chore(deps): update redis docker tag to v20.11.4

Migrate minecraft
Enable gitea metrics
2025-04-08 01:01:07 +00:00 · 2025-04-07 15:37:04 +02:00 · 2025-04-07 14:35:11 +02:00 · 2025-04-07 13:59:10 +02:00 · 2025-04-07 13:42:14 +02:00 · 2025-04-07 12:46:52 +02:00
146 changed files with 2347 additions and 921 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -8,9 +8,10 @@ repos:
    hooks:
      - id: yamlfmt
        exclude: |
-          (?x)^(
+          (?x)(
-            .*secrets.*yaml
+            ^charts/|
-          )$
+            ^.*secrets.*yaml|
          )
          #  - repo: https://github.com/codespell-project/codespell
          #    rev: v2.2.4
          #    hooks:
--- a/.sops.yaml
+++ b/.sops.yaml
@ -8,3 +8,7 @@ creation_rules:
    key_groups:
      - age:
          - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
  - path_regex: common/values/secrets.*
    key_groups:
      - age:
          - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
--- a/charts/issuer/templates/issuer.yaml
+++ b/charts/issuer/templates/issuer.yaml
@ -1,10 +1,23 @@
 {{- range $name, $issuer := .Values.clusterIssuers }}
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  labels:
-    {{- include "issuer.labels" . | nindent 4 }}
+    {{- include "issuer.labels" $ | nindent 4 }}
-  name: "{{ .Values.name }}"
+  name: "{{ $name }}"
 spec:
-  acme:
+{{ $issuer.spec | toYaml | indent 2 }}
-{{ .Values.spec | toYaml | indent 2 }}
+{{- end }}
 {{- range $name, $issuer := .Values.issuers }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  labels:
    {{- include "issuer.labels" $ | nindent 4 }}
  name: "{{ $name }}"
  namespace: {{ $issuer.namespace }}
 spec:
 {{ $issuer.spec | toYaml | indent 2 }}
 {{- end }}
--- a/charts/metallb-resources/.helmignore
+++ b/charts/metallb-resources/.helmignore
--- a/charts/metallb-resources/Chart.yaml
+++ b/charts/metallb-resources/Chart.yaml
@ -0,0 +1,24 @@
 apiVersion: v2
 name: metallb-resources
 description: A Helm chart for Kubernetes
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
 # to be deployed.
 #
 # Library charts provide useful utilities or functions for the chart developer. They're included as
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "1.16.0"
--- a/charts/metallb-resources/templates/_helpers.tpl
+++ b/charts/metallb-resources/templates/_helpers.tpl
@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "root.name" -}}
+{{- define "metallb-resources.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "root.fullname" -}}
+{{- define "metallb-resources.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "root.chart" -}}
+{{- define "metallb-resources.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Common labels
 */}}
-{{- define "root.labels" -}}
+{{- define "metallb-resources.labels" -}}
-helm.sh/chart: {{ include "root.chart" . }}
+helm.sh/chart: {{ include "metallb-resources.chart" . }}
-{{ include "root.selectorLabels" . }}
+{{ include "metallb-resources.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "root.selectorLabels" -}}
+{{- define "metallb-resources.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "root.name" . }}
+app.kubernetes.io/name: {{ include "metallb-resources.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "root.serviceAccountName" -}}
+{{- define "metallb-resources.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "root.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "metallb-resources.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
--- a/charts/metallb-resources/templates/ip_address_pool.tpl
+++ b/charts/metallb-resources/templates/ip_address_pool.tpl
@ -0,0 +1,7 @@
 apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
  name: {{ include "metallb-resources.fullname" . }}
 spec:
  addresses:
  - {{ .Values.addresses}}
--- a/charts/metallb-resources/values.yaml
+++ b/charts/metallb-resources/values.yaml
@ -0,0 +1 @@
 addresses: 1.1.1.1-1.1.1.1
--- a/charts/namespaces/.helmignore
+++ b/charts/namespaces/.helmignore
--- a/charts/namespaces/chart/Chart.yaml
+++ b/charts/namespaces/chart/Chart.yaml
--- a/charts/namespaces/kustomize/flux-system.yml
+++ b/charts/namespaces/kustomize/flux-system.yml
@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: flux-system
  labels:
    name: flux-system
--- a/charts/namespaces/kustomize/giantswarm-flux.yml
+++ b/charts/namespaces/kustomize/giantswarm-flux.yml
@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: giantswarm-flux
  labels:
    name: giantswarm-flux
--- a/charts/namespaces/kustomize/giantswarm.yml
+++ b/charts/namespaces/kustomize/giantswarm.yml
@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: giantswarm
  labels:
    name: giantswarm
--- a/charts/namespaces/kustomize/kustomization.yaml
+++ b/charts/namespaces/kustomize/kustomization.yaml
@ -1,5 +0,0 @@
 resources:
  - ./giantswarm-flux.yml
  - ./giantswarm.yml
  - ./monitoring.yml
  - ./org-giantswarm.yml
--- a/charts/namespaces/kustomize/monitoring.yml
+++ b/charts/namespaces/kustomize/monitoring.yml
@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: monitoring
  labels:
    name: monitoring
--- a/charts/namespaces/kustomize/org-giantswarm.yml
+++ b/charts/namespaces/kustomize/org-giantswarm.yml
@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: org-giantswarm
  labels:
    name: org-giantswarm
--- a/charts/namespaces/chart/templates/_helpers.tpl
+++ b/charts/namespaces/chart/templates/_helpers.tpl
--- a/charts/namespaces/chart/templates/namespaces.yaml
+++ b/charts/namespaces/chart/templates/namespaces.yaml
@ -15,5 +15,24 @@ metadata:
    {{- with $ns.annotations}}
    {{- toYaml . | nindent 4 }}
  {{- end }}
 {{- if $ns.defaultRegcred }}
 ---
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/dockerconfigjson
 metadata:
  name: regcred
  namespace: {{ $ns.name }}
 data:
  .dockerconfigjson: {{ $.Values.defaultRegcred }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: default
  namespace: {{ $ns.name }}
 imagePullSecrets:
  - name: regcred
 {{- end }}
 {{- end }}
 {{- end }}
--- a/charts/namespaces/chart/values.yaml
+++ b/charts/namespaces/chart/values.yaml
--- a/charts/root/Chart.yaml
+++ b/charts/root/Chart.yaml
@ -1,6 +0,0 @@
 apiVersion: v2
 name: root
 description: A Helm chart for Kubernetes
 type: application
 version: 0.1.5
 appVersion: "1.16.0"
--- a/charts/root/templates/root.yaml
+++ b/charts/root/templates/root.yaml
@ -1,25 +0,0 @@
 {{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: root
 spec:
  interval: 30s
  url: {{ .Values.url }}
  ref:
    branch: {{ .Values.branch }}
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: root
 spec:
  interval: 30s
  targetNamespace: flux-system
  sourceRef:
    kind: GitRepository
    name: root
  path: "."
  prune: false
  timeout: 1m
 {{- end }}
--- a/charts/root/templates/self.yaml
+++ b/charts/root/templates/self.yaml
@ -1,25 +0,0 @@
 {{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: root-self
 spec:
  interval: 30s
  url: {{ .Values.self.url }}
  ref:
    branch: {{ .Values.self.branch }}
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: root-self
 spec:
  interval: 30s
  targetNamespace: flux-system
  sourceRef:
    kind: GitRepository
    name: root-self
  path: "."
  prune: false
  timeout: 1m
 {{- end }}
--- a/charts/root/values.yaml
+++ b/charts/root/values.yaml
@ -1,5 +0,0 @@
 url: https://git.badhouseplants.net/giantswarm/cluster-example.git
 branch: main
 self:
  url: git@git.badhouseplants.net:giantswarm/root-config.git
  branch: master
--- a/charts/tf-ocloud/.helmignore
+++ b/charts/tf-ocloud/.helmignore
@ -1,23 +0,0 @@
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
 .DS_Store
 # Common VCS dirs
 .git/
 .gitignore
 .bzr/
 .bzrignore
 .hg/
 .hgignore
 .svn/
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
 .vscode/
--- a/charts/tf-ocloud/Chart.lock
+++ b/charts/tf-ocloud/Chart.lock
@ -1,6 +0,0 @@
 dependencies:
 - name: helm-library
  repository: oci://ghcr.io/allanger/allangers-helm-library
  version: 0.1.4
 digest: sha256:6306a6a8d3c51b2b5f37cffa88c3731550da789d1ce2317a83a3f9a657310f8e
 generated: "2024-10-16T20:01:59.337767+02:00"
--- a/charts/tf-ocloud/Chart.yaml
+++ b/charts/tf-ocloud/Chart.yaml
@ -1,15 +0,0 @@
 apiVersion: v2
 name: tf-ocloud
 type: application
 version: 0.1.0
 appVersion: 0.1.5
 maintainers:
  - name: allanger
    email: allanger@zohomail.com
    url: https://badhouseplants.net
 dependencies:
  - name: helm-library
    version: 0.2.3
    repository: oci://ghcr.io/allanger/allangers-helm-library
 annotations:
  allowed_workload_kinds: "Deployment"
--- a/charts/tf-ocloud/charts/helm-library-0.1.4.tgz
+++ b/charts/tf-ocloud/charts/helm-library-0.1.4.tgz
--- a/charts/tf-ocloud/templates/install.yaml
+++ b/charts/tf-ocloud/templates/install.yaml
@ -1,3 +0,0 @@
 {{ include "lib.component.workload" . }}
 {{ include "lib.component.files" . }}
 {{ include "lib.component.env" . }}
--- a/charts/tf-ocloud/values.yaml
+++ b/charts/tf-ocloud/values.yaml
@ -1,67 +0,0 @@
 ---
 workload:
  kind: Deployment
  strategy:
    type: RollingUpdate
  securityContext: {}
  containers:
    tf:
      securityContext: {}
      image:
        registry: zot.badhouseplants.net
        repository: badhouseplants/terraform-ocloud
        tag: 7eae6ec805bc99618a196abf9d4d2e0fd19f75e6
        pullPolicy: Always
      envFrom:
        - main
      mounts:
        files:
          ocloudkey:
            path: /src/key.pem
            subPath: key.pem
          publickey:
            path: /src/public_key
            subPath: public-key
          privatekey:
            path: /src/ssh_key
            subPath: ssh-key
          tfvars:
            path: /src/terraform.tfvars
            subPath: terraform.tfvars
        extraVolumes:
          dottf:
            path: /src/.terraform
 extraVolumes:
  dottf:
    emptyDir: {}
 files:
  ocloudkey:
    enabled: true
    sensitive: false
    remove: []
    entries:
      key.pem:
        data: dummy
  publickey:
    enabled: true
    sensitive: false
    remove: []
    entries:
      public-key:
        data: dummy
  privatekey:
    enabled: true
    sensitive: false
    remove: []
    entries:
      ssh-key:
        data: dummy
  tfvars:
    enabled: true
    sensitive: false
    remove: []
    entries:
      terraform.tfvars:
        data: dummy
--- a/common/environments.yaml
+++ b/common/environments.yaml
@ -2,6 +2,7 @@ environments:
  badhouseplants:
    kubeContext: badhouseplants
    values:
      - ./common/values/values.badhouseplants.yaml
      - base:
          enabled: true
      - velero:
@ -25,6 +26,7 @@ environments:
  etersoft:
    kubeContext: etersoft
    values:
      - ./common/values/values.etersoft.yaml
      - base:
          enabled: true
      - velero:
--- a/common/templates.yaml
+++ b/common/templates.yaml
@ -1,3 +1,6 @@
 helmDefaults:
  kubeContext: {{ .StateValues.kubeContext }}
 templates:
  # ---------------------------
  # -- Hooks
@ -37,12 +40,21 @@ templates:
  default-env-secrets:
    secrets:
      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/secrets.{{ `{{ .Release.Name }}` }}.yaml'
  common-values:
    values:
      - '../values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
  common-values-tpl:
    values:
      - '../values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
  env-values:
    values:
-      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
+      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
  env-values-tpl:
    values:
      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
  env-secrets:
    secrets:
-      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/secrets.yaml'
+      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/secrets.yaml'
  # ----------------------------
  # -- Extensions
  # ----------------------------
@ -59,7 +71,7 @@ templates:
        version: 2.0.0
        alias: traefik
    values:
-      - '{{ requiredEnv "PWD" }}/values/common/values.tcp-route.yaml'
+      - '../values/common/values.tcp-route.yaml'
  ext-udp-routes:
    dependencies:
      - chart: bedag/raw
@ -116,7 +128,7 @@ templates:
        version: 2.0.0
        alias: ext-database
    values:
-      - '{{ requiredEnv "PWD" }}/values/common/values.database.yaml'
+      - '../values/common/values.database.yaml'
  ext-secret:
    dependencies:
      - chart: bedag/raw
--- a/common/values/values.badhouseplants.yaml
+++ b/common/values/values.badhouseplants.yaml
@ -1,4 +1,6 @@
-namespaces:
+registry: registry.badhouseplants.net/containers
-  kubeSystem: kube-system
+registry_url: registry.badhouseplants.net
-  kubePublic: kube-public
+main_ip: 195.201.249.91
-  
+tools:
  openebs:
    enabled: true
--- a/common/values/values.etersoft.yaml
+++ b/common/values/values.etersoft.yaml
@ -0,0 +1,6 @@
 registry: registry.ru.badhouseplants.net/containers
 registry_url: registry.ru.badhouseplants.net
 main_ip: 91.232.225.63
 tools:
  openebs:
    enabled: false
--- a/helmfile.yaml
+++ b/helmfile.yaml
@ -1,11 +0,0 @@
 bases:
