fix grimmory repo

This reverts commit ee5bfb66f6.

.sops.yaml

@@ -0,0 +1,3 @@
+creation_rules:
+  - encrypted_regex: ^(data|stringData)$
+    age: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9

apps/actual/deployment.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: actual
+  namespace: actual
+spec:
+  selector:
+    matchLabels:
+      app: actual
+  template:
+    metadata:
+      labels:
+        app: actual
+    spec:
+      containers:
+      - name: actual
+        image: docker.io/actualbudget/actual-server:latest
+        imagePullPolicy: Always
+        env:
+          - name: ACTUAL_PORT
+            value: "5006"
+        ports:
+        - containerPort: 5006
+          name: http
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /data
+          name: data
+      volumes:
+      - name: data
+        persistentVolumeClaim: 
+          claimName: actual-data

apps/actual/ingress.yaml

@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: actual
+  namespace: actual
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: actual.michaelthomson.dev
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: actual
+            port: 
+              name: http
+  tls:
+  - hosts:
+    - actual.michaelthomson.dev
+    secretName: actual-tls

apps/actual/pvc-data.yaml

@@ -1,12 +1,12 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: roundcubemail-temp-pvc
-  namespace: roundcube
+  name: actual-data
+  namespace: actual
 spec:
-  storageClassName: longhorn
-  accessModes:
-    - ReadWriteOnce
   resources:
     requests:
       storage: 10Gi
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce

apps/actual/service.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: readarr
-  namespace: media
+  name: actual
+  namespace: actual
 spec:
   selector:
-    app: readarr
+    app: actual
   ports:
   - port: 80
     targetPort: http

apps/gitea/actions/release.yaml

@@ -0,0 +1,23 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: actions
+  namespace: gitea
+spec:
+  chart:
+    spec:
+      chart: actions
+      version: 
+      sourceRef:
+        kind: HelmRepository
+        name: gitea
+  interval: 15m
+  releaseName: actions
+  values:
+    enabled: true
+    existingSecret: actions-secret
+    existingSecretKey: token
+    giteaRootURL: http://gitea-http:3000
+    statefulset:
+      persistence:
+        size: 1Gi

apps/gitea/actions/secret.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+data:
+    token: ENC[AES256_GCM,data:k6dhRoR3XCITRikJStLu1+gkW8Xcrt/EnKtq/LtMOdDOC906nyDbLbLXo4yWkUPb4wOT7/FHtjM=,iv:v/7sYpp//k4NgIHIxrSgUCK0ddTS2knRXt7bv/tK6BQ=,tag:t8yskoe9Q+T1UFhzmdEgSQ==,type:str]
+kind: Secret
+metadata:
+    name: actions-secret
+    namespace: gitea
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUWxLU2Z5bmJSYUs2YS9q
+            bFFCSEJlTGtuNEFjVGtsMDFySW5TNnF6RTBzClpMdk9CRU9kTHoyVEJZU1JITnRS
+            aVhjMm9ndTBXYklkWUpMV0hYNWtrVFkKLS0tIEJLRmF5NVNNamlkSWNjam1lY1pF
+            MmtSTTJET3VWQStHN25DeDV6aGRrVkkKcMOwuTZY/meJjQZgzmAU37mUS4VjG7H/
+            q8c+keASqJI511XhWi8K938U8YREge7sDw8sa+RrXpoiy3zyipZOLQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:wr1ngpRm44ueRUsfITsQa9tuWffScHsz66QCfilsc8fO8gprb0eicYAgJ6J7JygGO7hZdnLB4z1Q/5bZFmdsvK2Oz3tV/NX/gZVGbFDqPFHfjDU+5rl7lrBnRh6D1RwvYqJzNL38dDO5oUXTOfDGijS574qB4EpyUnu7+AbJwtE=,iv:7kXdBFzz/M0Kynuk3fmnWWRV7VLN0BXELrYqt/VtQ9s=,tag:FqCzxPTwnL0yBX0+SrWbZA==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/gitea/admin-secret.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+    password: ENC[AES256_GCM,data:wcJdmRnN4nFOaIiM/Lyp8fceSRKpJW9laUYsZU/9UCmreJP3YHGFdw==,iv:35aJWV/ReimElkgHDEvd1VMi1+fL8ayB2YO5Ej6Iqrs=,tag:Vl665zuBbhsU28zXH+Madw==,type:str]
+    username: ENC[AES256_GCM,data:vnhGaPemu1i1kpHOPvRg8w==,iv:Ika50tGu/d6m6UxzUpZFhK/SxLsUMmB/GNeeFPmszdU=,tag:wC5CLp+5OhzLKYolmr1aTg==,type:str]
+kind: Secret
+metadata:
+    name: admin-secret
+    namespace: gitea
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMFNmREJGMStuTEhyRi9w
+            OTc4RTlrWWJwNlc2Z3liOXQrd1Jmc0VMQ3hJCjlJMzJDdDYvNWhtUVF6ZlBmR0Nx
+            RGNrZWlBcnpjSjZLaU95aGZjcXZVNWcKLS0tIHk0UkFnWkxFRHB3THQ1UytRSzdL
+            ZTB2WVBmWnZLT3FsekFhSHFkQ1RLNlkKbQfo7CDYk/EadaE6SEmsCZX5ubOTcbD3
+            lj4rj1v2dYME/wDj9rFp5IwESalXwKzUVzC8e1GuzbY6pDQPx5EW4Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:ApUlG4FA/KYrwm6u/6qNU2Cqz08MxRNmiBmiwCZgNF4aX0CWzRZ9+VbO/jIJUpzKB3W7EdpbiyuT7Ie3h0lwYIZY5xUXP4CDxsZ+TozAFJq/CgXs/BacTZIVhSEL93W+O4ett/UuIL66rtuiZcBY0CdM80j7aTy20ilse8wwusM=,iv:UWdNu4hW6OcMHkqQcrzmLZlU4gevBwAMInbjtC9R3hI=,tag:W+SgpfrOvR9HnGRfnGSgwQ==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/gitea/mailer-config-secret.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+stringData:
+    mailer: ENC[AES256_GCM,data:IrYl0ghmMpe7LCGuHFAv8OOnnYPnxed8M86qEnXct/d3Xlf+vQ==,iv:d/Egq7dRzNbx/5cEL5lKxD+ZsDhTLCB1EGnP6RXok00=,tag:aiQoSAMKQ1b0mXUT0lw8+w==,type:str]
+kind: Secret
+metadata:
+    name: gitea-mailer-config-secret
+    namespace: gitea
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMmxwWGZUb2JRK0FHdFd6
+            SFN5MGdZR3puUDNhMElTTy96SnVRUzJwYjFvCkJsdlJCRG9zVXdzOEY1REQ4NWRw
+            R05taHVZMlpySXVXWmNIc25VYng4WWsKLS0tIERoL0tUVmUvbG5ha0h0cWIvZDND
+            NkI0eUlmYjg3Zk9iVmNkZVpXWkh2TW8K/coOzGAPF42522cM6DZVAEEv3LmZaIhu
+            BVyl8ijATNLMIfiFpP5bHpljPHrn3lGP70RzwoCV15t1fC6pjeParA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-05-12T01:59:49Z"
+    mac: ENC[AES256_GCM,data:TSNyIUQIRaX27K9ZbyiMCayFFIeUKmfD4Bz9Zu7Apa7NGqXmAWabzY3KHyjL14LDxmv4XJpA5W3DLI920DfOEUq2iW9EogMfSV7nEMMA6lzYMf+ca5W0BCwPE0MDBkTIL2nREoZh0FGDmq1M2syRIfaBrFKq97ZozQqz4AA8iZc=,iv:wCjERwABseOGN7LWiLzoT4VGHk9vnGdN0yl2eeQTAho=,tag:j/bDGqPoTm5FFGhERh1KJQ==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.12.2

