+    serviceMonitor:
+      additionalLabels: {}
+      enabled: false
+      honorLabels: false
+      interval: 15s
+      relabelings: []
+    version: 4.2.3-4.1.3-ubuntu22.04
+  devicePlugin:
+    config:
+      default: any
+      name: time-slicing-config
+    enabled: true
+    env:
+    - name: PASS_DEVICE_SPECS
+      value: "true"
+    - name: FAIL_ON_INIT_ERROR
+      value: "true"
+    - name: DEVICE_LIST_STRATEGY
+      value: envvar
+    - name: DEVICE_ID_STRATEGY
+      value: uuid
+    - name: NVIDIA_VISIBLE_DEVICES
+      value: all
+    - name: NVIDIA_DRIVER_CAPABILITIES
+      value: all
+    image: k8s-device-plugin
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia
+    version: v0.17.3
+  driver:
+    certConfig:
+      name: ""
+    enabled: false
+    image: driver
+    imagePullPolicy: IfNotPresent
+    kernelModuleConfig:
+      name: ""
+    licensingConfig:
+      configMapName: ""
+      nlsEnabled: true
+    manager:
+      env:
+      - name: ENABLE_GPU_POD_EVICTION
+        value: "true"
+      - name: ENABLE_AUTO_DRAIN
+        value: "false"
+      - name: DRAIN_USE_FORCE
+        value: "false"
+      - name: DRAIN_POD_SELECTOR_LABEL
+        value: ""
+      - name: DRAIN_TIMEOUT_SECONDS
+        value: 0s
+      - name: DRAIN_DELETE_EMPTYDIR_DATA
+        value: "false"
+      image: k8s-driver-manager
+      imagePullPolicy: IfNotPresent
+      repository: nvcr.io/nvidia/cloud-native
+      version: v0.8.0
+    rdma:
+      enabled: false
+      useHostMofed: false
+    repoConfig:
+      configMapName: ""
+    repository: nvcr.io/nvidia
+    startupProbe:
+      failureThreshold: 120
+      initialDelaySeconds: 60
+      periodSeconds: 10
+      timeoutSeconds: 60
+    upgradePolicy:
+      autoUpgrade: true
+      drain:
+        deleteEmptyDir: false
+        enable: false
+        force: false
+        timeoutSeconds: 300
+      maxParallelUpgrades: 1
+      maxUnavailable: 25%
+      podDeletion:
+        deleteEmptyDir: false
+        force: false
+        timeoutSeconds: 300
+      waitForCompletion:
+        timeoutSeconds: 0
+    useNvidiaDriverCRD: false
+    usePrecompiled: false
+    version: 570.148.08
+    virtualTopology:
+      config: ""
+  gdrcopy:
+    enabled: false
+    image: gdrdrv
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v2.5
+  gfd:
+    enabled: true
+    env:
+    - name: GFD_SLEEP_INTERVAL
+      value: 60s
+    - name: GFD_FAIL_ON_INIT_ERROR
+      value: "true"
+    image: k8s-device-plugin
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia
+    version: v0.17.3
+  hostPaths:
+    driverInstallDir: /run/nvidia/driver
+    rootFS: /
+  kataManager:
+    config:
+      artifactsDir: /opt/nvidia-gpu-operator/artifacts/runtimeclasses
+      runtimeClasses:
+      - artifacts:
+          pullSecret: ""
+          url: nvcr.io/nvidia/cloud-native/kata-gpu-artifacts:ubuntu22.04-535.54.03
+        name: kata-nvidia-gpu
+        nodeSelector: {}
+      - artifacts:
+          pullSecret: ""
+          url: nvcr.io/nvidia/cloud-native/kata-gpu-artifacts:ubuntu22.04-535.86.10-snp
+        name: kata-nvidia-gpu-snp
+        nodeSelector:
+          nvidia.com/cc.capable: "true"
+    enabled: false
+    image: k8s-kata-manager
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v0.2.3
+  mig:
+    strategy: single
+  migManager:
+    config:
+      default: all-disabled
+      name: default-mig-parted-config
+    enabled: true
+    env:
+    - name: WITH_REBOOT
+      value: "false"
+    gpuClientsConfig:
+      name: ""
+    image: k8s-mig-manager
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v0.12.2-ubuntu20.04
+  nodeStatusExporter:
+    enabled: false
+    image: gpu-operator-validator
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v25.3.2
+  operator:
+    defaultRuntime: docker
+    initContainer:
+      image: cuda
+      imagePullPolicy: IfNotPresent
+      repository: nvcr.io/nvidia
+      version: 12.8.1-base-ubi9
+    runtimeClass: nvidia
+  psa:
+    enabled: false
+  sandboxDevicePlugin:
+    enabled: true
+    image: kubevirt-gpu-device-plugin
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia
+    version: v1.3.1
+  sandboxWorkloads:
+    defaultWorkload: container
+    enabled: false
+  toolkit:
+    enabled: true
+    env:
+    - name: CONTAINERD_SOCKET
+      value: /run/k3s/containerd/containerd.sock
+    - name: CONTAINERD_CONFIG
+      value: /var/lib/rancher/k3s/agent/etc/containerd/config.toml
+    image: container-toolkit
+    imagePullPolicy: IfNotPresent
+    installDir: /usr/local/nvidia
+    repository: nvcr.io/nvidia/k8s
+    version: v1.17.8-ubuntu20.04
+  validator:
+    image: gpu-operator-validator
+    imagePullPolicy: IfNotPresent
+    plugin:
+      env:
+      - name: WITH_WORKLOAD
+        value: "false"
+    repository: nvcr.io/nvidia/cloud-native
+    version: v25.3.2
+  vfioManager:
+    driverManager:
+      env:
+      - name: ENABLE_GPU_POD_EVICTION
+        value: "false"
+      - name: ENABLE_AUTO_DRAIN
+        value: "false"
+      image: k8s-driver-manager
+      imagePullPolicy: IfNotPresent
+      repository: nvcr.io/nvidia/cloud-native
+      version: v0.8.0
+    enabled: true
+    image: cuda
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia
+    version: 12.8.1-base-ubi9
+  vgpuDeviceManager:
+    config:
+      default: default
+      name: ""
+    enabled: true
+    image: vgpu-device-manager
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v0.3.0
+  vgpuManager:
+    driverManager:
+      env:
+      - name: ENABLE_GPU_POD_EVICTION
+        value: "false"
+      - name: ENABLE_AUTO_DRAIN
+        value: "false"
+      image: k8s-driver-manager
+      imagePullPolicy: IfNotPresent
+      repository: nvcr.io/nvidia/cloud-native
+      version: v0.8.0
+    enabled: false
+    image: vgpu-manager
+    imagePullPolicy: IfNotPresent

clusters/default/helm/gpu-operator/gpu-operator-release.yml

@@ -5,16 +5,16 @@ metadata:
   name: gpu-operator
   namespace: gpu-operator
 spec:
-  interval: 24h
+  interval: 6h
   chart:
     spec:
       chart: gpu-operator
-      version: "v25.3.2"
+      version: "v25.10.1"
       sourceRef:
         kind: HelmRepository
         name: nvidia
         namespace: flux-system
-      interval: 24h
+      interval: 6h
   install:
     createNamespace: true
   upgrade:

clusters/default/helm/gpu-operator/gpu-operator-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: nvidia
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://helm.ngc.nvidia.com/nvidia

clusters/default/helm/intel-gpu/intel-device-operator.yml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: intel-device-plugins-operator
-      version: "0.34.0"
+      version: "0.34.1"
       sourceRef:
         kind: HelmRepository
         name: intel

clusters/default/helm/intel-gpu/intel-plugin-operator.yml

@@ -5,16 +5,16 @@ metadata:
   name: gpu-device-plugin
   namespace: gpu-operator
 spec:
-  interval: 24h
+  interval: 6h
   chart:
     spec:
       chart: intel-device-plugins-gpu
-      version: "0.34.0"
+      version: "0.34.1"
       sourceRef:
         kind: HelmRepository
         name: intel
         namespace: flux-system
-      interval: 24h
+      interval: 6h
   install:
     remediation:
       retries: 3

clusters/default/helm/intel-gpu/intel-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: intel
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://intel.github.io/helm-charts

clusters/default/helm/longhorn/longhorn-release.yml

@@ -5,7 +5,7 @@ metadata:
   name: longhorn
   namespace: longhorn-system
 spec:
-  interval: 24h
+  interval: 6h
   chart:
     spec:
       chart: longhorn
@@ -14,7 +14,7 @@ spec:
         kind: HelmRepository
         name: longhorn
         namespace: flux-system
-      interval: 24h
+      interval: 6h
   install:
     createNamespace: true
   upgrade:

clusters/default/helm/longhorn/longhorn-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: longhorn
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://charts.longhorn.io

clusters/default/helm/metallb/metallb-release.yml

@@ -5,16 +5,16 @@ metadata:
   name: metallb
   namespace: metallb-system
 spec:
-  interval: 24h
+  interval: 6h
   chart:
     spec:
       chart: metallb
-      version: "0.15.2"
+      version: "0.15.3"
       sourceRef:
         kind: HelmRepository
         name: metallb
         namespace: flux-system
-      interval: 24h
+      interval: 6h
   install:
     createNamespace: true
   upgrade:

clusters/default/helm/metallb/metallb-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: metallb
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://metallb.github.io/metallb

clusters/default/helm/ollama/ollama-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ollama-longhorn
+  namespace: tools
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: longhorn

clusters/default/helm/ollama/ollama-release.yml

@@ -0,0 +1,35 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ollama
+  namespace: tools
+spec:
+  interval: 6h
+  chart:
+    spec:
+      chart: ollama
+      version: "1.36.0"
+      sourceRef:
+        kind: HelmRepository
+        name: ollama
+        namespace: flux-system
+      interval: 6h
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    ollama:
+      gpu:
+        enabled: true
+        type: nvidia
+    service:
+      type: LoadBalancer
+      port: 2123
+    runtimeClassName: nvidia
+    persistentVolume:
+      enabled: true
+      existingClaim: ollama-longhorn

clusters/default/helm/ollama/ollama-repo.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: ollama
+  namespace: flux-system
+spec:
+  interval: 6h
+  url: https://otwld.github.io/ollama-helm/

clusters/default/helm/prometheus/prometheus-release.yml

@@ -5,16 +5,16 @@ metadata:
   name: prometheus
   namespace: monitoring
 spec:
-  interval: 24h
+  interval: 6h
   chart:
     spec:
       chart: prometheus
-      version: "27.45.0"
+      version: "28.0.0"
       sourceRef:
         kind: HelmRepository
         name: prometheus-community
         namespace: flux-system
-      interval: 24h
+      interval: 6h
   install:
     remediation:
       retries: 3

clusters/default/helm/prometheus/prometheus-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: prometheus-community
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://prometheus-community.github.io/helm-charts

clusters/default/helm/sealed-secrets/sealed-secrets-release.yaml

@@ -15,7 +15,7 @@ spec:
       version: '>=1.15.0-0'
   install:
     crds: Create
-  interval: 24h
+  interval: 6h
   releaseName: sealed-secrets-controller
   upgrade:
     crds: CreateReplace

clusters/default/helm/sealed-secrets/sealed-secrets-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: sealed-secrets
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://bitnami-labs.github.io/sealed-secrets

clusters/default/media/ersatztv/ersatztv.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: ersatztv
-        image: jasongdove/ersatztv:v25.8.0
+        image: jasongdove/ersatztv:v25.9.0
         ports:
         - containerPort: 8409
         volumeMounts:

clusters/default/media/immich/immich-db.yml

@@ -1,30 +1,33 @@
 ---
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
-  name: immich-db
+  name: immich-psql
   namespace: media
 spec:
   selector:
     matchLabels:
-      app: immich-db
+      app: immich-psql
+  serviceName: immich-psql
+  replicas: 1
   template:
     metadata:
       labels:
-        app: immich-db
+        app: immich-psql
     spec:
+      initContainers:
+      - name: cleanup
+        image: busybox
+        command: ['sh', '-c', 'rm -rf /var/lib/postgresql/data/lost+found']
+        volumeMounts:
+        - name: immich-db
+          mountPath: /var/lib/postgresql/data
       containers:
-      - name: redis
-        image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
-        env:
-        - name: REDIS_HOSTNAME
-          value: "localhost"
-        ports:
-        - containerPort: 6379
       - name: immich-psql
         image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
         ports:
         - containerPort: 5432
+          name: postgres
         env:
         - name: POSTGRES_PASSWORD
           valueFrom:
@@ -39,9 +42,13 @@ spec:
           value: "--data-checksums"
         volumeMounts:
         - mountPath: /var/lib/postgresql/data
-          name: immich
+          name: immich-db
-      volumes:
+  volumeClaimTemplates:
-      - name: immich
+  - metadata:
-        nfs: 
+      name: immich-db
-          server: 10.0.0.10
+    spec:
-          path: /home/akshun/immich-data
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 5Gi
+      storageClassName: longhorn

clusters/default/media/immich/immich-ml.yml

@@ -19,7 +19,7 @@ spec:
       runtimeClassName: nvidia
       containers:
       - name: immich-machine-learning
-        image: ghcr.io/immich-app/immich-machine-learning:v2.3.0-cuda
+        image: ghcr.io/immich-app/immich-machine-learning:v2.4.1-cuda
         ports:
         - containerPort: 3003
         env:

clusters/default/media/immich/immich-redis.yml

@@ -0,0 +1,23 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: immich-redis
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: immich-redis
+  serviceName: immich-redis
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: immich-redis
+    spec:
+      containers:
+      - name: redis
+        image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
+        ports:
+        - containerPort: 6379
+          name: redis

clusters/default/media/immich/immich-svc.yml

@@ -36,26 +36,28 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: immich-psql-service
+  name: immich-psql
   namespace: media
 spec:
   selector:
-    app: immich-db
+    app: immich-psql
   ports:
-    - protocol: TCP
+    - name: postgres
       port: 5432
       targetPort: 5432
+  clusterIP: None
 
