Deploy teleport-cluster instance

I won't use it atm because it requires an external account, and it doesn't play well with my understanding of self-hosting and indie culture.
2024-11-20 12:22:45 +01:00
238 changed files with 3483 additions and 3444 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -8,14 +8,13 @@ repos:
    hooks:
      - id: yamlfmt
        exclude: |
-          (?x)(
+          (?x)^(
-            ^charts/|
+            .*secrets.*yaml
-            ^.*secrets.*yaml|
+          )$
-          )
+  - repo: https://github.com/codespell-project/codespell
-          #  - repo: https://github.com/codespell-project/codespell
+    rev: v2.2.4
-          #    rev: v2.2.4
+    hooks:
-          #    hooks:
+      - id: codespell
          #      - id: codespell
  - repo: local
    hooks:
      - id: check-sops-secrets
--- a/.sops.yaml
+++ b/.sops.yaml
@ -8,7 +8,3 @@ creation_rules:
    key_groups:
      - age:
          - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
  - path_regex: common/values/secrets.*
    key_groups:
      - age:
          - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
--- a/charts/issuer/templates/issuer.yaml
+++ b/charts/issuer/templates/issuer.yaml
@ -1,23 +1,10 @@
 {{- range $name, $issuer := .Values.clusterIssuers }}
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  labels:
-    {{- include "issuer.labels" $ | nindent 4 }}
+    {{- include "issuer.labels" . | nindent 4 }}
-  name: "{{ $name }}"
+  name: "{{ .Values.name }}"
 spec:
-{{ $issuer.spec | toYaml | indent 2 }}
+  acme:
-{{- end }}
+{{ .Values.spec | toYaml | indent 2 }}
 {{- range $name, $issuer := .Values.issuers }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  labels:
    {{- include "issuer.labels" $ | nindent 4 }}
  name: "{{ $name }}"
  namespace: {{ $issuer.namespace }}
 spec:
 {{ $issuer.spec | toYaml | indent 2 }}
 {{- end }}
--- a/charts/metallb-resources/Chart.yaml
+++ b/charts/metallb-resources/Chart.yaml
@ -1,24 +0,0 @@
 apiVersion: v2
 name: metallb-resources
 description: A Helm chart for Kubernetes
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
 # to be deployed.
 #
 # Library charts provide useful utilities or functions for the chart developer. They're included as
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "1.16.0"
--- a/charts/metallb-resources/templates/ip_address_pool.tpl
+++ b/charts/metallb-resources/templates/ip_address_pool.tpl
@ -1,7 +0,0 @@
 apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
  name: {{ include "metallb-resources.fullname" . }}
 spec:
  addresses:
  - {{ .Values.addresses}}
--- a/charts/metallb-resources/values.yaml
+++ b/charts/metallb-resources/values.yaml
@ -1 +0,0 @@
 addresses: 1.1.1.1-1.1.1.1
--- a/charts/metallb-resources/.helmignore
+++ b/charts/metallb-resources/.helmignore
--- a/charts/namespaces/chart/Chart.yaml
+++ b/charts/namespaces/chart/Chart.yaml
--- a/charts/namespaces/chart/templates/_helpers.tpl
+++ b/charts/namespaces/chart/templates/_helpers.tpl
--- a/charts/namespaces/chart/templates/namespaces.yaml
+++ b/charts/namespaces/chart/templates/namespaces.yaml
@ -15,24 +15,5 @@ metadata:
    {{- with $ns.annotations}}
    {{- toYaml . | nindent 4 }}
  {{- end }}
 {{- if $ns.defaultRegcred }}
 ---
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/dockerconfigjson
 metadata:
  name: regcred
  namespace: {{ $ns.name }}
 data:
  .dockerconfigjson: {{ $.Values.defaultRegcred }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: default
  namespace: {{ $ns.name }}
 imagePullSecrets:
  - name: regcred
 {{- end }}
 {{- end }}
 {{- end }}
--- a/charts/namespaces/chart/values.yaml
+++ b/charts/namespaces/chart/values.yaml
--- a/charts/namespaces/kustomize/flux-system.yml
+++ b/charts/namespaces/kustomize/flux-system.yml
@ -0,0 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: flux-system
  labels:
    name: flux-system
--- a/charts/namespaces/kustomize/giantswarm-flux.yml
+++ b/charts/namespaces/kustomize/giantswarm-flux.yml
@ -0,0 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: giantswarm-flux
  labels:
    name: giantswarm-flux
--- a/charts/namespaces/kustomize/giantswarm.yml
+++ b/charts/namespaces/kustomize/giantswarm.yml
@ -0,0 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: giantswarm
  labels:
    name: giantswarm
--- a/charts/namespaces/kustomize/kustomization.yaml
+++ b/charts/namespaces/kustomize/kustomization.yaml
@ -0,0 +1,5 @@
 resources:
  - ./giantswarm-flux.yml
  - ./giantswarm.yml
  - ./monitoring.yml
  - ./org-giantswarm.yml
--- a/charts/namespaces/kustomize/monitoring.yml
+++ b/charts/namespaces/kustomize/monitoring.yml
@ -0,0 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: monitoring
  labels:
    name: monitoring
--- a/charts/namespaces/kustomize/org-giantswarm.yml
+++ b/charts/namespaces/kustomize/org-giantswarm.yml
@ -0,0 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: org-giantswarm
  labels:
    name: org-giantswarm
--- a/charts/namespaces/.helmignore
+++ b/charts/namespaces/.helmignore
--- a/charts/root/Chart.yaml
+++ b/charts/root/Chart.yaml
@ -0,0 +1,6 @@
 apiVersion: v2
 name: root
 description: A Helm chart for Kubernetes
 type: application
 version: 0.1.5
 appVersion: "1.16.0"
--- a/charts/metallb-resources/templates/_helpers.tpl
+++ b/charts/metallb-resources/templates/_helpers.tpl
@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "metallb-resources.name" -}}
+{{- define "root.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "metallb-resources.fullname" -}}
+{{- define "root.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "metallb-resources.chart" -}}
+{{- define "root.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Common labels
 */}}
-{{- define "metallb-resources.labels" -}}
+{{- define "root.labels" -}}
-helm.sh/chart: {{ include "metallb-resources.chart" . }}
+helm.sh/chart: {{ include "root.chart" . }}
-{{ include "metallb-resources.selectorLabels" . }}
+{{ include "root.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "metallb-resources.selectorLabels" -}}
+{{- define "root.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "metallb-resources.name" . }}
+app.kubernetes.io/name: {{ include "root.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "metallb-resources.serviceAccountName" -}}
+{{- define "root.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "metallb-resources.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "root.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
--- a/charts/root/templates/root.yaml
+++ b/charts/root/templates/root.yaml
@ -0,0 +1,25 @@
 {{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: root
 spec:
  interval: 30s
  url: {{ .Values.url }}
  ref:
    branch: {{ .Values.branch }}
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: root
 spec:
  interval: 30s
  targetNamespace: flux-system
  sourceRef:
    kind: GitRepository
    name: root
  path: "."
  prune: false
  timeout: 1m
 {{- end }}
--- a/charts/root/templates/self.yaml
+++ b/charts/root/templates/self.yaml
@ -0,0 +1,25 @@
 {{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: root-self
 spec:
  interval: 30s
  url: {{ .Values.self.url }}
  ref:
    branch: {{ .Values.self.branch }}
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: root-self
 spec:
  interval: 30s
  targetNamespace: flux-system
  sourceRef:
    kind: GitRepository
    name: root-self
  path: "."
  prune: false
  timeout: 1m
 {{- end }}
--- a/charts/root/values.yaml
+++ b/charts/root/values.yaml
@ -0,0 +1,5 @@
 url: https://git.badhouseplants.net/giantswarm/cluster-example.git
 branch: main
 self:
  url: git@git.badhouseplants.net:giantswarm/root-config.git
  branch: master
--- a/charts/tf-ocloud/.helmignore
+++ b/charts/tf-ocloud/.helmignore
@ -0,0 +1,23 @@
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
 .DS_Store
 # Common VCS dirs
 .git/
 .gitignore
 .bzr/
 .bzrignore
 .hg/
 .hgignore
 .svn/
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
 .vscode/
--- a/charts/tf-ocloud/Chart.lock
+++ b/charts/tf-ocloud/Chart.lock
@ -0,0 +1,6 @@
 dependencies:
 - name: helm-library
  repository: oci://ghcr.io/allanger/allangers-helm-library
  version: 0.1.4
 digest: sha256:6306a6a8d3c51b2b5f37cffa88c3731550da789d1ce2317a83a3f9a657310f8e
 generated: "2024-10-16T20:01:59.337767+02:00"
--- a/charts/tf-ocloud/Chart.yaml
+++ b/charts/tf-ocloud/Chart.yaml
@ -0,0 +1,15 @@
 apiVersion: v2
 name: tf-ocloud
 type: application
 version: 0.1.0
 appVersion: 0.1.5
 maintainers:
  - name: allanger
    email: allanger@zohomail.com
    url: https://badhouseplants.net
 dependencies:
  - name: helm-library
    version: 0.1.4
    repository: oci://ghcr.io/allanger/allangers-helm-library
 annotations:
  allowed_workload_kinds: "Deployment"
--- a/charts/tf-ocloud/charts/helm-library-0.1.4.tgz
+++ b/charts/tf-ocloud/charts/helm-library-0.1.4.tgz
--- a/charts/tf-ocloud/templates/install.yaml
+++ b/charts/tf-ocloud/templates/install.yaml
@ -0,0 +1,3 @@
 {{ include "lib.component.workload" . }}
 {{ include "lib.component.files" . }}
 {{ include "lib.component.env" . }}
--- a/charts/tf-ocloud/values.yaml
+++ b/charts/tf-ocloud/values.yaml
@ -0,0 +1,67 @@
 ---
 workload:
  kind: Deployment
  strategy:
    type: RollingUpdate
  securityContext: {}
  containers:
    tf:
      securityContext: {}
      image:
        registry: zot.badhouseplants.net
        repository: badhouseplants/terraform-ocloud
        tag: 7eae6ec805bc99618a196abf9d4d2e0fd19f75e6
        pullPolicy: Always
      envFrom:
        - main
      mounts:
        files:
          ocloudkey:
            path: /src/key.pem
            subPath: key.pem
          publickey:
            path: /src/public_key
            subPath: public-key
          privatekey:
            path: /src/ssh_key
            subPath: ssh-key
          tfvars:
            path: /src/terraform.tfvars
            subPath: terraform.tfvars
        extraVolumes:
          dottf:
            path: /src/.terraform
 extraVolumes:
  dottf:
    emptyDir: {}
 files:
  ocloudkey:
    enabled: true
    sensitive: false
    remove: []
    entries:
      key.pem:
        data: dummy
  publickey:
    enabled: true
    sensitive: false
    remove: []
    entries:
      public-key:
        data: dummy
  privatekey:
    enabled: true
    sensitive: false
    remove: []
    entries:
      ssh-key:
        data: dummy
  tfvars:
    enabled: true
    sensitive: false
    remove: []
    entries:
      terraform.tfvars:
        data: dummy
--- a/common/environments.yaml
+++ b/common/environments.yaml
@ -2,7 +2,6 @@ environments:
  badhouseplants:
    kubeContext: badhouseplants
    values:
      - ./common/values/values.badhouseplants.yaml
      - base:
          enabled: true
      - velero:
@ -22,15 +21,12 @@ environments:
      - redis:
          enabled: true
      - istio:
-          enabled: true
+          enabled: false
-      - dbOperator:
+      - teleport:
          enabled: true
      - monitoring:
          enabled: true
  etersoft:
    kubeContext: etersoft
    values:
      - ./common/values/values.etersoft.yaml
      - base:
          enabled: true
      - velero:
@ -47,11 +43,59 @@ environments:
          enabled: false
      - redis:
          enabled: false
      - postgres16:
          enabled: true
      - istio:
          enabled: false
      - teleport:
          enabled: false
  xray-1:
    kubeContext: xray-1
    values:
      - base:
          enabled: false
      - velero:
          enabled: false
      - workload:
          enabled: false
      - backups:
          enabled: false
      - openebs:
          enabled: false
      - localpath:
          enabled: false
      - postgres17:
          enabled: false
      - redis:
          enabled: false
      - postgres16:
          enabled: false
      - istio:
          enabled: false
-      - dbOperator:
+      - teleport:
          enabled: false
-      - monitoring:
+  xray-2:
    kubeContext: xray-2
    values:
      - base:
          enabled: false
      - velero:
          enabled: false
      - workload:
          enabled: false
      - backups:
          enabled: false
      - openebs:
          enabled: false
      - localpath:
          enabled: false
      - postgres17:
          enabled: false
      - redis:
          enabled: false
      - postgres16:
          enabled: false
      - istio:
          enabled: false
      - teleport:
          enabled: false
--- a/common/templates.gotmpl
+++ b/common/templates.gotmpl
@ -1,6 +1,3 @@
 helmDefaults:
  kubeContext: {{ .StateValues.kubeContext }}
 templates:
  # ---------------------------
  # -- Hooks
@ -40,21 +37,6 @@ templates:
  default-env-secrets:
    secrets:
      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/secrets.{{ `{{ .Release.Name }}` }}.yaml'
  common-values:
    values:
      - '../values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
  common-values-tpl:
    values:
      - '../values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
  env-values:
    values:
      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
  env-values-tpl:
    values:
      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
  env-secrets:
    secrets:
      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/secrets.yaml'
  # ----------------------------
  # -- Extensions
  # ----------------------------
@ -71,7 +53,7 @@ templates:
        version: 2.0.0
        alias: traefik
    values:
-      - '../values/common/values.tcp-route.yaml'
+      - '{{ requiredEnv "PWD" }}/values/common/values.tcp-route.yaml'
  ext-udp-routes:
    dependencies:
      - chart: bedag/raw
@ -128,7 +110,7 @@ templates:
        version: 2.0.0
        alias: ext-database
    values:
-      - '../values/common/values.database.yaml'
+      - '{{ requiredEnv "PWD" }}/values/common/values.database.yaml'
  ext-secret:
    dependencies:
      - chart: bedag/raw
--- a/common/values/values.badhouseplants.yaml
+++ b/common/values/values.badhouseplants.yaml
@ -1,6 +1,4 @@
-registry: registry.badhouseplants.net/containers
+namespaces:
-registry_url: registry.badhouseplants.net
+  kubeSystem: kube-system
-main_ip: 195.201.249.91
+  kubePublic: kube-public
-tools:
+  
  openebs:
    enabled: true
--- a/common/values/values.etersoft.yaml
+++ b/common/values/values.etersoft.yaml
@ -1,6 +0,0 @@
 registry: registry.ru.badhouseplants.net/containers
 registry_url: registry.ru.badhouseplants.net
 main_ip: 91.232.225.63
 tools:
  openebs:
    enabled: false
--- a/helmfile.yaml
+++ b/helmfile.yaml
@ -0,0 +1,11 @@
 bases:
  - ./common/environments.yaml
  - ./common/templates.yaml
 helmfiles:
  - ./installations/system/
  - ./installations/databases/
  - ./installations/platform/
  - ./installations/pipelines/
  - ./installations/monitoring/
  - ./installations/applications/helmfile-{{ .Environment.Name }}.yaml
  - ./installations/games/
--- a/helmfile.yaml.gotmpl
+++ b/helmfile.yaml.gotmpl
@ -1,29 +0,0 @@
 ---
 bases:
  - ./common/environments.yaml
 ---
 helmfiles:
  - path: ./helmfiles/base.yaml
    values:
      - kubeContext: "{{ .Environment.KubeContext }}"
      - {{ toYaml .Environment.Values | nindent 8 }}
  - path: ./helmfiles/system.yaml
    values:
      - kubeContext: "{{ .Environment.KubeContext }}"
      - {{ toYaml .Environment.Values | nindent 8 }}
  - path: ./helmfiles/platform.yaml
    values:
      - kubeContext: "{{ .Environment.KubeContext }}"
      - {{ toYaml .Environment.Values | nindent 8 }}
  - path: ./helmfiles/databases.yaml
    values:
      - kubeContext: "{{ .Environment.KubeContext }}"
      - {{ toYaml .Environment.Values | nindent 8 }}
  - path: ./helmfiles/monitoring.yaml
    values:
      - kubeContext: "{{ .Environment.KubeContext }}"
