fix: correct typo in PAPERLESS_URL environment variable

Reviewed-on: #316

.gitea/workflows/kubeconform.yml

@@ -1,95 +1,85 @@
 name: Validate Kubernetes Manifests
 
 on:
-  pull_request:
-    branches: [main]
+  push:
+    paths:
+      - '**.yml'
+      - '**.yaml'
+      - '!.gitea/workflows/**'
+      - '!clusters/default/system-upgrade/crd.yml'
 
 jobs:
   kubeconform:
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/yannh/kubeconform:v0.7.0-alpine
+      image: gitea.akshun-lab.cc/aggarwalakshun/kube-tools:1.1.0
     steps:
-
-      - name: Install dependencies
-        run: |
-          apk add --no-cache \
-            yq \
-            findutils \
-            curl \
-            jq \
-            npm \
-            nodejs \
-            bash
-
       - name: Checkout code
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
-      - name: Create kubeconform configuration
-        run: |
-          cat > /tmp/kubeconform-config.yaml << 'EOF'
-          schema_location:
-            - default
-            - "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json"
-          EOF
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v47
+        with:
+          files: |
+            **.yml
+            **.yaml
+            !.gitea/workflows/**
+            !clusters/default/system-upgrade/crd.yml
 
       - name: Validate Manifests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        env:
+          ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
         shell: bash
         run: |
-          # Define schema mappings
+          set -o pipefail
+
           declare -A SCHEMA_MAP=(
             ["HelmRelease"]="helm.toolkit.fluxcd.io/helmrelease_v2.json"
             ["HelmRepository"]="source.toolkit.fluxcd.io/helmrepository_v1.json"
             ["L2Advertisement"]="metallb.io/l2advertisement_v1beta1.json"
             ["IPAddressPool"]="metallb.io/ipaddresspool_v1beta1.json"
             ["SealedSecret"]="bitnami.com/sealedsecret_v1alpha1.json"
+            ["ClusterPolicy"]="nvidia.com/clusterpolicy_v1.json"
+            ["Plan"]="upgrade.cattle.io/plan_v1.json"
           )
-          
-          # Create cache directory
-          export KUBECONFORM_CACHE_DIR="/tmp/kubeconform-cache"
-          mkdir -p "$KUBECONFORM_CACHE_DIR"
-          
-          # Exit code tracking
+
           EXIT_CODE=0
-          
-          # Process all YAML files
-          while IFS= read -r file; do
+
+          for file in ${ALL_CHANGED_FILES}; do
+            [ -z "$file" ] && continue
             echo "=== Validating: $file ==="
-            
-            # Skip excluded paths
-            if [[ "$file" == *".gitea/"* ]] || [[ "$file" == *"clusters/default/system-upgrade/"* ]]; then
-              echo "Skipping excluded file"
-              continue
-            fi
-            
-            # Detect resource kind
-            KIND=$(yq -r '.kind // ""' "$file" 2>/dev/null || echo "")
-            
-            if [[ -n "$KIND" && -n "${SCHEMA_MAP[$KIND]}" ]]; then
-              echo "Found $KIND - using custom schema"
-              SCHEMA_URL="https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/${SCHEMA_MAP[$KIND]}"
-              
-              if ! /kubeconform \
-                -schema-location "$SCHEMA_URL" \
-                -cache "$KUBECONFORM_CACHE_DIR" \
-                -output json \
-                "$file"; then
-                EXIT_CODE=1
-              fi
-            else
-              echo "Validating with default schemas"
-              if ! /kubeconform \
-                -schema-location default \
-                -cache "$KUBECONFORM_CACHE_DIR" \
-                -output json \
-                "$file"; then
-                EXIT_CODE=1
-              fi
-            fi
-            
+
+            yq e -o=json '. as $item ireduce ([]; . + [$item])' "$file" | \
+              jq -c '.[] | select(.kind != null)' | \
+              while read -r manifest; do
+                KIND=$(echo "$manifest" | jq -r '.kind // ""')
+
+                if [[ -n "$KIND" && -n "${SCHEMA_MAP[$KIND]}" ]]; then
+                  echo "Found $KIND - using custom schema"
+                  SCHEMA_URL="https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/${SCHEMA_MAP[$KIND]}"
+
+                  if ! echo "$manifest" | kubeconform \
+                      -schema-location "$SCHEMA_URL" \
+                      -output json \
+                      -; then
+                    EXIT_CODE=1
+                  fi
+                else
+                  echo "Validating with default schemas"
+                  if ! echo "$manifest" | kubeconform \
+                      -schema-location default \
+                      -output json \
+                      -; then
+                    EXIT_CODE=1
+                  fi
+                fi
+              done
+
             echo ""
-          done < <(find . -type f \( -name "*.yml" \) -print)
-          
+          done
+
           exit $EXIT_CODE

.gitea/workflows/renovate.yml

@@ -9,11 +9,11 @@ jobs:
   renovate:
     runs-on: ubuntu-latest
     container:
-      image: renovate/renovate:42.26.11
+      image: renovate/renovate:42.64.1
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Run Renovate
         env:

.gitignore

@@ -0,0 +1,2 @@
+/tmp-pod.yml
+/Dockerfile

clusters/default/arr-stack/jellyseerr/jellyseerr.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       initContainers:
       - name: gluetun
-        image: qmcgaw/gluetun:v3.40.3
+        image: qmcgaw/gluetun:v3.41.0
         restartPolicy: Always
         securityContext:
           capabilities:

clusters/default/arr-stack/prowlarr/prowlarr.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       initContainers:
       - name: gluetun
-        image: qmcgaw/gluetun:v3.40.3
+        image: qmcgaw/gluetun:v3.41.0
         restartPolicy: Always
         securityContext:
           capabilities:

clusters/default/arr-stack/qbittorrent/qbittorrent.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       initContainers:
       - name: gluetun
-        image: qmcgaw/gluetun:v3.40.3
+        image: qmcgaw/gluetun:v3.41.0
         restartPolicy: Always
         securityContext:
           capabilities:

clusters/default/arr-stack/sabnzbd/sabnzbd.yml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
       - name: sabnzbd
-        image: lscr.io/linuxserver/sabnzbd:latest
+        image: lscr.io/linuxserver/sabnzbd:4.5.5
         env:
         - name: PUID
           value: "1000"

clusters/default/flux-system/gotk-sync.yaml

@@ -11,7 +11,7 @@ spec:
     branch: main
   secretRef:
     name: flux-system
-  url: ssh://git@gitea.akshun-lab.cc/aggarwalakshun/k3s
+  url: ssh://git@gitea.akshun-lab.cc/aggarwalakshun/k3s-at-home.git
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization

clusters/default/git-ops/gitea-act/gitea-act-secrets.yml

@@ -6,8 +6,8 @@ metadata:
   namespace: git-ops
 spec:
   encryptedData:
-    TOKEN: AgACJkhEafIeRdcLRHBiyjAXz8aK4m1w8238FhwhX8cKDMg3J2hD11CDI5K6R+idPxfIxJSry7yarr4j+3hB9JOfrVTGSMyt8zadIjeE6MZMQFrE+Ufbo+JRqz9lBjY2enmxfjvFS5LiZGogUaomuvmeFywWWmqLlLcyANNIHN/sw/JVIZc32oLsElSCQc8GgWoLDHPFbTkoeqqCFtWiEYDhZDf5BsGHxNh2MOI0N55TPL5izKrgSUTHvDiehYddeIYz85K3WCDTGXBztIteM7+DrHGdyuYOimP4J3w9CExnf3ObtqcfnOgv9a1wiXER484q5fpaidWIVZm/dZiTFuLwAWpPNRP/WcTkMXEJVSAEWkdYxb8fk6Zn6VifT1fTSzTUN90TP0IXlrjP55nvG7oHvkBNWydSRxc3d2wwXKhSnAOk94cWPxilOkqhsc/aqCQzkxgHZXNV94jb8KzV5r1XCCD/kYd+crbfNs4uEKXNSa9KZqE4Did8eelEfst+VGhUpWwMLn9QNNlMxKUhWuqjEM30QTO51p7cB12dqQxi1nuXB6NREW8LtOOJ5uRDnSTY0ZTwioNZ5OqgMVfAPAY6HBZrYOQFvG5/rDRkkWLWdDRLJfz1OZq+qwoXBfXhKCEQnK2J8zIxjVJKjdK4U7myWzB9peN5XQN29aisxCY7k0ikpD8Crog7jnxAXo2hmLNaCt2xVgKpHc8RnuC9dNIlJUXI0KhTT649s6Jja09ZfuTF/3oboHBH
-    URL: AgAF2MrmaYUOGlLqyMhJpLyTT/qZbvSHC787uLNKwjqTqRIhU34DoR4F0ZxcDfiUl7KQgZVL+ujOU1MdpBxsMtsvLRFoQl+bGm4G1miE7BUpsETp2ll3kVbLMTk8eNeFdRq1P4WEtF6vidwVfJ0ggwyISdMpLm7tS/oFg4l0FImmpqjsycCMuwheB4azcU/1sEy046NLFQUm+ErKN88qRvFQwMlKj2DHKrtBxGZfdo7xo8hcBdq5IWDfMs8yAvalafp+O922mzF7ADp2IMoTgipCGiGNo8dengg18mfjqI7sUJHZag1apGmJmUSBK8xxFv7Cc8iS8PPpBZIROe8/rEwpNYH/JTVbfNZvdu5qVzmXs7BUppGG6dg5ASUkYW7lVf1Bo1M/dFreuHOlr1UucwJoIXcMFu/eOLcNbAchH4I4K1LQFPNNDkViAKozP5E8k1fIcpGPRSPK9hRnr21w3+kJ8ruJl7TFWY0aqi0kemtXq2lZenFlaUEk2pilINGNZ16AZBAnuzafPRC76c4EVtEKlffKC+/4Oq3hXHneVoikJZYuJ0CP/mqKVzFf/HgfOxzDyGbtXsAZ1m+dcl25U81VzbEuvzGrgt3q7FNLwQ4heSeDNDkkSvotDWji8VT1W3IN6ShXZ+gHmL7UrY3HuG3BsuuekSHvmc1gXGOHOO/qKYkHeJ2NzZODhgh/xo/vbXiilQrNBnuoJ1cxPY8Xz0jAx6WfWqsTtahe2h4=
+    TOKEN: AgCCHSvlowNtj3ghhB/mYSnSlVMiB/yxLjWesHNtxiFLO4lGPfDp/KYMJ+0makytpQBlOS5nfSCh8u11Vh4vje0v2QLCkt8XCkDfpYOb/tJIaeMuojszaoaf3ZQqgzEbwy4hgaV8ur3K77jnHE+dnYMGNcd0Thg3nVhIs8rMK/2kBcTrp/Jfy61TAeyS3ObFgjayGqyUCc8BI1VjkKFXLPp82d7tqlGKTYlI+hVnWpSwS7MrybesTU8AGYC5GLRr3crfbff/H20m6aFb/4rDKQb7FIEOXYhbuxZw5OuFxlORnGNFWQP+aCyywOxmalNV1F2kZk0YRlWoaXrtyeT46cBI7WIgbFeUwlpRLxKGz8mBdJ8QluE2vu9HSUmMiFCOV6V0znUjz5jWyJ839FsUDHY78sRLaycu5fZNBeq0QndBDNYYkkhZ/uxvGsfdF8camCGNLIGC65nT3kHnWuZ0ZRSXJRf4Jb5TdK81aBceAEHqrtFkjger3v6ZEblTABV2fykRyFeK3eZ0TF5tsOa/8yNGI94sxjv/TXvdXNK2Z4VuaXRQpmCfnLkvKc4Fra0Pk2N1beI8NDTgqLBHWBPYeK1lryeYZ/nISj7W6hBasEPXdOYcJ8lCYwWmGmWO+B0zt8u0gvm0mkrZAZvluOYqRd+/Y8Cg9Q1S3lIFBd/JaPH/nTAXiHWU5ZNowGxuVYWIo6r85pv5oRJodVFhTZD/7mBsZHAh2XUVbLeN2ZfQHrSTFbZydkDz5f66
+    URL: AgATClAgHoLFuwCkQjQvl0MI0YRe7o2mCiaagecYvNgDH8uCMhY7vVFjmTmamfH0MBEbE+3QGQthlV+/aDjvpjJg3P5cFX+0EnU95SPPJHo0+oKAIxfP5DahCFl6nyyqZ57BTKNN5J4Mki4jCbkXxpnx5o2s+wjv4O56Al2yAK9ykk7vLo44VT9U8glxrEmpwQDp1Q/AVO0pk3NchvluAbq3PpcSQ2tPRK79aPGQyscfId9H/9WL4pNzyRFc+WLhMVuZWHxa2mEVYkl6tHU0BFjG0YZIkZTFfVBvhCXi8CRBWSMm9IeuIQGbLxnaH0SyVPqA2hO5YorQw54TL1gVnXIDo3zxyFYyYew/x7goq5Ab/pAHpb70RfCa9TSUjDVt9trrUyuh/Elvp6OX25FuPcOYiQlKcEnf4Hm/a5fiubZG53ejweEAx22O1KG0zWFTy6LzTXZqU6uhqcmslQgmSjQXCrbUfPV3yHXpRetilh4fHFLFsXHm9FoWqjCQ0qW//BwoNRj9jk7rR3/BDVDmOFYj+xau260TtbkqgE8uWHQw5jXM0AM6f1xDlF/ZdoHnvBs1VGF10SDLc0qr8+44L4MDRHhlLXcADlXBG0osfkXBFDqdYpC+Phsphhh81aV7Wg9u9dCKTbE3FcMGGaOT0mbnyrs2Jm7IS6EW3KeZrpm5taXmJLLjN0xwGPit1XUrKJw9RPngaXfi+SCX/MckEPIy2aLTssCqvKX2zD4=
   template:
     metadata:
       name: gitea-act-runner-secret

clusters/default/git-ops/gitea-act/gitea-act.yml

@@ -19,29 +19,26 @@ spec:
         app: gitea-act-runner
     spec:
       restartPolicy: Always
-      hostNetwork: true
       volumes:
       - name: docker-certs
         emptyDir: {}
       - name: runner-data
         persistentVolumeClaim:
           claimName: gitea-act-runner-longhorn
-      initContainers:
-      - name: wait-for-gitea
-        image: busybox
-        command:
-        - sh
-        - -c
-        - |
-          while ! nc -z gitea.akshun-lab.cc 443; do
-            echo "Waiting for Gitea to be ready..."
-            sleep 5
-          done
-          echo "Gitea is ready!"
       containers:
       - name: runner
         image: gitea/act_runner@sha256:8477d5b61b655caad4449888bae39f1f34bebd27db56cb15a62dccb3dcf3a944
         command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- run.sh"]
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              nc -z gitea-int-service.git-ops.svc.cluster.local 3000
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
         env:
         - name: DOCKER_HOST
           value: tcp://localhost:2376
@@ -67,7 +64,7 @@ spec:
         - name: runner-data
           mountPath: /data
       - name: daemon
-        image: docker:29.1.1-dind
+        image: docker:29.1.3-dind
         env:
         - name: DOCKER_TLS_CERTDIR
           value: /certs

clusters/default/git-ops/gitea/gitea-db.yml

@@ -1,15 +1,15 @@
 ---
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   name: gitea-db
   namespace: git-ops
 spec:
-  strategy:
-    type: Recreate
   selector:
     matchLabels:
       app: gitea-db
+  serviceName: gitea-db
+  replicas: 1
   template:
     metadata:
       labels:
@@ -40,7 +40,12 @@ spec:
         volumeMounts:
         - name: gitea-db
           mountPath: /var/lib/postgresql
-      volumes:
-      - name: gitea-db
-        persistentVolumeClaim:
-          claimName: gitea-db-new-longhorn
+  volumeClaimTemplates:
+  - metadata:
+      name: gitea-db
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 2Gi
+      storageClassName: longhorn

clusters/default/git-ops/gitea/gitea-pvc.yml

@@ -12,18 +12,3 @@ spec:
     requests:
       storage: 2Gi
   storageClassName: longhorn
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: gitea-db-new-longhorn
-  namespace: git-ops
-spec:
-  accessModes:
-    - ReadWriteOnce
-  volumeMode: Filesystem
-  resources:
-    requests:
-      storage: 2Gi
-  storageClassName: longhorn

