A lot of untrackable changes

2024-09-03 14:15:47 +02:00 · 2024-09-03 14:15:47 +02:00 · 4daf2f24f7
commit 4daf2f24f7
parent 32429140d2
46 changed files with 1311 additions and 549 deletions
--- a/common/environments.yaml
+++ b/common/environments.yaml
@ -1,5 +1,21 @@
+
 environments:
  badhouseplants:
    kubeContext: badhouseplants
+    values:
+      - velero:
+          enabled: true
+      - workload:
+          enabled: true
+      - backups:
+          enabled: false
+
  etersoft:
    kubeContext: etersoft
+    values:
+      - velero:
+          enabled: false
+      - workload:
+          enabled: false
+      - backups:
+          enabled: true
--- a/helmfile.yaml
+++ b/helmfile.yaml
--- a/installations/applications/helmfile.yaml
+++ b/installations/applications/helmfile.yaml
@ -5,7 +5,10 @@ bases:

 repositories:
  - name: softplayer-oci
-    url: registry.badhouseplants.net/softplayer/helm
+    url: zot.badhouseplants.net/softplayer/helm
+    oci: true
+  - name: allanger-oci
+    url: zot.badhouseplants.net/allanger/helm
    oci: true
  - name: requarks
    url: https://charts.js.wiki
@ -28,6 +31,8 @@ repositories:
  - name: allangers-charts
    url: ghcr.io/allanger/allangers-charts
    oci: true
+  - name: robjuz 
+    url: https://robjuz.github.io/helm-charts/

 releases:
  - name: authentik
@ -80,16 +85,16 @@ releases:
    
  - name: nrodionov
    chart: bitnami/wordpress
-    version: 22.4.20
+    version: 23.1.7
    namespace: applications
    inherit:
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-database
    
-  - name: openvpn-xor
-    chart: softplayer-oci/openvpn-xor
-    version: 1.2.0
+  - name: openvpn
+    chart: allanger-oci/openvpn
+    version: 0.0.1
    namespace: applications
    inherit:
      - template: default-env-values
@ -152,3 +157,12 @@ releases:
    inherit:
      - template: default-env-values
      - template: default-env-secrets
+  
+  - name: kimai
+    chart: robjuz/kimai2
+    namespace: applications
+    version: 4.2.3
+    inherit:
+      - template: default-env-values
+      #- template: default-env-secrets
+      - template: ext-database
--- a/installations/games/helmfile.yaml
+++ b/installations/games/helmfile.yaml
@ -14,7 +14,7 @@ releases:
  - name: minecraft
    chart: minecraft/minecraft
    namespace: games
-    version: 4.20.0
+    version: 4.21.0
    inherit:
      - template: ext-tcp-routes
      - template: default-env-values
--- a/installations/platform/helmfile.yaml
+++ b/installations/platform/helmfile.yaml
@ -12,26 +12,41 @@ repositories:
    url: https://zotregistry.dev/helm-charts/
  - name: bedag
    url: https://bedag.github.io/helm-charts/
-  - name: percona 
-    url: https://percona.github.io/percona-helm-charts/
+  - name: minio-standalone
+    url: https://charts.min.io/
+  - name: minio 
+    url: https://operator.min.io/
+  - name: fluxcd-community 
+    url: https://fluxcd-community.github.io/helm-charts
+  - name: crossplane-stable 
+    url: https://charts.crossplane.io/stable

 releases:
  - name: argocd
    chart: argo/argo-cd
    namespace: platform
-    version: 7.3.6
+    condition: workload.enabled
+    version: 7.5.2
    inherit:
      - template: default-env-values
      - template: default-env-secrets
+  
+  - name: flux
+    chart: fluxcd-community/flux2
+    namespace: platform
+    condition: workload.enabled
+    version: 2.13.0

  - name: db-operator
    namespace: platform
    chart: db-operator/db-operator
-    version: 1.27.2
+    condition: workload.enabled
+    version: 1.28.0

  - name: db-instances
    chart: db-operator/db-instances
    namespace: platform
+    condition: workload.enabled
    needs:
      - platform/db-operator
    version: 2.3.4
@ -41,16 +56,44 @@ releases:
  
  - name: zot
    chart: zot/zot
-    version: 0.1.57
+    version: 0.1.60
    createNamespace: false
    namespace: platform
+    condition: workload.enabled
    inherit:
      - template: default-env-values
      - template: default-env-secrets

-  - name: pg-operator
-    chart: percona/pg-operator
-    installed: false
-    version: 2.4.0
-    createNamespace: false
+  - name: minio
+    chart: minio-standalone/minio
+    version: 5.2.0
    namespace: platform
+    condition: backups.enabled
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+  
+  - name: minio-operator
+    chart: minio/operator
+    version: 6.0.3
+    namespace: platform
+    condition: workload.enabled
+    inherit:
+      - template: default-env-values
+  
+  - name: minio-tenant
+    chart: minio/tenant
+    version: 6.0.3
+    namespace: platform
+    condition: workload.enabled
+    inherit:
+      - template: default-env-values
+  #     - template: default-env-secrets
+
+  - name: crossplane
+    chart: crossplane-stable/crossplane
+    version: 1.17.0
+    namespace: platform
+    condition: workload.enabled
+    inherit:
+      - template: default-env-values
--- a/installations/storage/helmfile.yaml
+++ b/installations/storage/helmfile.yaml
@ -8,15 +8,13 @@ repositories:
    url: https://charts.longhorn.io
  - name: rook-release 
    url: https://charts.rook.io/release
-  - name: local-path-provisioner
-    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=v0.0.28

 releases:
  - name: rook-ceph
    chart: rook-release/rook-ceph
    installed: true
    namespace: rook-ceph
-    version: v1.14.9
+    version: v1.14.6
    inherit:
      - template: default-env-values
  
@ -24,7 +22,7 @@ releases:
    chart: rook-release/rook-ceph-cluster
    installed: true
    namespace: rook-ceph
-    version: v1.14.9
+    version: v1.14.6
    needs:
      - rook-ceph/rook-ceph
    inherit:
@ -40,10 +38,3 @@ releases:
      - template: default-env-secrets
      - template: ext-secret

-  - name: local-path-provisioner
-    chart: local-path-provisioner/local-path-provisioner
-    installed: false
-    createNamespace: false
-    namespace: kube-system
-    inherit:
-      - template: default-env-values
--- a/installations/system/helmfile.yaml
+++ b/installations/system/helmfile.yaml
@ -24,8 +24,7 @@ repositories:
    url: https://piraeus.io/helm-charts/
  - name: vmware-tanzu 
    url: https://vmware-tanzu.github.io/helm-charts/
-  - name: local-path-provisioner
-    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=v0.0.28
+
 releases:
  - name: namespaces
    chart: '{{ requiredEnv "PWD" }}/charts/namespaces/chart'
@ -45,7 +44,7 @@ releases:

  - name: coredns
    chart: coredns/coredns
-    version: 1.31.0
+    version: 1.32.0
    namespace: kube-system
    inherit:
      - template: default-env-values
@ -55,6 +54,7 @@ releases:
    installed: true
    version: 3.0.5
    namespace: kube-system
+    condition: velero.enabled
    needs:
      - kube-system/cilium
    inherit:
@ -62,7 +62,7 @@ releases:

  - name: cilium
    chart: cilium/cilium
-    version: 1.16.0
+    version: 1.16.1
    namespace: kube-system
    needs:
      - kube-system/coredns
@ -71,7 +71,7 @@ releases:

  - name: cert-manager
    chart: jetstack/cert-manager
-    version: 1.15.2
+    version: 1.15.3
    namespace: kube-system
    needs:
      - kube-system/cilium
@ -116,7 +116,7 @@ releases:

  - name: traefik
    chart: traefik/traefik
-    version: 30.0.2
+    version: 30.1.0
    namespace: kube-system
    needs:
      - kube-system/cilium
@ -126,16 +126,11 @@ releases:
  - name: velero
    chart: vmware-tanzu/velero
    namespace: kube-system
-    version: 7.1.4
+    version: 7.1.5
+    condition: velero.enabled
    needs:
      - kube-system/cilium
    inherit:
      - template: default-env-values
      - template: default-env-secrets
-  
-  - name: local-path-provisioner
-    chart: local-path-provisioner/local-path-provisioner
-    createNamespace: false
-    namespace: kube-system
-    inherit:
-      - template: default-env-values
+      - template: crd-management-hook
--- a/manifests/app.yaml
+++ b/manifests/app.yaml
@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: test-apps
+  namespace: platform
+spec:
+  destination:
+    namespace: default
+    server: https://kubernetes.default.svc
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+  source:
+    path: manifests/postgresql-15.5.21.tgz
+    repoURL: https://gitea.badhouseplants.net/allanger/k8s-deployment.git
+    targetRevision: main
+    helm: {}
--- a/manifests/bucket.yaml
+++ b/manifests/bucket.yaml
@ -0,0 +1,12 @@
+apiVersion: minio.crossplane.io/v1
+kind: Bucket
+metadata:
+  creationTimestamp: null
+  name: bucket-local-dev
+spec:
+  forProvider:
+    region: us-east-1
+  providerConfigRef:
+    name: provider-config
+status:
+  atProvider: {}
--- a/manifests/minio-secret.yaml
+++ b/manifests/minio-secret.yaml
@ -0,0 +1,7 @@
+apiVersion: v1
+stringData:
+  AWS_ACCESS_KEY_ID: minio
+  AWS_SECRET_ACCESS_KEY: minio123
+kind: Secret
+metadata:
+  name: minio-secret
--- a/manifests/minio-tf-workspace.yaml
+++ b/manifests/minio-tf-workspace.yaml
@ -0,0 +1,164 @@
+apiVersion: tf.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: minio
+spec:
+  configuration: |
+    provider minio {
+      // required
+      minio_server   = "s3-new.badhouseplants.net:443"
+      minio_region   = "us-east-1"
+      minio_ssl      = "true"
+    }
+
+    terraform {
+      backend "kubernetes" {
+        secret_suffix     = "minio-tf-state"
+        namespace         = "platform"
+        in_cluster_config = true
+      }
+      required_providers {
+         minio = {
+           source = "aminueza/minio"
+           version = "2.4.3"
+         }
+      }
+    }
+---
+apiVersion: tf.upbound.io/v1beta1
+kind: Workspace
+metadata:
+  name: example-bucket-creation
+spec:
+  providerConfigRef:
+    name: minio
+  writeConnectionSecretToRef:
+    namespace: platform
+    name: tf-minio-state-output
+  forProvider:
+    source: Inline
+    env:
+      - name: MINIO_PASSWORD
+        secretKeyRef:
+          namespace: platform
+          name: minio-secret
+          key: AWS_SECRET_ACCESS_KEY
+      - name: MINIO_USER
+        secretKeyRef:
+          namespace: platform
+          name: minio-secret
+          key: AWS_ACCESS_KEY_ID
+    module: |
+      resource "minio_s3_bucket" "states" {
+        bucket = "states"
+      }
+
+      resource "minio_iam_user" "terraform" {
+         name = "terraform"
+         force_destroy = true
+         tags = {
+          service = "terraform"
+        }
+      }
+      resource "minio_iam_policy" "terraform" {
+        name = "state-terraform"
+        policy= <<EOF
+      {
+        "Version":"2012-10-17",
+        "Statement": [
+          {
+            "Sid":"terraform",
+            "Effect": "Allow",
+            "Action": ["s3:PutObject"],
+            "Resource": "arn:aws:s3:::state-terraform-s3/*"
+          }
+        ]
+      }
+      EOF
+      }
+      
+      resource "minio_iam_user_policy_attachment" "terraform" {
+        user_name   = minio_iam_user.terraform.id
+        policy_name = minio_iam_policy.terraform.id
+      }
+    
+      output "MINIO_USERNAME" {
+        value       = minio_iam_user.terraform.id
+      }
+
+      output "MINIO_PASSWORD" {
+        value       = minio_iam_user.terraform.secret
+        sensitive   = true
+      }
+---
+apiVersion: tf.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: minio-backend
+spec:
+  configuration: |
+    provider minio {
+      // required
+      minio_server   = "s3-new.badhouseplants.net:443"
+      minio_region   = "us-east-1"
+      minio_ssl      = "true"
+    }
+
+    terraform {
+      backend "s3" {
+        bucket = "states"
+        key    = "test"
+        region = "us-east-1"
+        endpoint = "https://s3-new.badhouseplants.net"
+      }
+      required_providers {
+         minio = {
+           source = "aminueza/minio"
+           version = "2.4.3"
+         }
+      }
+      skip_credentials_validation = true
+      skip_metadata_api_check     = true
+      skip_region_validation      = true
+      use_path_style              = true
+      skip_requesting_account_id  = true
+    }
+---
+apiVersion: tf.upbound.io/v1beta1
+kind: Workspace
+metadata:
+  name: try-backend
+spec:
+  providerConfigRef:
+    name: minio-backend
+  writeConnectionSecretToRef:
+    namespace: platform
+    name: tf-minio-state-output
+  forProvider:
+    source: Inline
+    env:
+      - name: MINIO_PASSWORD
+        secretKeyRef:
+          namespace: platform
+          name: tf-minio-state-output
+          key: MINIO_PASSWORD
+      - name: MINIO_USER
+        secretKeyRef:
+          namespace: platform
+          name: tf-minio-state-output
+          key: MINIO_USERNAME
+      - name: AWS_ACCESS_KEY_ID
+        secretKeyRef:
+          namespace: platform
+          name: minio-secret
+          key: AWS_ACCESS_KEY_ID
+      - name: AWS_SECRET_ACCESS_KEY
+        secretKeyRef:
+          namespace: platform
+          name: minio-secret
+          key: AWS_SECRET_ACCESS_KEY
+    module: |
+      resource "minio_s3_bucket" "states" {
+        bucket = "states-test"
+      }
+
--- a/manifests/postgresql-15.5.21.tgz
+++ b/manifests/postgresql-15.5.21.tgz
--- a/values.yaml
+++ b/values.yaml
@ -1,333 +0,0 @@
-# Default values for longhorn.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-global:
-  cattle:
-    systemDefaultRegistry: ""
-    windowsCluster:
-      # Enable this to allow Longhorn to run on the Rancher deployed Windows cluster
-      enabled: false
-      # Tolerate Linux node taint
-      tolerations:
-      - key: "cattle.io/os"
-        value: "linux"
-        effect: "NoSchedule"
-        operator: "Equal"
-      # Select Linux nodes
-      nodeSelector:
-        kubernetes.io/os: "linux"
-      # Recognize toleration and node selector for Longhorn run-time created components
-      defaultSetting:
-        taintToleration: cattle.io/os=linux:NoSchedule
-        systemManagedComponentsNodeSelector: kubernetes.io/os:linux
-
-image:
-  longhorn:
-    engine:
-      repository: longhornio/longhorn-engine
-      tag: v1.4.0
-    manager:
-      repository: longhornio/longhorn-manager
-      tag: v1.4.0
-    ui:
-      repository: longhornio/longhorn-ui
-      tag: v1.4.0
-    instanceManager:
-      repository: longhornio/longhorn-instance-manager
-      tag: v1.4.0
-    shareManager:
-      repository: longhornio/longhorn-share-manager
-      tag: v1.4.0
-    backingImageManager:
-      repository: longhornio/backing-image-manager
-      tag: v1.4.0
-    supportBundleKit:
-      repository: longhornio/support-bundle-kit
-      tag: v0.0.17
-  csi:
-    attacher:
-      repository: longhornio/csi-attacher
-      tag: v3.4.0
-    provisioner:
-      repository: longhornio/csi-provisioner
-      tag: v2.1.2
-    nodeDriverRegistrar:
-      repository: longhornio/csi-node-driver-registrar
-      tag: v2.5.0
-    resizer:
-      repository: longhornio/csi-resizer
-      tag: v1.3.0
-    snapshotter:
-      repository: longhornio/csi-snapshotter
-      tag: v5.0.1
-    livenessProbe:
-      repository: longhornio/livenessprobe
-      tag: v2.8.0
-  pullPolicy: IfNotPresent
-
-service:
-  ui:
-    type: ClusterIP
-    nodePort: null
-  manager:
-    type: ClusterIP
-    nodePort: ""
-    loadBalancerIP: ""
-    loadBalancerSourceRanges: ""
-
-persistence:
-  defaultClass: true
-  defaultFsType: ext4
-  defaultMkfsParams: ""
-  defaultClassReplicaCount: 3
-  defaultDataLocality: disabled # best-effort otherwise
-  defaultReplicaAutoBalance: ignored # "disabled", "least-effort" or "best-effort" otherwise
-  reclaimPolicy: Delete
-  migratable: false
-  recurringJobSelector:
-    enable: false
-    jobList: []