      - {{ toYaml .Environment.Values | nindent 8 }}
  - path: ./helmfiles/{{ .Environment.Name }}-applications.yaml
    values:
      - kubeContext: "{{ .Environment.KubeContext }}"
      - {{ toYaml .Environment.Values | nindent 8 }}
--- a/helmfiles/badhouseplants-applications.yaml
+++ b/helmfiles/badhouseplants-applications.yaml
@ -1,135 +0,0 @@
 bases:
  - ../common/templates.gotmpl
 repositories:
  - name: gitea
    url: https://dl.gitea.io/charts/
  - name: bedag
    url: https://bedag.github.io/helm-charts/
  - name: minecraft
    url: https://itzg.github.io/minecraft-server-charts/
  - name: allangers-charts
    url: ghcr.io/allanger/allangers-charts
    oci: true
  - name: woodpecker
    url: https://woodpecker-ci.org
  - name: renovate
    url: https://docs.renovatebot.com/helm-charts
  - name: badhouseplants-helm
    url: git+https://gitea.badhouseplants.net/badhouseplants/badhouseplants-helm@charts?ref=main
 releases:
  - name: app-gitea
    chart: gitea/gitea
    version: 11.0.1
    namespace: org-badhouseplants
    inherit:
      - template: env-values
      - template: env-secrets
  - name: minecraft
    chart: minecraft/minecraft
    namespace: games
    version: 4.26.3
    inherit:
      - template: common-values-tpl
      - template: env-values
      - template: env-secrets
  - name: app-vaultwarden
    chart: allangers-charts/vaultwarden
    version: 3.1.1
    namespace: org-badhouseplants
    inherit:
      - template: env-values
      - template: env-secrets
  - name: app-stalwart
    chart: allangers-charts/stalwart
    version: 1.2.0
    namespace: org-badhouseplants
    inherit:
      - template: env-values
      - template: env-secrets
  - name: app-navidrome
    chart: allangers-charts/navidrome
    namespace: org-badhouseplants
    version: 0.56.0
    inherit:
      - template: env-values
      - template: ext-traefik-middleware
  - name: app-navidrome-private
    chart: allangers-charts/navidrome
    namespace: org-badhouseplants
    version: 0.56.0
    inherit:
      - template: env-values
      - template: env-secrets
  - name: app-memos
    chart: allangers-charts/memos
    version: 0.4.0
    namespace: org-allanger
    inherit:
      - template: env-values
      - template: ext-database
  - name: badhouseplants-net
    chart: badhouseplants-helm/badhouseplants-net
    namespace: production
    values:
      - deployAnnotations:
          keel.sh/policy: force
          keel.sh/trigger: poll
          keel.sh/initContainers: 'true'
  - name: server-xray-public-edge
    chart: allangers-charts/server-xray
    installed: true
    namespace: public-xray
    version: 0.7.0
    inherit:
      - template: env-secrets
      - template: env-values
      - template: ext-tcp-routes
      - template: ext-cilium
      - template: ext-certificate
  - name: server-xray-public
    chart: allangers-charts/server-xray
    namespace: public-xray
    version: 0.7.0
    inherit:
      - template: env-secrets
      - template: env-values
      - template: ext-tcp-routes
      - template: ext-cilium
      - template: ext-certificate
  - name: woodpecker-ci
    chart: woodpecker/woodpecker
    namespace: pipelines
    version: 3.1.0
    inherit:
      - template: ext-database
      - template: env-values
      - template: env-secrets
  - name: renovate-gitea
    chart: renovate/renovate
    namespace: pipelines
    version: 39.264.0
    inherit:
      - template: env-values
      - template: env-secrets
  - name: renovate-github
    chart: renovate/renovate
    installed: false
    namespace: pipelines
    version: 39.264.0
    inherit:
      - template: env-values
      - template: env-secrets
--- a/helmfiles/base.yaml
+++ b/helmfiles/base.yaml
@ -1,21 +0,0 @@
 bases:
  - ../common/templates.gotmpl
 releases:
  # -- This one must be executed with --take-ownership at least once
  - name: namespaces
    chart: ../charts/namespaces
    namespace: kube-system
    createNamespace: false
    inherit:
      - template: env-values
      - template: env-secrets
  - name: roles
    chart: ../charts/roles
    namespace: kube-system
    createNamespace: false
    needs:
      - kube-system/namespaces
    inherit:
      - template: env-values
--- a/helmfiles/databases.yaml
+++ b/helmfiles/databases.yaml
@ -1,33 +0,0 @@
 bases:
  - ../common/templates.gotmpl
 repositories:
  - name: bitnami
    url: registry-1.docker.io/bitnamicharts
    oci: true
  - name: bedag
    url: https://bedag.github.io/helm-charts/
 commonLabels:
  installation: databases
 releases:
  - name: redis
    chart: bitnami/redis
    namespace: databases
    condition: redis.enabled
    version: 20.13.4
    inherit:
      - template: common-values-tpl
      - template: env-values
      - template: env-secrets
  - name: postgres17
    labels:
      bundle: postgres
    namespace: databases
    chart: bitnami/postgresql
    condition: postgres17.enabled
    version: 16.3.4
    inherit:
      - template: common-values-tpl
      - template: env-values
      - template: env-secrets
--- a/helmfiles/etersoft-applications.yaml
+++ b/helmfiles/etersoft-applications.yaml
@ -1,58 +0,0 @@
 bases:
  - ../common/templates.gotmpl
 repositories:
  - name: allangers-charts
    url: ghcr.io/allanger/allangers-charts
    oci: true
  - name: gabe565
    url: ghcr.io/gabe565/charts
    oci: true
  - name: xray-docs
    url: git+https://gitea.badhouseplants.net/badhouseplants/xray-docs.git@helm?ref=main
 releases:
  - name: qbittorrent
    chart: gabe565/qbittorrent
    version: 0.4.1
    namespace: applications
    inherit:
      - template: env-values
      - template: ext-secret
      - template: ext-traefik-middleware
  - name: vaultwardentest
    chart: allangers-charts/vaultwarden
    version: 3.1.1
    namespace: applications
    inherit:
      - template: env-values
      - template: env-secrets
  - name: memos
    chart: allangers-charts/memos
    version: 0.4.0
    namespace: applications
    inherit:
      - template: env-values
  - name: external-service-xray
    chart: ../kustomizations/external-service-xray
    installed: true
    namespace: public-xray
  - name: server-xray-public
    chart: allangers-charts/server-xray
    namespace: public-xray
    version: 0.7.0
    inherit:
      - template: env-secrets
      - template: env-values
      - template: ext-tcp-routes
      - template: ext-cilium
      - template: ext-certificate
  - name: xray-docs
    chart: xray-docs/xray-docs
    installed: true
    namespace: public-xray
    inherit:
      - template: env-values
--- a/helmfiles/platform.yaml
+++ b/helmfiles/platform.yaml
@ -1,125 +0,0 @@
 bases:
  - ../common/templates.gotmpl
 repositories:
  - name: keel
    url: https://keel-hq.github.io/keel/
  - name: uptime-kuma
    url: https://helm.irsigler.cloud
  - name: external-dns
    url: https://kubernetes-sigs.github.io/external-dns/
  - name: minio-standalone
    url: https://charts.min.io/
  - name: db-operator
    url: https://db-operator.github.io/charts
  - name: zot
    url: https://zotregistry.dev/helm-charts/
  - name: goauthentik
    url: https://charts.goauthentik.io/
  - name: flux-community
    url: ghcr.io/fluxcd-community/charts
    oci: true
  - name: bedag
    url: https://bedag.github.io/helm-charts/
  - name: argo
    url: https://argoproj.github.io/argo-helm
 releases:
  - name: external-dns
    chart: external-dns/external-dns
    version: 1.16.1
    namespace: platform
    inherit:
      - template: common-values-tpl
      - template: env-values
      - template: env-secrets
  - name: flux2
    chart: flux-community/flux2
    installed: false
    version: 2.15.0
    namespace: flux-system
    inherit:
      - template: common-values-tpl
  - name: argocd
    chart: argo/argo-cd
    version: 7.9.0
    namespace: argocd
    installed: false
    inherit:
      - template: env-values
      - template: env-secrets
  - name: keel
    chart: keel/keel
    version: v1.0.5
    labels:
      layer: platform
    namespace: platform
    inherit:
      - template: common-values-tpl
  - name: uptime-kuma
    chart: uptime-kuma/uptime-kuma
    version: 2.21.2
    namespace: platform
    labels:
      layer: platform
    inherit:
      - template: common-values-tpl
      - template: env-values
  - name: minio
    chart: minio-standalone/minio
    version: 5.4.0
    namespace: platform
    labels:
      layer: platform
    inherit:
      - template: common-values-tpl
      - template: env-values
      - template: env-secrets
  - name: db-operator
    namespace: platform
    chart: db-operator/db-operator
    condition: dbOperator.enabled
    version: 1.35.0
    inherit:
      - template: common-values-tpl
  - name: db-instances
    chart: db-operator/db-instances
    condition: dbOperator.enabled
    namespace: platform
    needs:
      - platform/db-operator
    version: 2.4.0
    inherit:
      - template: env-values
      - template: env-secrets
  - name: zot
    chart: zot/zot
    version: 0.1.68
    namespace: platform
    condition: workload.enabled
    inherit:
      - template: common-values-tpl
      - template: env-values
      - template: env-secrets
  - name: authentik
    chart: goauthentik/authentik
    version: 2025.4.0
    namespace: platform
    createNamespace: false
    condition: workload.enabled
    needs:
      - platform/db-operator
    inherit:
      - template: common-values-tpl
      - template: env-values
      - template: env-secrets
      - template: ext-database
--- a/installations/applications/helmfile-badhouseplants.yaml
+++ b/installations/applications/helmfile-badhouseplants.yaml
@ -0,0 +1,115 @@
 bases:
  - ../../common/environments.yaml
  - ../../common/templates.yaml
 repositories:
  - name: softplayer-oci
    url: zot.badhouseplants.net/softplayer/helm
    oci: true
  - name: allanger-oci
    url: zot.badhouseplants.net/allanger/helm
    oci: true
  - name: requarks
    url: https://charts.js.wiki
  - name: ananace-charts
    url: https://ananace.gitlab.io/charts
  - name: gitea
    url: https://dl.gitea.io/charts/
  - name: mailu
    url: https://mailu.github.io/helm-charts/
  - name: bedag
    url: https://bedag.github.io/helm-charts/
  - name: bitnami
    url: https://charts.bitnami.com/bitnami
  - name: allangers-charts
    url: ghcr.io/allanger/allangers-charts
    oci: true
  - name: robjuz
    url: https://robjuz.github.io/helm-charts/
  - name: badhouseplants-helm
    url: git+https://gitea.badhouseplants.net/badhouseplants/badhouseplants-helm@charts?ref=main
 releases:
  - name: funkwhale
    chart: ananace-charts/funkwhale
    namespace: applications
    version: 2.0.5
    inherit:
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-database
  - name: gitea
    chart: gitea/gitea
    version: 10.6.0
    namespace: applications
    inherit:
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-database
      - template: ext-tcp-routes
  - name: openvpn
    chart: allangers-charts/openvpn
    version: 0.0.2
    namespace: applications
    inherit:
      - template: default-env-values
      - template: ext-tcp-routes
  - name: vaultwarden
    chart: allangers-charts/vaultwarden
    version: 2.3.0
    namespace: applications
    inherit:
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-database
  - name: stalwart
    chart: allangers-charts/stalwart
    version: 0.4.0
    namespace: applications
    inherit:
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-tcp-routes
  - name: navidrome
    chart: allangers-charts/navidrome
    namespace: applications
    version: 0.2.0
    inherit:
      - template: default-env-values
      - template: ext-traefik-middleware
  - name: server-xray-public
    chart: allangers-charts/server-xray
    namespace: public-xray
    version: 0.4.0
    inherit:
      - template: default-env-secrets
      - template: default-env-values
      - template: ext-tcp-routes
      - template: ext-cilium
      - template: ext-certificate
  - name: server-xray-public-edge
    chart: allangers-charts/server-xray
    installed: false
    namespace: public-xray
    version: 0.4.0
    inherit:
      - template: default-env-secrets
      - template: default-env-values
      - template: ext-tcp-routes
      - template: ext-cilium
  - name: vaultwardentest
    chart: allangers-charts/vaultwarden
    version: 2.4.0
    namespace: applications
    installed: false
    inherit:
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-database
  - name: badhouseplants-net
    chart: badhouseplants-helm/badhouseplants-net
    namespace: production
    values:
      - deployAnnotations:
          keel.sh/policy: force
          keel.sh/trigger: poll
          keel.sh/initContainers: 'true'
--- a/installations/applications/helmfile-etersoft.yaml
+++ b/installations/applications/helmfile-etersoft.yaml
@ -0,0 +1,49 @@
 bases:
  - ../../common/environments.yaml
  - ../../common/templates.yaml
 repositories:
  - name: allangers-charts
    url: ghcr.io/allanger/allangers-charts
    oci: true
  - name: gabe565
    url: ghcr.io/gabe565/charts
    oci: true
 releases:
  - name: openvpn
    chart: allangers-charts/openvpn
    version: 0.0.2
    namespace: applications
    inherit:
      - template: default-env-values
      - template: ext-tcp-routes
  - name: qbittorrent
    chart: gabe565/qbittorrent
    version: 0.3.7
    namespace: applications
    inherit:
      - template: default-env-values
      - template: ext-secret
      - template: ext-traefik-middleware
  - name: vaultwardentest
    chart: allangers-charts/vaultwarden
    version: 2.4.0
    namespace: applications
    inherit:
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-database
  - name: tf-ocloud
    chart: ../../charts/tf-ocloud
    namespace: pipelines
    installed: false
    inherit:
      - template: default-env-secrets
  - name: nrodionov
    chart: bitnami/wordpress
    version: 23.1.28
    namespace: applications
    installed: true
    inherit:
      - template: default-env-values
      - template: default-env-secrets
--- a/installations/applications/helmfile-xray-1.yaml
+++ b/installations/applications/helmfile-xray-1.yaml
@ -0,0 +1,23 @@
 bases:
  - ../../common/environments.yaml
  - ../../common/templates.yaml
 repositories:
  - name: allangers-charts
    url: ghcr.io/allanger/allangers-charts
    oci: true
 releases:
  - name: server-xray-public
    chart: allangers-charts/server-xray
    namespace: public-xray
    version: 0.4.0
    inherit:
      - template: default-env-secrets
      - template: default-env-values
      - template: ext-self-signed-cert
  - name: promtail
    chart: grafana/promtail
    namespace: promtail
    version: 6.16.6
    inherit:
      - template: default-env-values
      - template: default-env-secrets
--- a/installations/applications/helmfile-xray-2.yaml
+++ b/installations/applications/helmfile-xray-2.yaml
@ -0,0 +1,16 @@
 bases:
  - ../../common/environments.yaml
  - ../../common/templates.yaml
 repositories:
  - name: allangers-charts
    url: ghcr.io/allanger/allangers-charts
    oci: true
 releases:
  - name: server-xray-public
    chart: allangers-charts/server-xray
    namespace: public-xray
    version: 0.4.0
    inherit:
      - template: default-env-secrets
      - template: default-env-values
      - template: ext-self-signed-cert
--- a/installations/applications/helmfile.yaml
+++ b/installations/applications/helmfile.yaml
@ -0,0 +1,6 @@
 bases:
  - ../../common/environments.yaml
  - ../../common/templates.yaml
 helmfiles:
  - ./helmfile-{{ `{{ .Environment.Name }}` }}.yaml
--- a/installations/databases/helmfile.yaml
+++ b/installations/databases/helmfile.yaml
@ -0,0 +1,37 @@
 bases:
  - ../../common/environments.yaml