clusters/default/git-ops/gitea/gitea-svc.yml

@@ -38,12 +38,12 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: gitea-db-service
+  name: gitea-db
   namespace: git-ops
 spec:
+  ports:
+    - port: 5432
+      targetPort: 5432
   selector:
     app: gitea-db
-  ports:
-    - protocol: TCP
-      port: 5432
-      targetPort: 5432
+  clusterIP: None

clusters/default/git-ops/gitea/gitea.yml

@@ -16,20 +16,19 @@ spec:
       labels:
         app: gitea-app
     spec:
-      initContainers:
-      - name: wait-for-db
-        image: busybox
-        command:
-        - sh
-        - -c
-        - |
-          until nc -z -v -w30 gitea-db-service 5432; do
-            echo "Waiting for psql database to be ready"
-            sleep 2
-          done
       containers:
       - name: gitea
-        image: gitea/gitea:1.25.2
+        image: gitea/gitea:1.25.3
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              nc -z gitea-db.git-ops.svc.cluster.local 5432
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
         ports:
         - containerPort: 22
           name: ssh
@@ -43,7 +42,7 @@ spec:
         - name: GITEA__database__DB_TYPE
           value: "postgres"
         - name: GITEA__database__HOST
-          value: "gitea-db-service:5432"
+          value: "gitea-db.git-ops.svc.cluster.local:5432"
         - name: GITEA__database__NAME
           value: "gitea"
         - name: GITEA__database__USER

clusters/default/git-ops/semaphore/semaphore-configmap.yml

@@ -6,7 +6,7 @@ metadata:
   namespace: git-ops
 data:
   SEMAPHORE_DB_USER: "semaphore"
-  SEMAPHORE_DB_HOST: "localhost"
+  SEMAPHORE_DB_HOST: "semaphore-db"
   SEMAPHORE_DB_PORT: "3306"
   SEMAPHORE_DB_DIALECT: "mysql"
   SEMAPHORE_DB: "semaphore"

clusters/default/git-ops/semaphore/semaphore-db.yml

@@ -0,0 +1,46 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: semaphore-db
+  namespace: git-ops
+spec:
+  selector:
+    matchLabels:
+      app: semaphore-db
+  serviceName: semaphore-db
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: semaphore-db
+    spec:
+      containers:
+      - name: mysql
+        image: mysql:9.5.0
+        ports:
+        - containerPort: 3306
+        env:
+        - name: MYSQL_RANDOM_ROOT_PASSWORD
+          value: "'yes'"
+        - name: MYSQL_DATABASE
+          value: "semaphore"
+        - name: MYSQL_USER
+          value: "semaphore"
+        - name: MYSQL_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: semaphore-secrets
+              key: mysql_password
+        volumeMounts:
+        - name: semaphore-db
+          mountPath: /var/lib/mysql
+  volumeClaimTemplates:
+  - metadata:
+      name: semaphore-db
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 2Gi
+      storageClassName: longhorn

clusters/default/git-ops/semaphore/semaphore-svc.yml

@@ -12,5 +12,20 @@ spec:
   selector:
     app: semaphore
   ports:
-  - port: 3002
+  - name: http
+    port: 3002
     targetPort: 3000
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: semaphore-db
+  namespace: git-ops
+spec:
+  selector:
+    app: semaphore-db
+  ports:
+  - port: 3306
+    targetPort: 3306
+  clusterIP: None

clusters/default/git-ops/semaphore/semaphore.yml

@@ -16,33 +16,22 @@ spec:
       labels:
         app: semaphore
     spec:
-      initContainers:
-      - name: mysql
-        image: mysql:9.5.0
-        restartPolicy: Always
-        ports:
-        - containerPort: 3306
-        env:
-        - name: MYSQL_RANDOM_ROOT_PASSWORD
-          value: "'yes'"
-        - name: MYSQL_DATABASE
-          value: "semaphore"
-        - name: MYSQL_USER
-          value: "semaphore"
-        - name: MYSQL_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: semaphore-secrets
-              key: mysql_password
-        volumeMounts:
-        - name: db
-          mountPath: /var/lib/mysql
-          subPath: db
       containers:
       - name: semaphore
-        image: public.ecr.aws/semaphore/pro/server:v2.16.45
+        image: public.ecr.aws/semaphore/pro/server:v2.16.47
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              nc -z semaphore-db.git-ops.svc.cluster.local 3306
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
         ports:
-        - containerPort: 3000
+        - name: http
+          containerPort: 3000
         envFrom:
         - configMapRef:
             name: semaphore-config
@@ -62,7 +51,3 @@ spec:
             secretKeyRef:
               name: semaphore-secrets
               key: key
-      volumes:
-      - name: db
-        persistentVolumeClaim:
-          claimName: semaphore-longhorn

clusters/default/helm/cert-manager/cert-manager-release.yml

@@ -5,16 +5,16 @@ metadata:
   name: cert-manager
   namespace: cert-manager
 spec:
-  interval: 24h
+  interval: 6h
   chart:
     spec:
       chart: cert-manager
-      version: "v1.19.1"
+      version: "v1.19.2"
       sourceRef:
         kind: HelmRepository
         name: jetstack
         namespace: flux-system
-      interval: 24h
+      interval: 6h
   install:
     remediation:
       retries: 3

clusters/default/helm/cert-manager/cert-manager-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: jetstack
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://charts.jetstack.io

clusters/default/helm/csi-driver-smb/csi-driver-smb-release.yml

@@ -5,7 +5,7 @@ metadata:
   name: csi-driver-smb
   namespace: kube-system
 spec:
-  interval: 24h
+  interval: 6h
   chart:
     spec:
       chart: csi-driver-smb
@@ -14,7 +14,7 @@ spec:
         kind: HelmRepository
         name: csi-driver-smb
         namespace: flux-system
-      interval: 24h
+      interval: 6h
   install:
     createNamespace: true
   upgrade:

clusters/default/helm/csi-driver-smb/csi-driver-smb-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: csi-driver-smb
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-smb/master/charts

clusters/default/helm/gpu-operator/gpu-operator-policy.yml

@@ -0,0 +1,289 @@
+apiVersion: nvidia.com/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    meta.helm.sh/release-name: gpu-operator
+    meta.helm.sh/release-namespace: gpu-operator
+  generation: 2
+  labels:
+    app.kubernetes.io/component: gpu-operator
+    app.kubernetes.io/instance: gpu-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: gpu-operator
+    app.kubernetes.io/version: v25.3.2
+    helm.sh/chart: gpu-operator-v25.3.2
+    helm.toolkit.fluxcd.io/name: gpu-operator
+    helm.toolkit.fluxcd.io/namespace: gpu-operator
+  name: cluster-policy
+spec:
+  ccManager:
+    defaultMode: "off"
+    enabled: false
+    env: []
+    image: k8s-cc-manager
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v0.1.1
+  cdi:
+    default: false
+    enabled: false
+  daemonsets:
+    labels:
+      app.kubernetes.io/managed-by: gpu-operator
+      helm.sh/chart: gpu-operator-v25.3.2
+    priorityClassName: system-node-critical
+    rollingUpdate:
+      maxUnavailable: "1"
+    tolerations:
+    - effect: NoSchedule
+      key: nvidia.com/gpu
+      operator: Exists
+    updateStrategy: RollingUpdate
+  dcgm:
+    enabled: false
+    image: dcgm
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: 4.2.3-1-ubuntu22.04
+  dcgmExporter:
+    enabled: true
+    env:
+    - name: DCGM_EXPORTER_LISTEN
+      value: :9400
+    - name: DCGM_EXPORTER_KUBERNETES
+      value: "true"
+    - name: DCGM_EXPORTER_COLLECTORS
+      value: /etc/dcgm-exporter/dcp-metrics-included.csv
+    image: dcgm-exporter
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/k8s
+    serviceMonitor:
+      additionalLabels: {}
+      enabled: false
+      honorLabels: false
+      interval: 15s
+      relabelings: []
+    version: 4.2.3-4.1.3-ubuntu22.04
+  devicePlugin:
+    config:
+      default: any
+      name: time-slicing-config
+    enabled: true
+    env:
+    - name: PASS_DEVICE_SPECS
+      value: "true"
+    - name: FAIL_ON_INIT_ERROR
+      value: "true"
+    - name: DEVICE_LIST_STRATEGY
+      value: envvar
+    - name: DEVICE_ID_STRATEGY
+      value: uuid
+    - name: NVIDIA_VISIBLE_DEVICES
+      value: all
+    - name: NVIDIA_DRIVER_CAPABILITIES
+      value: all
+    image: k8s-device-plugin
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia
+    version: v0.17.3
+  driver:
+    certConfig:
+      name: ""
+    enabled: false
+    image: driver
+    imagePullPolicy: IfNotPresent
+    kernelModuleConfig:
+      name: ""
+    licensingConfig:
+      configMapName: ""
+      nlsEnabled: true
+    manager:
+      env:
+      - name: ENABLE_GPU_POD_EVICTION
+        value: "true"
+      - name: ENABLE_AUTO_DRAIN
+        value: "false"
+      - name: DRAIN_USE_FORCE
+        value: "false"
+      - name: DRAIN_POD_SELECTOR_LABEL
+        value: ""
+      - name: DRAIN_TIMEOUT_SECONDS
+        value: 0s
+      - name: DRAIN_DELETE_EMPTYDIR_DATA
+        value: "false"
+      image: k8s-driver-manager
+      imagePullPolicy: IfNotPresent
+      repository: nvcr.io/nvidia/cloud-native
+      version: v0.8.0
+    rdma:
+      enabled: false
+      useHostMofed: false
+    repoConfig:
+      configMapName: ""
+    repository: nvcr.io/nvidia
+    startupProbe:
+      failureThreshold: 120
+      initialDelaySeconds: 60
+      periodSeconds: 10
+      timeoutSeconds: 60
+    upgradePolicy:
+      autoUpgrade: true
+      drain:
+        deleteEmptyDir: false
+        enable: false
+        force: false
+        timeoutSeconds: 300
+      maxParallelUpgrades: 1
+      maxUnavailable: 25%
+      podDeletion:
+        deleteEmptyDir: false
+        force: false
+        timeoutSeconds: 300
+      waitForCompletion:
+        timeoutSeconds: 0
+    useNvidiaDriverCRD: false
+    usePrecompiled: false
+    version: 570.148.08
+    virtualTopology:
+      config: ""
+  gdrcopy:
+    enabled: false
+    image: gdrdrv
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v2.5
+  gfd:
+    enabled: true
+    env:
+    - name: GFD_SLEEP_INTERVAL
+      value: 60s
+    - name: GFD_FAIL_ON_INIT_ERROR
+      value: "true"
+    image: k8s-device-plugin
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia
+    version: v0.17.3
+  hostPaths:
+    driverInstallDir: /run/nvidia/driver
+    rootFS: /
+  kataManager:
+    config:
+      artifactsDir: /opt/nvidia-gpu-operator/artifacts/runtimeclasses
+      runtimeClasses:
+      - artifacts:
+          pullSecret: ""
+          url: nvcr.io/nvidia/cloud-native/kata-gpu-artifacts:ubuntu22.04-535.54.03
+        name: kata-nvidia-gpu
+        nodeSelector: {}
+      - artifacts:
+          pullSecret: ""
+          url: nvcr.io/nvidia/cloud-native/kata-gpu-artifacts:ubuntu22.04-535.86.10-snp
+        name: kata-nvidia-gpu-snp
+        nodeSelector:
+          nvidia.com/cc.capable: "true"
+    enabled: false
+    image: k8s-kata-manager
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v0.2.3
+  mig:
+    strategy: single
+  migManager:
+    config:
+      default: all-disabled
+      name: default-mig-parted-config
+    enabled: true
+    env:
+    - name: WITH_REBOOT
+      value: "false"
+    gpuClientsConfig:
+      name: ""
+    image: k8s-mig-manager
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v0.12.2-ubuntu20.04
+  nodeStatusExporter:
+    enabled: false
+    image: gpu-operator-validator
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v25.3.2
+  operator:
+    defaultRuntime: docker
+    initContainer:
+      image: cuda
+      imagePullPolicy: IfNotPresent
+      repository: nvcr.io/nvidia
+      version: 12.8.1-base-ubi9
+    runtimeClass: nvidia
+  psa:
+    enabled: false
+  sandboxDevicePlugin:
+    enabled: true
+    image: kubevirt-gpu-device-plugin
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia
+    version: v1.3.1
+  sandboxWorkloads:
+    defaultWorkload: container
+    enabled: false
+  toolkit:
+    enabled: true
+    env:
+    - name: CONTAINERD_SOCKET
+      value: /run/k3s/containerd/containerd.sock
+    - name: CONTAINERD_CONFIG
+      value: /var/lib/rancher/k3s/agent/etc/containerd/config.toml
+    image: container-toolkit
+    imagePullPolicy: IfNotPresent
+    installDir: /usr/local/nvidia
+    repository: nvcr.io/nvidia/k8s
+    version: v1.17.8-ubuntu20.04
+  validator:
+    image: gpu-operator-validator
+    imagePullPolicy: IfNotPresent
+    plugin:
+      env:
+      - name: WITH_WORKLOAD
+        value: "false"
+    repository: nvcr.io/nvidia/cloud-native
+    version: v25.3.2
+  vfioManager:
+    driverManager:
+      env:
+      - name: ENABLE_GPU_POD_EVICTION
+        value: "false"
+      - name: ENABLE_AUTO_DRAIN
+        value: "false"
+      image: k8s-driver-manager
+      imagePullPolicy: IfNotPresent
+      repository: nvcr.io/nvidia/cloud-native
+      version: v0.8.0
+    enabled: true
+    image: cuda
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia
+    version: 12.8.1-base-ubi9
+  vgpuDeviceManager:
+    config:
+      default: default
+      name: ""
+    enabled: true
+    image: vgpu-device-manager
+    imagePullPolicy: IfNotPresent
+    repository: nvcr.io/nvidia/cloud-native
+    version: v0.3.0
+  vgpuManager:
+    driverManager:
+      env:
+      - name: ENABLE_GPU_POD_EVICTION
+        value: "false"
+      - name: ENABLE_AUTO_DRAIN
+        value: "false"
+      image: k8s-driver-manager
+      imagePullPolicy: IfNotPresent
+      repository: nvcr.io/nvidia/cloud-native
+      version: v0.8.0
+    enabled: false
+    image: vgpu-manager
+    imagePullPolicy: IfNotPresent

clusters/default/helm/gpu-operator/gpu-operator-release.yml

@@ -5,16 +5,16 @@ metadata:
   name: gpu-operator
   namespace: gpu-operator
 spec:
-  interval: 24h
+  interval: 6h
   chart:
     spec:
       chart: gpu-operator
-      version: "v25.3.2"
+      version: "v25.10.1"
       sourceRef:
         kind: HelmRepository
         name: nvidia
         namespace: flux-system
-      interval: 24h
+      interval: 6h
   install:
     createNamespace: true
   upgrade:

clusters/default/helm/gpu-operator/gpu-operator-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: nvidia
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://helm.ngc.nvidia.com/nvidia

clusters/default/helm/intel-gpu/intel-device-operator.yml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: intel-device-plugins-operator
-      version: "0.34.0"
+      version: "0.34.1"
       sourceRef:
         kind: HelmRepository
         name: intel

clusters/default/helm/intel-gpu/intel-plugin-operator.yml

@@ -5,16 +5,16 @@ metadata:
   name: gpu-device-plugin
   namespace: gpu-operator
 spec:
-  interval: 24h
+  interval: 6h
   chart:
     spec:
       chart: intel-device-plugins-gpu
-      version: "0.34.0"
+      version: "0.34.1"
       sourceRef:
         kind: HelmRepository
         name: intel
         namespace: flux-system
-      interval: 24h
+      interval: 6h
   install:
     remediation:
       retries: 3

clusters/default/helm/intel-gpu/intel-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: intel
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://intel.github.io/helm-charts

clusters/default/helm/longhorn/longhorn-release.yml

@@ -5,7 +5,7 @@ metadata:
   name: longhorn
   namespace: longhorn-system
 spec:
-  interval: 24h
+  interval: 6h
   chart:
     spec:
       chart: longhorn
@@ -14,7 +14,7 @@ spec:
         kind: HelmRepository
         name: longhorn
         namespace: flux-system
-      interval: 24h
+      interval: 6h
   install:
     createNamespace: true
   upgrade:

clusters/default/helm/longhorn/longhorn-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: longhorn
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://charts.longhorn.io

clusters/default/helm/metallb/metallb-release.yml

@@ -5,16 +5,16 @@ metadata:
   name: metallb
   namespace: metallb-system
 spec:
-  interval: 24h
+  interval: 6h
   chart:
     spec:
       chart: metallb
-      version: "0.15.2"
+      version: "0.15.3"
       sourceRef:
         kind: HelmRepository
         name: metallb
         namespace: flux-system
-      interval: 24h
+      interval: 6h
   install:
     createNamespace: true
   upgrade:

clusters/default/helm/metallb/metallb-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: metallb
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://metallb.github.io/metallb

clusters/default/helm/ollama/ollama-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ollama-longhorn
+  namespace: tools
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: longhorn

clusters/default/helm/ollama/ollama-release.yml

@@ -0,0 +1,35 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ollama
+  namespace: tools
+spec:
+  interval: 6h
+  chart:
+    spec:
+      chart: ollama
+      version: "1.36.0"
+      sourceRef:
+        kind: HelmRepository
+        name: ollama
+        namespace: flux-system
+      interval: 6h
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    ollama:
+      gpu:
+        enabled: true
+        type: nvidia
+    service:
+      type: LoadBalancer
+      port: 2123
+    runtimeClassName: nvidia
+    persistentVolume:
+      enabled: true
+      existingClaim: ollama-longhorn

clusters/default/helm/ollama/ollama-repo.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: ollama
+  namespace: flux-system
+spec:
+  interval: 6h
+  url: https://otwld.github.io/ollama-helm/

clusters/default/helm/prometheus/prometheus-release.yml

@@ -5,16 +5,16 @@ metadata:
   name: prometheus
   namespace: monitoring
 spec:
-  interval: 24h
+  interval: 6h
   chart:
     spec:
       chart: prometheus
-      version: "27.48.0"
+      version: "28.0.0"
       sourceRef:
         kind: HelmRepository
         name: prometheus-community
         namespace: flux-system
-      interval: 24h
+      interval: 6h
   install:
     remediation:
       retries: 3

clusters/default/helm/prometheus/prometheus-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: prometheus-community
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://prometheus-community.github.io/helm-charts

clusters/default/helm/sealed-secrets/sealed-secrets-release.yaml

@@ -15,7 +15,7 @@ spec:
       version: '>=1.15.0-0'
   install:
     crds: Create
-  interval: 24h
+  interval: 6h
   releaseName: sealed-secrets-controller
   upgrade:
     crds: CreateReplace

clusters/default/helm/sealed-secrets/sealed-secrets-repo.yml

@@ -5,5 +5,5 @@ metadata:
   name: sealed-secrets
   namespace: flux-system
 spec:
-  interval: 24h
+  interval: 6h
   url: https://bitnami-labs.github.io/sealed-secrets

clusters/default/media/immich/immich-db.yml

@@ -1,30 +1,33 @@
 ---
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
-  name: immich-db
+  name: immich-psql
   namespace: media
 spec:
   selector:
     matchLabels:
-      app: immich-db
+      app: immich-psql
+  serviceName: immich-psql
+  replicas: 1
   template:
     metadata:
       labels:
-        app: immich-db
+        app: immich-psql
     spec:
+      initContainers:
+      - name: cleanup
+        image: busybox
+        command: ['sh', '-c', 'rm -rf /var/lib/postgresql/data/lost+found']
+        volumeMounts:
+        - name: immich-db
+          mountPath: /var/lib/postgresql/data
       containers:
-      - name: redis
-        image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
-        env:
-        - name: REDIS_HOSTNAME
-          value: "localhost"
-        ports:
-        - containerPort: 6379
       - name: immich-psql
         image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
         ports:
         - containerPort: 5432
+          name: postgres
         env:
         - name: POSTGRES_PASSWORD
           valueFrom:
@@ -39,9 +42,13 @@ spec:
           value: "--data-checksums"
         volumeMounts:
         - mountPath: /var/lib/postgresql/data
-          name: immich
-      volumes:
-      - name: immich
-        nfs: 
-          server: 10.0.0.10
-          path: /home/akshun/immich-data
+          name: immich-db
+  volumeClaimTemplates:
+  - metadata:
+      name: immich-db
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 5Gi
+      storageClassName: longhorn

clusters/default/media/immich/immich-ml.yml

@@ -19,7 +19,7 @@ spec:
       runtimeClassName: nvidia
       containers:
       - name: immich-machine-learning
-        image: ghcr.io/immich-app/immich-machine-learning:v2.3.1-cuda
+        image: ghcr.io/immich-app/immich-machine-learning:v2.4.1-cuda
         ports:
         - containerPort: 3003
         env:

clusters/default/media/immich/immich-redis.yml

@@ -0,0 +1,23 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: immich-redis
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: immich-redis
+  serviceName: immich-redis
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: immich-redis
+    spec:
+      containers:
+      - name: redis
+        image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
+        ports:
+        - containerPort: 6379
+          name: redis

clusters/default/media/immich/immich-svc.yml

@@ -36,26 +36,28 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: immich-psql-service
+  name: immich-psql
   namespace: media
 spec:
   selector:
-    app: immich-db
+    app: immich-psql
   ports:
-    - protocol: TCP
+    - name: postgres
       port: 5432
       targetPort: 5432
+  clusterIP: None
 
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: immich-redis-service
+  name: immich-redis
   namespace: media
 spec:
   selector:
-    app: immich-db
+    app: immich-redis
   ports:
-    - protocol: TCP
+    - name: redis
       port: 6379
       targetPort: 6379
+  clusterIP: None

clusters/default/media/immich/immich.yml

@@ -16,48 +16,37 @@ spec:
       labels:
         app: immich-app
     spec:
-      initContainers:
-      - name: wait-for-redis
-        image: busybox
-        command:
-        - sh
-        - -c
-        - |
-          until nc -z -v -w30 immich-redis-service 6379; do
-            echo "Waiting for redis database to be ready..."
-            sleep 2
-          done
-      - name: wait-for-psql
-        image: busybox
-        command:
-        - sh
-        - -c
-        - |
-          until nc -z -v -w30 immich-psql-service 5432; do
-            echo "Waiting for psql database to be ready"
-            sleep 2
-          done
       containers:
       - name: immich-server
-        image: ghcr.io/immich-app/immich-server:v2.3.1
+        image: ghcr.io/immich-app/immich-server:v2.4.1
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              pg_isready -h immich-psql.media.svc.cluster.local -U postgres -p 5432
+          initialDelaySeconds: 10
+          periodSeconds: 5
+          failureThreshold: 5
         ports:
         - containerPort: 2283
         env:
         - name: TZ
           value: "Asia/Kolkata"
         - name: REDIS_HOSTNAME
-          value: "immich-redis-service"
-        - name: DB_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: immich-postgres-secret
-              key: password
+          value: "immich-redis.media.svc.cluster.local"
         - name: DB_USERNAME
           value: "postgres"
         - name: DB_DATABASE_NAME
           value: "immich"
         - name: DB_HOSTNAME
-          value: "immich-psql-service"
+          value: "immich-psql.media.svc.cluster.local"
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: immich-postgres-secret
+              key: password
         volumeMounts:
         - mountPath: /usr/src/app/upload
           name: pictures

clusters/default/media/invidious/invidious-companion.yml

@@ -0,0 +1,28 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: invidious-companion
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: invidious-companion
+  template:
+    metadata:
+      labels:
+        app: invidious-companion
+    spec:
+      containers:
+      - name: inv-companion
+        image: quay.io/invidious/invidious-companion@sha256:639c8b32dec2e0200c36ed369cf494eb0ca765fdb14d5890d7f460c89a34272d
+        env:
+        - name: SERVER_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: invidious-secrets
+              key: INVIDIOUS_COMPANION_KEY
+        securityContext:
+          capabilities:
+            drop:
+            - ALL

clusters/default/media/invidious/invidious-config.yml

@@ -10,10 +10,10 @@ data:
       dbname: invidious
       user: kemal
       password: ${INVIDIOUS_DB_PASSWORD}
-      host: localhost
+      host: invidious-db.media.svc.cluster.local
       port: 5432
     check_tables: true
     invidious_companion:
-    - private_url: "http://localhost:8282/companion"
+    - private_url: "http://invidious-companion-service.media.svc.cluster.local:8282/companion"
     invidious_companion_key: ${INVIDIOUS_COMPANION_KEY}
     hmac_key: ${INVIDIOUS_HMAC_KEY}

clusters/default/media/invidious/invidious-db.yml

@@ -0,0 +1,59 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: invidious-db
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: invidious-db
+  serviceName: invidious-db
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: invidious-db
+    spec:
+      initContainers:
+      - name: clean-db-dir
+        image: busybox
+        command:
+        - sh
+        - -c
+        - |
+          rm -rf /var/lib/postgresql/lost+found
+        volumeMounts:
+        - name: postgres-data
+          mountPath: /var/lib/postgresql
+      containers:
+      - name: postgres
+        image: postgres:18
+        env:
+        - name: POSTGRES_DB
+          valueFrom:
+            secretKeyRef:
+              name: invidious-db-secrets
+              key: postgres-db
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: invidious-db-secrets
+              key: postgres-user
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: invidious-db-secrets
+              key: postgres-password
+        volumeMounts:
+        - name: postgres-data
+          mountPath: /var/lib/postgresql
+  volumeClaimTemplates:
+  - metadata:
+      name: postgres-data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 1Gi
+      storageClassName: longhorn

clusters/default/media/invidious/invidious-svc.yml

@@ -15,3 +15,30 @@ spec:
   - port: 3111
     targetPort: 3000
     protocol: TCP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: invidious-companion-service
+  namespace: media
+spec:
+  selector:
+    app: invidious-companion
+  ports:
+  - port: 8282
+    targetPort: 8282
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: invidious-db
+  namespace: media
+spec:
+  selector:
+    app: invidious-db
+  ports:
+  - port: 5432
+    targetPort: 5432
+  clusterIP: None

clusters/default/media/invidious/invidious.yml

@@ -33,51 +33,6 @@ spec:
         - name: tmp
           mountPath: /mnt
           subPath: invidious.yml
-      - name: clean-db-dir
-        image: busybox
-        command:
-        - sh
-        - -c
-        - |
-          rm -rf /var/lib/postgresql/lost+found
-        volumeMounts:
-        - name: postgres-data
-          mountPath: /var/lib/postgresql
-      - name: postgres
-        image: postgres:18
-        restartPolicy: Always
-        env:
-        - name: POSTGRES_DB
-          valueFrom:
-            secretKeyRef:
-              name: invidious-db-secrets
-              key: postgres-db
-        - name: POSTGRES_USER
-          valueFrom:
-            secretKeyRef:
-              name: invidious-db-secrets
-              key: postgres-user
-        - name: POSTGRES_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: invidious-db-secrets
-              key: postgres-password
-        volumeMounts:
-        - name: postgres-data
-          mountPath: /var/lib/postgresql
-      - name: inv-companion
-        image: quay.io/invidious/invidious-companion@sha256:9c6039ebe1691e70c76aefd207b1ea2784a4d8d1a7c531cdb18e6d1317c468e9
-        restartPolicy: Always
-        env:
-        - name: SERVER_SECRET_KEY
-          valueFrom:
-            secretKeyRef:
-              name: invidious-secrets
-              key: INVIDIOUS_COMPANION_KEY
-        securityContext:
-          capabilities:
-            drop:
-            - ALL
       containers:
       - name: invidious
         image: quay.io/invidious/invidious@sha256:2836b5b8226a53a9cc2afdbd5f5fe6bccdd200f2e17cd92a828b4dc8d8b5cc06
@@ -87,6 +42,13 @@ spec:
         - |
           export INVIDIOUS_CONFIG="$(cat /mnt/invidious.yml)" &&
           exec /invidious/invidious
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              nc -z invidious-db.media.svc.cluster.local 5432 && nc -z invidious-companion-service.media.svc.cluster.local 8282
         env:
         - name: INVIDIOUS_PORT
           value: "3000"
@@ -106,6 +68,3 @@ spec:
       - name: invidious-config
         configMap:
           name: invidious-config
-      - name: postgres-data
-        persistentVolumeClaim:
-          claimName: invidious-longhorn

clusters/default/media/jellyfin/jellyfin-pvc.yml

@@ -2,13 +2,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: jellyfin-longhorn
+  name: jellyfin-pvc
   namespace: media
 spec:
-  accessModes:
-    - ReadWriteOnce
-  volumeMode: Filesystem
   resources:
     requests:
-      storage: 15Gi
+      storage: 5Gi
   storageClassName: longhorn
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce

clusters/default/media/jellyfin/jellyfin.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: jellyfin
-        image: jellyfin/jellyfin:10.11.4
+        image: jellyfin/jellyfin:10.11.5
         ports:
         - containerPort: 8096
         volumeMounts:
@@ -40,7 +40,7 @@ spec:
       volumes:
       - name: config
         persistentVolumeClaim:
-          claimName: jellyfin-longhorn
+          claimName: jellyfin-pvc
       - name: cache
         emptyDir: {}
       - name: media