-  backingImage:
-    enable: false
-    name: ~
-    dataSourceType: ~
-    dataSourceParameters: ~
-    expectedChecksum: ~
-  defaultNodeSelector:
-    enable: false # disable by default
-    selector: []
-  removeSnapshotsDuringFilesystemTrim: ignored # "enabled" or "disabled" otherwise
-
-csi:
-  kubeletRootDir: ~
-  attacherReplicaCount: ~
-  provisionerReplicaCount: ~
-  resizerReplicaCount: ~
-  snapshotterReplicaCount: ~
-
-defaultSettings:
-  backupTarget: ~
-  backupTargetCredentialSecret: ~
-  allowRecurringJobWhileVolumeDetached: ~
-  createDefaultDiskLabeledNodes: ~
-  defaultDataPath: ~
-  defaultDataLocality: ~
-  replicaSoftAntiAffinity: ~
-  replicaAutoBalance: ~
-  storageOverProvisioningPercentage: ~
-  storageMinimalAvailablePercentage: ~
-  upgradeChecker: ~
-  defaultReplicaCount: ~
-  defaultLonghornStaticStorageClass: ~
-  backupstorePollInterval: ~
-  failedBackupTTL: ~
-  restoreVolumeRecurringJobs: ~
-  recurringSuccessfulJobsHistoryLimit: ~
-  recurringFailedJobsHistoryLimit: ~
-  supportBundleFailedHistoryLimit: ~
-  taintToleration: ~
-  systemManagedComponentsNodeSelector: ~
-  priorityClass: ~
-  autoSalvage: ~
-  autoDeletePodWhenVolumeDetachedUnexpectedly: ~
-  disableSchedulingOnCordonedNode: ~
-  replicaZoneSoftAntiAffinity: ~
-  nodeDownPodDeletionPolicy: ~
-  allowNodeDrainWithLastHealthyReplica: ~
-  mkfsExt4Parameters: ~
-  disableReplicaRebuild: ~
-  replicaReplenishmentWaitInterval: ~
-  concurrentReplicaRebuildPerNodeLimit: ~
-  concurrentVolumeBackupRestorePerNodeLimit: ~
-  disableRevisionCounter: ~
-  systemManagedPodsImagePullPolicy: ~
-  allowVolumeCreationWithDegradedAvailability: ~
-  autoCleanupSystemGeneratedSnapshot: ~
-  concurrentAutomaticEngineUpgradePerNodeLimit: ~
-  backingImageCleanupWaitInterval: ~
-  backingImageRecoveryWaitInterval: ~
-  guaranteedEngineManagerCPU: ~
-  guaranteedReplicaManagerCPU: ~
-  kubernetesClusterAutoscalerEnabled: ~
-  orphanAutoDeletion: ~
-  storageNetwork: ~
-  deletingConfirmationFlag: ~
-  engineReplicaTimeout: ~
-  snapshotDataIntegrity: ~
-  snapshotDataIntegrityImmediateCheckAfterSnapshotCreation: ~
-  snapshotDataIntegrityCronjob: ~
-  removeSnapshotsDuringFilesystemTrim: ~
-  fastReplicaRebuildEnabled: ~
-  replicaFileSyncHttpClientTimeout: ~
-privateRegistry:
-  createSecret: ~
-  registryUrl: ~
-  registryUser: ~
-  registryPasswd: ~
-  registrySecret: ~
-
-longhornManager:
-  log:
-    ## Allowed values are `plain` or `json`.
-    format: plain
-  priorityClass: ~
-  tolerations: []
-  ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above
-  ## and uncomment this example block
-  # - key: "key"
-  #   operator: "Equal"
-  #   value: "value"
-  #   effect: "NoSchedule"
-  nodeSelector: {}
-  ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above
-  ## and uncomment this example block
-  #  label-key1: "label-value1"
-  #  label-key2: "label-value2"
-  serviceAnnotations: {}
-  ## If you want to set annotations for the Longhorn Manager service, delete the `{}` in the line above
-  ## and uncomment this example block
-  #  annotation-key1: "annotation-value1"
-  #  annotation-key2: "annotation-value2"
-
-longhornDriver:
-  priorityClass: ~
-  tolerations: []
-  ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above
-  ## and uncomment this example block
-  # - key: "key"
-  #   operator: "Equal"
-  #   value: "value"
-  #   effect: "NoSchedule"
-  nodeSelector: {}
-  ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above
-  ## and uncomment this example block
-  #  label-key1: "label-value1"
-  #  label-key2: "label-value2"
-
-longhornUI:
-  replicas: 2
-  priorityClass: ~
-  tolerations: []
-  ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above
-  ## and uncomment this example block
-  # - key: "key"
-  #   operator: "Equal"
-  #   value: "value"
-  #   effect: "NoSchedule"
-  nodeSelector: {}
-  ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above
-  ## and uncomment this example block
-  #  label-key1: "label-value1"
-  #  label-key2: "label-value2"
-
-longhornConversionWebhook:
-  replicas: 2
-  priorityClass: ~
-  tolerations: []
-  ## If you want to set tolerations for Longhorn conversion webhook Deployment, delete the `[]` in the line above
-  ## and uncomment this example block
-  # - key: "key"
-  #   operator: "Equal"
-  #   value: "value"
-  #   effect: "NoSchedule"
-  nodeSelector: {}
-  ## If you want to set node selector for Longhorn conversion webhook Deployment, delete the `{}` in the line above
-  ## and uncomment this example block
-  #  label-key1: "label-value1"
-  #  label-key2: "label-value2"
-
-longhornAdmissionWebhook:
-  replicas: 2
-  priorityClass: ~
-  tolerations: []
-  ## If you want to set tolerations for Longhorn admission webhook Deployment, delete the `[]` in the line above
-  ## and uncomment this example block
-  # - key: "key"
-  #   operator: "Equal"
-  #   value: "value"
-  #   effect: "NoSchedule"
-  nodeSelector: {}
-  ## If you want to set node selector for Longhorn admission webhook Deployment, delete the `{}` in the line above
-  ## and uncomment this example block
-  #  label-key1: "label-value1"
-  #  label-key2: "label-value2"
-
-longhornRecoveryBackend:
-  replicas: 2
-  priorityClass: ~
-  tolerations: []
-  ## If you want to set tolerations for Longhorn recovery backend Deployment, delete the `[]` in the line above
-  ## and uncomment this example block
-  # - key: "key"
-  #   operator: "Equal"
-  #   value: "value"
-  #   effect: "NoSchedule"
-  nodeSelector: {}
-  ## If you want to set node selector for Longhorn recovery backend Deployment, delete the `{}` in the line above
-  ## and uncomment this example block
-  #  label-key1: "label-value1"
-  #  label-key2: "label-value2"
-
-ingress:
-  ## Set to true to enable ingress record generation
-  enabled: false
-
-  ## Add ingressClassName to the Ingress
-  ## Can replace the kubernetes.io/ingress.class annotation on v1.18+
-  ingressClassName: ~
-
-  host: sslip.io
-
-  ## Set this to true in order to enable TLS on the ingress record
-  tls: false
-
-  ## Enable this in order to enable that the backend service will be connected at port 443
-  secureBackends: false
-
-  ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS
-  tlsSecret: longhorn.local-tls
-
-  ## If ingress is enabled you can set the default ingress path
-  ## then you can access the UI by using the following full path {{host}}+{{path}}
-  path: /
-
-  ## Ingress annotations done as key:value pairs
-  ## If you're using kube-lego, you will want to add:
-  ## kubernetes.io/tls-acme: true
-  ##
-  ## For a full list of possible ingress annotations, please see
-  ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md
-  ##
-  ## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set
-  annotations:
-  #  kubernetes.io/ingress.class: nginx
-  #  kubernetes.io/tls-acme: true
-
-  secrets:
-  ## If you're providing your own certificates, please use this to add the certificates as secrets
-  ## key and certificate should start with -----BEGIN CERTIFICATE----- or
-  ## -----BEGIN RSA PRIVATE KEY-----
-  ##
-  ## name should line up with a tlsSecret set further up
-  ## If you're using kube-lego, this is unneeded, as it will create the secret for you if it is not set
-  ##
-  ## It is also possible to create and manage the certificates outside of this helm chart
-  ## Please see README.md for more information
-  # - name: longhorn.local-tls
-  #   key:
-  #   certificate:
-
-#  For Kubernetes < v1.25, if your cluster enables Pod Security Policy admission controller,
-#  set this to `true` to ship longhorn-psp which allow privileged Longhorn pods to start
-enablePSP: false
-
-## Specify override namespace, specifically this is useful for using longhorn as sub-chart
-## and its release namespace is not the `longhorn-system`
-namespaceOverride: ""
-
-# Annotations to add to the Longhorn Manager DaemonSet Pods. Optional.
-annotations: {}
-
-serviceAccount:
-  # Annotations to add to the service account
-  annotations: {}
--- a/values/badhouseplants/secrets.minio.yaml
+++ b/values/badhouseplants/secrets.minio.yaml
@ -1,18 +1,18 @@
-rootPassword: ENC[AES256_GCM,data:xRKU4TSiXrxO24ngzxv9WXMT+Zk=,iv:IjhFM4bqeuBQK7f5qdoVi1d09JkaGXBxw6sQ0UluQdI=,tag:6UNdCNDP7m/NHciYNcM0FQ==,type:str]
+rootPassword: ENC[AES256_GCM,data:590lWmGK19hcFCuTIXgV5aXyJH0=,iv:T3KHE21UnDNiePZskMyf0FKiPlHEr9tO/QoRO9W3M/A=,tag:HvZFdLADzd99POGZeUx4zg==,type:str]