  - ../../common/templates.yaml
 repositories:
  - name: bitnami
    url: https://charts.bitnami.com/bitnami
  - name: bedag
    url: https://bedag.github.io/helm-charts/
 releases:
  - name: redis
    chart: bitnami/redis
    namespace: databases
    condition: redis.enabled
    version: 20.3.0
    inherit:
      - template: default-env-values
      - template: default-env-secrets
  - name: postgres16
    labels:
      bundle: postgres
    namespace: databases
    chart: bitnami/postgresql
    condition: postgres16.enabled
    version: 15.5.38
    inherit:
      - template: default-env-values
      - template: default-env-secrets
  - name: postgres17
    labels:
      bundle: postgres
    namespace: databases
    chart: bitnami/postgresql
    condition: postgres17.enabled
    version: 16.0.6
    inherit:
      - template: default-env-values
      - template: default-env-secrets
--- a/installations/development/helmfile.yaml
+++ b/installations/development/helmfile.yaml
@ -0,0 +1,9 @@
 bases:
  - ../../common/environments.yaml
  - ../../common/templates.yaml
 repositories:
  - name: argo
    url: https://argoproj.github.io/argo-helm
 releases:
  - name: badhouseplants
    namespace: platform
--- a/installations/games/helmfile.yaml
+++ b/installations/games/helmfile.yaml
@ -0,0 +1,17 @@
 bases:
  - ../../common/environments.yaml
  - ../../common/templates.yaml
 repositories:
  - name: bedag
    url: https://bedag.github.io/helm-charts/
  - name: minecraft
    url: https://itzg.github.io/minecraft-server-charts/
 releases:
  - name: minecraft
    chart: minecraft/minecraft
    namespace: games
    version: 4.23.2
    inherit:
      - template: ext-tcp-routes
      - template: default-env-values
      - template: default-env-secrets
--- a/installations/monitoring/helmfile.yaml
+++ b/installations/monitoring/helmfile.yaml
@ -1,6 +1,6 @@
 bases:
-  - ../common/templates.gotmpl
+  - ../../common/environments.yaml
-
+  - ../../common/templates.yaml
 repositories:
  - name: bedag
    url: https://bedag.github.io/helm-charts/
@ -8,39 +8,34 @@ repositories:
    url: https://prometheus-community.github.io/helm-charts
  - name: grafana
    url: https://grafana.github.io/helm-charts
 releases:
  - name: prometheus
    chart: prometheus-community/kube-prometheus-stack
    namespace: observability
-    condition: monitoring.enabled
+    version: 66.2.1
    version: 71.2.0
    inherit:
-      - template: env-values
+      - template: default-env-values
-      - template: env-secrets
+      - template: default-env-secrets
      - template: crd-management-hook
  - name: grafana
    chart: grafana/grafana
    namespace: observability
-    condition: monitoring.enabled
+    version: 8.6.0
    version: 8.14.2
    installed: true
    inherit:
-      - template: env-values
+      - template: default-env-values
-      - template: env-secrets
+      - template: default-env-secrets
  - name: loki
    chart: grafana/loki
    condition: monitoring.enabled
    namespace: observability
-    version: 6.29.0
+    version: 6.19.0
    inherit:
-      - template: env-values
+      - template: default-env-values
      - template: ext-secret
      - template: ext-traefik-middleware
  - name: promtail
    chart: grafana/promtail
    condition: monitoring.enabled
    namespace: observability
    version: 6.16.6
    inherit:
-      - template: env-values
+      - template: default-env-values
--- a/installations/pipelines/helmfile.yaml
+++ b/installations/pipelines/helmfile.yaml
@ -1,6 +1,6 @@
 bases:
-  - ../common/templates.gotmpl
+  - ../../common/environments.yaml
-
+  - ../../common/templates.yaml
 repositories:
  - name: woodpecker
    url: https://woodpecker-ci.org
@ -8,28 +8,26 @@ repositories:
    url: https://docs.renovatebot.com/helm-charts
  - name: bedag
    url: https://bedag.github.io/helm-charts/
 releases:
  - name: woodpecker-ci
    chart: woodpecker/woodpecker
    namespace: pipelines
-    version: 3.1.0
+    version: 1.6.2
    inherit:
      - template: ext-database
-      - template: env-values
+      - template: default-env-values
-      - template: env-secrets
+      - template: default-env-secrets
  - name: renovate-gitea
    chart: renovate/renovate
    namespace: pipelines
-    version: 39.264.0
+    version: 39.18.2
    inherit:
-      - template: env-values
+      - template: default-env-values
-      - template: env-secrets
+      - template: default-env-secrets
  - name: renovate-github
    chart: renovate/renovate
    installed: true
    namespace: pipelines
-    version: 39.264.0
+    version: 39.18.2
    inherit:
-      - template: env-values
+      - template: default-env-values
-      - template: env-secrets
+      - template: default-env-secrets
--- a/installations/platform/helmfile.yaml
+++ b/installations/platform/helmfile.yaml
@ -0,0 +1,125 @@
 bases:
  - ../../common/environments.yaml
  - ../../common/templates.yaml
 repositories:
  - name: argo
    url: https://argoproj.github.io/argo-helm
  - name: db-operator
    url: https://db-operator.github.io/charts
  - name: zot
    url: https://zotregistry.dev/helm-charts/
  - name: bedag
    url: https://bedag.github.io/helm-charts/
  - name: crossplane-stable
    url: https://charts.crossplane.io/stable
  - name: goauthentik
    url: https://charts.goauthentik.io/
  - name: minio-standalone
    url: https://charts.min.io/
  - name: kyverno
    url: https://kyverno.github.io/kyverno/
  - name: external-dns
    url: https://kubernetes-sigs.github.io/external-dns/
  - name: keel
    url: https://keel-hq.github.io/keel/
  - name: teleport
    url: https://charts.releases.teleport.dev
 releases:
  - name: db-operator
    namespace: platform
    chart: db-operator/db-operator
    version: 1.29.0
  - name: db-instances
    chart: db-operator/db-instances
    namespace: platform
    needs:
      - platform/db-operator
    version: 2.4.0
    inherit:
      - template: default-env-values
      - template: default-env-secrets
  - name: zot
    chart: zot/zot
    version: 0.1.65
    createNamespace: false
    installed: true
    namespace: platform
    condition: workload.enabled
    inherit:
      - template: default-env-values
      - template: default-env-secrets
  - name: authentik
    chart: goauthentik/authentik
    version: 2024.10.2
    namespace: platform
    createNamespace: false
    condition: workload.enabled
    needs:
      - platform/db-operator
    inherit:
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-database
  - name: minio
    chart: minio-standalone/minio
    version: 5.3.0
    namespace: platform
    inherit:
      - template: default-env-values
      - template: default-env-secrets
  - name: kyverno
    chart: kyverno/kyverno
    namespace: kyverno
    condition: workload.enabled
    labels:
      bootstrap: true
    version: 3.3.3
  - name: kyverno-policies
    chart: kyverno/kyverno-policies
    namespace: kyverno
    condition: workload.enabled
    labels:
      bootstrap: true
    version: 3.3.1
    needs:
      - kyverno/kyverno
  - name: custom-kyverno-policies
    chart: ../../kustomizations/kyverno/
    namespace: kyverno
    condition: workload.enabled
    labels:
      bootstrap: true
    needs:
      - kyverno/kyverno
  - name: external-dns
    chart: external-dns/external-dns
    version: 1.15.0
    namespace: platform
    inherit:
      - template: default-env-values
      - template: default-env-secrets
  - name: keel
    chart: keel/keel
    version: 1.0.4
    namespace: platform
    condition: workload.enabled
  - name: teleport-cluster
    installed: true
    version: 16.4.2
    chart: teleport/teleport-cluster
    namespace: teleport-cluster
    condition: teleport.enabled
    inherit:
      - template: default-env-values
--- a/installations/storage/helmfile.yaml
+++ b/installations/storage/helmfile.yaml
@ -0,0 +1,34 @@
 bases:
  - ../../common/environments.yaml
  - ../../common/templates.yaml
 repositories:
  - name: longhorn
    url: https://charts.longhorn.io
  - name: rook-release
    url: https://charts.rook.io/release
 releases:
  - name: rook-ceph
    chart: rook-release/rook-ceph
    installed: true
    namespace: rook-ceph
    version: v1.14.6
    inherit:
      - template: default-env-values
  - name: rook-ceph-cluster
    chart: rook-release/rook-ceph-cluster
    installed: false
    namespace: rook-ceph
    version: v1.14.6
    needs:
      - rook-ceph/rook-ceph
    inherit:
      - template: default-env-values
  - name: longhorn
    chart: longhorn/longhorn
    namespace: longhorn-system
    installed: true
    version: 1.7.2
    inherit:
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-secret
--- a/installations/system/helmfile.yaml
+++ b/installations/system/helmfile.yaml
@ -1,13 +1,10 @@
 bases:
-  - ../common/templates.gotmpl
+  - ../../common/environments.yaml
  - ../../common/templates.yaml
 repositories:
-  - name: coredns
+  - name: bedag
-    url: https://coredns.github.io/helm
+    url: https://bedag.github.io/helm-charts/
  - name: zot
    url: https://zotregistry.dev/helm-charts/
  - name: cilium
    url: https://helm.cilium.io/
  - name: metrics-server
    url: https://kubernetes-sigs.github.io/metrics-server/
  - name: jetstack
@ -16,166 +13,183 @@ repositories:
    url: https://metallb.github.io/metallb
  - name: traefik
    url: https://traefik.github.io/charts
-  - name: local-path-provisioner
+  - name: coredns
-    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
+    url: https://coredns.github.io/helm
-  - name: kyverno
+  - name: cilium
-    url: https://kyverno.github.io/kyverno/
+    url: https://helm.cilium.io/
  - name: piraeus-charts
    url: https://piraeus.io/helm-charts/
  - name: vmware-tanzu
    url: https://vmware-tanzu.github.io/helm-charts/
  - name: openebs
    url: https://openebs.github.io/openebs
  - name: local-path-provisioner
    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
  - name: istio
    url: https://istio-release.storage.googleapis.com/charts
 releases:
  - name: namespaces
    chart: '{{ requiredEnv "PWD" }}/charts/namespaces/chart'
    namespace: kube-public
    createNamespace: false
    inherit:
      - template: default-env-values
  - name: roles
    chart: '{{ requiredEnv "PWD" }}/charts/roles'
    namespace: kube-public
    createNamespace: false
    needs:
      - kube-public/namespaces
    inherit:
      - template: default-env-values
  - name: coredns
    chart: coredns/coredns
-    version: 1.41.0
+    version: 1.36.1
    namespace: kube-system
    inherit:
-      - template: common-values-tpl
+      - template: default-common-values
  - name: snapshot-controller
    chart: piraeus-charts/snapshot-controller
    installed: true
    version: 3.0.6
    namespace: kube-system
    condition: velero.enabled
    needs:
      - kube-system/cilium
    inherit:
      - template: crd-management-hook
  - name: cilium
    chart: cilium/cilium
-    version: 1.17.3
+    version: 1.16.3
    condition: base.enabled
    namespace: kube-system
    needs:
      - kube-system/coredns
    inherit:
-      - template: common-values
+      - template: default-env-values
      - template: common-values-tpl
  - name: cert-manager
    chart: jetstack/cert-manager
-    version: v1.17.2
+    version: v1.16.1
    namespace: kube-system
    condition: base.enabled
    missingFileHandler: Warn
    needs:
      - kube-system/cilium
    inherit:
-      - template: common-values
+      - template: default-common-values
-      - template: common-values-tpl
+      - template: default-env-values
  - name: issuer
-    chart: ../charts/issuer
+    chart: '{{ requiredEnv "PWD" }}/charts/issuer'
-    namespace: kube-system
+    namespace: kube-public
    missingFileHandler: Warn
    condition: base.enabled
    needs:
      - kube-system/cert-manager
    inherit:
-      - template: common-values
+      - template: default-common-values
-
+      - template: default-env-values
  - name: local-path-provisioner
    chart: local-path-provisioner/local-path-provisioner
    namespace: kube-system
    inherit:
      - template: common-values-tpl
  - name: kyverno
    chart: kyverno/kyverno
    namespace: kyverno
    version: 3.4.1
    needs:
      - kube-system/cilium
    inherit:
      - template: common-values-tpl
  - name: kyverno-policies
    chart: kyverno/kyverno-policies
    namespace: kyverno
    version: 3.4.1
    needs:
      - kyverno/kyverno
  - name: custom-kyverno-policies
    chart: ../kustomizations/kyverno/{{ .Environment.Name }}
    namespace: kyverno
    needs:
      - kyverno/kyverno
  - name: metallb
    chart: metallb/metallb
    namespace: kube-system
    condition: base.enabled
    version: 0.14.9
    needs:
      - registry/cluster-mirror
    inherit:
      - template: common-values
      - template: common-values-tpl
  - name: metallb-resources
    chart: ../charts/metallb-resources
    version: 2.0.0
    condition: base.enabled
    namespace: kube-system
    needs:
      - kube-system/metallb
    inherit:
      - template: common-values-tpl
  - name: traefik
    chart: traefik/traefik
    version: 35.2.0
    condition: base.enabled
    namespace: kube-system
    inherit:
      - template: common-values-tpl
      - template: common-values
      - template: env-values
  - name: cluster-mirror
    chart: zot/zot
    version: 0.1.68
    createNamespace: false
    installed: true
    namespace: registry
    needs:
      - kube-system/cilium
    inherit:
      - template: common-values-tpl
      - template: env-secrets
  - name: metrics-server
    chart: metrics-server/metrics-server
    version: 3.12.2
    namespace: kube-system
    needs:
-      - registry/cluster-mirror
+      - kube-system/cilium
    inherit:
-      - template: common-values-tpl
+      - template: default-common-values
-  - name: openebs
+  - name: metallb
-    chart: openebs/openebs
+    chart: metallb/metallb
    condition: tools.openebs.enabled
    namespace: kube-system
-    version: 4.2.0
+    condition: base.enabled
    version: 0.14.8
    needs:
      - kube-system/cilium
    inherit:
-      - template: common-values-tpl
+      - template: default-common-values
-      - template: env-values
+
  - name: metallb-resources
    chart: bedag/raw
    version: 2.0.0
    condition: base.enabled
    namespace: kube-system
    needs:
      - kube-system/metallb
    inherit:
      - template: ext-metallb
      - template: default-env-values
  - name: traefik
    chart: traefik/traefik
    version: 33.0.0
    condition: base.enabled
    namespace: kube-system
    needs:
      - kube-system/cilium
    inherit:
      - template: default-common-values
      - template: default-env-values
  - name: velero
    chart: vmware-tanzu/velero
-    namespace: velero
+    namespace: kube-system
-    version: 9.0.4
+    version: 8.0.0
    condition: velero.enabled
    needs:
      - kube-system/cilium
    inherit:
-      - template: common-values-tpl
+      - template: default-env-values
-      - template: env-values
+      - template: default-env-secrets
-      - template: env-secrets
+      - template: crd-management-hook
  - name: openebs
    chart: openebs/openebs
    condition: openebs.enabled
    namespace: kube-system
    version: 4.1.1
    needs:
      - kube-system/cilium
    inherit:
      - template: default-env-values
  # -- Not versions since it's idnstalled from git
  - name: local-path-provisioner
    chart: local-path-provisioner/local-path-provisioner
    condition: localpath.enabled
    namespace: kube-system
    needs:
      - kube-system/cilium
    inherit:
      - template: default-env-values
  - name: istio-base
    chart: istio/base
    condition: istio.enabled
    namespace: istio-system