  - ./common/environments.yaml
  - ./common/templates.yaml
 helmfiles:
  - ./installations/system/
  - ./installations/databases/
  - ./installations/platform/
  - ./installations/pipelines/
  - ./installations/monitoring/
  - ./installations/applications/helmfile-{{ .Environment.Name }}.yaml
  - ./installations/games/
--- a/helmfile.yaml.gotmpl
+++ b/helmfile.yaml.gotmpl
@ -0,0 +1,26 @@
 ---
 bases:
  - ./common/environments.yaml
 ---
 helmfiles:
  - path: ./helmfiles/base.yaml
    values:
      - kubeContext: "{{ .Environment.KubeContext }}"
      - {{ toYaml .Environment.Values | nindent 8 }}
  - path: ./helmfiles/system.yaml
    values:
      - kubeContext: "{{ .Environment.KubeContext }}"
      - {{ toYaml .Environment.Values | nindent 8 }}
  - path: ./helmfiles/platform.yaml
    values:
      - kubeContext: "{{ .Environment.KubeContext }}"
      - {{ toYaml .Environment.Values | nindent 8 }}
  - path: ./helmfiles/databases.yaml
    values:
      - kubeContext: "{{ .Environment.KubeContext }}"
      - {{ toYaml .Environment.Values | nindent 8 }}
  - path: ./helmfiles/applications.yaml
    values:
      - kubeContext: "{{ .Environment.KubeContext }}"
      - {{ toYaml .Environment.Values | nindent 8 }}
--- a/helmfiles/applications.yaml
+++ b/helmfiles/applications.yaml
@ -0,0 +1,28 @@
 bases:
  - ../common/templates.yaml
 repositories:
  - name: gitea
    url: https://dl.gitea.io/charts/
  - name: bedag
    url: https://bedag.github.io/helm-charts/
  - name: minecraft
    url: https://itzg.github.io/minecraft-server-charts/
 releases:
  - name: app-gitea
    chart: gitea/gitea
    version: 11.0.0
    namespace: org-badhouseplants
    inherit:
      - template: env-values
      - template: env-secrets
  - name: minecraft
    chart: minecraft/minecraft
    namespace: games
    version: 4.26.1
    inherit:
      - template: common-values-tpl
      - template: env-values
      - template: env-secrets
--- a/helmfiles/base.yaml
+++ b/helmfiles/base.yaml
@ -0,0 +1,21 @@
 bases:
  - ../common/templates.yaml
 releases:
  # -- This one must be executed with --take-ownership at least once
  - name: namespaces
    chart: ../charts/namespaces
    namespace: kube-system
    createNamespace: false
    inherit:
      - template: env-values
      - template: env-secrets
  - name: roles
    chart: ../charts/roles
    namespace: kube-system
    createNamespace: false
    needs:
      - kube-system/namespaces
    inherit:
      - template: env-values
--- a/installations/databases/helmfile.yaml
+++ b/installations/databases/helmfile.yaml
@ -1,12 +1,14 @@
 bases:
-  - ../../common/environments.yaml
+  - ../common/templates.yaml
-  - ../../common/templates.yaml
+
 repositories:
  - name: bitnami
    url: registry-1.docker.io/bitnamicharts
    oci: true
  - name: bedag
    url: https://bedag.github.io/helm-charts/
 commonLabels:
  installation: databases
 releases:
  - name: redis
    chart: bitnami/redis
@ -14,8 +16,10 @@ releases:
    condition: redis.enabled
    version: 20.11.4
    inherit:
-      - template: default-env-values
+      - template: common-values-tpl
-      - template: default-env-secrets
+      - template: env-values
      - template: env-secrets
  - name: postgres16
    labels:
      bundle: postgres
@ -24,8 +28,10 @@ releases:
    condition: postgres16.enabled
    version: 15.5.38
    inherit:
-      - template: default-env-values
+      - template: common-values-tpl
-      - template: default-env-secrets
+      - template: env-values
      - template: env-secrets
  - name: postgres17
    labels:
      bundle: postgres
@ -34,5 +40,6 @@ releases:
    condition: postgres17.enabled
    version: 16.3.4
    inherit:
-      - template: default-env-values
+      - template: common-values-tpl
-      - template: default-env-secrets
+      - template: env-values
      - template: env-secrets
--- a/installations/platform/helmfile.yaml
+++ b/installations/platform/helmfile.yaml
@ -1,36 +1,70 @@
 bases:
-  - ../../common/environments.yaml
+  - ../common/templates.yaml
  - ../../common/templates.yaml
 repositories:
  - name: argo
    url: https://argoproj.github.io/argo-helm
  - name: db-operator
    url: https://db-operator.github.io/charts
  - name: zot
    url: https://zotregistry.dev/helm-charts/
  - name: bedag
    url: https://bedag.github.io/helm-charts/
  - name: crossplane-stable
    url: https://charts.crossplane.io/stable
  - name: goauthentik
    url: https://charts.goauthentik.io/
  - name: minio-standalone
    url: https://charts.min.io/
  - name: kyverno
    url: https://kyverno.github.io/kyverno/
  - name: external-dns
    url: https://kubernetes-sigs.github.io/external-dns/
  - name: keel
    url: https://keel-hq.github.io/keel/
  - name: uptime-kuma
    url: https://helm.irsigler.cloud
  - name: external-dns
    url: https://kubernetes-sigs.github.io/external-dns/
  - name: minio-standalone
    url: https://charts.min.io/
  - name: db-operator
    url: https://db-operator.github.io/charts
  - name: zot
    url: https://zotregistry.dev/helm-charts/
  - name: goauthentik
    url: https://charts.goauthentik.io/
 releases:
  - name: external-dns
    chart: external-dns/external-dns
    labels:
      layer: platform
    version: 1.15.2
    namespace: platform
    inherit:
      - template: common-values-tpl
      - template: env-values
      - template: env-secrets
  - name: keel
    chart: keel/keel
    version: v1.0.5
    labels:
      layer: platform
    namespace: platform
    inherit:
      - template: common-values-tpl
  - name: uptime-kuma
    chart: uptime-kuma/uptime-kuma
    version: 2.21.2
    namespace: platform
    labels:
      layer: platform
    inherit:
      - template: common-values-tpl
      - template: env-values
  - name: minio
    chart: minio-standalone/minio
    version: 5.4.0
    namespace: platform
    labels:
      layer: platform
    inherit:
      - template: common-values-tpl
      - template: env-values
      - template: env-secrets
  - name: db-operator
    namespace: platform
    chart: db-operator/db-operator
    version: 1.34.0
    inherit:
      - template: common-values-tpl
  - name: db-instances
    chart: db-operator/db-instances
@ -39,19 +73,18 @@ releases:
      - platform/db-operator
    version: 2.4.0
    inherit:
-      - template: default-env-values
+      - template: env-values
-      - template: default-env-secrets
+      - template: env-secrets
  - name: zot
    chart: zot/zot
    version: 0.1.67
    createNamespace: false
    installed: true
    namespace: platform
    condition: workload.enabled
    inherit:
-      - template: default-env-values
+      - template: common-values-tpl
-      - template: default-env-secrets
+      - template: env-values
      - template: env-secrets
  - name: authentik
    chart: goauthentik/authentik
@ -62,58 +95,7 @@ releases:
    needs:
      - platform/db-operator
    inherit:
-      - template: default-env-values
+      - template: common-values-tpl
-      - template: default-env-secrets
+      - template: env-values
      - template: env-secrets
      - template: ext-database
  - name: minio
    chart: minio-standalone/minio
    version: 5.4.0
    namespace: platform
    inherit:
      - template: default-env-values
      - template: default-env-secrets
  - name: kyverno
    chart: kyverno/kyverno
    namespace: kyverno
    labels:
      bootstrap: true
    version: 3.3.7
  - name: kyverno-policies
    chart: kyverno/kyverno-policies
    namespace: kyverno
    labels:
      bootstrap: true
    version: 3.3.4
    needs:
      - kyverno/kyverno
  - name: custom-kyverno-policies
    chart: "../../kustomizations/kyverno/{{ .Environment.Name }}"
    namespace: kyverno
    labels:
      bootstrap: true
    needs:
      - kyverno/kyverno
  - name: external-dns
    chart: external-dns/external-dns
    version: 1.15.2
    namespace: platform
    inherit:
      - template: default-env-values
      - template: default-env-secrets
  - name: keel
    chart: keel/keel
    version: v1.0.5
    namespace: platform
  - name: uptime-kuma
    chart: uptime-kuma/uptime-kuma
    version: 2.21.2
    namespace: platform
    inherit:
      - template: default-env-values
--- a/installations/system/helmfile.yaml
+++ b/installations/system/helmfile.yaml
@ -1,10 +1,13 @@
 bases:
-  - ../../common/environments.yaml
+  - ../common/templates.yaml
  - ../../common/templates.yaml
 repositories:
-  - name: bedag
+  - name: coredns
-    url: https://bedag.github.io/helm-charts/
+    url: https://coredns.github.io/helm
  - name: zot
    url: https://zotregistry.dev/helm-charts/
  - name: cilium
    url: https://helm.cilium.io/
  - name: metrics-server
    url: https://kubernetes-sigs.github.io/metrics-server/
  - name: jetstack
@ -13,84 +16,82 @@ repositories:
    url: https://metallb.github.io/metallb
  - name: traefik
    url: https://traefik.github.io/charts
-  - name: coredns
+  - name: local-path-provisioner
-    url: https://coredns.github.io/helm
+    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
-  - name: cilium
+  - name: kyverno
-    url: https://helm.cilium.io/
+    url: https://kyverno.github.io/kyverno/
  - name: vmware-tanzu
    url: https://vmware-tanzu.github.io/helm-charts/
  - name: openebs
    url: https://openebs.github.io/openebs
  - name: local-path-provisioner
    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
  - name: istio
    url: https://istio-release.storage.googleapis.com/charts
 releases:
  - name: namespaces
    chart: '{{ requiredEnv "PWD" }}/charts/namespaces/chart'
    namespace: kube-public
    createNamespace: false
    inherit:
      - template: default-env-values
  - name: roles
    chart: '{{ requiredEnv "PWD" }}/charts/roles'
    namespace: kube-public
    createNamespace: false
    needs:
      - kube-public/namespaces
    inherit:
      - template: default-env-values
  - name: coredns
    chart: coredns/coredns
    version: 1.39.1
    namespace: kube-system
    inherit:
-      - template: default-common-values
+      - template: common-values-tpl
  - name: cilium
    chart: cilium/cilium
    version: 1.17.2
    condition: base.enabled
    namespace: kube-system
    needs:
      - kube-system/coredns
    inherit:
-      - template: default-env-values
+      - template: common-values
      - template: common-values-tpl
  - name: cert-manager
    chart: jetstack/cert-manager
    version: v1.17.1
    namespace: kube-system
    condition: base.enabled
    missingFileHandler: Warn
    needs:
      - kube-system/cilium
    inherit:
-      - template: default-common-values
+      - template: common-values
-      - template: default-env-values
+      - template: common-values-tpl
  - name: issuer
-    chart: '{{ requiredEnv "PWD" }}/charts/issuer'
+    chart: ../charts/issuer
-    namespace: kube-public
+    namespace: kube-system
    missingFileHandler: Warn
    condition: base.enabled
    needs:
      - kube-system/cert-manager
    inherit:
-      - template: default-common-values
+      - template: common-values
      - template: default-env-values
-  - name: metrics-server
+  - name: local-path-provisioner
-    chart: metrics-server/metrics-server
+    chart: local-path-provisioner/local-path-provisioner
    version: 3.12.2
    namespace: kube-system
    inherit:
      - template: common-values-tpl
  - name: kyverno
    chart: kyverno/kyverno
    namespace: kyverno
    version: 3.3.7
    needs:
      - kube-system/cilium
    inherit:
-      - template: default-common-values
+      - template: common-values-tpl
  - name: kyverno-policies
    chart: kyverno/kyverno-policies
    namespace: kyverno
    version: 3.3.4
    needs:
      - kyverno/kyverno
  - name: custom-kyverno-policies
    chart: ../kustomizations/kyverno/{{ .Environment.Name }}
    namespace: kyverno
    needs:
      - kyverno/kyverno
  - name: metallb
    chart: metallb/metallb
@ -98,86 +99,83 @@ releases:
    condition: base.enabled
    version: 0.14.9
    needs:
-      - kube-system/cilium
+      - registry/cluster-mirror
    inherit:
-      - template: default-common-values
+      - template: common-values
      - template: common-values-tpl
  - name: metallb-resources
-    chart: bedag/raw
+    chart: ../charts/metallb-resources
    version: 2.0.0
    condition: base.enabled
    namespace: kube-system
    needs:
      - kube-system/metallb
    inherit:
-      - template: ext-metallb
+      - template: common-values-tpl
      - template: default-env-values
  - name: traefik
    chart: traefik/traefik
    version: 34.4.1
    condition: base.enabled
    namespace: kube-system
    inherit:
      - template: common-values-tpl
      - template: common-values
      - template: env-values
  - name: cluster-mirror
    chart: zot/zot
    version: 0.1.67
    createNamespace: false
    installed: true
    namespace: registry
    needs:
      - kube-system/cilium
    inherit:
-      - template: default-common-values
+      - template: common-values-tpl
-      - template: default-env-values
+      - template: env-secrets