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: immich-redis-service
+  name: immich-redis
   namespace: media
 spec:
   selector:
-    app: immich-db
+    app: immich-redis
   ports:
-    - protocol: TCP
+    - name: redis
       port: 6379
       targetPort: 6379
+  clusterIP: None

clusters/default/media/immich/immich.yml

@@ -16,48 +16,37 @@ spec:
       labels:
         app: immich-app
     spec:
-      initContainers:
-      - name: wait-for-redis
-        image: busybox
-        command:
-        - sh
-        - -c
-        - |
-          until nc -z -v -w30 immich-redis-service 6379; do
-            echo "Waiting for redis database to be ready..."
-            sleep 2
-          done
-      - name: wait-for-psql
-        image: busybox
-        command:
-        - sh
-        - -c
-        - |
-          until nc -z -v -w30 immich-psql-service 5432; do
-            echo "Waiting for psql database to be ready"
-            sleep 2
-          done
       containers:
       - name: immich-server
-        image: ghcr.io/immich-app/immich-server:v2.3.0
+        image: ghcr.io/immich-app/immich-server:v2.4.1
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              pg_isready -h immich-psql.media.svc.cluster.local -U postgres -p 5432
+          initialDelaySeconds: 10
+          periodSeconds: 5
+          failureThreshold: 5
         ports:
         - containerPort: 2283
         env:
         - name: TZ
           value: "Asia/Kolkata"
         - name: REDIS_HOSTNAME
-          value: "immich-redis-service"
+          value: "immich-redis.media.svc.cluster.local"
-        - name: DB_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: immich-postgres-secret
-              key: password
         - name: DB_USERNAME
           value: "postgres"
         - name: DB_DATABASE_NAME
           value: "immich"
         - name: DB_HOSTNAME
-          value: "immich-psql-service"
+          value: "immich-psql.media.svc.cluster.local"
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: immich-postgres-secret
+              key: password
         volumeMounts:
         - mountPath: /usr/src/app/upload
           name: pictures

clusters/default/media/invidious/invidious-companion.yml

@@ -0,0 +1,28 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: invidious-companion
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: invidious-companion
+  template:
+    metadata:
+      labels:
+        app: invidious-companion
+    spec:
+      containers:
+      - name: inv-companion
+        image: quay.io/invidious/invidious-companion@sha256:639c8b32dec2e0200c36ed369cf494eb0ca765fdb14d5890d7f460c89a34272d
+        env:
+        - name: SERVER_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: invidious-secrets
+              key: INVIDIOUS_COMPANION_KEY
+        securityContext:
+          capabilities:
+            drop:
+            - ALL

clusters/default/media/invidious/invidious-config.yml

@@ -10,10 +10,10 @@ data:
       dbname: invidious
       user: kemal
       password: ${INVIDIOUS_DB_PASSWORD}
-      host: localhost
+      host: invidious-db.media.svc.cluster.local
       port: 5432
     check_tables: true
     invidious_companion:
-    - private_url: "http://localhost:8282/companion"
+    - private_url: "http://invidious-companion-service.media.svc.cluster.local:8282/companion"
     invidious_companion_key: ${INVIDIOUS_COMPANION_KEY}
     hmac_key: ${INVIDIOUS_HMAC_KEY}

clusters/default/media/invidious/invidious-db.yml

@@ -0,0 +1,59 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: invidious-db
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: invidious-db
+  serviceName: invidious-db
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: invidious-db
+    spec:
+      initContainers:
+      - name: clean-db-dir
+        image: busybox
+        command:
+        - sh
+        - -c
+        - |
+          rm -rf /var/lib/postgresql/lost+found
+        volumeMounts:
+        - name: postgres-data
+          mountPath: /var/lib/postgresql
+      containers:
+      - name: postgres
+        image: postgres:18
+        env:
+        - name: POSTGRES_DB
+          valueFrom:
+            secretKeyRef:
+              name: invidious-db-secrets
+              key: postgres-db
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: invidious-db-secrets
+              key: postgres-user
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: invidious-db-secrets
+              key: postgres-password
+        volumeMounts:
+        - name: postgres-data
+          mountPath: /var/lib/postgresql
+  volumeClaimTemplates:
+  - metadata:
+      name: postgres-data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 1Gi
+      storageClassName: longhorn

clusters/default/media/invidious/invidious-svc.yml

@@ -15,3 +15,30 @@ spec:
   - port: 3111
     targetPort: 3000
     protocol: TCP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: invidious-companion-service
+  namespace: media
+spec:
+  selector:
+    app: invidious-companion
+  ports:
+  - port: 8282
+    targetPort: 8282
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: invidious-db
+  namespace: media
+spec:
+  selector:
+    app: invidious-db
+  ports:
+  - port: 5432
+    targetPort: 5432
+  clusterIP: None

clusters/default/media/invidious/invidious.yml

@@ -33,51 +33,6 @@ spec:
         - name: tmp
           mountPath: /mnt
           subPath: invidious.yml
-      - name: clean-db-dir
-        image: busybox
-        command:
-        - sh
-        - -c
-        - |
-          rm -rf /var/lib/postgresql/lost+found
-        volumeMounts:
-        - name: postgres-data
-          mountPath: /var/lib/postgresql
-      - name: postgres
-        image: postgres:18
-        restartPolicy: Always
-        env:
-        - name: POSTGRES_DB
-          valueFrom:
-            secretKeyRef:
-              name: invidious-db-secrets
-              key: postgres-db
-        - name: POSTGRES_USER
-          valueFrom:
-            secretKeyRef:
-              name: invidious-db-secrets
-              key: postgres-user
-        - name: POSTGRES_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: invidious-db-secrets
-              key: postgres-password
-        volumeMounts:
-        - name: postgres-data
-          mountPath: /var/lib/postgresql
-      - name: inv-companion
-        image: quay.io/invidious/invidious-companion@sha256:a445ef2390360a491c6e4ebee9e53588792ebdbfebf505a6b5df45cffaa8f554
-        restartPolicy: Always
-        env:
-        - name: SERVER_SECRET_KEY
-          valueFrom:
-            secretKeyRef:
-              name: invidious-secrets
-              key: INVIDIOUS_COMPANION_KEY
-        securityContext:
-          capabilities:
-            drop:
-            - ALL
       containers:
       - name: invidious
         image: quay.io/invidious/invidious@sha256:2836b5b8226a53a9cc2afdbd5f5fe6bccdd200f2e17cd92a828b4dc8d8b5cc06
@@ -87,6 +42,13 @@ spec:
         - |
           export INVIDIOUS_CONFIG="$(cat /mnt/invidious.yml)" &&
           exec /invidious/invidious
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              nc -z invidious-db.media.svc.cluster.local 5432 && nc -z invidious-companion-service.media.svc.cluster.local 8282
         env:
         - name: INVIDIOUS_PORT
           value: "3000"
@@ -106,6 +68,3 @@ spec:
       - name: invidious-config
         configMap:
           name: invidious-config
-      - name: postgres-data
-        persistentVolumeClaim:
-          claimName: invidious-longhorn

clusters/default/media/jellyfin/jellyfin-pvc.yml

@@ -2,13 +2,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: jellyfin-longhorn
+  name: jellyfin-pvc
   namespace: media
 spec:
-  accessModes:
-    - ReadWriteOnce
-  volumeMode: Filesystem
   resources:
     requests:
-      storage: 15Gi
+      storage: 5Gi
   storageClassName: longhorn
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce

clusters/default/media/jellyfin/jellyfin.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: jellyfin
-        image: jellyfin/jellyfin:10.11.3
+        image: jellyfin/jellyfin:10.11.5
         ports:
         - containerPort: 8096
         volumeMounts:
@@ -40,7 +40,7 @@ spec:
       volumes:
       - name: config
         persistentVolumeClaim:
-          claimName: jellyfin-longhorn
+          claimName: jellyfin-pvc
       - name: cache
         emptyDir: {}
       - name: media