    version: 1.25.2
    inherit:
-      - template: common-values
+      - template: crd-management-hook
  - name: istio-ingressgateway
    chart: istio/gateway
    condition: istio.enabled
    namespace: istio-system
    needs:
      - istio-system/istio-base
    inherit:
      - template: default-env-values
  - name: istiod
    chart: istio/istiod
    condition: istio.enabled
    namespace: istio-system
    version: 1.25.2
    inherit:
-      - template: common-values-tpl
+      - template: default-env-values
    needs:
      - istio-system/istio-base
--- a/kustomizations/external-service-xray/service.yaml
+++ b/kustomizations/external-service-xray/service.yaml
@ -1,23 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: xray-external-proxy
 spec:
  externalName: xray-public.badhouseplants.net
  sessionAffinity: None
  type: ExternalName
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRouteTCP
 metadata:
  name: xray-external-proxy
 spec:
  entryPoints:
    - xray-public
  routes:
    - match: HostSNI(`*`)
      services:
        - name: xray-external-proxy
          nativeLB: true
          port: 27015
--- a/kustomizations/kyverno/add-applied-by.yaml
+++ b/kustomizations/kyverno/add-applied-by.yaml
@ -1,20 +0,0 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: add-applied-by
 spec:
  background: false
  rules:
    - name: add-applied-by
      match:
        any:
          - resources:
              kinds:
                - '*'
              namespaces:
                - org-*
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              applied-by: "{{ request.userInfo.username }}"
--- a/kustomizations/kyverno/badhouseplants/pvc-patch.yaml
+++ b/kustomizations/kyverno/badhouseplants/pvc-patch.yaml
@ -1,58 +0,0 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: replace-storage-class-by-openebs
 spec:
  rules:
    - name: local-path-fix
      match:
        any:
          - resources:
              kinds:
                - PersistentVolumeClaim
              namespaces:
                - registry
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              volume.kubernetes.io/selected-node: bordeaux
    - name: replace-storage-class
      match:
        any:
          - resources:
              kinds:
                - PersistentVolumeClaim
              namespaces:
                - games
                - application
                - platform
                - pipelines
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              volume.beta.kubernetes.io/storage-class: openebs-hostpath
          spec:
            storageClassName: openebs-hostpath
            accessModes:
              - ReadWriteOnce
    #- name: remove-unwanted-annotations
    #  match:
    #    any:
    #      - resources:
    #          kinds:
    #            - PersistentVolumeClaim
    #          namespaces:
    #            - games
    #  mutate:
    #    patchesJson6902: |-
    #      - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-class"
    #        op: replace
    #        value: openebs-hostpath
    #      - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-provisioner"
    #        op: replace
    #        value: openebs.io/local
    #      - path: "/metadata/annotations/volume.kubernetes.io~1storage-provisioner"
    #        op: replace
    #        value: openebs.io/local
--- a/kustomizations/kyverno/etersoft/pvc-patch.yaml
+++ b/kustomizations/kyverno/etersoft/pvc-patch.yaml
@ -1,21 +0,0 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: append-node-name-to-pvc
 spec:
  rules:
    - name: replace-storage-class
      match:
        any:
          - resources:
              kinds:
                - PersistentVolumeClaim
              namespaces:
                - applications
                - platform
                - registry
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              volume.kubernetes.io/selected-node: yekaterinburg
--- a/kustomizations/kyverno/pvc-patch.yaml
+++ b/kustomizations/kyverno/pvc-patch.yaml
@ -0,0 +1,40 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: replace-storage-class-by-openebs
 spec:
  rules:
    - name: replace-storage-class
      match:
        any:
          - resources:
              kinds:
                - PersistentVolumeClaim
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              volume.beta.kubernetes.io/storage-class: openebs-hostpath
          spec:
            storageClassName: openebs-hostpath
            accessModes:
              - ReadWriteOnce
    - name: remove-unwanted-annotations
      match:
        any:
          - resources:
              kinds:
                - PersistentVolumeClaim
              namespaces:
                - games
      mutate:
        patchesJson6902: |-
          - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-class"
            op: replace
            value: openebs-hostpath
          - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-provisioner"
            op: replace
            value: openebs.io/local
          - path: "/metadata/annotations/volume.kubernetes.io~1storage-provisioner"
            op: replace
            value: openebs.io/local
--- a/manifests/peerauth.yaml
+++ b/manifests/peerauth.yaml
@ -1,8 +0,0 @@
 apiVersion: security.istio.io/v1
 kind: PeerAuthentication
 metadata:
  name: default
  namespace: public-xray
 spec:
  mtls:
    mode: STRICT
--- a/values/badhouseplants/argocd/argocd/secrets.yaml
+++ b/values/badhouseplants/argocd/argocd/secrets.yaml
@ -1,21 +0,0 @@
 configs:
    cm:
        dex.config: ENC[AES256_GCM,data:U+BKH82hTX8a08ZVJM8WJ2NuwIJR2Diax4VUxziFhHlZWMJKWCl2BNSquKxaFincmoR3Lqn95wyfsoGKwjPxINqYw0F3zbZttlfpyG84Jg2Y4E3+NDE0YtPv1stE47aW8ZWDycjcvrW9UGANEQWHGoEMVC7sIDmSEKc4zZYVOrDPnIDOl8Fdt+7oQb9XcITvkt28DJymMvm2FLJPEB9Iz/M9V72r8QhA9ASYEWnhjYUnv63A92YH7FBr+5rdlaRSW/jJfnTWViHdi9F0fYyPmjgcyAitSXZNbPs3bd8uV7ZZTWIQGMb1IpB9SFHxMBHLNv510kFmdn0RpThIrSiDrbau4OiXcFj3N3JOStlz/AlWBkAj/zNfCcdZfsSvICARcAuw4Jowh0fGSzi3uJrr9CezWTj5t3SN+KoKGs2vO5DoD8dmjtI3vStICVs9jN8QXiPb4WpUALyM9AT41Eg+oo/58SnxNjovJ2xw/DV4GTQxpzaPCC1yagR4vSR+/qlRYU9SUinw53kzm2tZjabAVbfpTlbq7F7Ld/GuW3IQh/fULBTxYGys9s++72GdG/P0elLjvCV0Xt3vIona//uVKQFXQB8rxAMWLnTHFbM9Y6uWlZkN/W63ceJAYzXNBtC/uzfMV8GRZQpbb/QVO9U/F54yefoB7XJ8BSrHYiCvIeV/SwWINNw9Lo/Cy4nsC6UrqYdanz32HrwawSGikfGjQGXDE1n3DcPXbA6rGR2N7bbxZnIeI7TLP+pNxEg8Apr550Vh1qM9oCDx7cYgFkAEb/X/P4PYqRe1yRn+jzomAPidhGCuHibtihCXU8bht4i3uwT91SJDNEmJI9yBSxAMY9pgjmSuVTO22tI=,iv:D+KOoEOhvNSEbx4h8ltF0Kj8XBp5B6ipCXFtREvqXdw=,tag:jVZjICBTlwEUAeaH7Rgkbg==,type:str]
    credentialTemplates:
        ssh-creds:
            sshPrivateKey: ENC[AES256_GCM,data:NFkcWS4nL0KOtNaXU+InVIoVJhCiasJWN2JTJ2AP9WH9caU5pDw2mpT1mF0zZuRw/hvwJTrkSjA2pV6hiCEVwJegEWqWIKgnakEeF6XZPJK+ryWSLA2jg3Ba8BCMZxMTq9olZEt4ap/irKhvkoDxERdvGp/bsWYwNsy/lo92xNqAeGAWlyS4H5bBPx8RtzJx7MrVmGsOGmtPhaX9AxGtot13FZ07Y0lW0PZ75VgQzNS05Y9obO99hrdJ2sfGdmZtvqtENJGQh9sLzAKKbZFj5bE+A7TA54qVItmePEg6JhWdJ+0QMoyGXUaX1b1XsdwV8TOZEFOj9KI1RwsrOhwlD1sqkKJC1l498mOwP+xeFXJkGOtT2DB+Ds6LU4byXKMkvhwNQho2BBkQ/+W59IIL1+4a6RHMJwO1dhK94AsQDjy0TNyKKTSk8erotlwefR5ny+ZnARe2V5mLObmAZWdbni+AzvfHCrOQcmk3dxwLBCc98/hDzAMlbjsE34GWUEI5rcp+uHhFgnLaTNJE/PJOwP1WlFiyoDIpi2lj,iv:3XAh3cSFA2r1PMlXMo/1ubpIIgyGDDMhpni7hlinSBg=,tag:9po/JY+NFnOz3Xaw5L60PQ==,type:str]
 sops:
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZzFUTVVQNit4eTNiYWcw
            Z2JsNEVGcm9Qa2NkWnQ3Ym1RSmV5ang4dGt3CkJhdSsyeHJlZWdtbkx3alhqemxD
            NWdHdGV2K1ZOeGpqSS84SHVWMUN3OGMKLS0tIFhNWXBHcFg5VDNVUWVaY3RhY0dz
            aXNSKzVjZEZRZlBaelk1TTNYcTkxcWMKC1gn1y9T0PsFOE4hKYS7m4OgHGkFcK/p
            SSFtTltvEs6jEeXitHhGcn1IWy4hxEvUBnVMGwTkweIKefwxkHi9/A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-04-14T12:08:28Z"
    mac: ENC[AES256_GCM,data:YzmFndPEnQAs9LDD41xQPGTUvU2zUup7J3dTUPLVmBZVHbV2Ml2xAmxMLXJ0G1VOM6h+TEQasU/ZUadLc41GM4m8aZfvxnQtMxPJEP9L1g4zhE3zzXAGXixcQ9xDY3aDhVwdoipyMo23kQqaHageVIfoBxE5ClI+ci0FepeBO/I=,iv:8hAfCtpoecVU8WgAStfqFArAMqBAiPJQGgKMJhJnDBE=,tag:lbJOH1IAf6Enl8g/Pe2I+Q==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.1
--- a/values/badhouseplants/databases/redis/secrets.yaml
+++ b/values/badhouseplants/databases/redis/secrets.yaml
@ -1,26 +0,0 @@
 global:
    redis:
        #ENC[AES256_GCM,data:INOZ17f72Qf6D+drbcvmnZRBRIeXLSAV9RmfOLZFp45qt8GWSHMnevqq9ge4Zlydtsd3BDek/JLUNl6YHPPq9qM1EFujY2htbOHyf0Cn,iv:zZDMizNKFllCyNH/bUF+vuB9YOikjo3q5ebzu3LYvCc=,tag:H0XX/D9xh0HS0Xnqgs/aag==,type:comment]
        #ENC[AES256_GCM,data:JiLOpJanuZnMpN5dMvw2,iv:YEVZSdRHez1lCb61hWLvalLq8F67l7KF0WXmmuj9bck=,tag:KnpfgwUYBQLZsj4Jk13RtQ==,type:comment]
        #ENC[AES256_GCM,data:mzDGjHlXUunu1yA=,iv:LOOU/QGaHKeDrssbk1haYd0lPclbFak9GygEbbN0gFs=,tag:4cUubeiY6aJj5KVKVkdFUA==,type:comment]
        password: ENC[AES256_GCM,data:kN93kIMiVTGWbaYgMC1n1MWqdl8s3cbZS5vvYTa2,iv:Qy+GQchC6s2PoarPWtquipF9gAVYZR6mn0GeHABRogE=,tag:V/xbfm9u51UUG+we/3nNLQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOHRuN1J1ODYvc0Z3OW5H
            NFhVM0dWWGZETU0vTzVkeUk1NFVWc2FSaGprCm5NalJKUWxtLzA5VTU3YjR5VWtx
            NExtbTZZZUZteVBTYnNWTVZvbnF5VFUKLS0tIEpBTDhPbkVLVytaY29aUktmZGF2
            bnVKWmI4RWpLaGU5WTIwblJRcDFDMlUK2BHkUNbpRMo0jm2Sk+Qcf4giufJtaJyM
            xuoG41AqGs4+KEDS8/rF9HK7z+2Wk9H5b8L+/W0n+J5EPOvwvFePTA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-26T12:23:02Z"
    mac: ENC[AES256_GCM,data:xrA6hCFIH/R/j/V1T60xx5Eix5Z5ETREQP4zYriLkZQ4hEzL2WdJFExK1VXSfX4KmIR8215XHmHnWu70eIoAnFUaozBosIFtJz0YNrNNok6MeDGD5fy5mcBQfCqLw+rwbW/uxY7DQrchgVT9iFAkpRSoVPUzn6ku/xCmTmSlv3E=,iv:lNLR5QHKPUWb1Mz8mIFCHnjpuQVF7ttNTOy9+jEzLyo=,tag:G4iZ/9nWKh97JLGOxbgSQg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/kube-system/namespaces/secrets.yaml
+++ b/values/badhouseplants/kube-system/namespaces/secrets.yaml
@ -1,21 +0,0 @@
 defaultRegcred: ENC[AES256_GCM,data:lsqr2fBEosOQqYLBwps1hmgFs90zkzbdHpO8UwJWcMl1/CGkyzroACqHkL8taaOnnvwWwadIL8FU3382jamw0Xk5O51bFSBbCxTs3xd4ibwe39ha5YI6YQDHADDb/u1Yw4TctJ/h9xykXHDOL4foE5Z860e16vtMiVvniLD9OGfR6utb9gvZHE2QqZTlHR9U4PY2vLWWQMN3VRvipT7hulmOUzXMVcuBswmyDF39PvTba6Ea7A83V9h6HpqNeSA1ewKREIDOFqjhl7tIit8aQnuee58bJCTVIdg6gyR6yfu6sF22wdUlsJ7CAHtd41sbhEhWGyzJIqg=,iv:J1CfAJmNpI7lgQalYJlXs+JX5I0e6COGrsenMhvDGLA=,tag:nHkq8VF47I/9FS8uGcEyuw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwWHpPUkZqbC9LaEtJYzhF
            L0hIZUtOa3E4KzJDOFlwaFRVWDdJRnBtR1ZjCnVLNzhyQkdxS2dtK2lFaWRJUkJq
            dThURHRTRG5GT1BqaTZRbzlUbXYzWHMKLS0tIFRSa1lkSGQrN1RGdklzYzZNU3BH
            ZE0wMk1sRGg1M1lrNVFMTityK3cwK00Kbhugumz27RVo1SJjaljEbklHY6CW7xGD
            UCbN0LGh5PPpN6eCbZW8dB1+/lLR9AnyYr6okrGM2iztaJQdlwRvww==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-27T10:24:56Z"
    mac: ENC[AES256_GCM,data:xGqmh1TPg0OJLSycbnjsF4Ai844ZzlCzawQXmROpORJEiSL/3R1W+2PsBT5KcAfG7y2+Ovyk+l1FeorIPuqnbcezX9zUxMOaFXJylmwvNYXCwoihU6Yx2hg9SuFhnwINAhCLqOaRKIh8xPUaK8nRVqwJJa0jW6eCyZ5lsLtpz90=,iv:pmPfpSv3VfVz/MvTGTWoMxzkF3BvCMhK+HxEeN5pzNI=,tag:WkLcTz/WlLXmq8EojHfdlA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/kube-system/namespaces/values.yaml
+++ b/values/badhouseplants/kube-system/namespaces/values.yaml
@ -1,36 +0,0 @@
 namespaces:
  - name: registry
  - name: flux-system
    defaultRegcred: true
  - name: argocd
    defaultRegcred: true
  - name: kube-system
    defaultRegcred: true
  - name: production
    defaultRegcred: true
  - name: kyverno
    defaultRegcred: true
  - name: velero
    defaultRegcred: true
  - name: observability
    defaultRegcred: true
  - name: databases
    defaultRegcred: true
  - name: istio-system
    defaultRegcred: true
  - name: platform
    defaultRegcred: true
  - name: games
    defaultRegcred: true
  - name: pipelines
    defaultRegcred: true
  - name: public-xray
    defaultRegcred: true
    labels:
      istio-injection: disabled
  - name: org-badhouseplants
    defaultRegcred: true
  - name: org-allanger
    defaultRegcred: true
    labels:
      istio-injection: enabled
--- a/values/badhouseplants/org-allanger/app-memos/values.yaml
+++ b/values/badhouseplants/org-allanger/app-memos/values.yaml
@ -1,35 +0,0 @@
 shortcuts:
  hostname: notes.badhouseplants.net
 ext-database:
  enabled: true
  name: memos-postgres17
  instance: postgres17
  credentials:
    MEMOS_DRIVER: postgres
    MEMOS_DSN: "{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
 base:
  workload:
    containers:
      memos:
        envFrom:
          main: {}
          raw:
            - secretRef:
                name: memos-postgres17-creds
 storage:
  data:
    metadata:
      annotations:
        volume.kubernetes.io/selected-node: bordeaux
    storageClassName: openebs-hostpath
 ingress:
  main:
    metadata:
      annotations:
        kubernetes.io/ingress.class: traefik
        kubernetes.io/tls-acme: "true"
        kubernetes.io/ingress.allow-http: "false"
        kubernetes.io/ingress.global-static-ip-name: ""
        cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
--- a/values/badhouseplants/org-badhouseplants/app-gitea/secrets.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-gitea/secrets.yaml
@ -1,50 +0,0 @@
 gitea:
    admin:
        username: ENC[AES256_GCM,data:U230S8544mg=,iv:yL45Opnqp5T4h7erEv0pRHWtH1th8uu1Y4wfeY2aJcQ=,tag:a4vsJEOxlmHj1mwqcUGbiw==,type:str]
        password: ENC[AES256_GCM,data:IpwOetFEvxt0/tGkiJ8bBI+OR/E=,iv:8OA48CiWeMyqZVs2lp+UzfyymUNQfdgmAQV33+AVQ+s=,tag:stgAMSnB5dCzFu4zvZeVRA==,type:str]
    config:
        storage:
            MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:cn3NsFx0TH0fw6mJt6cArMRyQ6Qng3gIPQ==,iv:Jv+rweQzEXfVWuWycjGSi54jRAm0XEEcNxZ6flbUZWM=,tag:6O9KvcnaVEME5lXl6msZLw==,type:str]
        mailer:
            PASSWD: ENC[AES256_GCM,data:3UL0uvz49J3GIOo/eVWKYLrDG+u/lvCr8Q==,iv:HBQKF42R3tHFQxkUoRzsiPCUkFM40qpjM0SYrQSxugE=,tag:iua/nXoogjxnkj9T6UB/Sw==,type:str]
        database:
            PASSWD: ENC[AES256_GCM,data:DbL7wryYRQAEzujWNL4I0AwEq6Cr2r78FXQOAw==,iv:Oc2IYwD7iy7AlYVnhvSc61ttOf20qJyuuDnx4yF3/YE=,tag:aLa8+r0kYvzFSuF3hvhL2w==,type:str]
        session:
            PROVIDER_CONFIG: ENC[AES256_GCM,data:owsHUHdmzGiFgtD3+nRBmHYKcsNQXblbuCO8V0tLAAMvJBRHSA5YG1TL3Quy2186yoZCPiAdeQwg/o2Iutk2Mlc6/NmeurZbxomV8dWBuqJfn6t44xnDgFnEXpxE5kB5lNCtcjKXmpxC4fkoUVscOyZFmKp9uTgH,iv:evmTZH5NzMB3nhqLhuBmTTF4ztJX9a/ZMTOmYMqSaxs=,tag:dLnk9xt+moGoBhx7tqazig==,type:str]
        cache:
            HOST: ENC[AES256_GCM,data:feiTcBqztm76LZgNShj0Go0IRNgG9UwCQP9KrdexosP2XCnSe+giyKoIcADiHQFYVbnnkpw7/UqNxgM0Tx+EQ9eyFKY+PaFyCSFmQwikmAWakDJ+hQNM1VaNaDKdeLiGIeI7nO2MH9hGDMzPWtUgMNBxc9tTS38l,iv:Rcr+uiZMWbG9IPeMm+eiNf3W3yz2L7yqSkJSKUhWHtk=,tag:3cLuUAEU6CZvvUYKF1cCAQ==,type:str]
        queue:
            CONN_STR: ENC[AES256_GCM,data:Mw7W72M3HitiAEG1ihWctXyYqHJuSiKBZvQDDRjA4O9Yg9Zsbq+/HVcnh074zbiTjCO/496FLiy88HuAw8lksZ7MXXVvRI7rIcFKFZLpHcjAqkBnB301SGalK/R4bSisECsYIFPjKuh+s4PIuPEIgFtZuiEvYdbT,iv:uYwjzUObav2Hs/JgRIYbGBFNcZm++qS2QqKpz6Ma6EA=,tag:0okDz0yzL4eSat/0roYJ2A==,type:str]
    oauth:
        - name: ENC[AES256_GCM,data:sN+DzBKd,iv:0HNSbQEDLsV76DIRHdWnPs9SI/bHRZz6Fw+8B8Hhuns=,tag:mwTWy9VSXapPu3uLk7LgSQ==,type:str]
          provider: ENC[AES256_GCM,data:m74moJ8h,iv:QfE5F3vpIlEzIftHlX/qpNvsnAab8gTd4CHyECHNcmQ=,tag:JefFm9mfYJSKzBDOb/l6BA==,type:str]
          key: ENC[AES256_GCM,data:7ScP3oXE0zTnaqL3AigHby39fMk=,iv:sXllPawkQ5BcKmC1iBUJ2WOEPK2lm6W3q+GrprHZhAc=,tag:vSCB9w5x6jjPNu5b5ZEMzw==,type:str]
          secret: ENC[AES256_GCM,data:XG9D5IUX4MqJzKf+aB7MCeDJAQlIzMxSv3ByAZQAdZCI+5my+cMfeg==,iv:s3e0wFznoX55MeEQj+dK0QrzzatGzDBKfT4xDD00cOA=,tag:vk32YQcPs0kAIOj61YwHww==,type:str]
        - name: ENC[AES256_GCM,data:eBSL9xrBDN50,iv:TiC3jjpfwS6A9x6PAkMIorwJ9CecxblzEFt5+ZmSW6I=,tag:XA6UrnJbkUyDBgOY9xfIPw==,type:str]
          provider: ENC[AES256_GCM,data:yh4TBYDI2R0a4f1qSg==,iv:hx8pAuo//U+YY5a2cq/KyoK4qcKbSXWtkrDvACWLU2c=,tag:uJ9JNWdDjb0eTS0ZJXHDaw==,type:str]