apps/gitea/release.yaml

@@ -7,32 +7,31 @@ spec:
   chart:
     spec:
       chart: gitea
-      version: 11.x
+      version: 12.x
       sourceRef:
         kind: HelmRepository
         name: gitea
-        namespace: flux-system
   interval: 15m
-  timeout: 5m
   releaseName: gitea
   values:
     global:
       storageClass: longhorn
 
-    replicaCount: 1
-
     service:
       ssh:
         type: LoadBalancer
         port: 2222
         clusterIP:
         annotations:
-          metallb.universe.tf/loadBalancerIPs: 192.168.2.248
+          metallb.io/loadBalancerIPs: 192.168.18.248
 
     ingress:
       enabled: true
       className: traefik
       annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+        external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+        external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
         traefik.ingress.kubernetes.io/router.entrypoints: websecure
         traefik.ingress.kubernetes.io/router.tls: "true"
       hosts:
@@ -43,17 +42,17 @@ spec:
       tls:
         - hosts:
             - gitea.michaelthomson.dev
-          secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+          secretName: gitea-tls
 
     persistence:
-      claimName: gitea-shared-storage
       size: 10Gi
-      storageClass: longhorn
 
     gitea:
       config:
         server:
           SSH_PORT: 2222
+        actions:
+          ENABLED: true
         service:
           DISABLE_REGISTRATION: true
           REGISTER_EMAIL_CONFIRM: true
@@ -62,35 +61,29 @@ spec:
           ALLOWED_HOST_LIST: external,loopback,private
         mailer:
           ENABLED: true
-          FROM: gitea@michaelthomson.dev
+          FROM: server@michaelthomson.dev
           PROTOCOL: smtps
           SMTP_ADDR: mail.michaelthomson.dev
           SMTP_PORT: 465
-          USER: gitea@michaelthomson.dev
+          USER: server@michaelthomson.dev
       admin:
-        existingSecret: gitea-admin-secret
+        existingSecret: admin-secret
         email: "gitea@michaelthomson.dev"
       additionalConfigSources:
         - secret:
             secretName: gitea-mailer-config-secret
 
-    redis-cluster:
+    valkey-cluster:
       enabled: false
 
+    valkey:
+      enabled: true
+
     postgresql-ha:
       enabled: false
 
     postgresql:
       enabled: true
-      global:
-        postgresql:
-          auth:
-            password: gitea
-            database: gitea
-            username: gitea
-          service:
-            ports:
-              postgresql: 5432
       primary:
         persistence:
           size: 10Gi

apps/gitea/repository.yaml

@@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: gitea
-  namespace: flux-system
+  namespace: gitea
 spec:
   interval: 15m
   url: https://dl.gitea.io/charts

apps/grimmory/mariadb-credentials.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+stringData:
+    mariadb-password: ENC[AES256_GCM,data:sRg+BqCvSWe/I9vLLRcgPyMs87BttZAejfKPI7kIej6L3sXasYE700jr9tw=,iv:VMnb9a72TYYBdC2RCD9wwpRdUZiiD+SFOZOl0ZIHjbU=,tag:eXRgY1VO0PDRJPUAr4RYXw==,type:str]
+    mariadb-root-password: ENC[AES256_GCM,data:86cu/5fSD2h7yQSt0b9cp15a56LYiyhdUfFVdhla7cs0GsIyDul2A4TuSQA=,iv:U+JPt6UUc70MzYAQBODEzl/wMQ+TEVBYZHxxMZf4xyw=,tag:CAdI37E9cj07yoltPxLjWg==,type:str]
+kind: Secret
+metadata:
+    name: mariadb-credentials
+    namespace: grimmory
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOEhieFpaNU5CRElYRFRx
+            VjJqUm9Zbk44M3QvVlNqcUFGUnRjNlUvUERZCjA2VjJXdlJmSDdYeW5BbEF2RElV
+            QXZ6YVl3REVFRzY5RG81YzVyaWpBWTgKLS0tIEdITTBCUm1tZGhZVzFwbGszbDF6
+            ZzhZOEU2SUFUWllqOHZCS1c5YW5TQjQKbQqmVAWZq7aqBaFt+51oY7PZ2BcLc7Wa
+            neOgcwRTq2x27yoWNPlcWSsqFss5RLldriEer4QdwdIDlWEj8Js7uA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-05-24T18:40:49Z"
+    mac: ENC[AES256_GCM,data:URvFnjTBRU17FIJTLjggheWWI63UcktsyMgrKP5Ib7/F4HcSbZySGis6Ty/y2Cn5uessjpf12IQ1EZ0Vybnm7w58/nb3+ZiEow5XtJ91OAw2iCJv00YyKtWgFqkymCHJu2a/SuuG3ibH5+MbucQKHUSXuxsRvYaJaigw1Gzi80I=,iv:3H2NNqh8eBqNvKybtsKYujjDeDlvmlwXxdzRoazU46E=,tag:tgYlwl0K7GbSX1pBtlD/xg==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.12.2