 users:
-    - accessKey: ENC[AES256_GCM,data:rKj7B4kq7N4=,iv:kw4tXzFM/Ff1qu1oKc5kwUG2cxaF3fMbQ1uvWkKuPFU=,tag:63Ci7t6X7uhoIg68wzZEjw==,type:str]
-      secretKey: ENC[AES256_GCM,data:GZeM/jGs1tHJMHhD54hibWiHAg==,iv:ddaPxZ5HX/KCuOFB0fGEPWF06xo5f/mct/3qXcrUoU0=,tag:rYlgfRLSLana0/0DD2ixhg==,type:str]
-      policy: ENC[AES256_GCM,data:y35Cf/1PDD4=,iv:l2HpLgBHH2P15bNiBVAK9KDnGv8qD7m5Fk3ppOLmXsM=,tag:FFRS6rUoiIy9uwbGV+zsJg==,type:str]
+    - accessKey: ENC[AES256_GCM,data:C8j0BB47C+U=,iv:9YwkZO6QtJXJ2vo6HF13BOJ3kjueEFGt+L/yHTLykKo=,tag:u4Ec+XC/JMjAkAVMNaiuCQ==,type:str]
+      secretKey: ENC[AES256_GCM,data:Tf5vlbvmZT1XPKbAOPW8IcuXqA==,iv:GTKyoyCCqcZkF6VFeutMQwdtL1EbkMHTs50LDTc/Yyc=,tag:3jxedHmuH/RdYzLIDag1OA==,type:str]
+      policy: ENC[AES256_GCM,data:7R9brCdGZWI=,iv:JPgs+Pe8yluwG4YcY2Zo4yFL0DCIdCVrosRgDODIUao=,tag:NnBPmPzYSjh8ClEnMc711A==,type:str]
 oidc:
-    enabled: ENC[AES256_GCM,data:AULTFg==,iv:bKvMfypv40rmWcOMT24r3C1i2taJmf520sAo1tsl5tg=,tag:vTp1Wjxyxn0bRy6o7GP8Hg==,type:bool]
-    configUrl: ENC[AES256_GCM,data:WWJo/0V1n9oBfWAnq2k6MXvKEQu1lfXj2dKWyJAdv5AYkXd0CYSYBTSjKeD6WcrJTM3EZmMOdEvlZXoc2GP01uSnHzYlOD44oWK0qyxyiO8fsKbfn8aQIUY=,iv:cuR4u/8QxlYAm7TzHZMOEy6CzPfUiEhBVV7hi5cpfMA=,tag:/nUzcQPVE9BaN+uDLpPEkg==,type:str]
-    clientId: ENC[AES256_GCM,data:xPzyvDU=,iv:HUKtVXQAyufvqjOlodme2PfVplw3fZo5CboZwj7p7Qw=,tag:oHsHh2U/CyVU1Okz129JqQ==,type:str]
-    clientSecret: ENC[AES256_GCM,data:jnNQX0BZYaDnCHOhO1fY1bmZbAh5yyjCdSc47CZboku79u5ZkUdZSg8yCHyy9OU2ne6e9fc2bwCzUCAlrxQDqKOn0fF9M3jARmMhFwdTS+cF2EE2jH25+eV6Px0/UFaQ5zEy7nsp225wFrW8NwXn21hGQH5HNqo7Yo7tjzgzgRs=,iv:Tq7XPom4uGuaWtSjZ2aEw5ngyljAZg8qYQp85MrUYEQ=,tag:zuRyqFAI5PPRjRk4DtmRsw==,type:str]
-    claimName: ENC[AES256_GCM,data:BR6a7Ps4,iv:x219aNeYdfvUUmMh7Vcax/BAWs2jYzi8SFibszJA4bw=,tag:9xnaWC2Ih3eBgf70FqXRZg==,type:str]
-    redirectUri: ENC[AES256_GCM,data:TS9kOya1UT1DXXZqmB7DfC6l2p4kE2+rl/kTJ2+r6oyKg0pEfz6pRR5WOycDuJU=,iv:2bHQ1bP/YdcPGd4RVLB1SIolKL0yO7aprf0228FBdSY=,tag:vpNAReeyMCTQkjy8AsmV/A==,type:str]
-    comment: ENC[AES256_GCM,data:pFMsVTLEeHGSpHUBqWcLT6NdFvM=,iv:cecmL3rCVgNFdHl51/OOWj+n0dsAldznhgVflhEuW8E=,tag:u/epLP/ctnqjrzZAZhCSWA==,type:str]
+    enabled: ENC[AES256_GCM,data:v7bnBw==,iv:JJCvuhtrSYrjznP5iktZ3IQ2fNGy5heuiFPrTiEXRjc=,tag:K3dZHT0WtM8eQXPnD4mcHQ==,type:bool]
+    configUrl: ENC[AES256_GCM,data:8Q3qOVbAwKhDjoGGcmALPpIaJSpP3JHTRD2WooZdVbr74j21zVOJLAfiWIEtYfKa2sjPAVsmEIA2Pi7bddPrHHm9Tbiai3x7GgjWezSnJMYRko64rHaWcks=,iv:WrI3sy5KkOjHaJn4kHVRtqkTMoJ27eni0a7njN9LkdE=,tag:Kb/AneWQ6ilkKQsKneWUmg==,type:str]
+    clientId: ENC[AES256_GCM,data:qmSdmlY=,iv:m8I/9JJ+GUdHC+oLqQm8Bd03V0HDpotfCWMVFQUZkIg=,tag:4CI7n9zl+fuddvvCFy0WBg==,type:str]
+    clientSecret: ENC[AES256_GCM,data:p861qML6DA7dmJMct6HUTjp24lB55nK2XP4bz1XJRoA9jJ6pHK51ZO3AZTu6uPJzGbEPOlS9IseHXfFhrm+/qsOX8kBKd+KNxgpEei5DX9VrWPYXUVEUnAWChePhcLaNQmOGbDaYQL02jvhtxWyhU2y9acQK82XUJvZ4fphJXkY=,iv:m99GKBMRa9/NZ3CnNEhK6OETNkwvEWk5pgsMq0D1JHU=,tag:bXyUCw37TO+2TbfI2OCDlw==,type:str]
+    claimName: ENC[AES256_GCM,data:TTcLpDYT,iv:UB4CnJzBAhZoQebnw+lwnyU/VblUp9ZIJAvBm5tcFlQ=,tag:rpA9bUmAwrkjNwWmm/fKSw==,type:str]
+    redirectUri: ENC[AES256_GCM,data:Z0mo2BbMWBp/kfBaplkQzzFdktjTvLTB3c50yMU2IfqQVta5Q2vQ9UJeIB16JX0=,iv:avVDsu8I3es4SMMocVk+HZfTHC7hovmBsKREn+nl4ZI=,tag:Pr3s4NJyaI7ptm0hET4pfA==,type:str]
+    comment: ENC[AES256_GCM,data:gfJ47KgduHgkAo/Xybg0YSNOqXg=,iv:pihROTdckwv9cehzIyYyhjwpgMurBMx57NbpqMDKu7k=,tag:Bf7saFGs/Iq71x739Q+zDQ==,type:str]
    claimPrefix: ""
-    scopes: ENC[AES256_GCM,data:KMSRU3jsWknn29TmdRUS+gVfLDa+8qQviK5X,iv:xu1Va/LfhfZo1QjTNbSTvI8INmUd4vKE34jSAFMXoWM=,tag:Hz5JPpo71xkCHzRgR5JCaA==,type:str]
+    scopes: ENC[AES256_GCM,data:Rql6kXzWAIkE5xcb6dwbNd2sa+mCGD2uuXkT,iv:9xccj1iHtkcpY2GbNoVdggrvX3sDO88M2dsoIVIhSPU=,tag:P/2ITVvGJhmwhmhPtT6Itg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -22,14 +22,14 @@ sops:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cVlEckJ4cWNyYnZxaDVa
-            ai9NeXpWMzU3a0xEanhyaGNKY2gzd3hVdUM4CmxGQ1B3em1vcUw4czNsejdEbnZz
-            T3BhR1R3UVVScXNaT1lRRHFTOGhCck0KLS0tIE9VOW1BK1lxVVkzbFp0RzZnb0VR
-            bElLVkNlOHJpMEkwVnFWUktHOE0vcU0Kc/oFKbItQDM3skgD/Ez4TafwBSoEUKsD
-            kYYGexUQG1GkdG5HPiABFNQu6zVDSYDjeEPOh5DRzzFvudQmy5NeyQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmbE5TNzEwY2l3VE5EcHU0
+            cnNBazdHM0ZUd1ZJV0NMcDhPZUdrZVhuL1dNCkRHUzB5T1N3NFpUZ1JQalg0elA0
+            K1J6SE9ML2svT2ovYjY3dnJnY20wMEEKLS0tIDZ1MldTanduV3FjaWNsSFdhdGRB
+            b2dkWUVReEtJSXFRSTVLVFJzVmU5Ym8KrIBGe2RNCHGBNDk9TIPTFL8ge1WukG/D
+            nzE+Gh0PiJrxJDzE/sWFtYgkzthMRBhDNjieZUmbgtpDULDe/9Q9ow==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-01T15:41:45Z"
-    mac: ENC[AES256_GCM,data:yO91CR14zwhaNSXKkCUuJt7WqnJVREzh5XoSKX1tJ0+XvAyTGPYL/IxnbgTHwtYB0BgF/srQzV5rCNg6KhmA/T29BLRI5obIvmmLhf6AZe0QCCvrhYRr0SrgIngOgG0hMKIg22f2BKagzi7kSVF5BysdD0EtUeDvLaoa3ckWjRc=,iv:+mY9hZaZUyImWKx8cFX5FlwhMOr3u9ttAdlV3dCij2A=,tag:npJlSBxu1uVUvZ9+YFRrkw==,type:str]
+    lastmodified: "2024-08-19T11:07:01Z"
+    mac: ENC[AES256_GCM,data:IU9IoU1gpwwnrEVLeMAC4B33lZcpCmoOectiavKBOuSnS5agEi5eR2V7TScO8MYpfOuLfM5dypAmL7I8CIcR0VESizUd4dbc34RUZ4VstjI6qiS43tbGgHxq1hAKaUbDCh1j743uK+bAe3NSG5LJfy1mfGIWEaOWRcu8elaJisk=,iv:6bDw+lViJEJjHd6P4s7shz6Y6lO6rR8YZ/2mSaf785c=,tag:7sZi+/JrjZhX4erCpMqhtg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/values/badhouseplants/secrets.nrodionov.yaml
+++ b/values/badhouseplants/secrets.nrodionov.yaml
@ -1,5 +1,5 @@
-wordpressPassword: ENC[AES256_GCM,data:0JSm0szXtZwNPw==,iv:ohVbIeIqhwdoJkPhEta+3sXopGkoL6Z3PVsWthZ2RGM=,tag:9a8xiWdWgyEc7u6ek856yA==,type:str]
-wordpressEmail: ENC[AES256_GCM,data:mCbGYDbY37zHVqYo2ZacGWbtVxud,iv:w3La8QpCs1GKWspjVe5XTZ6zcLSnApJw9i6MtYI8rP8=,tag:H+4M42u/5lE64LqyD5JEbw==,type:str]
+wordpressPassword: ENC[AES256_GCM,data:S/RmNSAaSZSrsw==,iv:Q5n+72jgUJKIpwblr8/VfBqPDfJZclipDKVTjt4BWWw=,tag:4hP0lUvKcphciEFxBQJCYw==,type:str]
+wordpressEmail: ENC[AES256_GCM,data:Ln2ISr/c7vESVumK7LGH12w2x7fF,iv:AZX5Gzd4vde+sM5XBuiKjAc72GWHfL46OoG6XMaKrq0=,tag:4ogLagGYSx0xYRWJU66//Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -9,14 +9,14 @@ sops:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4elh3ZjU2Z1JPckRmRi9Q
-            ZURUaHNuMk9wQ0JWMktBZ08vZXpkQi9sNnhNCmxudXBIcDh5WGpJSTdXOUcxRGpx
-            S3RobjJwV01zamozeUJGWjZ2SkJnNHMKLS0tIHE4NlVCZnVqUTByT0xtVlpBNUZk
-            T2NTYWFZRkQxSzdTN3ppOWtaeHBxWU0KPH4OOrTptzmv9+QzSc6Kvq2leVc0/H2X
-            3bwsZK0/0toEEPGyrpJFcof1G9Y6GmW2JT2O79K5hm9R9FP1lqaxJA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcUFLdEw4S3pHZmFiRlFB
+            M2JsSGRaS21SWG9CYU9uaVcyMjRJaVRNeEE0Cmh4Mks2c2pZVkZoeXAvZEJLazdR
+            aDdKdXVSWllzdGw4am9POURGZWhxTmMKLS0tIGVqTzFia3cvdEVFaXI5REN5U2ZP
+            VjJBSnFrNm5lNldJK1RMZEtaZDAweDgKME1XCeE6hBP8T+tpocfisLA1RMVF0aDm
+            PJnJ+YzdmX28CgEkcZgJ97+Gvgpz2M/e99YTcwTa6rETRkWhlsCF4Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-21T12:13:26Z"
-    mac: ENC[AES256_GCM,data:lBIOKXgW5EDzYGdXUP5c0OzdsyOVTbPhpNshlarm7UozDdnEW7brB0izRCp0+FjDxcDlhuBcpR69kel4x0O9NvDvCQHO6TfbEdFy43IgIg6bZAEAa55KNCeaXa9x+lyNWkTNJ066bcQYu8yFj2aOqwrksU96xsBqMk7t0CPgrDc=,iv:e5bjuz9ii50r22Dd7EHPqC71CJAA+jCW1VDQnyqk7TQ=,tag:eHW9xmzVASBGadSfTQwquQ==,type:str]
+    lastmodified: "2024-08-22T22:11:45Z"
+    mac: ENC[AES256_GCM,data:pj9YTjQkn9PmQrlTvwpHHEaExjO1v4JYEihBHxObwhboM9qrwaIzweS0fREXRFcTh3EdShF/uvj7fRbQ20mP8kTDbzby55qlRVZPL3nb3fU748t8neL7kQuLTtj7JPYdk8ZgEBouatSOEjtCNCo7OIL2nKX4xJ8jNdWW/w5K8ik=,iv:x/IXD482UsXYvOMELHMMkacQSWxeKXGjYw4sY1yrYck=,tag:RKyQ1PpR9khmz/LkOlVdtA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/values/badhouseplants/secrets.velero.yaml
+++ b/values/badhouseplants/secrets.velero.yaml
@ -1,8 +1,8 @@
 credentials:
-    useSecret: ENC[AES256_GCM,data:zn9jOw==,iv:lEdpRvbV9vfwcWvImAg2yapCNgYwGxN37jrsrY3WBCs=,tag:50CBlc3UZQEbCDLXCOVgaw==,type:bool]
-    name: ENC[AES256_GCM,data:6jkV0vyc+qAO/iT6jZ6z,iv:GbWE1biI7+qZfqEnlG5tQNKvSBe0WpYApcg3RnYXYts=,tag:0K5vKZrAHhO7xNNRkguEFw==,type:str]
+    useSecret: ENC[AES256_GCM,data:synuEQ==,iv:DoTxRvHamHSPh6Fy7f2/lQbIXVQP7bg0+gRDNLK5ExI=,tag:IMxGc67WNUWtyv7xeqLKDw==,type:bool]
+    name: ENC[AES256_GCM,data:iOdJiWlezjgsI1NsET8Q,iv:dt3Ugyi1/B2pHhPlUUfJZ8lT57OUZZhXdQ8qbm0D/20=,tag:N4mxjl0NGNxNDtwEZjvrpg==,type:str]
    secretContents:
-        data: ENC[AES256_GCM,data:hFvL51EwLkX/sx0FL4PNRxFdK/jMjOVchgFK7GGtANBK9ZwzktAt1vd2YMp7gFgueltjC3qQYy6oHc0WnKgOo3XayBIstJNT,iv:Gwymmy0/M5B35qYOZOqW7g5MmfeDciAqIJbohU533Ng=,tag:tKi1amgZkyKcU4VkaPEWZA==,type:str]