          skip_local_2fa: ENC[AES256_GCM,data:8YwpOw==,iv:2R3Zc4HK/U31SVcXR3xi9J/kJySR3osA8xN3YhvRxBk=,tag:SzBFOwEmczW59SHLGCMb5Q==,type:str]
          key: ENC[AES256_GCM,data:rLR8ve4=,iv:qOVIBiFjsOrrRg/mca5l7SHc2GdVAdyz0TV3Q7lJlQg=,tag:tYEzx7SoeoAC9/lgWU91uA==,type:str]
          secret: ENC[AES256_GCM,data:r7sWVeqWTnqbt7ArzpADD5A1fYU6+KSpLohWJuSbEUyPAzOSxfZGxSYNfAwaxACOgmJJnxUeQ9l71nyUDWzGMrFkLr+o+WcQmSTPV3+3iMHDsTdgjEb+tIZFdi0Z5PJ8DCBxjckmbG5cx3O3Kyrjc24SNHCVb62lhduZH1fIlT0=,iv:kvtMCpiOUx10zTKt/ZYQh3leYaY9+v169Sq+sYIScHQ=,tag:t8txjt3xuVKWA7QgBJYuiw==,type:str]
          autoDiscoverUrl: ENC[AES256_GCM,data:SG2ev/BshOBP0NQnpZRQErZDAEWdReiwp2pb2JJBWZmFvC67//t8WZu1/wilfQjJvJdsDGwk9Rwncoxya5Fb9uKYDAQKzqULJk70Er9pyNaowFbMxiMm+ws=,iv:B9GM9MLIrKTtRfyDxltlFvvm01aRCTQnyiemH4qzjGs=,tag:Wqji+fKliEGJRZ4inTmbXw==,type:str]
          iconUrl: ENC[AES256_GCM,data:lcW3npgyrc50GIYCyTh5Gpht2CU6hX67j13XNOvGQybU2dsA9BtqpmH0OMQz4b1g/XkuHAp5j3I0wLnGvhXXf4mEugzt8g==,iv:X/kHS77OJLDuNN2lTAWLqPARJ1QZMY1ImuS+xmkUlgM=,tag:0ZRh7eH6dYdZd250Lb/+xA==,type:str]
          scopes: ENC[AES256_GCM,data:GtTGDrDZwU1r5vEsxg==,iv:/7yMuJpxlML3R1X8onDSFbJVwpYFtnLamaI+X148Tlk=,tag:e8HkvzdpkhDvedVzm7jG3w==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6d2JneUUzM1VkM1lvclA3
            aC9wMGpKSGU5ZnVaUTNlVDNsMlNaOVRNYVdzCkpzVUJzNHN2TmhHektzOC93Vjlj
            SVU3cUxVUm4wWjJQRWZRdWlRMEU1eUEKLS0tIHRLOEJERXBMd0NFajNjbHhPVVNl
            b1cyT0RYa3hzbFJjc254bHJMcDIzeTgK/aX6f60NBz6w1TaOFSZDRE7rPniebb75
            iwO74fJtl5g9WxAG5yByxJ455Uhc2R/+VBbK5BcYFt9cboIgkUrS2A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-25T19:15:08Z"
    mac: ENC[AES256_GCM,data:ySAOo8j+p9O0v8xYFcjuD6e/pc9LtLxLWC4TdP7mjhdfwwaaoJW96DLEbSYxYN7Co8zHFqdMp5e76SgvhWwP2LNmHLunJ3LNU6u6NSMEFLCSyjAM8KiqB4bTNq7Kf9H2FZbAN58YKXpZEFECJpxoLg2Q9MdRp+BvgURDa2QLZRc=,iv:Ay5vMdrKbNpFyir/N4+mPuOwKwIVupZbeJFKA+DWFDA=,tag:+YUSXQYMfu59oF+hjg0XMg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/org-badhouseplants/app-navidrome-private/secrets.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-navidrome-private/secrets.yaml
@ -1,28 +0,0 @@
 files:
    rclone-config:
        enabled: ENC[AES256_GCM,data:3y4DCg==,iv:n+Pfj4j405WR17aY7RbF6lpOQ58ZQmWrH6dgUTQ0jX4=,tag:xbKEnPnASJTl27ch1Hi00g==,type:bool]
        sensitive: ENC[AES256_GCM,data:DGby8Q==,iv:nibU4CkdcYlT1F7OkgqE1apUuyJA5M9Vj5x40F9zt3w=,tag:oW+jPP7F1vWY5gf0JyrPdw==,type:bool]
        remove: []
        entries:
            rclone.conf:
                data: ENC[AES256_GCM,data:m4K3yt7no9mnUOzn/iGtaKqBrDXoLCgxEWV8NacXlOvh7c5ngmTmwoxzTaNxbsCQA7dECYb0dFtPvhF33AqgpcbRnqGrK54v8V+NaldQrgT2up4iQfdYA+sh+yNG3QAXU7eOEBvyFctJ+9dEaBII1sF/xFSkcTwrWkQFTQKLDdNIYU9a8ttEysz0cBWWXL3h9Y7C/mBjPdWIhpaf6Z63hy5P0hnYFftZsVM=,iv:qBBk9xMlZl3FriY2oYk4DQB1EKTsl7/qUj4s8naVvts=,tag:tDUKvK8ZuIxVeJjyUUqeXQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxalE3bUtCWmFVejBJMlZq
            dUg0U0R2VytsZHZ5QlQ4UGdrRmdsWGhWbEI4Clk1WEZ4U1lEdTJoRVBTbEFXaE1O
            TW1wb0dycS9HeWdQcUx3KzJKb2kwTVUKLS0tIDU1bE9JWnp3Q3U4V0pVOGs4Z3Rq
            Q1VsM3orOUZmS3lDaFpNN2g0cnllVWMKqZlPfiIFKn8h56gspbbUhpv9RkL5gF73
            NzqtFJJwQOGaD3lk2ocaLLkvywJ/DKNf7JupTWlmggHijId4hmpytw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-11-20T15:04:15Z"
    mac: ENC[AES256_GCM,data:XRmw86oJLHXMAY/SPv6ptQLV1Eocbig6CQSG1SdOO9scMpfgD3tMY43z5aB16DkW+6AG1ti+TS4JRgXKLaSsAmORqRN0yTwGEktiLs0GxhtDvMYwnclj/Cx76WbZyMkgVzCHe7ZsAI+9DrejSFYbB/CzA+8yq1KmMf/L5NWcv7o=,iv:AcYK48ywr2pzNw/HEY5hWOcjdnmnG2/eWp+r/o15Lbk=,tag:HLKLFYFV+7SWUaFYiNUS3g==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/values/badhouseplants/org-badhouseplants/app-navidrome-private/values.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-navidrome-private/values.yaml
@ -1,49 +0,0 @@
 shortcuts:
  hostname: navidrome.badhouseplants.net
 ingress:
  main:
    annotations:
      kubernetes.io/ingress.class: traefik
      kubernetes.io/tls-acme: "true"
      kubernetes.io/ingress.allow-http: "false"
      kubernetes.io/ingress.global-static-ip-name: ""
      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
 env:
  main:
    enabled: true
    sensitive: false
    remove: []
    data:
      ND_MUSICFOLDER: /app/music
      ND_DATAFOLDER: /app/data
      ND_LOGLEVEL: info
      ND_BASEURL: 'https://{{ .Values.shortcuts.hostname }}'
 files:
  rclone-config:
    enabled: true
    sensitive: true
    remove: []
    entries:
      rclone.conf:
        data: |
          [music-data]
          type = s3
          provider = Minio
          endpoint = s3.badhouseplants.net
          location_constraint = us-west-1
          access_key_id = allanger
          secret_access_key = fPN3Nv6yDWVnZ7V7eRZ
  rclone-script:
    enabled: true
    sensitive: false
    remove: []
    entries:
      rclone-script:
        data: |
          #!/usr/bin/sh
          while true; do
            rclone --config /app/rclone.conf sync -P music-data:/music /app/music
            sleep 10
          done
--- a/values/badhouseplants/org-badhouseplants/app-open-strike-2/values.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-open-strike-2/values.yaml
@ -1,20 +0,0 @@
 deployAnnotations:
  keel.sh/policy: force
  keel.sh/trigger: poll
  keel.sh/initContainers: 'true'
 extra:
  templates:
    - |-
      apiVersion: traefik.io/v1alpha1
      kind: IngressRouteUDP
      metadata:
        name: "{{ .Release.Name }}-game"
      spec:
        entryPoints:
        - game-udp
        routes:
        - services:
          - name: app-open-strike-2-main
            nativeLB: true
            port: 27015
--- a/values/badhouseplants/org-badhouseplants/app-stalwart/secrets.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-stalwart/secrets.yaml
@ -1,27 +0,0 @@
 config:
    env:
        secrets:
            data:
                SW_ADMIN_SECRET: ENC[AES256_GCM,data:dG2zVmvycL7TZM922XADQ/SwWMBrUvXd+BPwpxIvmaDnjejpEaHUfB0xhpkhZqhAB8M=,iv:5hDpUFLLGLf4VLj8h3weOZhiwJKYORg5uKVgXVXKbgM=,tag:9FQru61B5hDPcIoIUDvUtg==,type:str]
                MINIO_ACCESS_ID: ENC[AES256_GCM,data:HvZa/kOy8ZI=,iv:T2433k3OmZTmPTx2QWEAELlN7zY37LUynapVWpASrJ0=,tag:Kvr4wIgq5dMmXRJDoxqGxA==,type:str]
                MINIO_SECRET_KEY: ENC[AES256_GCM,data:Tv5VWQprCKtJCghzhZ8YD8/9,iv:hioZ+d0ns+Hr3pBVyfFWgcuRKDrPQmskSnU0XOMwhzA=,tag:nuFn0qV9UMy2ywiFfx5gHg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGMTZGN2NSYXUzcXNJVUx2
            YXE3Nk5MbnV1dyttUEtmUExabFYvOGdHcTBRCkM1WE9uNlF1OGh4NnNDL3NabXhi
            OW1NcDlydUMraTVQV2tjLzVla2tpSnMKLS0tIHN6RXVJTzNvZlkyTmdDb09UTUNy
            TVJyRVI5U2NmV1VIQTk4cjlYM1htMFkKkxsXzn+7nFiTs3mANqO0+f7/TTGKogFk
            8ix4OpiA9b33kuqi4Z7bXx4ucyCmlDwtxuHvmOEOyW4yJ9F1cgm+Uw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-02-15T23:05:04Z"
    mac: ENC[AES256_GCM,data:Kix/IdONJ79Lj1dc/gigpM7BUPyg7EIsPQzkhtu8+nbIQZQsm0CYqlqPx1V7w0r9vef+rCd/8GX8RdKw0o5ZaDZY5l0nXEi9E7dEtcHTYlrr8fqljcsGRAKmOiBRMkPh0jGTEPlFRtb0Inrn85rWUiMJP12hwIIS0t7GpAydKdI=,iv:1pMdzj1x0Hf65nmZ28Lv7yu6Y+suQKxv274nYl8J3HI=,tag:GQL8HOSswz2N56iNAS9l9w==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/org-badhouseplants/app-stalwart/values.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-stalwart/values.yaml
@ -1,318 +0,0 @@
 shortcuts:
  hostname: stalwart.badhouseplants.net
 base:
  workload:
    initContainers:
      prepare-config:
        image:
          registry: registry.hub.docker.com
          repository: library/alpine
          tag: latest
          pullPolicy: Always
        volumeMounts:
          files:
            config:
              path: /app/config/config.toml
              subPath: config.toml
          extraVolumes:
            config:
              path: /app/etc
        command:
          - sh
        args:
          - -c
          - cp /app/config/config.toml /app/etc/config.toml && echo "" >> /app/etc/config.toml
    containers:
      stalwart:
        volumeMounts:
          extraVolumes:
            certs:
              path: /app/certs
            stalwart:
              path: /opt/stalwart-mail
            config:
              path: /opt/stalwart-mail/etc
        envFrom:
          secrets: {}
          raw:
            - secretRef:
                name: app-stalwart-db-creds-17
 extraVolumes:
  certs:
    secret:
      secretName: stalwart.badhouseplants.net
  stalwart:
    emptyDir: {}
  config:
    emptyDir: {}
 ingress:
  main:
    metadata:
      annotations:
        cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
        kubernetes.io/ingress.allow-http: "false"
        kubernetes.io/ingress.class: traefik
        kubernetes.io/ingress.global-static-ip-name: ""
        kubernetes.io/tls-acme: "true"
        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
 config:
  files:
    config:
      enabled: true
      sensitive: false
      remove: []
      entries:
        # Ref: https://github.com/stalwartlabs/mail-server/blob/main/resources/config/config.toml
        config.toml:
          data: |-
            [lookup.default]
            hostname = "{{ .Values.shortcuts.hostname }}"
            [server.listener."smtp"]
            bind = ["[::]:25"]
            protocol = "smtp"
            proxy.override = true
            proxy.trusted-networks.0 = "192.168.0.0/16"
            [server.listener."smtp-startls"]
            bind = ["[::]:587"]
            protocol = "smtp"
            proxy.override = true
            proxy.trusted-networks.0 = "192.168.0.0/16"
            [server.listener."smtps"]
            bind = ["[::]:465"]
            protocol = "smtp"
            tls.implicit = true
            proxy.override = true
            proxy.trusted-networks.0 = "192.168.0.0/16"
            [server.listener."imap"]
            bind = ["[::]:143"]
            protocol = "imap"
            proxy.override = true
            proxy.trusted-networks.0 = "192.168.0.0/16"
            [server.listener."imaptls"]
            bind = ["[::]:993"]
            protocol = "imap"
            tls.implicit = true
            proxy.override = true
            proxy.trusted-networks.0 = "192.168.0.0/16"
            [server.listener.pop3]
            bind = "[::]:110"
            protocol = "pop3"
            proxy.override = true
            proxy.trusted-networks.0 = "192.168.0.0/16"
            [server.listener.pop3s]
            bind = "[::]:995"
            protocol = "pop3"
            tls.implicit = true
            proxy.override = true
            proxy.trusted-networks.0 = "192.168.0.0/16"
            [server.listener."sieve"]
            bind = ["[::]:4190"]
            protocol = "managesieve"
            proxy.override = true
            proxy.trusted-networks.0 = "192.168.0.0/16"
            [server.listener."https"]
            protocol = "https"
            bind = ["[::]:443"]
            tls.implicit = false
            [server.listener."http"]
            bind = "[::]:8080"
            protocol = "http"
            hsts = true
            [store."minio"]
            type = "s3"
            bucket = "stalwart"
            region = "eu-central-1"
            access-key = "%{env:MINIO_ACCESS_ID}%"
            secret-key = "%{env:MINIO_SECRET_KEY}%"
            endpoint = "https://s3.badhouseplants.net:443"
            timeout = "30s"
            key-prefix = "/"
            [store."postgresql"]
            type = "postgresql"
            host = "postgres17-postgresql.databases.svc.cluster.local"
            port = 5432
            database = "%{env:POSTGRES_DB}%"
            user = "%{env:POSTGRES_USER}%"
            password = "%{env:POSTGRES_PASSWORD}%"
            timeout = "15s"
            [storage]
            data = "postgresql"
            fts = "postgresql"
            blob = "minio"
            lookup = "postgresql"
            directory = "internal"
            [directory."internal"]
            type = "internal"
            store = "postgresql"
            [authentication.fallback-admin]
            user = "overlord"
            secret = "%{env:SW_ADMIN_SECRET}%"
            [tracer.console]
            type = "console"
            level = "info"
            ansi = true
            enable = true
            [certificate."default"]
            cert = "%{file:/app/certs/tls.crt}%"
            private-key = "%{file:/app/certs/tls.key}%"
  env:
    secrets:
      enabled: true
      sensitive: true
 extra:
  templates:
    - |
      apiVersion: traefik.io/v1alpha1
      kind: IngressRouteTCP
      metadata:
        name: "{{ .Release.Name }}-smtp"
      spec:
        entryPoints:
        - smtp
        routes:
        - match: HostSNI(`*`)
          services:
          - name: app-stalwart-mail
            nativeLB: true
            port: 25
            proxyProtocol:
              version: 2
    - |
      apiVersion: traefik.io/v1alpha1
      kind: IngressRouteTCP
      metadata:
        name: "{{ .Release.Name }}-smtps"
      spec:
        entryPoints:
        - smtps
        routes:
        - match: HostSNI(`*`)
          services:
          - name: app-stalwart-mail
            nativeLB: true
            port: 465
            proxyProtocol:
              version: 2
    - |
      apiVersion: traefik.io/v1alpha1
      kind: IngressRouteTCP
      metadata:
        name: "{{ .Release.Name }}-smtp-startls"
      spec:
        entryPoints:
        - smtp-startls
        routes:
        - match: HostSNI(`*`)
          services:
          - name: app-stalwart-mail
            nativeLB: true
            port: 587
            proxyProtocol:
              version: 2
    - |
      apiVersion: traefik.io/v1alpha1
      kind: IngressRouteTCP
      metadata:
        name: "{{ .Release.Name }}-imap"
      spec:
        entryPoints:
        - imap
        routes:
        - match: HostSNI(`*`)
          services:
          - name: app-stalwart-mail
            nativeLB: true
            port: 143
            proxyProtocol:
              version: 2
    - |
      apiVersion: traefik.io/v1alpha1
      kind: IngressRouteTCP
      metadata:
        name: "{{ .Release.Name }}-imaps"
      spec:
        entryPoints:
        - imaps
        routes:
        - match: HostSNI(`*`)
          services:
          - name: app-stalwart-mail
            nativeLB: true
            port: 993
            proxyProtocol:
              version: 2
    - |
      apiVersion: traefik.io/v1alpha1
      kind: IngressRouteTCP
      metadata:
        name: "{{ .Release.Name }}-pop3"
      spec:
        entryPoints:
        - pop3
        routes:
        - match: HostSNI(`*`)
          services:
          - name: app-stalwart-mail
            nativeLB: true
            port: 110
            proxyProtocol:
              version: 2
    - |
      apiVersion: traefik.io/v1alpha1
      kind: IngressRouteTCP
      metadata:
        name: "{{ .Release.Name }}-pop3s"
      spec:
        entryPoints:
        - pop3s
        routes:
        - match: HostSNI(`*`)
          services:
          - name: app-stalwart-mail
            nativeLB: true
            port: 995
            proxyProtocol:
              version: 2
    - |
      apiVersion: kinda.rocks/v1beta1
      kind: Database
      metadata:
        name: "{{ .Release.Name }}-postgres17"
      spec:
        secretName: {{ .Release.Name  }}-db-creds-17
        backup:
          cron: 0 0 * * *
          enable: false
        credentials:
          templates:
            - name: POSTGRES_HOST
              secret: true
              template: "{{` {{ .Hostname }} `}}"
            - name: POSTGRES_PORT
              secret: true
              template: "{{` {{ .Port }} `}}"
        deletionProtected: true
        instance: postgres17
        postgres: {}