  - name: metrics-server
    chart: metrics-server/metrics-server
    version: 3.12.2
    namespace: kube-system
    needs:
      - registry/cluster-mirror
    inherit:
      - template: common-values-tpl
  - name: openebs
    chart: openebs/openebs
    condition: tools.openebs.enabled
    namespace: kube-system
    version: 4.2.0
    inherit:
      - template: common-values-tpl
      - template: env-values
  - name: velero
    chart: vmware-tanzu/velero
    namespace: velero
-    version: 8.5.0
+    version: 8.7.0
    condition: velero.enabled
    needs:
      - kube-system/cilium
    inherit:
-      - template: default-env-values
+      - template: common-values-tpl
-      - template: default-env-secrets
+      - template: env-values
-      - template: crd-management-hook
+      - template: env-secrets
  - name: openebs
    chart: openebs/openebs
    condition: openebs.enabled
    namespace: kube-system
    version: 4.2.0
    needs:
      - kube-system/cilium
    inherit:
      - template: default-env-values
  # -- Not versions since it's idnstalled from git
  - name: local-path-provisioner
    chart: local-path-provisioner/local-path-provisioner
    condition: localpath.enabled
    namespace: kube-system
    needs:
      - kube-system/cilium
    inherit:
      - template: default-env-values
  - name: istio-base
    chart: istio/base
    condition: istio.enabled
    namespace: istio-system
    version: 1.25.1
    inherit:
-      - template: crd-management-hook
+      - template: common-values
  - name: istio-ingressgateway
    chart: istio/gateway
    condition: istio.enabled
    installed: false
    namespace: istio-system
    needs:
      - istio-system/istio-base
    inherit:
      - template: default-env-values
  - name: istiod
    chart: istio/istiod
    condition: istio.enabled
    namespace: istio-system
    version: 1.25.1
    inherit:
-      - template: default-env-values
+      - template: common-values-tpl
    needs:
      - istio-system/istio-base
--- a/installations/applications/helmfile-badhouseplants.yaml
+++ b/installations/applications/helmfile-badhouseplants.yaml
@ -20,6 +20,7 @@ releases:
    chart: gitea/gitea
    version: 11.0.0
    namespace: applications
    installed: false
    inherit:
      - template: default-env-values
      - template: default-env-secrets
@ -43,6 +44,7 @@ releases:
      - template: env-secrets
  - name: app-tandoor-recipes
    installed: false
    chart: allangers-charts/tandoor-recipes
    version: 0.2.0
    namespace: org-badhouseplants
@ -51,6 +53,15 @@ releases:
      - template: env-secrets
      - template: ext-database
  - name: app-tandoor-recipes
    chart: allangers-charts/tandoor-recipes
    version: 0.2.0
    namespace: org-allanger
    inherit:
      - template: env-values
      - template: env-secrets
      - template: ext-database
  - name: app-navidrome
    chart: allangers-charts/navidrome
    namespace: org-badhouseplants
@ -67,23 +78,13 @@ releases:
      - template: env-values
      - template: env-secrets
-  - name: navidrome
+  - name: app-gitea
-    chart: allangers-charts/navidrome
+    chart: gitea/gitea
-    namespace: applications
+    version: 11.0.0
-    installed: false
+    namespace: org-badhouseplants
    version: 0.5.0
    inherit:
-      - template: default-env-values
+      - template: env-values
-      - template: ext-traefik-middleware
+      - template: env-secrets
  - name: navidrome-private
    chart: allangers-charts/navidrome
    namespace: applications
    version: 0.5.0
    installed: false
    inherit:
      - template: default-env-values
      - template: default-env-secrets
  - name: server-xray-public
    chart: allangers-charts/server-xray
@ -110,7 +111,7 @@ releases:
  - name: memos
    chart: allangers-charts/memos
-    version: 0.2.0
+    version: 0.3.0
    namespace: applications
    inherit:
      - template: default-env-values
--- a/installations/applications/helmfile-etersoft.yaml
+++ b/installations/applications/helmfile-etersoft.yaml
@ -27,6 +27,14 @@ releases:
      - template: default-env-values
      - template: default-env-secrets
  - name: memos
    chart: allangers-charts/memos
    version: 0.3.0
    namespace: applications
    inherit:
      - template: default-env-values
  - name: external-service-xray
    chart: ../../kustomizations/external-service-xray
    installed: true
--- a/installations/development/helmfile.yaml
+++ b/installations/development/helmfile.yaml
@ -1,9 +0,0 @@
 bases:
  - ../../common/environments.yaml
  - ../../common/templates.yaml
 repositories:
  - name: argo
    url: https://argoproj.github.io/argo-helm
 releases:
  - name: badhouseplants
    namespace: platform
--- a/installations/games/helmfile.yaml
+++ b/installations/games/helmfile.yaml
@ -13,16 +13,7 @@ releases:
  - name: minecraft
    chart: minecraft/minecraft
    namespace: games
-    version: 4.25.1
+    version: 4.26.1
    inherit:
      - template: ext-tcp-routes
      - template: default-env-values
      - template: default-env-secrets
  - name: team-fortress-2
    chart: allangers-charts/team-fortress-2
    namespace: team-fortress-2
    version: 0.1.2
    inherit:
      - template: ext-tcp-routes
      - template: default-env-values
--- a/installations/pipelines/helmfile.yaml
+++ b/installations/pipelines/helmfile.yaml
@ -26,7 +26,7 @@ releases:
      - template: default-env-secrets
  - name: renovate-github
    chart: renovate/renovate
-    installed: false
+    installed: true
    namespace: pipelines
    version: 39.208.1
    inherit:
--- a/kustomizations/kyverno/badhouseplants/pvc-patch.yaml
+++ b/kustomizations/kyverno/badhouseplants/pvc-patch.yaml
@ -4,6 +4,19 @@ metadata:
  name: replace-storage-class-by-openebs
 spec:
  rules:
    - name: local-path-fix
      match:
        any:
          - resources:
              kinds:
                - PersistentVolumeClaim
              namespaces:
                - registry
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              volume.kubernetes.io/selected-node: bordeaux
    - name: replace-storage-class
      match:
        any:
@ -24,22 +37,22 @@ spec:
            storageClassName: openebs-hostpath
            accessModes:
              - ReadWriteOnce
-    - name: remove-unwanted-annotations
+    #- name: remove-unwanted-annotations
-      match:
+    #  match:
-        any:
+    #    any:
-          - resources:
+    #      - resources:
-              kinds:
+    #          kinds:
-                - PersistentVolumeClaim
+    #            - PersistentVolumeClaim
-              namespaces:
+    #          namespaces:
-                - games
+    #            - games
-      mutate:
+    #  mutate:
-        patchesJson6902: |-
+    #    patchesJson6902: |-
-          - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-class"
+    #      - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-class"
-            op: replace
+    #        op: replace
-            value: openebs-hostpath
+    #        value: openebs-hostpath
-          - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-provisioner"
+    #      - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-provisioner"
-            op: replace
+    #        op: replace
-            value: openebs.io/local
+    #        value: openebs.io/local
-          - path: "/metadata/annotations/volume.kubernetes.io~1storage-provisioner"
+    #      - path: "/metadata/annotations/volume.kubernetes.io~1storage-provisioner"
-            op: replace
+    #        op: replace
-            value: openebs.io/local
+    #        value: openebs.io/local
--- a/kustomizations/kyverno/etersoft/pvc-patch.yaml
+++ b/kustomizations/kyverno/etersoft/pvc-patch.yaml
@ -13,6 +13,7 @@ spec:
              namespaces:
                - applications
                - platform
                - registry
      mutate:
        patchStrategicMerge:
          metadata:
--- a/values/badhouseplants/databases/postgres16/secrets.yaml
+++ b/values/badhouseplants/databases/postgres16/secrets.yaml
--- a/values/badhouseplants/databases/postgres16/values.yaml
+++ b/values/badhouseplants/databases/postgres16/values.yaml
--- a/values/badhouseplants/databases/postgres17/secrets.yaml
+++ b/values/badhouseplants/databases/postgres17/secrets.yaml
--- a/values/badhouseplants/databases/postgres17/values.yaml
+++ b/values/badhouseplants/databases/postgres17/values.yaml
--- a/values/badhouseplants/databases/redis/secrets.yaml
+++ b/values/badhouseplants/databases/redis/secrets.yaml
@ -0,0 +1,26 @@
 global:
    redis:
        #ENC[AES256_GCM,data:INOZ17f72Qf6D+drbcvmnZRBRIeXLSAV9RmfOLZFp45qt8GWSHMnevqq9ge4Zlydtsd3BDek/JLUNl6YHPPq9qM1EFujY2htbOHyf0Cn,iv:zZDMizNKFllCyNH/bUF+vuB9YOikjo3q5ebzu3LYvCc=,tag:H0XX/D9xh0HS0Xnqgs/aag==,type:comment]
        #ENC[AES256_GCM,data:JiLOpJanuZnMpN5dMvw2,iv:YEVZSdRHez1lCb61hWLvalLq8F67l7KF0WXmmuj9bck=,tag:KnpfgwUYBQLZsj4Jk13RtQ==,type:comment]
        #ENC[AES256_GCM,data:mzDGjHlXUunu1yA=,iv:LOOU/QGaHKeDrssbk1haYd0lPclbFak9GygEbbN0gFs=,tag:4cUubeiY6aJj5KVKVkdFUA==,type:comment]
        password: ENC[AES256_GCM,data:kN93kIMiVTGWbaYgMC1n1MWqdl8s3cbZS5vvYTa2,iv:Qy+GQchC6s2PoarPWtquipF9gAVYZR6mn0GeHABRogE=,tag:V/xbfm9u51UUG+we/3nNLQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOHRuN1J1ODYvc0Z3OW5H
            NFhVM0dWWGZETU0vTzVkeUk1NFVWc2FSaGprCm5NalJKUWxtLzA5VTU3YjR5VWtx
            NExtbTZZZUZteVBTYnNWTVZvbnF5VFUKLS0tIEpBTDhPbkVLVytaY29aUktmZGF2
            bnVKWmI4RWpLaGU5WTIwblJRcDFDMlUK2BHkUNbpRMo0jm2Sk+Qcf4giufJtaJyM
            xuoG41AqGs4+KEDS8/rF9HK7z+2Wk9H5b8L+/W0n+J5EPOvwvFePTA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-26T12:23:02Z"
    mac: ENC[AES256_GCM,data:xrA6hCFIH/R/j/V1T60xx5Eix5Z5ETREQP4zYriLkZQ4hEzL2WdJFExK1VXSfX4KmIR8215XHmHnWu70eIoAnFUaozBosIFtJz0YNrNNok6MeDGD5fy5mcBQfCqLw+rwbW/uxY7DQrchgVT9iFAkpRSoVPUzn6ku/xCmTmSlv3E=,iv:lNLR5QHKPUWb1Mz8mIFCHnjpuQVF7ttNTOy9+jEzLyo=,tag:G4iZ/9nWKh97JLGOxbgSQg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/databases/redis/values.yaml
+++ b/values/badhouseplants/databases/redis/values.yaml
--- a/values/badhouseplants/games/minecraft/secrets.yaml
+++ b/values/badhouseplants/games/minecraft/secrets.yaml
--- a/values/badhouseplants/games/minecraft/values.yaml
+++ b/values/badhouseplants/games/minecraft/values.yaml
@ -1,33 +1,15 @@
 service-account:
  enabled: true
  resources:
    - name: minecraft-exporter
      label:
        app: minecraft-minecraft-metrics
      endpoints:
        port: metrics
 traefik:
  enabled: true
  tcpRoutes:
    - name: minecraft-tcp
      entrypoint: minecraft
      gateway: istio-system/badhouseplants-minecraft
      match: HostSNI(`*`)
      service: minecraft-minecraft
      port: 25565
 # --------------------------------------------------
 # -- Main values
 # --------------------------------------------------
 image:
-  #tag: java21-graalvm
+  tag: java23-graalvm
  tag: java21-jdk
  pullPolicy: Always
 resources:
  requests:
-    memory: 3.5Gi
+    memory: 2.5Gi
    cpu: 2.5
  limits:
-    memory: 3.5Gi
+    memory: 2.5Gi
 lifecycle:
  postStart:
    - bash
@ -52,32 +34,23 @@ readinessProbe:
  successThreshold: 1
  timeoutSeconds: 20
 minecraftServer:
-  memory: 3000M
+  memory: 2000M
  jvmOpts: |
    -server
  jvmXXOpts: |
-    -Xms3000G -Xmx3500G -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:G1ReservePercent=20 -XX:MaxGCPauseMillis=50 -XX:G1HeapRegionSize=32M
+    -Xms2000G -Xmx2500G -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:G1ReservePercent=20 -XX:MaxGCPauseMillis=50 -XX:G1HeapRegionSize=32M
  overrideServerProperties: true
  eula: "TRUE"
  onlineMode: false
  difficulty: hard
  hardcore: true
-  version: "1.21.1"
+  version: "1.21.4"
  maxWorldSize: 90000
  type: "FABRIC"
  gameMode: survival
  pvp: true
  modUrls: []
  serviceType: NodePort
  #- https://github.com/CaffeineMC/lithium-fabric/releases/download/mc1.20.1-0.11.2/lithium-fabric-mc1.20.1-0.11.2-api.jar
  #- https://github.com/CaffeineMC/sodium-fabric/releases/download/mc1.20.1-0.5.11/sodium-fabric-0.5.11+mc1.20.1.jar
  #- https://github.com/CaffeineMC/lithium-fabric/releases/download/mc1.20.1-0.11.2/lithium-fabric-mc1.20.1-0.11.2.jar
  #pluginUrls:
  #  - https://github.com/dmulloy2/ProtocolLib/releases/download/5.2.0/ProtocolLib.jar
  #  - https://mediafilez.forgecdn.net/files/3789/833/GravityControl-2.0.0.jar
  #  - https://mediafilez.forgecdn.net/files/3151/915/CrackShot.jar
  #  - https://s3.badhouseplants.net/public-download/MechanicsCore-3.4.8.jar
  #  - https://s3.badhouseplants.net/public-download/WeaponMechanics-3.4.9.jar
  rcon:
    enabled: true
    withGeneratedPassword: false
@ -85,7 +58,7 @@ minecraftServer:
    serviceType: ClusterIP
  extraPorts:
    - name: metrics
-      containerPort: 9225
+      containerPort: 19565
      protocol: TCP
      service:
        enabled: true
@ -93,12 +66,11 @@ minecraftServer:
        labels:
          exporter: minecraft
        type: ClusterIP
-        port: 9925
+        port: 19565
      ingress:
        enabled: false
 persistence:
  storageClass: openebs-hostpath
  #storageClass: local-path
  dataDir:
    enabled: true
    Size: 9Gi
@ -121,35 +93,6 @@ mcbackup:
  persistence:
    backupDir:
      enabled: false
 # ---------------------------------------------
 # -- Install Plugins
 # ---------------------------------------------
 initContainers:
  - name: 0-download-mods
    image: alpine/curl
    command:
      - curl
      - -L
      - "https://s3.badhouseplants.net/minecraft-mods/server_mods.tar"
      - -o
      - /download/server_mods.tar
    volumeMounts:
      - name: download
        mountPath: /download
        readOnly: false
  - name: 1-copy-plugins-to-minecraft
    image: ubuntu
    command:
      - sh
      - -c
      - cd /mods  && tar -xvf /download/server_mods.tar || true
    volumeMounts:
      - name: plugins
        mountPath: /mods
        readOnly: false
      - name: download
        mountPath: /download
        readOnly: false
 extraVolumes:
  - volumeMounts:
      - name: plugins
@ -162,3 +105,36 @@ extraVolumes:
      - name: download
        emptyDir:
          sizeLimit: 500Mi
 extraDeploy:
  - |-
      apiVersion: monitoring.coreos.com/v1
      kind: ServiceMonitor
      metadata:
        name: minecraft
      spec:
        endpoints:
        - interval: 30s
          port: metrics
          scrapeTimeout: 10s
          path: '/'
        namespaceSelector:
          matchNames:
          - games
        selector:
          matchLabels:
            app.kubernetes.io/instance: minecraft
  - |-
      apiVersion: traefik.io/v1alpha1
      kind: IngressRouteTCP
      metadata:
        name: minecraft-tcp
      spec:
        entryPoints:
        - minecraft
        routes:
        - match: HostSNI(`*`)
          services:
          - name: minecraft
            nativeLB: true
            port: 25565
--- a/values/badhouseplants/kube-system/namespaces/secrets.yaml
+++ b/values/badhouseplants/kube-system/namespaces/secrets.yaml
@ -0,0 +1,21 @@
 defaultRegcred: ENC[AES256_GCM,data:lsqr2fBEosOQqYLBwps1hmgFs90zkzbdHpO8UwJWcMl1/CGkyzroACqHkL8taaOnnvwWwadIL8FU3382jamw0Xk5O51bFSBbCxTs3xd4ibwe39ha5YI6YQDHADDb/u1Yw4TctJ/h9xykXHDOL4foE5Z860e16vtMiVvniLD9OGfR6utb9gvZHE2QqZTlHR9U4PY2vLWWQMN3VRvipT7hulmOUzXMVcuBswmyDF39PvTba6Ea7A83V9h6HpqNeSA1ewKREIDOFqjhl7tIit8aQnuee58bJCTVIdg6gyR6yfu6sF22wdUlsJ7CAHtd41sbhEhWGyzJIqg=,iv:J1CfAJmNpI7lgQalYJlXs+JX5I0e6COGrsenMhvDGLA=,tag:nHkq8VF47I/9FS8uGcEyuw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwWHpPUkZqbC9LaEtJYzhF
            L0hIZUtOa3E4KzJDOFlwaFRVWDdJRnBtR1ZjCnVLNzhyQkdxS2dtK2lFaWRJUkJq
            dThURHRTRG5GT1BqaTZRbzlUbXYzWHMKLS0tIFRSa1lkSGQrN1RGdklzYzZNU3BH
            ZE0wMk1sRGg1M1lrNVFMTityK3cwK00Kbhugumz27RVo1SJjaljEbklHY6CW7xGD
            UCbN0LGh5PPpN6eCbZW8dB1+/lLR9AnyYr6okrGM2iztaJQdlwRvww==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-27T10:24:56Z"
    mac: ENC[AES256_GCM,data:xGqmh1TPg0OJLSycbnjsF4Ai844ZzlCzawQXmROpORJEiSL/3R1W+2PsBT5KcAfG7y2+Ovyk+l1FeorIPuqnbcezX9zUxMOaFXJylmwvNYXCwoihU6Yx2hg9SuFhnwINAhCLqOaRKIh8xPUaK8nRVqwJJa0jW6eCyZ5lsLtpz90=,iv:pmPfpSv3VfVz/MvTGTWoMxzkF3BvCMhK+HxEeN5pzNI=,tag:WkLcTz/WlLXmq8EojHfdlA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/kube-system/namespaces/values.yaml
+++ b/values/badhouseplants/kube-system/namespaces/values.yaml
@ -0,0 +1,37 @@
 namespaces:
  - name: registry
  - name: kube-system
    defaultRegcred: true
  - name: production
    defaultRegcred: true
  - name: kyverno
    defaultRegcred: true
  - name: velero
    defaultRegcred: true
  - name: observability
    defaultRegcred: true
  - name: databases
    defaultRegcred: true
  - name: istio-system
    defaultRegcred: true
  - name: applications
    defaultRegcred: true
    labels:
      istio-injection: enabled
  - name: platform
    defaultRegcred: true
  - name: games
    defaultRegcred: true
  - name: team-fortress-2
    defaultRegcred: true
  - name: pipelines
    defaultRegcred: true
  - name: public-xray
    defaultRegcred: true
    labels:
      istio-injection: disabled
  - name: org-badhouseplants
    defaultRegcred: true
  - name: org-allanger
    labels:
      istio-injection: enabled
--- a/values/badhouseplants/kube-system/openebs/values.yaml
+++ b/values/badhouseplants/kube-system/openebs/values.yaml
@ -1,6 +1,7 @@
 localpv-provisioner:
  hostpathClass:
    isDefaultClass: true
 zfs-localpv:
  crds:
    zfsLocalPv:
--- a/values/badhouseplants/kube-system/roles/values.yaml
+++ b/values/badhouseplants/kube-system/roles/values.yaml
@ -0,0 +1,24 @@
 roles:
  - name: xray-admin
    namespace: public-xray
    kind: Role
    rules:
      - apiGroups: ["*"]
        resources: ["*"]
        verbs: ["*"]
        namespace: ["public-xray"]
 bindings:
  - name: woodpecker-ci
    namespace: pipelines
    kind: ClusterRoleBinding
    subjects:
      - kind: ServiceAccount
        namespace: pipelines
        name: woodpecker-ci
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
 sa:
  - name: woodpecker-ci
    namespace: pipelines
--- a/values/badhouseplants/kube-system/traefik/values.yaml
+++ b/values/badhouseplants/kube-system/traefik/values.yaml
--- a/values/badhouseplants/org-allanger/app-tandoor-recipes/secrets.yaml
+++ b/values/badhouseplants/org-allanger/app-tandoor-recipes/secrets.yaml
@ -0,0 +1,25 @@
 env:
    secrets:
        data:
            SECRET_KEY: ENC[AES256_GCM,data:bLecWaJafPbXT2/dvKt3R2KNfuxxgQ6yLxviYbOf,iv:liuexfgYScH+eg/qSO23SQxE7hKpudgkOH3JRDkaa+A=,tag:DEcAbY6rg7mQnhsnukWtFA==,type:str]
            SOCIALACCOUNT_PROVIDERS: ENC[AES256_GCM,data:kx9ziZhxWcWTu1UG7BPi/sdG1tHhzugq65xxL3IPVx8i1oHXwy+00KaOEsIYP+TJqX5516Zq6JqtXe9dQwI4uVIy538FdXeEQDHKNS0xesSx8jG0tKa71GiqyQGBrBBxiy144za9y1QHB9k1pvuaza8mVEQOoktmMFfiHzEOhYDQxIzTulOMWxN2ImTsYSupHS6HLR13gDCyROVDzj1Io/U1VHxN5RZBPiqthNiB+/Aj+2FuCwAaxgEE6VVNFJlghi2yiZbl/PvZ3MDT+dAx/NijawVt0qdBBmPvB3jKZkgRN2tyystGiu47hnLosuzjrOjAMA6rP7XkT2gQ5e6hoLlJxWD5IiAHI+gQK7REbyJrEmSwwH0aCVsd1H4FOBNk+rfKpTIr7sRZFTVcZLtUdTZW6EW0XWmrBBPr5jodmouoFZY+dGlWP1vQkG+2eymw5aJCan0oq+x+J9dB+CVZc/2M1zBeRa6Crg7w3smCqOr46jkaRxfoDxV2NdRSla5zkwwFSS7MqPYlqre2oW+pgP7lvRa4MW9++5q+Zg==,iv:RZMNm66PhTWvjJG5jtpJW22TFInHw8LT04qui3fMLgA=,tag:ETMqmFO/8Kve/W55WP21dA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcTM5RTNIakwwZHNrQXE2
            U2FsK1gwMDhUTDd1MVorbENtQXdnZjYrM1c4CmNQaG5TcU9wK25qQUg5a29UUXBK
            WlZHK0M0dHEvZWVyZmJzR0RLU1pGWmMKLS0tIGk4TFArQnJyTWJJa3FJRlJhY0do
            ZE81bENWM3ZUdlR0N2RKMnJkUnJxSG8Ky2ngwj6ZnToGhnAJChU8NXUG+XPPZc2F
            fOD35BFO5bUNe+V8MkDLae+GQ1hr55r4WnvFpSWywRIjCFYmUJHTgQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-02-22T12:32:43Z"
    mac: ENC[AES256_GCM,data:khcLV/lPaY6J5QQmX8466jx9bsXn+NwA3TLIUYs9ipKa539OjIWstwyydVxILSBCwEWGEW86c8EzLBwptBBgg6gehfRJAax5TAn0lBd1lAAiAxZhdNpc2tfoaMaUWfWdpwYjdrtnvAlAkN3/16nvx+TIq7WdU/cWsic96PqhU0A=,iv:I81QvtZ7S+mSAzoXhU0YBMN0L4K+SRHW3UtcSLxwK5s=,tag:gAeAIjyJ13A8gfE7ppBeRg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/org-allanger/app-tandoor-recipes/values.yaml
+++ b/values/badhouseplants/org-allanger/app-tandoor-recipes/values.yaml
@ -0,0 +1,57 @@
 shortcuts:
  hostname: tandoor.badhouseplants.net
 ext-database:
  enabled: true
  name: tandoor-postgres17
  instance: postgres17
  credentials:
    POSTGRES_HOST: "{{ .Hostname }}"
    POSTGRES_PORT: "{{ .Port }}"
 workload:
  kind: Deployment
  strategy:
    type: RollingUpdate
  containers:
    tandoor:
      securityContext:
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
      envFrom:
        - main
        - secrets
        - secretRef:
            name: tandoor-postgres17-creds
          extraVolumes:
            common:
              path: /opt/recipes
      livenessProbe:
        httpGet:
          path: /
          port: 8080
        initialDelaySeconds: 10
        failureThreshold: 30
        periodSeconds: 10
 ingress:
  main:
    class: traefik
    annotations:
      kubernetes.io/ingress.class: traefik
      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
      kubernetes.io/tls-acme: "true"
      kubernetes.io/ingress.allow-http: "false"
      kubernetes.io/ingress.global-static-ip-name: ""
      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
 extraVolumes:
  common:
    emptyDir: {}
 env:
  main:
    enabled: true
    sensitive: false
    data:
      DB_ENGINE: django.db.backends.postgresql
      SOCIAL_PROVIDERS: allauth.socialaccount.providers.openid_connect
      REMOTE_USER_AUTH: 1
      SOCIAL_DEFAULT_ACCESS: 1
      SOCIAL_DEFAULT_GROUP: guest
--- a/values/badhouseplants/org-badhouseplants/app-gitea/secrets.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-gitea/secrets.yaml
@ -0,0 +1,50 @@
 gitea:
    admin:
        username: ENC[AES256_GCM,data:U230S8544mg=,iv:yL45Opnqp5T4h7erEv0pRHWtH1th8uu1Y4wfeY2aJcQ=,tag:a4vsJEOxlmHj1mwqcUGbiw==,type:str]
        password: ENC[AES256_GCM,data:IpwOetFEvxt0/tGkiJ8bBI+OR/E=,iv:8OA48CiWeMyqZVs2lp+UzfyymUNQfdgmAQV33+AVQ+s=,tag:stgAMSnB5dCzFu4zvZeVRA==,type:str]
    config:
        storage:
            MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:cn3NsFx0TH0fw6mJt6cArMRyQ6Qng3gIPQ==,iv:Jv+rweQzEXfVWuWycjGSi54jRAm0XEEcNxZ6flbUZWM=,tag:6O9KvcnaVEME5lXl6msZLw==,type:str]
        mailer:
            PASSWD: ENC[AES256_GCM,data:3UL0uvz49J3GIOo/eVWKYLrDG+u/lvCr8Q==,iv:HBQKF42R3tHFQxkUoRzsiPCUkFM40qpjM0SYrQSxugE=,tag:iua/nXoogjxnkj9T6UB/Sw==,type:str]
        database:
            PASSWD: ENC[AES256_GCM,data:DbL7wryYRQAEzujWNL4I0AwEq6Cr2r78FXQOAw==,iv:Oc2IYwD7iy7AlYVnhvSc61ttOf20qJyuuDnx4yF3/YE=,tag:aLa8+r0kYvzFSuF3hvhL2w==,type:str]
        session:
            PROVIDER_CONFIG: ENC[AES256_GCM,data:owsHUHdmzGiFgtD3+nRBmHYKcsNQXblbuCO8V0tLAAMvJBRHSA5YG1TL3Quy2186yoZCPiAdeQwg/o2Iutk2Mlc6/NmeurZbxomV8dWBuqJfn6t44xnDgFnEXpxE5kB5lNCtcjKXmpxC4fkoUVscOyZFmKp9uTgH,iv:evmTZH5NzMB3nhqLhuBmTTF4ztJX9a/ZMTOmYMqSaxs=,tag:dLnk9xt+moGoBhx7tqazig==,type:str]
        cache:
            HOST: ENC[AES256_GCM,data:feiTcBqztm76LZgNShj0Go0IRNgG9UwCQP9KrdexosP2XCnSe+giyKoIcADiHQFYVbnnkpw7/UqNxgM0Tx+EQ9eyFKY+PaFyCSFmQwikmAWakDJ+hQNM1VaNaDKdeLiGIeI7nO2MH9hGDMzPWtUgMNBxc9tTS38l,iv:Rcr+uiZMWbG9IPeMm+eiNf3W3yz2L7yqSkJSKUhWHtk=,tag:3cLuUAEU6CZvvUYKF1cCAQ==,type:str]
        queue:
            CONN_STR: ENC[AES256_GCM,data:Mw7W72M3HitiAEG1ihWctXyYqHJuSiKBZvQDDRjA4O9Yg9Zsbq+/HVcnh074zbiTjCO/496FLiy88HuAw8lksZ7MXXVvRI7rIcFKFZLpHcjAqkBnB301SGalK/R4bSisECsYIFPjKuh+s4PIuPEIgFtZuiEvYdbT,iv:uYwjzUObav2Hs/JgRIYbGBFNcZm++qS2QqKpz6Ma6EA=,tag:0okDz0yzL4eSat/0roYJ2A==,type:str]
    oauth:
        - name: ENC[AES256_GCM,data:sN+DzBKd,iv:0HNSbQEDLsV76DIRHdWnPs9SI/bHRZz6Fw+8B8Hhuns=,tag:mwTWy9VSXapPu3uLk7LgSQ==,type:str]
          provider: ENC[AES256_GCM,data:m74moJ8h,iv:QfE5F3vpIlEzIftHlX/qpNvsnAab8gTd4CHyECHNcmQ=,tag:JefFm9mfYJSKzBDOb/l6BA==,type:str]
          key: ENC[AES256_GCM,data:7ScP3oXE0zTnaqL3AigHby39fMk=,iv:sXllPawkQ5BcKmC1iBUJ2WOEPK2lm6W3q+GrprHZhAc=,tag:vSCB9w5x6jjPNu5b5ZEMzw==,type:str]
          secret: ENC[AES256_GCM,data:XG9D5IUX4MqJzKf+aB7MCeDJAQlIzMxSv3ByAZQAdZCI+5my+cMfeg==,iv:s3e0wFznoX55MeEQj+dK0QrzzatGzDBKfT4xDD00cOA=,tag:vk32YQcPs0kAIOj61YwHww==,type:str]
        - name: ENC[AES256_GCM,data:eBSL9xrBDN50,iv:TiC3jjpfwS6A9x6PAkMIorwJ9CecxblzEFt5+ZmSW6I=,tag:XA6UrnJbkUyDBgOY9xfIPw==,type:str]
          provider: ENC[AES256_GCM,data:yh4TBYDI2R0a4f1qSg==,iv:hx8pAuo//U+YY5a2cq/KyoK4qcKbSXWtkrDvACWLU2c=,tag:uJ9JNWdDjb0eTS0ZJXHDaw==,type:str]
          skip_local_2fa: ENC[AES256_GCM,data:8YwpOw==,iv:2R3Zc4HK/U31SVcXR3xi9J/kJySR3osA8xN3YhvRxBk=,tag:SzBFOwEmczW59SHLGCMb5Q==,type:str]
          key: ENC[AES256_GCM,data:rLR8ve4=,iv:qOVIBiFjsOrrRg/mca5l7SHc2GdVAdyz0TV3Q7lJlQg=,tag:tYEzx7SoeoAC9/lgWU91uA==,type:str]
          secret: ENC[AES256_GCM,data:r7sWVeqWTnqbt7ArzpADD5A1fYU6+KSpLohWJuSbEUyPAzOSxfZGxSYNfAwaxACOgmJJnxUeQ9l71nyUDWzGMrFkLr+o+WcQmSTPV3+3iMHDsTdgjEb+tIZFdi0Z5PJ8DCBxjckmbG5cx3O3Kyrjc24SNHCVb62lhduZH1fIlT0=,iv:kvtMCpiOUx10zTKt/ZYQh3leYaY9+v169Sq+sYIScHQ=,tag:t8txjt3xuVKWA7QgBJYuiw==,type:str]
          autoDiscoverUrl: ENC[AES256_GCM,data:SG2ev/BshOBP0NQnpZRQErZDAEWdReiwp2pb2JJBWZmFvC67//t8WZu1/wilfQjJvJdsDGwk9Rwncoxya5Fb9uKYDAQKzqULJk70Er9pyNaowFbMxiMm+ws=,iv:B9GM9MLIrKTtRfyDxltlFvvm01aRCTQnyiemH4qzjGs=,tag:Wqji+fKliEGJRZ4inTmbXw==,type:str]
          iconUrl: ENC[AES256_GCM,data:lcW3npgyrc50GIYCyTh5Gpht2CU6hX67j13XNOvGQybU2dsA9BtqpmH0OMQz4b1g/XkuHAp5j3I0wLnGvhXXf4mEugzt8g==,iv:X/kHS77OJLDuNN2lTAWLqPARJ1QZMY1ImuS+xmkUlgM=,tag:0ZRh7eH6dYdZd250Lb/+xA==,type:str]
          scopes: ENC[AES256_GCM,data:GtTGDrDZwU1r5vEsxg==,iv:/7yMuJpxlML3R1X8onDSFbJVwpYFtnLamaI+X148Tlk=,tag:e8HkvzdpkhDvedVzm7jG3w==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6d2JneUUzM1VkM1lvclA3
            aC9wMGpKSGU5ZnVaUTNlVDNsMlNaOVRNYVdzCkpzVUJzNHN2TmhHektzOC93Vjlj
            SVU3cUxVUm4wWjJQRWZRdWlRMEU1eUEKLS0tIHRLOEJERXBMd0NFajNjbHhPVVNl
            b1cyT0RYa3hzbFJjc254bHJMcDIzeTgK/aX6f60NBz6w1TaOFSZDRE7rPniebb75
            iwO74fJtl5g9WxAG5yByxJ455Uhc2R/+VBbK5BcYFt9cboIgkUrS2A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-25T19:15:08Z"