clusters/default/monitoring/homepage/home-secrets.yml

@@ -6,21 +6,23 @@ metadata:
   namespace: monitoring
 spec:
   encryptedData:
-    ALLOWED_HOSTS: AgCyRYkyN6jBUOle+ezAJNEetq5FsaAQepIUuVgofjbksG+XmnZaIchXp+r5AmgrZMg0ZTKFXNE1Y1TewoYinASFhFEG5yFLHVBB4dO+0qOTum209gwZwlW4q346Y+gh3uZ7uk2PR3hCB9WYka6gPbzKWUwux+IrJsoUXiJSbIaXWftqob3vVMdKBAjEUZXkAl5QRaInhvlGgCp8pZV7o23g+7l1pNO1HEiuLCPhLFOgRNQvM99U2WsXIuSp7o5u7tqZKM1SELXY/ITL3OVrolJVABedcjvC5cS6ag55usO1/O+smvaHlqpoeshp3RM5FPIA0sEfhsvYkB9bVvfRio+DToWFyBUktbXHPpw01nLDUuMuRe+wl/Up7zIP4aLTH87zOLEeWiI0/vT4C3B5eNVEm4vljU6+pOavFVrJiJ4jurH9qHWpa2wy3TKvhw6VEehi6V/RBkQ6vAUPzok7c9LY2WFA/K0wvY6cvIUN1o/vkZtuTKTvrKGDJZhtQnUjTP8DO2O5Rd2i9IEc8zE5nwwfqqMy/JqAoBk8MY9xVkdyChdDYtkhiEtT0U5Zu4y4EIvoJMAZnjUOPV5kTK0YqDUh48H16BtvihOnFAwPGPIjBdAZYlggH/AE5gkdZR+zwW9iuMz8AFp3qccDB+yAFCLURyoBdi779Yz4HxCXtmCh0LYOPNeUoIKRHTe6ttySZfTuSBe2z4lxS9X4xMl2l/a8lio=
+    ALLOWED_HOSTS: AgAwNxnFMRAE5sHGwA+CWTVKGkL4ompOb2alObZfiM2x2GkuQoeNEIKAgW1nZSIJnn60NZd7zwG6xNS/hFXVEzLQ0+07Aqd9zORQr8MLe0rBJxXPjp2RHzHuW/DSh5cadjanwuazZ5LSfDGKtwI1xC2qdIpM+eUUxfu5QozSGiOuM8eSzi0t7uwa9yvYI80+J7NErJBhOiKiUf+CUtd6UA2upBXHNgs2fcu2o89XtjGzP3k+fjA4GcLugLJ8HOAcF5JWNAUlWBuLPoDiAbSsTYavpbl05bghbTqyPIhaX9ifDA1wyZOjYywITZ1SUE1Av61l8GT9DfHEvgORvweuONRoUyi8o1aLDc2idIlQQTSwzsP3O/Z+iiGLWi3fo4/4KuMDqDWNmTtiuRiYEqhE33bt4IXhiQDQweanqyb4QboXORmmKfuqyzgC1RFd2foKVSDaFUkKeQDiLUCTBt2QNJPPD+4Grxa/KDujIWBV9eDiWQIM7qsQPn+4/fZA+h8nn++o1u/Faz3fE3q1NznsvMXIeBqYx/s93K2M9pGvDjrwHs7nIXalg+QzIFLP3wHTbKshwBgF9zcRiioblBucTjvy2MRv9VgaJDjcMhfSSWuyFsSkQNNQUkyud1XbPZ/563LKArqmOONU/x9X0tx3cdL3X3KcmwaCNijulWG4UGTHVTfAKNHnRgtIy+S8LoAnnXq8Mw9y7gjqzECT4KfWiN7BGkc=
-    BAZARR_API_KEY: AgCUuUvh/1V+pOnehjOh/aJ3QgbS/dPsdFYZ6pAvFG9hS3VvLmuBTvRD3s+uysqxn/yFgvmCpjZD3Y57ahPOXoBwNrO6veXX8xl7PcECdsqfzWVD2p0koJt7Ci/ezPYJrFH8vY7PgYAti3GlK4y38g3JqRz9iAF2vCj4KosDPL1s8xVIVg+eGV7uHPZtjMMCOXLyYZ7SKblEdaicZYck2O3iUZpB7jTlug9Vn1Kht0LxgSlWcgrauGGrr+CjpdfnZsiT+0CBiaAwJfG6wyXh7vb3HbrSCQHTjHt8/Z2vqSuC8l60VfF5ONwgbOGMCNxSqW4szW8Cg4nF0VBPBZhltiWQ5h48iUkFEgNGFh9kW9DslU6JQkppa8GbPffSDc5RB27djoY9O/aqtygNHp/S+ZiHpShAfVROFDBRrLT4UHcVtZgJ+99NHrZBkQXieuyMmvAUNwdvi0AjmvqwiJW/vCt+LE4mPbPioLTh0sO7ThSyqp7NITq7bZm/EbxLuE9tQdMJI7xXt1Qff6g/Gxx4ykMyZ+LC0HS43YtLysJ/jyF66ZFzTHb5cf/dACERUxs/k5Zh3N4/0SQTqOO8EX4XXJzMz8rr9ZKpBkDPaQqhaKPwHi/OHyUUikDVCDKks1i190S4stbJ3JtZv8XTDTIO2XY27gyoSuP3fOTcmKdpCwZ28LkwwKSb9JFm14MSm/w1+8eewPsLqNoeKPsuhXj5i+wN/JjgMrEvh26mifDTSj+EBA==
+    BAZARR_API_KEY: AgBEsWcgL2EBxfwz56b5qbTyeqY/5q40Sm2V2gmmb+y+/4irQi8CVdUdb3CwlIhoMrB7qCWyGMps9wHx+KMWWc2xqAN+0x0mw1KliVEPQhdbdTnn6/gEHar3mjVj6wFvgXy2I8YPlWNiqKtFyyNWs6KrbvwCh5qHPNqVRUgNAT64z+WWDsPbaDLta3+x6IV+zQLvQELU+R2F5uoJb/dkgmtl97NdUT+/esc61B1MkSkg5cy49N9jzuKsZpvtusSFIJvzr2tTJxviS3mzHk2SqmfZcjZhgo9YerJXnlLvW9dYME6FVMeWG4NkU1Nid4Obcr1UKc6zi6YnF7g6lCg1R3dehVkcdUacbxcaJGTX495ugWDJqKcGXJiHd+2iL9VVjGpRIK9mLy6a3FliPURfw4yjhbLh4GJAd9GJEpj943cJAOxookeiuimJwmtHszcxlUqXJI+n6NcTdesT/F+MzNTC10X7ikR3osBm5FdB1IXpLDlcyLZY/IjsnbGUtSica6HyPBenW7kZHsEDU+tVCggHCrLS7vPmK/Wjj3D9Ijza3guVOkvTf1pBI/9+9TDpXm93RLAAYf+e+TBOXIWtBBaPed9JGgxZZEmimedAjU0rc/mysPeZkfkgLUa6FafWEdiWhXHF4x85iSp3aXs8N5rY9bHswpht+U0F8DbquYSm74IPC9Af6GVUgFuxXpXnu8ePIGi9yRyi1u2QE8d3JZxJHzam6Fy/EFMhY/r4xSMr6A==
-    DOMAIN: AgCJ5tcgzz2DqiHR8P8fzUE1/zz+8J/jW5/DMlrCJp9y/zSD1H2H4asGd/txOREfZXHbH7pWOe+MUjYtTB7tlMSs6nRY+Ng7Eow5MbToS8r2US67dk+d6ZYMZTCwEHtnubBD77wSHAx319CXyB5YIA7OBQ5iYMLwT0QYYWlfo/m1sG/sbHQYKJ239IwYInE9fonWOTw/7BxteXyyStpPSbxnZd9BfcjUhjh5pNv5Js+ip4LKVE9CMHqxou2cgqIfiQq6ul9l6mzB6D0IXXnaU4KUxY7utHZVGVjqZ/mefjtShgJ6zJYhOD9GUqA2VxvVf9aioHqHfY4rsqVgNLJ6w9gDf1XW9K4cvz3+ays0BhqeqRLLc8lVd51Q3lPs2R78MR7g5b6gryLKO87fGheY+WtqEAOhlq9GgrBmXSelWjVc0NvTY3S/MJJLooG6ruhTnOxEBO4wrQzNjdZ6iGUUZfsI2pJOREcng+85sUDrAlfLZXT6KG2m8HjnEKXYz52rDEcasOfuKxFsi3G4vk/YP7RFIlw7bMJujFiCtCuEXeJ/pZmSwUU4ikAGo70Ha9X52O2xevXDayVxnyN/ARXnex8NaD3BAKUcOt/tLtg9L1X2is4qlkUIYOV6SuRtGtXqZq+2uOiyWCFSUXSl7STjAifl7dmQXOVFNBzTRHP+sre4Mc58rXpxvi3qneZupUX1qV0S8FfA4qzvjptXThiJ
+    DOMAIN: AgAc/axtBDWTTaaefN4lv4mx0SAAxgIKGf1bnwtL9jsPolr+HwDCOHpkFZcvhA5BHvssRQM5w/3T8nSepCTsZ9V8AYhvKqPg9rRGEnmqnWiOdoBLT4yNXP6tDZ3vy/XawFRk//dA9aG9fbAzsJgqYrGOOOMEURb6U8GRS7+AamsEbsnm00D5xE0/16YUveW1pGNRm2EKlHJMGAnpnBqaVK4u7LyNyUf9UDt4KUyz+VdSB2Ij/bkuQyNRo2YFGnUBA0AxUo7ve4CdsRpcwL8TCPeUgng4A9p2Bmeo5Z1WuKExJWHfGWVX0fxNhHoVA462fg7HORc3asC/Gi+MnEDosE8NfpWhylW6TPzpuXu957jvZhs996JUFxGhgMRVn9KRRaXGdmNPo4BiD3JmKE9MX26nDO3tGrilc5d9vuhCchfu6RwWAxbbMpz9Y3LM6hP84bbeLbmEDZ6I/ILGxx1sggkcJF8IZ/QtC1JIg6p/T4+BfQzMIj00LVPxVEP97dw/hkiTP4xbwBTMRtCf8RF5DXprQXokE5hPtfpOpRyLFnlhvXkHPMl1HgRUSmB3JvnVTf4Pf0tmvr5wS0shDI0SbjxeQMBO8wkTQcLMPH4g3wM2YL+az9hRnv7ZZ+P4duUghUReYIjgjaoG0UU8wTNxIFKnzLP6S7Ys0/8FxqM4ML0KHy2uW/Ip869UVupQY17+qQ+ek8dbuMIqE1kW3lLH
-    GITEA_API_KEY: AgBoVWmdNBwzRUp1CTplE7VSJZc+VTGv191G9UqeQKGeV5HIUyF9Bcd7+49uQ/0PfXJkRJFLn8vBEm+2CdHElvDn72JwhFO4QNklCtkQAecVAcHu+mHhU4JF4xoJzpjiajT64yBKiJpyNf05yvBmaByArAcMVfRkp57E6KpiVDQ67VNTF80qV+Bwr8wXYdgb9YFpPVvQAGg7n1Sw7M5xXk0YHQrLAAUcm5UF4FrvOY4FiG5evPvNsoVn8utRkOYUfgAYk95NilLjgZpC0v+sgX746PLODwKic+98dzzMeGCawTWLiHsQWIll5OOVjpGi1zVql0dUM2uJcOKSOStGFEqt8CrIqKI3JhA1k1fB6ro5i+WjW8cAf23FnyKzv7EsVGSkUfi2ilZVDUgK0h1IEAjy11iCjIkv0S4/muD7RWU+o13ExUUgViHQFj9ZgRCD0qF9t902bf4o0ZDn5hUNFGW0PgvltU3LYT1llNt/CZePkEtJNUkBO9GS1igri1vZo4V2ZXyjD47XqfWYIXx24oUAfSLPV8DorjorsWo50YqSNoqXoVyVr+oAuCiJQZGJ61HMFZggy0nRFyZfMZE9F6XHML4SdxW2u+m5teq4NTwnGqoowubgxn+9nasKw27oPPAcs3Bk4bzlnaQGdV5FgCt0yQqDtLTO/yG0CatuQ/WIXj1FsxpCwYL15hXmXwR2jkGpRrDOWxVXrtWUupXxzHRc+5GOSk/TNDI547gTwa0Z5Ez5Rkm6U+fY
+    GITEA_API_KEY: AgCDvcSCoZHlgXRV2EQ9Axi5uVbXiqeWrgu7v5dzzjmSHz36bftH+PCR/NQwj79uCPfyDCMEqfYDK0Bypn+K0vPlf3vktAxOc6sxjh61ciZo9lu/FTRsmDV9thQA+ZTxJtYg6ZfyFaVd2/XxA3Lsh3Un530qwu2wTFC5raoyqIBkyZm83T6dlz4GhrteOAvGibOYWaEPcJlVslARqrzHg/rJK0nCNS88OhvIVLcIUq0j82boEB2CUqlLfP36kx2y0eUdOfQYgzTF2uGL7oZTEkXrb4+QG2+SY1NUCg4SS6CJbqP5TPFYDCpCoi4YNCd0De/YgOKoUBDs0gV/VHNRs/YgDbYcC30I9UL9Da3KSYcQtS9SMs57RcBNHPGE0WurP+E36RbodfuIAP6XPTBPvP93XDLavHNJesHAmcNX13hqx3Otzca4zC0IbIl67jNzPS4bo3Spta9FCtN589PMEzhm/YOxAaklttKQ4IqGS+yadIgKRbfUOEUnGEtFyk6IpcccXuNE6A2OKqVEbDHr2JCuCpsC0WT/Ysvkic1yoScetzsHtM1m9ASOZGvwJZnIxfzF5wOzmYo3QLJAWcDH3956NU8J18orpiifU9yyRk7viQYH07AarjoRwR97nN1JlP1CJ9p3+vdxgBtnwpQDKeJUnVtq5OpqzyGJ7ZTlNb694rNE+rY1Ufm+1vVUUv/8B7yGxi6YT2kzQia7aWIkP2B3ngaZPt4EkJwCgITkB1qTl2SJZvjNDJxg
-    IMMICH_API_KEY: AgA5J7L36M1XYLuwpRsdLGxLWh2SPdHewfueOLxlRoSL7ROz+PfXxkLtOzZVuu3dZ7op/QRL/yHt4YimIVHuerPCePmPxGovxX6a47BNkbe6kN+1yG0kc/t/EoAuwQqf7tGg3bBSIBf/opm7cy4Av83imbCsktwbjfiiu+omdTgiqB92bizWu/Av9FuG3f9i1WMX3L8jJWg9KE/IuONhfRzciE4K3r8ci6G5dIMGKk1WHGDGZGkquw0NWFk2dnRIMWKKB70QynfNcXdc6FRZRx2mZtXRNyWcbu+kvmC9LlcKWbrsrMW1HtN/+3CuUQvkUZjbQo2V97b5/zITe3aJGoC/Pjxk+uvwklhUD346Z//8tZEw/Z4FlZXOjyONIqs9DPx76bd5n2fc0mk8FbEZ2Bgj2HLtq6ZrCR0V6R0KwF4gIhV8YTMc0lYAWBNhckK2EEb+lN9etEDS8PJH7PI46QuFhi1xrP5W811wnzcqf3vs9O3JeFsX13/m2IokbPhc3hGVFyVGfNHCGENT4lfirN2Yct9EGkuHYMNWVpVKTsSQWdT03dJmCB84eKyskruz0XGukJIt9OFh79R3aeXVZB1JIyJX5u0Z6lFa4XGqGFKovry3JP7hGG98UNPMTBxqF2Ngu4Ei5jJ9azifF3oup80lq9bS1Zvin1AhAnrxW5m8Q2z4IKdVXWO3w80/qOBDmVzlUMuIjaEVj/zTZMZhP9QmXax7c8RO5nwW5J4x/yFxKNbnwF3PgsndMV0=
+    IMMICH_API_KEY: AgAsbCSTCRY3aiCtCEsg9uF49S3TF++x6tPr9MRiYt0xYLv28oZk1Y0E/aiX63MfRAh/WGu3zp0qPlQ6vb/Op8CT62uHZZ+Ngm33C1YS/ZyMzmyMqKaNg8kTpUdW9h6gb6HVdRtJmtCwjJMgpVocnItS7Swg/GPTPwNit2Vq6S5D/qK2uG+dkWFWaF11looSkpmG2l90LWRFK02p16vIdRW3wieJtBeo9mkuNPMu06toX6iAM3OaoWqFVeU0skTPvM55r7JN4kckpjxf+UwZw07tDAOyWlOoCpPy+tzr0Ezyd3mp4FwlgB5RVJwLsHRgqQ9QsBjKdQ5EOyhIo0g3J7jhkRTZblUcv+Q8zsMrE2uwYsSxx7Lu5bp1QjiZHAHZ7AepwSPl0uLpAx+9x03lr4Y+vKTfPcRHRBqo+A6/vGwqdeNahnrTTMG8dO3akN15f6ssZvcYAI3YD4PiSWYHr18mu5IZGRnwwZkfrJGeMvbJAnQAOOJMP+VE3Ca3cVpbHQ878Fc3ZbYVrhJveJY45i9OIiPjzm4h1hM/ISzMmeECb2unQsjzlwtbXMeRf9/HzwICBBa8XmBiDFb9p9Xl9SCwF7hgzdtHi7p8B+M13FShbwxplFHHLUBP/SR4TqWodMVad8JfgT7LUs2+qN0BqNX8Ogltx9MyHUEGH+VZMkYr6l3HY+y1X8gv1SHHFsxkDT00nbEHlgHp8CMxXydIAGQT/QCFTqXY/G+v2Lo159KXyVVcmsS9vyBIFfc=
-    JELLYFIN_API_KEY: AgA7AncQWkgYfnBTLUj67lAYERi9AeKOt+UY5sk0pyVVIzrF62qZ6X8T3owLMFpDqYNDbRKMlqHNgbMjyo6O1Vj0mjMB1y9bPOfjjNKUEB/iI0Cxk9ZpoArEqjj0u0Yyts6Od7ASQ1JK0arkhT47FxQPBAqK/MMV9b8QOICb4/L6Tv5ciboBJHsiEaJnXrF2DHnc3A2ongsSZIYbOBvR6s7r7t17MNrOuidO7DHF+dw6gtIn07c3cKKmlCbQ5nDeXkRBk7fGR4jx5VDs8DdbaHxMCDeRXNTCT2jZawijyqBt8M/IE7CpRDeY4XKIVY3i59k9IiD5J/mfRSGmlhQeHvQQ+KbrumbVd+acNdABM3Gcc6qWPjZOJmmnl3BYET3uZm3yWAxU3FbKMhqyH27fySV8b+Eep+HqshiSTekwc6iphdHqPo1aW17xIxR9WJyrQycYH4N1KsDOlbI+T4HbAbXoR3obPpEbm9LyfXGp82/cnmxX5Sr3bbeBzjQ9BjtPTjsbvqR78nGktTVjwxi2fOdArx40IGI9dU3MEbxG6KP3nUHosAmHGcgpeX2tnKxCGChoEDB1AoxD2DfNiLK/WaqmiH2161X/+zEtki4tboCopO7Eb/dASJb43ix+5RlvxC7wS3MhLrzpHRTJogGdfN8OQtpCkkxUkWa4J1uEht6hqeDTagRXsP//SEJLFCt7ovuvIJrd37upn0wnEE/DfO6b/i97BcW3z+DQkqsW6nCAAA==