clusters/default/monitoring/homepage/home-secrets.yml

@@ -6,22 +6,23 @@ metadata:
   namespace: monitoring
 spec:
   encryptedData:
-    ALLOWED_HOSTS: AgAUKCAFKds1pbbKlF45HLQC238Ueg2kaS83tp23uE7MCUrzFDMF8OrRwVg79cLFcQlKVMNj4FYHqMpkRHfueOAN9shIXMPfEK+IzQvzl4r0cMopuuBRumq2/ObGOLudeK3JWQm5CygmRFGi3auJS8EBD+a3xGPJPlgb6b7J7SrMka0DjIUZxLAknSVLP6fI05ZUQjnP4M0Rv1FaO63VrXOhQ+1boReiuc0mSFA0HR1M+Jv3NscUhxx9KwWdJL3igH+84PUC6JfvFyrY5E+V+HVCf//W4yIT+tTiWIQ03ySCA3+Fpdsm+RqvUC3Hqpf/CC/HpTx8pSLeVYFT3Bak5OgQNen4HBANwBuns8CJLMKKLe7OQfluzc81EnGjcBOYJRjZTXIyrkvLBsRdNodK/ho+YeO65f1ZOZVVL1XsCa2R/YemvPiRYhjyIiCNNi+HSzDUwc8hSuO8JHIO6NK+pswQgL0IqbGudl7JOJzcbEfpFwV4NUZLbO/McWpr5h/L0ZHmjf8weD52YKkoppjLbr9SXPRqGsHQkURoVQcGEerd/+IWWeV/6dT7Do6GRZGUWBuiCuxnXFgVnkUx3FnDSZ9Pd5nj5oGKrhzs3F89aeD50FkVEoXhW9FTXh+WPwfzyRfj6UyhthUE/sjs93aghjXqKrdEcNE3aUEQee2FTEQ0HC7XpEXmYnjqoD15kD/+azBaCeyddbVpfZJ9eovy+ribwWg=
-    BAZARR_API_KEY: AgDFkohbhrDZ2yYGHRCmu29+jqwxjp+KVIivRMiCMoFGglFA6HZYvGuwpNtYH8uFCmRmOx9ew8/xzhGLfsjye7Flnrt8FZ9l9MvgVVkSa4YaQBlM9mFx+esM4Q0B4LUoswKD4+jdvqAlEB427TZLYUgeZ4EMNJnhIfT+HtlRTIZdSA9i8GzFu0W1FyLf/KyF9IUtn+6sUAuHBpj0aqiYxyhkW6jXFIQ8suG8PpQPWsXKBotdGu3tei0dCsCs76phqDFONEWlhhpLdPGEFtkfF+HXaf4mZnOUhqguKVMPsmjEfUWOm7KWUqF/ya80k2eSXu/GT5FtofISNAsyth5iU5F/f4QdJaQb1T0ZMOzVvBURD4ddCEAWI1v+Ea+P/dvOEULpi2QN6VSLSkUagXgKJV5CKEDKHJayw3lY2t/8wCO3qvuNgl8029asuAML6MYSnI5c3aKcDbIRyEgu2j1yJdWlS4RI/2u+Ga0pWr5sC6E9ehufUI8hdcMe5dxlTfySp/rgZ9wV7c42MgyDsIKsUef/8fN2WlqVMbiocS8eUYxVrjTgUhoaDYgaGIl+ex48Tz14OH9wCNtUfL39p6sxKl1XW5slUz0mdtnQoOajdSwGRfVCVeACiKs/jTnsAM4DEy0Uuz/q0l7SH53gN/8oQNAqEgJbVwofsC3Ka5EnjZEv54zcLQuya2VojsR6IdwRK6ju2oTa7kvQZiL6GrF9yz0UDLYo7iEJsk9Bw2J5fAGxQw==
-    DOMAIN: AgAKkN95LerXHe/p1CS3O/foK+ouRxBVwgOpinqC5Rk5shz2CQ8YYR0AsTeh2mN2zHYB5jyrAdCTxsSGbe/ZbwdwWm9MiDKHwYZKiHI8UazXfIKm4sFLlDtyi57ChdkQLzHALvnAILygMzSGz8uZjJDan88ByeFW2rTqYYQnylbHJi0TTIeOAGoYWbxD6FdQQbG07DYLLb/1gSDtDoAV/omD2xIOttii8m54ZzTzJpThCZWVige4Bjdl+h+BRCkZJ6AwMRrXZ7hyb/0Qzo0LDYog+TYVKaX8jDnIsszudGlOikVtdVhhu1OeLYB+ma7+zYRC0tq87LryFvSc7lR7gMh2QwHnkNmqsWK0MuXvg+F04i+xJFcj8wpEUKH4DvcApGRG7AbYi9CCk29O+jZzvbaEVvO571cIaJd1SP/CtBjiuArVU826IW3wNxu9Wz0bOtZEkcMMqdst41Q2d5ESm0LDFlrrHZZG5Bc/2NCCAVMjiOgsRRaGLvLWUwaDoZO2rrmx7q5d6plmTplmNS2AP/TVITdpG4MIKe+VtZ842uF3tXbeQt7y624c9db+R8wSun5QPZ1nS7c9m9SRi+dIe9liTnaeNRw/HQDawwwxeHpYWEfMKjRYon7JicBV0EL5/HAXlrhOEKSGgGLT8U3zeLT8uvIcBpU8AcMWJZoGOSi/XTgsI5jy7H0JO6B6OBd4nGlW5N0Mrg1B9RH1Dp0X
-    GITEA_API_KEY: AgBDJSM/3KOBDpL2u3aBUWP4Dczx0X669QmNb7bMDft7UY4P07MDIZGgLe19Gu39nsFvp0La9SGv7xPz42jSwM4dB4vEifnD98b86fD2GdVMTUwfScH2E6KatNuI4f713kLFryYqBGxcFQ1ka/2MmXUHaEwo//MhL+pcVzaK/WDej6coGb11Cp51W8R2OOxSHr1wToErtfOEn/0ucVop01QrMbEmj3dnuGGAXPZthmZ00vTzuUfNFJQqKEboNE0kt0EsqiAdHCTdYyRVFOEMMjSgxYecfnn/nJ3feXRimVdspzRAm9pOclbASrq3KUOmdyRyABAfHW2HZq3tt8O2nAE2ZkQ7o3+g0uZkgclq6Duhnehn0cvcUzfDkVKuzz6SAMVo550VsvtFVbmyu3RgzLJXZDA1UYooV7f1PzEL8ejO6Y7FTfr6b+0sGzLGiwBDpjJsmVFSdMvVnJ38bvwmyOQxp1CFsmNxY5zlQk6vjQv6A0M/hZ8K7/E/9oVw9asfDeO9Tiy43IQiyn7egTty6loOSXrNwb3shcndctLyYNAt0wtmyfWUmoQnbpd6ME73VSf+KIpgp4ypiKMY/Ec6bUPYxCl0GM126pg8UPVPvBcB0JEL6+8x6fsB9z+kqfIohT6gzekdPN2FArDWBfoBg0Tro2uKAqEcpXROGfjSDe+NMWxGeTPCto5bBCs2z5VM6IiDLe6QItfy2BOsAqIaYxgrhvHdQK36Y/KvhxTpqLtyeHVe7RhVwIvF
-    IMMICH_API_KEY: AgB302QdlUawaxR6aVH5HhOlHWRIHtievkVaeFecOWwH0+N2hUvSFt0N7IQQD4G+cZFjoIgStHuAuaFFvYmDI8iw5523ui94nXFKXJ04Dz+/4IIwl/rzqEWBVLI/GP/XWsknh9hnZtaPTCSp8IpXji6+k4ZU8vPBQFVr9IgdXO/Raz7yzGTEwP1rNu3mkizVn6RWuy4LwLrPxq4tdJ2mVN0zqfaSpQZTPBs0AbMvtN7EBfNTnnxqHFMn+Zqt/EfUHkhMwHd9bAop+XMDyc7eoFgwCtGZATV7Z1NmQX5+HKGIfIONf7HVvygCWqhKRTn7fShQj5W9/kAkKm98WfyPrCerF21fid9sCYJ4u6p4Jhzi/sqKV5YPhNTBD4d8p7dRvo3f9U/aPj/y8IpIrsXDhdquXOypN69YNKv98R7bqdcuZ7BMd/B447byR2MCe3F40SsQwmUr7jHAql75q1F4CMjcUMIUGwN4pxLTdOTmHKSdHaN9VnmDK4rmfawph1iE8Spx7NS8fxQ5oLUPat+VTENHv7agVNvrowcxZIAtT1t7EMe5i5Gqr8pzddg0HiH4DfmbKtioUxfrGDr7rVpHHgirm2S/KFGEJD78hc17QYUQIYtXYL6DB6PZ3cZ6nDq9R5Y1QuTP/cieYfLVtPsmBq85WscFWzzB7cc3mKvmd6gHrNZ0ldxpQZhsfEQohRAjEF3GQKhglbeY8FIIBOAOaDoch/qCr7dmDJ6ARz81x5wBwAajmScHHD5bdTg=
-    JELLYFIN_API_KEY: AgC2gPgvLMIxZkyvGJvLXqFOTDOiz3PZyt2JVAlQaqZpDJf7gsZ0vQ5u4CeFqgB5xLYYOuds7ShaRhqopFC7PO/YOVRRthU84AGYBBer51y3Ind7SwHzJVfjqcexkuqh/an4wqWvsgl2ESu5kisii5FIgMEdAXrnq77/E3Qnlv5Fw6HSl+MGAX5rw0sGzAhpRMCCDJFoYBcECXIhCKnZKfTxE1TQne+NPmj/oymvQGCY3eKnv0LbjdbFzRHWWmfK4QbiC2L8fnrZ3Iuumhorjb2u/aa++21JwL9UfvAhaioZn/KAbVTgWphQMARpOZBw9kfvU+GLW3I+Jkzt39KYFhgT4euce0LwgLwdnYjw81o+CsS8U5IaVRAuLNCwlcYkWLmg/R9JcwyjznbNt+mYP1iUPhpiLD7n/iV7JtLI0GvqSZHohBa9Pu5gNQ/+NN4XG3ujaDRvjVSdfb/ZTxnxWFgpbEjkLDs6aLnjRkGa1aMOczli5GRJPJ65N4oBT2kTSz14Z9LqF3eeiEb0HMZcvbIe/WGguPWM/5y3jcCH82JDUJNBeEOtgm4UT8zWnrFRce8p1CKy/CPeAjTkoVyQJ8hRRv6SsKUNd2Vqs4FP/PrvfdmQxNZcUEithuZ2afrXEshg01KORBm0g8eWoSXTrKUFL0mdsoHGLrzB6U56FJN1+L9FE6w//qbuxkP703NmWeSiHLWfk0hLrEt7ntczt/ZCOopu4FX/FKKnhyN7Usp9oA==
-    JELLYSEERR_API_KEY: AgAt/JMmEK2igQQmQYF3/eCmoRTh58GUmA7F7jfkzmjyswSljX2kyRSC6SouxNQ+NxtqoQ3toJnuc2twN4g1uWZabRZf9nNxlFYswItex7hWQela5YMGXzvkhk+peStfn3chrWqrvUuFDswK907tf9T5jf0xA4ZIglDocckLH58zqFYSPin+i7Dl3xN9R1Y7fpFDMKjFlnZ/6NvWBLd7kOBJtEfxxFiBIPpBc0X8ygQWv5v31DTVjaXOxglAtS2rtf4DUZYadjAGFCZ6M1NIUHg2Uwga/C/uDAMBjN/umnsrDDjS9Zug/n9D5WKpLzAwiLs3JbXVvfbpbJKUJEI2GpPh4msokFR+NmXwT2HhA4pFpzoOQxS2SFT6Jx2AQs8fVNGazEP+PrOXw+L8MM0Z3NDP5gqFwasgu6kopCK+2hOObZq9GBEXcb2OJmg/xVWHL+IAJTf5afVAIEuu6k//I/W8VVn2VlfTnwDLPrxbr3ILHILaMZbuZR9nY8zQ1TL+4vvji9RLQ3E3fTSeqvhu8+dvCRg2oG8nPSLD5BRrmiV8jHh3fT410RKzXmWJTgN9mNADSePsOH760KsfB25U+4xUBvqYuab08/NvYkrSrn87SpZ2rS3IebKSyLjyK6rqhzHLzR9iNBlC/YCdyYxVBN7WHPevZBCxEr9uPSxt557n8JY8qpDTPncr7y5yeNnPs9gHCLbgoaFL9TKAHux40sdQRA6LwhD5MraKwxrNHqjch8hP8gqiWo5klwYnrA+NMTXhjCh/zn3YG6V6JCEv2HFvkwoJ1A==
-    NEXTCLOUD_PASSWORD: AgC1Qd25JG72huqwQQquQ+J3pzdRwdKA5SmJr2apSCwSp/CDgj3J+du7HdcOv0e72xbf87cKyfG3bKJibYhsLvem4bg3fd6nMd9JghC38gAC+QEQ+eXb1sFcAuMk8pfHC0RKuZYhvi1o3TO7KOPID3uAPD3zscM0AczSREzqHSn1nei7jSQ0+fT9ZmmHC+nO1iWJdahlgWNVYCqrd5lO3zJjVpRjDH3nnz7zAyle7lEx6CWJDkLPS6sDaRYw2wepqRcYZ4rbC+91Nh5qr9Fphnf3S38VZDkkfiYLZY6o9Baqz2I8Wj2XCz1oIV7Ui6hkc5zVVDLmQGqZSED9zMV0YznCU7c5HNglYCrWUWiEu+kBetGPeiUQjx444PWoQYxTOgBoBAQD4EM8QeK5O+pjBfhrOrTLO3S2nmf3bSJVp5VA6JE8FfG0zuPQOJU4cbLdZ7HKyLaHsTvrKxz4KI6jo9Ic4bN7jC0pLNWFloSOFTfd4qwl7Sd5TK8Yf9lNFDLJFIErN4j4D9OOh1SMp5jA3/2KJsYu0yOtbNdNOetvoWSot0FCTsA7IdXL0fLLfo9LvAUlsRKehyow+cRg7c/MrRz34WZCMBDiDu4vXJp8L+8kA7yepUfdvrt/VqpblZisqspdJWPkUxfuMWIzT/bu6bd0nkWaxZjM46n9KMgkD9SMDqIdUlZaKQKrXLJWojMMtpaad9GmOREig6T+7A==
-    PIHOLE_PASSWORD: AgAeo1207dqEPIRKom8exZkq3gZfN4//avKzparh7fZ1SrvmzuU/cnPwvhMJrUnjziuq6mssFmMppUHLDqdNL/jkHHBfwyacI5ZWJJ0YL9/oMKhs5ujlsOOlgJcUBm6FZZ2YOX47uuBrF+OPYNzDSyVALJiRAdKGnRNEc1HiQ4LBHjuGqVvEeFmv4XXpyF6D/67lFRm3TSt8gTWtddSBlVDLZxAv/IunTpsgC+q1n7EiYCFTwqbhN09MnT9bVy5UVQ4cGiGIpZyZoJA/+7I1HkRxzOi14ZcEy12qcEhQUdaMkBxjUN8aUjm5tiwl47H+6ChPzakK2IWF1FVJseGTTthXKjXZwIRwy5h4ujEQ9kyPpeUTIz6T9xk9npFU4BmKpdtSdq39NyWtiuO/kJRbd38iNWdjQkcr50Ycc0HYbH2EuzmUJvK92RnsiFDkT+UppI/rAu3Uvl8OFdfnZp59gOEEuIdQmNDhP31KfCWp8A8Wqt/lX4AKwaQdXzv5jTZQMm0hhQttt0QuEnS12/hwJoC4O6Cu3gCAjlAxAUVrTye//8Lf7pd+/ZxxB1gLtWDMy45AXQOQvm/g0t5OLhb/3Ib9uH4im6dPlSo8EqX6UGcDcCbROxNOytZkpgaslsEpSese8q8lgbEE7j8UIkOof+UbsikzPslyLqdtO7GVINWkQw3SpdUlu5dybqlXk0cgQusCZ72BRjut23l3vQ==
-    PROWLARR_API_KEY: AgB6vNTTovXWjFCFxtZinPT2iEcesapI9iHEXVAmvYjzz+14BDNHisskMkToVg4wa1gLrF1bSWjKvYSI6Sb5LWlu8qyjjjvcpzQtFTL4VseXaDtm/hkgz/w0RwDwmkASphgJ4tMEW3noCzENZCldNlAgnAUsy829CDRqgdfyHU9SnXYe/X+LyNql+JkswvK4YoEntk79E3hl4c9wUc6PnRUV3bfs51I8vkUlPkDxwg5xKTl5eWk2ZcrJv9NXaO+C808RKjNlQAdN5Nx3j/PWgrSA40j+YW90WYjds32Gqtxo7Jh1KSevjQaLul2C4zcMcSJU+6XtYRNlKsgdfD8luDm22zW6fGIfS3TZV+TlXF8haJSmKQEle9dm0bCdbff/wAHcyudTesv314UnI4Ff5zGKfHRL6vvzsLa6WQ+W16qx18WzLXuLJV3AduzAXCAKPswcY6r/xGpse6KmTi9g10wf0zJ7v8Fj8QYXIcU594a1As4Cg8aVxCTHiZrKTdiBkV/HvHu+dFUi1J4tWDE93BKCFtDRFtpv67FZyQ1jd2CcI9t7lJGtfJqVoVcPCvEczLu9vNAiGyp6pQt0MEOP053ndHmhjL8kQz35dXQeV5qGT8yVBPXaP4m6ib5OV+zVhQEQuqlnd/hQ1IrD28Gh0yNw7mdwVxUTCUdFZYX6VuKkDm66QxQqyW1vAy2JKewTbjQW2vhlj3EPleIETi5fSVbKrOwioM7qlpAUxDkmr1FXbA==
-    PROXMOX_BACKUP_SERVER_PASSWORD: AgBtWazeVChipqazWVp5IDp3u2KY+4uGCjxjhydZ0thfptGhegppNEfaqqYFT2+F1bHYXDEZFQwuuVHLBRD5ArT89jib/xks92/pBR4SDVf5kfkGiUKAz1n8R8os+YIN3XfQ9nxCoePpmfCVkmJnz3iFYM47shNYc8r39YVBAsMYV7WH2au1xbIwj1sQ4E6azwCo6/Scl9Cb0z/voHlwGxo92KXcryHSQNjDQM4o6NlzniJ0MK0OpFMPy78JB7G/VpS0wQFC7J234Xjc1vqW0gSqjadoThTirVhBGqRGcIY95I4ogb8lNBErcwvBvUx7k11of1978v5R7DcYV8mD0ef40fxVE0UECARnAz7c+zoTvqqAUmjGw/znHbuKECEdLEFUd+ogu6zgH0euik0wmoBwvAwOmTSgvKdKogJQee7swOnYoI7ytQixZv42f9K7HSd7QrRKLZNNMSHkcQ5sSQIT+2KPCj9vpZWT7b0gD6w5HxEFc5FUQW9a4XuNw4TX4HSz1tTKJGhLha+7ulmknsDnmsQl7lrkCG+6B33EMsteoBUro/4AuLwwjgp27hoTG/RmW3hA26UaJkujXpSzurkclKrHfcpUP3RmrFYGYGv+eH2vx3hNkuZgfEslCuOu4H+i3zslNsbwy2x1MtqRQsjNQ+guKJTEVsYcN/QT9tR2PnHpJu1IdH8/ZALHYNYaKHxXAzgPwyioeBFtQz/8pT9E+TMKZjam+3nPoA+2EaWLEA3L3Gc=