+        data: ENC[AES256_GCM,data:x2kwYP7i0Nz0YhjaoOLY7mYdXchdYwy2wZDypePGyS18dfBttmrzgp4JCPpFbL3QbkmK4u+Cs1+/Gyz1Zk3I7lnzW+T0rp4t,iv:zYfGPyGe5fDHI2MbSjrxFqRmjSChzA9KrKXCGoEyzrw=,tag:AGOh63/OVROHo5VYXV9tzg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -12,14 +12,14 @@ sops:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTNjhYcnAxOW9Ib1lyTlFJ
-            NFF3cWhYSU94UXA2N3ZPN3ZoWWRaRjE5aEVzCkdLbk1uUVEwNjdKVVRlTUNNbmpw
-            SWR0Vkt5QkVtZnhqdGhTSUlYaXdNWTgKLS0tIG9DNzUwdktmN3FHVWtLWFNuakps
-            RVVKTDlWZ0ZNaVg3bXFmN0FhK1FaSnMKyOqdgYzP1QP3FcZat+8pZHjMxmUJs7vn
-            0LlnPd8hMg1nmM9P3kkE1/4X5z13yiuE2wdMV3iT7RqiexGlCi43Vw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QVJqcDUrSll4ZkJGZXFF
+            dWIybkc4QlduakIvSzM2eHkzNHdUWTdibFZJClROdDZmRU5NcE1TbjZnTDhZNEdY
+            dytnU1l4Z3BUUk9NNVprK2o2UDZ6d3MKLS0tIG5EVHpZaThPYmkzcVZWaFgvbW5r
+            MnkvbjY1dzV1cU5BNjU4aG1EekNsWFEKZavz2hNlogTfUH2oz6ovfv9vmlmbBy7C
+            fIrWnBzmO+bl2GIb3mNXUPv8HjfuVN6YzFdew5Kxhls1P5op/8cEVQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-04T11:36:43Z"
-    mac: ENC[AES256_GCM,data:5Vyq/jGjKbeONBkzFWCjdecoxMGSemY1EQJOeLgncmM+VW+hvck8m0PcHmZYLz5BNyzw8lfnFYdfBARtwD6wv2BvD4p5A/8iZUUd7BxmrCCtlm5P39Abi0E5OZkOgr+js6rGzmRM5vBUyE86hOHc9yXtD1F2isOPkHhlXH7atJs=,iv:eN9NgFn95tku7BEvlYNK5v6kAktyWPwG6Zomirx2W9E=,tag:PBZFykWJKKw6J7kAZn3H0A==,type:str]
+    lastmodified: "2024-08-22T13:52:31Z"
+    mac: ENC[AES256_GCM,data:/tPHVPEigjHM3nmoNKcyF+v2rjFKPgMA0OVdjNtuPE6zkg/W2U59CqmFaqSfLkswH9OZdtC8ObyKELhEqPOAYdMzFpyOGAtYB0wpY6ghsza9O4qFhuvpHp0Nv2qFT4BtEvbIofn1tVAAfRiRvQo2oV18hW116HAcyoTLBsLAzPo=,iv:plcyO/TXxXgmuy8YA0bmCYWdEmWXhHydLQYZxr/bDpU=,tag:xAk6qnS2ju61Nhpi5gvWYw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/values/badhouseplants/secrets.woodpecker-ci.yaml
+++ b/values/badhouseplants/secrets.woodpecker-ci.yaml
@ -1,10 +1,10 @@
 server:
    env:
-        WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:mGYEvlIeQC3mg+kxy3ZX6gAVf88DXLVdeSdgpQa8wixsb2rDoj4+l2ET2saquK+lVhjvv8ZKdvg=,iv:VlPgDYPj1xpxnpWnEHj+slBi0H2nWKeScclPItUaG9A=,tag:ox/Ur5vsOARXRT3g0hCgsg==,type:str]
-        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:WXwsmLmb37clb5xgv+2DeKfhk7cwaIJpaCW8/Kq/CmgfwCmrarPDDQGXZoLwOjGj3mh/ciDj7V5WgHfyxuIDhA==,iv:NhGlPyPrTrTbz1DjOZEieWAfOQHqSqhdLiqMspex1j0=,tag:vOfo+XiCUW6MhtJemkZPMA==,type:str]
+        WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:YCK++7hNKOQ9cuXTdRsN/x6nt76PNqvM16XaLnw4O0Uh5LQGv8nZt+Oighd7KIXFhsUfgCfPUU0=,iv:WrTNlxO+6rMa1uxv58k74L1udl7r7XSw5yzOZHBJuAk=,tag:lsHvrNTsoq1aCl5Q/rzkdA==,type:str]
+        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:o3w9/9UJtKEHcsKz7lfTl/zboYAQjYZLQUpOs4i3UPxsSaOy1AvezQZauHwYJZoVsJwWFE0XtOLhnd8bx3UlHA==,iv:CD5lgqFY/cJFewbPJqo+lniMCQaZK8PY4CmL1IsC6IQ=,tag:R8GU3HgZXcSLqOedYuMeGg==,type:str]
 agent:
    env:
-        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:4lTZ16jbrorU4B9gTAoWmgiGggrMWD7K5O/5R47OIDMdRInwXtaWviofFD8WJQMduiGvANxMVNs0J1DLvFKi9Q==,iv:Y0AsW63vdVEwKvpVYeMVLFmwYlsQSwnz602QjDgj/ZQ=,tag:aO9xh3psy/bRCCQEFUp75A==,type:str]
+        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:aHTziUzut6goUZR2JtNaqRTC1mvdA1HS1OLJRHdXtI6coVGcLahxl14Kun4JqsKEXLHeAyU9WEijoRRgixOHsA==,iv:txYRgyO2XHbWnp81ow1EyT4VbzxW+Q3d/NzzclNGT6U=,tag:8nEPzQNPi2bXTDYa81M/aw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -14,14 +14,14 @@ sops:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlQjZqNE9iMDl6MlhnSUp5
-            QTBSOG83WFBqZFZIU2dEMzlpengrUFg4alZFCld4MkI4WW8xMUZnMm1SU2hmMCtn
-            bTZSVTIxTk5aZmo3OEJJdlJwL2xhV3MKLS0tIGJraERVZTNyMWFCVE1TbEhRR3J4
-            WXh3NGd4UG9OODhHNEp0cDVoQkM5dWMKcz4h0O4J2WlB+L9+/U8Rl+zzd87hsJo8
-            ThPZgnUNDGpdRrU2IYiXo03fZOhBoqBJe1ZG+Ol8z9bvTeyeMZxRIg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqOXBuOG1WaFc2cGVPeEp2
+            bkxTWWJYcFJMdjM4S01wTjRYY2RlZldSbTFRCks1TVlwS3BTTnUySDVjMGpobG43
+            YWU3eHlLcGJMcEIvMUZiVmIyU1NnK28KLS0tIGlwZ3NLQndac0F0QTB1azJHQUlT
+            TmNXN1BYQ1JDOFRJV1A3WWFYQkR5R0kK+dSdoRdeiJBrhU6YnWb9P489dpTvhjBW
+            GFPuTrQxqy3C6frb5K0huI1anarmdirwglD+/3UvTSQ0CEbUk95EMQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-18T17:43:53Z"
-    mac: ENC[AES256_GCM,data:u8iu+Ia1u5c5AkdyKbGT//G/Zp+yDNv3TQIElSBA6qCTBu0lKAii3ywXrqdpQ1kYtytjazcwkOa7vKmVy1UoCNda+8wGGHfhfOIQlll+TKBNvgUO73lF5P7X5q6CcgFMvTazXKElESEC3G04uVLEOdG1W6d0ArVRnh8gFOY6Jgg=,iv:VT0pFoOcLPK14I1doJi+52wtCfUuqh2nxdSVu0ufVOY=,tag:SwAOYLxOYaouteqXdgP2Hg==,type:str]
+    lastmodified: "2024-08-08T20:44:23Z"
+    mac: ENC[AES256_GCM,data:dMXGJRe5/k5+XFuvORJHGCmcSL2fsP9Pim2w1k3sUdJZslqptdDm+lk01mjPBMrQkgMyX7GHIwaqMU2hK5i8nBKYz6SSq91MgD+vtVHQoum5DtmAFwBOdT+m3VVo395OnLvXT1SvskgMU6ddy7uDD7UBrkVe/DxQjX3s0/IntRY=,iv:6v6j8U7nRlQ+YEs9wiPRpnkoGjCMPbfMp/ecrNgksis=,tag:P0aGi7qBJdTz90CNGF10dA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0
--- a/values/badhouseplants/secrets.zot.yaml
+++ b/values/badhouseplants/secrets.zot.yaml
@ -1,8 +1,8 @@
 configFiles:
-    config.json: ENC[AES256_GCM,data:pTTLT0Tncq3asDud0P+EMg33lPP3wmJEkMgLV+5yAwYdc3evK3FiifxcbLup3hu4XWIn0LSpGKvW6tLzHjq6exeejyrn5G3/FfLNwWsTXZ6Yi6V/MLH/8xOpE/kXB6IOpAEz/TQXLFY+A6UJ2+4OQmacQ+PTVacZO64mnH1ZmF662vw7+XlFZixYaREUv9RaCHPO/c5J8lAGpL73ltylWrpGI5tozEg8bzYtvTNpVjwbffrAx2OJ4uVxaEEWJ6hXf+aH4KVmsFkX2q4N6qcIZSr/JMQiuzizMdcEs0liiHbNThahsNyIjH5yTODX0Q6l0JYiD3F1t0PQzH6NxvADB95lTbfWjJ3Rqd2UkUXsAhSZt7IzcCE+M4v3wbitPrnTVfVJidHzHlBq3hENfBgVl8012Wf2ZzMclkG2PM1Nf1sKx2yiX9RGF9m7cju2FIG7cdbJxDonj9zyfnFdJBsc6W9XY3Yk2sFwpHGLyrloZlsV/33p+REPDjRBOr2Q2LU+SqwFHYPV5Um1h04SyoMO6jwrc22emTH66zLqgf5lp9P0IE5DEp7UqW6bBVL0UsK0gD39l1xFJYiYnstC2kWtiR7RNU1Lj+lHxPcEmpSpH96EVLdjCogMModRlz482pO3in/j9Ip+RwVfYpHz64q2StkArQiUkbK15YJDyd0YQlW176tQl8wsEfK5nXsShyVzy5jLnypHaCkcPxOBycJLIOocnObCgHe7/g7h27rFxHki0Y/fQIAWKhMSgDiIFaX5e/iawn2VQ0KUp/oeTYtCYfsk0FvsUSG4zruXa+Qy0lutHNWuwrOefYbY9yyOXBZRrm2S1uzTokoCii/tOyUkzp9Yclk4iEpjC2CS4YvykqUYdUtQA065WcScSboSf8QlmlAP69ck6VRbyETI4kBgQOannVTtBC3fGSHXGUJ7Vq3Gk53iB8dsogsga2JLUzBf0NtsYp8ts8+d9XfWxQNY5eq7AsoUgQoFJXxEpIrAXXDKwPNZztU6MEV4FP7H3WZGUWIfbwfJbak2wFwIYewSSUWxD3kPdFmDCx8GZqs4KXv7onk3y479HjyI/EI7ShfPtKTvadk5JeEpfyt8Qo86CBTFtTZJDe4EPEK2GfSkXnZr6Fjw8Mi3K3NJ1syY8LxoUrNm7zndDQKilFrtKNf1DrhmtUsGZJcsO8eWEl9cHtqH8enF75ZtiVS4p/WMVX4pRYSyJkQVWqmjeXe9ec6ZpZcghU5zh7HHjU+54d6lcmSquCKjWGQ2dfTMYca5gnA9qKCdWHulXHGRs51Zag7yK/viZ3/kqFDNiBuuTci0YjPMBvOM0P1nFgF3laIKiClr+A/1gEdU+4EN257t+YgaGyHmGjP4081Dxh1er3hfsR4TCBBUBNVeRX6wH0F2ftihSqb4fwvyEE9sddAUT3D9tCwa8v81iLxfjkUbW9qo92VIUn8gTXsWgYN3743D9k3Rmen1Uwpvz5P/rN9UufGgbxHKHWGzMqdXJnD63QLm+d7JsSAOB7uCxsF5Pusi1C+LBBuSmVGz+RH8yXBos1vkhXepAkKIAC+QZRTOau4Qde5gnRW5FdacF4QNJaa8C6KlRggPFft0/RnW4hlym64IN+/IYcOpuTPENuJzYI3P9b4GUP99/hE7bVWFmCl4Y4TiZThrUUS/FSDBpfVHhM7SBiPqoCgeAhZKRMA35wYswb+e5wDqAAxXyERbciT05v7D4nZkQN28bimXtFlUliy1v3+3MMJaNh6B6o1+Q07z5qq3MOtDJ6KtFYNLD3ykoraEPUYRUW3RwYdbUhCwIeL2FWYYoESDcplrOxErf+x9WjG474ZiDDUuWXHhr+F5OAdVwH8WcM3hzAWBVsHZY2+PW9b6UpODNGJAezhVht8jDhCLAx+FWLmCFRbRibPjuFNi8EQhSEeAvBUqRX+6yxensC/hPdL0ZSA02W4P0AEVBM6cIWjsSQ9hjopThe4hGKJp0ugaRb/GfndDiTNb5N2dH4ES+k8JIwMs8t8xkRnqtiV1QJ2eTP9cuA0QxinLxOfCz1QknZbPGdUqHytL1k/cXiL4fWgLgi95bdWhV9iDjo+RLBQyuKcyfMseOy/4cS7LaRCLRc6qWBtJYC39wQVxEFaP97D6Th+1u39Z8V2qH6Jn+Y2jkykAz78/tfPHtCqN4a688pC8VqwXS+GyMzCCDPrWStKRFdLY19iuyoMZpfyN3DuwfS9I6jhxfMgPPBcMAdzR0iEL6bahYuhBQjjFsC1lapRc6c8xvibU2sZvZhUM/5ESuvD+o+o2lrzGkZd6a2X/GUOoj86nVisPS9qewrqOdZX2QWENBiA0XxohHSY4nUmUmSxVQzM3K0+pJYc8lLRppeoOAg8QbcP6M1KHsgWqlimB9UMG/ONYL/hjBeUZ2KXmEtSZILoO6dQYpofej8pYY+MZycRWUzA8e6cng5APvlV7TAFWgXkjFDA4x13zQdFbC0uEaOwMk8k6RI97XE7NqRsNqpm50T8oQyuuQEG23iOaPUp3Yg50S/BjmPyqSg9G0h2LhLoH9j08sm3mX/MjJ656/52h+jnCsagZdrec7coMh2oqPMosdh+73Nk3spWCQLe82peoVW7reGeqMSlLrsr5U9uFgW+ISdYfQxgF9rTHN3iCDpvvi6z56oeGALfdMCOC2KKz508DdEYOD/bQ60oNv2nxDmdL5AmMN83iKVvym2uRabispot4scXA/cO/eVW4lDKYBjiV/zU6KpFG3T4ecG7DE4ezP9dPfsw3e7KCzN02ggP0kj0=,iv:cIjqYtBfWUJtNTN1+lZq9lEviErqvkmFhhWV7w6URsY=,tag:UGu10tH7SfemTk+L/+xb9g==,type:str]
