remove larry from psql

This reverts commit a1474579a5.

.sops.yaml

@@ -0,0 +1,3 @@
+creation_rules:
+  - encrypted_regex: ^(data|stringData)$
+    age: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9

apps/actual/deployment.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: actual
+  namespace: actual
+spec:
+  selector:
+    matchLabels:
+      app: actual
+  template:
+    metadata:
+      labels:
+        app: actual
+    spec:
+      containers:
+      - name: actual
+        image: docker.io/actualbudget/actual-server:latest
+        imagePullPolicy: Always
+        env:
+          - name: ACTUAL_PORT
+            value: "5006"
+        ports:
+        - containerPort: 5006
+          name: http
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /data
+          name: data
+      volumes:
+      - name: data
+        persistentVolumeClaim: 
+          claimName: actual-data

apps/actual/ingress.yaml

@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: actual
+  namespace: actual
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: actual.michaelthomson.dev
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: actual
+            port: 
+              name: http
+  tls:
+  - hosts:
+    - actual.michaelthomson.dev
+    secretName: actual-tls

apps/actual/pvc-data.yaml

@@ -1,12 +1,12 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: roundcubemail-temp-pvc
-  namespace: roundcube
+  name: actual-data
+  namespace: actual
 spec:
-  storageClassName: longhorn
-  accessModes:
-    - ReadWriteOnce
   resources:
     requests:
       storage: 10Gi
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce

apps/actual/service.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: readarr
-  namespace: media
+  name: actual
+  namespace: actual
 spec:
   selector:
-    app: readarr
+    app: actual
   ports:
   - port: 80
     targetPort: http

apps/authentik/authentik-postgres-credentials.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+    password: ENC[AES256_GCM,data:a7nwc49lItIjjg6f7Vaz6Kyyb4CgwMmudHpsQAY39539fvCWtYjsoQzEqEXZdcwPyqB2qlOHewXcStBgG1B1iKKZhqE=,iv:yK9EZWhBNLm9lNs7V7Fm2MQWv3Lfb1o34P25+p00FgQ=,tag:ie24X9bcK1NdxZWhEKITHw==,type:str]
+    username: ENC[AES256_GCM,data:VmGN5YxRGZcS/EWy,iv:QKGSkxBSfMusEkl3sS1m3KQREvwUCP0aag8u7VPzWxo=,tag:zXthxvtKBex3XpRqO6Qcyg==,type:str]
+kind: Secret
+metadata:
+    name: authentik-postgres-credentials
+    namespace: authentik
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZFlqTWZzTVNOV294bXF5
+            MEFFWGNXZkN6YjgrdGx2NkZyMHVWN25KSm5rCmxBQzNsSk53bDZiK3RQUCtYbjRu
+            NVUwZHJPSUhZTnEvdmNYNENSR1NSTTgKLS0tIFlmMTRSOWlKU1dYT0ZQQW1yTGx5
+            dWt0TXRDZ2VVVjREYjIvdTFUcVNxYjAKVYa8GZoKORII5nN0590OWzdbyoXe6Eyi
+            mRKUxtVsbhCPtfabQGn/tu40g7A9CFcWh51geIGewkTVmVlx0ulv/Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:32:24Z"
+    mac: ENC[AES256_GCM,data:N81ubg0zmCZpZKa+Z/IJZunsUUT8dZrWfp48cBNLg5GPr1O2SrvFUPo+ZWSDLRWWgea5E00kU1luDHcnTuHtjSF457anCc1LpezJnIIfPHQBE7wIrWkZMW1QYsScZhtNvkDf1LhXuo2JZnRkAZ249JzzPEYxy+GjLXU3hNaaeyw=,iv:V6Op3ZA9Rw2g20gzZapZt7GfnW7TW988psIIDlwxzaE=,tag:anOAkNKfUFhmntDH/i/v2w==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/authentik/authentik-secret-key.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+data:
+    key: ENC[AES256_GCM,data:0YHxGccmrLh2LFfAeySEqdfuE35FfzsAVI/XNcKKWKUS4HZ5sKUVy8PLSrl99nZRtC66Vj2Vsj/Zj+Ir/3/n8Vzhy04=,iv:whuMt5eTvp962tNisNDc5ygBaCzRs1MwBtOxWP+atv8=,tag:mcerAaPbzujtI25tPLETnQ==,type:str]
+kind: Secret
+metadata:
+    name: authentik-secret-key
+    namespace: authentik
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRlB4Vjg5cU1QWWovRTFW
+            M1Q0cmpaWkNUek54T1VheGxMbVlIeUlybjMwCnVTY2VLTXVSbEpUc0lTRUtETUV3
+            TGRmVDB5cnhpU2k2YkNuL3d6OTVETW8KLS0tIDZoNjlTVERvR1FSczB5d09IVnpl
+            QnloYTFKNGdyR3FuS3N2WjVVVGFKRWsKd8MPL8raiwfz/fLsjL76tdeCBDu/cirV
+            DKFx+Tu8KTugK6gGteXA2/PHZPEB/U9Zh1OD3t6AdPZMQJaiNKq/4Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:RlZUTVt/3acp5BX92MI3USohXoAlZy8QAgr0HwLu0IMc+gUcykCXV/voYSJgIQlHhKDo/Jwa0+KhU3DLT/9GS4UF/E2GCJhj9t9DlagnchLxxJXYyP/7FPUkoOfDKmG1Sc2Gq3i/gTVklzQ0DpwQflF0F50BLDv1FqxUD84jVoI=,iv:T/Hd0kenM4LikCB9mkSrFMVD1UeA+Dvwi+3TLziwsdI=,tag:rfosFTQZo695lnznWC8JcQ==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/authentik/cluster.yaml

@@ -0,0 +1,57 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: postgres-cluster
+  namespace: authentik
+  annotations:
+    # needed to allow for recovery from same name cluster backup
+    cnpg.io/skipEmptyWalArchiveCheck: enabled
+spec:
+  instances: 2
+
+  managed:
+    roles:
+      - name: authentik
+        superuser: true
+        login: true
+
+  bootstrap:
+    # initdb:
+    #   database: authentik
+    #   owner: authentik
+    #   secret:
+    #     name: authentik-postgres-credentials
+    # NOTE: uncomment this and commend the above initdb when recovering
+    recovery:
+      source: postgres-cluster
+
+  storage:
+    size: 8Gi
+    storageClass: longhorn-pg
+
+  externalClusters:
+    - name: postgres-cluster
+      barmanObjectStore:
+        destinationPath: "s3://mthomson-cnpg-backup/authentik/"
+        endpointURL: "https://s3.ca-central-1.wasabisys.com"
+        s3Credentials:
+          accessKeyId:
+            name: wasabi-secret
+            key: ACCESS_KEY_ID
+          secretAccessKey:
+            name: wasabi-secret
+            key: ACCESS_SECRET_KEY
+
+  backup:
+    barmanObjectStore:
+      destinationPath: "s3://mthomson-cnpg-backup/authentik/"
+      endpointURL: "https://s3.ca-central-1.wasabisys.com"
+      s3Credentials:
+        accessKeyId:
+          name: wasabi-secret
+          key: ACCESS_KEY_ID
+        secretAccessKey:
+          name: wasabi-secret
+          key: ACCESS_SECRET_KEY
+    retentionPolicy: "10d"
+