+    JELLYFIN_API_KEY: AgAMLEPLxHadKP7Ln+Y/zYXpROzPqTib9hiDE9EKqwlhdv93XX7+NUPC22jrkRBkR3/ICwOJs32v8cqD/T+3ERmN5vPphRyBRroONMRSfUfFRA3cqRDfTXKYFwoKJFCZBiOSarNcOpY+hmFM++4lhnsOOG6tk2Gt+C8WGQSynJ45YFDgyOQUFBT5FdQTbdEOMts7RY6MXtS5S11Ej9Ri7fckxjeKCidoagdvZt27GegiqRdOc0Zc1DJelqTorSYi4UZL4Tho2H9EHcGPR2s3XBfFNWXH94Rw6yh8bvtvMkvzeL8RLUDq+diciRZw6k7TvluF92TcQxkjfnryb/nIGV1cy1ccTrW0XcnBYD6A6pe4CPCKiTmlDZmTNDqWiPg4rVyhqjeUiMUgIK367gYY2H9rFlrZms6+tJe0KtQnFS+lAck3sSeyjavL5fv0A2MgL1zXd41fOWibSLMPP9D/v/lE5YuqJVFfj/AsMgGZx2K5yY0le7bAeVbIq8f0eoroAwL5OLd91IQD+YUzqBWhe41VXC5nuPSstAVDkg6RYJVB4mrO/m2hc6KsWK29m11qAFUImut0P4j1Rb5FOy2MhORbDv18mQu0pqoKVxnJQVgdTJ5puDxlCFfe/jzR8UcKlICu2LR/R5uyY5T0SQ04aI5bLp+RiZjU2SS5GfXDrjz7C7h7j15aEBgZNNggvcSTFr/kNZVczmBWxCah5ckTF/4pWr8WlS17YSvSxQT3OgYDRQ==
-    JELLYSEERR_API_KEY: AgCm/zo3jsGo4d7aWb7q07jfMnpwpdNiyp6Wpc4FsIhLmnaclr2+yrNC4N3nFvRK6h/s9nJaRC9fDXUQ673AcNcSujXQ8XzQ8SiS/47T3925ZZ1ni7ZJkpaxV1bJK4X8puq17NZ2XEUntdTNUtXywnMlAw0E/jEFF+um5BJuvwAo+cvKLY51eHR9sjxWCzrJIM3Ty6CjX2sixu/r+v9mtFxI3gnSvg3yw/bUXKBhYK7REPiIdlAnzX3Muh6IxB1Ag5tbSJJFMeJnoMXkvoEDfD7aCC256SbuPxr2skzQtL/Ai+glFPy8xVo2obgj03I7hHUJVLqi5lbYjO+gLTjIGPHSEmr0nv3/IKlxJDJDy/xzMwJbnCa40vtKmfvQLCR0e0jNfM0PZ7qcxx1UZTTE6Yvku0wWDgda/26fS4UNV/0MXmT9tjDK86ubJZwwuIDqMPi7H+HOFF7t+0O4OK4avPxF0G8xtejF1nhvAyGA0176qjeqEbo2MisNroc//F+lH3uSSaMa2G3BymIqjdVfBuI/RhEYpad8gFyu+/oBiGppfzjrz9qWLL+EcUyyarRMGNUPWAxgCn6wKbLc/OurfIBoXvZINucavo58S5OY4Yw4n2Fvff29GTszl0pzrOKuN1GisxdqsMvUsUxQjuf/HAazow1NAcKmj8pzVxlKvRDYcNzzkuvXI0FEoSB8mp+z2QAnzdHVvSHJlKZn5PBSKfQU8B4LKcZ3FTB1OETetqgIbB6G5Nfxk/Ibc/BD2jdbpf/olLQjH9zm8+UGFsgdX/ILRaZRHA==
+    JELLYSEERR_API_KEY: AgCmBjM6O/Y/gsb+BXwCFhDu3dea/itAx6zGvz+ammVzUSPJE4+N4u4PEkT8ZUIay9Q8Uf3BERiidu2wcMdT5BJ74JhLRZdxMAjC1MbSz92DRKntWDxNm5q0FgRYrbSV8qWNhwG9vNROObNTmgLuxMw5RF2Py0IJxA2Yy8Lc+Ff3d95mkijjuKf4Q3VdI1Zk1mGuZhQbw4+yJE0SzeEv+dQlqWTXMWc74K3xXpEipEJSUMXj856vnTvUJlp5vCWZS3nCfEZoCdMrZ8cvx8iV8tRqGk3zGVaAekZKq+YMLe5ERbAHlNj0f0imJZ7IesVBUdkYEWZUzepMidiEIkITrFfTUKHUCZzfThCKJrQtl8c7d8dtPyklqA0HLcD2TsqAF5XO6fBrBXUm3+9B7siTFAZCfuit5Q2hon+Sx+uIEEwZMmwzf2RbpXQxXViK+Hs7NpeGPUqOH4HpagBzwzyrXu76swelnKSgMMo/D9iTR1ymnsc05t3MAp3ypRfqfvRWbUmpWZYiz5CejuUXecm7osZuz3vMoopBUI/q/aaLhs4+6DOGIWCme20wDo/Me+im29sDyCmcws+OscbkqmlXO2sqOBmwPbF0qzNXkIeeg/zqvSIR47/Pm97oMecu4o9YY6hei4+0I2bpe+CEs2vYaU6+hXB8M6mGauNrLH/0LB0J1dmwNzHlXnHPj/OhmG9MDUp0muasHKdoTRPFuFoW/vtqNTpEV43Be3tJu0ky9+8XuVGOA22lGCiv4ZLvldzrfg0xthq4iVa7+wr1enllzeNFvSM+oQ==
-    NEXTCLOUD_PASSWORD: AgAQPkQEKvy8CzRTrpfxqz5YswiZSLkkzxf8H6k9KrNJFRim/qEbmAyyC+JdMdnuJMT84j5XuDcehPc42d6vfm+YaYF+cRA3xP/xkyyAB17UhLSJu8Go/JFqPLNcxEBmSsogh1MXUU2TFYl1uCQwBn0BoLjdBffEKTw9yL0Izizd9VbwBCNJFHWv5PMkcdquBhnfjNhb6fH7667YdCMBY++TVQ94X5AwgJrZgV2+C2b+7BR4QNmcCzevS3ahBfZFvQCVAnPuZ1Bzs2xKZw0eg77soGCXCh2KG6sjjYIx7+bPPMjRSxBOJYb/e4HdpDDscH27F7RYbSPdQx/+Xd3cwu7BU6S8+px/1RrX4w3HvpxjuSrelBje5qD9ezEx8+4OqQc/sd003j0pKJdv8U0V8qDgSjenmd/xujkgY3ooKwgj3cvdotR3RherUMYrfKtz2KEO0nfRH0nlwwkg+X2gfwTHRnM2ONWyLhuomwHRHlKH5XgPvjqQxm3wMGsShEXBJdQiNOHwyfcLG352dOFP6q2wRr98h/7vWZh0b5eR7d5rJmy4k5XF5R8auYkfzHGAUnDmWIhJweHmQJ/Xto2p3QjJVUm8ToPOYx/FDdHCHwf11Kz4qJIk48B4KKkr/7llwmw5/iQzvTyH/U04TBnltXosSbrndmWYm6fee+QbB9vVGOGdVYvCcISdmmjMzNuuXgoHpEknDE+O1P4SNA==
+    NEXTCLOUD_PASSWORD: AgCc8eCMeOs5UR7jCf30qivGD4Bd6SXewfRKmME6WBYMACiYctORNgt+Smwm3oFSGS6Rjtc3gfNmU87gvVamCcrzxIdOH8pT/I7uJBkhRz+dWNAevW4WsZmBqDh5oYkNWa42wSTZQQRsfR2fYUQaQB+EAf8eo08fGY/thWuDpH+QBvqn1ODCXJiRl2SUpax47/jxTkRCIrpWQkndjlAmTHwONaWKFHVYayY4HkkRq2Wdtq13u0Iq4Zo1AMYaX3p+3s1Uthlk6jDJuAkifZUqTn6vyvI6nT6lFN10ilf3SDxWbQmyZn39vwYCzOUWG3niCYogJRWO0vRd6GnTu7ndzmiumMz1Cp/4qyUiWN9jass4+rgwCi33Qz5zP1+YDKWmuDs1uRf6m+ub9nG/TvcT/b5U8luv3RIoaMc8yRt8IC2bHZzSmDVZSG/wLh2YPaRfzmx4YxjXTsvliONbPpZavnIm0gHrQnwvEla+1xba/CtpVjQa3F6h2tCFJuc7AgP7fGYt1PLuim5y4GfNfmZV3ZljMPUqJ/YjgXJ+Z1A+XRLKRWBcNzy9k0D31Z9m4R80D2uT/1rtHR43RNnuugRJND6ejs66rM2rdBdXLnrLra2XpByh9TShrCQS5ir+Hnl4mnVmEqIDQ19mANJtYNtmEBTo3xiyEQCPiq/xaSjDm8U6QeqkhbfXvFm59RxdVPQA1iHQBknS+cqyF6qGaw==
-    PIHOLE_PASSWORD: AgAFZHwzPUmNfWBDKHjdhmGJy4l+JzvYAKZ/95dmmNl4lFe9t8kwixy1gAoyoYHMUywTwSoD7HZkRqQigDrac0xyS2B/zglKg6MoIfGsMQ/WWGsHCZZLEt4E6FhSdz8BZYuT6aBtfRlGVI2Uwx1jfoO414LClNiYXv5mO4JvitQYOMo2tPxU7z02RZq5ZAA10bfC5yU6bbvNH+tnSWbmVVchptaYk9ssbk6TWtOu9oMYY9+Vkhyyg0UgVRTnTeBW8pA/HB6JsgCxwnXwzs+wD2LtO46Ev+aBrWtYAN3MyyeevGd41JqjCXowjCwVzT6SzCDcsN2NZT0EtHc7DwHYbrly1ZzMmSxRFhvMSDUht8Cfl+C36aBXz685rdj/+guzH+URxmMNXkUsoFXEnyvrrKbQnfBpeMsT//3YdO7Pd5MlkDwvqiNMSbNuZh5REk1f5XYDY5hubGQ1KMDxAPgEfPKOQSh+kbLLE5LOe9OngVrdEgY25nYYceJNZEE1z07biMQAS582QAyZjUWd2X1tzPyKLCLxkm8DC/FSkO86VTjkN3egJg+8F8Jn+w7mCyRlfYHVNzWxQ1Jt4sw7x9slH7Py03GeGGEoBsxG100RWMQqdiBcrZcow/psYzFaGeGvwDZHgQkzFpSAJTYcWoEoowfoFdAfxwEXEbkKf9FD+HQom5rrm/a1diPQZ/U3uqLmNffo2oaXGwad6jAOEQ==
+    PIHOLE_API_KEY: AgAkXqWweu5cFLjJAusl6l85l+TsYRZRKf+mUbV3Lo6gtN4n07zJrOzFYH4u2GYkgPftfOaRZ/CpUOEJflkakXoTwru1L4THk0irP6yNqGvBNJF1b53+zH1hO1tAUM0B101fCmnJ3yZ50onExfwHL/mDAqyl0LlWaZ+9M/S4Kr3lqePhwdBRUv9UXaVBe5BtF4nLwnux/Ya6+lgJ9SvyD4ZQF6ueDYT2woUz4cJa1wqOVZVueS/wYobma6I5wrY3oQVT/feFCDsd8vf7uOcJDjwn/GobBeEhpc3yyti3vW+y9B+tmfvGGk2voAtxVDiN6ysHQQfO5pfqb1q92BREIZ18+jPdQQGXJ7BCvS3TIYhfMcW0EvZb5GgOyp26DZyVHIt+HZHKz2FTISli/EtHsXKUaxUQIEs5VouIDjX3gGRWWaHfMu/2neWJmlZcrRAZsOEHF0C4VXTzq7NsaTgCL6Qbp9QIlDaXMLvroGT/HHGfIcLY5kL0xneHsQyZrp/PqbUkEGCNdYopAuwmSdSbZoTMv6yJNUZFa9OYXqLzees4L6c+3POuKdpdBI3cMMllEmWMQGYgSa6Dw5hIpAUsKP5methfAsr7ASah2vQu6GYFcc5cI9dM4jt8ZAkLKPIummC1REuwdD/JAa+7XQRVqae/D/j8dcftwpuHMez5iKsahdKVInaCgG+bMt6PsnPu0+fGAl6yGbJ+39zl
-    PROWLARR_API_KEY: AgCj9aH1N2xav3cZzpdX7yrudiiwr6+k0bJwbUln3qkIviT2XrnjNOeCk4mridm25waYzIMGaoXe2qOsMX7xqASiSCkYTpP71RkC8XWme7SZGkpcuG3VZWr7PKhxHtSTKFxiHp+Dh0NfIFlaqm5bVRZMCfBVjjkaJgqOg06puyQ89ILsFvKkjLjBhYWfNQ9+exaFoAt6aZEbTjyENvjMnMdndfMcbM1UhWAVVmM6HAChlpg7nbrG4/RIL8I0Xu53vUF6WKslZ7sInNVFm8xakUn8oPBk+2quD8BqYgxp7jAO9IJUOskCkJYCG9Wa91Bn87iI7YYti1cdtFH6xYgx0tPWXZ6A6fShSB5ItWVvoZb2krTbdMC5W97yV9uQ+PBRhOzYslwLA1Wl3oYYfd6HUFi0i22UCG4YiZH9wSKBKKSxHVB/5IIDIMHhEl3kFVv4U2IP+UkQf14g5bIAbm8XZwKBlIKNDAjKjHHT0YQemmnQeRT1V8rb2bk6XLrhOAs2zE0hyjcYc6UvIz54a7Yrsxnu0qOauIaWtea7nNLCJoOoloYaBN8dsOxC3cElHVnay78psouaheMTkl4bd/raxoQjB5MeNXJgg+i57NC6XAYQOs+2HXrpRPkcWNn+SK0P/nYG9H/YOC8luB1CI76iNxETp59B/rsQmS99SNdT+pMd6NyuQ1LV83TPbK+N+GRUEAFk3PpvO2lErVbV860fXtMPrfzzBKlBxhh0gSIa1wcmNw==
+    PIHOLE_PASSWORD: AgAcUZTYElvizIHDgtvMTkS2XSHRrYYAzq29uwa3lyigqOyvvsw6F2WEySm6j0Oowv2Wb3uvm0ZLCydRy/Zk8Ba0B/pvTTnZs1n6mdN6KSC9WYW1vXxy2dtSFCQvEnEmnJN+BrsCfNCEJyQKreoJr8GdowJc367f8eghH02sJrJIai9SFU/h/4hn1ALqozLOBDxtM5PPG6AqTFh4InYcO0iaLiMuic0c7kEA7AALV96/OtkNfi0wr1JOfLpicm8yKwSOo0isEyHyF9rLohUgH261LAcS99XYdefYas4w1C6ex60xcP7lxJVGggoO8YRZY6pYtOjfa2zpWJh9JHl5Mo906B7GbTtqBvn7quoElxKN+Gjsv2gdzR6I1MWlzwW0MXuUGwrhX0I8NITOP6twRQgqKsf8ncXUvNPwpKDQ63g+abb8eboebEdq2titFVLIrPGey1y6SVbH15jnsL1eCaNdMvbAL4/e1wOoSDVgAuUREHo6NKG+U9T+GQ1VJor1n88gcpWddHq/Kok+SiNLW2d1dXTg5CSr5I2p35J/ShojFm6tBwjqtwLUgPlPrxDlm9EAW0N3nk0ATUXObx8xoqU+zJM2Utf2RXAN5BUkXdvNrGDREja/IXLaHZKilqg5qRs/HVxJwTDOOcWqCnJNXvcl/RJchN5AHEnz/8PoFtsZfcOEaVtmHwm4gAH5FKEZIErnuWKZIEWt1O6sTA==
-    PROXMOX_BACKUP_SERVER_PASSWORD: AgCVMXSjbcMi33l/lAvSpfK0hZIiem/BsAsytKLAgdCkhidl226OWm8zaecQdkE2lCLIJ9TBvk298QO7vK6Nh0snTTfJwTLDgMM6P5HnzwjmVG0zAYq0k8ilORC84IP5tKxvoK/9z3S7NNOi95aU17aMpugHRQKyAYEdnn6Qz6Le3cMc/asXaqdwxN3/jF8AjWcGP9kve+9sayiQDxeCoZD7HP+zN8UW1ts40SUM01wLvoMMVFWp9L+tzbxP+QogMIn75/SPhymRNK5YZg4Nb6NulJ2iQj7K8qPp1cwuaul3kJO6RD9QcSV0mvlIafFkzoISGSq6VFsPIMOvfGWS37u2aaBi7v7qiC4kudM2N3ArXyDA5aIWTbKG41QgVRxzwxkKSBHJWnUx7ZXyzldcAr9Sl+U6RQCATw93/o9JwAo2D36yvn5++SurfBP5GImGgI1aVNX6FbBeKUAte8sF7VV4usoeTdDQ/BQgEdaqtTtbc9+jv7G+6KacQcDvmEXN2L5cvw6C+KShEX0F8CnjjIoDg2RhzmGzJp4aWRaj8KXnqVJnlhpBVevoyNb651/eGc6c4ekj70drC/qvyM7EHPq4Lj/c/slsN9VxoZ+hjBNTM4G3eUBm2TsIfcmw03YRTd8Rl1iSDF41zb3oZe2167OGFPdxMqahZ1yqSSrw633mJBIz7DMLMbr2Bpt/Vb/8+8IJlBjhwOH6EViuQXuBDH+c06GWj7qzrG2mle7ZPOWDXzpo/74=