+    config.json: ENC[AES256_GCM,data:4fWBCzOvPeimQVO0xRF+dnIuG7rYNIQujDTdHD+E4SWRb7xsNpYLw5ugJq8RgkZZT/DVCevSQDYD9TaqKFPn9Gs3k32Z7Or3gQrx35ew5XFXFs66VT8gvqyKAjf8nXSn61Rsd1PCFvSNRxT04qvclsoFNLDjb/pr8rIlZVSyBRQ606WToVW5es85pDUFcNS3vT1rFLe46lPi2oIRCV7mVt2sXTb67jryuxUTMfjbboOE9JVwFPTgyPTwVvm9yP2tC3Czv+hUGKzQeJAFbFzLiVQz5ieY9KwHWv02N3gzKrNvzr325dxxrTuO+mzHHM2Ax8xELc8iTKApP4t4/4pAPB1cVg/ARWbcTIabZ9ygn6QtnTBTLK1r8nJSXcQ1mza7sOhVafq8U7e1XYID2QHb7/1FjZNzB1/fMaTPZXMr2kJlbc8HwOoirDJ3zQvzYRs0FO3fEYjktSXO04+FEPySc22dAy1eOASg0xn2s7SwyWs0yEBIHkfbsgDk9ykfOXZ2YZVHSPDFR8DYwBO2HJx9ONnZwBBjolSRYOktM8YZf+bhK4eorRu4/XPPxkmTSbHk9HrzeRuKlsv/mCIGjM3EbUNkHUljol9cxS7l8pc3F74mte7XC2TT4aoEnwt2ZxQhl8o8V3iZKlv9ZpzQDy/y5NZ+eC/lUoNgGORF/lT0IW1O63eAsNrTJwk5SFy1zaVNSiBJH86PYwCuI2Q7o5McZdo4Y/m8Pm5CiwKooo6D7vdpOIh3suOxK1kNTO3lYzEEF0KC4FpFmUZT2jr2Uu0iVmK46VPHeOjEz1pfIXiFDUtpxP/qbDw0HBipNouQDVCrrveK9RwrnNs9f0lGQ4Zjb346l+0FQTXOIwTM5ji9zxztLuHp2YhyBEaoZLJNdTimjbzBphiWsuuhndMWnAn89gzVZH4VrFYvDv10KtSXuV4XQSpgeBCwjPx0CjeuStfXn7/PRRMk00BFT3/RkHw5cRFlVU/WzWTeVboC/2aSEwgQIc9PPo5qtVCAPvNNiHyXfcq/zPbAH4u6lk1SivJm2PVUBDfdb+78EbQ53rZgQ0AcsQYqMuUVglUM7x6EC1Q0l+bXhUIPJ1NCu2Uf0qNCHtjOKBTSbnNdgsrWkNjpbhjVP/dhSweTijpXejeyiFWyr/8DEPfRABeqDQ7wHpq+HSo4xqqaB1ychrMxZ1DygMaX47dn7zImoDwXSYcF+Fgv1WIli6Pa7dl70PtkDxQCZj6FtDeVv2yJEIaA7+KuldSKfc4AquA+8619TmSEZ7VVqTvoHDCKCU9IC4jLqjMAvtueD23ILGzPeh4/bATisL8DGzBMTBsNC58sEAYRJaMf7lfHt8p+XYxaqU3C1onqPzh6/D5Ic+7bXhOOhjEul+6TOkUM+kbPZHRJ2RHMkfTFN6Ny8agTyq3Y6QGisFCu0hRcz06PzVCVg5bLMOhbqvv1rrhUC+jDntlQHwkuwVco66tLvwGR48mz1J7upuYPXdN9FWXBQvXinOEf+9vTOGApocVO6ckvvIkFycHPAuK2PmF73ZlMA1EoHi8SFc+LfIOqz1xZGBWrihsXsQ/M13jz1eOtuRXvzRa7MZn9jWe/6SPEDLzUVuwA5j71Tcfvaf0hcSqEp3mQ3QIbsLGA4u1/nhVVgHgYNPPqwSO3CdwT5hg4mAJiYtmqevs/AaohZ/gpo6JUsNtOIfClO0cMfEtvLfkT9aeI5asu5D638edTpu6+M3qepV7vvre/XmpyQPXMoB4Uta9GxIdxG5Df1qzzIF8UxsP2gm82vDfjM77hQxDWbioGMMMmQieUCFF4tzEJgoI7MaYB/c6E2BvDx4BFcHs+kSqBTtx+PqcDIKrUETQxQeyUJ0gguI8DGsEnaAxF4oROLhGyMYjNzyG2IxMPN76UusZaE7g2/yVBud+vt+EMFZW1212EghysWN2GI6jyNvF6+rWSRCPjVZsxB4MumuauTmSo+uaOv/VYFEgKolyxeain34oJFAd6rkOcPjjVEfE=,iv:ckg25YFoRwiCblA1WcPC3RL9duKOgCzW4BrofqdWVxY=,tag:YfovWhDDYeMN8nzARjjANg==,type:str]
 secretFiles:
-    htpasswd: ENC[AES256_GCM,data:R4eaeMqux4X+z8HOgRYfNGNrtUSEhBbrp6nXgrK9naGCMP5+RuW10quG2XT+a1fXYTzNFk2UhKr4mbhargNQXNM33adQR7VesEK3cFE6r5DWgL8QZ3Ok7cvPMs2GoBR4OopxlBZvY0Il0wPQ5jnFDRb6m9inFSUCvz1c+dtsuWCI6PFdGVpHMg==,iv:v8eFslayA1mFLJR9oGqnavLutzHU6EbTVinQ2B9BkWY=,tag:0preIu+1DxnBxirNsgPBbw==,type:str]
-authHeader: ENC[AES256_GCM,data:rF66ayPCsNqIE3q9GqlE9I7Z+/J4XEZ770oBw8x29dlFA6QOuR6XanF92eOx4xFl,iv:LnIbj8lJ6cO9wyPPIv4KIvFOvxrnoyUXgLGk6UCZS38=,tag:fR1AqnGDvjIwnn9ZWzRjvQ==,type:str]
+    htpasswd: ENC[AES256_GCM,data:DjBPh4ycj3Cr8pmjlnkOPsLrA6joney4vfkZMQJzq3+Bo8ERECyV3Ttc193c3DAfJCd9/Vj2HGDHBhxyqR/mT85NT2LuMueFl6XgdrvWIm76sOts1hmfmstGBUT3o9UOk7B3JXgRyXe2hqA312lIrBswncsy1RQOJvUQyhEOcD/Li6R3CQFPFQ==,iv:C/F3vg9dcmS1uSlJkbOkOoj04ZvIVuHJ/IkIqGkYUgs=,tag:I/c8V9DF+xiuHYdnAyl3KQ==,type:str]
+authHeader: ENC[AES256_GCM,data:xiqhgK8yQUtpOBUMDVWD7JxAi5xjz4HDsV4wveMBoDEp60lrZugT+23i9m4cifdl,iv:73GsdwwZHkhZvbaGQhKoHykLvvVwYrIuZSKJMWOUd8Q=,tag:3g8H1IACoqmC7mndixb+7Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -12,14 +12,14 @@ sops:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2byszZ2I4RE40ZTZBRHZs
-            RjFxUjd0MFJ6SmFBZUYwZTAxL0cwdTl1U253ClpGWUhrVmpCZmorMDRtdjVEa1Vo
-            T1VQTHNXZy9wWkNxY05FZFRLaTBkNjQKLS0tIEl1dlVkNnRGZ0F0aXpiVnRycDdH
-            WklIc3FXODJkMklVUEdQZlJVOFFDZUEKzG0b0TfKoN88zuTCKgcs6CXl/2kHWm77
-            dO9rVMXRhohLTT66K/nFOqRVvHjN0rvTJNa7/WIAJr2AeA4nGtEBTQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvc2NjZ0J3eWljdzlqSVM1
+            N2pqQ1pXVmJxTjZzMlFMdWgrYS9OVVFFWkVJCnpnaW44Vmo5VGUvSjFRWmFlQ0FX
+            aEpQajVJNzdQeXJ2bzFBQkkycjFYeVkKLS0tIFh5SGxEbW93ckc1WnJydzFWcVBR
+            RjZMZHEwbHR2bzZJZEFqeWRlZXlFTHcK4Z0WwYIIdBZRt2RTlSbRHER9BJNolHLV
+            0EUjwcEnFQExF/uh2FTeoVudBhmlyfVjYvlI56QoeculVHPSS4YIhw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-25T11:21:00Z"
-    mac: ENC[AES256_GCM,data:R2P5oMUnL3WCMdJ7a9hj/YQDc7SArLIUqeGVEd1BQYS9TYbuCULFUEBs9R6w0+PlM3safsMZ6kll5UIoYwk4/ewXIjJ+E5kgxo4BzREJLq9JIqJz5vMtCUN/Ejny5GsIw6rx+49YRYOVvwXtFG/2h1dizKzuwDQfeDtHctUMTYk=,iv:dT1i+F92NGZdvSdsdk3GkjRLsOYnqB7wmizWBYPHW5E=,tag:NH36reOpR8ptVy9gK63LRw==,type:str]
+    lastmodified: "2024-08-18T20:53:28Z"
+    mac: ENC[AES256_GCM,data:RTUkxdfFLcqSHUjNTTzGHYtZubydqm+9cZmW6gXj2PIn5I0GXQoJVwWT6sZFbARrDpaMyANLBYYeh2P40i9M1GKqz1HnnelvMDEqN036e/5dtSRclPhQokDxtRMZAqM2tGDG0E3UVzMo0I2hQL3BJiGSkdNjz+rRXlJCOnrtUyc=,iv:jUhrVQKT2YVn3K9sY13M8ymEHnQahs0gHe0IOEbdCw8=,tag:jEcelDJi8HQdLS7/fUHq/g==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/values/badhouseplants/values.authentik.yaml
+++ b/values/badhouseplants/values.authentik.yaml
@ -61,6 +61,35 @@ server:
      memory: 512Mi
    limits:
      memory: 512Mi
+  livenessProbe:
+    failureThreshold: 3
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 3
+    httpGet:
+      path: /-/health/live/
+      port: http
+
+  readinessProbe:
+    failureThreshold: 3
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 3
+    httpGet:
+      path: /-/health/ready/
+      port: http
+
+  startupProbe:
+    failureThreshold: 60
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 3
+    httpGet:
+      path: /-/health/live/
+      port: http
 worker:
  resources:
    requests:
@ -76,3 +105,35 @@ worker:
    - name: postgres-creds
      mountPath: /postgres-creds
      readOnly: true
+  livenessProbe:
+    failureThreshold: 3
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 3
+    exec:
+      command:
+        - ak
+        - healthcheck
+
+  readinessProbe:
+    failureThreshold: 3
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 3
+    exec:
+      command:
+        - ak
+        - healthcheck
+
+  startupProbe:
+    failureThreshold: 60
+    initialDelaySeconds: 30
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 3
+    exec:
+      command:
+        - ak
+        - healthcheck
--- a/values/badhouseplants/values.crossplane.yaml
+++ b/values/badhouseplants/values.crossplane.yaml
@ -0,0 +1,3 @@
+provider:
+  packages:
+    - xpkg.upbound.io/upbound/provider-terraform:v0.17.0
--- a/values/badhouseplants/values.kimai.yaml
+++ b/values/badhouseplants/values.kimai.yaml
@ -0,0 +1,71 @@
+ext-database:
+  enabled: true
+  name: kimai-mariadb
+  instance: mariadb
+  credentials:
+    mariadb-password: '{{ .Password }}'
+
+global:
+  storageClass: ceph-filesystem
+kimaiEnvironment: prod
+kimaiAdminEmail: overlord@badhouseplants.net
+kimaiAdminPassword: 'ZYdsgd^X9LsjxmJ7i6Xjx6LEMDbK8EJ$JCtX$P$6SisEKGJaqL'
+kimaiMailerFrom: kimai@example.com
+kimaiMailerUrl: null://localhost
+kimaiTrustedProxies: ""
+kimaiRedisCache: false
+replicaCount: 1
+kimaiAppSecret: CVUwPmI9m6
+updateStrategy:
+  type: RollingUpdate
+resources:
+  limits:
+    memory: 200Mi
+  requests:
+    cpu: 200m
+service:
+  type: ClusterIP
+ingress:
+  enabled: true
+  pathType: ImplementationSpecific
+  apiVersion: ""
+  ingressClassName: traefik
+  hostname: kimai.badhouseplants.net
+  path: /
+  annotations:
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.global-static-ip-name: ""
+    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+  tls: true
+  selfSigned: false
+
+configuration: |-
+  monolog:
+      handlers:
+          main:
+              path: php://stderr
+
+persistence:
+  enabled: true
+  storageClass: ceph-filesystem
+  accessModes:
+    - ReadWriteMany
+  size: 512Mi
+  dataSource: {}
+  existingClaim: ""
+  selector: {}
+  annotations: {}
+
+mariadb:
+  enabled: false
+externalDatabase:
+  host: mariadb.databases.svc.cluster.local
+  port: 3306
+  serverVersion: '8.0'
+  user: applications_kimai_mariadb
+  database: applications_kimai_mariadb
+  ## NOTE: Must contain key `mariadb-password`
+  ## NOTE: When it's set, the `externalDatabase.password` parameter is ignored
+  existingSecret: kimai-mariadb-creds
--- a/values/badhouseplants/values.mariadb.yaml
+++ b/values/badhouseplants/values.mariadb.yaml
@ -1,17 +1,4 @@
-auth:
-  rootPassword: ""
-  database: ""
-  username: ""
-  password: ""
-  replicationUser: replicator
-  replicationPassword: ""
-  existingSecret: ""
-  forcePassword: false
-  usePasswordFiles: false
-  customPasswordFiles: {}
-initdbScripts: {}
 initdbScriptsConfigMap: ""
-
 primary:
  persistence:
    enabled: true
--- a/values/badhouseplants/values.metallb.yaml
+++ b/values/badhouseplants/values.metallb.yaml
@ -45,9 +45,9 @@ speaker:
  resources: 
    requests:
      cpu: 30m
-      memory: 130Mi
+      memory: 300Mi
    limits:
-      memory: 130Mi
+      memory: 300Mi
  livenessProbe:
    enabled: true
    failureThreshold: 3
--- a/values/badhouseplants/values.minecraft.yaml
+++ b/values/badhouseplants/values.minecraft.yaml
@ -27,30 +27,29 @@ traefik:
 # -- Main values
 # --------------------------------------------------
 image:
-  #tag: java21-graalvm
-  tag: java21
+  tag: java21-graalvm
+  #tag: java21-jdk
  pullPolicy: Always