apps/authentik/release.yaml

@@ -0,0 +1,69 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  chart:
+    spec:
+      chart: authentik
+      version: 2025.8.4
+      sourceRef:
+        kind: HelmRepository
+        name: authentik
+  interval: 15m
+  releaseName: authentik
+  values:
+    authentik:
+      secret_key: file:///secret-key/key
+      postgresql:
+        host: postgres-cluster-rw
+        user: file:///postgres-creds/username
+        password: file:///postgres-creds/password
+    server:
+      ingress:
+        enabled: true
+        ingressClassName: traefik
+        annotations:
+          cert-manager.io/cluster-issuer: "letsencrypt-prod"
+          external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+          external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+          traefik.ingress.kubernetes.io/router.tls: "true"
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        hosts:
+          - authentik.michaelthomson.dev
+        tls:
+          - secretName: authentik-tls
+            hosts:
+              - authentik.michaelthomson.dev
+      volumes:
+        - name: postgres-creds
+          secret:
+            secretName: authentik-postgres-credentials
+        - name: secret-key
+          secret:
+            secretName: authentik-secret-key
+      volumeMounts:
+        - name: postgres-creds
+          mountPath: /postgres-creds
+          readOnly: true
+        - name: secret-key
+          mountPath: /secret-key
+          readOnly: true
+    worker:
+      env:
+        - name: AUTHENTIK_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: authentik-secret-key
+              key: key
+      volumes:
+        - name: postgres-creds
+          secret:
+            secretName: authentik-postgres-credentials
+      volumeMounts:
+        - name: postgres-creds
+          mountPath: /postgres-creds
+          readOnly: true
+    redis:
+      enabled: true

apps/authentik/repository.yaml

@@ -1,8 +1,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: plane
-  namespace: flux-system
+  name: authentik
+  namespace: authentik
 spec:
   interval: 15m
-  url: https://helm.plane.so/
+  url: https://charts.goauthentik.io/

apps/authentik/scheduled-backup.yaml

@@ -0,0 +1,11 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: scheduled-backup
+  namespace: authentik
+spec:
+  schedule: "0 0 0 * * *"
+  backupOwnerReference: self
+  #immediate: true
+  cluster:
+    name: postgres-cluster

apps/authentik/wasabi-secret.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+    ACCESS_KEY_ID: ENC[AES256_GCM,data:cJS1WkKlhgbWGqgOhFs9xjqriMIyGwaSq2W1tQ==,iv:5qj9+BjOPGvVFg9gIH9128nlOaQ27KMgjlIPIMF51IE=,tag:m80qHYyAbXGt1AGe+cXUuQ==,type:str]
+    ACCESS_SECRET_KEY: ENC[AES256_GCM,data:E1/lSR0Crdjt/N0BV0d7PgKSn00sKkNd9s4qsknK3MO4W3JSkwE2g4HyJvbjwDEmWZck7dB//WE=,iv:VoLSzFxrdGKKOVVNE8iiQtGS67yJYjknlxz4fs/DDJI=,tag:aPJEsutmqMobr+vXSCJ62g==,type:str]
+kind: Secret
+metadata:
+    name: wasabi-secret
+    namespace: authentik
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEQzVzc1EzaWsvWWlXa2tu
+            U1NXVFh4TDhuUXZZcXNHVVBBeUR5Y2RvT2pRCnZPL0t5RVMyVzRVeTluYVhZNkJT
+            ZjF0S2lsUWFvdTdFaXVGZ2NlOHVGUm8KLS0tIGZVR3lUT2ltR0pLUU4yT1BTWTZW
+            UkZiNmNPbUMvRUs3dDVDNjBnb0htM2cKvsfEiaSE2A5R+pvb0UoaPmvSFMQR2GDi
+            DBJ+OyMFhz0HxQO31/yrlZGcVxBKq/Q4DXD1zDtWapQ3ds/OBjxHlg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:s9DcnPm61QEc8v+VxeCMYlpbEY5XkgciP1f1Mrprix23FoBJOnLn3sJlCc1Ew6tZE4ilyhr6rK6CJA0Aqsvfro5dS0wQUI1CuDjS4+yx1ANfZzxICYNSIHXVhQiSIQ5g0ANaUVvzaj7pBKA/FvV+BTav2UbdDRUGNVsmZY5NZ5g=,iv:oJ8THhyCaB7+sBwqh9fpLIulKMWTDHdLKSZjMAZFDxo=,tag:IhpmqbLYUE9QCS1B28pdZQ==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/baikal/ingress.yaml

@@ -4,6 +4,9 @@ metadata:
   name: baikal
   namespace: baikal
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
@@ -21,4 +24,4 @@ spec:
   tls:
     - hosts:
         - baikal.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: baikal-tls

apps/booklore/basic-auth.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+    password: ENC[AES256_GCM,data:WJbyXSCQ2qUtXBtv,iv:h3L3BeSaGQqU+nzlunl3BUOk2dei3Ra60IgNP2sCDQg=,tag:BoooixO1SpnvK7Jvxw56cg==,type:str]
+    user: ENC[AES256_GCM,data:6D78pKeGDJI=,iv:fl2MNa+EZXKwAOjRGglwPGFGMSc+uSfUJ6vn8U5aPvE=,tag:PU179YKHwlEfJ7OLI68nIQ==,type:str]
+kind: Secret
+metadata:
+    name: basic-auth
+    namespace: booklore
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbmVWT3pRaTFrYXNyLys1
+            OEZxUTltSUpYaGgySCtzalA3SG9mVktlSzNrClNJNTBibUx4WWFZdDh1UUFXd2pu
+            ck9kVm1VckgxOVZUYjdTUHB4Uy9meGsKLS0tIHpJbk1yZU1jMzFPM2VZWkFWc21o
+            N2xLS0svZkd5MS9HRVUvN2MrWUhPK0kKC6SFkfSBu3CQKdt3+g+5JOjRLtwbxZS/
+            LQzDjeTqTKZHmrgxKwKsU15QtI0B1ie7f544KCuIAjvEeeBZb8AoRg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T17:34:49Z"
+    mac: ENC[AES256_GCM,data:ZJrymPllZvecBBeMTR1T1FZpHztqpsZ8SVqStshQMSd9Brf0F0KHNr9xd+dTrSuaeqR8rchLZ89hN+7an/JhkFm+4ffXWtdg5m6ES+Lbu6qGf3QczcQ4bssUhL4kuvTdM+7zVwD6XnyGF2G2hvSvJ2L8V364CX0ZOUCX+Cyk7Ss=,iv:GrVHO0vUz0pgloai/4KlCM/eCQSI1eEF59kuPVjG4y0=,tag:AXcIcDSD8DZOxbcrvvHMyQ==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/booklore/release.yaml