+    PROWLARR_API_KEY: AgBlA/pCQWKVAw925RVAhSILv/aWfexF0GvmsQrRGD+vFkpW2W9aZG7p1fV+5hJkzyJaTBva6xO5Jd+2lksZo8/CpGyTioZQAo+mZKAanJVKKo/TJO4R729GyfZND4T5P55Kqj+CoLn/0RFE/HIQNa0YefzsW1IWXQv1AS5vFXwqLigZBaOBS8twQOk80bMHtb0K+EP2hSa1GZG++MGIV3QIy1xJ087cizf/wSrNg1ohafhRHZfA97+vfbm2HdJ98Y4sInwf1bF53cFNpHkhW3MYFLU8Oaw+tTKmmtTT0zDmFcIdnkNp6Fm2evISbmNyeDut+2J98hqRuPEkUCfV6Rv8lrm2DXkLfzmedmRMPnJLpYNJiJXiAs63JTd4kjfLwCmGPo6PH8ECRlOWsrkBxuQ48eoBq9E61p42hpLdtZynW0Z6cZLAQTx2obEnbBtOoJ2rhKkizbbijRLKWa9cMXtzqyoAOk0aE1VtTw5BfjIzBA2XWe4/FALLEHOkzJWW+TFEOLkHjMCM6E0mkRcVkUyOB9V8vG7Rj6qzkazp7lKl9CgxTs1mZpdhrTnfFy1axwifB0NZcm+fjjKTTqs+zmr6nCcZG++mTgkrh5jK+aiV4ItrKbGbPTHYtsdvuzVWYeNCfqlxa7ZsaLmfAMXiC6qPNvosSef3IHIyrKE8raqrHNEM5vZ4hhYRKmlJCVnAoAl4W49lzUbpGvMn5i1WRcFoMtzE8g6oELhBBTxTk+Y8Ag==
-    PROXMOX_PASSWORD: AgBQo8cxn6yQ/l6OyQBc6LJlvY46ddDIDVc8UcY210eGpUbmF7apcYp7uf62b/Z3qgZCTcfimlOeMTWnLqlWAHkp5ARE1H6ou8Z/X8kH7aaYoGR4mTlIaIASvkn5WAUfsnW/+AZRoMkwJc0l1Ns4XATbn7sMTexVqZei407iW8/yDshVsIbnv2en0np9vBB+cHwkjfCrJViLxc8vKhXuxNeJYG/w2qsnbQQeiAYFQ8KtC4J3J6xylVSLA5Qpur5r+XsElDSbxuB1V2R9BPRIz6pIutk99RhFeU1xkDrcyxYUBbiWg2w0c6c6Alp5GtkEQs+pOSpoaXbpBUcRJq4FEWPRt9mFIdtCtP1LK31lAL9K/Be+i5pHr1glCvtGM/IaFtgdU+LF7V1SxEHB37sRvInbsf00RN3rUUFy3lOsYVx9RzsrFLjFufJ/uZlYjiMoOUQV93v05LtBqSQhLj8IHGLuPUSp4c81sGKnyRj+j2Mp2gVdxmg0mDYZPopOpE7rh1s6F35hr/dYzaKVKCUo02XcmextvOEbmdHvJwsDeqmntbUh1C7aXN5wG4XXtTJkvyTvOA81wZxlkMuQHRnB1w6lUo8pGAbdTd+QIzibvnHbqpOEi5Z69GYfF8F5lPEEFSsidobu9ybRAGfKyAM/F3RQa5t515UDNJZxRAiEwaNukS6bI2/i9P+lj5EEisO3vf533cgpuDoersEHFaByr60vAz0P1/0WbfFnVs2ckBOlBq0JJ0I=
+    PROXMOX_BACKUP_SERVER_PASSWORD: AgBHdIz2VxogpHvgYujwMmt3tWF90GcbCp0czkgHHESsd2m7bJGPZfY0yA+hmQ1t+iAorjGwOKUfZQFSfI20nktTHFTRhknIpu52259KrjroDftDbE75AlFSqZ1Nc2+6yUkZe1N4+SJT56JBumV9p0qEggxImKuP0hdTPFdcPYYQcE/vKJAYh4ysIcXrcUGA+RTrd10hQd96F1/wxc7ljbY0m7pg/LDSO6lcUf0lVrNRg0MgDt5WIZXM2HsSlSSbH81dDOOXMjmcylQSZkB2Tbe11KSEj/NcovhW0AFQS2D8J40s/dJ9ez4F0YSiz1UB5AQZhneBoSLwUhFE+5smyliGMeyYTai4N5l02A69/JdQa5qf3wJ+MDAPsCbw/sqsP8wz3+mG5aznCjJcwZomaGuUi3O1y/UKl+4hNbiWlcxXLAHKcTpyX/EHWYH9mucbsz9PqO9BniEF5d78D3gTZyGMLeeWjFgshx7eFsw0UV++PTneF0TMacwJA0bp3lm2VrW5Ae5aSdEL6/RUZmny0wkkVPy8YUYpjsfm8nPbxTG6RqOZie8q05lEGKPxWWTO5b5OrQ2sepUSvIxBS+TsLLEKqqiBtRa4TYXBh+ChwTetHLK5cDbpS5XJbnfunovPtfgBRjikbuf0Ez3d9Rhz8BOToEzHTSW+gsGbUJcnCD/NESCOYEZqpcFNGDFL3vDSQgFr0Fnyd3SFZC4uIm4dzRI5urrlTBkQPBhgOaACjVJEjUYvCIE=
-    QBITTORRENT_PASSWORD: AgAwLB/GGtFpjQKwRdlxFjp5+r3J7UKNAnz86KaxEEDUyBrmed0KjdXskX5HUn2lbzktDD94MRCbez4mVODr2XjXunzNW+kY96qG1+Z632eC19FTRv/Ve4TVOOx75DVsjWp+UaPUHPJUuh+ojPER8IhhFNi1Yrr6EwljnBGSP9aKjazi6cAIYgcYm+n0UgMWOwVJ1sJiPB/EqJY7nh8QbnwxPIDL1lSuSq2VAcAUIAKDzT1GUYDux1BVM6qVaHEt+JVS6pa4Gyi3ArzfTYvX1Ph5e67BdTpjXoNOBeiQLLcrBRtqx7Q7WmoC1jsyReZRtIOvJzbA3IFYUuHgqMYD/sd1roW529Z7IHWmc38pEdbPS+VuTLw0Za1Oh1mFKTDVFepvIa97+aBOK1P1JJA+oFy3YSdk0pcjdRQ88jFLYUcS3IKnTi1oFNPjP5Y0PDUDTIDFA/26lTgEfraaHmCeEZ5vZaQr8uFQ8bsghpbiQAmIzLhg7+XlcGMcOaTWFtPuui8XVgmoStF7pCoIDZ+/RDXqAJ4YDZCW/Aw8BrIh8H3tbFGn+9xt4XDmoD/ORcwXn4PhAo8QTajnrsRd2z7zhK2EO7vJND2YzJ7Yi2E7wbBddUQApg4gTt3h+IO4doxNiRH+1SL/fR129Ofh2icofeQa4AugJERJBXz5ySOJkGz2iwrgQKFK6nYGkJQIqwZRV9nuYy7uq47NigSB
+    PROXMOX_PASSWORD: AgACQWEwrEjBcb6Y4GGrvGKgmKf2V6OhAh+WblEBBPilDa2lITukc7kKLIMF0jYmVCILV8reZ/ByBTTD+7mNuGlZZ7sogyyQlo4LI94pM/fdZCGk3RIwNglQtDfN2+/tF7F6JruBOq5Pf/9u0ZRk20XBQsqZIlWmD7Y8Ul3Cz2OYHpP6KJCNJrzjYEo1f7fkYqg+Rz0z+UVULisUlqbFbEfXXP5N0Z+lSs5vGcFC4MSamQngDX1BKlXbpKsaqNahnffgS/tgQWpQ7xPvdyQR2w3fnEKngQVPk9RKcQaLqxwmndTqy7HGsqII6wcn40cFMrE09+bCZmdZQTaSgiUZcTFLTEsnC0exWVtHiCbSaM+oHM77Q7efcvWY1CEdeI8k7jOOGfmJGZhkc+eqLMvqKYX16dw4A2ffhNn3Fj1+Mu+J/GNsytk7rTFgxdPNqx+QQZsziYdlhDoOTMO9LgEa7l/cLxRrK2hz/2inyKyLTFIkhZJrDniebNM0QHGkSCPHyhDStcQ2zGIy6JOIQsGkMXmrqnZebaYDk4hAmXQS8iJQTb+oFGFXWCO6Fd/VfOBzcN0Fiss/BQLuMH8MYisIl3+oHFALQ1Ovvhzc13U7bqgMBN+6oqg1w0VsM5kqJ54zy2A1RQg77itLBOwfgz2ftpbcySCn4ZeDNgu8KeT/TeY0JoujmM4i83hq0XLiO2GAJgKrHiuIYomg5staK109DzSLeHI0n4MAqZGuNp6hOv4JgyKhMI4=
-    RADARR_API_KEY: AgC9iADuhEDNFW8tW9yl/Mut43g98t6xGe2TwxDubHRYUgAloJXbWvSh5LYW/O5UytjXoXC7XqLntqKDm2JOl1iKjtsXsHFM4Gyt9oPebfYdgMD2S8UZR5RI/O1gS81nerOZprO4ad6jzP0i5+wFf5q/7UaYRQuhaqPrDy5ecBwgdTHJTXbiw1UVzeWcidiyuTI7rKeUW7oBHbRFWY+7fb1M4kv+NWJA/BozzlA4NvtRLoaXQkPpqj4BqYJF5jdL9jvj6TuFZd5uBFKY5urM4jvbPM+ZrpRx6QM3BdzG7O4rnaVPUm1+O1Zkv3UJn3mx+7+h6HRzaCti8i2HklB8Qo6kAS/geBdnPwP/bBMfdfIhvpA4WUeGJ+Fsr3pmrrB07O2RtNfnrtAq4gy7Zx/e5TbxZm2QUNcWDTKHkgFd4UZQMDDZL0BTNOYCW+970Ozljh9Q+TlMwboH8fLwllvcjomkINKEt/ljwJ1gJqh2ioAe9SuGFw0X89pR7tP8CAWo5piJPZ1f/CbjJmL4frjE7NFCH4hWTQMV6x9Z5uDnu3zEuQDIlV692Gkrh3XFnQsBmWheR3ASoApP64gb/HVg5V/rZM2bP7+HUKR9S1A8ipn9M/chIbb5r07Q42iPsoJ9KjMB5v+IJgZX0xkX2API16l6rGib4/phFbCj+Yvl37EEwyPVvVlYi6G/PyIH/sAk5QAGVUteh1xENpG/1MM91xMxCSwaVN/1XK2HgFIrx04jJQ==
+    QBITTORRENT_PASSWORD: AgAdMAxiSrxWpdmrD6FrZXceFVqhqk1UqL3kruE7aEjmHVmpNqv6BM4u8CdxUIZS99U/Z0CtfAGZ9IEoKH5Ldq+kbtwHNXLxNqYLIkwk7aKJhISRwFAMpg6+FGbTIvoBJgC1xwTZhYC2L9HtwZPj2PN98uMlHpm48yv/qw7awE5o35MmUKyd8EwCi0iT8WaxpGguXyg0ITNSW9D1NZ5OZqVNeL7FJ0GuLWOrHImiZtNAbZuB6B0+3UeQiFE31FbchB7JzCIJu7NZ0+yqxfCBX/4cTR+gZZ6eyaUHIfve5PT2mKjQ2WTAEVbGaEjhE1V5B+bkAJUULtFbcsQUatQm/cj8pyDNT1nCleKRBUFOnB078jguhOLB7FzE1+e2xl2vbCSERS272OegGzf6/FPqXrOcELMKlSNCQlPwWZ94MomGbUKsjmPrFGrqP5aXfY2zCXrv2KSpcHDtUndeyE9OCIucx7dMFrIPpEi22J+oJY87quZqrpyjMypDfxcAJbAgQFBlHBgJZ/ACszqfoAr56x1xXZIM0QVK6Up7irt9rt1RBAkNlSywsqHEWcDgnx+tH0qz8y5NdACjK8xY5iWSGgifkq4kiecQdf4BRhiBLbe4FydQv/AZu1dNMJbGU2hnPESUIntTHqJQ0mM8d0aMNkOdSH9qc0NAJDFsC3oEjnuRXEOSwXSyzEqDBTVuLESyf2iabmPzyMqdbv7i
-    SONARR_API_KEY: AgAOgN6pcsz+r8JD+LCeytbSN3MM6qu+fJlfBWV/CHIoqap7HKTpny4jf9P5/sCXRuoNvqhECnGic6cn5HTukR6nbt+/J21hBYs1rQ99l1/QwF69x5K/6N0tG1gB8dD5B/ELsJO0bOask9yl0Bg5xj2gmZLXVRXMvyZZLG4j4+yxcgdaZbv7JbIAPQVxLkR7ijL7ZCir3rjcQ7DDDvjTNFpqYLgLRAhZ82rlMH3UB/pXpNu/44bnJ20jzwxwqjym1aVTL7YjdBg0w2Po03TnAOnX52Cesug1Q0MRwInrgWF7xPOqufd3BZOSFC5LGVVYyhc3wW/ZfvlY4U+bxy+WNUoJdsoWErW8MkmV7C9qN9v7b8jP6JR5r+gAVvw7reLo45KilxGek3ZHtzzbi8t+9KXJmyFVLhrrERhO4qQTFZKOR+6C61zSg1C1hTZ9OxRVbGsvHABo6TB2BOcctMLZBwh7AukPqBp4JfHWxmXEBpZhzeKKw/+x01c79V73BbowweKrfTrVrD/i9SW/veHsG1aosLSLkJhTNvH1iyQC+Kf5HJgQKL54yJWbS0dd9a7cNzo6gCOdUTsemGRK7/kA2WbOK++zJ+/j804K3JLBKsmG9qb+xZ22KJFsWg8A+Mx17CbAE7DP0AKhPxkOFx9b8ud5IhwKTQRt4JiLMpPpSa1Q2lhXEjGtyL0piBKOqkqBCxPPUJwHdEa4y0y+tGXshV9khpSb6hyHXiHdFzbXWDI7NA==
+    RADARR_API_KEY: AgA5tKo/V/uCwIpSKNSBrtgJst9n8JXYrlqWD0HgJM5ccUdvUdgwf+Mun+rQDNMDrPz/uIxkjNkUIoplatpQh0s4WlwaEkosf57gmq0TIiId6+x/Z9S4bDfrjqaaFJTDZRaiZWxMgOkSNzKdFh5itSdw0Vjh6ojB/fElB0zYENZAXI8uKIPeebdCYtPgVG+ap7tLlj2Y28zinJc6lHO73g+qgHeEx22N6rr5coY8OIB58KuZ6mcSUvEsPLItkvQ9vDxbv28uv+c9ktfwSDbK7+lbVHQdqfkk8QT1GQCS2Xlf9CXndxzhqQ6ME5W1PWs7znC2K+b7rJ1UInlUpXkzsP1nDsrrPeC14dQ80kR3+Yz/AbLvKBV9eK4FRMp5fLK9C2s5Gy5tcWJLoFA7N8tR2oAIkZCIEaJ34YQeGGP631UyIa1IUuN8ZotvZo3nUXKF0SJhc7SAvqxNYLKfw3Xk1fa/T1Mr4wWIbtfrO3NvoPkt5gHGfTi5ECjPsd72XV185323nOvVBmiYpQCA7RCEOm7cXR/EEcxX7nKHdsZIOULJElc3dYflsd61uKZdwIRXa8ACNLSuRAQRtxUVQ+t5UlWxmxYB5wjRwjSSJ5HXOqNrcr9Go/zh2XFY6XaWoCF97t9xCa+P3SSokfTFhfLutYmSPwZ5VyZTXyH+/bjd8stxeBeneWso7yK2cDdOLSX29/Ke2U1+k1qw4i0wTEC3XHvH3sy1TwE7LDdjjYiHNNeuxA==
+    SABNZBD_API_KEY: AgC5/8HHS6IYQfRI+H0pkkV1+JHeZvgVYYJ6RHU8sgquXDliGSGVa36UwgdmPFeoO4vpCDvvNPvv452rkwxrLwn7Tc2TC2k8zxDkzHlHsKl3T/9CqQ5gD/XKiA2sKETTGD5wVTAk9D7WpMQXZ+P0KDSW+j0s4hz1IOZGNHLn4TuzkV3HzQ+2madOOkfJ11OYoT9xp8HkKJdYy1OkCRB/izbWpwGGl8ul35CNOhHg/nNYLSm8d6YLzYMw7ix9ds1nsUQysco2Lf2cwlMDPvv2HNT16cPUm8+Pr5/FMYuIgMfoTE1ZG1bxRxW92GQqOWzpY91/UxGEaOSkvxoY8rn2KqshVG50l1/GDRTXM4kUaH6sfI2DszfAc0ZPQpV3RnMMRNesbKpebbTljYjut6V08spskHvbcN6cG2KoVBbwaW7xdEiWJtwc/wBLu5lEBCHSgzrgDI8F/EP108a8aCNVzjsl2G+uJsVFj0YcRImTICLDCMC4zW/QBVU5LRtnwWBM8z4IPvKc5c5P+ci1/PVF5qM3WY5Lh1giZsL61kvCfRgJLK2aotlt7VF5fCmi0xj5fpwnSF0A8SdLOrflpJwn+1e69Q8EP/ErEyuyV6o7Bd98j505JYkNTDZigFccZ5k4i2olaTJBSSJsPu0ds92b56bl2/dgwzw2RimrSuztWGysNaC5t8fu3ntpKj2GmqPY4c24boAeuhSoKIhqfa03musDQFhRTmEmT+SIgNZLOKbGaQ==
+    SONARR_API_KEY: AgCIs/MR1p1HjdA1zc9vtDViYqhpLR2V5npw7qd9ueylmh2mdvyNGP9Oh0/v5ZDXiilfar/rUgUed5AwDVx1Z7KG5GpYnkQwchK2/X0kMxCnZPLfmVb7PMHyQq9Bl2O0n/TVoBpyUsbMg5L6Hz5OhrcgtQysE3QCcWwcXeUsrFNf48FEnPXh4jhPqaKmxyyoCwdhRg9XzuZXrMa/66jBQ0aLcPsQgewOXK+UuAtoo7iVxxkaRsebnBo+KX3vMZzzxpeORaDvPAK/QSC1XWynaxAWFbxrDNjL4kFahSwh1bbBaEQ86fu58BMRjJBbLQsnrsqhETZMVpCDX9I6tPMCWzLcsyozmKv/S/lVDb3wIX3D1x6bXYBQr7XcFpVDlMldNIM6hA0Fai2xeou7A8F6orxnhNFkn7l7lhCD3dixuyhyrrM1MhYrQBtSGvRaHHr3c56CzgPR8ZMVLjl6dRObS+A42k/2rqjPeuxre6+vjgzy73PLVfpTxZrH1vJp0eO8tfKfpR3s7jLXxVBmaraI3VmnQgtTuwK19WtbCZBMuDY4faB//291JctfYcG0Ai+uTuMCHWsnXaHRMcVVU2OiQuiweRXkkPAs0Cfkrzr3pG0qNUL8KsCqwO54IM59vf/riFAE2e2w0hzbj80yXLwcqQxU27VtAIJuG/WzO3UOn9uwEk61nkmwEhPue377CA/n6OMf2lFyykTEGOwKS2dzpxFXUDnEhpDqNIx/thg0MEoO7Q==
   template:
     metadata:
       name: homepage-secrets