--- a/values/badhouseplants/org-badhouseplants/app-tandoor-recipes/secrets.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-tandoor-recipes/secrets.yaml
@ -1,25 +0,0 @@
 env:
    secrets:
        data:
            SECRET_KEY: ENC[AES256_GCM,data:bLecWaJafPbXT2/dvKt3R2KNfuxxgQ6yLxviYbOf,iv:liuexfgYScH+eg/qSO23SQxE7hKpudgkOH3JRDkaa+A=,tag:DEcAbY6rg7mQnhsnukWtFA==,type:str]
            SOCIALACCOUNT_PROVIDERS: ENC[AES256_GCM,data:kx9ziZhxWcWTu1UG7BPi/sdG1tHhzugq65xxL3IPVx8i1oHXwy+00KaOEsIYP+TJqX5516Zq6JqtXe9dQwI4uVIy538FdXeEQDHKNS0xesSx8jG0tKa71GiqyQGBrBBxiy144za9y1QHB9k1pvuaza8mVEQOoktmMFfiHzEOhYDQxIzTulOMWxN2ImTsYSupHS6HLR13gDCyROVDzj1Io/U1VHxN5RZBPiqthNiB+/Aj+2FuCwAaxgEE6VVNFJlghi2yiZbl/PvZ3MDT+dAx/NijawVt0qdBBmPvB3jKZkgRN2tyystGiu47hnLosuzjrOjAMA6rP7XkT2gQ5e6hoLlJxWD5IiAHI+gQK7REbyJrEmSwwH0aCVsd1H4FOBNk+rfKpTIr7sRZFTVcZLtUdTZW6EW0XWmrBBPr5jodmouoFZY+dGlWP1vQkG+2eymw5aJCan0oq+x+J9dB+CVZc/2M1zBeRa6Crg7w3smCqOr46jkaRxfoDxV2NdRSla5zkwwFSS7MqPYlqre2oW+pgP7lvRa4MW9++5q+Zg==,iv:RZMNm66PhTWvjJG5jtpJW22TFInHw8LT04qui3fMLgA=,tag:ETMqmFO/8Kve/W55WP21dA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcTM5RTNIakwwZHNrQXE2
            U2FsK1gwMDhUTDd1MVorbENtQXdnZjYrM1c4CmNQaG5TcU9wK25qQUg5a29UUXBK
            WlZHK0M0dHEvZWVyZmJzR0RLU1pGWmMKLS0tIGk4TFArQnJyTWJJa3FJRlJhY0do
            ZE81bENWM3ZUdlR0N2RKMnJkUnJxSG8Ky2ngwj6ZnToGhnAJChU8NXUG+XPPZc2F
            fOD35BFO5bUNe+V8MkDLae+GQ1hr55r4WnvFpSWywRIjCFYmUJHTgQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-02-22T12:32:43Z"
    mac: ENC[AES256_GCM,data:khcLV/lPaY6J5QQmX8466jx9bsXn+NwA3TLIUYs9ipKa539OjIWstwyydVxILSBCwEWGEW86c8EzLBwptBBgg6gehfRJAax5TAn0lBd1lAAiAxZhdNpc2tfoaMaUWfWdpwYjdrtnvAlAkN3/16nvx+TIq7WdU/cWsic96PqhU0A=,iv:I81QvtZ7S+mSAzoXhU0YBMN0L4K+SRHW3UtcSLxwK5s=,tag:gAeAIjyJ13A8gfE7ppBeRg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/org-badhouseplants/app-tandoor-recipes/values.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-tandoor-recipes/values.yaml
@ -1,57 +0,0 @@
 shortcuts:
  hostname: tandoor.badhouseplants.net
 ext-database:
  enabled: true
  name: tandoor-postgres17
  instance: postgres17
  credentials:
    POSTGRES_HOST: "{{ .Hostname }}"
    POSTGRES_PORT: "{{ .Port }}"
 workload:
  kind: Deployment
  strategy:
    type: RollingUpdate
  containers:
    tandoor:
      securityContext:
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
      envFrom:
        - main
        - secrets
        - secretRef:
            name: tandoor-postgres16-creds
          extraVolumes:
            common:
              path: /opt/recipes
      livenessProbe:
        httpGet:
          path: /
          port: 8080
        initialDelaySeconds: 10
        failureThreshold: 30
        periodSeconds: 10
 ingress:
  main:
    class: traefik
    annotations:
      kubernetes.io/ingress.class: traefik
      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
      kubernetes.io/tls-acme: "true"
      kubernetes.io/ingress.allow-http: "false"
      kubernetes.io/ingress.global-static-ip-name: ""
      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
 extraVolumes:
  common:
    emptyDir: {}
 env:
  main:
    enabled: true
    sensitive: false
    data:
      DB_ENGINE: django.db.backends.postgresql
      SOCIAL_PROVIDERS: allauth.socialaccount.providers.openid_connect
      REMOTE_USER_AUTH: 1
      SOCIAL_DEFAULT_ACCESS: 1
      SOCIAL_DEFAULT_GROUP: guest
--- a/values/badhouseplants/org-badhouseplants/app-vaultwarden/secrets.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-vaultwarden/secrets.yaml
@ -1,26 +0,0 @@
 config:
    env:
        secrets:
            enabled: ENC[AES256_GCM,data:bai2CQ==,iv:NG7q1ZsDpCW9Lu00fGsibpTEHGtew+l5TFOLOpljlwU=,tag:Z2/fXmsEEqhDzCdTWS/Qhw==,type:bool]
            sensitive: ENC[AES256_GCM,data:n+dNXA==,iv:iFM0+5G5Bsw4NI+JH1vMMrty3Zo0El0HE9F6PEDsJrY=,tag:EcbzQHVeOHVLVC7kgaRPXw==,type:bool]
            data:
                SMTP_USERNAME: ENC[AES256_GCM,data:eQ4c,iv:4vX/ioHWEA6DzMwZ+23dgUN4PJ7Asz7bbufG5Fy80iI=,tag:1Mq0Hj/23T4fvGEXuNUtxA==,type:str]
                ADMIN_PASSWORD: ENC[AES256_GCM,data:B08urSqwYgekI6I5LDYGHbPK5n3r+woRZw==,iv:K2O9aSJLRMbK+N2lfX4ojSqhbmb9KbWsuW2DtYZHCOA=,tag:Qz0OJ7aWwC+/9d1oc38ySw==,type:str]
                ADMIN_TOKEN: ENC[AES256_GCM,data:sKVugfrrR9L5LtozHPibGiPULiwv8pAot925Z/rQ0V/mW+DVvNPEw4odgfX596Ddmd8oV5zo5Mz8WIPUCmrVmfdoz+3YzVywEy8=,iv:npthfz4xcW6fF10RhHCF6uXH/6526l3gjZGRu+Xpylg=,tag:vsPsRZ7EIQ7FMvqJga3hhg==,type:str]
                DATABASE_URL: null
                SMTP_PASSWORD: ENC[AES256_GCM,data:quvcZQKauXeW+l8xkYgVBElBQveoRWKDBA==,iv:KpQH+Ef87jl/M9XpBtIKNhn7ATHoV+Jgjpzg2Li28Kg=,tag:jniePrO7UVp/cz/eIh19mg==,type:str]
 sops:
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNnFwbWFpTWgxRk45S240
            cVI5ekJXdVIwaG5NcGRPa2xTN2pFV2tyN1JBClNVMGhNL2FaM2pCK0sxbjgyalJN
            MnpQeHBxY2RtWkI2c1htV3oyQmNnbVUKLS0tIGg4ZXNwaFRKNTlIRDluT3k0VDRD
            Y3pIaEdFb1JwMnVrYnJ4UkpWMERmZFUKa45EvUqkvjaL85xh3gyxTeJ02IxPJf9a
            TGjAvpjBrym9v++OrHn2otw1NOeZwSP1hmSCc+sa6/0yFqcU031xjQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-04-01T10:29:47Z"
    mac: ENC[AES256_GCM,data:VmYotoR4BJJv2mZ+kt+NNn+oXLKWHed0o/TkJO93/4eLUm8Wg9SPMA1ZYYe9YRfgbIhYxPlQbPPKQBv95XeOS1FFL24VyenTTP3TXWroeXxOWubko/Fp88U3glJXs5jfL5DLYKvGwTXG3tchFDwH9m6QOABX+aRxvNBEP5zXUxs=,iv:HMzuvl8YCPj9ZA5tKfExQfSbvwu4IEHz6sMLAe8g7vo=,tag:lI2fh1b7prHsBS8Snrbdtw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.0
--- a/values/badhouseplants/org-badhouseplants/app-vaultwarden/values.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-vaultwarden/values.yaml
@ -1,63 +0,0 @@
 shortcuts:
  hostname: vaultwarden.badhouseplants.net
 base:
  workload:
    kind: Deployment
    strategy:
      type: RollingUpdate
    containers:
      vaultwarden:
        envFrom:
          raw:
            - secretRef:
                name: app-vaultwarden-db-creds-17
 ingress:
  main:
    class: traefik
    metadata:
      annotations:
        kubernetes.io/ingress.class: traefik
        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
        kubernetes.io/tls-acme: "true"
        kubernetes.io/ingress.allow-http: "false"
        kubernetes.io/ingress.global-static-ip-name: ""
        cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
 config:
  env:
    main:
      enabled: true
      sensitive: false
      data:
        SMTP_HOST: stalwart.badhouseplants.net
        SMTP_SECURITY: "starttls"
        SMTP_PORT: 587
        SMTP_FROM: bot@badhouseplants.net
        SMTP_FROM_NAME: Vault Warden
        SMTP_AUTH_MECHANISM: "Plain"
        SMTP_ACCEPT_INVALID_HOSTNAMES: "false"
        SMTP_ACCEPT_INVALID_CERTS: "false"
        SMTP_DEBUG: false
        DOMAIN: "{{ .Values.shortcuts.hostname }}"
        LOG_FILE: /app/logs/log.txt
 extra:
  templates:
    - |-
      apiVersion: kinda.rocks/v1beta1
      kind: Database
      metadata:
        name: "{{ .Release.Name }}-postgres17"
      spec:
        secretName: "{{ .Release.Name  }}-db-creds-17"
        instance: postgres17
        deletionProtected: true
        backup:
          enable: false
          cron: 0 0 * * *
        credentials:
          templates:
            - name: DATABASE_URL
              template: "{{ `{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}` }}"
              secret: true
--- a/values/badhouseplants/pipelines/renovate-github/secrets.yaml
+++ b/values/badhouseplants/pipelines/renovate-github/secrets.yaml
@ -1,17 +0,0 @@
 secrets:
    RENOVATE_TOKEN: ENC[AES256_GCM,data:ohd4EhTlhRpQ+IXVf1Nb73+h0VHrMZduPhkbm53s3/+HRKUZd7JepA==,iv:qtbH0lz9Li+jjWcef6JGRpbcsOGlG+e3TNHDukAK2HE=,tag:KVmari0LUGHVb61VSFtgXw==,type:str]
 sops:
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TGozODRjVzQvdzlvSE5s
            RTlReWNSWDlzUVVLVmZXV1c3dWVwUU9hbWw4CnJUL20yTFpHMUJFWTdYQ2JWUisx
            Y0djU2FhaEtVSTlRWEY3Z0RnOUhVVjAKLS0tIEZEUjhqUTRtTEo0L3haWFlRT2JS
            QTFVWU5RSTBldzBjalg1TFBDY3hGUEEKCH1rY+tGtRNGMYrfSjqXbVsrPAleVHDO
            Altiz0ceC5ODo01zwBf63vDVqjZtbIQNZ8oQ8Pjlktp3jCpL7JNK9A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-04-01T08:52:26Z"
    mac: ENC[AES256_GCM,data:6PyWgR3f7lnen5Jun04Tsw1P7rcAgTSuF+YEh0fq3r3xHvQYFGesfEO4PHLfCGYtjyyCeyzpwBUIoUHTmI5tRYjLwjwRiIu/GH75eSLOx0y0gYMl8JUeaPxSpPvElpii3XAm7vKEJhTR9QzNuzduf0Q1JdlR6TM68XM8g78zeSc=,iv:CqTrPYoLg4IgW5zTsIcmGQUg5RfK+IQmxeQIQbd6oqk=,tag:P8Je5EhAv5TqqT77nPwlHw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.1
--- a/values/badhouseplants/platform/authentik/secrets.yaml
+++ b/values/badhouseplants/platform/authentik/secrets.yaml
@ -1,19 +0,0 @@
 authentik:
    email:
        password: ENC[AES256_GCM,data:Ai0jLsHymPDXBkTC8+IG0tLeFw4=,iv:Ev0LCJQtHxwiAPwPKih0Yay9TpenoKkNizpNAN85un4=,tag:kWdMGjzyiZAMq+cyahX9hg==,type:str]
    secret_key: ENC[AES256_GCM,data:jYOrFumK2SatpvhrAtdkznNjOZfELIXVvavu0Kx+njBoOu28lFk+3A==,iv:4RL8UnBvPk5gZCuEyJZ39AFEMukOTu6QsjciNmofYOs=,tag:d87HNop+AlOB31XuKD7iDA==,type:str]
 sops:
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1WkpPcy9BM0hiVDF1Q0x2
            NTBFRnNjTk1HWktUZ0k2SjdjRE9EU1YyT1FrCk9zZDhzM0FyU2tKMmxjVXArUDdk
            eEpFaVdWWm44dG9mazBwNTRIQ0JucGcKLS0tIGhSNmRBNzVHTm5mZlAyTGdZTFpU
            a0N0TGViZnlXOEVFZkxwTWJDL2p1eWcKrhSyt4j7pjIE+GZyttCO9MC145J2V8I4
            fya4hMVEr5w/i3mibQIsHWszofnMO/pex8oYmsq0zBeBchQbt5xdCA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-05-05T13:18:25Z"
    mac: ENC[AES256_GCM,data:JHOeGn984F1Yvfn1eUqqVxnQKF7SL6yXXVvM32FvHzLKIFRlOMwAh0Qa2DTB55nRkZA4AazGM0AhyvNJ4ggX8eftpOrTvMOPReaQ//X7VRXcsJnimVuxNanj3E2wJ6J3nuVjTN4pM0FxH8zlr/DqWzIZSBXHNxOWVaJsbhqUXcs=,iv:XTKudFFEgtKfbvG31McmIyorsMwFFrPkb0YNWxTTvrg=,tag:jd3L4TSuDJxRLd33FyBc7Q==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/values/badhouseplants/platform/db-instances/secrets.yaml
+++ b/values/badhouseplants/platform/db-instances/secrets.yaml
@ -1,20 +0,0 @@
 dbinstances:
    postgres17:
        secrets:
            adminUser: ENC[AES256_GCM,data:fzNOuvTLnLk=,iv:3rZSUx1r6sPhtA6Uj5db1JUvhSNE4nzvuaRSAc3kbmo=,tag:jITuAPaPMeviG7NxptFGXw==,type:str]
            adminPassword: ENC[AES256_GCM,data:L+x7P+lbezrOYCA0+BbS3g7jJjkkuPgGJ4MuP94D,iv:xDpopUYJmm3JNYNSKQwbAR0qJ3eXZW7nGsXkVbxMna8=,tag:INlZlvAdb5nhI7qC6++DKA==,type:str]
 sops:
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NlY2WVp5UlhRZmxGVm9i
            UHM1cVZzR2QrakRiaFNxQUQ3R09GRTNrRHhrClBwUG14WTZQaklIZWZ4RmRkdW8y
            ZEN1R0tTUDdwT3ZrU0VBUGp5UUQwNUEKLS0tIFJNQnFQdFVySVkrdUIyNC9Vc1pK
            WVVMaDE3dVBvRmJCUUlsMVc1SC9GWGMKEnyXXE58x4Ni0Ze6dXray0Yk2OPJKDqm
            qZmHnVOnSZxsV4roFWqI+BSgD1mZub07tLhNWKubUJnAMQfIWtJ3vQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-05-05T13:27:36Z"
    mac: ENC[AES256_GCM,data:bJ5Jt0BUYGAEZTvY7CTiktqeuqjYmAMhEhO67Avw+HaajMcwORavi746X6eCas7+JsafkwllOKs/j3VjJ3tXsk0wti1cCliBHyz31Gxa+pGGRVDcJ3RwntWkkSCQzjft/b+2XCqB7Qa5et693rDs8c2EX9v9OCpztSeIA1ErPsI=,iv:iKo8/eku5K4t/4OKPy/Mz8XPHMuzaSFttdxZaV0X/uU=,tag:yuEhdYXC+yVMv9wKLcd36Q==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/values/badhouseplants/platform/external-dns/secrets.yaml
+++ b/values/badhouseplants/platform/external-dns/secrets.yaml
@ -1,23 +0,0 @@
 env:
    - name: ENC[AES256_GCM,data:iUkU/BNlitD6f6RQ,iv:x5aENGi0aw9gDh2a7h92DfxwQgdbacM3hHtnPVdIKWA=,tag:4vyOlP7XcC1F6pjnUieAuA==,type:str]
      value: ENC[AES256_GCM,data:cFypu5mF+ktwjNFCBcy0U/1UIt4Fc/CAtH/SngvaaBXY0yinYzaiOQ==,iv:2VQ1Cpmppkz2ylt5NMP84o+0EQkI43jz267HNRjMugg=,tag:co3LJzwxbmxT09km65MVuw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwMXNsQjEwYXdaR0Y3bktt
            UGFYS09Nc29IR0w0YmpweUtyV2pPbXFPeFJnCjZkclRSVjREanorbk5MKzJybWJI
            UDlwdlVqWGZockVVeFVrNnZlZGp1NUkKLS0tIDhnUzgxdlFWa1NicVJEUk81cXp5
            M2xvSjRrNUx5OFRqbUFpSXdyZ04xVzgKMsBwKA8dVSW9BR2jSTBxMPKevual5P8I
            V+YUcIIUAP1sFjs4jVhTduBSMI/ZSArWYIEX+dQ46oGDLcRzODm9xQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-02-16T14:21:33Z"
    mac: ENC[AES256_GCM,data:5nE5vx69ESp0HW0/uxYGp8Lq35Cjb5UpSmNkx1H4ux67K3xs3zEBSrupDuUqzrrj/WFFgTf8fIAnfu//bEUvRqtqkIOb7eTqBlQTCzdKWLMvfwhv3WnfXLljJvZZH+e430z7ayw6psfNbwm5sPr+/sPSijg31xv8x9wN8LfZqno=,iv:BKyKMqQ/eLiDspSlvMh0/I7hKb3xn2BUQhuHwrl+Pfc=,tag:is4SHDuAT2c3Ip2O5ifgWw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/platform/external-dns/values.yaml
+++ b/values/badhouseplants/platform/external-dns/values.yaml
@ -1,15 +0,0 @@
 provider:
  name: cloudflare
 domainFilters:
  - badhouseplants.net
 excludeDomains:
  - ru.badhouseplants.net
 policy: sync
 txtOwnerId: badhp
 txtPrefix: badhp-ext-dns-
 logFormat: json
 logLevel: info
 sources:
  - service
  - ingress
  - crd
--- a/values/badhouseplants/platform/minio/secrets.yaml
+++ b/values/badhouseplants/platform/minio/secrets.yaml
@ -1,50 +0,0 @@
 rootPassword: ENC[AES256_GCM,data:edKknfs0kqBVSTQ4CQUdRdKH22c=,iv:PcSajWchrPOfdPek9OP5s0nfWlFWToHTfLZ89iBZeSs=,tag:5kK4eHmNza1arao76EVHzA==,type:str]
 users:
    - accessKey: ENC[AES256_GCM,data:mjmjYJCJofI=,iv:4nN3dt4CKACC7C1/Zfn76SixKmTW4NUxDj+WWbp4DSo=,tag:4lNCTXo+isM+/crCNRtEyA==,type:str]
      secretKey: ENC[AES256_GCM,data:qkQbZVszNgwmjSvtMtNlEjVBKw==,iv:k+xYu3RFJNovJMBrNqO7QICIvkhe0niHnbGSEwaXe9s=,tag:A2j4EgUB4+3ywZMbroydUw==,type:str]
      policy: ENC[AES256_GCM,data:KOG9rF5sQtA=,iv:g+KBqLtKBmuj8saUomFjewp1/MiTqXNqxOua2rL19yc=,tag:ibsvSJsGbNuqp5Q8azpcog==,type:str]
    - accessKey: ENC[AES256_GCM,data:JvnF,iv:T2eXmfOvFInwpsHzrV4oY9vTsJkdHKvb4+UEriunGQw=,tag:MEudOOKBDi42DU+w7K8MEQ==,type:str]
      secretKey: ENC[AES256_GCM,data:NVFcExw9K2Xw5SbtvXLh3OfoGXNe0IhGmA==,iv:lW0gJ/l3v6BWGCKK/W8B/T2cWq9i6akk2gcsxqPAJpU=,tag:4hxkcaOBc8lHwkMQbzXCbg==,type:str]
      policy: ENC[AES256_GCM,data:TzNg,iv:/5IRuuS/lO0eo9dos0nNjFoar9PPYlDna5G0dezORvg=,tag:5vyT7jsmU561wFh5NXXG7w==,type:str]
    - accessKey: ENC[AES256_GCM,data:42SdqYzhNp6Q,iv:pzLnTOITSXJQ8mSNEE+H7EMpa/KO3+W2WJndRgs96Ps=,tag:fZBGTCRPvjRny9FcpvUEmg==,type:str]
      secretKey: ENC[AES256_GCM,data:J7qAgeWCk6ASt5xBqyrlRNbzQWc=,iv:KC2rpT+lZMyWCch32ycvDtCtqtEWPst/xt5KE1kfYuQ=,tag:9K/Aj54OrbC2qeRWE1bXYg==,type:str]
      policy: ENC[AES256_GCM,data:DOlqPrIkMCai,iv:q6lULKICvr74qPC/hp90E0XBOFNEs9sYZGfMkcfGZx8=,tag:grNwZst6JUXTpirYIz2XAw==,type:str]
    - accessKey: ENC[AES256_GCM,data:sy6+E6w=,iv:oHZeQp3BwjB94V/sYxqH5d2L60QMI9m4ZrbolKLRBC4=,tag:7huBXPr027Sn3agLTMd28A==,type:str]
      secretKey: ENC[AES256_GCM,data:BD4AjbQj9EEK9tKuyaD2OQ2Xrdjg0OlYpw==,iv:52AzwMOA97K40T+QbJ+0Pr4yNdNLw+yfWDEXsEWyIpM=,tag:j+CUMCoUykq05i81C8kEiw==,type:str]
      policy: ENC[AES256_GCM,data:+BUO1Qo=,iv:kH4rHe5wb0xqOfI2vBGXcyMSCzuSEOCYZ1D8P+7KcnY=,tag:l3twpA6C+gvDZv4qeevVsQ==,type:str]
    - accessKey: ENC[AES256_GCM,data:FAtE8kxRyrLC,iv:M2O1MPh1s0r1gNof/2oUybxQxDIOTR3HNfFOLyi6kPA=,tag:gf5HJZbfmn2XTutqeAo0uw==,type:str]
      secretKey: ENC[AES256_GCM,data:GV4Hrq5p1mh3chle1XrvlTpPn7EGQFy1tQ==,iv:xYTNNavejVJmtKLPS9OzFbamcZaz+eRtAn68gGddby0=,tag:HkareuwAwA7QWE6mLO4Bug==,type:str]
      policy: ENC[AES256_GCM,data:iHNhp3SM29lZ,iv:/y927HxGNOVuayMc1hl8DB/l8l5ioMXb0Fkf7RAA2qw=,tag:w0oC4RgAmYKaWq5sredNTQ==,type:str]
    - accessKey: ENC[AES256_GCM,data:u2jY6VH7W3c=,iv:vR5C1FqK5wxY2QXxKKxaaadoWqPptxtLUGsjmyq0q/E=,tag:enHvPhEd6KahnVq6KjFhQw==,type:str]
      secretKey: ENC[AES256_GCM,data:BQTRMAKezwRAtLE3jhFK71Cp,iv:M1VmxliYG0+VNuiDr++hJPe2fa/X32ZJCYAD/VDwYNU=,tag:8jIzJHhE5k7QAjm8vnlYrQ==,type:str]
      policy: ENC[AES256_GCM,data:6qgyKj01Big=,iv:wB3Adf71VPXTu668fq+yLT2gCPru6nDVqqdnh63OfCs=,tag:d5xLh1eLZEXxksg/DxfVHQ==,type:str]
 oidc:
    enabled: ENC[AES256_GCM,data:IotxfQ==,iv:vi5Fn3a7My9nyOb67zTTEzHLoFS8IsEQMcQ2i8f2Nns=,tag:/DMVcbOb0s5mZH3uuStXXQ==,type:bool]
    configUrl: ENC[AES256_GCM,data:Y7/Qzdy1RLbFgX3ynK6v8KIP5D5qKmwtRx3VCFWVJoch+q5tqHYnENgTcagkOwkHEhQY8DFcSJRrj7VwSGU6f/Rd4LrPdVboe8IRGFdaaZHXobwVooHGlCs=,iv:urkXua9hA6dVcltwwD2ZAb1ysZjU5eKegM2ifWtO5wc=,tag:zgs9I0aVVyAbuyd80ajlZQ==,type:str]