@@ -0,0 +1,50 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: booklore
+  namespace: booklore
+spec:
+  chart:
+    spec:
+      chart: ./example-chart
+      sourceRef:
+        kind: GitRepository
+        name: booklore
+  interval: 15m
+  releaseName: booklore
+  values:
+    mariadb:
+      enabled: true
+      image:
+        tag: latest
+      auth:
+        database: booklore
+        username: booklore-user
+
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+        external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+        external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+      hosts:
+        - host: booklore.michaelthomson.dev
+          paths:
+            - path: "/"
+              pathType: ImplementationSpecific
+      tls:
+        - hosts:
+            - booklore.michaelthomson.dev
+          secretName: booklore-tls
+
+    # If you want to bring your own persistence (such as a hostPath),
+    # disable these and do so in extraVolumes/extraVolumeMounts
+    persistence:
+      dataVolume:
+        enabled: true
+        size: 1Gi
+      booksVolume:
+        enabled: true
+        size: 10Gi

apps/booklore/repository.yaml

@@ -0,0 +1,10 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: booklore
+  namespace: booklore
+spec:
+  interval: 15m
+  url: https://github.com/booklore-app/booklore.git
+  ref:
+    branch: develop

apps/gitea/actions/release.yaml

@@ -0,0 +1,23 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: actions
+  namespace: gitea
+spec:
+  chart:
+    spec:
+      chart: actions
+      version: 
+      sourceRef:
+        kind: HelmRepository
+        name: gitea
+  interval: 15m
+  releaseName: actions
+  values:
+    enabled: true
+    existingSecret: actions-secret
+    existingSecretKey: token
+    giteaRootURL: http://gitea-http:3000
+    statefulset:
+      persistence:
+        size: 1Gi

apps/gitea/actions/secret.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+data:
+    token: ENC[AES256_GCM,data:k6dhRoR3XCITRikJStLu1+gkW8Xcrt/EnKtq/LtMOdDOC906nyDbLbLXo4yWkUPb4wOT7/FHtjM=,iv:v/7sYpp//k4NgIHIxrSgUCK0ddTS2knRXt7bv/tK6BQ=,tag:t8yskoe9Q+T1UFhzmdEgSQ==,type:str]
+kind: Secret
+metadata:
+    name: actions-secret
+    namespace: gitea
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUWxLU2Z5bmJSYUs2YS9q
+            bFFCSEJlTGtuNEFjVGtsMDFySW5TNnF6RTBzClpMdk9CRU9kTHoyVEJZU1JITnRS
+            aVhjMm9ndTBXYklkWUpMV0hYNWtrVFkKLS0tIEJLRmF5NVNNamlkSWNjam1lY1pF
+            MmtSTTJET3VWQStHN25DeDV6aGRrVkkKcMOwuTZY/meJjQZgzmAU37mUS4VjG7H/
+            q8c+keASqJI511XhWi8K938U8YREge7sDw8sa+RrXpoiy3zyipZOLQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:wr1ngpRm44ueRUsfITsQa9tuWffScHsz66QCfilsc8fO8gprb0eicYAgJ6J7JygGO7hZdnLB4z1Q/5bZFmdsvK2Oz3tV/NX/gZVGbFDqPFHfjDU+5rl7lrBnRh6D1RwvYqJzNL38dDO5oUXTOfDGijS574qB4EpyUnu7+AbJwtE=,iv:7kXdBFzz/M0Kynuk3fmnWWRV7VLN0BXELrYqt/VtQ9s=,tag:FqCzxPTwnL0yBX0+SrWbZA==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/gitea/admin-secret.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+    password: ENC[AES256_GCM,data:wcJdmRnN4nFOaIiM/Lyp8fceSRKpJW9laUYsZU/9UCmreJP3YHGFdw==,iv:35aJWV/ReimElkgHDEvd1VMi1+fL8ayB2YO5Ej6Iqrs=,tag:Vl665zuBbhsU28zXH+Madw==,type:str]
+    username: ENC[AES256_GCM,data:vnhGaPemu1i1kpHOPvRg8w==,iv:Ika50tGu/d6m6UxzUpZFhK/SxLsUMmB/GNeeFPmszdU=,tag:wC5CLp+5OhzLKYolmr1aTg==,type:str]
+kind: Secret
+metadata:
+    name: admin-secret
+    namespace: gitea
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMFNmREJGMStuTEhyRi9w
+            OTc4RTlrWWJwNlc2Z3liOXQrd1Jmc0VMQ3hJCjlJMzJDdDYvNWhtUVF6ZlBmR0Nx
+            RGNrZWlBcnpjSjZLaU95aGZjcXZVNWcKLS0tIHk0UkFnWkxFRHB3THQ1UytRSzdL
+            ZTB2WVBmWnZLT3FsekFhSHFkQ1RLNlkKbQfo7CDYk/EadaE6SEmsCZX5ubOTcbD3
+            lj4rj1v2dYME/wDj9rFp5IwESalXwKzUVzC8e1GuzbY6pDQPx5EW4Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:ApUlG4FA/KYrwm6u/6qNU2Cqz08MxRNmiBmiwCZgNF4aX0CWzRZ9+VbO/jIJUpzKB3W7EdpbiyuT7Ie3h0lwYIZY5xUXP4CDxsZ+TozAFJq/CgXs/BacTZIVhSEL93W+O4ett/UuIL66rtuiZcBY0CdM80j7aTy20ilse8wwusM=,iv:UWdNu4hW6OcMHkqQcrzmLZlU4gevBwAMInbjtC9R3hI=,tag:W+SgpfrOvR9HnGRfnGSgwQ==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/gitea/mailer-config-secret.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+data:
+    mailer: ENC[AES256_GCM,data:baGCpPHJejjMFeiBcgSroJWqmUj/8PzvwAdzZ+nLacen2I91iaIRIgztvsk=,iv:6M2+sKRc1ZC5CqY4X43xgGO/CeWOfjMVzNgelYd0V6c=,tag:I15tnxf8CQaLu+/0GNdeOA==,type:str]
+kind: Secret
+metadata:
+    name: gitea-mailer-config-secret
+    namespace: gitea
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMmxwWGZUb2JRK0FHdFd6
+            SFN5MGdZR3puUDNhMElTTy96SnVRUzJwYjFvCkJsdlJCRG9zVXdzOEY1REQ4NWRw
+            R05taHVZMlpySXVXWmNIc25VYng4WWsKLS0tIERoL0tUVmUvbG5ha0h0cWIvZDND
+            NkI0eUlmYjg3Zk9iVmNkZVpXWkh2TW8K/coOzGAPF42522cM6DZVAEEv3LmZaIhu
+            BVyl8ijATNLMIfiFpP5bHpljPHrn3lGP70RzwoCV15t1fC6pjeParA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:QBxnUAGg6xchZ9iqKK8gAmdJhDfma5BZlJVRZcfzGM57diuO2OE4JDbjW5gqf21OACL4d2funVlXRVlioLoe0tfZJY3AAedOmyQVXdrr0PwarbPztbWAFVvIMeQWPZUyPd3GxgaAATeBVCanSEgVTIOVqCN/DXNSHY2XcQ9x9Y0=,iv:ugLYt5NxsTIy0wUul748IGIzayG+zPQ/z5kH3T9IfiE=,tag:3yTjZ+MMMVNmi/8p321fFg==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/gitea/release.yaml