clusters/default/monitoring/homepage/homepage-config.yml

@@ -118,7 +118,18 @@ data:
                         type: qbittorrent
                         username: admin
                         password: "${QBITTORRENT_PASSWORD}"
-                        url: http://qbittorrent-service.arr-stack.svc.cluster.local:8080
+                        url: http://qbittorrent-service.arr-stack.svc.cluster.local:7070
+              - Sabnzbd:
+                    href: https://sabnzbd.${DOMAIN}
+                    description: nzb client
+                    icon: sabnzbd.png
+                    namespace: arr-stack
+                    podSelector: app=sabnzbd
+                    app: sabnzbd
+                    widget:
+                        type: sabnzbd
+                        url: http://sabnzbd-service.arr-stack.svc.cluster.local:8080
+                        key: "${SABNZBD_API_KEY}"
               - Jellyseerr:
                     href: https://jellyseerr.${DOMAIN}
                     description: request movies and shows
@@ -202,6 +213,18 @@ data:
                         password: "${PROXMOX_BACKUP_SERVER_PASSWORD}"
                         datastore: backups
                         fields: ["datastore_usage", "cpu_usage", "memory_usage"]
+              - Pi-hole:
+                    href: https://pihole.${DOMAIN}/admin
+                    description: network adblocker
+                    icon: pi-hole.png
+                    namespace: tools
+                    podSelector: app=pihole
+                    app: pihole
+                    widget:
+                        type: pihole
+                        url: http://192.168.1.212
+                        key: "${PIHOLE_API_KEY}"
+                        version: 6
               - Invidious:
                     href: https://invidious.${DOMAIN}
                     description: youtube frontend
@@ -258,6 +281,13 @@ data:
                     namespace: tools
                     podSelector: app=searxng
                     app: searxng
+              - Pulse:
+                    icon: pulse.png
+                    description: Proxmox monitoring
+                    href: https://pulse.${DOMAIN}
+                    namespace: monitoring
+                    podSelector: app=pulse
+                    app: pulse
               - Open Media Vault:
                     href: http://192.168.1.4
                     description: NAS