    mac: ENC[AES256_GCM,data:ySAOo8j+p9O0v8xYFcjuD6e/pc9LtLxLWC4TdP7mjhdfwwaaoJW96DLEbSYxYN7Co8zHFqdMp5e76SgvhWwP2LNmHLunJ3LNU6u6NSMEFLCSyjAM8KiqB4bTNq7Kf9H2FZbAN58YKXpZEFECJpxoLg2Q9MdRp+BvgURDa2QLZRc=,iv:Ay5vMdrKbNpFyir/N4+mPuOwKwIVupZbeJFKA+DWFDA=,tag:+YUSXQYMfu59oF+hjg0XMg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/org-badhouseplants/app-gitea/values.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-gitea/values.yaml
@ -0,0 +1,176 @@
 # ------------------------------------------
 # -- Kubernetes related values
 # ------------------------------------------
 ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: traefik
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: ""
    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
    external-dns.alpha.kubernetes.io/ingress-hostname-source: defined-hosts-only
  hosts:
    - host: gitea.badhouseplants.net
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: gitea.badhouseplants.net
      hosts:
        - gitea.badhouseplants.net
 replicaCount: 1
 clusterDomain: cluster.local
 resources:
  limits:
    memory: 1024Mi
    cpu: 1
  requests:
    cpu: 1
    memory: 1024Mi
 persistence:
  enabled: true
  size: 15Gi
  accessModes:
    - ReadWriteOnce
 # ------------------------------------------
 # -- Main Gitea settings
 # ------------------------------------------
 gitea:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  config:
    database:
      DB_TYPE: postgres
      HOST: postgres17-postgresql.databases.svc.cluster.local
      NAME: org-badhouseplants-app-gitea
      USER: org-badhouseplants-app-gitea
    APP_NAME: Bad Houseplants Gitea
    ui:
      meta:
        AUTHOR: Bad Houseplants
        DESCRIPTION: '...by allanger'
    repository:
      DEFAULT_BRANCH: main
      MAX_CREATION_LIMIT: 0
      DISABLED_REPO_UNITS: repo.wiki
    service:
      DISABLE_REGISTRATION: true
    server:
      DOMAIN: gitea.badhouseplants.net
      ROOT_URL: https://gitea.badhouseplants.net
      LFS_START_SERVER: true
      LANDING_PAGE: explore
      START_SSH_SERVER: true
      ENABLE_PPROF: true
    storage:
      STORAGE_TYPE: minio
      MINIO_ENDPOINT: "s3.badhouseplants.net:443"
      MINIO_ACCESS_KEY_ID: gitea
      MINIO_BUCKET: gitea
      MINIO_LOCATION: us-east-1
      MINIO_USE_SSL: true
    admin:
      DISABLE_REGULAR_ORG_CREATION: true
    packages:
      ENABLED: true
    cron:
      enabled: true
    attachment:
      MAX_SIZE: 100
    actions:
      ENABLED: true
    oauth2_client:
      REGISTER_EMAIL_CONFIRM: false
      ENABLE_AUTO_REGISTRATION: true
    session:
      PROVIDER: redis
    cache:
      ENABLED: true
      ADAPTER: redis
    queue:
      TYPE: redis
    mailer:
      ENABLED: true
      FROM: bot@badhouseplants.net
      PROTOCOL: smtp+startls
      SMTP_ADDR: stalwart.badhouseplants.net
      SMTP_PORT: 587
      USER: bot
    indexer:
      REPO_INDEXER_ENABLED: true
      REPO_INDEXER_PATH: indexers/repos.bleve
      MAX_FILE_SIZE: 1048576
      REPO_INDEXER_EXCLUDE: resources/bin/**
    picture:
      ENABLE_FEDERATED_AVATAR: false
 service:
  ssh:
    type: ClusterIP
    port: 22
    clusterIP:
 extraDeploy:
  - |-
    apiVersion: kinda.rocks/v1beta1
    kind: Database
    metadata:
      generation: 1
      labels:
        app.kubernetes.io/managed-by: Helm
      name: {{ include "gitea.fullname" $ }}
    spec:
      backup:
        cron: 0 0 * * *
        enable: false
      credentials:
        templates:
        - name: CONNECTION_STRING
          secret: true
          template: {{` '{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{.Port }}/{{ .Database }}' `}}
      deletionProtected: true
      instance: postgres17
      postgres: {}
      secretName: {{ include "gitea.fullname" $ }}-db-creds
  - |-
    apiVersion: traefik.io/v1alpha1
    kind: IngressRouteTCP
    metadata:
      name: {{ include "gitea.fullname" $ }}-ssh
    spec:
      entryPoints:
      - ssh
      routes:
      - match: HostSNI(`*`)
        services:
        - name: {{ include "gitea.fullname" $ }}-ssh
          nativeLB: true
          port: 22
 # ------------------------------------------
 # -- Disabled dependencies
 # ------------------------------------------
 postgresql-ha:
  enabled: false
 redis-cluster:
  enabled: false
 # extraDeploy:
 #   - |
 #       {{- if $.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" }}
 #       apiVersion: traefik.io/v1alpha1
 #       kind: IngressRouteTCP
 #       metadata:
 #         name: {{ include "gitea.fullname" . }}-ssh
 #       spec:
 #         entryPoints:
 #           - ssh
 #         routes:
 #           - match: HostSNI('*')
 #             services:
 #               - name: "{{ include "gitea.fullname" . }}-ssh"
 #                 port: 22
 #                 nativeLB: true
 #       {{- end }}
--- a/values/badhouseplants/org-badhouseplants/app-stalwart/values.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-stalwart/values.yaml
@ -50,13 +50,14 @@ extraVolumes:
    emptyDir: {}
 ingress:
  main:
-    annotations:
+    metadata:
-      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+      annotations:
-      kubernetes.io/ingress.allow-http: "false"
+        cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
-      kubernetes.io/ingress.class: traefik
+        kubernetes.io/ingress.allow-http: "false"
-      kubernetes.io/ingress.global-static-ip-name: ""
+        kubernetes.io/ingress.class: traefik
-      kubernetes.io/tls-acme: "true"
+        kubernetes.io/ingress.global-static-ip-name: ""
-      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+        kubernetes.io/tls-acme: "true"
        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
 config:
  files:
    config:
--- a/values/badhouseplants/org-badhouseplants/app-tandoor-recipes/values.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-tandoor-recipes/values.yaml
@ -2,8 +2,8 @@ shortcuts:
  hostname: tandoor.badhouseplants.net
 ext-database:
  enabled: true
-  name: tandoor-postgres16
+  name: tandoor-postgres17
-  instance: postgres16
+  instance: postgres17
  credentials:
    POSTGRES_HOST: "{{ .Hostname }}"
    POSTGRES_PORT: "{{ .Port }}"
--- a/values/badhouseplants/org-badhouseplants/app-vaultwarden/secrets.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-vaultwarden/secrets.yaml
@ -1,31 +1,26 @@
 config:
    env:
        secrets:
-            enabled: ENC[AES256_GCM,data:C4TSoQ==,iv:kG2QtaNWHSc2sdhzo8HnMnPE0Mixqs1dvFsAcke/Gw4=,tag:HhbVmIw5RQ9hipQqZ5J2pw==,type:bool]
+            enabled: ENC[AES256_GCM,data:bai2CQ==,iv:NG7q1ZsDpCW9Lu00fGsibpTEHGtew+l5TFOLOpljlwU=,tag:Z2/fXmsEEqhDzCdTWS/Qhw==,type:bool]
-            sensitive: ENC[AES256_GCM,data:0wVOUg==,iv:FGxAd9h2e0LeWukZR/THhCscF3FWoK4dnkrX1mqSC+A=,tag:0rpeedT6x2V79WB5xRNbuA==,type:bool]
+            sensitive: ENC[AES256_GCM,data:n+dNXA==,iv:iFM0+5G5Bsw4NI+JH1vMMrty3Zo0El0HE9F6PEDsJrY=,tag:EcbzQHVeOHVLVC7kgaRPXw==,type:bool]
            data:
-                SMTP_USERNAME: ENC[AES256_GCM,data:82zb,iv:Z89+Wt6jGMQTZ73ghk1Ey504WYt2Li9XQ2gaH0SB8tI=,tag:RmqHxghik75E9LAABzyVxA==,type:str]
+                SMTP_USERNAME: ENC[AES256_GCM,data:eQ4c,iv:4vX/ioHWEA6DzMwZ+23dgUN4PJ7Asz7bbufG5Fy80iI=,tag:1Mq0Hj/23T4fvGEXuNUtxA==,type:str]
-                ADMIN_PASSWORD: ENC[AES256_GCM,data:ELi8dtNa/OhQKgrXbrgwHK95ntZjyzRSvQ==,iv:IVZbXZlFyCRMc3bW81Ak9UdjeGke0px9mGqrmaW7EHk=,tag:9xli08c0pqnxu2ktTbCMcg==,type:str]
+                ADMIN_PASSWORD: ENC[AES256_GCM,data:B08urSqwYgekI6I5LDYGHbPK5n3r+woRZw==,iv:K2O9aSJLRMbK+N2lfX4ojSqhbmb9KbWsuW2DtYZHCOA=,tag:Qz0OJ7aWwC+/9d1oc38ySw==,type:str]
-                ADMIN_TOKEN: ENC[AES256_GCM,data:CAAalqRcu9vsM1bjC76enJCSX/tc7yOd48mxGV0d5rTFxQz08b4JVhKyMzl7BRog7+PMtJkkTnRIXZHgj31FqhRylmHyuAn3iPc=,iv:PpZvZMhOEt6ecdkBcvAOSz+eZktPAzaAlYNjBSgiN/w=,tag:apHKw66HG7TYnpBNVyM7xA==,type:str]
+                ADMIN_TOKEN: ENC[AES256_GCM,data:sKVugfrrR9L5LtozHPibGiPULiwv8pAot925Z/rQ0V/mW+DVvNPEw4odgfX596Ddmd8oV5zo5Mz8WIPUCmrVmfdoz+3YzVywEy8=,iv:npthfz4xcW6fF10RhHCF6uXH/6526l3gjZGRu+Xpylg=,tag:vsPsRZ7EIQ7FMvqJga3hhg==,type:str]
                DATABASE_URL: null
-                SMTP_PASSWORD: ENC[AES256_GCM,data:g212PzN9/4hxBKMAWFNiR0qAnPPK/tkffg==,iv:1l6dikIQGSjznW9MsaCTdz0wLJmAhiL0ZOdN2J4Q0yA=,tag:tNbPdORUa6IBWgh0HHaNjA==,type:str]
+                SMTP_PASSWORD: ENC[AES256_GCM,data:quvcZQKauXeW+l8xkYgVBElBQveoRWKDBA==,iv:KpQH+Ef87jl/M9XpBtIKNhn7ATHoV+Jgjpzg2Li28Kg=,tag:jniePrO7UVp/cz/eIh19mg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoLys3dkJDK2lrQ0d4ZlJi
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNnFwbWFpTWgxRk45S240
-            eFRTSmx1RUtZRnpxdkNvVFFCeXl6dDcvWXdvCitoNkcwVFFxRVJ6dkNUbGVPb1pU
+            cVI5ekJXdVIwaG5NcGRPa2xTN2pFV2tyN1JBClNVMGhNL2FaM2pCK0sxbjgyalJN
-            b3E4ZjZibFF6QytNdUhXNDFLZXRpSEUKLS0tIHpZTmFXNnptVzJmZFhIU2haRWhR
+            MnpQeHBxY2RtWkI2c1htV3oyQmNnbVUKLS0tIGg4ZXNwaFRKNTlIRDluT3k0VDRD
-            UjNEN1BlREFVak1xdmQzaFY1dHVyM3cKuvMIrQUL1cuw3Odz/Cv+kZV9ZZzBozSW
+            Y3pIaEdFb1JwMnVrYnJ4UkpWMERmZFUKa45EvUqkvjaL85xh3gyxTeJ02IxPJf9a
-            XimhDSkxNrH5OsGC1Jxz/8JOv8abBs4NROzffVdyqtZZzXOLzw3mJQ==
+            TGjAvpjBrym9v++OrHn2otw1NOeZwSP1hmSCc+sa6/0yFqcU031xjQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-02T08:58:16Z"
+    lastmodified: "2025-04-01T10:29:47Z"
-    mac: ENC[AES256_GCM,data:px+D6tlAZU6GzlE8/jLc0BaPyRwsfE1jRROy2mX7bhFTIW3lZqt/zangO46fFH5hXZjY5wLNIktCDbawIbUFwAp0vrmXxctZoAftl9hpdtW6ann3yfyv3pdcs7/BKu3s5QUswx6D13iLU0dvzyG4vGcQNmKpxuPQYLuDp2o74hM=,iv:2Y+wsS7QcgQ/8umZ+a21QjU25Yq24Y7UWjXVy9Gmvoo=,tag:APVtby5NCOQxrPAjIbMJ+w==,type:str]
+    mac: ENC[AES256_GCM,data:VmYotoR4BJJv2mZ+kt+NNn+oXLKWHed0o/TkJO93/4eLUm8Wg9SPMA1ZYYe9YRfgbIhYxPlQbPPKQBv95XeOS1FFL24VyenTTP3TXWroeXxOWubko/Fp88U3glJXs5jfL5DLYKvGwTXG3tchFDwH9m6QOABX+aRxvNBEP5zXUxs=,iv:HMzuvl8YCPj9ZA5tKfExQfSbvwu4IEHz6sMLAe8g7vo=,tag:lI2fh1b7prHsBS8Snrbdtw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.0
--- a/values/badhouseplants/platform/authentik/secrets.yaml
+++ b/values/badhouseplants/platform/authentik/secrets.yaml
--- a/values/badhouseplants/platform/authentik/values.yaml
+++ b/values/badhouseplants/platform/authentik/values.yaml
@ -14,10 +14,10 @@ ext-database:
    database: "{{ .Database }}"
 authentik:
  email:
-    host: email.badhouseplants.net
+    host: stalwart.badhouseplants.net
    port: 587
    username: bot@badhouseplants.net
-    use_tls: false
+    use_tls: true
    use_ssl: false
    timeout: 30
    from: bot@badhouseplants.net
@ -26,7 +26,6 @@ authentik:
    user: file:///postgres-creds/username
    password: file:///postgres-creds/password
    name: file:///postgres-creds/database
  secret_key: "2Scv6ivCfV6uGRTx9Kg5CYJ2KjBRHpR8GqSBearnBYvBFZBwR7"
  # This sends anonymous usage-data, stack traces on errors and
  # performance data to authentik.error-reporting.a7k.io, and is fully opt-in
  error_reporting:
--- a/values/badhouseplants/platform/db-instances/secrets.yaml
+++ b/values/badhouseplants/platform/db-instances/secrets.yaml
@ -0,0 +1,29 @@
 dbinstances:
    postgres16:
        secrets:
            adminUser: ENC[AES256_GCM,data:uuu/xvwJkHk=,iv:Pk+i8bf7AeeG9wKVh1RDJy7Dt3r5b1UKy4SJijlZfq0=,tag:QO3gwYXAG0sBBuHcKfTNQg==,type:str]
            adminPassword: ENC[AES256_GCM,data:tjWATjuJT+C97D4TLQgk55BZOwVv,iv:1MWYtksmrEBQtOdGvtc6MZyLP4yBKA88eIpQ4mZCULM=,tag:3hOlT5n2Wd81ebxeEgW5tw==,type:str]
    postgres17:
        secrets:
            adminUser: ENC[AES256_GCM,data:4w2EItIM++Q=,iv:cQLryeBskm2Y9OlbMFgQEWEBi7z/VxucLWbwZXsRtto=,tag:Ir2Q7KZv/sSDdA1MX/Niqw==,type:str]
            adminPassword: ENC[AES256_GCM,data:wHUL2p8CXYwoEFu3ffCCsQO9xn/GqOZ6JPrcHKzy,iv:khoogPPFHSd+4xyp+jf1w0RfOUgrKzAmFjLnisQ8HXU=,tag:GRnkCQ0uOlUt2AiEAceFRQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuL1lwdVNHMm9nZHRld2lO
            Rm4xVnVHWG9hNDc1cUVyakxzUU1PcFJhalM4CkNicEdUV2lEYWMwaWNqeGcrQ2p1
            Qmw1b1FzRllqYW85bjF0cmRGcW1MbjQKLS0tIENUcG1oOXFNV3REaFU0aUEyd2k4
            RDgzRmlKT1ArblpOV1plcFpyMnJXZTQKgm8Eaw591+EHZWofXAADTXRHPOdOvdOM
            jYne1szB/V9UJz+pmLa10tNgruga+P5yP/j+DGcYrTj0pVh5IJLjTA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-10-30T19:59:46Z"
    mac: ENC[AES256_GCM,data:3KrwiArDx/bPAHbFGgb9BdDVHC+uC1IHp4LZXlYRZzWSKtX1t+ODQVzUW97kigGFG1sx6WXddl/w3XeNOoT9JbS5iPXJQe6KAPleNV50S/oab+U53WeloO8uL68Wrk9v/NwMhCKwE9cCqBBhqk7wCb6N9ivt45mLrUf06L8fok0=,iv:bOWhyIm8FhKtZAZH/78bukkeDp5P4XShSD20mgr4Neo=,tag:RZMx9bi+ZEcLwTzk+Gm8RQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/values/badhouseplants/platform/db-instances/values.yaml
+++ b/values/badhouseplants/platform/db-instances/values.yaml
@ -0,0 +1,21 @@
 dbinstances:
  postgres16:
    monitoring:
      enabled: false
    adminSecretRef:
      Name: postgres16-secret
      Namespace: databases
    engine: postgres
    generic:
      host: postgres16-postgresql.databases.svc.cluster.local
      port: 5432
  postgres17:
    monitoring:
      enabled: false
    adminSecretRef:
      Name: postgres17-secret
      Namespace: databases
    engine: postgres
    generic:
      host: postgres17-postgresql.databases.svc.cluster.local