@@ -7,13 +7,11 @@ spec:
   chart:
     spec:
       chart: gitea
-      version: 11.x
+      version: 12.x
       sourceRef:
         kind: HelmRepository
         name: gitea
-        namespace: flux-system
   interval: 15m
-  timeout: 5m
   releaseName: gitea
   values:
     global:
@@ -27,12 +25,15 @@ spec:
         port: 2222
         clusterIP:
         annotations:
-          metallb.universe.tf/loadBalancerIPs: 192.168.2.248
+          metallb.io/loadBalancerIPs: 192.168.18.248
 
     ingress:
       enabled: true
       className: traefik
       annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+        external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+        external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
         traefik.ingress.kubernetes.io/router.entrypoints: websecure
         traefik.ingress.kubernetes.io/router.tls: "true"
       hosts:
@@ -43,7 +44,7 @@ spec:
       tls:
         - hosts:
             - gitea.michaelthomson.dev
-          secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+          secretName: gitea-tls
 
     persistence:
       claimName: gitea-shared-storage
@@ -54,6 +55,8 @@ spec:
       config:
         server:
           SSH_PORT: 2222
+        actions:
+          ENABLED: true
         service:
           DISABLE_REGISTRATION: true
           REGISTER_EMAIL_CONFIRM: true
@@ -68,7 +71,7 @@ spec:
           SMTP_PORT: 465
           USER: gitea@michaelthomson.dev
       admin:
-        existingSecret: gitea-admin-secret
+        existingSecret: admin-secret
         email: "gitea@michaelthomson.dev"
       additionalConfigSources:
         - secret:

apps/gitea/repository.yaml

@@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: gitea
-  namespace: flux-system
+  namespace: gitea
 spec:
   interval: 15m
   url: https://dl.gitea.io/charts

apps/homeassistant/ingress.yaml

@@ -4,6 +4,7 @@ metadata:
   name: homeassistant
   namespace: homeassistant
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
@@ -21,4 +22,4 @@ spec:
   tls:
     - hosts:
         - ha.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: homeassistant-tls

apps/immich/cluster.yaml

@@ -0,0 +1,64 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: immich-postgres
+  namespace: immich
+  annotations:
+    # needed to allow for recovery from same name cluster backup
+    cnpg.io/skipEmptyWalArchiveCheck: enabled
+spec:
+  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17-0.3.0
+  instances: 2
+
+  postgresql:
+    shared_preload_libraries:
+      - "vchord.so"
+
+  managed:
+    roles:
+      - name: immich
+        superuser: true
+        login: true
+
+  bootstrap:
+    # initdb:
+    #   database: immich
+    #   owner: immich
+    #   secret:
+    #     name: immich-postgres-user
+    #   postInitSQL:
+    #     - CREATE EXTENSION IF NOT EXISTS "vchord" CASCADE;
+    #     - CREATE EXTENSION IF NOT EXISTS "earthdistance" CASCADE;
+    # NOTE: uncomment this and commend the above initdb when recovering
+    recovery:
+      source: immich-postgres
+
+  storage:
+    size: 8Gi
+    storageClass: longhorn-pg
+
+  externalClusters:
+    - name: immich-postgres
+      barmanObjectStore:
+        destinationPath: "s3://mthomson-cnpg-backup/immich/"
+        endpointURL: "https://s3.ca-central-1.wasabisys.com"
+        s3Credentials:
+          accessKeyId:
+            name: wasabi-secret
+            key: ACCESS_KEY_ID
+          secretAccessKey:
+            name: wasabi-secret
+            key: ACCESS_SECRET_KEY
+
+  backup:
+    barmanObjectStore:
+      destinationPath: "s3://mthomson-cnpg-backup/immich/"
+      endpointURL: "https://s3.ca-central-1.wasabisys.com"
+      s3Credentials:
+        accessKeyId:
+          name: wasabi-secret
+          key: ACCESS_KEY_ID
+        secretAccessKey:
+          name: wasabi-secret
+          key: ACCESS_SECRET_KEY
+    retentionPolicy: "10d"

apps/immich/podmonitor.yaml

@@ -0,0 +1,11 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: immich-postgres
+  namespace: immich
+spec:
+  selector:
+    matchLabels:
+      cnpg.io/cluster: immich-postgres
+  podMetricsEndpoints:
+  - port: metrics

apps/immich/release.yaml

@@ -11,25 +11,27 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: immich
-        namespace: flux-system
   interval: 15m
-  timeout: 5m
   releaseName: immich
   values:
-    env:
-      DB_HOSTNAME: "immich-postgres-rw"
-      DB_USERNAME: "immich"
-      DB_DATABASE_NAME: "immich"
-      DB_PASSWORD: "immich"
-    image:
-      tag: v1.134.0
+    controllers:
+      main:
+        containers:
+          main:
+            image:
+              tag: v2.1.0
+            env:
+              DB_HOSTNAME: "immich-postgres-rw"
+              DB_USERNAME: "immich"
+              DB_DATABASE_NAME: "immich"
+              DB_PASSWORD: "immich"
 
     immich:
       persistence:
         library:
           existingClaim: immich-data
 
-    redis:
+    valkey:
       enabled: true
 
     server:
@@ -38,6 +40,9 @@ spec:
         main:
           enabled: true
           annotations:
+            cert-manager.io/cluster-issuer: "letsencrypt-prod"
+            external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+            external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
             traefik.ingress.kubernetes.io/router.entrypoints: websecure
             traefik.ingress.kubernetes.io/router.tls: "true"
           hosts:
@@ -47,7 +52,7 @@ spec:
           tls:
             - hosts:
                 - immich.michaelthomson.dev
-              secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+              secretName: immich-tls
 
     machine-learning:
       enabled: true

apps/immich/repository.yaml

@@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: immich
-  namespace: flux-system
+  namespace: immich
 spec:
   interval: 15m
   url: https://immich-app.github.io/immich-charts

apps/immich/scheduled-backup.yaml

@@ -0,0 +1,11 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: scheduled-backup
+  namespace: immich
+spec:
+  schedule: "0 0 0 * * *"
+  backupOwnerReference: self
+  #immediate: true
+  cluster:
+    name: immich-postgres