clusters/default/monitoring/homepage/homepage.yml

@@ -41,7 +41,7 @@ spec:
               subPath: services.yaml
       containers:
         - name: homepage
-          image: "ghcr.io/gethomepage/homepage:v1.7.0"
+          image: "ghcr.io/gethomepage/homepage:v1.8.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: HOMEPAGE_ALLOWED_HOSTS

clusters/default/monitoring/jellystat/jellystat-db.yml

@@ -0,0 +1,46 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: jellystat-db
+  namespace: monitoring
+spec:
+  selector:
+    matchLabels:
+      app: jellystat-db
+  serviceName: jellystat-db
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: jellystat-db
+    spec:
+      containers:
+      - name: jellystat-db
+        image: postgres:18-alpine
+        ports:
+        - containerPort: 5432
+        env:
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: jellystat-secret
+              key: password
+        - name: POSTGRES_DB
+          value: "jfstat"
+        - name: POSTGRES_USER
+          value: "postgres"
+        - name: PGDATA
+          value: /mnt/postgres/data
+        volumeMounts:
+        - name: postgres-data
+          mountPath: /mnt/postgres
+  volumeClaimTemplates:
+  - metadata:
+      name: postgres-data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 1Gi
+      storageClassName: longhorn

clusters/default/monitoring/jellystat/jellystat-pvc.yml

@@ -1,18 +1,3 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: jellystat-longhorn
-  namespace: monitoring
-spec:
-  accessModes:
-    - ReadWriteOnce
-  volumeMode: Filesystem
-  resources:
-    requests:
-      storage: 1Gi
-  storageClassName: longhorn
-
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim

clusters/default/monitoring/jellystat/jellystat-svc.yml

@@ -15,3 +15,17 @@ spec:
   - port: 3001
     targetPort: 3000
     protocol: TCP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: jellystat-db
+  namespace: monitoring
+spec:
+  selector:
+    app: jellystat-db
+  ports:
+  - port: 5432
+    targetPort: 5432
+  clusterIP: None

clusters/default/monitoring/jellystat/jellystat.yml

@@ -16,56 +16,40 @@ spec:
       labels:
         app: jellystat
     spec:
-      initContainers:
+      containers:
-      - name: jellystat-db
+      - name: jellystat
-        image: postgres:alpine
+        image: cyfershepard/jellystat:1.1.7
-        restartPolicy: Always
+        readinessProbe:
-        ports:
+          exec:
-        - containerPort: 5432
+            command:
+            - bash
+            - -c
+            - |
+              (echo >/dev/tcp/jellystat-db.monitoring.svc.cluster.local/5432)
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
         env:
-        - name: POSTGRES_DB
+        - name: JWT_SECRET
-          value: "jfstat"
-        - name: POSTGRES_USER
-          value: "postgres"
-        - name: POSTGRES_PASSWORD
           valueFrom:
             secretKeyRef:
               name: jellystat-secret
-              key: password
+              key: jwt
-        - name: PGDATA
-          value: /mnt/postgres/data
-        volumeMounts:
-        - name: postgres-data
-          mountPath: /mnt/postgres
-      containers:
-      - name: jellystat
-        image: cyfershepard/jellystat:1.1.6
-        ports:
-        - containerPort: 3000
-        env:
-        - name: POSTGRES_USER
-          value: "postgres"
         - name: POSTGRES_PASSWORD
           valueFrom:
             secretKeyRef:
               name: jellystat-secret
               key: password
         - name: POSTGRES_IP
-          value: "localhost"
+          value: "jellystat-db.monitoring.svc.cluster.local"
         - name: POSTGRES_PORT
           value: "5432"
-        - name: JWT_SECRET
+        - name: POSTGRES_USER
-          valueFrom:
+          value: "postgres"
-            secretKeyRef:
-              name: jellystat-secret
-              key: jwt
         volumeMounts:
         - name: backups
           mountPath: /app/backend/backup-data
       volumes:
-      - name: postgres-data
-        persistentVolumeClaim:
-          claimName: jellystat-longhorn
       - name: backups
         persistentVolumeClaim:
           claimName: jellystat-backups-longhorn

clusters/default/monitoring/pulse/pulse.yml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
       - name: pulse
-        image: rcourtman/pulse:4.31.0
+        image: rcourtman/pulse:5.0.10
         volumeMounts:
         - name: pulse-data
           mountPath: /data

clusters/default/monitoring/speedtest/speedtest.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: speedtest
-        image: lscr.io/linuxserver/speedtest-tracker:1.8.0
+        image: lscr.io/linuxserver/speedtest-tracker:1.13.4
         ports:
         - containerPort: 80
         env:

clusters/default/system-upgrade/system-upgrade-controller.yml

@@ -264,7 +264,7 @@ spec:
         envFrom:
         - configMapRef:
             name: default-controller-env
-        image: rancher/system-upgrade-controller:v0.16.3
+        image: rancher/system-upgrade-controller:v0.18.0
         imagePullPolicy: IfNotPresent
         name: system-upgrade-controller
         securityContext:

clusters/default/system-upgrade/system-upgrade-plan.yml

@@ -16,7 +16,7 @@ spec:
   serviceAccountName: system-upgrade
   upgrade:
     image: rancher/k3s-upgrade
-  channel: https://update.k3s.io/v1-release/channels/stable
+  channel: https://update.k3s.io/v1-release/channels/v1.33
 ---
 # Agent plan
 apiVersion: upgrade.cattle.io/v1
@@ -39,4 +39,4 @@ spec:
   serviceAccountName: system-upgrade
   upgrade:
     image: rancher/k3s-upgrade
-  channel: https://update.k3s.io/v1-release/channels/stable
+  channel: https://update.k3s.io/v1-release/channels/v1.33

clusters/default/tools/code-server/code-server.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: code-server
-        image: lscr.io/linuxserver/code-server:4.106.0
+        image: lscr.io/linuxserver/code-server:4.107.0
         ports:
         - containerPort: 8443
         env:

clusters/default/tools/nextcloud/collabora.yml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
       - name: collabora
-        image: collabora/code:25.04.7.2.1
+        image: collabora/code:25.04.8.1.1
         ports:
         - containerPort: 9980
         env:

clusters/default/tools/nextcloud/nextcloud-db.yml

@@ -1,6 +1,6 @@
 ---
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   name: nextcloud-db
   namespace: tools
@@ -8,6 +8,8 @@ spec:
   selector:
     matchLabels:
       app: nextcloud-db
+  serviceName: nextcloud-db
+  replicas: 1
   template:
     metadata:
       labels:
@@ -15,7 +17,7 @@ spec:
     spec:
       containers:
       - name: nextcloud-db
-        image: mariadb:12.0.2
+        image: mariadb:12.1.2
         ports:
         - containerPort: 3306
         env:
@@ -36,9 +38,14 @@ spec:
         - name: MARIADB_AUTO_UPGRADE
           value: "1"
         volumeMounts:
-        - name: nextcloud-db-storage
+        - name: nextcloud-db
           mountPath: /var/lib/mysql
-      volumes:
+  volumeClaimTemplates:
-      - name: nextcloud-db-storage
+  - metadata:
-        persistentVolumeClaim:
+      name: nextcloud-db
-          claimName: nextcloud-db-longhorn
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 2Gi
+      storageClassName: longhorn

clusters/default/tools/nextcloud/nextcloud-pvc.yml

@@ -1,18 +1,3 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: nextcloud-db-longhorn
-  namespace: tools
-spec:
-  accessModes:
-    - ReadWriteOnce
-  volumeMode: Filesystem
-  resources:
-    requests:
-      storage: 2Gi
-  storageClassName: longhorn
-
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim

clusters/default/tools/nextcloud/nextcloud-svc.yml

@@ -38,7 +38,7 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: nextcloud-db-service
+  name: nextcloud-db
   namespace: tools
 spec:
   selector:
@@ -47,3 +47,4 @@ spec:
     - protocol: TCP
       port: 3306
       targetPort: 3306
+  clusterIP: None

clusters/default/tools/nextcloud/nextcloud.yml

@@ -15,20 +15,18 @@ spec:
       labels:
         app: nextcloud
     spec:
-      initContainers:
-      - name: wait-for-db
-        image: busybox
-        command:
-          - sh
-          - -c
-          - |
-            until nc -z -v -w30 nextcloud-db-service 3306; do
-              echo "Waiting for database to be ready..."
-              sleep 2
-            done
       containers:
       - name: nextcloud
-        image: lscr.io/linuxserver/nextcloud:32.0.1
+        image: lscr.io/linuxserver/nextcloud:32.0.3
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - nc -z nextcloud-db.tools.svc.cluster.local 3306
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
         ports:
         - containerPort: 443
         env:

clusters/default/tools/open-webui/open-webui-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: open-webui-longhorn
+  namespace: tools
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: longhorn

clusters/default/tools/open-webui/open-webui-svc.yml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: open-webui-service
+  namespace: tools
+  annotations:
+    metallb.io/allow-shared-ip: "shared-ip-1"
+spec:
+  loadBalancerIP: 192.168.1.230
+  type: LoadBalancer
+  selector:
+    app: open-webui
+  ports:
+  - port: 8123
+    targetPort: 8080

clusters/default/tools/open-webui/open-webui.yml

@@ -0,0 +1,32 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: open-webui
+  namespace: tools
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: open-webui
+  template:
+    metadata:
+      labels:
+        app: open-webui
+    spec:
+      containers:
+      - name: open-webui
+        image: ghcr.io/open-webui/open-webui:0.6.43
+        ports:
+        - containerPort: 8080
+        env:
+        - name: OLLAMA_BASE_URL
+          value: "http://ollama.tools.svc.cluster.local:2123"
+        volumeMounts:
+        - name: config
+          mountPath: /app/backend/data
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: open-webui-longhorn

clusters/default/tools/paperless-ngx/paperless-ngx-db.yml

@@ -0,0 +1,35 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: paperless-ngx-db
+  namespace: tools
+spec:
+  selector:
+    matchLabels:
+      app: paperless-ngx-db
+  serviceName: paperless-ngx-db
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: paperless-ngx-db
+    spec:
+      containers:
+      - name: paperless-ngx-db
+        image: docker.io/library/redis:8
+        ports:
+        - containerPort: 6379
+        volumeMounts:
+        - name: paperless-ngx-db
+          mountPath: /data
+          subPath: redis
+  volumeClaimTemplates:
+  - metadata:
+      name: paperless-ngx-db
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 500Mi
+      storageClassName: longhorn

clusters/default/tools/paperless-ngx/paperless-ngx-svc.yml

@@ -14,3 +14,16 @@ spec:
   ports:
   - port: 8001
     targetPort: 8000
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: paperless-ngx-db
+  namespace: tools
+spec:
+  selector:
+    app: paperless-ngx-db
+  ports:
+  - port: 6379
+    targetPort: 6379