      port: 5432
--- a/values/badhouseplants/platform/external-dns/secrets.yaml
+++ b/values/badhouseplants/platform/external-dns/secrets.yaml
--- a/values/badhouseplants/platform/external-dns/values.yaml
+++ b/values/badhouseplants/platform/external-dns/values.yaml
--- a/values/badhouseplants/platform/minio/secrets.yaml
+++ b/values/badhouseplants/platform/minio/secrets.yaml
--- a/values/badhouseplants/platform/minio/values.yaml
+++ b/values/badhouseplants/platform/minio/values.yaml
@ -56,7 +56,7 @@ consoleService:
  port: '9001'
 resources:
  requests:
-    memory: 2Gi
+    memory: 1Gi
 buckets:
  - name: badhouseplants-net
    policy: download
--- a/values/badhouseplants/platform/uptime-kuma/values.yaml
+++ b/values/badhouseplants/platform/uptime-kuma/values.yaml
--- a/values/badhouseplants/platform/zot/secrets.yaml
+++ b/values/badhouseplants/platform/zot/secrets.yaml
--- a/values/badhouseplants/platform/zot/values.yaml
+++ b/values/badhouseplants/platform/zot/values.yaml
@ -0,0 +1,27 @@
 image:
  repository: ghcr.io/project-zot/zot
  tag: v2.1.3-rc4
 ingress:
  enabled: true
  className: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.allow-http: "false"
    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
  pathtype: Prefix
  hosts:
    - host: zot.badhouseplants.net
      paths:
        - path: /
  tls:
    - secretName: zot.badhouseplants.net
      hosts:
        - zot.badhouseplants.net
 service:
  type: ClusterIP
 persistence: false
 pvc:
  create: false
 mountConfig: true
 mountSecret: true
--- a/values/badhouseplants/registry/cluster-mirror/secrets.yaml
+++ b/values/badhouseplants/registry/cluster-mirror/secrets.yaml
@ -0,0 +1,22 @@
 authHeader: ENC[AES256_GCM,data:BWmu4bpFjlIDStIcWfpsgbm1hfxlvZAK9LabhXuAdArJzflc4VA+Dy5fJRAMu9Mv,iv:+rwtfnjJCZKPmdcUkTfklq19uSgavOKaySK/O/xd2PE=,tag:3yXa+0LbIqMDk6KLWAAN0Q==,type:str]
 _mirror_password: ENC[AES256_GCM,data:0aa6fqR3+0ZY5KhRKJa0SKBcBnF/KizHXTIm2NQB,iv:DUB8ItYbT+K31XLbWzi5909RPVn9DG9HRDU120VxbdY=,tag:DniRwku2rQX44ffMn4mU6Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsQ0U5L01iNFo5Y0t5SFo2
            MXlwVDhQZ2R5QnVlUndmQ0x5L2ppU1h6aEVZCmhaUW1JY0RDMEM0T1JkZkk3TGVD
            R0JjaEN0MGxVV1RIZUxkbjgzMTlTMmsKLS0tIFdDNW8xaWsxamFvUGRFaVZsVUV4
            S3ZiYTJGOUFzZlNwSUZvNGtmSFNpczQK/npaHLqHSxMnCXNvDFw0eB9KfMJ7bWfV
            ZuteeaXG+eZNX4l1ZY1pLNUv9kui4oXI8payp7sTZJI6WYZCQz6Oaw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-27T20:50:16Z"
    mac: ENC[AES256_GCM,data:XtX4NUZ9PCdAFckdlygywFQ8vJRAszOjqPItr0MNRM0ndk/PkYYGzY0phMan7FgxY3Cz5XMJcv/MEogLedM+uH5vMbsOpRY49jpILMORL3Ni1tZFG5Px5NbfExGQmjFyefotRzCHlsUSTZEHlBIp4+FeBI41CgBbLw45rEoneL8=,iv:Ilk7TXqKSSV5WYnptLRaOk/lwwHHLesbSslOCarlVEA=,tag:vWXe+r3tHXoMtWYeJN9T0g==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/secrets.gitea.yaml
+++ b/values/badhouseplants/secrets.gitea.yaml
@ -1,50 +1,50 @@
 gitea:
-  admin:
+    admin:
-    username: ENC[AES256_GCM,data:1yKnMnzbHno=,iv:AWqprQPRloJhZEtyhF8+5dgxyHXtK+2HLxHa+gU+Aw0=,tag:Irk65xjOWgFBfPUJGVcQcg==,type:str]
+        username: ENC[AES256_GCM,data:u1KcCwDNplU=,iv:s9mWKPTz+8rFKS2RmFPxCGOIPXFHLvLX3v0t+DemDEU=,tag:MmGR2LqDmHw10uJdPe/tSw==,type:str]
-    password: ENC[AES256_GCM,data:8hbWwHlNyxzNe6PCYJ2w5b8oUi0=,iv:GtkHDZFUzk9rVh7ASmk+Qb/litPD5QX38hWLR24pgSU=,tag:bmdNTBDt2Mrxp1cVXmJwcQ==,type:str]
+        password: ENC[AES256_GCM,data:mBhL52UJwOwWpRGRfc5WNAvYwHo=,iv:hGt1kGA2miwzMidwD0AT62oXs1CAwAFpKk3XltqsCz8=,tag:bfhsQxef8cKEes1JkTQw/w==,type:str]
-  config:
+    config:
-    storage:
+        storage:
-      MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:tLHwP5ZsoxKnaG38hNNXvXoy4PTuxlUT3w==,iv:bR0eL0MHOdT3CnsQrjdlEfwCEye41/ts/vsQf3ju1cU=,tag:XxpkrS88muDolMcB0r9rWg==,type:str]
+            MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:5VjeSHLIDvZB/VE7OJ1eqWOnT5NU64om0g==,iv:OFK7MYlb9QfV4ZHIECa3vHG9pBp1TCGSqqUJX3D7uGE=,tag:Ibmihyp3TXarFtr/tDtEEQ==,type:str]
-    mailer:
+        mailer:
-      PASSWD: ENC[AES256_GCM,data:tw+vJSoedon/a3VhXkcpupumdbBnyMbSzQ==,iv:xoxIm855BhNsNfq+5L33yIDFKx8igNuEV71IDt0WNzQ=,tag:i9FJe0x4PqaMb/SBN0yXCg==,type:str]
+            PASSWD: ENC[AES256_GCM,data:lIv1/BEEkouDVqNy4u+u7WCY4zz3ow7fWg==,iv:we77bHyHyAYCMxFGG13sE/M+5Tv2VeYfrg9bsa3leec=,tag:TOltFQbhrXMJW5w5x27YjQ==,type:str]
-    database:
+        database:
-      PASSWD: ENC[AES256_GCM,data:pB7YPucwcXwD9fzJsckZshz7ZLM=,iv:23k90tX465WltrQwSyx8Hixe2hnya/dx6aIvr3ti1wA=,tag:NvgN1g181yCBu5Mf7uYmGQ==,type:str]
+            PASSWD: ENC[AES256_GCM,data:a3AV8QMYOxlWiU7G1DRCaOSdHKA=,iv:3ZCwEMo3/3rmGJXgDr/Pw+rNQBU14rUKQ7330otX1qQ=,tag:KjwexsLkYaHsTdXoHwXBJA==,type:str]
-    session:
+        session:
-      PROVIDER_CONFIG: ENC[AES256_GCM,data:Ipcta9fyfGCygYqpisgiy0rCckP5Ma5bNs2ClFNn0lnm1LQOJDdDLiQDr5u9L/WG6Bs2WhHbeSrdjxyZdCKv9pd1CfmB7S9eNcp2w+4hhofwUVcKW89rj9HYEHSLuY8C4Y5KbJKKl6PkY/JmTzyVSpSMDHYadf3j,iv:YsMR3zwZODENuy+WvKy8AdByKTuI7ng0hf1AJT+CMQk=,tag:9hOo08OLybdNgr7wvRPvyw==,type:str]
+            PROVIDER_CONFIG: ENC[AES256_GCM,data:nPtmi3wG3+wVkyb+IV832he9rUo2TRRx6cTqvGdVSIZMfcfUvS4rmSH7CQ28OYK6f+WEKs8PkjfrBzEP1mPFHC5eRQfg4ryaqM7eWmHaJipcg4h2nzH9ii6FXyYtmm2zFsTnodOJryEo0T/nMaGhEt7+eylCL+L4,iv:8UFjsAEtMjMqyC9Ib3ipoqpshFrsdE9d3dg7Cewv7dU=,tag:gGVNGk66/Kr/dZ6B3wbD4A==,type:str]
-    cache:
+        cache:
-      HOST: ENC[AES256_GCM,data:K0FpmrMo1TlUnHHHRKcKVQ8NYeOr+YEeQjajEIM1x5XPjkxYUmywyVL8f5qNLkvotAtD941Rw9CQ7NRof0NketkYyC8gJsndfznGPjhfqH5a0MUWDu9tAfGUzWGzXxC0uq4Ne1eRhu4SjZljZybqk5qQR00Zc/qX,iv:izMvr/kdes3+Gl1a6URnWyQ5TwYqTDMOBskHxPZZpgo=,tag:MWdLA5PV/+bEPWgXHw9OQA==,type:str]
+            HOST: ENC[AES256_GCM,data:tXEIBKqGyeuAc/adO6DjcyAAGgcIuwxJ8T0Zsi1xMy3I3gXbzeTG6XwyAesiUoHifoYTpn3wWbf+pIh8KtGFXb58UcEOgHmnADPWALiXKFoZmvtHDL+JEjOjd0tyoskJNf4Oi4BckJDnfpYuMqJW9qcQbsxlB1My,iv:kJ7XRqvUVEGUC9aAPYO+1oZA3QPc/SE9apaeTgLf3wA=,tag:525IBTPiuZIkAxAIiRE35w==,type:str]
-    queue:
+        queue:
-      CONN_STR: ENC[AES256_GCM,data:MsKkRcKpCGmvcL2lP5N+WuCNGp68gPw5HCpvCjEbYPoJcl5j6mAV5bBGqmiaIpvRbBu1EL1riHMmFD55efSJ6XueOXPG997iwE7KISdPjAWA92ZFe/zFzSW5EfBz3BvgsxzkMk3gR2usid0BvKXLPztLSvAYOR1l,iv:S4BunQMCS33JZUL8x4dRSbMtKQoI0f3Iw9IQ663hqfw=,tag:G7Xpp4d0VKzHRb0ju+F+WA==,type:str]
+            CONN_STR: ENC[AES256_GCM,data:Z1+u7JAcgNXkrO80YC2bMDk5VMyTFRAxDPc75ZPKbaD5+nsWQusvnHTS68rAu/WT21xAFpny7geERIOEZIewpucNoCTlqHVfJu/tsl40qMoBfjEWuwfaRM+AlNaXm5USTXkk+alQ3eJ2KIIhfhY1cd1yohRoKvAd,iv:bmLkzWqR8SwHLgWG6SWdeNr1w0fcZP8qNRlhfQfvJqs=,tag:QY5A8YGy0+3BnWSLBcsK5w==,type:str]
-  oauth:
+    oauth:
-    - name: ENC[AES256_GCM,data:ruqXMi7A,iv:hzOf08m5WO/0ZLrsDdco2RuWquiR9n5hwZqcug7Gx1E=,tag:hwumITH28nq0z5i4Z4FvcQ==,type:str]
+        - name: ENC[AES256_GCM,data:7KhuIzC/,iv:nn4bNQ1/tBiqjnQxcyocZd0h/54mH+LlRtiAjWuPCOc=,tag:e+55SHN49Q6NzT7KSsh52A==,type:str]
-      provider: ENC[AES256_GCM,data:Sx2HqTQ/,iv:DDhq7jVZdgD5MAFFeSt6KdsC0FSrpQWA+gu9gOg6Iwo=,tag:kOnrbDlwGLMrgKsF8hTGdA==,type:str]
+          provider: ENC[AES256_GCM,data:+TrDQq3Z,iv:AAwjnHG40IKAkSPO5gzwEC745NH+Y5BgZIiJJ5Z2+AE=,tag:DENE8aAHAG9DZhkPmZWYVQ==,type:str]
-      key: ENC[AES256_GCM,data:itycutnIMsO2lb8M5UysL72Iq9k=,iv:E1b1zBGfew3bf72OxLoKQoosgPDqy8my1JMWvwBGpcE=,tag:iJGrMKbrqTD5NHYWvFxqxQ==,type:str]
+          key: ENC[AES256_GCM,data:uOY9iM/dAkhGbWSsUbmN5rnbqUY=,iv:BQ3KjcHN1jJG28RkjjhsTgWm+lHmHzYS4/P4Vlp89hs=,tag:HY3fZysu7sCdyoR0TuRd6A==,type:str]
-      secret: ENC[AES256_GCM,data:mOpFm2yKl1aBu3TcJkO/Gm69XQh36le4ohsueq9t58cIHDucrksBmA==,iv:zW3zde+XcD3wmJcOKZ0lrPCBA2OPHoF+8/T+6PJpP5w=,tag:27ssfjvp2oX9yglNJLalFQ==,type:str]
+          secret: ENC[AES256_GCM,data:5s12mFDJJLPRg/IsypTx/BpvobX0hluTSddTaCQ0SgYjt4lthZDGGg==,iv:ojiXiVQ7BFUNO2ukAK0ygUTu6KVDKu8AMVmHfBw8Ii0=,tag:0zcD8iNT8iutij1C+Hk7Hg==,type:str]
-    - name: ENC[AES256_GCM,data:8LPw6LKoUcMf,iv:/jNSUD9jcGxghxexh5063Le+t+xAbirHlc/1oG3JCq0=,tag:OA1LpeMNRi+Pkhr4cdseAw==,type:str]
+        - name: ENC[AES256_GCM,data:S/RV60Bc3/lH,iv:xIG+UJnmkEvuo2mgu904Hdn18BhsOCtWVl/eL6ybcZs=,tag:nFKPEisO3U3hPJZASrytiw==,type:str]
-      provider: ENC[AES256_GCM,data:aqLm3vOS5b+cDBjnaA==,iv:/3teGaszsJEo9ya1Uy51xAxPC4zyMO08qm1Ag6sFb2A=,tag:iByKJjRGQcEiT8Zoe4cRnA==,type:str]
+          provider: ENC[AES256_GCM,data:eZOq2jNeqLM7BzePXA==,iv:vHhMOtF/mqUorcKSe2djtWKcyc5F2c+udWclcOkxK/A=,tag:6yKwQj/9oDDIdHcRtIgW3A==,type:str]
-      skip_local_2fa: ENC[AES256_GCM,data:YZMe+A==,iv:VE8i+fA/xbv4Ii6vDjsclbuzHp9lva+jOBIYE0vsKNA=,tag:OXAZnoa/zISVBmhaojVB+w==,type:str]
+          skip_local_2fa: ENC[AES256_GCM,data:B8ObUg==,iv:mmfGkA+8HK6H3DS+Hl5Hz3s/pwGBoYcXQfJiPiBKYFs=,tag:ErmgC/mcQZJ5sI5eEtLHzg==,type:str]
-      key: ENC[AES256_GCM,data:6mbjR2k=,iv:8zRBVFyF7XyTA96yfaWX8NtOC2f2abbyv7qUzizB+dc=,tag:BeBR+bijZFHepscsXJkoNw==,type:str]
+          key: ENC[AES256_GCM,data:+w1/goQ=,iv:cIOxkdP38IaiNZ3dig5xo2kYrXdAwqerojCXcBifYds=,tag:5/+QimbfqpfnaFgFT3gfLg==,type:str]
-      secret: ENC[AES256_GCM,data:vM4LI6MFwF9co+qCzZwl+q7pKDtIiMj7jMwckleijtVOgnfafrMTKZsA4LbeKICm1p3kuj1qmdRzDgyCzGyCejwMwsd8Yze4gMKZb6wfnhOhaj11Yby40+xHHb8ogCzPfAH7TkOi+99Y2yMpfiw2i5UZvQK1oTjZLzMfJ0fK15k=,iv:F01nIJjOiZCueOaIa1p//ND4XA1wvNow9Crq73nHUVQ=,tag:KifiHsOa49Iah4SW28YMVA==,type:str]
+          secret: ENC[AES256_GCM,data:Rg4rEk9j8zZcUCWbm6xmuEbRb107f5HaU8ClbUkXWKnnERkN91QYtSNlAEWfHBk30xmBObm/O2LlypYJWT5wO7LNw4G6q9yv5JaIc7vS1pjicDi2QNxAW89euELdlthFa2fXj4lNlKLgQr8TbC5wpX0oysC261MM9kgjLuTQnw8=,iv:ft8IMPIu2JuzeWdM53qN5kJQQR5Oq9d2yyNbAQdtdY4=,tag:cBMEqmoP3KAuOhuX364hew==,type:str]
-      autoDiscoverUrl: ENC[AES256_GCM,data:k1O5weiok0ybMfEwDfEaXu76AvUmgRHz3vGy5bShvdGxf/SQZVJJv0XntF9ifbfhYRKzJCt1BpVGkXQnHhMWntkolLUsv/r6OKZPjpwOtEozhI95fcjax1Y=,iv:2LFUB07dWs2tcCSibhoiJ8w3NoPMrpfEhAqb28TbdxY=,tag:iJtqPNf8nsjMVzF2Du+DVw==,type:str]
+          autoDiscoverUrl: ENC[AES256_GCM,data:IlykewahSerO46QAqJrvryzHkZONrEDHYBgwq9Nkg1pja9X1l3YaMbsg9DYWUkod/ZlzrGUA8Qyi58WW07chkFDPvy/Cfbp7GZSosr9ZVv7LI7TlpZHxeaA=,iv:rp05dCHRMnysz98G3EbKBZWsBzHrGzSuC6FCr/S8evw=,tag:6UtCbpVoWLbv5W/cB1+qBg==,type:str]
-      iconUrl: ENC[AES256_GCM,data:Jr8Ej4zfe319HX4ruXrDSB5ZuuEfbuvEeIVHt13E7xx3NvPF9qrOZip40hmAR7dc1nW5m6aX6GxP5gbonr90wZRCf8HA9A==,iv:ykfp9vlCZnjR+7H9NTokW8AOr0EHEq6vkwWDSMYiU5Q=,tag:MbX/8yRj6XwBgU+MbylAKg==,type:str]
+          iconUrl: ENC[AES256_GCM,data:Tp16796JFzlYfOSfI+ld+Lf7hCeS74ZDz0kA/I9P3v6G+3LQAUGOtfFTzx5mTsfpP1eQN4HgD2uU3lfLhSozril1qq3AZA==,iv:dQSq+IiRcepUZqLipRr6DOHH7Hg6h45gnr9LH9dWYdU=,tag:zeq3tVobXsOasCkIAw/riw==,type:str]
-      scopes: ENC[AES256_GCM,data:Lr+kdYTfCVQE25ZGeA==,iv:O6OYdDg/PGj0p2A9vjxPaDBRtUctS1j4TO/5V1gSQ88=,tag:tlDUKeGRIL3Rqep/mpdRZQ==,type:str]
+          scopes: ENC[AES256_GCM,data:3qwG8sYZER/p9GgnuA==,iv:hvJvc1pwUgeatq9R8GBde1EQDJunwZBl+cmsqJr1PBY=,tag:ov+WHCFaNaA40PPvOzVPqQ==,type:str]
 sops:
-  kms: []
+    kms: []
-  gcp_kms: []
+    gcp_kms: []
-  azure_kv: []
+    azure_kv: []
-  hc_vault: []
+    hc_vault: []
-  age:
+    age:
-    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
-      enc: |
+          enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
+            -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2V1RNMmlZaDJDMzBXekF1
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZ0IxQnpLSmJjTm1jTkI4
-        YmdlYjNBTEhaYU5YYTZ6U1pHckl5YVZ4WVV3Cml5RzkyeHVCV3FlbEpoanlZOWk4
+            NkhuMUN3RVp0TEFSNHhtTkFvWDFaUXVpUlIwCkxWbkxnQkY2R3g0cUY5VG1Kb251
-        RlVoL1VISDEzODRaYUs0N3JldXE4Q28KLS0tIDdqK3IxcHpQdWJoNHR4VCt4MVNm
+            VUhYZlNCWC82Z0h3SHpaSnVST2h0WTAKLS0tIHJWR2FuT1ArRFhMWnV4cW9EcnZw
-        M25EVzZsS21OajdEKytoc2VBYm5SMU0K1wvfQOqBbAPyh1SxiONFSFO+a591HG/2
+            UHpBeWgyN21CUThydi9XdFc2V2c0TTQK38CQDRnFpUmWjyvDGGQ3vQxhBvy2Xva+
-        DJvP643yXIWBOiNTxjbQDygYmxwk9GbFmGlVf0pQoUEuH9D4SgCwJA==
+            SCd8sJZc/bnVDOEidvV9oxJz4y0nj6RvgzcsU+M99YBJcuV12xPqag==
-        -----END AGE ENCRYPTED FILE-----
+            -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-10-14T08:08:22Z"
+    lastmodified: "2025-03-26T11:56:44Z"
-  mac: ENC[AES256_GCM,data:Mel9AWdHERKt5xsDI7KmgINBCMAsfYrs/jgwQol+UVuiFXU73tAFeUqOZRDFwuzKBfxQExv8etBlgV8Q6Pdg0VojBLLz75BYZdqz5RD1VnllJ7y5/jCwCTyTbWxYQZpgj8dle0KA2NxoMraLIQY+gnvunqlAcIJgPZG9KY1UB3w=,iv:Nozpe5X8kwSrb2sturuCQBA8XhEQSI5nLRzBuCDFfz0=,tag:8kVcjwLDNTBmvDRPj2ELyQ==,type:str]
+    mac: ENC[AES256_GCM,data:cc0H+6P0uTl5kpMR0B9o5BP8l1KHjLHdMetPlmNEVQo3NCzm+0SBjGYOqNhr0EG2Gd6RKdsAADrZAwyH+pXA2pmNVdIehDBu4Xncwi8nrUY3gm3jBIG/01H5VLqtZCoLfbqQ4ANHrGhn7JE5bwrXbbmD4t/7E2i7qHLukPj4S8w=,iv:3+llbgLRU2tMr+S2nvyA8hGfCnnWnqprGSW9H3VSCH0=,tag:gzMc8wSjZfa4h0eN3V5Ylw==,type:str]
-  pgp: []
+    pgp: []
-  unencrypted_suffix: _unencrypted
+    unencrypted_suffix: _unencrypted
-  version: 3.9.1
+    version: 3.9.4
--- a/values/badhouseplants/secrets.redis.yaml
+++ b/values/badhouseplants/secrets.redis.yaml
@ -1,26 +0,0 @@
 global:
  redis:
    #ENC[AES256_GCM,data:d/vtscwAkAPFyRz6Ap29M/oZGEcX3POnzAd6GCkHIiTLFinXzOAn/ruMSiMsnL9lJxj50foVeLIXnmtFDGxUPsxNU9jePD037t6vbtja,iv:ALXE7IPi2d79rOpBMwlfi9IPtcvfoSAxsDHwiVItk8U=,tag:cMoKK0zkagLc3uC8Ry5hBw==,type:comment]
    #ENC[AES256_GCM,data:XQ6nK+hlKfFOBDye9a2a,iv:ptA0TWsjVjOQGOCe8leC7ZjRX8gSnbjb94NWZMccxSs=,tag:9vw4k4N1wI/C7jf7ZPxi7w==,type:comment]