-    PROXMOX_PASSWORD: AgDAyutvM9QB3MoZYUrEuqnG7HthwshmDaDA4hV2zyURkzk72u9LjpFwKicvFf4+2lVocDfYebqU9mWEVRjnNBHELaN1xSWXSd4jwOndlIrNMJVGeuhi/ohMIYN0MgRGw0FkvdpN2//akgmLdaP4ugZ3N8QV19qCYAi6QyjMJE8U1ASuJDdkAZddOgqmLwamEk2ss32gTj0cHsw4P7VTtKhBCTctoPZzC6hfuaOI8Gn2k0eRHgh+yLgZzXxzQDUUx2I8n3iEuTq8j0hTxZ0D0BZRnsLVRE7CTlT9eWMud6vHLCbqlTUwA8f54t7eB6eFbADHsBbreDImDyzLW76FYo9OtcVYZ+LEDRplh9LYQjlvStvHDRsG/H4GbkQNZRUkUUwiDbAVvNClxC3kk6WzsX/TvJErDDV+1fKxdEYLowlDR3/w/T1h59zjgOw3ZUU+CUZIqXsOwFNd5/JWxqwdHZaSJe17OxsNUFx9ARyLkFAm8tZvgyfiw5SzMUaPEZrQNcjwDnf960OhUKaeWHory99StqOfnbB5HqROltnlWZDdoxzKwzkdkSYrWv6OhUR5WvwDKW5I3biVMYflwXrFSvH0+q3DMB3hQ8ydx/JTUmjMB5vVntRBjiiofyUGkG5jjL3I2kcAPEJKCEsng3PPhaNzR8KqaAEdPixAArNPmL/KkZetNpUFR1EPppwSfh5BspP0cg5n05V2mv09XOT1J8J9Urt2mJ4fQON++LxfPHQcvNqFans=
-    QBITTORRENT_PASSWORD: AgCCcxImOsReceVf9/euw4xQZXwnJbT1ete2Vmcxbqk3859SMKDWi/KZzGsbsnI8fbljdmxxBIODf4VBOsNs8Jxv5ciQLJmZa6VNAxqNXOFWZ7urVb33dwwQqUyLFJ9UhdAXeWFPbz4vkK6Mr4x+kn6UBYyI20xos3AqDHCbdih4N1foy+aW874xZZ13kH7rxAiF537MkZZPc2VVQMMovphJuKTDXctPzjRHTsGZb3YmUnjbGCRkQGwJqxMr1CincgPyrI9EHFCnj8+xZpWd6CNgFgADNaNTquOtb6W4od6SVGw78/xUd/TNM3KRscH9wnU8nsrJumMslqGPSy2Btu6uFjAfDJo3DC5bh1ZB/kIlMz64r6fI8V5hogl6Iq8C4QBZA0jwyfeHVP9pZmityLDADvwFlnNUd1yfCskp6lfrDd3vobHslLeelIQBsYNDqd05AYwg4tOpvjtIt3jUOYGNo09Rx8DyzJ4fOS9oU6tX8Ut+bB0RKV+k3fKmQx8oYtR8gXxtApILzLRqReRTO0S9PNdCKPR7kA+QBdc78DDhgJECJCEPZMwtAWff6UnEzh48+PYfcf/R6aljw15LpyR2eQk/LYmaLk1Wupuyu/kWhQYakzjWfoEoKs+K8DyKkR8D2ihNlCJx8/hjNZ4QodBBeIQJ1D/Sc7xScpkY1B5bItXDGj6y89GjHH3pfvFcMpmi8eEVEVk7+9xL
-    RADARR_API_KEY: AgCYpnUSNjkjnAE54Z+2TmK4OtiukA5r2BAHUpD6C2d8lrduH1xw/WZ+omnB1qAGG4U/zDw/3PwqyumpTn7Iryq0ZmxVuS+2aaYKeK5LNVpV1I1eGTPrVnjdAZ+t8xdm13Qq/+uqu/yUbn7+yoqD5lfV63LEgqUQNWyZRFdAc2qbg87ETyElNv1NDqT3X06A7byANILETAzktOuWcB/zqPi4hsPpyeFrIESaOiuJMZUi2UIzbKbfoVzpW2ksSspm3Qga855HmnhKEiCQIEuUSMxUaECRwZbKrPjrmTcJGiUV+CQXNz6MKYT284TURtOs3Q9CpRAfLfgIXSDopi33bBl+6IczJYXqCnzQOe0X+2dAomfvC1F2suW5nabgfU2D4wGzjPJFXSys7t9q1wDCNvxvx1gG1euh/Uhb1/xhFstXA4ZKqK1wb/va1wt6ZfAbt2kXhqYv6bAEiU50XebNtxKw4o+DPPfoa58sfBkd3NgODCgHFxbExw1LVBBh5bcJzncHGeK+F2xSpZfERNWrbXdPdeDqRocyOT3N/GGaMWEBZmYYMpoGzlkbB26eYQRUsihXB91OfMSTfDJ+uVgbE7qZde9Oyt87q7Il3FT7F7GektHgcllmeOPTZa4JS2RyhEPU25+0jQlkWKmj6Cd+9qyLJ0+Xxkhs0wmutfWcDIvBKbgeq0ygIdzb+PffCm8mWxR1Nf0fnapX8oQ0q0SDfSUIWuy4o1D8fGvioowlTZmbmQ==
-    SABNZBD_API_KEY: AgAna64TkVRcAbxKt1lgnxVzpUHrdxey0qOIF3H4VEcX4o5fGPOBukuUaU4RPeM20fOaqAlllKIQKISUZbKEioPey5CY663SM5pTys1HhicMQUlfPNhUejzYgewJ85cWsHlsF5MdjNd+rMZnW6JGGbVoDfDnU1wmi5YEr5KzalSyWwxGUH641xhwHN+itG9n4+254RAX3Jq5ijWwyO3zmagDEEv3+MgVdChPmzMh580Ugdi8O3PNE9O6kalXslDcs6QnndNqXJVJfuClREu9QYXQSugSjkcD8hRS26pnIr6RMjZQW7n0aR5wSgfLCT2CIAB9AGzP9Pltn/98kBJgsgFTJpWnQvh9yNbIDMeF1C2MhAxKn1kQg6TPNGBRosI6mxuOXMqUmTAN6oMr5lTuciIOQQdL7s08pmNISZtCT9QT/kiIth/MBei3R2pJGRUDHJ3xFlMZjbXv125zKIoIkSf2bcvPI9HJG5QUbyEh9q5tEwpBHLqg+ftMxlCbBxBednCV4Rtg/nKTs8BP+KZhkBpqsDLJdFRmFRsedSndbpRKIEGvQCqBGdmu9817mZXOU/yjboLLDloWk4Yw142sGEzsq/YlQqmQer4QKdxc8j/gQICSiGFAGdDhnIVy7pnOsAKpIxNHWXb7wjGgU9yp/jTBolyLJ3TxDPDkM1d2ZNmTWHvKWBniTnJr1v44qoPwJ2Gx53iiN8WhDFCfY6TIAtLNVfApKT5vdUbYs/uq6/rnrg==
-    SONARR_API_KEY: AgA4+fLrXQkajYR1t0bSJ7g4C+EfnxmapbTFehIf5tFmqyxtLj5JeixrZ+Gfb5v4x0NGb9q68ahP+6VWhrjRCZsWMNQ71fuySk6069AG4P1JFyaNOCrTmSb+HGh6+L2FEd/IUK5QW8a0j7NiEfmhFuiippEYeLkv4XYtDDXs9z8qNIrJGzRBibVupRTkgvMmvt7z+BnzW7Y/rSr7yNth6n9APXzhhcPMOZCy2tmvGLMmdsfhRI/t9PmAmyfcgYWi4ntDYPZfqNTRsj70fEDn2rK1Ts6TyIX+GBcpQW9qn3WPpoNYfUcTwfsUQRwZOOub63eMt/wM6xVMY0AuSmRBMj8HKh+aXtMgqiu5PtPJlj/Pp4bdtiY380uYjHxh2The6LaWY0Nobr6VRL4lqrfWo9tNajGSBx9uQmHU8oa+l9ISXpuigMQ7HGtoKbZSkE+8AycB3d4Wd22GoEDZQnx4uhbaPpeN53OnsDTV0sTU7pHxdZEGmN52DFcl5aEcoogz8PzRpbZwNqD4vVecCua7wHE4mskuVAHElltD0TN9yCnX+mEcECNgKx+diwginwMgrj2DCAbUPZwOoEh5ITzZiqatOP/yk848sigvLo7S2h1Sc0geJH1O7ddw50pBvLx+4S6eS1DdUe/BIt9B4SkhfxJRMavrkVvsRJbaWfzOiKq39FkqShMgH62QewFl8w13XvujaVGdNqgpLasRJl5pb4ch3GHs2KpNM9fDKjfIkD22lQ==
+    ALLOWED_HOSTS: AgAwNxnFMRAE5sHGwA+CWTVKGkL4ompOb2alObZfiM2x2GkuQoeNEIKAgW1nZSIJnn60NZd7zwG6xNS/hFXVEzLQ0+07Aqd9zORQr8MLe0rBJxXPjp2RHzHuW/DSh5cadjanwuazZ5LSfDGKtwI1xC2qdIpM+eUUxfu5QozSGiOuM8eSzi0t7uwa9yvYI80+J7NErJBhOiKiUf+CUtd6UA2upBXHNgs2fcu2o89XtjGzP3k+fjA4GcLugLJ8HOAcF5JWNAUlWBuLPoDiAbSsTYavpbl05bghbTqyPIhaX9ifDA1wyZOjYywITZ1SUE1Av61l8GT9DfHEvgORvweuONRoUyi8o1aLDc2idIlQQTSwzsP3O/Z+iiGLWi3fo4/4KuMDqDWNmTtiuRiYEqhE33bt4IXhiQDQweanqyb4QboXORmmKfuqyzgC1RFd2foKVSDaFUkKeQDiLUCTBt2QNJPPD+4Grxa/KDujIWBV9eDiWQIM7qsQPn+4/fZA+h8nn++o1u/Faz3fE3q1NznsvMXIeBqYx/s93K2M9pGvDjrwHs7nIXalg+QzIFLP3wHTbKshwBgF9zcRiioblBucTjvy2MRv9VgaJDjcMhfSSWuyFsSkQNNQUkyud1XbPZ/563LKArqmOONU/x9X0tx3cdL3X3KcmwaCNijulWG4UGTHVTfAKNHnRgtIy+S8LoAnnXq8Mw9y7gjqzECT4KfWiN7BGkc=
+    BAZARR_API_KEY: AgBEsWcgL2EBxfwz56b5qbTyeqY/5q40Sm2V2gmmb+y+/4irQi8CVdUdb3CwlIhoMrB7qCWyGMps9wHx+KMWWc2xqAN+0x0mw1KliVEPQhdbdTnn6/gEHar3mjVj6wFvgXy2I8YPlWNiqKtFyyNWs6KrbvwCh5qHPNqVRUgNAT64z+WWDsPbaDLta3+x6IV+zQLvQELU+R2F5uoJb/dkgmtl97NdUT+/esc61B1MkSkg5cy49N9jzuKsZpvtusSFIJvzr2tTJxviS3mzHk2SqmfZcjZhgo9YerJXnlLvW9dYME6FVMeWG4NkU1Nid4Obcr1UKc6zi6YnF7g6lCg1R3dehVkcdUacbxcaJGTX495ugWDJqKcGXJiHd+2iL9VVjGpRIK9mLy6a3FliPURfw4yjhbLh4GJAd9GJEpj943cJAOxookeiuimJwmtHszcxlUqXJI+n6NcTdesT/F+MzNTC10X7ikR3osBm5FdB1IXpLDlcyLZY/IjsnbGUtSica6HyPBenW7kZHsEDU+tVCggHCrLS7vPmK/Wjj3D9Ijza3guVOkvTf1pBI/9+9TDpXm93RLAAYf+e+TBOXIWtBBaPed9JGgxZZEmimedAjU0rc/mysPeZkfkgLUa6FafWEdiWhXHF4x85iSp3aXs8N5rY9bHswpht+U0F8DbquYSm74IPC9Af6GVUgFuxXpXnu8ePIGi9yRyi1u2QE8d3JZxJHzam6Fy/EFMhY/r4xSMr6A==
+    DOMAIN: AgAc/axtBDWTTaaefN4lv4mx0SAAxgIKGf1bnwtL9jsPolr+HwDCOHpkFZcvhA5BHvssRQM5w/3T8nSepCTsZ9V8AYhvKqPg9rRGEnmqnWiOdoBLT4yNXP6tDZ3vy/XawFRk//dA9aG9fbAzsJgqYrGOOOMEURb6U8GRS7+AamsEbsnm00D5xE0/16YUveW1pGNRm2EKlHJMGAnpnBqaVK4u7LyNyUf9UDt4KUyz+VdSB2Ij/bkuQyNRo2YFGnUBA0AxUo7ve4CdsRpcwL8TCPeUgng4A9p2Bmeo5Z1WuKExJWHfGWVX0fxNhHoVA462fg7HORc3asC/Gi+MnEDosE8NfpWhylW6TPzpuXu957jvZhs996JUFxGhgMRVn9KRRaXGdmNPo4BiD3JmKE9MX26nDO3tGrilc5d9vuhCchfu6RwWAxbbMpz9Y3LM6hP84bbeLbmEDZ6I/ILGxx1sggkcJF8IZ/QtC1JIg6p/T4+BfQzMIj00LVPxVEP97dw/hkiTP4xbwBTMRtCf8RF5DXprQXokE5hPtfpOpRyLFnlhvXkHPMl1HgRUSmB3JvnVTf4Pf0tmvr5wS0shDI0SbjxeQMBO8wkTQcLMPH4g3wM2YL+az9hRnv7ZZ+P4duUghUReYIjgjaoG0UU8wTNxIFKnzLP6S7Ys0/8FxqM4ML0KHy2uW/Ip869UVupQY17+qQ+ek8dbuMIqE1kW3lLH
+    GITEA_API_KEY: AgCDvcSCoZHlgXRV2EQ9Axi5uVbXiqeWrgu7v5dzzjmSHz36bftH+PCR/NQwj79uCPfyDCMEqfYDK0Bypn+K0vPlf3vktAxOc6sxjh61ciZo9lu/FTRsmDV9thQA+ZTxJtYg6ZfyFaVd2/XxA3Lsh3Un530qwu2wTFC5raoyqIBkyZm83T6dlz4GhrteOAvGibOYWaEPcJlVslARqrzHg/rJK0nCNS88OhvIVLcIUq0j82boEB2CUqlLfP36kx2y0eUdOfQYgzTF2uGL7oZTEkXrb4+QG2+SY1NUCg4SS6CJbqP5TPFYDCpCoi4YNCd0De/YgOKoUBDs0gV/VHNRs/YgDbYcC30I9UL9Da3KSYcQtS9SMs57RcBNHPGE0WurP+E36RbodfuIAP6XPTBPvP93XDLavHNJesHAmcNX13hqx3Otzca4zC0IbIl67jNzPS4bo3Spta9FCtN589PMEzhm/YOxAaklttKQ4IqGS+yadIgKRbfUOEUnGEtFyk6IpcccXuNE6A2OKqVEbDHr2JCuCpsC0WT/Ysvkic1yoScetzsHtM1m9ASOZGvwJZnIxfzF5wOzmYo3QLJAWcDH3956NU8J18orpiifU9yyRk7viQYH07AarjoRwR97nN1JlP1CJ9p3+vdxgBtnwpQDKeJUnVtq5OpqzyGJ7ZTlNb694rNE+rY1Ufm+1vVUUv/8B7yGxi6YT2kzQia7aWIkP2B3ngaZPt4EkJwCgITkB1qTl2SJZvjNDJxg
+    IMMICH_API_KEY: AgAsbCSTCRY3aiCtCEsg9uF49S3TF++x6tPr9MRiYt0xYLv28oZk1Y0E/aiX63MfRAh/WGu3zp0qPlQ6vb/Op8CT62uHZZ+Ngm33C1YS/ZyMzmyMqKaNg8kTpUdW9h6gb6HVdRtJmtCwjJMgpVocnItS7Swg/GPTPwNit2Vq6S5D/qK2uG+dkWFWaF11looSkpmG2l90LWRFK02p16vIdRW3wieJtBeo9mkuNPMu06toX6iAM3OaoWqFVeU0skTPvM55r7JN4kckpjxf+UwZw07tDAOyWlOoCpPy+tzr0Ezyd3mp4FwlgB5RVJwLsHRgqQ9QsBjKdQ5EOyhIo0g3J7jhkRTZblUcv+Q8zsMrE2uwYsSxx7Lu5bp1QjiZHAHZ7AepwSPl0uLpAx+9x03lr4Y+vKTfPcRHRBqo+A6/vGwqdeNahnrTTMG8dO3akN15f6ssZvcYAI3YD4PiSWYHr18mu5IZGRnwwZkfrJGeMvbJAnQAOOJMP+VE3Ca3cVpbHQ878Fc3ZbYVrhJveJY45i9OIiPjzm4h1hM/ISzMmeECb2unQsjzlwtbXMeRf9/HzwICBBa8XmBiDFb9p9Xl9SCwF7hgzdtHi7p8B+M13FShbwxplFHHLUBP/SR4TqWodMVad8JfgT7LUs2+qN0BqNX8Ogltx9MyHUEGH+VZMkYr6l3HY+y1X8gv1SHHFsxkDT00nbEHlgHp8CMxXydIAGQT/QCFTqXY/G+v2Lo159KXyVVcmsS9vyBIFfc=
+    JELLYFIN_API_KEY: AgAMLEPLxHadKP7Ln+Y/zYXpROzPqTib9hiDE9EKqwlhdv93XX7+NUPC22jrkRBkR3/ICwOJs32v8cqD/T+3ERmN5vPphRyBRroONMRSfUfFRA3cqRDfTXKYFwoKJFCZBiOSarNcOpY+hmFM++4lhnsOOG6tk2Gt+C8WGQSynJ45YFDgyOQUFBT5FdQTbdEOMts7RY6MXtS5S11Ej9Ri7fckxjeKCidoagdvZt27GegiqRdOc0Zc1DJelqTorSYi4UZL4Tho2H9EHcGPR2s3XBfFNWXH94Rw6yh8bvtvMkvzeL8RLUDq+diciRZw6k7TvluF92TcQxkjfnryb/nIGV1cy1ccTrW0XcnBYD6A6pe4CPCKiTmlDZmTNDqWiPg4rVyhqjeUiMUgIK367gYY2H9rFlrZms6+tJe0KtQnFS+lAck3sSeyjavL5fv0A2MgL1zXd41fOWibSLMPP9D/v/lE5YuqJVFfj/AsMgGZx2K5yY0le7bAeVbIq8f0eoroAwL5OLd91IQD+YUzqBWhe41VXC5nuPSstAVDkg6RYJVB4mrO/m2hc6KsWK29m11qAFUImut0P4j1Rb5FOy2MhORbDv18mQu0pqoKVxnJQVgdTJ5puDxlCFfe/jzR8UcKlICu2LR/R5uyY5T0SQ04aI5bLp+RiZjU2SS5GfXDrjz7C7h7j15aEBgZNNggvcSTFr/kNZVczmBWxCah5ckTF/4pWr8WlS17YSvSxQT3OgYDRQ==