apps/immich/wasabi-secret.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+    ACCESS_KEY_ID: ENC[AES256_GCM,data:ad1Xc2tUS5JCGiaOoL5udd058QxG592R7a+66A==,iv:erHAPm5E5w2B0fZ/sagwTsT16MTLnbYzmamT9OS3fEE=,tag:TMRosj0L+u3JL3o6ig0/rw==,type:str]
+    ACCESS_SECRET_KEY: ENC[AES256_GCM,data:QJ3RkLWP8QNPt+JoD1B3ZCQkZKH82ImgnR8ZgfPPnEDFYj2rRuTbZva33yL/wAz95ll8YbjxtQw=,iv:cO96syX0ZdukwhKvvtrTzQcy0qQGEiL3NSxigcop+EQ=,tag:JS9sT+iFgdFMkTM74ore2w==,type:str]
+kind: Secret
+metadata:
+    name: wasabi-secret
+    namespace: immich
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPa1lwSXVIM0ZRa1NhZ3lv
+            U05sZi9WbkVidVVDYVdXWWNZejRHNW9MNUF3CkNFVjc2bjFUZXhuQzAxUDBDVGxi
+            VGpZcHdZMHVWVW40NDRvY2RURFJ5OEUKLS0tIGlwRmNTZi9WWEhuWnB5TW1leVZt
+            eWpOMDdyakJEcWxYaFZiZ05nbCtWU00KmfoVxNBH7N44v/Xxcmjw/D/YQ93DA7yU
+            6/kk/7R2ya2JWtuqkOx9QPU8/TKaucU5V/IxPhoWquytevHkL5QhUw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:1iNzgy+OKP7tZXkiMLr/9oFLjLnEEKAkQdzceFkGUYiq7gHmujuplt9vU2JS+Kc7l5m9FyB7cFOjHpJec08owJf7gDXcHBkUQmGGIU6eso/n/G5lj2bDKoQgrZcS3+cgpDGY/oiFh34ZapSL1uEbgQudRWsfQZr7o8iHLGEir4s=,iv:md9IZ9n2ecQDnBHIkBGZHhc34uIi9aWzbsDbZo2hx/U=,tag:U3m6q5TfHiii7cGPsK0MOw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/karakeep/chrome-deployment.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: chrome
-  namespace: hoarder
+  namespace: karakeep
 spec:
   replicas: 1
   selector:

apps/karakeep/chrome-service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: chrome
-  namespace: hoarder
+  namespace: karakeep
 spec:
   selector:
     app: chrome

apps/karakeep/data-pvc.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: data-pvc
-  namespace: hoarder
+  namespace: karakeep
 spec:
   accessModes:
     - ReadWriteOnce

apps/karakeep/ingress.yaml

@@ -1,14 +1,17 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: hoarder-web-ingress
-  namespace: hoarder
+  name: karakeep-web-ingress
+  namespace: karakeep
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
   rules:
-  - host: "hoarder.michaelthomson.dev"
+  - host: "karakeep.michaelthomson.dev"
     http:
       paths:
       - path: "/"
@@ -20,5 +23,5 @@ spec:
               number: 3000
   tls:
     - hosts:
-        - hoarder.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+        - karakeep.michaelthomson.dev
+      secretName: karakeep-web-ingress-tls

apps/karakeep/karakeep-secrets.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+data:
+    MEILI_MASTER_KEY: ENC[AES256_GCM,data:hGTazo5p3b+k9c1FsCzV8lkCKFqEv/pXbAF0FqnYK0euPusL20skBIBP/hZQCllL9ZIpHuHAK8ZA57TMrnBtBA==,iv:E/1DsMVmQ6r3IgF0g4UBvW0rLTUmc4OOBx7FJh0/fP8=,tag:I9NzdG8hkndQEEa+RwHGJA==,type:str]
+    NEXT_PUBLIC_SECRET: ENC[AES256_GCM,data:x0lLGcfMX4o76y+wpSUh4oTh4bm0CIw8+epVX3uO8BpN79xYFLMV3EzbUOi4Isldb0zdPzK6xlnF7tqCvTDY9Wq/SUs=,iv:vIfucp8BM9FaXUtoUUTXCQuRWTngFokKFpIwhA/IpXI=,tag:RykRRY1q2iV9zqe3rvxSkA==,type:str]
+    NEXTAUTH_SECRET: ENC[AES256_GCM,data:Z9GlM3phYB9WtU2K2HH9oAU7F7xZP48IsbK1JrwE72GZP53MiZmGDzTTzU/aP9DfG71PWqEgCPC56bQFr7UtvQ==,iv:SNNpv6J44Q4hxRvgzNNgt7NMUAoNMDAy3Ff7jrFAimQ=,tag:kvp3H+DgVAtXMwKzIPTJRA==,type:str]
+    OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING: ENC[AES256_GCM,data:qQAQg6sCJO0=,iv:EqNG67j5uII6+TBnMY9wt6E1jq52vevccfs+pmn4zs8=,tag:UP2omHyj5qCw/jIErW8GVw==,type:str]
+    OAUTH_CLIENT_ID: ENC[AES256_GCM,data:IK87xFx5N0he669UzhYLeFbpfAcZB039p8bgw+6AGDi17MIRBmoQkVJ1bvnGM+EaG7A7ezdrEQk=,iv:OG2HE2ubV/2ZIllyKIFnA7nRNEZfCoyh7AX+M8rLqtk=,tag:uCf8YI9RymbjLzVR2h/btQ==,type:str]
+    OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:OA6t3SU4uhD3AXFYxk06dhYdQhESr2LaWJ58jTGDCIGS2hIb6Sx7tS1nlDK/7G2LB8IZbRDfLSXc+DoYlQ/WwIlFSi9gDbiBYpk0ZYtfuo0hapc0MMCOpdvh7nc9d1p5/tMkX/ZbO0N2BHSBVbtwWaXntDDUd5YJxRubE6pnN3jKRbqY6BGfSdWytf47n8SEK6O2NWIgxnvlkKPLX0H/iKOxaTKHpasyEVv9xw==,iv:31nVzU3o4TuIGlH35oD5PRXbWWIX8FZ2u0OnYorM7sY=,tag:5Y8YFbt28UPDKr7EVJjApQ==,type:str]
+    OAUTH_PROVIDER_NAME: ENC[AES256_GCM,data:lcMWx1XJ/86FVyB4,iv:jVH7sDJo7Gag+hWNbUf9FC+jGqjts7liXomeOeW0eJ0=,tag:ISkJ2s/ZMOdLsxKh1Iauqg==,type:str]
+    OAUTH_WELLKNOWN_URL: ENC[AES256_GCM,data:/29zd+yLKKPQs9KfYCDOOPLqpay3Hd/+6YE3NcufDCiBCGEzHE9YtqrwyYGhq/Z3RPBNB85aYgCZbEVVgTezOvMGeoOUWzrQirD0ZF7JYPQt+jbpLRKMgsD9YF9iySRCPickdp17Hh6ukwhPfcf1ucT5tT9sjXm6JVFJFg==,iv:hzF9F9btpP/7Add/g/E0RlPDO5npIbVaj0JoJ0Na/SA=,tag:c2rigTpq0vtct4FCIBPE6Q==,type:str]
+    OPENAI_API_KEY: ENC[AES256_GCM,data:am/9P6389pS9IrxX2oAiMP5NawG8oj77rY8mgfJCjaXfGOPARIGtOSkmFVyY1oQR51oi3jDAg++JR72IW5k1NFkQp9JehMZeNXgLIc3aBIVIjJ+8G+q4AZ63TJrPAnDd+XiXf0aOAyyMzwmRY/j9Gu4cZXGxvqdz5HAmQMwcBfpWRXpEA1+YnDea2YhXW796JHI6WPBD4dzFMUZ1q5PGWwMOsAi6ArIXTN30EK1AqM8EIlK5quubbRxbJCI16DGDzIbXnuLB7MW8mvzm93Yz1Q39Q01reO3XZbihLw==,iv:G9XIKNcqUIizhgzj0POi0tQ/nHOne3DLeDtRaP0lXUg=,tag:o1zZ8ZoYbQZad3ciV9lqjg==,type:str]
+kind: Secret
+metadata:
+    name: karakeep-secrets
+    namespace: karakeep
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAreXJUVW5FVUsrc2k0RUk0
+            ZkZRS3pZUXFaTUdManhKVWp1S0JiaHRQV200CjVUYlAwN09TelNsK1l4aTQzSEF0
+            SFVkQnUwaFAvbGN5Z0dVTVdMdmRXR1kKLS0tIEk4S2FINWU1ZmtSYWFsVm94UTVS
+            RTBKZEtZMUhLMEFlejNEek5iL0J5Q28Kk07rkAd/qNVyS40Iz7yfSJMpa2pGtvrj
+            0YBKgyDoKmQ1aNzPo5aiaKyaUdh1PYrkAI7q5J+rmXj/70DR662nSA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:4gHyTL/1DH/s4S/GdQOS7THzXNwo0xvMGdUqtEwgsjTSnoEZQMiUFLGOSnCy3LVG6JiPvCrJKDRrralrdaoSSWcmwy3pA/EG2eS58ooa02Hum2DgJ9XO25ZNSj16/gGJwgnEscGHSsAjRA3guAPAIbGip6DrhJJ3EfgVXT+J0OI=,iv:gV6QwYfTXiz4bfJNmW5yiZflspI3zULTEtVsWxirjvE=,tag:388de9lUv88lH3JoGsnlug==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/karakeep/meilisearch-deployment.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: meilisearch
-  namespace: hoarder
+  namespace: karakeep
 spec:
   replicas: 1
   selector:
@@ -24,7 +24,7 @@ spec:
               name: meilisearch
           envFrom:
             - secretRef:
-                name: hoarder-secrets
+                name: karakeep-secrets
       volumes:
         - name: meilisearch
           persistentVolumeClaim:

apps/karakeep/meilisearch-pvc.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: meilisearch-pvc
-  namespace: hoarder
+  namespace: karakeep
 spec:
   accessModes:
     - ReadWriteOnce

apps/karakeep/meilisearch-service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: meilisearch
-  namespace: hoarder
+  namespace: karakeep
 spec:
   selector:
     app: meilisearch

apps/karakeep/web-deployment.yaml

@@ -2,24 +2,26 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: web
-  namespace: hoarder
+  namespace: karakeep
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: hoarder-web
+      app: karakeep-web
   template:
     metadata:
       labels:
-        app: hoarder-web
+        app: karakeep-web
     spec:
       containers:
         - name: web
-          image: ghcr.io/hoarder-app/hoarder:release
+          image: ghcr.io/karakeep-app/karakeep
           imagePullPolicy: Always
           ports:
             - containerPort: 3000
           env:
+            - name: NEXTAUTH_URL
+              value: https://karakeep.michaelthomson.dev
             - name: MEILI_ADDR
               value: http://meilisearch:7700
             - name: BROWSER_WEB_URL
@@ -27,13 +29,13 @@ spec:
             - name: DATA_DIR
               value: /data
             - name: DISABLE_SIGNUPS
-              value: "true"
+              value: "false"
           volumeMounts:
             - mountPath: /data
               name: data
           envFrom:
             - secretRef:
-                name: hoarder-secrets
+                name: karakeep-secrets
       volumes:
         - name: data
           persistentVolumeClaim:

apps/karakeep/web-service.yaml

@@ -2,10 +2,10 @@ apiVersion: v1
 kind: Service
 metadata:
   name: web
-  namespace: hoarder
+  namespace: karakeep
 spec:
   selector:
-    app: hoarder-web
+    app: karakeep-web
   ports:
     - protocol: TCP
       port: 3000

apps/kube-prometheus-stack/admin-secret.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+    admin-password: ENC[AES256_GCM,data:FXusij+QSZCfG5Cp1VFTsDXmzYc=,iv:KuscQB1tHeTY4d7EPEozOO9FqlhBwZL2hNix7gGpu6s=,tag:wX7us8uCsHlfudM6sx/vAw==,type:str]
+    admin-user: ENC[AES256_GCM,data:aOqM1iNeX30=,iv:iwxNPSNsrxEr7zTmKRWmLK3BNu5UIj055l1p3I24xKo=,tag:eUfhUyD8vHh8YKFZpAX2ww==,type:str]
+kind: Secret
+metadata:
+    name: admin-secret
+    namespace: kube-prometheus-stack
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyU2FJWjVseDY5ZGlJd2xs
+            OHBPQUpiS1ZocTZVeWVOVFdEaGt3dkN4OFFJCmd4M1lYbGYzelNhaDl0Tm5IUGww
+            OVc3M2Z5U3JGYVpuV21UQnJlZzM3Nk0KLS0tIDlma0J4amZKYWo4enpMdTI1YUZJ
+            aXBLVnBtMFpLc3B3djdzZDBiWXhwdmMKSlkc7MFkV6lDJ0J+k2GdIlpbNa438bre
+            2QOOgd3QeomniAmM0pemCR9PIVA3Uf+3DhMs1foZ6uYugJMMsd6esQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-19T20:36:08Z"
+    mac: ENC[AES256_GCM,data:KocjA27Zp0Y/DVemOVvjOATT7QIQjydpJIYQpjr1UnB8l748E+VGkvra2vLyV11BQz3uLija/2v0WNmQs5f+ZLvoTuQro6l9HxSk4zkkgfMzkqzlWIVFsj2Z0SrNtLl+bQMkDeOuMeeB+hAtOtwoc04X9n78PIW+2SGsq2Z94Co=,iv:KfRKGFC0geEburKxnXJJJqZUmVXhET2WnEON+gxlQp8=,tag:cTnOwHZNcP3Z5aCvF+IS3Q==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/kube-prometheus-stack/release.yaml