 resources:
  requests:
-    memory: 3.5Gi
-    cpu: 1
+    memory: 4.5Gi
+    cpu: 2.5
  limits:
-    memory: 3.5Gi
-    cpu: 2
-
-      #lifecycle:
-      #  postStart:
-      #    - bash
-      #    - -c
+    memory: 4.5Gi
+lifecycle:
+  postStart:
+    - bash
+    - -c
+    - for i in {1..100}; do mc-health && break || sleep 20; done && rcon-cli auth setGlobalPassword 11223345
 nodeSelector:
  node-role.kubernetes.io/minecraft: "true"
 livenessProbe:
  command:
    - mc-health
-  initialDelaySeconds: 30
+  initialDelaySeconds: 120
  periodSeconds: 5
-  failureThreshold: 20
+  failureThreshold: 50
  successThreshold: 1
  timeoutSeconds: 20
 readinessProbe:
@ -63,24 +62,30 @@ readinessProbe:
  timeoutSeconds: 20

 minecraftServer:
-  memory: 3072M
-  jvmXXOpts: "-Xms3072M -Xmx3072M --add-modules=jdk.incubator.vector -XX:+UseG1GC"
+  memory: 3584M
+  jvmXXOpts: |
+    -XX:+UnlockExperimentalVMOptions -XX:+UseG1GC -XX:MaxGCPauseMillis=37 -XX:+PerfDisableSharedMem -XX:G1HeapRegionSize=16M -XX:G1NewSizePercent=23 -XX:G1ReservePercent=20 -XX:SurvivorRatio=32 -XX:G1MixedGCCountTarget=3 -XX:G1HeapWastePercent=20 -XX:InitiatingHeapOccupancyPercent=10 -XX:G1RSetUpdatingPauseTimePercent=0 -XX:MaxTenuringThreshold=1 -XX:G1SATBBufferEnqueueingThresholdPercent=30 -XX:G1ConcMarkStepDurationMillis=5.0 -XX:G1ConcRSHotCardLimit=16 -XX:G1ConcRefinementServiceIntervalMillis=150 -XX:GCTimeRatio=99
  overrideServerProperties: true
  eula: "TRUE"
  onlineMode: false
  difficulty: hard
  hardcore: true
-  version: "1.20.1"
+  version: "1.21.1"
  maxWorldSize: 90000
-  type: "PAPER"
+  type: "FABRIC"
  gameMode: survival
  pvp: true
-  pluginUrls:
-    - https://github.com/dmulloy2/ProtocolLib/releases/download/5.2.0/ProtocolLib.jar
-    - https://mediafilez.forgecdn.net/files/3789/833/GravityControl-2.0.0.jar
-    - https://mediafilez.forgecdn.net/files/3151/915/CrackShot.jar
-    - https://s3.badhouseplants.net/public-download/MechanicsCore-3.4.8.jar
-    - https://s3.badhouseplants.net/public-download/WeaponMechanics-3.4.9.jar
+  modUrls: []
+  serviceType: NodePort
+    #- https://github.com/CaffeineMC/lithium-fabric/releases/download/mc1.20.1-0.11.2/lithium-fabric-mc1.20.1-0.11.2-api.jar
+    #- https://github.com/CaffeineMC/sodium-fabric/releases/download/mc1.20.1-0.5.11/sodium-fabric-0.5.11+mc1.20.1.jar
+    #- https://github.com/CaffeineMC/lithium-fabric/releases/download/mc1.20.1-0.11.2/lithium-fabric-mc1.20.1-0.11.2.jar
+    #pluginUrls:
+    #  - https://github.com/dmulloy2/ProtocolLib/releases/download/5.2.0/ProtocolLib.jar
+    #  - https://mediafilez.forgecdn.net/files/3789/833/GravityControl-2.0.0.jar
+    #  - https://mediafilez.forgecdn.net/files/3151/915/CrackShot.jar
+    #  - https://s3.badhouseplants.net/public-download/MechanicsCore-3.4.8.jar
+    #  - https://s3.badhouseplants.net/public-download/WeaponMechanics-3.4.9.jar
  rcon:
    enabled: true
    withGeneratedPassword: false
@ -127,41 +132,41 @@ mcbackup:
 # ---------------------------------------------
 # -- Install Plugins
 # ---------------------------------------------
-initContainers: {}
-  #  - name: 0-download-mods
-  #    image: alpine/curl
-  #    command:
-  #      - curl
-  #      - -L
-  #      - "https://s3.badhouseplants.net/public-download/server_mods.tar"
-  #      - -o
-  #      - /download/server_mods.tar
-  #    volumeMounts:
-  #      - name: download
-  #        mountPath: /download
-  #        readOnly: false
-  #  - name: 1-copy-plugins-to-minecraft
-  #    image: ubuntu
-  #    command:
-  #      - sh
-  #      - -c
-  #      - cd /mods  && tar -xvf /download/server_mods.tar || true
-  #    volumeMounts:
-  #      - name: plugins
-  #        mountPath: /mods
-  #        readOnly: false
-  #      - name: download
-  #        mountPath: /download
-  #        readOnly: false
-extraVolumes: {}
-  #  - volumeMounts:
-  #      - name: plugins
-  #        mountPath: /data/mods
-  #        readOnly: false
-  #    volumes:
-  #      - name: plugins
-  #        emptyDir:
-  #          sizeLimit: 500Mi
-  #      - name: download
-  #        emptyDir:
-  #          sizeLimit: 500Mi
+initContainers:
+  - name: 0-download-mods
+    image: alpine/curl
+    command:
+      - curl
+      - -L
+      - "https://s3.badhouseplants.net/public-download/server_mods.tar"
+      - -o
+      - /download/server_mods.tar
+    volumeMounts:
+      - name: download
+        mountPath: /download
+        readOnly: false
+  - name: 1-copy-plugins-to-minecraft
+    image: ubuntu
+    command:
+      - sh
+      - -c
+      - cd /mods  && tar -xvf /download/server_mods.tar || true
+    volumeMounts:
+      - name: plugins
+        mountPath: /mods
+        readOnly: false
+      - name: download
+        mountPath: /download
+        readOnly: false
+extraVolumes: 
+  - volumeMounts:
+      - name: plugins
+        mountPath: /data/mods
+        readOnly: false
+    volumes:
+      - name: plugins
+        emptyDir:
+          sizeLimit: 500Mi
+      - name: download
+        emptyDir:
+          sizeLimit: 500Mi
--- a/values/badhouseplants/values.minio-operator.yaml
+++ b/values/badhouseplants/values.minio-operator.yaml
@ -0,0 +1,2 @@
+operator:
+  replicaCount: 1
--- a/values/badhouseplants/values.minio-tenant.yaml
+++ b/values/badhouseplants/values.minio-tenant.yaml
@ -0,0 +1,136 @@
+secrets: null
+tenant:
+  name: minio
+  # The Kubernetes secret name that contains MinIO environment variable configurations.
+  # The secret is expected to have a key named config.env containing environment variables exports.
+  existingSecret: false
+  configSecret:
+    name: myminio-env-configuration
+    accessKey: minio
+    secretKey: minio123
+  pools:
+    - servers: 1
+      storageClassName: ceph-filesystem
+      name: main
+      volumesPerServer: 1
+      size: 5Gi
+      storageAnnotations: { }
+      annotations: { }
+      labels: { }
+      tolerations: [ ]
+      nodeSelector: { }
+      resources: { }
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        fsGroupChangePolicy: "OnRootMismatch"
+        runAsNonRoot: true
+      containerSecurityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints: [ ]
+  env:
+    - name: MINIO_IDENTITY_OPENID_CONFIG_URL
+      value: https://authentik.badhouseplants.net/application/o/minio/.well-known/openid-configuration
+    - name: MINIO_IDENTITY_OPENID_CLIENT_ID 
+      value: minio
+    - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
+      value: Z2vCo8rw5jsEVZlvc3wCjPjUIcN31PAxEJQvZvzfawUtWPRCefk8uCjzffsOlK61RImz7IRUeGOfBeDnt7Xa8hpnhkXe6Dq2kBF0lZaUh0v3Jm3HV9zNONdAjxWaUJrh
+    - name: MINIO_IDENTITY_OPENID_SCOPES
+      value: openid,profile,email,groups
+    - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
+      value: groups
+    - name: MINIO_IDENTITY_OPENID_REDIRECT_URI
+      value: https://minio-new.badhouseplants.net/oauth_callback
+    - name: MINIO_IDENTITY_OPENID_DISPLAY_NAME
+      value: Authentik
+    - name: MINIO_SERVER_URL
+      value: https://s3-new.badhouseplants.net:443
+  mountPath: /export
+  subPath: /data
+  metrics:
+    enabled: false
+    port: 9000
+    protocol: http
+  certificate:
+    externalCaCertSecret: [ ]
+    externalCertSecret: [ ]
+    requestAutoCert: false
+    certConfig: { }
+  features:
+    bucketDNS: false
+    domains: { }
+    enableSFTP: false
+  ###
+  # Array of objects describing one or more buckets to create during tenant provisioning.
+  # Example:
+  # 
+  # .. code-block:: yaml
+  #
+  #    - name: my-minio-bucket
+  #         objectLock: false        # optional
+  #         region: us-east-1        # optional
+  buckets:
+    - name: test
+  users: [ ]
+  podManagementPolicy: Parallel
+  liveness: { }
+  readiness: { }
+  startup: { }
+  lifecycle: { }
+  prometheusOperator: false
+  additionalVolumes: [ ]
+  ###
+  # An array of volume mount points associated to each Tenant container.
+  # 
+  # Specify each item in the array as follows:
+  #
+  # .. code-block:: yaml
+  #
+  #    volumeMounts:
+  #    - name: volumename
+  #      mountPath: /path/to/mount
+  #
+  # The ``name`` field must correspond to an entry in the ``additionalVolumes`` array.
+  additionalVolumeMounts: [ ]
+ingress:
+  api:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      kubernetes.io/tls-acme: "true"
+      kubernetes.io/ingress.allow-http: "false"
+      kubernetes.io/ingress.global-static-ip-name: ""
+      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+    tls:
+      - secretName: s3-new.badhouseplants.net
+        hosts:
+          - s3-new.badhouseplants.net
+    host: s3-new.badhouseplants.net
+    path: /
+    pathType: Prefix
+  console:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      kubernetes.io/tls-acme: "true"
+      kubernetes.io/ingress.allow-http: "false"
+      kubernetes.io/ingress.global-static-ip-name: ""
+      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+    tls:
+      - secretName: minio-new.badhouseplants.net
+        hosts:
+          - minio-new.badhouseplants.net
+    host: minio-new.badhouseplants.net
+    path: /
+    pathType: Prefix
--- a/values/badhouseplants/values.minio.yaml
+++ b/values/badhouseplants/values.minio.yaml
@ -99,6 +99,10 @@ buckets:
  - name: allanger-music
    policy: download
    purge: false
+  - name: minecraft-mods
+    policy: download
+    purge: false
+    versioning: false
 metrics:
  serviceMonitor:
    enabled: false
--- a/values/badhouseplants/values.openvpn.yaml
+++ b/values/badhouseplants/values.openvpn.yaml
@ -0,0 +1,46 @@
+---
+# ------------------------------------------
+# -- Istio extenstion. Just because I'm
+# --  not using ingress nginx
+# ------------------------------------------
+# istio:
+  # enabled: true
+  # istio:
+    # - name: openvpn-tcp-xor
+      # gateway: istio-system/badhouseplants-vpn
+      # kind: tcp
+      # port_match: 1194
+      # hostname: "*"
+      # service: openvpn-xor
+      # port: 1194
+# ------------------------------------------
+traefik:
+  enabled: true
+  tcpRoutes:
+    - name: openvpn
+      service: openvpn
+      match: HostSNI(`*`)
+      entrypoint: openvpn
+      port: 1194
+tcproute:
+  enabled: false
+storage:
+  size: 128Mi
+
+openvpn:
+  proto: tcp
+  host: 195.201.249.91
+
+easyrsa:
+  cn: Bad Houseplants
+  country: Germany
+  province: NRW
+  city: Duesseldorf
+  org: Bad Houseplants
+  email: allanger@zohomail.com
+
+service:
+  type: ClusterIP
+  port: 1194
+  targetPort: 1194
+  protocol: TCP
--- a/values/badhouseplants/values.rook-ceph-cluster.yaml
+++ b/values/badhouseplants/values.rook-ceph-cluster.yaml
@ -83,9 +83,9 @@ cephClusterSpec:
    osd:
      requests:
        cpu: "500m"
-        memory: "1280Mi"
+        memory: "1408Mi"
      limits:
-        memory: "1280Mi"
+        memory: "1408Mi"
          #limits:
          #  cpu: "400m"
          #  memory: "1280Mi"
--- a/values/badhouseplants/values.stalwart.yaml
+++ b/values/badhouseplants/values.stalwart.yaml
@ -1,6 +1,54 @@
 shortcuts:
  hostname: stalwart.badhouseplants.net
+workload:
+  initContainers:
+    prepare-config:
+      image:
+        registry: registry.hub.docker.com
+        repository: stalwartlabs/mail-server
+        tag:
+        pullPolicy: Always
+      mounts:
+        files:
+          config:
+            path: /app/config/config.toml
+            subPath: config.toml
+        extraVolumes:
+          etc:
+            path: /app/etc
+      command:
+        - sh
+      args:
+        - -c
+        - cp /app/config/config.toml /app/etc/config.toml
+         
+  containers:
+    stalwart:
+      args:
+        - --config
+        - /app/etc/config.toml
+      mounts:
+        extraVolumes:
+          certs:
+            path: /app/certs
+          data:
+            path: /app/data
+          logs:
+            path: /app/logs
+          etc:
+            path: /app/etc