apps/grimmory/release.yaml

@@ -0,0 +1,47 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: grimmory
+  namespace: grimmory
+spec:
+  chart:
+    spec:
+      chart: grimmory
+      version: 3.x
+      sourceRef:
+        kind: HelmRepository
+        name: grimmory
+  interval: 15m
+  releaseName: grimmory
+  values:
+    mariadb:
+      auth:
+        existingSecret: mariadb-credentials
+        secretKeys:
+          rootPasswordKey: mariadb-root-password
+          userPasswordKey: mariadb-password
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+      hosts:
+        - host: grimmory.michaelthomson.dev
+          paths:
+            - path: /
+              pathType: ImplementationSpecific
+      tls:
+        - hosts:
+            - grimmory.michaelthomson.dev
+          secretName: grimmory-tls
+    persistence:
+      dataVolume:
+        enabled: true
+        size: 100Mi
+        existingClaim: ""
+      booksVolume:
+        enabled: true
+        size: 10Gi
+        existingClaim: ""
+    

apps/grimmory/repository.yaml

@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: grimmory
+  namespace: grimmory
+spec:
+  type: "oci"
+  interval: 15m
+  url: oci://ghcr.io/grimmory-tools/helm-charts

apps/homeassistant/ingress.yaml

@@ -4,6 +4,7 @@ metadata:
   name: homeassistant
   namespace: homeassistant
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
@@ -21,4 +22,4 @@ spec:
   tls:
     - hosts:
         - ha.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: homeassistant-tls

apps/homeassistant/networkresource.yaml

@@ -0,0 +1,13 @@
+apiVersion: netbird.io/v1alpha1
+kind: NetworkResource
+metadata:
+  name: homeassistant
+  namespace: homeassistant
+spec:
+  networkRouterRef:
+    name: homelab
+    namespace: netbird
+  serviceRef:
+    name: homeassistant
+  groups:
+    - name: All

apps/immich/cluster.yaml

@@ -0,0 +1,64 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: immich-postgres
+  namespace: immich
+  annotations:
+    # needed to allow for recovery from same name cluster backup
+    cnpg.io/skipEmptyWalArchiveCheck: enabled
+spec:
+  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17-0.3.0
+  instances: 3
+
+  postgresql:
+    shared_preload_libraries:
+      - "vchord.so"
+
+  managed:
+    roles:
+      - name: immich
+        superuser: true
+        login: true
+
+  bootstrap:
+    # initdb:
+    #   database: immich
+    #   owner: immich
+    #   secret:
+    #     name: immich-postgres-user
+    #   postInitSQL:
+    #     - CREATE EXTENSION IF NOT EXISTS "vchord" CASCADE;
+    #     - CREATE EXTENSION IF NOT EXISTS "earthdistance" CASCADE;
+    # NOTE: uncomment this and commend the above initdb when recovering
+    recovery:
+      source: immich-postgres
+
+  storage:
+    size: 8Gi
+    storageClass: longhorn-pg
+
+  externalClusters:
+    - name: immich-postgres
+      barmanObjectStore:
+        destinationPath: "s3://mthomson-cnpg-backup/immich/"
+        endpointURL: "https://s3.ca-central-1.wasabisys.com"
+        s3Credentials:
+          accessKeyId:
+            name: wasabi-secret
+            key: ACCESS_KEY_ID
+          secretAccessKey:
+            name: wasabi-secret
+            key: ACCESS_SECRET_KEY
+
+  backup:
+    barmanObjectStore:
+      destinationPath: "s3://mthomson-cnpg-backup/immich/"
+      endpointURL: "https://s3.ca-central-1.wasabisys.com"
+      s3Credentials:
+        accessKeyId:
+          name: wasabi-secret
+          key: ACCESS_KEY_ID
+        secretAccessKey:
+          name: wasabi-secret
+          key: ACCESS_SECRET_KEY
+    retentionPolicy: "10d"

apps/immich/podmonitor.yaml

@@ -0,0 +1,11 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: immich-postgres
+  namespace: immich
+spec:
+  selector:
+    matchLabels:
+      cnpg.io/cluster: immich-postgres
+  podMetricsEndpoints:
+  - port: metrics

apps/immich/release.yaml

@@ -11,25 +11,27 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: immich
-        namespace: flux-system
   interval: 15m
-  timeout: 5m
   releaseName: immich
   values:
-    env:
-      DB_HOSTNAME: "immich-postgres-rw"
-      DB_USERNAME: "immich"
-      DB_DATABASE_NAME: "immich"
-      DB_PASSWORD: "immich"
-    image:
-      tag: v1.134.0
+    controllers:
+      main:
+        containers:
+          main:
+            image:
+              tag: v2.1.0
+            env:
+              DB_HOSTNAME: "immich-postgres-rw"
+              DB_USERNAME: "immich"
+              DB_DATABASE_NAME: "immich"
+              DB_PASSWORD: "immich"
 
     immich:
       persistence:
         library:
           existingClaim: immich-data
 
-    redis:
+    valkey:
       enabled: true
 
     server:
@@ -38,6 +40,9 @@ spec:
         main:
           enabled: true
           annotations:
+            cert-manager.io/cluster-issuer: "letsencrypt-prod"
+            external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+            external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
             traefik.ingress.kubernetes.io/router.entrypoints: websecure
             traefik.ingress.kubernetes.io/router.tls: "true"
           hosts:
@@ -47,7 +52,7 @@ spec:
           tls:
             - hosts:
                 - immich.michaelthomson.dev
-              secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+              secretName: immich-tls
 
     machine-learning:
       enabled: true

apps/immich/repository.yaml

@@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: immich
-  namespace: flux-system
+  namespace: immich
 spec:
   interval: 15m
   url: https://immich-app.github.io/immich-charts

apps/immich/scheduled-backup.yaml

@@ -0,0 +1,11 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: scheduled-backup
+  namespace: immich
+spec:
+  schedule: "0 0 0 * * *"
+  backupOwnerReference: self
+  #immediate: true
+  cluster:
+    name: immich-postgres