+    JELLYSEERR_API_KEY: AgCmBjM6O/Y/gsb+BXwCFhDu3dea/itAx6zGvz+ammVzUSPJE4+N4u4PEkT8ZUIay9Q8Uf3BERiidu2wcMdT5BJ74JhLRZdxMAjC1MbSz92DRKntWDxNm5q0FgRYrbSV8qWNhwG9vNROObNTmgLuxMw5RF2Py0IJxA2Yy8Lc+Ff3d95mkijjuKf4Q3VdI1Zk1mGuZhQbw4+yJE0SzeEv+dQlqWTXMWc74K3xXpEipEJSUMXj856vnTvUJlp5vCWZS3nCfEZoCdMrZ8cvx8iV8tRqGk3zGVaAekZKq+YMLe5ERbAHlNj0f0imJZ7IesVBUdkYEWZUzepMidiEIkITrFfTUKHUCZzfThCKJrQtl8c7d8dtPyklqA0HLcD2TsqAF5XO6fBrBXUm3+9B7siTFAZCfuit5Q2hon+Sx+uIEEwZMmwzf2RbpXQxXViK+Hs7NpeGPUqOH4HpagBzwzyrXu76swelnKSgMMo/D9iTR1ymnsc05t3MAp3ypRfqfvRWbUmpWZYiz5CejuUXecm7osZuz3vMoopBUI/q/aaLhs4+6DOGIWCme20wDo/Me+im29sDyCmcws+OscbkqmlXO2sqOBmwPbF0qzNXkIeeg/zqvSIR47/Pm97oMecu4o9YY6hei4+0I2bpe+CEs2vYaU6+hXB8M6mGauNrLH/0LB0J1dmwNzHlXnHPj/OhmG9MDUp0muasHKdoTRPFuFoW/vtqNTpEV43Be3tJu0ky9+8XuVGOA22lGCiv4ZLvldzrfg0xthq4iVa7+wr1enllzeNFvSM+oQ==
+    NEXTCLOUD_PASSWORD: AgCc8eCMeOs5UR7jCf30qivGD4Bd6SXewfRKmME6WBYMACiYctORNgt+Smwm3oFSGS6Rjtc3gfNmU87gvVamCcrzxIdOH8pT/I7uJBkhRz+dWNAevW4WsZmBqDh5oYkNWa42wSTZQQRsfR2fYUQaQB+EAf8eo08fGY/thWuDpH+QBvqn1ODCXJiRl2SUpax47/jxTkRCIrpWQkndjlAmTHwONaWKFHVYayY4HkkRq2Wdtq13u0Iq4Zo1AMYaX3p+3s1Uthlk6jDJuAkifZUqTn6vyvI6nT6lFN10ilf3SDxWbQmyZn39vwYCzOUWG3niCYogJRWO0vRd6GnTu7ndzmiumMz1Cp/4qyUiWN9jass4+rgwCi33Qz5zP1+YDKWmuDs1uRf6m+ub9nG/TvcT/b5U8luv3RIoaMc8yRt8IC2bHZzSmDVZSG/wLh2YPaRfzmx4YxjXTsvliONbPpZavnIm0gHrQnwvEla+1xba/CtpVjQa3F6h2tCFJuc7AgP7fGYt1PLuim5y4GfNfmZV3ZljMPUqJ/YjgXJ+Z1A+XRLKRWBcNzy9k0D31Z9m4R80D2uT/1rtHR43RNnuugRJND6ejs66rM2rdBdXLnrLra2XpByh9TShrCQS5ir+Hnl4mnVmEqIDQ19mANJtYNtmEBTo3xiyEQCPiq/xaSjDm8U6QeqkhbfXvFm59RxdVPQA1iHQBknS+cqyF6qGaw==
+    PIHOLE_API_KEY: AgAkXqWweu5cFLjJAusl6l85l+TsYRZRKf+mUbV3Lo6gtN4n07zJrOzFYH4u2GYkgPftfOaRZ/CpUOEJflkakXoTwru1L4THk0irP6yNqGvBNJF1b53+zH1hO1tAUM0B101fCmnJ3yZ50onExfwHL/mDAqyl0LlWaZ+9M/S4Kr3lqePhwdBRUv9UXaVBe5BtF4nLwnux/Ya6+lgJ9SvyD4ZQF6ueDYT2woUz4cJa1wqOVZVueS/wYobma6I5wrY3oQVT/feFCDsd8vf7uOcJDjwn/GobBeEhpc3yyti3vW+y9B+tmfvGGk2voAtxVDiN6ysHQQfO5pfqb1q92BREIZ18+jPdQQGXJ7BCvS3TIYhfMcW0EvZb5GgOyp26DZyVHIt+HZHKz2FTISli/EtHsXKUaxUQIEs5VouIDjX3gGRWWaHfMu/2neWJmlZcrRAZsOEHF0C4VXTzq7NsaTgCL6Qbp9QIlDaXMLvroGT/HHGfIcLY5kL0xneHsQyZrp/PqbUkEGCNdYopAuwmSdSbZoTMv6yJNUZFa9OYXqLzees4L6c+3POuKdpdBI3cMMllEmWMQGYgSa6Dw5hIpAUsKP5methfAsr7ASah2vQu6GYFcc5cI9dM4jt8ZAkLKPIummC1REuwdD/JAa+7XQRVqae/D/j8dcftwpuHMez5iKsahdKVInaCgG+bMt6PsnPu0+fGAl6yGbJ+39zl
+    PIHOLE_PASSWORD: AgAcUZTYElvizIHDgtvMTkS2XSHRrYYAzq29uwa3lyigqOyvvsw6F2WEySm6j0Oowv2Wb3uvm0ZLCydRy/Zk8Ba0B/pvTTnZs1n6mdN6KSC9WYW1vXxy2dtSFCQvEnEmnJN+BrsCfNCEJyQKreoJr8GdowJc367f8eghH02sJrJIai9SFU/h/4hn1ALqozLOBDxtM5PPG6AqTFh4InYcO0iaLiMuic0c7kEA7AALV96/OtkNfi0wr1JOfLpicm8yKwSOo0isEyHyF9rLohUgH261LAcS99XYdefYas4w1C6ex60xcP7lxJVGggoO8YRZY6pYtOjfa2zpWJh9JHl5Mo906B7GbTtqBvn7quoElxKN+Gjsv2gdzR6I1MWlzwW0MXuUGwrhX0I8NITOP6twRQgqKsf8ncXUvNPwpKDQ63g+abb8eboebEdq2titFVLIrPGey1y6SVbH15jnsL1eCaNdMvbAL4/e1wOoSDVgAuUREHo6NKG+U9T+GQ1VJor1n88gcpWddHq/Kok+SiNLW2d1dXTg5CSr5I2p35J/ShojFm6tBwjqtwLUgPlPrxDlm9EAW0N3nk0ATUXObx8xoqU+zJM2Utf2RXAN5BUkXdvNrGDREja/IXLaHZKilqg5qRs/HVxJwTDOOcWqCnJNXvcl/RJchN5AHEnz/8PoFtsZfcOEaVtmHwm4gAH5FKEZIErnuWKZIEWt1O6sTA==
+    PROWLARR_API_KEY: AgBlA/pCQWKVAw925RVAhSILv/aWfexF0GvmsQrRGD+vFkpW2W9aZG7p1fV+5hJkzyJaTBva6xO5Jd+2lksZo8/CpGyTioZQAo+mZKAanJVKKo/TJO4R729GyfZND4T5P55Kqj+CoLn/0RFE/HIQNa0YefzsW1IWXQv1AS5vFXwqLigZBaOBS8twQOk80bMHtb0K+EP2hSa1GZG++MGIV3QIy1xJ087cizf/wSrNg1ohafhRHZfA97+vfbm2HdJ98Y4sInwf1bF53cFNpHkhW3MYFLU8Oaw+tTKmmtTT0zDmFcIdnkNp6Fm2evISbmNyeDut+2J98hqRuPEkUCfV6Rv8lrm2DXkLfzmedmRMPnJLpYNJiJXiAs63JTd4kjfLwCmGPo6PH8ECRlOWsrkBxuQ48eoBq9E61p42hpLdtZynW0Z6cZLAQTx2obEnbBtOoJ2rhKkizbbijRLKWa9cMXtzqyoAOk0aE1VtTw5BfjIzBA2XWe4/FALLEHOkzJWW+TFEOLkHjMCM6E0mkRcVkUyOB9V8vG7Rj6qzkazp7lKl9CgxTs1mZpdhrTnfFy1axwifB0NZcm+fjjKTTqs+zmr6nCcZG++mTgkrh5jK+aiV4ItrKbGbPTHYtsdvuzVWYeNCfqlxa7ZsaLmfAMXiC6qPNvosSef3IHIyrKE8raqrHNEM5vZ4hhYRKmlJCVnAoAl4W49lzUbpGvMn5i1WRcFoMtzE8g6oELhBBTxTk+Y8Ag==
+    PROXMOX_BACKUP_SERVER_PASSWORD: AgBHdIz2VxogpHvgYujwMmt3tWF90GcbCp0czkgHHESsd2m7bJGPZfY0yA+hmQ1t+iAorjGwOKUfZQFSfI20nktTHFTRhknIpu52259KrjroDftDbE75AlFSqZ1Nc2+6yUkZe1N4+SJT56JBumV9p0qEggxImKuP0hdTPFdcPYYQcE/vKJAYh4ysIcXrcUGA+RTrd10hQd96F1/wxc7ljbY0m7pg/LDSO6lcUf0lVrNRg0MgDt5WIZXM2HsSlSSbH81dDOOXMjmcylQSZkB2Tbe11KSEj/NcovhW0AFQS2D8J40s/dJ9ez4F0YSiz1UB5AQZhneBoSLwUhFE+5smyliGMeyYTai4N5l02A69/JdQa5qf3wJ+MDAPsCbw/sqsP8wz3+mG5aznCjJcwZomaGuUi3O1y/UKl+4hNbiWlcxXLAHKcTpyX/EHWYH9mucbsz9PqO9BniEF5d78D3gTZyGMLeeWjFgshx7eFsw0UV++PTneF0TMacwJA0bp3lm2VrW5Ae5aSdEL6/RUZmny0wkkVPy8YUYpjsfm8nPbxTG6RqOZie8q05lEGKPxWWTO5b5OrQ2sepUSvIxBS+TsLLEKqqiBtRa4TYXBh+ChwTetHLK5cDbpS5XJbnfunovPtfgBRjikbuf0Ez3d9Rhz8BOToEzHTSW+gsGbUJcnCD/NESCOYEZqpcFNGDFL3vDSQgFr0Fnyd3SFZC4uIm4dzRI5urrlTBkQPBhgOaACjVJEjUYvCIE=
+    PROXMOX_PASSWORD: AgACQWEwrEjBcb6Y4GGrvGKgmKf2V6OhAh+WblEBBPilDa2lITukc7kKLIMF0jYmVCILV8reZ/ByBTTD+7mNuGlZZ7sogyyQlo4LI94pM/fdZCGk3RIwNglQtDfN2+/tF7F6JruBOq5Pf/9u0ZRk20XBQsqZIlWmD7Y8Ul3Cz2OYHpP6KJCNJrzjYEo1f7fkYqg+Rz0z+UVULisUlqbFbEfXXP5N0Z+lSs5vGcFC4MSamQngDX1BKlXbpKsaqNahnffgS/tgQWpQ7xPvdyQR2w3fnEKngQVPk9RKcQaLqxwmndTqy7HGsqII6wcn40cFMrE09+bCZmdZQTaSgiUZcTFLTEsnC0exWVtHiCbSaM+oHM77Q7efcvWY1CEdeI8k7jOOGfmJGZhkc+eqLMvqKYX16dw4A2ffhNn3Fj1+Mu+J/GNsytk7rTFgxdPNqx+QQZsziYdlhDoOTMO9LgEa7l/cLxRrK2hz/2inyKyLTFIkhZJrDniebNM0QHGkSCPHyhDStcQ2zGIy6JOIQsGkMXmrqnZebaYDk4hAmXQS8iJQTb+oFGFXWCO6Fd/VfOBzcN0Fiss/BQLuMH8MYisIl3+oHFALQ1Ovvhzc13U7bqgMBN+6oqg1w0VsM5kqJ54zy2A1RQg77itLBOwfgz2ftpbcySCn4ZeDNgu8KeT/TeY0JoujmM4i83hq0XLiO2GAJgKrHiuIYomg5staK109DzSLeHI0n4MAqZGuNp6hOv4JgyKhMI4=
+    QBITTORRENT_PASSWORD: AgAdMAxiSrxWpdmrD6FrZXceFVqhqk1UqL3kruE7aEjmHVmpNqv6BM4u8CdxUIZS99U/Z0CtfAGZ9IEoKH5Ldq+kbtwHNXLxNqYLIkwk7aKJhISRwFAMpg6+FGbTIvoBJgC1xwTZhYC2L9HtwZPj2PN98uMlHpm48yv/qw7awE5o35MmUKyd8EwCi0iT8WaxpGguXyg0ITNSW9D1NZ5OZqVNeL7FJ0GuLWOrHImiZtNAbZuB6B0+3UeQiFE31FbchB7JzCIJu7NZ0+yqxfCBX/4cTR+gZZ6eyaUHIfve5PT2mKjQ2WTAEVbGaEjhE1V5B+bkAJUULtFbcsQUatQm/cj8pyDNT1nCleKRBUFOnB078jguhOLB7FzE1+e2xl2vbCSERS272OegGzf6/FPqXrOcELMKlSNCQlPwWZ94MomGbUKsjmPrFGrqP5aXfY2zCXrv2KSpcHDtUndeyE9OCIucx7dMFrIPpEi22J+oJY87quZqrpyjMypDfxcAJbAgQFBlHBgJZ/ACszqfoAr56x1xXZIM0QVK6Up7irt9rt1RBAkNlSywsqHEWcDgnx+tH0qz8y5NdACjK8xY5iWSGgifkq4kiecQdf4BRhiBLbe4FydQv/AZu1dNMJbGU2hnPESUIntTHqJQ0mM8d0aMNkOdSH9qc0NAJDFsC3oEjnuRXEOSwXSyzEqDBTVuLESyf2iabmPzyMqdbv7i
+    RADARR_API_KEY: AgA5tKo/V/uCwIpSKNSBrtgJst9n8JXYrlqWD0HgJM5ccUdvUdgwf+Mun+rQDNMDrPz/uIxkjNkUIoplatpQh0s4WlwaEkosf57gmq0TIiId6+x/Z9S4bDfrjqaaFJTDZRaiZWxMgOkSNzKdFh5itSdw0Vjh6ojB/fElB0zYENZAXI8uKIPeebdCYtPgVG+ap7tLlj2Y28zinJc6lHO73g+qgHeEx22N6rr5coY8OIB58KuZ6mcSUvEsPLItkvQ9vDxbv28uv+c9ktfwSDbK7+lbVHQdqfkk8QT1GQCS2Xlf9CXndxzhqQ6ME5W1PWs7znC2K+b7rJ1UInlUpXkzsP1nDsrrPeC14dQ80kR3+Yz/AbLvKBV9eK4FRMp5fLK9C2s5Gy5tcWJLoFA7N8tR2oAIkZCIEaJ34YQeGGP631UyIa1IUuN8ZotvZo3nUXKF0SJhc7SAvqxNYLKfw3Xk1fa/T1Mr4wWIbtfrO3NvoPkt5gHGfTi5ECjPsd72XV185323nOvVBmiYpQCA7RCEOm7cXR/EEcxX7nKHdsZIOULJElc3dYflsd61uKZdwIRXa8ACNLSuRAQRtxUVQ+t5UlWxmxYB5wjRwjSSJ5HXOqNrcr9Go/zh2XFY6XaWoCF97t9xCa+P3SSokfTFhfLutYmSPwZ5VyZTXyH+/bjd8stxeBeneWso7yK2cDdOLSX29/Ke2U1+k1qw4i0wTEC3XHvH3sy1TwE7LDdjjYiHNNeuxA==
+    SABNZBD_API_KEY: AgC5/8HHS6IYQfRI+H0pkkV1+JHeZvgVYYJ6RHU8sgquXDliGSGVa36UwgdmPFeoO4vpCDvvNPvv452rkwxrLwn7Tc2TC2k8zxDkzHlHsKl3T/9CqQ5gD/XKiA2sKETTGD5wVTAk9D7WpMQXZ+P0KDSW+j0s4hz1IOZGNHLn4TuzkV3HzQ+2madOOkfJ11OYoT9xp8HkKJdYy1OkCRB/izbWpwGGl8ul35CNOhHg/nNYLSm8d6YLzYMw7ix9ds1nsUQysco2Lf2cwlMDPvv2HNT16cPUm8+Pr5/FMYuIgMfoTE1ZG1bxRxW92GQqOWzpY91/UxGEaOSkvxoY8rn2KqshVG50l1/GDRTXM4kUaH6sfI2DszfAc0ZPQpV3RnMMRNesbKpebbTljYjut6V08spskHvbcN6cG2KoVBbwaW7xdEiWJtwc/wBLu5lEBCHSgzrgDI8F/EP108a8aCNVzjsl2G+uJsVFj0YcRImTICLDCMC4zW/QBVU5LRtnwWBM8z4IPvKc5c5P+ci1/PVF5qM3WY5Lh1giZsL61kvCfRgJLK2aotlt7VF5fCmi0xj5fpwnSF0A8SdLOrflpJwn+1e69Q8EP/ErEyuyV6o7Bd98j505JYkNTDZigFccZ5k4i2olaTJBSSJsPu0ds92b56bl2/dgwzw2RimrSuztWGysNaC5t8fu3ntpKj2GmqPY4c24boAeuhSoKIhqfa03musDQFhRTmEmT+SIgNZLOKbGaQ==
+    SONARR_API_KEY: AgCIs/MR1p1HjdA1zc9vtDViYqhpLR2V5npw7qd9ueylmh2mdvyNGP9Oh0/v5ZDXiilfar/rUgUed5AwDVx1Z7KG5GpYnkQwchK2/X0kMxCnZPLfmVb7PMHyQq9Bl2O0n/TVoBpyUsbMg5L6Hz5OhrcgtQysE3QCcWwcXeUsrFNf48FEnPXh4jhPqaKmxyyoCwdhRg9XzuZXrMa/66jBQ0aLcPsQgewOXK+UuAtoo7iVxxkaRsebnBo+KX3vMZzzxpeORaDvPAK/QSC1XWynaxAWFbxrDNjL4kFahSwh1bbBaEQ86fu58BMRjJBbLQsnrsqhETZMVpCDX9I6tPMCWzLcsyozmKv/S/lVDb3wIX3D1x6bXYBQr7XcFpVDlMldNIM6hA0Fai2xeou7A8F6orxnhNFkn7l7lhCD3dixuyhyrrM1MhYrQBtSGvRaHHr3c56CzgPR8ZMVLjl6dRObS+A42k/2rqjPeuxre6+vjgzy73PLVfpTxZrH1vJp0eO8tfKfpR3s7jLXxVBmaraI3VmnQgtTuwK19WtbCZBMuDY4faB//291JctfYcG0Ai+uTuMCHWsnXaHRMcVVU2OiQuiweRXkkPAs0Cfkrzr3pG0qNUL8KsCqwO54IM59vf/riFAE2e2w0hzbj80yXLwcqQxU27VtAIJuG/WzO3UOn9uwEk61nkmwEhPue377CA/n6OMf2lFyykTEGOwKS2dzpxFXUDnEhpDqNIx/thg0MEoO7Q==
   template:
     metadata:
       name: homepage-secrets