clusters/default/tools/paperless-ngx/paperless-ngx.yml

@@ -15,24 +15,24 @@ spec:
       labels:
         app: paperless-ngx
     spec:
-      initContainers:
-      - name: paperless-ngx-db
-        image: docker.io/library/redis:8
-        restartPolicy: Always
-        ports:
-        - containerPort: 6379
-        volumeMounts:
-        - name: data
-          mountPath: /data
-          subPath: redis
       containers:
       - name: paperless-ngx
-        image: ghcr.io/paperless-ngx/paperless-ngx:2.19.6
+        image: ghcr.io/paperless-ngx/paperless-ngx:2.20.3
+        readinessProbe:
+          exec:
+            command:
+            - bash
+            - -c
+            - |
+              (echo >/dev/tcp/paperless-ngx-db.tools.svc.cluster.local/6379)
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
         ports:
         - containerPort: 8000
         env:
         - name: PAPERLESS_REDIS
-          value: "redis://localhost:6379"
+          value: "redis://paperless-ngx-db.tools.svc.cluster.local:6379"
         - name: PAPERLESS_URL
           valueFrom:
             secretKeyRef:
@@ -53,9 +53,9 @@ spec:
         - name: PAPERLESS_TIKA_ENABLED
           value: "1"
         - name: PAPERLESS_TIKA_ENDPOINT
-          value: "http://tika-service:9998"
+          value: "http://tika-service.tools.svc.cluster.local:9998"
         - name: PAPERLESS_TIKA_GOTENBERG_ENDPOINT
-          value: "http://gotenberg-service:3000"
+          value: "http://gotenberg-service.tools.svc.cluster.local:3000"
         volumeMounts:
         - name: data
           mountPath: /usr/src/paperless/data

clusters/default/tools/paperless-ngx/paperless-pvc.yml

@@ -10,5 +10,5 @@ spec:
   volumeMode: Filesystem
   resources:
     requests:
-      storage: 1Gi
+      storage: 2Gi
   storageClassName: longhorn

clusters/default/tools/pihole/pihole-cm.yml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: keepalived-config
+  namespace: tools
+data:
+  keepalived.conf: |
+    vrrp_instance PIHOLE_VIP {
+      state MASTER
+      interface eth0
+      virtual_router_id 212
+      priority 50
+      advert_int 1
+
+      virtual_ipaddress {
+        192.168.1.212/24
+      }
+    }

clusters/default/tools/pihole/pihole-pvc.yml

@@ -6,7 +6,7 @@ metadata:
   namespace: tools
 spec:
   accessModes:
-    - ReadWriteOnce
+    - ReadWriteMany
   volumeMode: Filesystem
   resources:
     requests:

clusters/default/tools/pihole/pihole.yml

@@ -0,0 +1,90 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: pihole
+  namespace: tools
+spec:
+  selector:
+    matchLabels:
+      app: pihole
+  template:
+    metadata:
+      labels:
+        app: pihole
+    spec:
+      hostNetwork: true
+
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+                - key: kubernetes.io/hostname
+                  operator: NotIn
+                  values:
+                    - "kube-01"
+                    
+      initContainers:
+      - name: init-keepalived
+        image: osixia/keepalived:2.0.20
+        command:
+          - sh
+          - -c
+          - |
+            cp -r /container/service/keepalived/assets/* /etc/keepalived/
+            cp /config/keepalived.conf /etc/keepalived/keepalived.conf
+        volumeMounts:
+          - name: keepalived-config
+            mountPath: /config
+          - name: keepalived-runtime
+            mountPath: /etc/keepalived
+
+      containers:
+      - name: pihole
+        image: pihole/pihole:latest
+        securityContext:
+          capabilities:
+            add: ["NET_ADMIN"]
+        env:
+          - name: TZ
+            value: "Asia/Kolkata"
+          - name: FTLCONF_webserver_api_password
+            valueFrom:
+              secretKeyRef:
+                name: pihole-webpassword
+                key: password
+        ports:
+          - containerPort: 53
+            protocol: UDP
+          - containerPort: 53
+            protocol: TCP
+          - containerPort: 67
+            protocol: UDP
+          - containerPort: 80
+            protocol: TCP
+        volumeMounts:
+          - name: pihole-data
+            mountPath: /etc/pihole
+
+      - name: keepalived
+        image: osixia/keepalived:2.0.20
+        securityContext:
+          capabilities:
+            add: ["NET_ADMIN", "NET_BROADCAST", "NET_RAW"]
+
+        volumeMounts:
+          - name: keepalived-runtime
+            mountPath: /container/service/keepalived/assets
+
+      volumes:
+      - name: keepalived-config
+        configMap:
+          name: keepalived-config
+
+      - name: keepalived-runtime
+        emptyDir: {}
+
+      - name: pihole-data
+        persistentVolumeClaim:
+          claimName: pihole-longhorn

clusters/default/tools/searxng/searxng.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: searxng
-        image: searxng/searxng@sha256:91da34403fc1d2c7ac23d1459af87870d87810b7d50b0c6a4585ab78846cb534
+        image: searxng/searxng@sha256:472dd0c84b8e2a05bca773b4a430b9fc9e4e92cd4fa0afaa223efab925ab752a
         ports:
         - containerPort: 8080
         env:

clusters/default/tools/vaultwarden/vaultwarden.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: vaultwarden
-        image: vaultwarden/server:1.34.3
+        image: vaultwarden/server:1.35.1
         ports:
         - containerPort: 80
         env:

clusters/ipv6/arr-stack/bazarr/bazarr-ingress.yml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bazarr-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - bazarr.akshun-lab.cc
+    secretName: bazarr-tls
+  rules:
+  - host: bazarr.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: bazarr-service
+            port:
+              number: 6767
+

clusters/ipv6/arr-stack/bazarr/bazarr-pvc.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bazarr-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: longhorn
+

clusters/ipv6/arr-stack/bazarr/bazarr-svc.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bazarr-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: bazarr
+  ports:
+  - protocol: TCP
+    port: 6767
+    targetPort: 6767

clusters/ipv6/arr-stack/bazarr/bazarr.yml

@@ -0,0 +1,48 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bazarr
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bazarr
+  template:
+    metadata:
+      labels:
+        app: bazarr
+    spec:
+      containers:
+      - name: bazarr
+        image: linuxserver/bazarr:1.5.4
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Asia/Kolkata"
+        volumeMounts:
+        - name: movies
+          mountPath: /movies
+        - name: tv
+          mountPath: /tv
+        - name: config
+          mountPath: /config
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: bazarr-longhorn
+      - name: tv
+        nfs:
+          server: 10.0.0.123
+          path: /merge/series
+      - name: movies
+        nfs:
+          server: 10.0.0.123
+          path: /merge/movies
+

clusters/ipv6/arr-stack/jellyseerr/jellyseerr-ingress.yml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jellyseerr-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - jellyseerr.akshun-lab.cc
+    secretName: jellyseerr-tls
+  rules:
+  - host: jellyseerr.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: jellyseerr-service
+            port:
+              number: 5055
+

clusters/ipv6/arr-stack/jellyseerr/jellyseerr-pvc.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyseerr-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+

clusters/ipv6/arr-stack/jellyseerr/jellyseerr-svc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: jellyseerr-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: jellyseerr
+  ports:
+  - port: 5055
+    targetPort: 5055
+    protocol: TCP
+

clusters/ipv6/arr-stack/jellyseerr/jellyseerr.yml

@@ -0,0 +1,58 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jellyseerr
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: jellyseerr
+  template:
+    metadata:
+      labels:
+        app: jellyseerr
+    spec:
+      initContainers:
+      - name: gluetun
+        image: qmcgaw/gluetun:v3.41.0
+        restartPolicy: Always
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        envFrom:
+        - configMapRef:
+            name: gluetun-config
+        env:
+        - name: OPENVPN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_PASSWORD
+        - name: OPENVPN_USER
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_USER
+      containers:
+      - name: jellyseerr
+        image: fallenbagel/jellyseerr:2.7.3
+        ports:
+        - containerPort: 5055
+        env:
+        - name: LOG_LEVEL
+          value: "info"
+        - name: TZ
+          value: "Asia/Kolkata"
+        volumeMounts:
+        - name: config
+          mountPath: /app/config
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: jellyseerr-longhorn
+

clusters/ipv6/arr-stack/namespace.yml

@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: arr-stack
+  labels:
+    name: arr-stack

clusters/ipv6/arr-stack/openvpn/gluetun-config.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gluetun-config
+  namespace: arr-stack
+data:
+  VPN_SERVICE_PROVIDER: "surfshark"
+  SERVER_COUNTRIES: "Netherlands"
+  HTTPPROXY: "ON"
+  FIREWALL_OUTBOUND_SUBNETS: "192.168.1.0/24,10.42.0.0/16,10.43.0.0/16"
+  DNS_ADDRESS: "8.8.8.8"
+

clusters/ipv6/arr-stack/openvpn/gluetun-secrets-sealed.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: openvpn-secrets
+  namespace: arr-stack
+spec:
+  encryptedData:
+    OPENVPN_PASSWORD: AgCq8+4OOOqt0Z0zTiVdtjz5uWoH7flNKwreecXW7zZ3gMi7t2dg9YApYV5lBzIxXSCx1DhMWqbgBx545n4SFkZhJhJeJRxRMYYV1b034W4TCzyJXU9d1kcUY4zesutK/HVY2R6riUdGLZzxJ9RPEa62LfdmjCc7ilOnMG2zqGwUF8g7+/I8ANnxNKYZ6WF6kmD96C6RdMMO5D2AUs7YppppsADkoQmHyTjx5geceDm7nGHSyy5ieFuvg7qd7S5s7E+GpsMWsXgl1RGD2nsyJ94h7FH0/krWR4DBu7YivgKtehTf/fK1tkqbxuqPUDJG2QVhmYwLmcEMhfajV8tmJrptfgxQ0nRbqIM/kcJeopPhbcHg/HMMfp7GwiTjfub6gxti9JQPBgMjoOdyMrYsdWPbIF8CaScF9S5owPx0sI1oHlS/q4vhQs/2jh5rIrwLTJbmo1Xwrkd86TJfuUv2G7khUDF1xLBOX9gHQFiCF+F2/JC08CKuodJ5NyYIbQ3jTFMbZHnwlsONKAgbVz40s90OumD4ujk+CtB89/p4Pz8zJC26qB3mFSiFAIQ4RbAwygA9jsFXmsuS86dxinWD+XZYWGAXvG9GHtmV1lRG55CGQ4SAKmAgECqvE0q3MCmmhIquUgl0HolkkDRC+eJadb0w2z3bpFQ9K8ZdFP50Gj37hxcaVY/CREkAuiRhpxBOzbjwQShnly4qW6mB6/r0VF8THYPOsDy5DfQ=
+    OPENVPN_USER: AgC/5sKPgHylU/nDJ/S63t/07I1Ll9gdBipIyWtL0Fl+OStZ1DAzt7n4oGZ+HRqZA1bLJ4ZB0xgOIL7JjFN+1AqvybrCrIrira7AwxwsRWHzboFzA8St81pQR2Bu6O6B+cfFUiFNI43yOVAn1LRWzPFjRc6wtJTym2tQbzDaFL5pdvnMRHRlDSrGfWMHvl/iNDwL4CUctBSLYNsSbew15g/KavkEfNT6DqVhGZ8LNA+223x6Xs2tsscAYZo9zEX4qxYO1jk0WxfMXA8iFqjl2icI3y6FMLtnfM4dA+4LK+5rrlyLQVoBWznwPTMSvRLEKmstKQAe4jSel/DxL0oa0SnfAty1n+weM5uA4UIvo3mgDX2tGNIeibV6Hn6aG0jTAWgSaWVjIDe/NCVKOks18nnqOI9p91MS93EoYU7gRwwpVCNYWoXQoul6G1P4EkiqtDbwKPOMgVPWIdu0unP1Af7K/QhqaelEMM/EageSXdMeZ/hDA9vMTNQlhNf+eowU0KwpQ9MXYre4m8N4twPzRQfXvU4+SNr1QsrlpB52Y0QJJJZvG9HOPfLK52Re42TxbLxGap1oQLyHhRscsQ6XIDszpEDBlXj8RYxhgaCIKfywK2Z5v0tbjdAWJuQ3Cw/kcaEa8dGT2x6BenU+XxwNIsyFkCCR5+0bJLdKZFPaT3J1wpIP8JQ/HuAWW89lxXFQ74935oecAwr93eN2rRAvdNmL71sDJoUGoSU=
+  template:
+    metadata:
+      name: openvpn-secrets
+      namespace: arr-stack
+    type: Opaque

clusters/ipv6/arr-stack/prowlarr/prowlarr-ingress.yml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: prowlarr-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - prowlarr.akshun-lab.cc
+    secretName: prowlarr-tls
+  rules:
+  - host: prowlarr.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: prowlarr-service
+            port:
+              number: 9696
+

clusters/ipv6/arr-stack/prowlarr/prowlarr-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: prowlarr-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn

clusters/ipv6/arr-stack/prowlarr/prowlarr-svc.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: prowlarr-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: prowlarr
+  ports:
+  - port: 9696
+    targetPort: 9696
+  clusterIP: 10.43.0.142

clusters/ipv6/arr-stack/prowlarr/prowlarr.yml

@@ -0,0 +1,59 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: prowlarr
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: prowlarr
+  template:
+    metadata:
+      labels:
+        app: prowlarr
+    spec:
+      initContainers:
+      - name: gluetun
+        image: qmcgaw/gluetun:v3.41.0
+        restartPolicy: Always
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        envFrom:
+        - configMapRef:
+            name: gluetun-config
+        env:
+        - name: OPENVPN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_PASSWORD
+        - name: OPENVPN_USER
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_USER
+      containers:
+      - name: prowlarr
+        image: lscr.io/linuxserver/prowlarr:2.3.0
+        volumeMounts:
+        - name: config
+          mountPath: /config
+        ports:
+        - containerPort: 9696
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Asia/Kolkata"
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: prowlarr-longhorn