apps/immich/wasabi-secret.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+    ACCESS_KEY_ID: ENC[AES256_GCM,data:ad1Xc2tUS5JCGiaOoL5udd058QxG592R7a+66A==,iv:erHAPm5E5w2B0fZ/sagwTsT16MTLnbYzmamT9OS3fEE=,tag:TMRosj0L+u3JL3o6ig0/rw==,type:str]
+    ACCESS_SECRET_KEY: ENC[AES256_GCM,data:QJ3RkLWP8QNPt+JoD1B3ZCQkZKH82ImgnR8ZgfPPnEDFYj2rRuTbZva33yL/wAz95ll8YbjxtQw=,iv:cO96syX0ZdukwhKvvtrTzQcy0qQGEiL3NSxigcop+EQ=,tag:JS9sT+iFgdFMkTM74ore2w==,type:str]
+kind: Secret
+metadata:
+    name: wasabi-secret
+    namespace: immich
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPa1lwSXVIM0ZRa1NhZ3lv
+            U05sZi9WbkVidVVDYVdXWWNZejRHNW9MNUF3CkNFVjc2bjFUZXhuQzAxUDBDVGxi
+            VGpZcHdZMHVWVW40NDRvY2RURFJ5OEUKLS0tIGlwRmNTZi9WWEhuWnB5TW1leVZt
+            eWpOMDdyakJEcWxYaFZiZ05nbCtWU00KmfoVxNBH7N44v/Xxcmjw/D/YQ93DA7yU
+            6/kk/7R2ya2JWtuqkOx9QPU8/TKaucU5V/IxPhoWquytevHkL5QhUw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:1iNzgy+OKP7tZXkiMLr/9oFLjLnEEKAkQdzceFkGUYiq7gHmujuplt9vU2JS+Kc7l5m9FyB7cFOjHpJec08owJf7gDXcHBkUQmGGIU6eso/n/G5lj2bDKoQgrZcS3+cgpDGY/oiFh34ZapSL1uEbgQudRWsfQZr7o8iHLGEir4s=,iv:md9IZ9n2ecQDnBHIkBGZHhc34uIi9aWzbsDbZo2hx/U=,tag:U3m6q5TfHiii7cGPsK0MOw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/karakeep/chrome-deployment.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: chrome
-  namespace: hoarder
+  namespace: karakeep
 spec:
   replicas: 1
   selector:

apps/karakeep/chrome-service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: chrome
-  namespace: hoarder
+  namespace: karakeep
 spec:
   selector:
     app: chrome

apps/karakeep/data-pvc.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: data-pvc
-  namespace: hoarder
+  namespace: karakeep
 spec:
   accessModes:
     - ReadWriteOnce

apps/karakeep/ingress.yaml

@@ -1,14 +1,17 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: hoarder-web-ingress
-  namespace: hoarder
+  name: karakeep-web-ingress
+  namespace: karakeep
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
   rules:
-  - host: "hoarder.michaelthomson.dev"
+  - host: "karakeep.michaelthomson.dev"
     http:
       paths:
       - path: "/"
@@ -20,5 +23,5 @@ spec:
               number: 3000
   tls:
     - hosts:
-        - hoarder.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+        - karakeep.michaelthomson.dev
+      secretName: karakeep-web-ingress-tls

apps/karakeep/karakeep-secrets.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+data:
+    MEILI_MASTER_KEY: ENC[AES256_GCM,data:hGTazo5p3b+k9c1FsCzV8lkCKFqEv/pXbAF0FqnYK0euPusL20skBIBP/hZQCllL9ZIpHuHAK8ZA57TMrnBtBA==,iv:E/1DsMVmQ6r3IgF0g4UBvW0rLTUmc4OOBx7FJh0/fP8=,tag:I9NzdG8hkndQEEa+RwHGJA==,type:str]
+    NEXT_PUBLIC_SECRET: ENC[AES256_GCM,data:x0lLGcfMX4o76y+wpSUh4oTh4bm0CIw8+epVX3uO8BpN79xYFLMV3EzbUOi4Isldb0zdPzK6xlnF7tqCvTDY9Wq/SUs=,iv:vIfucp8BM9FaXUtoUUTXCQuRWTngFokKFpIwhA/IpXI=,tag:RykRRY1q2iV9zqe3rvxSkA==,type:str]
+    NEXTAUTH_SECRET: ENC[AES256_GCM,data:Z9GlM3phYB9WtU2K2HH9oAU7F7xZP48IsbK1JrwE72GZP53MiZmGDzTTzU/aP9DfG71PWqEgCPC56bQFr7UtvQ==,iv:SNNpv6J44Q4hxRvgzNNgt7NMUAoNMDAy3Ff7jrFAimQ=,tag:kvp3H+DgVAtXMwKzIPTJRA==,type:str]
+    OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING: ENC[AES256_GCM,data:qQAQg6sCJO0=,iv:EqNG67j5uII6+TBnMY9wt6E1jq52vevccfs+pmn4zs8=,tag:UP2omHyj5qCw/jIErW8GVw==,type:str]
+    OAUTH_CLIENT_ID: ENC[AES256_GCM,data:IK87xFx5N0he669UzhYLeFbpfAcZB039p8bgw+6AGDi17MIRBmoQkVJ1bvnGM+EaG7A7ezdrEQk=,iv:OG2HE2ubV/2ZIllyKIFnA7nRNEZfCoyh7AX+M8rLqtk=,tag:uCf8YI9RymbjLzVR2h/btQ==,type:str]
+    OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:OA6t3SU4uhD3AXFYxk06dhYdQhESr2LaWJ58jTGDCIGS2hIb6Sx7tS1nlDK/7G2LB8IZbRDfLSXc+DoYlQ/WwIlFSi9gDbiBYpk0ZYtfuo0hapc0MMCOpdvh7nc9d1p5/tMkX/ZbO0N2BHSBVbtwWaXntDDUd5YJxRubE6pnN3jKRbqY6BGfSdWytf47n8SEK6O2NWIgxnvlkKPLX0H/iKOxaTKHpasyEVv9xw==,iv:31nVzU3o4TuIGlH35oD5PRXbWWIX8FZ2u0OnYorM7sY=,tag:5Y8YFbt28UPDKr7EVJjApQ==,type:str]
+    OAUTH_PROVIDER_NAME: ENC[AES256_GCM,data:lcMWx1XJ/86FVyB4,iv:jVH7sDJo7Gag+hWNbUf9FC+jGqjts7liXomeOeW0eJ0=,tag:ISkJ2s/ZMOdLsxKh1Iauqg==,type:str]
+    OAUTH_WELLKNOWN_URL: ENC[AES256_GCM,data:/29zd+yLKKPQs9KfYCDOOPLqpay3Hd/+6YE3NcufDCiBCGEzHE9YtqrwyYGhq/Z3RPBNB85aYgCZbEVVgTezOvMGeoOUWzrQirD0ZF7JYPQt+jbpLRKMgsD9YF9iySRCPickdp17Hh6ukwhPfcf1ucT5tT9sjXm6JVFJFg==,iv:hzF9F9btpP/7Add/g/E0RlPDO5npIbVaj0JoJ0Na/SA=,tag:c2rigTpq0vtct4FCIBPE6Q==,type:str]
+    OPENAI_API_KEY: ENC[AES256_GCM,data:am/9P6389pS9IrxX2oAiMP5NawG8oj77rY8mgfJCjaXfGOPARIGtOSkmFVyY1oQR51oi3jDAg++JR72IW5k1NFkQp9JehMZeNXgLIc3aBIVIjJ+8G+q4AZ63TJrPAnDd+XiXf0aOAyyMzwmRY/j9Gu4cZXGxvqdz5HAmQMwcBfpWRXpEA1+YnDea2YhXW796JHI6WPBD4dzFMUZ1q5PGWwMOsAi6ArIXTN30EK1AqM8EIlK5quubbRxbJCI16DGDzIbXnuLB7MW8mvzm93Yz1Q39Q01reO3XZbihLw==,iv:G9XIKNcqUIizhgzj0POi0tQ/nHOne3DLeDtRaP0lXUg=,tag:o1zZ8ZoYbQZad3ciV9lqjg==,type:str]
+kind: Secret
+metadata:
+    name: karakeep-secrets
+    namespace: karakeep
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAreXJUVW5FVUsrc2k0RUk0
+            ZkZRS3pZUXFaTUdManhKVWp1S0JiaHRQV200CjVUYlAwN09TelNsK1l4aTQzSEF0
+            SFVkQnUwaFAvbGN5Z0dVTVdMdmRXR1kKLS0tIEk4S2FINWU1ZmtSYWFsVm94UTVS
+            RTBKZEtZMUhLMEFlejNEek5iL0J5Q28Kk07rkAd/qNVyS40Iz7yfSJMpa2pGtvrj
+            0YBKgyDoKmQ1aNzPo5aiaKyaUdh1PYrkAI7q5J+rmXj/70DR662nSA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:4gHyTL/1DH/s4S/GdQOS7THzXNwo0xvMGdUqtEwgsjTSnoEZQMiUFLGOSnCy3LVG6JiPvCrJKDRrralrdaoSSWcmwy3pA/EG2eS58ooa02Hum2DgJ9XO25ZNSj16/gGJwgnEscGHSsAjRA3guAPAIbGip6DrhJJ3EfgVXT+J0OI=,iv:gV6QwYfTXiz4bfJNmW5yiZflspI3zULTEtVsWxirjvE=,tag:388de9lUv88lH3JoGsnlug==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/karakeep/meilisearch-deployment.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: meilisearch
-  namespace: hoarder
+  namespace: karakeep
 spec:
   replicas: 1
   selector:
@@ -24,7 +24,7 @@ spec:
               name: meilisearch
           envFrom:
             - secretRef:
-                name: hoarder-secrets
+                name: karakeep-secrets
       volumes:
         - name: meilisearch
           persistentVolumeClaim:

apps/karakeep/meilisearch-pvc.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: meilisearch-pvc
-  namespace: hoarder
+  namespace: karakeep
 spec:
   accessModes:
     - ReadWriteOnce

apps/karakeep/meilisearch-service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: meilisearch
-  namespace: hoarder
+  namespace: karakeep
 spec:
   selector:
     app: meilisearch

apps/karakeep/web-deployment.yaml

@@ -2,24 +2,26 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: web
-  namespace: hoarder
+  namespace: karakeep
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: hoarder-web
+      app: karakeep-web
   template:
     metadata:
       labels:
-        app: hoarder-web
+        app: karakeep-web
     spec:
       containers:
         - name: web
-          image: ghcr.io/hoarder-app/hoarder:release
+          image: ghcr.io/karakeep-app/karakeep
           imagePullPolicy: Always
           ports:
             - containerPort: 3000
           env:
+            - name: NEXTAUTH_URL
+              value: https://karakeep.michaelthomson.dev
             - name: MEILI_ADDR
               value: http://meilisearch:7700
             - name: BROWSER_WEB_URL
@@ -27,13 +29,13 @@ spec:
             - name: DATA_DIR
               value: /data
             - name: DISABLE_SIGNUPS
-              value: "true"
+              value: "false"
           volumeMounts:
             - mountPath: /data
               name: data
           envFrom:
             - secretRef:
-                name: hoarder-secrets
+                name: karakeep-secrets
       volumes:
         - name: data
           persistentVolumeClaim:

apps/karakeep/web-service.yaml

@@ -2,10 +2,10 @@ apiVersion: v1
 kind: Service
 metadata:
   name: web
-  namespace: hoarder
+  namespace: karakeep
 spec:
   selector:
-    app: hoarder-web
+    app: karakeep-web
   ports:
     - protocol: TCP
       port: 3000

apps/kube-prometheus-stack/admin-secret.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+    admin-password: ENC[AES256_GCM,data:FXusij+QSZCfG5Cp1VFTsDXmzYc=,iv:KuscQB1tHeTY4d7EPEozOO9FqlhBwZL2hNix7gGpu6s=,tag:wX7us8uCsHlfudM6sx/vAw==,type:str]
+    admin-user: ENC[AES256_GCM,data:aOqM1iNeX30=,iv:iwxNPSNsrxEr7zTmKRWmLK3BNu5UIj055l1p3I24xKo=,tag:eUfhUyD8vHh8YKFZpAX2ww==,type:str]
+kind: Secret
+metadata:
+    name: admin-secret
+    namespace: kube-prometheus-stack
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyU2FJWjVseDY5ZGlJd2xs
+            OHBPQUpiS1ZocTZVeWVOVFdEaGt3dkN4OFFJCmd4M1lYbGYzelNhaDl0Tm5IUGww
+            OVc3M2Z5U3JGYVpuV21UQnJlZzM3Nk0KLS0tIDlma0J4amZKYWo4enpMdTI1YUZJ
+            aXBLVnBtMFpLc3B3djdzZDBiWXhwdmMKSlkc7MFkV6lDJ0J+k2GdIlpbNa438bre
+            2QOOgd3QeomniAmM0pemCR9PIVA3Uf+3DhMs1foZ6uYugJMMsd6esQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-19T20:36:08Z"
+    mac: ENC[AES256_GCM,data:KocjA27Zp0Y/DVemOVvjOATT7QIQjydpJIYQpjr1UnB8l748E+VGkvra2vLyV11BQz3uLija/2v0WNmQs5f+ZLvoTuQro6l9HxSk4zkkgfMzkqzlWIVFsj2Z0SrNtLl+bQMkDeOuMeeB+hAtOtwoc04X9n78PIW+2SGsq2Z94Co=,iv:KfRKGFC0geEburKxnXJJJqZUmVXhET2WnEON+gxlQp8=,tag:cTnOwHZNcP3Z5aCvF+IS3Q==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/kube-prometheus-stack/release.yaml