clusters/default/monitoring/homepage/homepage-config.yml

@@ -213,6 +213,18 @@ data:
                         password: "${PROXMOX_BACKUP_SERVER_PASSWORD}"
                         datastore: backups
                         fields: ["datastore_usage", "cpu_usage", "memory_usage"]
+              - Pi-hole:
+                    href: https://pihole.${DOMAIN}/admin
+                    description: network adblocker
+                    icon: pi-hole.png
+                    namespace: tools
+                    podSelector: app=pihole
+                    app: pihole
+                    widget:
+                        type: pihole
+                        url: http://192.168.1.212
+                        key: "${PIHOLE_API_KEY}"
+                        version: 6
               - Invidious:
                     href: https://invidious.${DOMAIN}
                     description: youtube frontend
@@ -270,7 +282,7 @@ data:
                     podSelector: app=searxng
                     app: searxng
               - Pulse:
-                    icon: proxmox.png
+                    icon: pulse.png
                     description: Proxmox monitoring
                     href: https://pulse.${DOMAIN}
                     namespace: monitoring

clusters/default/monitoring/homepage/homepage.yml

@@ -41,7 +41,7 @@ spec:
               subPath: services.yaml
       containers:
         - name: homepage
-          image: "ghcr.io/gethomepage/homepage:v1.7.0"
+          image: "ghcr.io/gethomepage/homepage:v1.8.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: HOMEPAGE_ALLOWED_HOSTS

clusters/default/monitoring/jellystat/jellystat-db.yml

@@ -0,0 +1,46 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: jellystat-db
+  namespace: monitoring
+spec:
+  selector:
+    matchLabels:
+      app: jellystat-db
+  serviceName: jellystat-db
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: jellystat-db
+    spec:
+      containers:
+      - name: jellystat-db
+        image: postgres:18-alpine
+        ports:
+        - containerPort: 5432
+        env:
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: jellystat-secret
+              key: password
+        - name: POSTGRES_DB
+          value: "jfstat"
+        - name: POSTGRES_USER
+          value: "postgres"
+        - name: PGDATA
+          value: /mnt/postgres/data
+        volumeMounts:
+        - name: postgres-data
+          mountPath: /mnt/postgres
+  volumeClaimTemplates:
+  - metadata:
+      name: postgres-data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 1Gi
+      storageClassName: longhorn

clusters/default/monitoring/jellystat/jellystat-pvc.yml

@@ -1,18 +1,3 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: jellystat-longhorn
-  namespace: monitoring
-spec:
-  accessModes:
-    - ReadWriteOnce
-  volumeMode: Filesystem
-  resources:
-    requests:
-      storage: 1Gi
-  storageClassName: longhorn
-
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim

clusters/default/monitoring/jellystat/jellystat-svc.yml

@@ -15,3 +15,17 @@ spec:
   - port: 3001
     targetPort: 3000
     protocol: TCP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: jellystat-db
+  namespace: monitoring
+spec:
+  selector:
+    app: jellystat-db
+  ports:
+  - port: 5432
+    targetPort: 5432
+  clusterIP: None

clusters/default/monitoring/jellystat/jellystat.yml

@@ -16,56 +16,40 @@ spec:
       labels:
         app: jellystat
     spec:
-      initContainers:
-      - name: jellystat-db
-        image: postgres:alpine
-        restartPolicy: Always
-        ports:
-        - containerPort: 5432
+      containers:
+      - name: jellystat
+        image: cyfershepard/jellystat:1.1.7
+        readinessProbe:
+          exec:
+            command:
+            - bash
+            - -c
+            - |
+              (echo >/dev/tcp/jellystat-db.monitoring.svc.cluster.local/5432)
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
         env:
-        - name: POSTGRES_DB
-          value: "jfstat"
-        - name: POSTGRES_USER
-          value: "postgres"
-        - name: POSTGRES_PASSWORD
+        - name: JWT_SECRET
           valueFrom:
             secretKeyRef:
               name: jellystat-secret
-              key: password
-        - name: PGDATA
-          value: /mnt/postgres/data
-        volumeMounts:
-        - name: postgres-data
-          mountPath: /mnt/postgres
-      containers:
-      - name: jellystat
-        image: cyfershepard/jellystat:1.1.6
-        ports:
-        - containerPort: 3000
-        env:
-        - name: POSTGRES_USER
-          value: "postgres"
+              key: jwt
         - name: POSTGRES_PASSWORD
           valueFrom:
             secretKeyRef:
               name: jellystat-secret
               key: password
         - name: POSTGRES_IP
-          value: "localhost"
+          value: "jellystat-db.monitoring.svc.cluster.local"
         - name: POSTGRES_PORT
           value: "5432"
-        - name: JWT_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: jellystat-secret
-              key: jwt
+        - name: POSTGRES_USER
+          value: "postgres"
         volumeMounts:
         - name: backups
           mountPath: /app/backend/backup-data
       volumes:
-      - name: postgres-data
-        persistentVolumeClaim:
-          claimName: jellystat-longhorn
       - name: backups
         persistentVolumeClaim:
           claimName: jellystat-backups-longhorn

clusters/default/monitoring/pulse/pulse.yml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
       - name: pulse
-        image: rcourtman/pulse:4.35.0
+        image: rcourtman/pulse:5.0.10
         volumeMounts:
         - name: pulse-data
           mountPath: /data

clusters/default/monitoring/speedtest/speedtest.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: speedtest
-        image: lscr.io/linuxserver/speedtest-tracker:1.10.3
+        image: lscr.io/linuxserver/speedtest-tracker:1.13.4
         ports:
         - containerPort: 80
         env:

clusters/default/system-upgrade/system-upgrade-controller.yml

@@ -264,7 +264,7 @@ spec:
         envFrom:
         - configMapRef:
             name: default-controller-env
-        image: rancher/system-upgrade-controller:v0.16.3
+        image: rancher/system-upgrade-controller:v0.18.0
         imagePullPolicy: IfNotPresent
         name: system-upgrade-controller
         securityContext:

clusters/default/system-upgrade/system-upgrade-plan.yml

@@ -0,0 +1,42 @@
+# Server plan
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: server-plan
+  namespace: system-upgrade
+spec:
+  concurrency: 1
+  cordon: true
+  nodeSelector:
+    matchExpressions:
+    - key: node-role.kubernetes.io/control-plane
+      operator: In
+      values:
+      - "true"
+  serviceAccountName: system-upgrade
+  upgrade:
+    image: rancher/k3s-upgrade
+  channel: https://update.k3s.io/v1-release/channels/v1.33
+---
+# Agent plan
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: agent-plan
+  namespace: system-upgrade
+spec:
+  concurrency: 1
+  cordon: true
+  nodeSelector:
+    matchExpressions:
+    - key: node-role.kubernetes.io/control-plane
+      operator: DoesNotExist
+  prepare:
+    args:
+    - prepare
+    - server-plan
+    image: rancher/k3s-upgrade
+  serviceAccountName: system-upgrade
+  upgrade:
+    image: rancher/k3s-upgrade
+  channel: https://update.k3s.io/v1-release/channels/v1.33

clusters/default/tools/code-server/code-server.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: code-server
-        image: lscr.io/linuxserver/code-server:4.106.3
+        image: lscr.io/linuxserver/code-server:4.107.0
         ports:
         - containerPort: 8443
         env:

clusters/default/tools/nextcloud/collabora.yml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
       - name: collabora
-        image: collabora/code:25.04.7.3.1
+        image: collabora/code:25.04.8.1.1
         ports:
         - containerPort: 9980
         env:

clusters/default/tools/nextcloud/nextcloud-db.yml

@@ -1,6 +1,6 @@
 ---
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   name: nextcloud-db
   namespace: tools
@@ -8,6 +8,8 @@ spec:
   selector:
     matchLabels:
       app: nextcloud-db
+  serviceName: nextcloud-db
+  replicas: 1
   template:
     metadata:
       labels:
@@ -36,9 +38,14 @@ spec:
         - name: MARIADB_AUTO_UPGRADE
           value: "1"
         volumeMounts:
-        - name: nextcloud-db-storage
+        - name: nextcloud-db
           mountPath: /var/lib/mysql
-      volumes:
-      - name: nextcloud-db-storage
-        persistentVolumeClaim:
-          claimName: nextcloud-db-longhorn
+  volumeClaimTemplates:
+  - metadata:
+      name: nextcloud-db
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 2Gi
+      storageClassName: longhorn

clusters/default/tools/nextcloud/nextcloud-pvc.yml

@@ -1,18 +1,3 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: nextcloud-db-longhorn
-  namespace: tools
-spec:
-  accessModes:
-    - ReadWriteOnce
-  volumeMode: Filesystem
-  resources:
-    requests:
-      storage: 2Gi
-  storageClassName: longhorn
-
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim

clusters/default/tools/nextcloud/nextcloud-svc.yml

@@ -38,7 +38,7 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: nextcloud-db-service
+  name: nextcloud-db
   namespace: tools
 spec:
   selector:
@@ -47,3 +47,4 @@ spec:
     - protocol: TCP
       port: 3306
       targetPort: 3306
+  clusterIP: None

clusters/default/tools/nextcloud/nextcloud.yml

@@ -15,20 +15,18 @@ spec:
       labels:
         app: nextcloud
     spec:
-      initContainers:
-      - name: wait-for-db
-        image: busybox
-        command:
-          - sh
-          - -c
-          - |
-            until nc -z -v -w30 nextcloud-db-service 3306; do
-              echo "Waiting for database to be ready..."
-              sleep 2
-            done
       containers:
       - name: nextcloud
-        image: lscr.io/linuxserver/nextcloud:32.0.2
+        image: lscr.io/linuxserver/nextcloud:32.0.3
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - nc -z nextcloud-db.tools.svc.cluster.local 3306
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
         ports:
         - containerPort: 443
         env:

clusters/default/tools/open-webui/open-webui-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: open-webui-longhorn
+  namespace: tools
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: longhorn