+
+extraVolumes:
+  certs:
+    secret:
+      secretName: stalwart.badhouseplants.net
+  etc:
+    emptyDir: {}
+  logs:
+    emptyDir: {}
+  data:
+    emptyDir: {}
 ingress:
  main:
    annotations:
@ -44,3 +92,100 @@ traefik:
      service: stalwart-pop3s
      entrypoint: pop3s
      port: 995
+
+storage:
+  data:
+    storageClassName: ceph-filesystem
+
+files:
+  config:
+    enabled: true
+    sensitive: true
+    remove: []
+    entries:
+      # Ref: https://github.com/stalwartlabs/mail-server/blob/main/resources/config/config.toml
+      config.toml:
+        data: |
+          [server.listener."smtp"]
+          bind = ["[::]:25"]
+          protocol = "smtp"
+          
+          [server.listener."submission"]
+          bind = ["[::]:587"]
+          protocol = "smtp"
+          
+          [server.listener."submissions"]
+          bind = ["[::]:465"]
+          protocol = "smtp"
+          tls.implicit = true
+          
+          [server.listener."imap"]
+          bind = ["[::]:143"]
+          protocol = "imap"
+          
+          [server.listener."imaptls"]
+          bind = ["[::]:993"]
+          protocol = "imap"
+          tls.implicit = true
+          
+          [server.listener.pop3]
+          bind = "[::]:110"
+          protocol = "pop3"
+          
+          [server.listener.pop3s]
+          bind = "[::]:995"
+          protocol = "pop3"
+          tls.implicit = true
+          
+          [server.listener."sieve"]
+          bind = ["[::]:4190"]
+          protocol = "managesieve"
+          
+          [server.listener."https"]
+          protocol = "https"
+          bind = ["[::]:443"]
+          tls.implicit = false
+
+          [server.listener."http"]
+          bind = "[::]:8080"
+          protocol = "http"
+          
+          [storage]
+          data = "rocksdb"
+          fts = "rocksdb"
+          blob = "rocksdb"
+          lookup = "rocksdb"
+          directory = "internal"
+          
+          [store."rocksdb"]
+          type = "rocksdb"
+          path = "/app/data"
+          compression = "lz4"
+          
+          [directory."internal"]
+          type = "internal"
+          store = "rocksdb"
+          
+          [tracer."stdout"]
+          type = "stdout"
+          level = "info"
+          ansi = false
+          enable = true
+          
+          #[server.run-as]
+          #user = "stalwart-mail"
+          #group = "stalwart-mail"
+          
+          [authentication.fallback-admin]
+          user = "admin"
+          secret = 'R@ndomToken$tring'
+          
+          [tracer.console]
+          type = "console"
+          level = "info"
+          ansi = true
+          enable = true
+          
+          [certificate."default"]
+          cert = "%{file:/app/certs/tls.crt}%"
+          private-key = "%{file:/app/certs/tls.key}%"
--- a/values/badhouseplants/values.velero.yaml
+++ b/values/badhouseplants/values.velero.yaml
@ -5,13 +5,14 @@ initContainers:
    volumeMounts:
      - mountPath: /target
        name: plugins
+
 configuration:
  features: EnableCSI
  backupStorageLocation:
  - name: default
    provider: aws
    plugin: velero/velero-plugin-for-aws:v1.2.1
-    bucket: restic
+    bucket: velero
    accessMode: ReadWrite
    credential:
      name: velero-s3-creds
@ -26,6 +27,7 @@ configuration:
    provider: aws
    config:
      region: us-east-1
+
 deployNodeAgent: true
 schedules:
  daily:
--- a/values/badhouseplants/values.woodpecker-ci.yaml
+++ b/values/badhouseplants/values.woodpecker-ci.yaml
@ -34,7 +34,7 @@ server:
    WOODPECKER_GITEA: true
    WOODPECKER_GITEA_URL: https://gitea.badhouseplants.net
    WOODPECKER_DATABASE_DRIVER: postgres
-    WOODPECKER_GITEA_CLIENT: ab5e4687-a476-4668-9fbc-288d54095634
+    WOODPECKER_GITEA_CLIENT: 4ea3d706-691e-4cec-a748-5108715cf72d
    WOODPECKER_OPEN: true
    WOODPECKER_ADMIN: "woodpecker,allanger"
    WOODPECKER_HOST: "https://ci.badhouseplants.net"
--- a/values/badhouseplants/values.zot.yaml
+++ b/values/badhouseplants/values.zot.yaml
@ -1,22 +1,20 @@
 ingress:
  enabled: true
-  className: ~
+  className: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
-    kubernetes.io/ingress.class: traefik
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.allow-http: "false"
-    kubernetes.io/ingress.global-static-ip-name: ""
    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
-  pathtype: ImplementationSpecific
+  pathtype: Prefix
  hosts:
-    - host: registry.badhouseplants.net
+    - host: zot.badhouseplants.net
      paths:
        - path: /
  tls:
-    - secretName: registry.badhouseplants.net
+    - secretName: zot.badhouseplants.net
      hosts:
-        - registry.badhouseplants.net
+        - zot.badhouseplants.net
 service:
  type: ClusterIP
 persistence: true
@ -24,24 +22,8 @@ pvc:
  create: true
  accessMode: "ReadWriteMany"
  storage: 5Gi
+  storageClassName: ceph-filesystem
 mountConfig: true
 mountSecret: true
 strategy:
  type: Recreate
-  #configFiles:
-  #  ui.json: |-
-  #    {
-  #      "log": {
-  #        "level": "info"
-  #      },
-  #      "extensions": {
-  #        "search": {
-  #          "cve": {
-  #            "updateInterval": "2h"
-  #          }
-  #        },
-  #        "ui": {
-  #          "enable": true
-  #        }
-  #      }
-  #    }
--- a/values/etersoft/values.cert-manager.yaml
+++ b/values/etersoft/values.cert-manager.yaml
@ -0,0 +1,25 @@
+crds:
+  enabled: true
+networkPolicy:
+  enabled: true
+resources:
+  requests:
+    cpu: 30m
+    memory: 100Mi
+  limits: 
+    memory: 100Mi
+cainjector:
+  resources:
+    requests:
+      cpu: 20m
+      memory: 150Mi
+    limits: 
+      memory: 150Mi
+webhook:
+  resources:
+    requests:
+      cpu: 50m
+      memory: 150Mi
+    limits: 
+      memory: 150Mi
+
--- a/values/etersoft/values.cilium.yaml
+++ b/values/etersoft/values.cilium.yaml
@ -0,0 +1,8 @@
+operator:
+  replicas: 1
+endpointRoutes:
+  enabled: true
+ipam:
+  ciliumNodeUpdateRate: "15s"
+  operator:
+    clusterPoolIPv4PodCIDRList: ["192.168.0.0/16"]
--- a/values/etersoft/values.coredns.yaml
+++ b/values/etersoft/values.coredns.yaml
@ -0,0 +1,32 @@
+service:
+  clusterIP: 10.43.0.10
+
+servers:
+  - zones:
+      - zone: .
+    port: 53
+    plugins:
+    - name: errors
+    # Serves a /health endpoint on :8080, required for livenessProbe
+    - name: health
+      configBlock: |-
+        lameduck 5s
+    # Serves a /ready endpoint on :8181, required for readinessProbe
+    - name: ready
+    # Required to query kubernetes API for data
+    - name: kubernetes
+      parameters: cluster.local in-addr.arpa ip6.arpa
+      configBlock: |-
+        pods insecure
+        fallthrough in-addr.arpa ip6.arpa
+        ttl 30
+    # Serves a /metrics endpoint on :9153, required for serviceMonitor
+    - name: prometheus
+      parameters: 0.0.0.0:9153
+    - name: forward
+      parameters: . 1.1.1.1 1.0.0.1
+    - name: cache
+      parameters: 30
+    - name: loop
+    - name: reload
+    - name: loadbalance
--- a/values/etersoft/values.local-path-provisioner.yaml
+++ b/values/etersoft/values.local-path-provisioner.yaml
@ -0,0 +1,6 @@
+storageClass:
+  create: true
+  defaultClass: true
+  defaultVolumeType: local
+  reclaimPolicy: Delete
+  volumeBindingMode: Immediate
--- a/values/etersoft/values.metallb-resources.yaml
+++ b/values/etersoft/values.metallb-resources.yaml
@ -0,0 +1,5 @@
+metallb:
+  enabled: true
+  ippools:
+    - name: etersoft
+      addresses: 91.232.225.63-91.232.225.63
--- a/values/etersoft/values.metallb.yaml
+++ b/values/etersoft/values.metallb.yaml
@ -0,0 +1,71 @@
+controller:
+  enabled: true
+  logLevel: warn
+  image:
+    repository: quay.io/metallb/controller
+    tag:
+    pullPolicy:
+  strategy:
+    type: RollingUpdate
+  securityContext:
+    runAsNonRoot: true
+    # nobody
+    runAsUser: 65534
+    fsGroup: 65534
+  resources:
+    requests:
+      cpu: 20m
+      memory: 100Mi
+    limits:
+      memory: 100Mi
+  livenessProbe:
+    enabled: true
+    failureThreshold: 3
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 3
+  readinessProbe:
+    enabled: true
+    failureThreshold: 3
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 3
+
+speaker:
+  enabled: true
+  logLevel: warn
+  tolerateMaster: true
+  image:
+    repository: quay.io/metallb/speaker
+    tag:
+    pullPolicy:
+  securityContext: {}
+  resources: 
+    requests:
+      cpu: 100m
+      memory: 250Mi
+    limits:
+      memory: 250Mi
+  livenessProbe:
+    enabled: true
+    failureThreshold: 3
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 3
+  readinessProbe:
+    enabled: true
+    failureThreshold: 3
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    successThreshold: 1
+    timeoutSeconds: 3
+  startupProbe:
+    enabled: true
+    failureThreshold: 30
+    periodSeconds: 5
+crds:
+  enabled: true
+  validationFailurePolicy: Fail
--- a/values/etersoft/values.minio.yaml
+++ b/values/etersoft/values.minio.yaml
@ -0,0 +1,131 @@
+---
+ingress:
+  enabled: true
+  ingressClassName: ~
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.global-static-ip-name: ""
+    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+  path: /
+  hosts:
+    - s3.3.badhouseplants.net
+  tls:
+    - secretName: s3.e.badhouseplants.net
+      hosts:
+        - s3.e.badhouseplants.net
+consoleIngress:
+  enabled: true
+  ingressClassName: ~
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.global-static-ip-name: ""
+    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+  path: /
+  hosts:
+    - minio.e.badhouseplants.net
+  tls:
+    - secretName: minio.e.badhouseplants.net
+      hosts:
+        - minio.e.badhouseplants.net
+
+rootUser: 'overlord'
+replicas: 1
+mode: standalone
+environment:
+  MINIO_SERVER_URL: "https://s3.e.badhouseplants.net:443"
+tls:
+  enabled: false
+  certSecret: ''
+  publicCrt: public.crt
+  privateKey: private.key
+persistence:
+  enabled: true
+  accessMode: ReadWriteOnce
+  size: 100Gi
+service:
+  type: ClusterIP
+  clusterIP: ~
+  port: '9000'
+consoleService:
+  type: ClusterIP
+  clusterIP: ~
+  port: '9001'
+resources:
+  requests:
+    memory: 2Gi
+buckets:
+  - name: badhouseplants-net
+    policy: download
+    purge: false
+    versioning: false
+  - name: badhouseplants-js
+    policy: download
+    purge: false
+    versioning: false
+  - name: badhouseplants-net-main
+    policy: download
+    purge: false
+    versioning: false
+  - name: sharing
+    policy: download
+    purge: false
+    versioning: false
+  - name: allanger-music
+    policy: download
+    purge: false
+metrics:
+  serviceMonitor:
+    enabled: false
+    public: true
+    additionalLabels: {}
+policies:
+  - name: allanger
+    statements:
+      - resources:
+          - 'arn:aws:s3:::*'
+        actions:
+          - "s3:*"
+      - resources: []
+        actions:
+          - "admin:*"
+      - resources: []
+        actions:
+          - "kms:*"
+  - name: Admins
+    statements:
+      - resources:
+          - 'arn:aws:s3:::*'
+        actions:
+          - "s3:*"
+      - resources: []
+        actions:
+          - "admin:*"
+      - resources: []
+        actions:
+          - "kms:*"
+  - name: DevOps
+    statements:
+      - resources:
+          - 'arn:aws:s3:::badhouseplants-net'
+        actions:
+          - "s3:*"
+      - resources:
+          - 'arn:aws:s3:::badhouseplants-net/*'
+        actions:
+          - "s3:*"
+  - name: sharing
+    statements:
+      - resources:
+          - 'arn:aws:s3:::sharing'
+        actions:
+          - "s3:*"
+      - resources:
+          - 'arn:aws:s3:::sharing/*'
+        actions:
+          - "s3:*"
--- a/values/etersoft/values.namespaces.yaml
+++ b/values/etersoft/values.namespaces.yaml
@ -0,0 +1,3 @@
+namespaces:
+  - name: applications
+  - name: platform
--- a/values/badhouseplants/values.openvpn-xor.yaml
+++ b/values/badhouseplants/values.openvpn-xor.yaml
@ -17,8 +17,8 @@
 traefik:
  enabled: true
  tcpRoutes:
-    - name: openvpn-xor
-      service: openvpn-xor
+    - name: openvpn
+      service: openvpn
      match: HostSNI(`*`)
      entrypoint: openvpn
      port: 1194
--- a/values/etersoft/values.openvpn.yaml
+++ b/values/etersoft/values.openvpn.yaml
@ -0,0 +1,35 @@
+storage:
+  class: microk8s-hostpath
+  size: 5Gi
+openvpn:
+  proto: tcp
+  host: 91.232.225.63
+service:
+  type: ClusterIP
+  port: 1194
+  targetPort: 1194
+  protocol: TCP
+easyrsa:
+  cn: Bad Houseplants
+  country: Germany
+  province: NRW
+  city: Duesseldorf
+  org: Bad Houseplants
+  email: allanger@zohomail.com
+istio-resources:
+  enabled: true
+  gateways:
+    - metadata:
+        name: etersoft-vpn
+        namespace: istio-system
+      spec:
+        selector: 
+          istio: ingressgateway
+        servers: 
+          - hosts:
+              - '*'
+            port:
+              name: openvpn
+              number: 1194
+              protocol: TCP
+
--- a/values/etersoft/values.roles.yaml
+++ b/values/etersoft/values.roles.yaml
@ -0,0 +1 @@
+roles: []
--- a/values/etersoft/values.traefik.yaml
+++ b/values/etersoft/values.traefik.yaml
@ -0,0 +1,84 @@
+globalArguments:
+  - "--serversTransport.insecureSkipVerify=true"
+ports:
+  web:
+    redirectTo:
+      port: websecure
+  ssh:
+    port: 22
+    expose:
+      default: true
+    exposedPort: 22
+    protocol: TCP
+  openvpn:
+    port: 1194
+    expose:
+      default: true
+    exposedPort: 1194
+    protocol: TCP
+  valve-server:
+    port: 27015
+    expose:
+      default: true
+    exposedPort: 27015
+    protocol: UDP
+  valve-rcon:
+    port: 27015
+    expose:
+      default: true
+    exposedPort: 27015
+    protocol: TCP
+  smtp:
+    port: 25
+    protocol: TCP
+    exposedPort: 25
+    expose:
+      default: true
+  smtps:
+    port: 465
+    protocol: TCP
+    exposedPort: 465
+    expose:
+      default: true
+  smtp-startls:
+    port: 587
+    protocol: TCP
+    exposedPort: 587
+    expose:
+      default: true  
+  imap:
+    port: 143
+    protocol: TCP
+    exposedPort: 143
+    expose:
+      default: true
+  imaps:
+    port: 993
+    protocol: TCP
+    exposedPort: 993
+    expose:
+      default: true
+  pop3:
+    port: 110
+    protocol: TCP
+    exposedPort: 110
+    expose:
+      default: true
+  pop3s:
+    port: 995
+    protocol: TCP
+    exposedPort: 995
+    expose:
+      default: true
+  minecraft:
+    port: 25565
+    protocol: TCP
+    exposedPort: 25565
+    expose:
+      default: true
+  shadowsocks:
+    port: 8388
+    protocol: TCP
+    exposedPort: 8388
+    expose:
+      default: true
--- a/velero-cm/change-storage-class.yaml
+++ b/velero-cm/change-storage-class.yaml
@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: change-storage-class-config
-  namespace: velero
-  labels:
-    velero.io/plugin-config: ""
-    velero.io/change-storage-class: RestoreItemAction
-data:
-  ceph-filesystem: local-path