@@ -7,38 +7,47 @@ spec:
   chart:
     spec:
       chart: kube-prometheus-stack
-      version: 63.x
+      version: 79.x
       sourceRef:
         kind: HelmRepository
         name: prometheus-community
-        namespace: flux-system
   interval: 15m
-  timeout: 5m
   releaseName: kube-prometheus-stack
   values:
     grafana:
+      admin:
+        existingSecret: admin-secret
+        userKey: admin-user
+        passwordKey: admin-password
       ingress:
         enabled: true
         annotations:
+          cert-manager.io/cluster-issuer: "letsencrypt-prod"
           traefik.ingress.kubernetes.io/router.tls: "true"
           traefik.ingress.kubernetes.io/router.entrypoints: websecure
         hosts:
         - grafana.michaelthomson.dev
         path: /
         tls:
-          - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+          - secretName: grafana-tls
             hosts:
               - grafana.michaelthomson.dev
     prometheus:
+      prometheusSpec:
+        podMonitorSelectorNilUsesHelmValues: false
+        ruleSelectorNilUsesHelmValues: false
+        serviceMonitorSelectorNilUsesHelmValues: false
+        probeSelectorNilUsesHelmValues: false
       ingress:
         enabled: true
         annotations:
+          cert-manager.io/cluster-issuer: "letsencrypt-prod"
           traefik.ingress.kubernetes.io/router.tls: "true"
           traefik.ingress.kubernetes.io/router.entrypoints: websecure
         hosts:
         - prometheus.michaelthomson.dev
         path: /
         tls:
-          - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+          - secretName: prometheus-tls
             hosts:
               - prometheus.michaelthomson.dev

apps/kube-prometheus-stack/repository-grafana.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: grafana
+  namespace: kube-prometheus-stack
+spec:
+  interval: 15m
+  url: https://grafana.github.io/helm-charts

apps/kube-prometheus-stack/repository.yaml

@@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: prometheus-community
-  namespace: flux-system
+  namespace: kube-prometheus-stack
 spec:
   interval: 15m
   url: https://prometheus-community.github.io/helm-charts

apps/media/bazarr/ingress.yaml

@@ -4,9 +4,9 @@ metadata:
   name: bazarr
   namespace: media
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    # traefik.ingress.kubernetes.io/router.middlewares: authentik-bazarr@kubernetescrd
 spec:
   rules:
   - host: bazarr.michaelthomson.dev
@@ -22,4 +22,4 @@ spec:
   tls:
     - hosts:
         - bazarr.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: bazarr-tls

apps/media/jellyfin/deployment.yaml

@@ -12,7 +12,6 @@ spec:
       labels:
         app: jellyfin
     spec:
-      runtimeClassName: nvidia
       containers:
       - name: jellyfin
         image: lscr.io/linuxserver/jellyfin:latest
@@ -29,16 +28,12 @@ spec:
         - mountPath: /data/media
           name: data
           subPath: media
-        # - name: dev-dri
-        #   mountPath: /dev/dri
-        env:
-        - name: NVIDIA_VISIBLE_DEVICES
-          value: all
-        - name: NVIDIA_DRIVER_CAPABILITIES
-          value: all
-        resources:
-          limits:
-            nvidia.com/gpu: 1
+        - name: transcode
+          mountPath: /transcode
+        - name: cache
+          mountPath: /cache
+        - name: dev-dri
+          mountPath: /dev/dri
       volumes:
       - name: config
         persistentVolumeClaim: 
@@ -46,6 +41,13 @@ spec:
       - name: data
         persistentVolumeClaim: 
           claimName: media-data
-      # - name: dev-dri
-      #   hostPath:
-      #     path: /dev/dri
+      - name: transcode
+        emptyDir:
+          sizeLimit: 50Gi
+      - name: cache
+        emptyDir:
+          medium: Memory
+          sizeLimit: 2Gi
+      - name: dev-dri
+        hostPath:
+          path: /dev/dri

apps/media/jellyfin/ingress.yaml

@@ -4,6 +4,9 @@ metadata:
   name: jellyfin
   namespace: media
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
@@ -21,4 +24,4 @@ spec:
   tls:
     - hosts:
         - jellyfin.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: jellyfin-tls

apps/media/jellyfin/networkresource.yaml

@@ -0,0 +1,13 @@
+apiVersion: netbird.io/v1alpha1
+kind: NetworkResource
+metadata:
+  name: jellyfin
+  namespace: media
+spec:
+  networkRouterRef:
+    name: homelab
+    namespace: netbird
+  serviceRef:
+    name: jellyfin
+  groups:
+    - name: All

apps/media/jellyseerr/release.yaml

@@ -0,0 +1,36 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: seerr
+  namespace: media
+spec:
+  chart:
+    spec:
+      chart: seerr-chart
+      version: 3.x
+      sourceRef:
+        kind: HelmRepository
+        name: seerr
+  interval: 15m
+  releaseName: seerr
+  values:
+    config:
+      persistence:
+        existingClaim: 'jellyseerr-config'
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+        external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+        external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+      hosts:
+        - host: jellyseerr.michaelthomson.dev
+          paths:
+            - path: /
+              pathType: ImplementationSpecific
+      tls:
+        - hosts:
+            - jellyseerr.michaelthomson.dev
+          secretName: jellyseerr-tls

apps/media/jellyseerr/repository.yaml

@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: seerr
+  namespace: media
+spec:
+  type: "oci"
+  interval: 15m
+  url: oci://ghcr.io/seerr-team/seerr

apps/media/prowlarr/ingress.yaml

@@ -4,9 +4,9 @@ metadata:
   name: prowlarr
   namespace: media
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    # traefik.ingress.kubernetes.io/router.middlewares: authentik-prowlarr@kubernetescrd
 spec:
   rules:
   - host: prowlarr.michaelthomson.dev
@@ -22,4 +22,4 @@ spec:
   tls:
     - hosts:
         - prowlarr.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: prowlarr-tls