clusters/default/tools/open-webui/open-webui-svc.yml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: open-webui-service
+  namespace: tools
+  annotations:
+    metallb.io/allow-shared-ip: "shared-ip-1"
+spec:
+  loadBalancerIP: 192.168.1.230
+  type: LoadBalancer
+  selector:
+    app: open-webui
+  ports:
+  - port: 8123
+    targetPort: 8080

clusters/default/tools/open-webui/open-webui.yml

@@ -0,0 +1,32 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: open-webui
+  namespace: tools
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: open-webui
+  template:
+    metadata:
+      labels:
+        app: open-webui
+    spec:
+      containers:
+      - name: open-webui
+        image: ghcr.io/open-webui/open-webui:0.6.43
+        ports:
+        - containerPort: 8080
+        env:
+        - name: OLLAMA_BASE_URL
+          value: "http://ollama.tools.svc.cluster.local:2123"
+        volumeMounts:
+        - name: config
+          mountPath: /app/backend/data
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: open-webui-longhorn

clusters/default/tools/paperless-ngx/paperless-ngx-db.yml

@@ -0,0 +1,35 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: paperless-ngx-db
+  namespace: tools
+spec:
+  selector:
+    matchLabels:
+      app: paperless-ngx-db
+  serviceName: paperless-ngx-db
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: paperless-ngx-db
+    spec:
+      containers:
+      - name: paperless-ngx-db
+        image: docker.io/library/redis:8
+        ports:
+        - containerPort: 6379
+        volumeMounts:
+        - name: paperless-ngx-db
+          mountPath: /data
+          subPath: redis
+  volumeClaimTemplates:
+  - metadata:
+      name: paperless-ngx-db
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 500Mi
+      storageClassName: longhorn

clusters/default/tools/paperless-ngx/paperless-ngx-svc.yml

@@ -14,3 +14,16 @@ spec:
   ports:
   - port: 8001
     targetPort: 8000
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: paperless-ngx-db
+  namespace: tools
+spec:
+  selector:
+    app: paperless-ngx-db
+  ports:
+  - port: 6379
+    targetPort: 6379

clusters/default/tools/paperless-ngx/paperless-ngx.yml

@@ -15,24 +15,24 @@ spec:
       labels:
         app: paperless-ngx
     spec:
-      initContainers:
-      - name: paperless-ngx-db
-        image: docker.io/library/redis:8
-        restartPolicy: Always
-        ports:
-        - containerPort: 6379
-        volumeMounts:
-        - name: data
-          mountPath: /data
-          subPath: redis
       containers:
       - name: paperless-ngx
-        image: ghcr.io/paperless-ngx/paperless-ngx:2.20.1
+        image: ghcr.io/paperless-ngx/paperless-ngx:2.20.3
+        readinessProbe:
+          exec:
+            command:
+            - bash
+            - -c
+            - |
+              (echo >/dev/tcp/paperless-ngx-db.tools.svc.cluster.local/6379)
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          failureThreshold: 3
         ports:
         - containerPort: 8000
         env:
         - name: PAPERLESS_REDIS
-          value: "redis://localhost:6379"
+          value: "redis://paperless-ngx-db.tools.svc.cluster.local:6379"
         - name: PAPERLESS_URL
           valueFrom:
             secretKeyRef:
@@ -53,9 +53,9 @@ spec:
         - name: PAPERLESS_TIKA_ENABLED
           value: "1"
         - name: PAPERLESS_TIKA_ENDPOINT
-          value: "http://tika-service:9998"
+          value: "http://tika-service.tools.svc.cluster.local:9998"
         - name: PAPERLESS_TIKA_GOTENBERG_ENDPOINT
-          value: "http://gotenberg-service:3000"
+          value: "http://gotenberg-service.tools.svc.cluster.local:3000"
         volumeMounts:
         - name: data
           mountPath: /usr/src/paperless/data

clusters/default/tools/paperless-ngx/paperless-pvc.yml

@@ -10,5 +10,5 @@ spec:
   volumeMode: Filesystem
   resources:
     requests:
-      storage: 1Gi
+      storage: 2Gi
   storageClassName: longhorn

clusters/default/tools/searxng/searxng.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: searxng
-        image: searxng/searxng@sha256:277cb4b82fbdd69d88812089a5755860d379de907f09fb511443ff03d35191af
+        image: searxng/searxng@sha256:472dd0c84b8e2a05bca773b4a430b9fc9e4e92cd4fa0afaa223efab925ab752a
         ports:
         - containerPort: 8080
         env:

clusters/default/tools/vaultwarden/vaultwarden.yml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: vaultwarden
-        image: vaultwarden/server:1.34.3
+        image: vaultwarden/server:1.35.1
         ports:
         - containerPort: 80
         env:

clusters/ipv6/arr-stack/bazarr/bazarr-ingress.yml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bazarr-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - bazarr.akshun-lab.cc
+    secretName: bazarr-tls
+  rules:
+  - host: bazarr.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: bazarr-service
+            port:
+              number: 6767
+

clusters/ipv6/arr-stack/bazarr/bazarr-pvc.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bazarr-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: longhorn
+

clusters/ipv6/arr-stack/bazarr/bazarr-svc.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bazarr-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: bazarr
+  ports:
+  - protocol: TCP
+    port: 6767
+    targetPort: 6767

clusters/ipv6/arr-stack/bazarr/bazarr.yml

@@ -0,0 +1,48 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bazarr
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bazarr
+  template:
+    metadata:
+      labels:
+        app: bazarr
+    spec:
+      containers:
+      - name: bazarr
+        image: linuxserver/bazarr:1.5.4
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Asia/Kolkata"
+        volumeMounts:
+        - name: movies
+          mountPath: /movies
+        - name: tv
+          mountPath: /tv
+        - name: config
+          mountPath: /config
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: bazarr-longhorn
+      - name: tv
+        nfs:
+          server: 10.0.0.123
+          path: /merge/series
+      - name: movies
+        nfs:
+          server: 10.0.0.123
+          path: /merge/movies
+

clusters/ipv6/arr-stack/jellyseerr/jellyseerr-ingress.yml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jellyseerr-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - jellyseerr.akshun-lab.cc
+    secretName: jellyseerr-tls
+  rules:
+  - host: jellyseerr.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: jellyseerr-service
+            port:
+              number: 5055
+

clusters/ipv6/arr-stack/jellyseerr/jellyseerr-pvc.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyseerr-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+

clusters/ipv6/arr-stack/jellyseerr/jellyseerr-svc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: jellyseerr-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: jellyseerr
+  ports:
+  - port: 5055
+    targetPort: 5055
+    protocol: TCP
+

clusters/ipv6/arr-stack/jellyseerr/jellyseerr.yml

@@ -0,0 +1,58 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jellyseerr
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: jellyseerr
+  template:
+    metadata:
+      labels:
+        app: jellyseerr
+    spec:
+      initContainers:
+      - name: gluetun
+        image: qmcgaw/gluetun:v3.41.0
+        restartPolicy: Always
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        envFrom:
+        - configMapRef:
+            name: gluetun-config
+        env:
+        - name: OPENVPN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_PASSWORD
+        - name: OPENVPN_USER
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_USER
+      containers:
+      - name: jellyseerr
+        image: fallenbagel/jellyseerr:2.7.3
+        ports:
+        - containerPort: 5055
+        env:
+        - name: LOG_LEVEL
+          value: "info"
+        - name: TZ
+          value: "Asia/Kolkata"
+        volumeMounts:
+        - name: config
+          mountPath: /app/config
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: jellyseerr-longhorn
+

clusters/ipv6/arr-stack/namespace.yml

@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: arr-stack
+  labels:
+    name: arr-stack

clusters/ipv6/arr-stack/openvpn/gluetun-config.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gluetun-config
+  namespace: arr-stack
+data:
+  VPN_SERVICE_PROVIDER: "surfshark"
+  SERVER_COUNTRIES: "Netherlands"
+  HTTPPROXY: "ON"
+  FIREWALL_OUTBOUND_SUBNETS: "192.168.1.0/24,10.42.0.0/16,10.43.0.0/16"
+  DNS_ADDRESS: "8.8.8.8"
+

clusters/ipv6/arr-stack/openvpn/gluetun-secrets-sealed.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: openvpn-secrets
+  namespace: arr-stack
+spec:
+  encryptedData:
+    OPENVPN_PASSWORD: AgCq8+4OOOqt0Z0zTiVdtjz5uWoH7flNKwreecXW7zZ3gMi7t2dg9YApYV5lBzIxXSCx1DhMWqbgBx545n4SFkZhJhJeJRxRMYYV1b034W4TCzyJXU9d1kcUY4zesutK/HVY2R6riUdGLZzxJ9RPEa62LfdmjCc7ilOnMG2zqGwUF8g7+/I8ANnxNKYZ6WF6kmD96C6RdMMO5D2AUs7YppppsADkoQmHyTjx5geceDm7nGHSyy5ieFuvg7qd7S5s7E+GpsMWsXgl1RGD2nsyJ94h7FH0/krWR4DBu7YivgKtehTf/fK1tkqbxuqPUDJG2QVhmYwLmcEMhfajV8tmJrptfgxQ0nRbqIM/kcJeopPhbcHg/HMMfp7GwiTjfub6gxti9JQPBgMjoOdyMrYsdWPbIF8CaScF9S5owPx0sI1oHlS/q4vhQs/2jh5rIrwLTJbmo1Xwrkd86TJfuUv2G7khUDF1xLBOX9gHQFiCF+F2/JC08CKuodJ5NyYIbQ3jTFMbZHnwlsONKAgbVz40s90OumD4ujk+CtB89/p4Pz8zJC26qB3mFSiFAIQ4RbAwygA9jsFXmsuS86dxinWD+XZYWGAXvG9GHtmV1lRG55CGQ4SAKmAgECqvE0q3MCmmhIquUgl0HolkkDRC+eJadb0w2z3bpFQ9K8ZdFP50Gj37hxcaVY/CREkAuiRhpxBOzbjwQShnly4qW6mB6/r0VF8THYPOsDy5DfQ=
+    OPENVPN_USER: AgC/5sKPgHylU/nDJ/S63t/07I1Ll9gdBipIyWtL0Fl+OStZ1DAzt7n4oGZ+HRqZA1bLJ4ZB0xgOIL7JjFN+1AqvybrCrIrira7AwxwsRWHzboFzA8St81pQR2Bu6O6B+cfFUiFNI43yOVAn1LRWzPFjRc6wtJTym2tQbzDaFL5pdvnMRHRlDSrGfWMHvl/iNDwL4CUctBSLYNsSbew15g/KavkEfNT6DqVhGZ8LNA+223x6Xs2tsscAYZo9zEX4qxYO1jk0WxfMXA8iFqjl2icI3y6FMLtnfM4dA+4LK+5rrlyLQVoBWznwPTMSvRLEKmstKQAe4jSel/DxL0oa0SnfAty1n+weM5uA4UIvo3mgDX2tGNIeibV6Hn6aG0jTAWgSaWVjIDe/NCVKOks18nnqOI9p91MS93EoYU7gRwwpVCNYWoXQoul6G1P4EkiqtDbwKPOMgVPWIdu0unP1Af7K/QhqaelEMM/EageSXdMeZ/hDA9vMTNQlhNf+eowU0KwpQ9MXYre4m8N4twPzRQfXvU4+SNr1QsrlpB52Y0QJJJZvG9HOPfLK52Re42TxbLxGap1oQLyHhRscsQ6XIDszpEDBlXj8RYxhgaCIKfywK2Z5v0tbjdAWJuQ3Cw/kcaEa8dGT2x6BenU+XxwNIsyFkCCR5+0bJLdKZFPaT3J1wpIP8JQ/HuAWW89lxXFQ74935oecAwr93eN2rRAvdNmL71sDJoUGoSU=
+  template:
+    metadata:
+      name: openvpn-secrets
+      namespace: arr-stack
+    type: Opaque

clusters/ipv6/arr-stack/prowlarr/prowlarr-ingress.yml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: prowlarr-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - prowlarr.akshun-lab.cc
+    secretName: prowlarr-tls
+  rules:
+  - host: prowlarr.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: prowlarr-service
+            port:
+              number: 9696
+

clusters/ipv6/arr-stack/prowlarr/prowlarr-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: prowlarr-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn

clusters/ipv6/arr-stack/prowlarr/prowlarr-svc.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: prowlarr-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: prowlarr
+  ports:
+  - port: 9696
+    targetPort: 9696
+  clusterIP: 10.43.0.142

clusters/ipv6/arr-stack/prowlarr/prowlarr.yml

@@ -0,0 +1,59 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: prowlarr
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: prowlarr
+  template:
+    metadata:
+      labels:
+        app: prowlarr
+    spec:
+      initContainers:
+      - name: gluetun
+        image: qmcgaw/gluetun:v3.41.0
+        restartPolicy: Always
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        envFrom:
+        - configMapRef:
+            name: gluetun-config
+        env:
+        - name: OPENVPN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_PASSWORD
+        - name: OPENVPN_USER
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_USER
+      containers:
+      - name: prowlarr
+        image: lscr.io/linuxserver/prowlarr:2.3.0
+        volumeMounts:
+        - name: config
+          mountPath: /config
+        ports:
+        - containerPort: 9696
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Asia/Kolkata"
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: prowlarr-longhorn

clusters/ipv6/arr-stack/qbittorrent/qbittorrent-ingress.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: qbittorrent-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - qbittorrent.akshun-lab.cc
+    secretName: qbittorrent-tls
+  rules:
+  - host: qbittorrent.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: qbittorrent-service
+            port:
+              number: 8080

clusters/ipv6/arr-stack/qbittorrent/qbittorrent-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: qbittorrent-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn

clusters/ipv6/arr-stack/qbittorrent/qbittorrent-svc.yml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: qbittorrent-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: qbittorrent
+  ports:
+  - port: 8080
+    targetPort: 8080

clusters/ipv6/arr-stack/qbittorrent/qbittorrent.yml

@@ -0,0 +1,63 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: qbittorrent
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: qbittorrent
+  template:
+    metadata:
+      labels:
+        app: qbittorrent
+    spec:
+      initContainers:
+      - name: gluetun
+        image: qmcgaw/gluetun:v3.41.0
+        restartPolicy: Always
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        envFrom:
+        - configMapRef:
+            name: gluetun-config
+        env:
+        - name: OPENVPN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_PASSWORD
+        - name: OPENVPN_USER
+          valueFrom:
+            secretKeyRef:
+              name: openvpn-secrets
+              key: OPENVPN_USER
+      containers:
+      - name: qbittorrent
+        image: linuxserver/qbittorrent:5.1.4
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Asia/Kolkata"
+        volumeMounts:
+        - name: downloads
+          mountPath: /downloads
+        - name: config
+          mountPath: /config
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: qbittorrent-longhorn
+      - name: downloads
+        nfs:
+          server: 10.0.0.123
+          path: /merge/downloads

clusters/ipv6/arr-stack/radarr/radarr-ingress.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: radarr-ingress
+  namespace: arr-stack
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - radarr.akshun-lab.cc
+    secretName: radarr-tls
+  rules:
+  - host: radarr.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: radarr-service
+            port:
+              number: 7878

clusters/ipv6/arr-stack/radarr/radarr-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: radarr-longhorn
+  namespace: arr-stack
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: longhorn

clusters/ipv6/arr-stack/radarr/radarr-svc.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: radarr-service
+  namespace: arr-stack
+spec:
+  selector:
+    app: radarr
+  ports:
+  - port: 7878
+    targetPort: 7878
+  clusterIP: 10.43.0.204

clusters/ipv6/arr-stack/radarr/radarr.yml

@@ -0,0 +1,49 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: radarr
+  namespace: arr-stack
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: radarr
+  template:
+    metadata:
+      labels:
+        app: radarr
+    spec:
+      containers:
+      - name: radarr
+        image: lscr.io/linuxserver/radarr:6.0.4
+        ports:
+        - containerPort: 7878
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Asia/Kolkata"
+        volumeMounts:
+        - name: movies
+          mountPath: /movies
+        - name: downloads
+          mountPath: /downloads
+        - name: config
+          mountPath: /config
+      volumes:
+      - name: movies
+        nfs:
+          server: 10.0.0.123
+          path: /merge/movies
+      - name: downloads
+        nfs:
+          server: 10.0.0.123
+          path: /merge/downloads
+      - name: config
+        persistentVolumeClaim:
+          claimName: radarr-longhorn