    #ENC[AES256_GCM,data:eTsTA07O2Y/468A=,iv:ZWOZO3GAYbU/Bq5ejdzDUsrYpkfwNtK23zH+XS5PUsk=,tag:KL1Z0a+BxBW4Y+aeJb78lA==,type:comment]
    password: ENC[AES256_GCM,data:kFbVUyKL0B9GhOapmqOS/FyTaXZEGUmSFFLxYIzX,iv:sLue4AmkT12DoPrWH3VxpvXFBHYhYRUTWcNoC+ojhGY=,tag:ikQsyximPvONoANv/61GXA==,type:str]
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORUEvSlFCTzh4N2NGVkhO
        SlJXQlNvYjdCQmVjQWVpZ2YyUjlmWkZrWVdVCk1FK1VjVmpCWEVScVo0YldZQWxE
        L2I1RnNsVWJGRll5MXNjam1zMzU5OWcKLS0tIFI0eUFEYTdyWkFEb0xQeTBaZi9J
        aUJ0Umg5T1BFN1lEbThJTXErUkxKaGsK1Vvk45dshvEGF3OZfrLJPabHgvWFT8ps
        f7Ygd+3XhZUBUBi50Em/xzmKQXL0I0Ps9JetSbQ/Amlmp9gU8VqRGw==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-10-14T08:08:22Z"
  mac: ENC[AES256_GCM,data:9dykGJs5NFjahNZ+4orzMh2u7UBRHMVCv5J9QxRqAzE2aT556W6bZoV9n0V5b7Z6jhVGHFxA4do9RoFT2lq7aMVpQ4nl4iSXuavPiuoBeq8aIwykpCF0cs5dHxQP7R5US2A8rzsSScIBbB2i1LhRtpiVVGmekVp1YSZJWcNhMNk=,iv:tWf4DjEcAff4LupkpFiR/Ss3iYBqtvcQGW/xAeCDIvw=,tag:nbWpyxzNKKrbo8HjMBbeMg==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.1
--- a/values/badhouseplants/secrets.renovate-github.yaml
+++ b/values/badhouseplants/secrets.renovate-github.yaml
@ -1,22 +1,17 @@
 secrets:
-  RENOVATE_TOKEN: ENC[AES256_GCM,data:NwkAP50vrUc7dVB0wyWTgFDd+axltTqdyXuXFHHkmO2VF4QyV/svsw==,iv:kr53r5w7lVo9luC36mHghZ8fabo6/da8vLFEzhEOgDE=,tag:UnGnSXuvwlSzVuL6pEUXsw==,type:str]
+    RENOVATE_TOKEN: ENC[AES256_GCM,data:ohd4EhTlhRpQ+IXVf1Nb73+h0VHrMZduPhkbm53s3/+HRKUZd7JepA==,iv:qtbH0lz9Li+jjWcef6JGRpbcsOGlG+e3TNHDukAK2HE=,tag:KVmari0LUGHVb61VSFtgXw==,type:str]
 sops:
-  kms: []
+    age:
-  gcp_kms: []
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
-  azure_kv: []
+          enc: |
-  hc_vault: []
+            -----BEGIN AGE ENCRYPTED FILE-----
-  age:
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TGozODRjVzQvdzlvSE5s
-    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+            RTlReWNSWDlzUVVLVmZXV1c3dWVwUU9hbWw4CnJUL20yTFpHMUJFWTdYQ2JWUisx
-      enc: |
+            Y0djU2FhaEtVSTlRWEY3Z0RnOUhVVjAKLS0tIEZEUjhqUTRtTEo0L3haWFlRT2JS
-        -----BEGIN AGE ENCRYPTED FILE-----
+            QTFVWU5RSTBldzBjalg1TFBDY3hGUEEKCH1rY+tGtRNGMYrfSjqXbVsrPAleVHDO
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZDVVZm1UallMRzJpRVF0
+            Altiz0ceC5ODo01zwBf63vDVqjZtbIQNZ8oQ8Pjlktp3jCpL7JNK9A==
-        b2dHaUJlQldOeHN5RVhydm5oaG52ZG95SVVzCkZ0enk4Mit4KzV6Z0ErTmxhU29W
+            -----END AGE ENCRYPTED FILE-----
-        R0p6NVBiRjFSU0NWUjNKdGU2WXdrcFUKLS0tIHFURlFVLzJ5NkJVRVpCV2I5U2E4
+    lastmodified: "2025-04-01T08:52:26Z"
-        dE1VWExmY0xEdVlrZW8wRzlPRkVrRzAKVZHyy3AGktGuv7KEQX/M0xjyU/7FpgSB
+    mac: ENC[AES256_GCM,data:6PyWgR3f7lnen5Jun04Tsw1P7rcAgTSuF+YEh0fq3r3xHvQYFGesfEO4PHLfCGYtjyyCeyzpwBUIoUHTmI5tRYjLwjwRiIu/GH75eSLOx0y0gYMl8JUeaPxSpPvElpii3XAm7vKEJhTR9QzNuzduf0Q1JdlR6TM68XM8g78zeSc=,iv:CqTrPYoLg4IgW5zTsIcmGQUg5RfK+IQmxeQIQbd6oqk=,tag:P8Je5EhAv5TqqT77nPwlHw==,type:str]
-        OrWzXXds9h8PWC/19FU2puvdIER1G/2CajEq0PQmaC9YMvb8nLMv0w==
+    unencrypted_suffix: _unencrypted
-        -----END AGE ENCRYPTED FILE-----
+    version: 3.10.1
  lastmodified: "2024-10-14T08:08:22Z"
  mac: ENC[AES256_GCM,data:5FV7wwVyhB1UQOLW+iYyeImXAPv3dtTlw3Qjg2rBVBmbC8vHNpXFWloBhFeTSN4VAEjxm5tqACdP3IfNkrVT1SnYeySh6Xl/sdcAuAIao7uMjLDT/MK02AcS55T9pt7h+H4nkdNatMAX7jLKbHJwNoAnL5a/FgX+gKizAg4PRHc=,iv:7HRq2xMClJXYF2S9SQeYLZwCn2EOEc4JkEFzgze2e20=,tag:Fb3fm+wlnywr0hBfw5xyQQ==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.1
--- a/values/badhouseplants/secrets.server-xray-public-edge.yaml
+++ b/values/badhouseplants/secrets.server-xray-public-edge.yaml
--- a/values/badhouseplants/secrets.server-xray-public.yaml
+++ b/values/badhouseplants/secrets.server-xray-public.yaml
--- a/values/badhouseplants/secrets.velero.yaml
+++ b/values/badhouseplants/secrets.velero.yaml
@ -1,26 +0,0 @@
 credentials:
    useSecret: ENC[AES256_GCM,data:7gOgTQ==,iv:Wiutik5u1CZ3jkI5lL4JLwvKDQrjNPSfmnyet7SBVzo=,tag:SYm+fm393zhqNMKejQfYKw==,type:bool]
    name: ENC[AES256_GCM,data:NKs3qbFPKGIhXI7lzGTq,iv:MWumBc7eHro/P1oLZxQArvfoWmdJN+S0d/Qxb+ohI9E=,tag:pxJQzB82Us+UflGc271wGg==,type:str]
    secretContents:
        hetzner: ENC[AES256_GCM,data:tlumlKIfwugQj5Dj8Lu9HuEcKRv8v/JhTTz4oOvRavxmeBIGElfn/MyWbK68pagfDatyKsrYjqPTutYykJWVOWdHFOCIXunnI8vkDbzpxAH0BqyZQrek3s4mkTOPJkjfW6V1MNr5AvWMYLwptcIp2Q==,iv:E3jBlMgIXzuLCNVxEBlTiiVpLCdEolJuv96bSYamwLI=,tag:4zkhZUu+on0K1zF4/8tiWQ==,type:str]
        etersoft: ENC[AES256_GCM,data:/kQ9eCnHIfDSzHxy2tbVgwe7C0cF+l5LaKCgksodxUJgxTQs2pJHyx4cluoW62RwOQKHxMCy3IaqphD2zZOIVKbR0q3xVmBoxcBxrKE5UIlSxbQ=,iv:YcJF8OMiFMz147c8lXVU+ccjq1okYnHiwUvJLmJHi20=,tag:hnwtfAkBCpZUy4TEGtMOOw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiaW9NQVR6OGtLV3ZqMThn
            bWsrcGZKNVk1cXB2aDc5RnRNbTMwZVoyRERVCnEyQ2tFSlZmTnhRdGQxNW1BVGNs
            QzBjM2tXWnhQYTBaR1pUZnUzMWpYTmMKLS0tIGQ1emdDNlVGdzNWRlRQcU5xSWxB
            bWdPdVF3RjU0Z0RQWXZWVUVocVBTeWsKogQ3kmwrShfBOwMC+JHNiavRHryv+WNY
            dkUkONkUH5HEWN/6M7bsMMqjkH0D/upD5UXOXr4fiibcM/w+XI/BpA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-12-16T14:51:45Z"
    mac: ENC[AES256_GCM,data:65vGxoFLwH9WpxvqKYi1FEb8DhRWpq4K5cTjfqQEXDxbzKDk/RjTtHpFZ2iLnAOcL2ECvL+JU9yPeM7fS06nTW/TC/oP3yNGfyJp84IWNzrBVBE8HCTaXthxcRSIbGwvdCihViT4gZU7VkMaDt1WnEesjq/KQqcK/TSpCxhSyjI=,iv:HPfV3MRyeilrAFprdsLT6H//V74YzRiGM8O7TmU/g5c=,tag:tQHA6JW5ELAUXzIlJdLYFA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.2
--- a/values/badhouseplants/secrets.zot-mirror.yaml
+++ b/values/badhouseplants/secrets.zot-mirror.yaml
@ -0,0 +1,22 @@
 authHeader: ENC[AES256_GCM,data:nmlP0vRoKJRivvwJArnEO26sqIwFtnK5MYVPJBBCmAGCPpe/U00gYu6JET0gPqGV,iv:+GZwWrxoWw0mAZxZdITBLtHgRKYIyaj/NQwHbD8KppA=,tag:MAer3FiaBxyNwJr0BbDtow==,type:str]
 _mirror_password: ENC[AES256_GCM,data:W2xy2RMmD4d6N+DNceIgtDGUpygOGEbWgGa9Icsy,iv:YsQfm/EmBYY35q2irlZ2rmzkbJzlFnfgMSEKq0G1I5o=,tag:7rNG02Wm9g8GUXeM4nTHqA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVUlyVFZWcWFuWnEyS2Nv
            Tkx6aTZKY1czQ25RTHhKNWNNQ0xIaWJLb1VFCkdoT0RBTW9EWG8zbzYxekdsUEY2
            bE9nQUthV3NCa0kzRnBwZ2U2MWlVNzAKLS0tIFY4RVJDM05ZVmR3NEt5YUlpOWZa
            ZVc1bmJnU1o4U3NGaGN0Sk90YTR0ckkK8gmkHty4Gwt4vuVK3xhWWg4h/EgvJULh
            Trgn0lzx2pCThg/+82u5J1T/QLXdbbDFFFwGldiMwNjZQfpOmrZpVw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-26T21:04:45Z"
    mac: ENC[AES256_GCM,data:cTN6wq1m1XtsfNujCfQ4nKtX1Pkc8MFCipUeScDLJUuZZwg4St0h1OkYtYJBWeVSt3CSjjexQpb7Oi9K8wukboIVevaIj0BTT1hkf2ZUFeIV8W62mtftfdRex0yJ/4h1gTZaYBhHEw+qD6r+XvavDs1m22FF5RuF+5qfGUEWA4I=,iv:RsVuXbLVfZSJ7AkIvEdf7H2auFTiqXgpXLe/LbATAo8=,tag:1V5eIiJzjzv4C1JNNf5Quw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/secrets.zot.yaml
+++ b/values/badhouseplants/secrets.zot.yaml
@ -1,25 +0,0 @@
 configFiles:
    config.json: ENC[AES256_GCM,data:AmfyqvKW4RhxD3mbFNP9Qt6oKzvpPY78ysCwCDoQAHW2exl9p7JtQh/8M66HyE5dogTyKYfl5cpKrgafWu7ndfN6gCF6puHPC5uELFmJLpla/hrhivpBBjcSj5n4Nc3mgJVSndJvyvkOa4c8N7NInr41LDh+Ndv6kbEelyTOQw9gng5eeI/jSzYX6y3Zrt7oc+5FBbOABihBbz8Yfxww1QHnY6YDyuoSVrjf9Z3kQKxW4sJRviBNJGE+OCWB9oJ3RQ2RecamlX0XkmZyuqDCXU52OAIm8c5qDVd6QJR2so5wvrN0o2OWC8BMKLDWLw/TLO4AS9K4OWoJUlOGE2z3qxUG8moMxzHw2rCzBq1rMJaeho0/CZGiVPQWWzoruRurVCQoLXt6L5+oQSQj4ibpeJkP/Wnq3inT0EzEr41uas8kj7DdEJ+pKKy5tUdJXm5CRQfgFB8QdSbq/VE0alrsZ43iYNCj+CKWwnjPJ4ZGQJkNQKpRaBqrhnaGpuRDbJASSffSksrRxCunv1O2aqzY/gyrRieTU11SpCnQZ4ll/mhW6lhyuvLb741rV6vAHzaRnranhzLBECVIo/dy84tqNZ5OXUdXHBPRMzr+UX+2GdvcfGgzfaAJIeMul5Nl+nQAS/PmQOfejNTBGNQKKbz/i0+Mv/AwJvdpWA2laYjABPubFVM4671LPjVhEcFRsjnfYWs2MY43woTXVrjKZFghH5h4frwFAs/OhsYcPR0bOHMhF8brQgPHCsPWp5NhyhwRq7310krGyca1xdBvj+2oZHOohIvXk6hEHO7MFTOrn9iAeiGOnCn22GQZaK7EE2aKMleMJwfIo2Dyy6X+s007K+3Jjbt4yvUruB7hHkcVYyfHUABJLbkXPNUJ7xLgbcRXIaHJHlZ11prhBp2UDUgw9oSt/1kUHI2ZU46AfglWlGyd4xd4SgGmhs4R++P/O6GviVJXbIDGEA7UA5h6hlMNx3vuKRnjRl4OpSZbWQZh23dK1Kh1E5hV8TqbaPI8Wv7mvGd5QVRWMhwJp5dW004waifhrZNlZm4xEld1GFupK+ForBX0QLkk8juD1GBuYbawO8YTKDg5xlAKQtlVUmEPvVsAiGArYuPWuN34OqazWLvzXM1UFK9sztEPHwXgA+sOitOAOjEBfnFY0tYe6m3xrnHRNqLV2L1YK1F1V6g/+j60YHc3lofw87KpaaVJD7xF+HR9Ly2VskOmu2KTVD+j/ZIJWjGw96Asf0K5mKzBkyFGaFFYNpeHw9A3cGVYCYy7S9bFMVlPhoCJzAY4fyTw9GtpYKrXzL/u6hSOa0FRW5uvfvbCcK0spfT/CqFHkeRhNxleCvAkONZUfdKWdwvySUuRlV8rZfLOHX6IgosepvyH0WVaJpp6GBD1jyricfvp3eLocEY9Ih2eTB3j6IML10qMItdWv377B4Jnch/e3enNruivvptxAvq+rseiN+IHA/m6+xB9ZNmhIphTCfLyn1/pNb4uLfcMCldKqjzaIkAWcO+BhHJWLWvbms40uWsQ5tzdaZRcmvKonPGSKiOfouCOKZvos7uVmyTsXDFZu/2JweYu7DqrrxcJ4+dVzwcPA+FXI7DSV08n2DyOAMY8KjWkCw4pXIrT4BRCXjZaJbU5YE/25P/u9o3wjyv0+MICiGKGnNj869VG58CHjx+cjQegAAxC6XAk7egCXkRGZMJS0vnIlIAU7bDf6fYsTiOZ5BUtnjflFOA+z0apdzDjtA3aMdhzYjNmk2kLMo5w5h8k3k/GJKJFes/FiGJGQInaYizJDU1NewKZbm9kMNZsjUCVJG9aH2gXTngfRBGhgYAZG3ENBHR0wexsbBu8YpSzHduyzvrhvIlYFkdHVL4Pj6kdBeqA6FMWb9pVbIMlqW8tJeo+6TgBWUR9mWzEtGcUVpm9VxHorE9A7ten40ZR1nOpIDv4549LbxsqCrX3+VMUgVl/8eVj0iLCsKvThhuCRWB9gUfNBlHw4bxvteXMLiqhiuHY4X+8y9N9IlJKLtW6Pf2SedvrPNuTbJvPBog5YaKN63au7q6MNQZdAWhkKgcpgSwPwT4bK/uTsvrk0VAChThsMYUvgGY9NnN0qLlgZzQspFAhnBbnM3kCMjV8zgw8sPh3m8jfei+Hxz3CVF2gFGgcgG259hNjORZDqTXRiRZkVc/TtFXJKsPCuOK1ieGc4m+yqPUMp58tjL09tfAO3jmS4FY/FW4YohLPgtlvs+IFsJ+gh2VHGNNDuHUMwjRsBG/Mg9Ayz37jEphtRbE5Z09BN2b9v9aqzVrmMPW5N1DcaF5+aO8qqumUg3GC1dP7meybanfSF0qGtPH9VE8upqFqUWmaNDlPgPZ6KNwEDJyiAdRtnb2CA9B9ejM1A3BizjzcXMK/nTOs2+b79lmpXs0ziesNvDHuB3hyW8JePmmgBQF0GWx1lPNErBLYCeGKINSpUXn87OE7egKNlhjIEm//GqmPFA565uVkyhFgx/k0yw1FKLFP9M2ToJGScwV/wfIRXtcPioZ92uvrchKK2b756SDNIIR624jeHZioYmXvQMeG+S4vRPFz/QXKKdQ2OVaLhhWz3nocv9FivKb4rGRLm9FxcuGsY6DsiAjyYKkXIfcT/qXgMOnyj1BHBReFcrDHWb8CwMNSJ/tOewmToyIbe/lwbDUB5fOKO11tiXmLvaoSIJDU6k3Ls5z+A3IY/7wQbfwQb7Dnd+4w414ajfdJDJ7SqlBpTCjlrhJzmUXsqd14mlgmcmPBu4I9x8/kiYaIzHXUh3vS9URX2+3ifoXJm+KaiPTiGPJQIhoEH1kDFGm3PTxeFizgqlmQd3nPSDSUDaeE1fg3H2fn4/QxCJYTK2MZhTl52aswDwa8UWiv1zfCmtVLW2/MasVyjcPxu1PfCdGF59VKUQHQg1QJKSCYZ2tZmd+JiRLVSyXoUtyqJ5V4u4lSzhaUv+8ApaHRCVOEh5HwPtaDYVLrdcigxKmiMiqCAGdYEpPD6pn1N+KKCSQx/nhUTRBQ+4CEIEJBz7Yv+LLgkWD0T8tZb9pTAjt8MLNzeglomsAPX/LRkxgXbLUIvlcTH0jvDMPmvLCshzDvtckIzOj4bFdxVEdLo0JA8URFp3oP5pTqZGJXR4fx4Kgl/cXJwyX43VttNDPyc96KIBF33oy8c+z17OyQplcoFzFBpvaqA0cvmcl2BBtI1On4jYsx0VSbqKyOU4JawLcLcAOOTjYyYAC2iGxnn8gSoZF1DK83G/GRF1y23XDeoWSl9WMVgOiK35od3ZRjeaH/5Rq0Nq54bbJE4sN4DyjFJXkDbP10Rj3/BZp88AlFMCZk+9O2bUCbTzyqP9YO9QrgsnWxnms92BRXu/KBL+G9Ya3MH8DOMjXuFkuhN47PeZpMohW9ECVx1jHuC4eIpihh0oZKVBd2mULx48pYIHf8Fp2Ab4fafqUD7Tka4pN9apcZo/u04z5DW9q2S3T+c4G+r4O0y0R1GLDcTvTzVRxyzm2D1t87C9tZ1X3uPkQlechr86l5I4ylNghutX5wPlFSwjxKMy+ZUd09cKKDeG1GMvf5dXmhY4dvxxynFue1Ykq+ymLETogIdn7MZigUs0hjd2QgaQ5H/uarpjb8apovRPqyXUgfGQ06JjZcSCVLTuBeGahi1mI/WR2eM399idK5arUYhmjBIINVu2Wm47tgKiwYYJYdoV3MwbbNudMZDr4MP8HK+TTHmf03CXQId9htKOgJDosnNMiB+QcGGPaV2W5hv4bQ/QwGeFE7ZR+4h4NnrezE1OGfiqLYnCGZcmUl5G8WjMj5DW0nyQ5gHJwS1kitwxYzFwwKPYUv7Y5Sq182HdQ7Ox8wP74XAjlW+1ha5+tcJymNe8H9viPU/Z1QipmuZTgpNop/tLH6gc0qNkTlT2qpM0EY81lqQAB4j3IB9AFk91x+gOBszTXp/w+T1ZgfJ9+btxQnK03EqAPaI6G1n1ifpRg=,iv:O08z9Dz3ywRjsFu3Uu22+87/ZoElw0hmvsYPKYaBFuY=,tag:ph4Zi+Br9cdGIlldKw4TGg==,type:str]
 secretFiles:
    htpasswd: ENC[AES256_GCM,data:qdx8p+CfYhStN+gKUI5Zt5KD5R0AfZQUiERw+SVXgp7+zxYbcj/ZcdKgxLi06U2HJs1QTNdoTx5eDW5QY0CNUMxKdoGM7JSZwr0dckRAT3xGKyMUbzz4CTdi5UOSRX3EtI8F65tCDLWlneFWrWRzGgIOq6gNQV0TqGyzNfQClZ470AanPcpWFg==,iv:vZJF925Zq7xPsV9OLOF5eSMqNwtCc7FNfWNV/AQFdjQ=,tag:P/IezO7b4vYKA82OJUusVw==,type:str]
 authHeader: ENC[AES256_GCM,data:pa9BRXRwPJHQyD0vzQjkgKu8YCbQwFAFgz3swq+Ofl12r5t5JFfKkU35zEKb7wJq,iv:xL2e/6sFxO4/FZRDsBxgzNujsLnIXO4LeEHsscjMIXk=,tag:oeb368hj+PWh9y4pLN2mNg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5QkNnYjFxN0xVVUFHOEJB
            NnZicWVWOTg1Z1hGSmNjQU43RG9PNTR5Y2lnCmJLOTQvQndxN1dKV3pyZWdKOFpo
            V0ZZbjRhK0tIaXVERnBFSFpybUEvNWsKLS0tIEY3d25aTlNCaVpxUCtkdGduN056
            VFRWdXhMYmd6am9aTXNUYXRaWllpYncKxYAq1sg0mAvAjX7mfekZOcR9y9e5gSF1
            L74UaXFN/OeQwzqlA0W+EuBeMvj5Xrp7ENconJ0P3ecAFa/t8VujPg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-02-12T16:13:40Z"
    mac: ENC[AES256_GCM,data:N6uiTszn+I+L2HmWDLG9/h1sttQQltvfM/7Lq3tdRei6fn6Erog6u8IKbr0guRe/sJdt0SMB0xE9gB46Ldwyv7U+Ut5gMSxrxz7FEZSBeH5ZKegGvmkPIqafwL8frZqwlR/3Kmbegs9yAM9VEZ/qcprx2M4gpffiKTATxbm0rI4=,iv:8OMSYrUxcOeuVnbOXoPgs42QPTXLOICnLvXuSbQBz6k=,tag:QPqwsHn1ktM9O2rsohMIIA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/values.gitea.yaml
+++ b/values/badhouseplants/values.gitea.yaml
@ -40,11 +40,11 @@ replicaCount: 1
 clusterDomain: cluster.local
 resources:
  limits:
-    memory: 1024Mi
+    memory: 1.5Gi
    cpu: 1
  requests:
    cpu: 1
-    memory: 1024Mi
+    memory: 1.5Gi
 persistence:
  enabled: true
  size: 15Gi
@ -57,8 +57,7 @@ gitea:
  metrics:
    enabled: true
    serviceMonitor:
-      # -- TODO(@allanger): Enable it once prometheus is configured
+      enabled: true
      enabled: false
  config:
    database:
      DB_TYPE: postgres
@ -82,6 +81,7 @@ gitea:
      LFS_START_SERVER: true
      LANDING_PAGE: explore
      START_SSH_SERVER: true
      ENABLE_PPROF: true
    storage:
      STORAGE_TYPE: minio
      MINIO_ENDPOINT: "s3.badhouseplants.net:443"
@ -128,6 +128,7 @@ service:
    type: ClusterIP
    port: 22
    clusterIP:
 # ------------------------------------------
 # -- Disabled dependencies
 # ------------------------------------------
--- a/values/badhouseplants/values.istiod.yaml
+++ b/values/badhouseplants/values.istiod.yaml
@ -1,13 +0,0 @@
 pilot:
  resources:
    requests:
      cpu: 50m
      memory: 2048Mi
 global:
  proxy:
    resources:
      requests:
        cpu: 20m
        memory: 128Mi
      limits:
        memory: 128Mi
--- a/values/badhouseplants/values.memos.yaml
+++ b/values/badhouseplants/values.memos.yaml
@ -7,20 +7,29 @@ ext-database:
  credentials:
    MEMOS_DRIVER: postgres
    MEMOS_DSN: "{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
 base:
  workload:
    containers:
      memos:
        envFrom:
          main: {}
          raw:
            - secretRef:
                name: memos-postgres16-creds
-workload:
+storage:
-  containers:
+  data:
-    memos:
+    metadata:
-      envFrom:
+      annotations:
-        - main
+        volume.kubernetes.io/selected-node: bordeaux
-        - secretRef:
+    storageClassName: openebs-hostpath
            name: memos-postgres16-creds
 ingress:
  main:
-    annotations:
+    metadata:
-      kubernetes.io/ingress.class: traefik
+      annotations:
-      kubernetes.io/tls-acme: "true"
+        kubernetes.io/ingress.class: traefik
-      kubernetes.io/ingress.allow-http: "false"
+        kubernetes.io/tls-acme: "true"
-      kubernetes.io/ingress.global-static-ip-name: ""
+        kubernetes.io/ingress.allow-http: "false"
-      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+        kubernetes.io/ingress.global-static-ip-name: ""
-      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+        cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
--- a/values/badhouseplants/values.namespaces.yaml
+++ b/values/badhouseplants/values.namespaces.yaml
@ -1,18 +0,0 @@
 namespaces:
  - name: kyverno
  - name: velero
  - name: observability
  - name: databases
  - name: istio-system
  - name: applications
    labels:
      istio-injection: disabled
  - name: platform
  - name: games
  - name: team-fortress-2
  - name: pipelines
  - name: public-xray
    labels:
      istio-injection: disabled
  - name: org-badhouseplants
  - name: org-onpier
--- a/values/badhouseplants/values.prometheus.yaml
+++ b/values/badhouseplants/values.prometheus.yaml
@ -1,7 +1,3 @@
 # ------------------------------------------
 # -- Istio extenstion. Just because I'm
 # --  not using ingress nginx
 # ------------------------------------------
 coreDns:
  enabled: false
 kubeEtcd:
--- a/values/badhouseplants/values.woodpecker-ci.yaml
+++ b/values/badhouseplants/values.woodpecker-ci.yaml
@ -4,8 +4,8 @@
 # ------------------------------------------
 ext-database:
  enabled: true
-  name: woodpecker-postgres16
+  name: woodpecker-postgres17
-  instance: postgres16
+  instance: postgres17
  credentials:
    WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
 server:
@ -41,7 +41,7 @@ server:
    WOODPECKER_ESCALATE: true
    WOODPECKER_BACKEND_K8S_NAMESPACE: pipelines
  extraSecretNamesForEnvFrom:
-    - woodpecker-postgres16-creds
+    - woodpecker-postgres17-creds
 agent:
  enabled: true
  extraSecretNamesForEnvFrom: []
--- a/values/badhouseplants/values.zot-mirror.yaml
+++ b/values/badhouseplants/values.zot-mirror.yaml
@ -0,0 +1,160 @@
 image:
  repository: ghcr.io/project-zot/zot
  tag: v2.1.3-rc4
 ingress:
  enabled: true
  className: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.allow-http: "false"
    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
  pathtype: Prefix
  hosts:
    - host: registry.badhouseplants.net
      paths:
        - path: /
  tls:
    - secretName: registry.badhouseplants.net
      hosts:
        - registry.badhouseplants.net
 service:
  type: ClusterIP
 persistence: false
 pvc:
  create: true
  lavels:
    velero.io/exclude-from-backup: true
 mountConfig: true
 mountSecret: true
 configFiles:
  config.json: |-
    {
      "distSpecVersion": "1.1.1",
      "storage": {
        "dedupe": true,
        "gc": true,
        "rootDirectory": "/var/lib/registry",
        "retention": {
          "dryRun": false,
          "delay": "24h",
          "policies": [
            {
              "repositories": [
                "**"
              ],
              "deleteReferrers": false,
              "deleteUntagged": true,
              "keepTags": [
                {
                  "mostRecentlyPulledCount": 2
                }
              ]
            }
          ]
        }
      },
      "http": {
        "address": "0.0.0.0",
        "port": "5000",
        "externalUrl": "https://registry.badhouseplants.net",
        "auth": {
          "htpasswd": {
            "path": "/secret/htpasswd"
          }
        },
        "accessControl": {
          "metrics": {
            "users": [
              "admin"
            ]
          },
          "repositories": {
            "**": {
              "anonymousPolicy": [],
              "policies": [
                {
                  "users": [
                    "mirror_user",
                    "overlord"
                  ],
                  "actions": [
                    "read",
                    "create",
                    "update",
                    "delete"
                  ]
                }
              ]
            }
          }
        }
      },
      "log": {
        "level": "info"
      },
      "extensions": {
        "scrub": {
          "enable": true
        },
        "metrics": {
          "enable": true,
          "prometheus": {
            "path": "/metrics"
          }
        },
        "mgmt": {
          "enable": false
        },
        "sync": {
          "enable": true,
          "registries": [
            {
              "urls": [
                "https://docker.io/library",
                "https://docker.io"
              ],
              "content": [
                {
                  "prefix": "**",
                  "destination": "/dockerhub"
                }
              ],
              "onDemand": true,
              "tlsVerify": true
            },
            {
              "urls": [
                "https://registry.k8s.io"
              ],
              "content": [
                {
                  "prefix": "**",
                  "destination": "/k8s"
                }
              ],
              "onDemand": true,
              "tlsVerify": true
            },
            {
              "urls": [
                "https://quay.io"
              ],
              "content": [
                {
                  "prefix": "**",
                  "destination": "/quay"
                }
              ],
              "onDemand": true,
              "tlsVerify": true
            }
          ]
        }
      }
    }
 secretFiles:
  htpasswd: |-
    overlord:$2y$05$RhAeAsFY32y8h0japhT72.SQTPXgHc54RCp4CZ4Udsg2.iQxJVeZ.
    mirror_user:$2y$05$PkvVMY04ZGvuGUXkrez7peyXevl63ugFbdxZ.ON1G/Tof/0Uf5vZi
--- a/values/badhouseplants/values.zot.yaml
+++ b/values/badhouseplants/values.zot.yaml
@ -1,5 +1,6 @@
 image:
  repository: ghcr.io/project-zot/zot
  tag: v2.1.3-rc4
 ingress:
  enabled: true
  className: traefik
--- a/values/badhouseplants/velero/velero/secrets.yaml
+++ b/values/badhouseplants/velero/velero/secrets.yaml
@ -0,0 +1,21 @@
 credentials:
    useSecret: ENC[AES256_GCM,data:JeoOyQ==,iv:fu/UL5pN+RfYRluV1ipqbJ7AMmb6mBzo9Cs8MEaH90g=,tag:SXueO8IzwQ12MjSQUx5K4A==,type:bool]
    name: ENC[AES256_GCM,data:jHBOoXdfbcm9/tWworFG,iv:EZdqinT6tBFS2t7/l3bA2A5OspmmXVBhlM4ENIMlWeI=,tag:ltP1tFsWxRiQV8GgNe2RmA==,type:str]
    secretContents:
        hetzner: ENC[AES256_GCM,data:cLAnAdz3RlBE4YOVDIcQ+gjWxsA2jsNJgh2zkBV9LbPHU2eJDaLmQIzGov28vQK0tpdGBk8uncjg7eLVpqQFnn/+4mbMrCICLNqeNYJNG9sTRhBoA8EqODRQ7mJoHMdvSqk8dp+9nGXrgO/HCKZCbg==,iv:pEQbq9pqWcuUG3Jj93QNbD4N9a/NxLPc1XqmfYNdOoc=,tag:Ss8hyMYYm24UG2aVXw6MQQ==,type:str]
        etersoft: ENC[AES256_GCM,data:f7opp9R8bLoOSqpzJdjUXiVHF0hxH3uE+fRQfgEA/G0wDrPio6SPNUG+ROeZCrLJgizFTR6x4/r/yTIglEeaa9aefF1OG9dEdlpko7AALnf3DYQ=,iv:NGXNl5BbQS5dgVn5wNqN7ba11AeDgHXPloYTBC95l2E=,tag:kA/7bvS9h20/a7se5e1zUg==,type:str]
 sops:
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2emd4d1gyWjlYL3dYRmw4
            Y2J0UkJaMTR6b0NsNTVzcTBHMXJ3WnNRdWlJCnB0ZEJmclRzY0Y1WEsvQmRWYU9k
            cDRtQ3J4azNBUnN5bVUvdm9EbEo1ZHcKLS0tIGN6L0VpTWlQNm1sVnA4UldBbk9C
            Q1dWek5PVjNkZUdJYllJSTZhQ1p0QU0K4LFd1ITs38M101fqy6KZGZ43x4Ou3VtB
            EN1uxBEt5AdfX4F+FbOnA5qAOUdRRN31TjIXs948E/1vgm8zRxSx1Q==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-04-02T21:11:55Z"
    mac: ENC[AES256_GCM,data:ArJNDbctyrzJIVo9CojFPAKlhW9xCBYvfpA27iG2YGWYfCRQ0uAIVmUn0jVsbfYWdtQ5WZD7p05itXMobQMMlFlv3twi7B7taXYXQQzZghhOCVJBYo8I3gFl9wxVpKHNc+WxuerFCQUCOXyBMI9CLmXsKBwlciLl78OSU6SMe/s=,iv:wHFF4yhYLs6QjOcvcU4WDpNyjQZl0dI42mouVR/43Eo=,tag:notDIF/S/r7MlYogftz9aA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.1
--- a/values/badhouseplants/velero/velero/values.yaml
+++ b/values/badhouseplants/velero/velero/values.yaml
@ -1,10 +1,3 @@
 initContainers:
  - name: velero-plugin-for-aws
    image: velero/velero-plugin-for-aws:v1.11.0
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - mountPath: /target
        name: plugins
 configuration:
  logLevel: error
  repositoryMaintenanceJob:
@ -17,7 +10,7 @@ configuration:
  backupStorageLocation:
    - name: hetzner
      provider: aws
-      plugin: velero/velero-plugin-for-aws:v1.11.0
+      plugin: velero/velero-plugin-for-aws:v1.11.1
      bucket: badhouseplants-backups
      accessMode: ReadWrite
      credential:
@ -29,9 +22,10 @@ configuration:
        s3Url: https://nbg1.your-objectstorage.com
        publicUrl: https://nbg1.your-objectstorage.com
        checksumAlgorithm: ""
    - name: etersoft
      provider: aws
-      plugin: velero/velero-plugin-for-aws:v1.11.0
+      plugin: velero/velero-plugin-for-aws:v1.11.1
      bucket: velero
      accessMode: ReadWrite
      credential:
@ -73,6 +67,7 @@ schedules:
        - games
        - databases
        - org-badhouseplants
        - org-allanger
  weekly:
    disabled: false
    labels:
--- a/values/common/databases/postgres16/values.gotmpl
+++ b/values/common/databases/postgres16/values.gotmpl
@ -0,0 +1,6 @@
 global:
  imageRegistry: {{ .Values.registry }}
  imagePullSecrets:
    - regcred
  security:
    allowInsecureImages: true
--- a/values/common/databases/postgres17/values.gotmpl
+++ b/values/common/databases/postgres17/values.gotmpl
@ -0,0 +1,6 @@
 global:
  imageRegistry: {{ .Values.registry }}
  imagePullSecrets:
    - regcred
  security:
    allowInsecureImages: true
--- a/values/common/databases/redis/values.gotmpl
+++ b/values/common/databases/redis/values.gotmpl
@ -0,0 +1,6 @@
 global:
  imageRegistry: {{ .Values.registry}}
  imagePullSecrets:
    - regcred
  security:
    allowInsecureImages: true
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Devops Bot	21732f4715	chore(deps): update redis docker tag to v20.11.4	2025-04-08 01:01:07 +00:00
Nikolai Rodionov	8a595bfdbc	Migrate minecraft	2025-04-07 15:37:04 +02:00
Nikolai Rodionov	6855a5c43c	Enable gitea metrics	2025-04-07 14:35:11 +02:00
Nikolai Rodionov	ea306ece64	Migrate platform	2025-04-07 13:59:10 +02:00
Nikolai Rodionov	64d523f302	Migrate databases	2025-04-07 13:42:14 +02:00
Nikolai Rodionov	b2f546f0b7	Fix stalwart ingress	2025-04-07 12:46:52 +02:00
Nikolai Rodionov	5c0aaa1e30	Keep migrating things	2025-04-07 12:45:51 +02:00
Nikolai Rodionov	fa6791c9d4	Some important changes	2025-04-04 22:45:01 +02:00
Nikolai Rodionov	53faa51b51	Upgrade minecraft	2025-04-03 11:56:33 +02:00
Devops Bot	56737d59a6	chore(deps): update helm release velero to v8.7.0	2025-04-02 21:07:20 +00:00
Devops Bot	e5aa79abe8	chore(deps): update helm release minecraft to v4.26.1	2025-04-02 19:44:00 +00:00
Nikolai Rodionov	c46bfd88e2	Configure the github renovate again	2025-04-01 13:09:31 +02:00
Nikolai Rodionov	c6d0973522	Fox production ns	2025-04-01 12:42:59 +02:00
Nikolai Rodionov	8deb163e0d	Fix certs	2025-04-01 12:23:49 +02:00
Nikolai Rodionov	2c0f498611	Update memos lib	2025-03-30 18:18:28 +02:00
Nikolai Rodionov	bb45328532	Trying to migrate istio	2025-03-30 16:10:40 +02:00
Nikolai Rodionov	a8693f41ee	Keep migrating things	2025-03-30 15:51:26 +02:00
Nikolai Rodionov	a659611d6f	Keep migrating things	2025-03-30 15:13:48 +02:00
Nikolai Rodionov	dbd69180e4	Keep migrating things	2025-03-29 14:16:34 +01:00
Nikolai Rodionov	992463b8cd	Keep migrating things	2025-03-29 13:55:44 +01:00
Nikolai Rodionov	4e2a71ebfb	Migrate metallb	2025-03-28 17:18:17 +01:00
Nikolai Rodionov	c32705ffa0	Keep migrating things	2025-03-27 22:54:32 +01:00
Nikolai Rodionov	f8684df5a9	Started a big refactoring again	2025-03-27 21:13:13 +01:00
Nikolai Rodionov	cd6a200591	Fix helmfile	2025-03-26 22:25:38 +01:00
Nikolai Rodionov	173af0f7f8	Start using registry mirror	2025-03-26 22:23:54 +01:00
Nikolai Rodionov	1184e6cd89	Migrate woodpecked and tandoor	2025-03-25 21:08:47 +01:00
Nikolai Rodionov	e3f77b6bee	Migrate gitea to the org-badhouseplants ns	2025-03-25 20:39:09 +01:00