apps/media/radarr/ingress.yaml

@@ -4,9 +4,9 @@ metadata:
   name: radarr
   namespace: media
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    # traefik.ingress.kubernetes.io/router.middlewares: authentik-radarr@kubernetescrd
 spec:
   rules:
   - host: radarr.michaelthomson.dev
@@ -22,4 +22,4 @@ spec:
   tls:
     - hosts:
         - radarr.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: radarr-tls

apps/media/sabnzbd/ingress.yaml

@@ -4,6 +4,7 @@ metadata:
   name: sabnzbd
   namespace: media
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
@@ -21,4 +22,4 @@ spec:
   tls:
     - hosts:
         - sabnzbd.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: sabnzbd-tls

apps/media/sonarr/ingress.yaml

@@ -4,9 +4,9 @@ metadata:
   name: sonarr
   namespace: media
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    # traefik.ingress.kubernetes.io/router.middlewares: authentik-sonarr@kubernetescrd
 spec:
   rules:
   - host: sonarr.michaelthomson.dev
@@ -22,4 +22,4 @@ spec:
   tls:
     - hosts:
         - sonarr.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: sonarr-tls

apps/michaelthomson/ingress.yaml

@@ -4,6 +4,9 @@ metadata:
   name: michaelthomson.dev
   namespace: michaelthomson
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
@@ -21,4 +24,4 @@ spec:
   tls:
     - hosts:
         - michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: michaelthomson-tls

apps/nextcloud/collabora-secret.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+    password: ENC[AES256_GCM,data:jFpz9bSZvldMHrXZWPEFLCZk+WU=,iv:Gr01uTyy1LLodCrr+e+QPCaosA0ad9qg+51vxQKu7nM=,tag:mQC7HYeycSdnVi8QXKgqhA==,type:str]
+    username: ENC[AES256_GCM,data:ODJU7cK+lrQ=,iv:biwQxLX4xjZMVWF2phEuOrR0s+oWoiTw6at1YlLIdGU=,tag:oA3/NPM/tFJBfclJDJUP6A==,type:str]
+kind: Secret
+metadata:
+    name: collabora-secret
+    namespace: nextcloud
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdm9XakdSZFF3ZWhsaktu
+            Tm9aWU45ekhQeTdEc2FXbmVZZ2FYa3hrTWowCnkrM1hxSkNkTTFuVlh1NEZDbHBp
+            cWppL1lCMlpaZ3I3ZHVmRS9kQkwxM2MKLS0tIGF2bFh3SzJ3azVpWlhHOUo1Zzhp
+            QVhKelUvY1hiR2FiR004YnQzMEFIN1EKa1JN+ra3csHPICDfyOS/DtE6SyRrGveW
+            9KigyHoAzOAjvr7Cjzirl9J7tgA9iasfbVE4mfcuqwJGR14ANJ7OPw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:sFjlG7K93WOS4QZXV/bcdVC2YwcCzzZ2lS6vtsR6v6SK0Lmw2neR5rc5SF6IESrUU4G3M/Y4VFTmb8Zttk0Tlk2nRlqXo35MIN6S+KTL/ssiCHSN4+J20Yp7HeQ+3DkLLY5+RiYAhrfzy/yUVRPWeAF3KKGwwfjknCR+avtLL44=,iv:QmesKHhkXUAD+lFS/ijYmsNVF8FFnmxiHk7IDJF5kmk=,tag:K4COX2z99gGuO2PBKUz7Zw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/nextcloud/nextcloud-redis-secret.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+data:
+    password: ENC[AES256_GCM,data:sczdgF2gOu+NkUmPPS3ipwRPSkgsL69QwA4zUFGV70GRTpC+,iv:0sA/fN7M4Gg7FuOAH/+j8PhY26wT94UNCfbdJ36JKg0=,tag:V3G9nSJOtVh0yzNZkX3Uzg==,type:str]
+kind: Secret
+metadata:
+    name: nextcloud-redis-secret
+    namespace: nextcloud
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aDEzNEFlUUNIekRib1hv
+            NGZITHZMTjhlWlQ3MHk1djlUVk1GeFRVRzBNCm12bWhPaHk2REo1RCtZUDhnLzF3
+            SXFOMzlVaDdyZk9FQVhiZmV3ZEo3RlkKLS0tIHVrZGZ4cFp2SkVubCtxUWQ1aXBw
+            Y095N2YrRTZBdFBlOWlPYXpWS0R3dk0KTUGr2gfHK5NszjDWSJObcGNdvjiBQ0lt
+            ujeskIYbKzRoY8cCRxiGc17SFTYnp+2q0hBm8V9H+ywI74Chc1gOgA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:wISm9FeJ4cyF0I+QAMjte3/nwzwtk8c5VQltYzPlcsqUqOjLkmD6iLqtaOteZ3pZQOf9AylRTGaoow1kZ44X5dk/fx6Sy/JrQuhuc2JK7llgBqITp3S/sRK1Dtvb4r0y8x6iiKs8+sd/PA9TUqekPtmrC4dVcHKGzd1bX0DopU8=,iv:2bmJIOt1JUUk2TJbcQIg6/FwpvLpYTwpzKaSd39Lo9c=,tag:FbURmraQwP2NaB8CEVArww==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/nextcloud/postgres-secret.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+data:
+    password: ENC[AES256_GCM,data:+gp5N+elMS/vn3N6u8z7+/IDVl6w3VDnE6UrIsRMak3f1qag,iv:TY+iRf28IvZzpc3wJtIVkflgzuSyQxpucUttce71iTo=,tag:A/LsCq31oVsjINhi2BH7Cw==,type:str]
+    username: ENC[AES256_GCM,data:LFfYK587FmlJy8Gl,iv:CtTz38aswJ87iWp8GslxFH6PMS9ZJ7puGprrURhidSE=,tag:5vSMUAyjjxpbHlx1/2h9IA==,type:str]
+kind: Secret
+metadata:
+    name: postgres-secret
+    namespace: nextcloud
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRemtSSkl2K01QSUlSbDha
+            dEdsa0JEWVZUeEtYSXM1OXRDQ3R1U01Zd0RNCnFKOWJRTElZRWxvdW94ZWRvUmNY
+            Y1IxM216MUhLWjhKcFJJSE1YQjlTTlUKLS0tIExFSDdnVWZEZG43VFJwUGVPT1Bu
+            ZWljcWVZcXpOUjJnOStvbmgwVHRsT28KMF4lDFhHbI+yqXDhiIuDe2NeuhPaReS9
+            Z6wiLrOWcXfbNN6DnLSBNAt0IqQzIYWHAlZayGPqA+JJCS/gkZnA1Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-17T20:36:08Z"
+    mac: ENC[AES256_GCM,data:TTAiIjKHCnA+mQ1fM0J3TEdqZkTRZKSHjRI4SsaiUut+uwWxN3nxUUlcBpyo3m62ff9WkyYvGtxfLsOXevrshN8WFB2H49NYA6TjyQgAzJ1XFeJZhFfSLM1nd/46a5KU/6mSBN9ZqUmnhXmBNo7wZdDKSJUlZ8tFwTtwDJve2o4=,iv:2idsk3hZOOWKGVZ+4Z9C82/+lF/tjokm3uBPMsE+WEw=,tag:UxQ6XtP9+iNaAn++IDYaHQ==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0