@@ -7,38 +7,47 @@ spec:
   chart:
     spec:
       chart: kube-prometheus-stack
-      version: 63.x
+      version: 79.x
       sourceRef:
         kind: HelmRepository
         name: prometheus-community
-        namespace: flux-system
   interval: 15m
-  timeout: 5m
   releaseName: kube-prometheus-stack
   values:
     grafana:
+      admin:
+        existingSecret: admin-secret
+        userKey: admin-user
+        passwordKey: admin-password
       ingress:
         enabled: true
         annotations:
+          cert-manager.io/cluster-issuer: "letsencrypt-prod"
           traefik.ingress.kubernetes.io/router.tls: "true"
           traefik.ingress.kubernetes.io/router.entrypoints: websecure
         hosts:
         - grafana.michaelthomson.dev
         path: /
         tls:
-          - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+          - secretName: grafana-tls
             hosts:
               - grafana.michaelthomson.dev
     prometheus:
+      prometheusSpec:
+        podMonitorSelectorNilUsesHelmValues: false
+        ruleSelectorNilUsesHelmValues: false
+        serviceMonitorSelectorNilUsesHelmValues: false
+        probeSelectorNilUsesHelmValues: false
       ingress:
         enabled: true
         annotations:
+          cert-manager.io/cluster-issuer: "letsencrypt-prod"
           traefik.ingress.kubernetes.io/router.tls: "true"
           traefik.ingress.kubernetes.io/router.entrypoints: websecure
         hosts:
         - prometheus.michaelthomson.dev
         path: /
         tls:
-          - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+          - secretName: prometheus-tls
             hosts:
               - prometheus.michaelthomson.dev

apps/kube-prometheus-stack/repository.yaml

@@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: prometheus-community
-  namespace: flux-system
+  namespace: kube-prometheus-stack
 spec:
   interval: 15m
   url: https://prometheus-community.github.io/helm-charts

apps/media/bazarr/ingress.yaml

@@ -4,6 +4,7 @@ metadata:
   name: bazarr
   namespace: media
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
     # traefik.ingress.kubernetes.io/router.middlewares: authentik-bazarr@kubernetescrd
@@ -22,4 +23,4 @@ spec:
   tls:
     - hosts:
         - bazarr.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: bazarr-tls

apps/media/jellyfin/deployment.yaml

@@ -12,7 +12,6 @@ spec:
       labels:
         app: jellyfin
     spec:
-      runtimeClassName: nvidia
       containers:
       - name: jellyfin
         image: lscr.io/linuxserver/jellyfin:latest
@@ -29,16 +28,12 @@ spec:
         - mountPath: /data/media
           name: data
           subPath: media
-        # - name: dev-dri
-        #   mountPath: /dev/dri
-        env:
-        - name: NVIDIA_VISIBLE_DEVICES
-          value: all
-        - name: NVIDIA_DRIVER_CAPABILITIES
-          value: all
-        resources:
-          limits:
-            nvidia.com/gpu: 1
+        - name: transcode
+          mountPath: /transcode
+        - name: cache
+          mountPath: /cache
+        - name: dev-dri
+          mountPath: /dev/dri
       volumes:
       - name: config
         persistentVolumeClaim: 
@@ -46,6 +41,13 @@ spec:
       - name: data
         persistentVolumeClaim: 
           claimName: media-data
-      # - name: dev-dri
-      #   hostPath:
-      #     path: /dev/dri
+      - name: transcode
+        emptyDir:
+          sizeLimit: 50Gi
+      - name: cache
+        emptyDir:
+          medium: Memory
+          sizeLimit: 2Gi
+      - name: dev-dri
+        hostPath:
+          path: /dev/dri

apps/media/jellyfin/ingress.yaml

@@ -4,6 +4,9 @@ metadata:
   name: jellyfin
   namespace: media
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
@@ -21,4 +24,4 @@ spec:
   tls:
     - hosts:
         - jellyfin.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: jellyfin-tls

apps/media/jellyseerr/ingress.yaml

@@ -4,6 +4,9 @@ metadata:
   name: jellyseerr
   namespace: media
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
@@ -21,4 +24,4 @@ spec:
   tls:
     - hosts:
         - jellyseerr.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: jellyseerr-tls

apps/media/prowlarr/ingress.yaml

@@ -4,6 +4,7 @@ metadata:
   name: prowlarr
   namespace: media
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
     # traefik.ingress.kubernetes.io/router.middlewares: authentik-prowlarr@kubernetescrd
@@ -22,4 +23,4 @@ spec:
   tls:
     - hosts:
         - prowlarr.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: prowlarr-tls

apps/media/radarr/ingress.yaml

@@ -4,6 +4,7 @@ metadata:
   name: radarr
   namespace: media
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
     # traefik.ingress.kubernetes.io/router.middlewares: authentik-radarr@kubernetescrd
@@ -22,4 +23,4 @@ spec:
   tls:
     - hosts:
         - radarr.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: radarr-tls

apps/media/sabnzbd/ingress.yaml

@@ -4,6 +4,7 @@ metadata:
   name: sabnzbd
   namespace: media
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
@@ -21,4 +22,4 @@ spec:
   tls:
     - hosts:
         - sabnzbd.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: sabnzbd-tls

apps/media/sonarr/ingress.yaml

@@ -4,6 +4,7 @@ metadata:
   name: sonarr
   namespace: media
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
     # traefik.ingress.kubernetes.io/router.middlewares: authentik-sonarr@kubernetescrd
@@ -22,4 +23,4 @@ spec:
   tls:
     - hosts:
         - sonarr.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: sonarr-tls

apps/michaelthomson/ingress.yaml

@@ -4,6 +4,9 @@ metadata:
   name: michaelthomson.dev
   namespace: michaelthomson
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
@@ -21,4 +24,4 @@ spec:
   tls:
     - hosts:
         - michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: michaelthomson-tls

apps/minecraft/release.yaml

@@ -0,0 +1,50 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: minecraft
+  namespace: minecraft
+spec:
+  chart:
+    spec:
+      chart: minecraft
+      version: 5.x
+      sourceRef:
+        kind: HelmRepository
+        name: minecraft
+  interval: 15m
+  releaseName: minecraft
+  values:
+    serviceAnnotations:
+      metallb.io/loadBalancerIPs: 192.168.18.201
+
+    minecraftServer:
+      # This must be overridden, since we can't accept this for the user.
+      eula: true
+      # One of: LATEST, SNAPSHOT, or a specific version (ie: "1.7.9").
+      version: "LATEST"
+      ## The type of Minecraft server to run, check for related settings below
+      ## Common types: "VANILLA", "FABRIC", "FORGE", "SPIGOT", "BUKKIT", "PAPER",
+      ## "FTBA", "SPONGEVANILLA", "AUTO_CURSEFORGE"
+      ## ref: https://docker-minecraft-server.readthedocs.io/en/latest/types-and-platforms
+      type: "VANILLA"
+      # One of: peaceful, easy, normal, and hard
+      difficulty: normal
+      # A comma-separated list of player names to whitelist.
+      whitelist: DrDeww,lolobinbolo
+      # A comma-separated list of player names who should be admins.
+      ops: DrDeww
+      # A server icon URL for server listings. Auto-scaled and transcoded.
+      icon:
+      # Message of the Day
+      motd: "Welcome to Michael's Minecraft Server"
+      worldSaveName: world
+      # If you adjust this, you may need to adjust resources.requests above to match.
+      memory: 1024M
+      serviceType: LoadBalancer
+
+    persistence:
+      dataDir:
+        enabled: true
+        Size: 8Gi
+        accessModes:
+          - ReadWriteOnce