apps/nextcloud/release.yaml

@@ -7,13 +7,11 @@ spec:
   chart:
     spec:
       chart: nextcloud
-      version: 6.x
+      version: 9.x
       sourceRef:
         kind: HelmRepository
         name: nextcloud
-        namespace: flux-system
   interval: 15m
-  timeout: 5m
   releaseName: nextcloud
   values:
     image:
@@ -23,12 +21,15 @@ spec:
       enabled: true
       className: traefik
       annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+        external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+        external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
         traefik.ingress.kubernetes.io/router.entrypoints: websecure
         traefik.ingress.kubernetes.io/router.tls: "true"
       tls:
         - hosts:
             - nextcloud.michaelthomson.dev
-          secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+          secretName: nextclout-tls
       labels: {}
       path: /
       pathType: Prefix
@@ -91,6 +92,8 @@ spec:
 
     postgresql:
       enabled: true
+      image:
+        tag: 16.6.0
       global:
         postgresql:
           auth:
@@ -123,44 +126,6 @@ spec:
       global:
         storageClass: longhorn
 
-    collabora:
-      enabled: true
-
-      image:
-        tag: 24.04.11.1.1
-
-      collabora:
-        extra_params: --o:ssl.enable=false --o:ssl.termination=true
-
-        existingSecret:
-          enabled: true
-          secretName: "collabora-secret"
-          usernameKey: "username"
-          passwordKey: "password"
-
-      # securityContext:
-      #   runAsNonRoot: true
-      #   privileged: true
-      #   capabilities:
-      #     add:
-      #       - SYS_ADMIN
-      #       - MKNOD
-
-      ingress:
-        enabled: true
-        annotations:
-          traefik.ingress.kubernetes.io/router.entrypoints: websecure
-          traefik.ingress.kubernetes.io/router.tls: "true"
-        hosts:
-          - host: collabora.michaelthomson.dev
-            paths:
-            - path: /
-              pathType: ImplementationSpecific
-        tls:
-          - hosts:
-              - collabora.michaelthomson.dev
-            secretName: letsencrypt-wildcard-cert-michaelthomson.dev
-
     cronjob:
       enabled: true
 

apps/nextcloud/repository.yaml

@@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: nextcloud
-  namespace: flux-system
+  namespace: nextcloud
 spec:
   interval: 15m
   url: https://nextcloud.github.io/helm/

apps/ollama/release.yaml

@@ -0,0 +1,43 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ollama
+  namespace: ollama
+spec:
+  chart:
+    spec:
+      chart: ollama
+      version: 1.x
+      sourceRef:
+        kind: HelmRepository
+        name: ollama
+  interval: 15m
+  releaseName: ollama
+  values:
+    runtimeClassName: nvidia
+    ollama:
+      gpu:
+        enabled: true
+        type: nvidia
+        nvidiaResource: nvidia.com/gpu
+        number: 1
+      models:
+        pull:
+          - qwen3.5:9b
+        run:
+          - qwen3.5:9b
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+      hosts:
+        - host: ollama.michaelthomson.dev
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - hosts:
+            - ollama.michaelthomson.dev
+          secretName: ollama-tls

apps/ollama/repository.yaml

@@ -1,8 +1,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: plane
-  namespace: flux-system
+  name: ollama
+  namespace: ollama
 spec:
   interval: 15m
-  url: https://helm.plane.so/
+  url: https://helm.otwld.com/

apps/pihole/release.yaml

@@ -11,17 +11,15 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: mojo2600
-        namespace: flux-system
   interval: 15m
-  timeout: 5m
   releaseName: pihole
   values:
     # -- Configuration for the DNS service on port 53
     serviceDns:
       type: LoadBalancer
       annotations:
-        metallb.universe.tf/loadBalancerIPs: 192.168.2.250
-        metallb.universe.tf/allow-shared-ip: pihole-svc
+        metallb.io/loadBalancerIPs: 192.168.18.250
+        metallb.io/allow-shared-ip: pihole-svc
 
     # -- Configuration for the Ingress
     ingress:
@@ -33,6 +31,7 @@ spec:
 
       # -- Annotations for the ingress
       annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
         traefik.ingress.kubernetes.io/router.entrypoints: websecure
         traefik.ingress.kubernetes.io/router.tls: "true"
       path: /
@@ -41,7 +40,7 @@ spec:
       tls:
         - hosts:
             - pihole.michaelthomson.dev
-          secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+          secretName: pihole-tls
 
     # -- `spec.PersitentVolumeClaim` configuration
     persistentVolumeClaim:

apps/pihole/repository.yaml

@@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: mojo2600
-  namespace: flux-system
+  namespace: pihole
 spec:
   interval: 15m
   url: https://mojo2600.github.io/pihole-kubernetes/

apps/syncthing/ingress.yaml

@@ -4,6 +4,9 @@ metadata:
   name: syncthing
   namespace: syncthing
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
@@ -21,4 +24,4 @@ spec:
   tls:
     - hosts:
         - syncthing.michaelthomson.dev
-      secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+      secretName: syncthing-tls

apps/syncthing/service-lb.yaml

@@ -4,7 +4,7 @@ metadata:
   name: syncthing-lb
   namespace: syncthing
   annotations:
-    metallb.universe.tf/loadBalancerIPs: 192.168.2.247
+    metallb.io/loadBalancerIPs: 192.168.18.247
 spec:
   selector:
     app: syncthing