apps/minecraft/repository.yaml

@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: minecraft
+  namespace: minecraft
+spec:
+  interval: 15m
+  url: https://itzg.github.io/minecraft-server-charts/
+

apps/nextcloud/collabora-secret.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+    password: ENC[AES256_GCM,data:jFpz9bSZvldMHrXZWPEFLCZk+WU=,iv:Gr01uTyy1LLodCrr+e+QPCaosA0ad9qg+51vxQKu7nM=,tag:mQC7HYeycSdnVi8QXKgqhA==,type:str]
+    username: ENC[AES256_GCM,data:ODJU7cK+lrQ=,iv:biwQxLX4xjZMVWF2phEuOrR0s+oWoiTw6at1YlLIdGU=,tag:oA3/NPM/tFJBfclJDJUP6A==,type:str]
+kind: Secret
+metadata:
+    name: collabora-secret
+    namespace: nextcloud
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdm9XakdSZFF3ZWhsaktu
+            Tm9aWU45ekhQeTdEc2FXbmVZZ2FYa3hrTWowCnkrM1hxSkNkTTFuVlh1NEZDbHBp
+            cWppL1lCMlpaZ3I3ZHVmRS9kQkwxM2MKLS0tIGF2bFh3SzJ3azVpWlhHOUo1Zzhp
+            QVhKelUvY1hiR2FiR004YnQzMEFIN1EKa1JN+ra3csHPICDfyOS/DtE6SyRrGveW
+            9KigyHoAzOAjvr7Cjzirl9J7tgA9iasfbVE4mfcuqwJGR14ANJ7OPw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:sFjlG7K93WOS4QZXV/bcdVC2YwcCzzZ2lS6vtsR6v6SK0Lmw2neR5rc5SF6IESrUU4G3M/Y4VFTmb8Zttk0Tlk2nRlqXo35MIN6S+KTL/ssiCHSN4+J20Yp7HeQ+3DkLLY5+RiYAhrfzy/yUVRPWeAF3KKGwwfjknCR+avtLL44=,iv:QmesKHhkXUAD+lFS/ijYmsNVF8FFnmxiHk7IDJF5kmk=,tag:K4COX2z99gGuO2PBKUz7Zw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/nextcloud/nextcloud-redis-secret.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+data:
+    password: ENC[AES256_GCM,data:sczdgF2gOu+NkUmPPS3ipwRPSkgsL69QwA4zUFGV70GRTpC+,iv:0sA/fN7M4Gg7FuOAH/+j8PhY26wT94UNCfbdJ36JKg0=,tag:V3G9nSJOtVh0yzNZkX3Uzg==,type:str]
+kind: Secret
+metadata:
+    name: nextcloud-redis-secret
+    namespace: nextcloud
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aDEzNEFlUUNIekRib1hv
+            NGZITHZMTjhlWlQ3MHk1djlUVk1GeFRVRzBNCm12bWhPaHk2REo1RCtZUDhnLzF3
+            SXFOMzlVaDdyZk9FQVhiZmV3ZEo3RlkKLS0tIHVrZGZ4cFp2SkVubCtxUWQ1aXBw
+            Y095N2YrRTZBdFBlOWlPYXpWS0R3dk0KTUGr2gfHK5NszjDWSJObcGNdvjiBQ0lt
+            ujeskIYbKzRoY8cCRxiGc17SFTYnp+2q0hBm8V9H+ywI74Chc1gOgA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:wISm9FeJ4cyF0I+QAMjte3/nwzwtk8c5VQltYzPlcsqUqOjLkmD6iLqtaOteZ3pZQOf9AylRTGaoow1kZ44X5dk/fx6Sy/JrQuhuc2JK7llgBqITp3S/sRK1Dtvb4r0y8x6iiKs8+sd/PA9TUqekPtmrC4dVcHKGzd1bX0DopU8=,iv:2bmJIOt1JUUk2TJbcQIg6/FwpvLpYTwpzKaSd39Lo9c=,tag:FbURmraQwP2NaB8CEVArww==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/nextcloud/postgres-secret.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+    password: ENC[AES256_GCM,data:+gp5N+elMS/vn3N6u8z7+/IDVl6w3VDnE6UrIsRMak3f1qag,iv:TY+iRf28IvZzpc3wJtIVkflgzuSyQxpucUttce71iTo=,tag:A/LsCq31oVsjINhi2BH7Cw==,type:str]
+    username: ENC[AES256_GCM,data:LFfYK587FmlJy8Gl,iv:CtTz38aswJ87iWp8GslxFH6PMS9ZJ7puGprrURhidSE=,tag:5vSMUAyjjxpbHlx1/2h9IA==,type:str]
+kind: Secret
+metadata:
+    name: postgres-secret
+    namespace: nextcloud
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRemtSSkl2K01QSUlSbDha
+            dEdsa0JEWVZUeEtYSXM1OXRDQ3R1U01Zd0RNCnFKOWJRTElZRWxvdW94ZWRvUmNY
+            Y1IxM216MUhLWjhKcFJJSE1YQjlTTlUKLS0tIExFSDdnVWZEZG43VFJwUGVPT1Bu
+            ZWljcWVZcXpOUjJnOStvbmgwVHRsT28KMF4lDFhHbI+yqXDhiIuDe2NeuhPaReS9
+            Z6wiLrOWcXfbNN6DnLSBNAt0IqQzIYWHAlZayGPqA+JJCS/gkZnA1Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:TTAiIjKHCnA+mQ1fM0J3TEdqZkTRZKSHjRI4SsaiUut+uwWxN3nxUUlcBpyo3m62ff9WkyYvGtxfLsOXevrshN8WFB2H49NYA6TjyQgAzJ1XFeJZhFfSLM1nd/46a5KU/6mSBN9ZqUmnhXmBNo7wZdDKSJUlZ8tFwTtwDJve2o4=,iv:2idsk3hZOOWKGVZ+4Z9C82/+lF/tjokm3uBPMsE+WEw=,tag:UxQ6XtP9+iNaAn++IDYaHQ==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0