    clientId: ENC[AES256_GCM,data:aZraoow=,iv:XhlAZly8Pb4LFzt4K1XWyvdeEQnU9VEpn9jHvwdm+34=,tag:T5CvtIU6SJ/hUM69GUfSHg==,type:str]
    clientSecret: ENC[AES256_GCM,data:WtIcgBfFGvfswBTRAp8IqUV5o6HAklMs8C6Yu9xNjadqtcvuUARMeVLGddioZJZFDu9e9wrX/O9Z5nAZrPjSNLVjjlC6hZL3OhqkMYhkowD7g0lLlTcBtWrQ0gzzKzgEv3AxldHlpGvsj7xKFzrH9Og0Dpw6ysYSV2pdRT654zE=,iv:JyHrOmIhP8yf/X5cI9kLNrvPPWhtTiSqj7id2/qE9Hc=,tag:MhApKAE5DVjGihxzqQPZBQ==,type:str]
    claimName: ENC[AES256_GCM,data:Brw0M+jN,iv:V4YgI6J+QD2TnlQwBekS1PBI/Hgc0n/iIttPzNPK3eA=,tag:cDSu70i0QkVDHjoa+wKEvw==,type:str]
    redirectUri: ENC[AES256_GCM,data:Hrg/3/GLHX2vEQwSuRJi2rtFekVNN0Idtt4IQ5fHxdRzLkKiBGi7kesHfquju8Q=,iv:OMeIhw8DWKJN2RZLxv/14+nI363tLjzKniffjT5t204=,tag:AokFVHtetOF0vLMBFpvuHQ==,type:str]
    comment: ENC[AES256_GCM,data:ILnDkL8NNhKHkpZABUmpJ3nsxRY=,iv:Q6Ndcr7LzyViOKmtfX6ZSf0O5/6+ehRRn0V9Alrec7w=,tag:dxZxfUIEEMTHTHwQNHOHgg==,type:str]
    claimPrefix: ""
    scopes: ENC[AES256_GCM,data:ZP6O/NVbf67rZujeJVpgHsxjN2jtuP6rmjFB,iv:6DSLl24QqUZVD3hbd9Khxah1yEyri0FUTSVEceZTkDw=,tag:/C+y4oP7cOibwalDPzpv6w==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbVVjMlVGckdFazhPWVov
            a2NTQWU5RGlmTGFSeFZqaW04MU1rVXQ3blhBCnNwQ1daNzY3L1JPK3FCVDFETU00
            SnAxM0dNM0RlaEpJc21WamtJV0ZsNzQKLS0tIFdFK3pvemtJa1FyRnl5TnBZdjdh
            aVR2T3dIQkFOSWV5S0QzZE51RGNPYmMKGTDousxnJn8mBe4AiYSz+zApYEQVQU0e
            DQMlPYEQbmeT25G3C8XksSvEslTtPs9jwZv+mPTDXgzihxe8V6VQDQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-01T19:07:25Z"
    mac: ENC[AES256_GCM,data:4PN2B86mG1Vy4BhV3hI0ec7nBowJnz1PDgDz1SGdKIzshxkEl9tAAt4eGnT5dwndO78R+cmmpbKOdSZXecE1PAHmGyp8e4vi/Y0F8EXTTl2rXcST3Lg5ivuIswKxpNhn7ZMZaUiJMFqOJUK5liGR8vzrNhJc6oPi65LJR8XgnII=,iv:XSm8C570MqHELojSxUUHmNppEVvHX0033BOXWxP4Bhk=,tag:hwWJuHYMdZd+OH2HJG3CIw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/platform/uptime-kuma/values.yaml
+++ b/values/badhouseplants/platform/uptime-kuma/values.yaml
@ -1,20 +0,0 @@
 ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: traefik
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: ""
    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
    external-dns.alpha.kubernetes.io/ingress-hostname-source: defined-hosts-only
  hosts:
    - host: uptime.badhouseplants.net
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: uptime.badhouseplants.net
      hosts:
        - uptime.badhouseplants.net
--- a/values/badhouseplants/platform/zot/secrets.yaml
+++ b/values/badhouseplants/platform/zot/secrets.yaml
--- a/values/badhouseplants/public-xray/server-xray-public-edge/secrets.yaml
+++ b/values/badhouseplants/public-xray/server-xray-public-edge/secrets.yaml
--- a/values/badhouseplants/public-xray/server-xray-public-edge/values.yaml
+++ b/values/badhouseplants/public-xray/server-xray-public-edge/values.yaml
@ -1,302 +0,0 @@
 certificate:
  enabled: true
  certificate:
    - name: xray-public-edge.badhouseplants.net
      secretName: xray-public-edge.badhouseplants.net
      issuer:
        kind: ClusterIssuer
        name: badhouseplants-issuer-http01
      dnsNames:
        - xray-public-edge.badhouseplants.net
 workload:
  replicas: 1
  containers:
    server-xray:
      ports:
        shadowsocks-tcp: tcp
        shadowsocks-udp: udp
 traefik:
  enabled: true
  tcpRoutes:
    - name: server-xray-public-edge
      service: server-xray-public-edge-xray-https
      match: HostSNI(`*`)
      entrypoint: xray-edge
      port: 443
    - name: server-shadowsocks-public-edge-tcp
      service: server-xray-public-edge-shadowsocks-tcp
      match: HostSNI(`*`)
      entrypoint: ssocks-etcp
      port: 8443
  udpRoutes:
    - name: server-shadowsocks-public-edge-udp
      service: server-xray-public-edge-shadowsocks-udp
      match: HostSNI(`*`)
      entrypoint: ssocks-eudp
      port: 8443
 shortcuts:
  hostname: xray-public-edge.badhouseplants.net
 ingress:
  main:
    enabled: true
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      kubernetes.io/ingress.class: traefik
      kubernetes.io/ingress.global-static-ip-name: ""
      kubernetes.io/tls-acme: "true"
      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
 extraVolumes:
  certs:
    secret:
      secretName: xray-public-edge.badhouseplants.net
 service:
  shadowsocks-tcp:
    enabled: true
    type: ClusterIP
    ports:
      tcp:
        port: 8443
        targetPort: 8443
        protocol: TCP
  shadowsocks-udp:
    enabled: true
    type: ClusterIP
    ports:
      udp:
        port: 8443
        targetPort: 8443
        protocol: UDP
 ext-cilium:
  enabled: true
  ciliumNetworkPolicies:
    - name: xray-public
      endpointSelectors:
        app.kubernetes.io/instance: server-xray-public-edge
        app.kubernetes.io/name: server-xray
      egress:
        - toEntities:
            - cluster
        - toPorts:
            - ports:
                - port: "53"
                  protocol: ANY
        - toEntities:
            - world
      egressDeny:
        - toEntities:
            - cluster
        - toCIDR:
            - 93.158.213.92/32
            - 93.158.213.92/32
            - 185.243.218.213/32
            - 91.216.110.53/32
            - 23.157.120.14/32
            - 94.243.222.100/32
            - 208.83.20.20/32
            - 156.234.201.18/32
            - 209.141.59.16/32
            - 34.89.51.235/32
            - 109.201.134.183/32
            - 83.102.180.21/32
            - 185.230.4.150/32
            - 45.9.60.30/32
            - 5.181.156.41/32
            - 156.234.201.18/32
            - 34.89.51.235/32
            - 83.6.102.25/32
            - 51.222.82.36/32
            - 125.227.79.123/32
            - 193.42.111.57/32
            - 135.125.202.143/32
            - 176.56.7.44/32
            - 185.87.45.163/32
            - 181.214.58.63/32
            - 143.198.64.177/32
            - 5.255.124.190/32
            - 52.58.128.163/32
            - 15.204.57.168/32
            - 34.94.76.146/32
            - 211.23.142.127/32
            - 64.23.195.62/32
            - 23.153.248.83/32
            - 82.156.24.219/32
            - 37.235.176.37/32
            - 176.123.1.180/32
            - 35.227.59.57/32
            - 62.210.114.129/32
            - 185.216.179.62/32
            - 34.94.76.146/32
            - 121.199.16.229/32
            - 23.163.56.66/32
            - 176.99.7.59/32
            - 207.241.231.226/32
            - 207.241.226.111/32
            - 27.151.84.136/32
            - 104.244.77.14/32
            - 5.102.159.190/32
            - 184.61.17.58/32
            - 125.227.79.123/32
            - 181.214.58.63/32
            - 95.217.167.10/32
            - 159.148.57.222/32
            - 15.204.57.168/32
            - 211.23.142.127/32
            - 34.94.76.146/32
            - 187.56.163.73/32
            - 109.71.253.37/32
            - 5.182.86.242/32
            - 104.244.77.14/32
            - 190.146.242.81/32
            - 89.110.76.229/32
            - 138.124.183.78/32
            - 209.126.11.233/32
            - 167.99.185.219/32
            - 37.59.48.81/32
            - 27.151.84.136/32
            - 142.132.183.104/32
            - 193.53.126.151/32
            - 74.48.17.122/32
            - 93.158.213.92/32
            - 156.234.201.18/32
            - 35.227.59.57/32
            - 34.89.51.235/32
            - 34.94.76.146/32
            - 184.61.17.58/32
            - 125.227.79.123/32
            - 104.21.58.176/32
            - 172.67.162.102/32
            - 181.214.58.63/32
            - 93.185.165.29/32
            - 95.217.167.10/32
            - 159.148.57.222/32
            - 15.204.57.168/32
            - 211.75.210.220/32
            - 125.227.79.123/32
            - 211.23.142.127/32
            - 172.67.165.72/32
            - 104.21.57.182/32
            - 35.227.59.57/32
            - 34.89.51.235/32
            - 34.94.76.146/32
            - 187.56.163.73/32
            - 109.71.253.37/32
            - 5.182.86.242/32
            - 104.244.77.14/32
            - 193.53.126.151/32
            - 104.19.22.31/32
            - 104.19.22.22/32
            - 104.19.22.27/32
            - 104.19.22.23/32
            - 104.19.22.30/32
            - 104.19.22.24/32
            - 104.19.22.26/32
            - 104.19.22.29/32
            - 104.19.22.32/32
            - 104.19.22.28/32
            - 104.19.22.25/32
            - 74.48.17.122/32
            - 184.61.17.58/32
            - 104.21.62.230/32
            - 172.67.139.235/32
            - 172.67.135.244/32
            - 104.21.26.114/32
            - 104.21.72.244/32
            - 172.67.136.175/32
            - 172.67.183.130/32
            - 104.21.64.112/32
            - 104.26.10.105/32
            - 104.26.11.105/32
            - 172.67.70.119/32
            - 172.67.144.128/32
            - 104.21.71.114/32
            - 172.67.161.130/32
            - 104.21.65.89/32
            - 172.67.156.75/32
            - 104.21.40.186/32
            - 65.21.91.32/32
            - 184.61.17.58/32
            - 104.21.82.111/32
            - 172.67.200.173/32
            - 104.21.13.129/32
            - 172.67.200.14/32
            - 104.21.89.147/32
            - 172.67.160.224/32
            - 172.67.139.235/32
            - 104.21.62.230/32
            - 93.158.213.92/32
            - 185.243.218.213/32
            - 91.216.110.53/32
            - 23.157.120.14/32
            - 94.243.222.100/32
            - 208.83.20.20/32
            - 156.234.201.18/32
            - 209.141.59.16/32
            - 34.94.76.146/32
            - 35.227.59.57/32
            - 34.89.51.235/32
            - 109.201.134.183/32
            - 83.102.180.21/32
            - 185.230.4.150/32
            - 45.9.60.30/32
            - 5.181.156.41/32
            - 83.6.102.25/32
            - 54.39.48.3/32
            - 51.222.82.36/32
            - 125.227.79.123/32
            - 193.42.111.57/32
            - 135.125.202.143/32
            - 176.56.7.44/32
            - 185.87.45.163/32
            - 93.185.165.29/32
            - 181.214.58.63/32
            - 143.198.64.177/32
            - 5.255.124.190/32
            - 52.58.128.163/32
            - 15.204.57.168/32
            - 35.227.59.57/32
            - 34.89.51.235/32
            - 34.94.76.146/32
            - 211.23.142.127/32
            - 211.75.210.220/32
            - 125.227.79.123/32
            - 64.23.195.62/32
            - 51.81.222.188/32
            - 23.153.248.83/32
            - 82.156.24.219/32
            - 37.235.176.37/32
            - 51.15.41.46/32
            - 176.123.1.180/32
            - 104.244.77.87/32
            - 34.94.76.146/32
            - 34.89.51.235/32
            - 35.227.59.57/32
            - 62.210.114.129/32
            - 185.216.179.62/32
            - 34.94.76.146/32
            - 34.89.51.235/32
            - 35.227.59.57/32
            - 121.199.16.229/32
            - 35.227.59.57/32
            - 34.89.51.235/32
            - 34.94.76.146/32
            - 23.163.56.66/32
            - 176.99.7.59/32
            - 207.241.231.226/32
            - 207.241.226.111/32
            - 27.151.84.136/32
            - 51.159.54.68/32
            - 104.244.77.14/32
            - 5.102.159.190/32
            - 190.146.242.81/32
            - 89.110.76.229/32
            - 89.47.160.50/32
            - 138.124.183.78/32
            - 209.126.11.233/32
            - 167.99.185.219/32
            - 27.151.84.136/32
            - 37.59.48.81/32
            - 27.151.84.136/32
            - 142.132.183.104/32
            - 159.148.57.222/32
            - 159.148.57.222/32
--- a/values/badhouseplants/public-xray/server-xray-public/secrets.yaml
+++ b/values/badhouseplants/public-xray/server-xray-public/secrets.yaml
--- a/values/badhouseplants/registry/cluster-mirror/secrets.yaml
+++ b/values/badhouseplants/registry/cluster-mirror/secrets.yaml
@ -1,22 +0,0 @@
 authHeader: ENC[AES256_GCM,data:BWmu4bpFjlIDStIcWfpsgbm1hfxlvZAK9LabhXuAdArJzflc4VA+Dy5fJRAMu9Mv,iv:+rwtfnjJCZKPmdcUkTfklq19uSgavOKaySK/O/xd2PE=,tag:3yXa+0LbIqMDk6KLWAAN0Q==,type:str]
 _mirror_password: ENC[AES256_GCM,data:0aa6fqR3+0ZY5KhRKJa0SKBcBnF/KizHXTIm2NQB,iv:DUB8ItYbT+K31XLbWzi5909RPVn9DG9HRDU120VxbdY=,tag:DniRwku2rQX44ffMn4mU6Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsQ0U5L01iNFo5Y0t5SFo2
            MXlwVDhQZ2R5QnVlUndmQ0x5L2ppU1h6aEVZCmhaUW1JY0RDMEM0T1JkZkk3TGVD
            R0JjaEN0MGxVV1RIZUxkbjgzMTlTMmsKLS0tIFdDNW8xaWsxamFvUGRFaVZsVUV4
            S3ZiYTJGOUFzZlNwSUZvNGtmSFNpczQK/npaHLqHSxMnCXNvDFw0eB9KfMJ7bWfV
            ZuteeaXG+eZNX4l1ZY1pLNUv9kui4oXI8payp7sTZJI6WYZCQz6Oaw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-27T20:50:16Z"
    mac: ENC[AES256_GCM,data:XtX4NUZ9PCdAFckdlygywFQ8vJRAszOjqPItr0MNRM0ndk/PkYYGzY0phMan7FgxY3Cz5XMJcv/MEogLedM+uH5vMbsOpRY49jpILMORL3Ni1tZFG5Px5NbfExGQmjFyefotRzCHlsUSTZEHlBIp4+FeBI41CgBbLw45rEoneL8=,iv:Ilk7TXqKSSV5WYnptLRaOk/lwwHHLesbSslOCarlVEA=,tag:vWXe+r3tHXoMtWYeJN9T0g==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/values/badhouseplants/secrets.argocd.yaml
+++ b/values/badhouseplants/secrets.argocd.yaml
@ -0,0 +1,26 @@
 configs:
  cm:
    dex.config: ENC[AES256_GCM,data:bSlWRFGEJG2minUCqhi822rrOd/oiYtiiH6+qN58W1ZgWED8Fk2v6BfH4oIircNOKi57SDl/LU9L6ZtjN4rE1WApRUrffdvfVEz9n6wSfz3IZAzr0X4QXqqybpsj0M02yJYYmu/BQn2HBI6mCuARZRo9XN14+qamF59fg+/uPYQ0ZYPemgU0xPaCKBt2YAPLZEJdxOi1lBTFSNnJ1bLSC5aaW3/C4RqRIwAlEn0EEoimiBXaVSiCvqEqgvtTFjq8PCu+zmZ9wy1Kw/BvfLDXIRNZzR3uV/8TnUy2+joU5wlYKHNUxehE/tIn9T1hOoFKKmBbVKHs6Wh8Nwo5iIy0x0EatZP/5KrgRZPc7ZF03ZlGjOKk6Ap5AvhWQgO9JFJ94dgCdmk9gzCuuHjiZh9qat7alkFBnEYsOrprEvLkpavxFj9om3pY61Qg/i9fk9gFtxoM7yTaxHTuIUsXpto+/ofviFPTm7dgrIMPbERJYaN7ETcrHglJPp/zizQkaKNspOcBCMkAnFCaVn257/an7iLhm7orcdDt7nVLGlCQyq4GBEdy5+x4JVIF9H27R2d9774TTHrFYWo68pDndrT5OCviZebuVqPj0W9LASkUcIwB2mPj6Gi3OBAuQLX48f5s9uGLfNh4UXdz4Rp6zKJJ0IImly7ut5yglrwFxDpXcLoku8/lyEeQlkOADP3+bBcpB36rBLm9gZ77CjHMNsu2zCNx3pMu6W2GAWJbv7FysAMASHfikhaCDx6oxlJdaGnYk8LJeWhSLERsP2qwkSEDr42A4YRsmsvkKohcZy4Ub3xQWE3dwTrc6vr8wJ8Sqj0cK8y7RaM79SulBJ8WExg6nzvZRfOcp8I=,iv:/xI16L5fvHC2IPAsEpg5QR4vz7Tnjlnl0C7cEDSSnek=,tag:5XLlpaauuQQuy3SrPdYZNw==,type:str]
  credentialTemplates:
    ssh-creds:
      sshPrivateKey: ENC[AES256_GCM,data:iIxxWhxfKhcHoTOfECWhOP+725xbUWIlq+cIoehrxMBP6XfHvxZpN3tQegeH5geYlbYWy5/kvJ5aLWVPEtWy19GjwoGk0ozS5l3AufIroWm3W/zkD+bcCgG+4wKTI6YQq0KVQDYY2ZMyxFnKLPXWdKDJSIS0y0dQB8G9fQeANUvtozXAcMpLfoAPKEUpZQhY5e3vMut3lUDF12u3S0kWJJF8xTjTNjmR0IrLWILc8TH5EKTHrLGfFB8M+T3P8+zatIFE9w+RInp1t0yU+OHFWeu0WSt+tLOc+DBTQhdugKd62nnmRAav/O3DJqCVGe7/JP6ZwGdHw8f/zEf+FnDJq6I8LnHQl35KGYH8FftzA0uG5UCoXPkTz69HRa2gDsuY4YSuAoWkDIFIrf85hfC+pl//1McjIExkY2fW+t4FWWZSoCAGRzQymXetDh6KColRGNMk1LOjUXFTV+AHB8rm7ZQ4+mGw5IVdBLE/TcmmHOyQq9fHQaUZMvj/9/p2DIS39rQbRRplR9JJIA7OrlwZUZLuLxXshUjP3hB8TJHXdo1eJWEWB8XaCwOX8mI4xVa+tVC4GazHvpvhOxWAgBhG/Ba6eXSFY+bQz6tySg3WEESEZ+ihC20AjAn1kFKQz55vxI9/NLcUw++LmwV5f0f0Qk91HLkQR16/P6h8ce71P8knhDP5gDBVuPHM94NJ3TW9klzfhMFwNZXwtEqwiTUBSbYwzYs5AMwLhYjLDHrWodulmVFfhw6qCekDkMup/PPim/Khk/6yZPDW/Re4MNpRWsfM+AT5SomhRBf3VFI0PRyXaPHXNU62OwjCs6+Z0SBjdx357qt8q3G35eF1Ido79U5W7YtPN8V/lgNJxGCZsOgX6+Mgq1JIlrHkU//emgRXVQnAtQDr9SGf9NR4L4qwzGpdbhzYNlQ3756ycdjFZ+itaBP6vaq2Eszj6EzTODunMonFWCAyxlgeAMXpQAhlJVvu02cdipK6mkwC++nPqCknCnLEKJNHKEBlzcmJ7Bg09HiS4IXkXryEQ+BU0YLJWDIDTVFRG8tleATDJ6uFhBoryS52SVbfXPK88SGL1bAFdtvNXF4bsefQC3gI/pBKW4gS5EyCr11joocAsHX+CIe54K+UQdGF3cvIAjwbBRDjzW8+JTnZWdb0z5joWi2pQGpg9aB6XddBww5VJhRoiOOJrc+RKzg4WMwNDm1Th8QaTrAHpO+ILiDFXTviexk+Ggg9m0MpqKX25EHQVmjL68D03lyJ99xlU7Ee9Uvk5DeamPpdvuwWTSm6NUrJ1LeKt1Sw7wIAwbVan45G7yRahIH/+BJPm6byMAyB109jTJdfEqzNgowN4rJXd+1g7K6+jMCbgv0pA3aqHLbWZt0n1ZCA4BztwxuT3zvzXZnLpe0HJeauZls49YEGhvWpcxXDRNoZ5nXKZ94K0hbaLVzpx1mWp0lGxSTlGFyBQVhhAKF0MClVuyGVLRuuYCHcPdx521pK4qeEQo3gr6XTM4H3fkqhKsxsJVx43gjtj8bhEmlScHX839+D8rlVYQZwupSmSCYfnUnk9Izm5hcEGkpzemribmv/pD7Lqu72TbqpI7dj4GKFjfeG8gIwKlqHhBY64YBeYGVRjJrxYIQBkLswA5yrIeu9UZJMF4uc2s90sYye8jrI6FNV4C5EhD2HDUGOvjDwgIlV6RyDJCuPeuR6Qm6OO9NMby9Xi5xQdg/tGtkghTQzgRUGMW+bpurr1IplYpJfY8mQBz38ibvKp6Xjl7bTlc8IUanugG9HKETiXhNDDQVhhfZrsfwIwx6ejCNombMrMlV3k9ZSvKyvg/dpUQPxayKMolE11b2mA71dkNUVt0LjhjIO2PA1Das5PRAqu6QBevXSoBSb2A5VLok2BtqZo4kKhboL8vl2FcJO9lGB3ZuxQaNX7c30H4n57Ri/JgXG22L1IJMfAvw4e1HlLvop0sgoGkz0Ngz+U2VzPRMuUwPjKTUSN/tq4FpXvUCA5g/YmNhCnDH/LGTJsN26zEjqjYvALtTprmFqSN1I+8QM3ZA3ZaE+EcquhD4CNfcN1kvkz/4Yv+9sQym2fqbLGKzSSEXKVtnJnIlttfiDD/4wU3ARDqnzwWq+SJe3aEnnz05i13m5TGdQV1QQ3NwHIpk0leRIu9X9afvR/uInjkSNKhB00JWPhYzp7htnFo0uVvqHGBKRuK2KQOnANjaQweesoIHM+bj/v1ryr/i6Owf8D+Go5ESMPVTUD6xVTvdkE2gn+DN6mYZH3G2vIjbze5PNJ1GA11Mzhekh+1QxyBpbHPlDaaVzF+sEyCPdnvlAYZ4bycae2eIrToxmSv1EBTmBRJEq42RcC16xB9I+uxBFEJFM0A8lVOW/7J4qbMfyYb7+naptsNN3wgPg5E2iQI6kLLAy1cDtkbDLhczm4w9sz+4SRLcAt0jXMx8422BjxuuwEApyyVjTwtzL3p0z1fCNlBBfwOBlUfTR42Z04Q6XnQFmCUMaL9ZZQHHjVYlQTvY/61eLcADFxu77Y1pYh8NP6jJyuAynJmy6IRMMoYw1mhvZWxnqxgyvPZQ6a952yd24GArB8YRTcKM1d6cbVTvyOrHns+rNeviwqb2c1446/mdUvHurYfnxbc/NTzNTaKWnwRMcnPRkpqbH0XkIAooQLKgmTvDs4IdK89Ja5iHu408TMZUgNkXqCjJ7WsZQZ2I3ogZPdMCxpZdcRNhcS98Sf6BlF3zxbBtLSc5Jv5buXPYYOFGrDJa09LG6YEU4Sk1P62Sm1KtR8XgaKWbx+jXQSbgBKavGC8Wh1C0OHVlJzDirskjSs6Unr2lUpyp75IaGDaWin1we3J+kxfpFKZDBh147Bf9XoTXVvi/GtSMYGmv77r7kZHuNTriXlW+lrak6wnATo9+Bi4bT3B6KurTcEROM2RC+fnG8Az9eUOSg/SUtaV3swmN6g/9DfeYCZY06zpXpmDV1Ib3hexidrnu5FvQcUofr/FzwP+Md2KZ3rapDXcFxRGG1Pggf/N3bXpGkHJXkeAghWXn6UWObrssbcCEsTKBI9vnioP0a62tObwrLKJQMvEZDm6WDGcFmZIWmpHAXakpxdGiqqOe/NMJAneGZWTdLYFs5OUKiMVAf4UUCdM/j4W2i/h1uluqJvRlZxOsM1XK0tj3KMveWqVsJeT8MK6QESLVa7o03ZVvv92KBamNy/16N66U4imzo+23FKPJupPnaMuhYCt5nVK+2DerhtismXBrWKyIPpoAW/8L9KXPW/UzMuClDSZ7Uo2e5pZ3PTHH+EBpjbCQj1veIskTXog2KFbv0bgiXzX3oWrmlFh1D9pwg752V9ZSGOP/eZdQ/cxdOURhu+ZWPG7WgxyyX/ZVh1aZRaBRuw5FAsqhZtjhkqiWtUHznaBRgn55poux+GFkN7XxHxO7idum6ecPLF6xPNyqkvPm5lUNdfml6qP6tQfO0uQ==,iv:cswd5iTvERSH5JQUz6IT7U9+agzsS3PheG4Md71hSrY=,tag:QeBr865/eWBrZtcrE3QRYQ==,type:str]
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlOVJweE5UeUlhUkNId0w2
        a1kwM1dsWjJtZUt1QmNTZmlJNHkxRHdwaFhjCnoySGZDYUVJdzNGYUNyRnRKOXIr
        SktxNlNBbmRDRXdZTDFFRnRnSVpwNXcKLS0tIHJaOUwya0pqRlBRVFZvaERjQk5N
        aWVQUFo3bDJpK1R6SEJpMVdmWks1dkkK50KPI/hji2aJ1CLYqtxU87oE2tsBcl+I
        d+Vs4aKRjY/mpdO7NWhmeguH1boGhMaKpZlSV+TZGBtEsl7RQ6mbtQ==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-10-14T08:08:21Z"
  mac: ENC[AES256_GCM,data:pRtlf2AnmG9ztZyXwbxR2foagCMBX8BwfhLrsoLeEpSyFLbNMKIGKMSZKaJ3r9IU7gErXh4KoUGXcg31LB80B1G+YFlICvxmlXX0MB3MmedzTi6I6N7ydFse11n3WF/XaRUhpZVE9sCyZgNxgyuhf0LTnS0FU7tauVgAERAazYE=,iv:zwojdj+/HIglNNdS/lYokVqiAvH0pTZIk5jK20oiA7c=,tag:rRi0uEIP8ag/45cv8/4FYg==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.1
--- a/values/badhouseplants/secrets.authentik.yaml
+++ b/values/badhouseplants/secrets.authentik.yaml
@ -0,0 +1,24 @@
 authentik:
  email:
    password: ENC[AES256_GCM,data:OtaK90UmvOkSjHYe/37W5aSlZo0=,iv:WQR0YIz4U5QIxc7YSQ2JZRLnA3ZF0JouZtnggTW674g=,tag:Us163wc95RbiN8XdXogt3g==,type:str]
  secret_key: ENC[AES256_GCM,data:/6gM3ZUb6mIYaJO2CyCuVxLFOxdogTMbKb4c3HYXpvxZIqoFt0t9fHY+XU/mC0OGue4=,iv:TfGI7jXixrI/YBp++AFHz+rCliuo6zhbgXeMviw7rHY=,tag:G52eT7OlxDub1pL27LWHKw==,type:str]
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwNG9RVzltVnZraWNnTW1q
        aUIvWDNWcEovWC9yWU5OdmxjamFyREgwSFhvCjNwM3FLNmZUV0tHK25tNDRsNGpn
        UTZDUFIrVmQyRUNZa3d4R2NpbFZqM2cKLS0tIFVoMnBtSUNRd1VHVmx2RXVvdDN2
        UzFDZDRJRzV6cUVpY0NNWmR5aU9qRlkK6dudxILhTOjvNi2Pwo5jg13GqRG52igd
        3yXhaIzRp+fcgAXMlTTTwe2jBNRYCv84+wLvV2NkfHyPeE0t9Wh/ow==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-10-14T08:08:22Z"
  mac: ENC[AES256_GCM,data:qHD7CYM7sFBiJtGADcFeBHSFlmvEZaEVRGXTr02Tk+uLGWn9lP5CuOX1sU4x3Gd8nilwZy0fRAL523HDLvYQBPwsi26Vbp6OgZ9shjp5CvrQMUTg1qRCfjWAw66Y5NHHUJrrYc0sOPlTWXxRyU1Xk9aMvtRQi1ooum9wF3vhuoA=,iv:ADzHjgi72Ureve1CxQhkySvLZ07//Q1oBMKpvgXfNy4=,tag:RAIEupIsOviKYlQJO/rgsg==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.1
--- a/values/badhouseplants/secrets.db-instances.yaml
+++ b/values/badhouseplants/secrets.db-instances.yaml
@ -0,0 +1,29 @@
 dbinstances:
    postgres16:
        secrets:
            adminUser: ENC[AES256_GCM,data:uuu/xvwJkHk=,iv:Pk+i8bf7AeeG9wKVh1RDJy7Dt3r5b1UKy4SJijlZfq0=,tag:QO3gwYXAG0sBBuHcKfTNQg==,type:str]
            adminPassword: ENC[AES256_GCM,data:tjWATjuJT+C97D4TLQgk55BZOwVv,iv:1MWYtksmrEBQtOdGvtc6MZyLP4yBKA88eIpQ4mZCULM=,tag:3hOlT5n2Wd81ebxeEgW5tw==,type:str]
    postgres17:
        secrets:
            adminUser: ENC[AES256_GCM,data:4w2EItIM++Q=,iv:cQLryeBskm2Y9OlbMFgQEWEBi7z/VxucLWbwZXsRtto=,tag:Ir2Q7KZv/sSDdA1MX/Niqw==,type:str]
            adminPassword: ENC[AES256_GCM,data:wHUL2p8CXYwoEFu3ffCCsQO9xn/GqOZ6JPrcHKzy,iv:khoogPPFHSd+4xyp+jf1w0RfOUgrKzAmFjLnisQ8HXU=,tag:GRnkCQ0uOlUt2AiEAceFRQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuL1lwdVNHMm9nZHRld2lO
            Rm4xVnVHWG9hNDc1cUVyakxzUU1PcFJhalM4CkNicEdUV2lEYWMwaWNqeGcrQ2p1
            Qmw1b1FzRllqYW85bjF0cmRGcW1MbjQKLS0tIENUcG1oOXFNV3REaFU0aUEyd2k4
            RDgzRmlKT1ArblpOV1plcFpyMnJXZTQKgm8Eaw591+EHZWofXAADTXRHPOdOvdOM
            jYne1szB/V9UJz+pmLa10tNgruga+P5yP/j+DGcYrTj0pVh5IJLjTA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-10-30T19:59:46Z"
    mac: ENC[AES256_GCM,data:3KrwiArDx/bPAHbFGgb9BdDVHC+uC1IHp4LZXlYRZzWSKtX1t+ODQVzUW97kigGFG1sx6WXddl/w3XeNOoT9JbS5iPXJQe6KAPleNV50S/oab+U53WeloO8uL68Wrk9v/NwMhCKwE9cCqBBhqk7wCb6N9ivt45mLrUf06L8fok0=,iv:bOWhyIm8FhKtZAZH/78bukkeDp5P4XShSD20mgr4Neo=,tag:RZMx9bi+ZEcLwTzk+Gm8RQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/values/badhouseplants/secrets.external-dns.yaml
+++ b/values/badhouseplants/secrets.external-dns.yaml
@ -0,0 +1,23 @@
 env:
  - name: ENC[AES256_GCM,data:RLLp8toAkoWLWRjp,iv:UUP3i5QkNBw/pgYmxHtRUDx0E6i42e/Ioh1z6WnLESk=,tag:+PEinrzkisEQx5gVCpdJ3g==,type:str]
    value: ENC[AES256_GCM,data:RKiCvUOctYha7fusMWNrOKHPgmMMjuejDCip470QMHQcxY1S+yJfXA==,iv:ESfZNZimJkD5T4tzRPMu53H+ushbhOuXaOdX73MaWV0=,tag:F516VFRCw6k589vClX8Jfw==,type:str]
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3eE5LTURCa1pyRjBocVpP
        ZGxXMUZkUC9XK0xNb2duRnJiOHNzNGp0YXdrCkNvNWMvYWkyTHhQU1ZZeng2bmlz
        bGRrd3p2dmx6MjBuc0lYakhMNERMOVUKLS0tIGpsRHcxdUFtTHlXVGZLTEZ0c0ov
        b0RMSlFCM250MXJHbWhRTWtGbkxHc0kKpyzba8yp0xN1KjcUACcmlznH9vQtYAsL
        3bm7Cw2AZO7nkdCxky/ITd8N3rbqAVGeM2CeTAxpcMbEXKq66/yqDA==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-10-15T15:21:16Z"
  mac: ENC[AES256_GCM,data:aIXlmeiqaFu9Jn0zI1qyU3iAkhLKgqMwwLcLDlr+LeYX/88cZtzgP683jW3MYC/LxnNh4LG7v8EK/HViNnCkrvZ5iC9cibRPQYZJrkR3B3oGk4L+RxPws2VUa72pJsG0bQ8M2DDCoDO2T9OuuflqYENPLyYLL7D7CaeSj9w8G0A=,iv:EDaGmWFUnzp0vkIeR1J8iZ9+PjOMuRi4YltoqJAN0P0=,tag:DsSd6Nplvy0nIWaCJgnhgg==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.1
--- a/values/badhouseplants/secrets.funkwhale.yaml
+++ b/values/badhouseplants/secrets.funkwhale.yaml
@ -0,0 +1,27 @@
 djangoSecret: ENC[AES256_GCM,data:RSajXXpFcUmxBOpT48A=,iv:lIzUF8cgbKVMCOY5G/A4mpaviYwwLRvePj3lrhycLZ8=,tag:OSfyKAXCTHOssx+KkL4+ZA==,type:str]
 postgresql:
  auth:
    password: ENC[AES256_GCM,data:dFSSGPS1shNnJlxGIh9o9zfNVZsKp9Wv8A==,iv:lYxEpS+w+oTW07DPohyZ59UbcFKKtD6r2oSRSS3mw+s=,tag:uqLqzIoE43uS5y9UYVGDJg==,type:str]
 redis:
  auth:
    password: ENC[AES256_GCM,data:hR3tXeU05nfd7IeLvjOR2N1dieai0IFQ9kheuCOJ,iv:2j2oAemd8k5zP3zHTAmIQEQHlU+8VKQ0DqpEXoBBJX0=,tag:gjMJ4z0MCxgYpeEeA9NFPw==,type:str]
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMc2xxZ1o2Q1RsT2ExNklq
        ajZZT0lxczBHTnRNcmNBc2RONk96ZkVZOTJBCm1YbUJ1bG1WTnJJVGJSbXI1cEc2
        bCtSM3lwd3lvNFhlZi9wZ1JyUklFK2sKLS0tIDB5RTBNTjhSeFYrUVZjS0xzZXlS
        VmNCRVhmMHZ0aVZXbURWVjZUVnlFck0KA/pMAwMDx3QsT0iF6u9AOoXnGyEIqtc1
        5iUW96UPhXIK+OyPqCt+07HaAZzavUT/zFSqPdJ3avvY1k3EHMfzBQ==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-10-14T08:08:21Z"
  mac: ENC[AES256_GCM,data:kAj/KI4QQnDM4Ya/JQQ1QvjbEpHDkp3gAgtgBjjhyY6khSIlcZpG74YNfpD01dHQqk5/KTF9mKi6P68CKubTKQTF7a7qriwNmHcjg7IShJtSYWmzPCu1PIR2jAQTxCa0ETFbsQ14rhKbxpUeXvTvkx5wuRazXKFIwSjBddpO0b0=,iv:H1GmBgpEoHuMa1XdnmEW5jYP/FZyDty/ul3XSbZ2oEQ=,tag:NSaxPq5/dNizE6o7odoUMg==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.1
--- a/values/badhouseplants/secrets.gitea.yaml
+++ b/values/badhouseplants/secrets.gitea.yaml
@ -0,0 +1,50 @@
 gitea:
  admin:
    username: ENC[AES256_GCM,data:1yKnMnzbHno=,iv:AWqprQPRloJhZEtyhF8+5dgxyHXtK+2HLxHa+gU+Aw0=,tag:Irk65xjOWgFBfPUJGVcQcg==,type:str]
    password: ENC[AES256_GCM,data:8hbWwHlNyxzNe6PCYJ2w5b8oUi0=,iv:GtkHDZFUzk9rVh7ASmk+Qb/litPD5QX38hWLR24pgSU=,tag:bmdNTBDt2Mrxp1cVXmJwcQ==,type:str]
  config:
    storage:
      MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:tLHwP5ZsoxKnaG38hNNXvXoy4PTuxlUT3w==,iv:bR0eL0MHOdT3CnsQrjdlEfwCEye41/ts/vsQf3ju1cU=,tag:XxpkrS88muDolMcB0r9rWg==,type:str]
    mailer:
      PASSWD: ENC[AES256_GCM,data:tw+vJSoedon/a3VhXkcpupumdbBnyMbSzQ==,iv:xoxIm855BhNsNfq+5L33yIDFKx8igNuEV71IDt0WNzQ=,tag:i9FJe0x4PqaMb/SBN0yXCg==,type:str]
    database:
      PASSWD: ENC[AES256_GCM,data:pB7YPucwcXwD9fzJsckZshz7ZLM=,iv:23k90tX465WltrQwSyx8Hixe2hnya/dx6aIvr3ti1wA=,tag:NvgN1g181yCBu5Mf7uYmGQ==,type:str]
    session:
      PROVIDER_CONFIG: ENC[AES256_GCM,data:Ipcta9fyfGCygYqpisgiy0rCckP5Ma5bNs2ClFNn0lnm1LQOJDdDLiQDr5u9L/WG6Bs2WhHbeSrdjxyZdCKv9pd1CfmB7S9eNcp2w+4hhofwUVcKW89rj9HYEHSLuY8C4Y5KbJKKl6PkY/JmTzyVSpSMDHYadf3j,iv:YsMR3zwZODENuy+WvKy8AdByKTuI7ng0hf1AJT+CMQk=,tag:9hOo08OLybdNgr7wvRPvyw==,type:str]
    cache:
      HOST: ENC[AES256_GCM,data:K0FpmrMo1TlUnHHHRKcKVQ8NYeOr+YEeQjajEIM1x5XPjkxYUmywyVL8f5qNLkvotAtD941Rw9CQ7NRof0NketkYyC8gJsndfznGPjhfqH5a0MUWDu9tAfGUzWGzXxC0uq4Ne1eRhu4SjZljZybqk5qQR00Zc/qX,iv:izMvr/kdes3+Gl1a6URnWyQ5TwYqTDMOBskHxPZZpgo=,tag:MWdLA5PV/+bEPWgXHw9OQA==,type:str]
    queue:
      CONN_STR: ENC[AES256_GCM,data:MsKkRcKpCGmvcL2lP5N+WuCNGp68gPw5HCpvCjEbYPoJcl5j6mAV5bBGqmiaIpvRbBu1EL1riHMmFD55efSJ6XueOXPG997iwE7KISdPjAWA92ZFe/zFzSW5EfBz3BvgsxzkMk3gR2usid0BvKXLPztLSvAYOR1l,iv:S4BunQMCS33JZUL8x4dRSbMtKQoI0f3Iw9IQ663hqfw=,tag:G7Xpp4d0VKzHRb0ju+F+WA==,type:str]
  oauth:
    - name: ENC[AES256_GCM,data:ruqXMi7A,iv:hzOf08m5WO/0ZLrsDdco2RuWquiR9n5hwZqcug7Gx1E=,tag:hwumITH28nq0z5i4Z4FvcQ==,type:str]
      provider: ENC[AES256_GCM,data:Sx2HqTQ/,iv:DDhq7jVZdgD5MAFFeSt6KdsC0FSrpQWA+gu9gOg6Iwo=,tag:kOnrbDlwGLMrgKsF8hTGdA==,type:str]
      key: ENC[AES256_GCM,data:itycutnIMsO2lb8M5UysL72Iq9k=,iv:E1b1zBGfew3bf72OxLoKQoosgPDqy8my1JMWvwBGpcE=,tag:iJGrMKbrqTD5NHYWvFxqxQ==,type:str]
      secret: ENC[AES256_GCM,data:mOpFm2yKl1aBu3TcJkO/Gm69XQh36le4ohsueq9t58cIHDucrksBmA==,iv:zW3zde+XcD3wmJcOKZ0lrPCBA2OPHoF+8/T+6PJpP5w=,tag:27ssfjvp2oX9yglNJLalFQ==,type:str]
    - name: ENC[AES256_GCM,data:8LPw6LKoUcMf,iv:/jNSUD9jcGxghxexh5063Le+t+xAbirHlc/1oG3JCq0=,tag:OA1LpeMNRi+Pkhr4cdseAw==,type:str]
      provider: ENC[AES256_GCM,data:aqLm3vOS5b+cDBjnaA==,iv:/3teGaszsJEo9ya1Uy51xAxPC4zyMO08qm1Ag6sFb2A=,tag:iByKJjRGQcEiT8Zoe4cRnA==,type:str]
      skip_local_2fa: ENC[AES256_GCM,data:YZMe+A==,iv:VE8i+fA/xbv4Ii6vDjsclbuzHp9lva+jOBIYE0vsKNA=,tag:OXAZnoa/zISVBmhaojVB+w==,type:str]
      key: ENC[AES256_GCM,data:6mbjR2k=,iv:8zRBVFyF7XyTA96yfaWX8NtOC2f2abbyv7qUzizB+dc=,tag:BeBR+bijZFHepscsXJkoNw==,type:str]
      secret: ENC[AES256_GCM,data:vM4LI6MFwF9co+qCzZwl+q7pKDtIiMj7jMwckleijtVOgnfafrMTKZsA4LbeKICm1p3kuj1qmdRzDgyCzGyCejwMwsd8Yze4gMKZb6wfnhOhaj11Yby40+xHHb8ogCzPfAH7TkOi+99Y2yMpfiw2i5UZvQK1oTjZLzMfJ0fK15k=,iv:F01nIJjOiZCueOaIa1p//ND4XA1wvNow9Crq73nHUVQ=,tag:KifiHsOa49Iah4SW28YMVA==,type:str]
      autoDiscoverUrl: ENC[AES256_GCM,data:k1O5weiok0ybMfEwDfEaXu76AvUmgRHz3vGy5bShvdGxf/SQZVJJv0XntF9ifbfhYRKzJCt1BpVGkXQnHhMWntkolLUsv/r6OKZPjpwOtEozhI95fcjax1Y=,iv:2LFUB07dWs2tcCSibhoiJ8w3NoPMrpfEhAqb28TbdxY=,tag:iJtqPNf8nsjMVzF2Du+DVw==,type:str]
      iconUrl: ENC[AES256_GCM,data:Jr8Ej4zfe319HX4ruXrDSB5ZuuEfbuvEeIVHt13E7xx3NvPF9qrOZip40hmAR7dc1nW5m6aX6GxP5gbonr90wZRCf8HA9A==,iv:ykfp9vlCZnjR+7H9NTokW8AOr0EHEq6vkwWDSMYiU5Q=,tag:MbX/8yRj6XwBgU+MbylAKg==,type:str]
      scopes: ENC[AES256_GCM,data:Lr+kdYTfCVQE25ZGeA==,iv:O6OYdDg/PGj0p2A9vjxPaDBRtUctS1j4TO/5V1gSQ88=,tag:tlDUKeGRIL3Rqep/mpdRZQ==,type:str]
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2V1RNMmlZaDJDMzBXekF1
        YmdlYjNBTEhaYU5YYTZ6U1pHckl5YVZ4WVV3Cml5RzkyeHVCV3FlbEpoanlZOWk4
        RlVoL1VISDEzODRaYUs0N3JldXE4Q28KLS0tIDdqK3IxcHpQdWJoNHR4VCt4MVNm
        M25EVzZsS21OajdEKytoc2VBYm5SMU0K1wvfQOqBbAPyh1SxiONFSFO+a591HG/2
        DJvP643yXIWBOiNTxjbQDygYmxwk9GbFmGlVf0pQoUEuH9D4SgCwJA==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-10-14T08:08:22Z"
  mac: ENC[AES256_GCM,data:Mel9AWdHERKt5xsDI7KmgINBCMAsfYrs/jgwQol+UVuiFXU73tAFeUqOZRDFwuzKBfxQExv8etBlgV8Q6Pdg0VojBLLz75BYZdqz5RD1VnllJ7y5/jCwCTyTbWxYQZpgj8dle0KA2NxoMraLIQY+gnvunqlAcIJgPZG9KY1UB3w=,iv:Nozpe5X8kwSrb2sturuCQBA8XhEQSI5nLRzBuCDFfz0=,tag:8kVcjwLDNTBmvDRPj2ELyQ==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.1
--- a/values/badhouseplants/observability/grafana/secrets.yaml
+++ b/values/badhouseplants/observability/grafana/secrets.yaml
--- a/values/badhouseplants/games/minecraft/secrets.yaml
+++ b/values/badhouseplants/games/minecraft/secrets.yaml
--- a/values/badhouseplants/secrets.minio.yaml
+++ b/values/badhouseplants/secrets.minio.yaml
@ -0,0 +1,47 @@
 rootPassword: ENC[AES256_GCM,data:GEqZhh9YWYxdezI+rDS7EL/Fa2A=,iv:pjinEGyjUfncqE+SX/a5YjojfjvUIaTVzp4I79+nNK0=,tag:3dx+oUo51OWDAu1FtjcypA==,type:str]
 users:
  - accessKey: ENC[AES256_GCM,data:QHs/0+txnek=,iv:M0lIhbdn27xFa0f/goOZbIzN00RBlVCsmZJS0x4QvoE=,tag:NrDFXGxWA1arY52l3a7Osw==,type:str]
    secretKey: ENC[AES256_GCM,data:zN25a8xFwea3GtAMMcyDYMRrIg==,iv:2CVp3ADF8RMsmXO/86ShTvb4ruS0jbIHxvBeQRahbzA=,tag:fhvM5yixaice2BCNoPgpLg==,type:str]
    policy: ENC[AES256_GCM,data:1XOH/+U/9uY=,iv:9/c98UTB4NBUFsxj86YUFxhiJenuNEZGiuMl9YFF53s=,tag:NUil97HloEMFS1x6ZxduMg==,type:str]
  - accessKey: ENC[AES256_GCM,data:aTKN,iv:SAxc5SRZMP8G7/SdW6IFZwC9SNcadwT3gGBvd3wh38c=,tag:Szno9wz255HyeRwyDPiJMg==,type:str]
    secretKey: ENC[AES256_GCM,data:PZ0ge+5Db7gnOodUlUDiDD0dZ6gckwOQRQ==,iv:Em9tBkzLbD5FPDMDXxjwC3PP4PUZVqoZI3xpLTIyCh0=,tag:o/S05Z0qmM9L9/BEFV2p0w==,type:str]
    policy: ENC[AES256_GCM,data:wJO4,iv:ZeoJKeczcS3B5+wKUx7XXytYH79bUgF2UvWgOlTunxc=,tag:xeUL9zdLyMCkya9F3gkldA==,type:str]
  - accessKey: ENC[AES256_GCM,data:ByU5F/5UzgHI,iv:+cLnf5oApiG9ZsR5TFeRfhnkPheMQxJ8sZKrhfxXfZ4=,tag:HwMAV4FkKRfEgNgzVlEfRA==,type:str]
    secretKey: ENC[AES256_GCM,data:Cqu6qHxj054sO6kv6VV4mfbbxZ8=,iv:TQlrh5aJDwRcU4b7vPPH9fWkQnB3ZD+zGlmBHIwdzME=,tag:lnNeclEvB85O1pZLm/5a2Q==,type:str]
    policy: ENC[AES256_GCM,data:G8Js4e7VdBlk,iv:Ur1+a0meAHtD7Whjf5wSL9M6ZT0USqp8lbeBWa6mE7I=,tag:f5qnTV/zyxpbTWNjhg4MJw==,type:str]
  - accessKey: ENC[AES256_GCM,data:LBjJl8U=,iv:h3Hncfvw44bi/3d+fUXgyH2gxjHu/WglSHBVlY9IY7I=,tag:U/FYmzdAoeHXI1FPKrvw/A==,type:str]
    secretKey: ENC[AES256_GCM,data:WE8Tgo5qjELpcmnPndNIDg1P2hMC0Su07w==,iv:bSSGbCNXdJFZi2ej5eavC/16a5YNuE4yHkCH+UiXfiA=,tag:BBu1uQWq7JURr1VBI+4aLA==,type:str]
    policy: ENC[AES256_GCM,data:6XCF/6M=,iv:5OkoexjDekMgJM1HHuWn1h+s9D87odUtOFlqBmusizA=,tag:/MZcxjK6SDonoPr7HLRIjg==,type:str]
  - accessKey: ENC[AES256_GCM,data:BLhlKdFIAbW9,iv:4okVf620xRYu6I6/Jd4ikNKO1NzsP2d8Md527hUrQZQ=,tag:NCV47PfvhHb2K3+rykI90Q==,type:str]
    secretKey: ENC[AES256_GCM,data:lNDMsuPm5taDUd9kdMPC8/7fG9tJmhZl2w==,iv:wXVq0oRe6E8XzR+X7XjwSGCiYoFfQBvTu4i2NRx3dBs=,tag:5+OsaFxPbS6tzK877SodHg==,type:str]
    policy: ENC[AES256_GCM,data:eOvVqkefvxa4,iv:u02DHDp5RogxLU+417KVNMyV6z8PU6Vj92Ut2Rxmb1k=,tag:qT2kjWxheinLSdLWzYC5JQ==,type:str]
 oidc:
  enabled: ENC[AES256_GCM,data:3tHt2Q==,iv:0FgDbZEuhW1Wkh9In/JVmsiuu78C/reapgdWW+U4nHw=,tag:GdCPBOdsaDoLj4jmH0+Hyw==,type:bool]
  configUrl: ENC[AES256_GCM,data:4W89kL0pq8uTsyXcZGLqjGL1tyquypWpMIbLSQzdep5keD7LolY6ywpyFIhVYO0VcQwoDoW8ISC+obKXruAk1QFuHgyNLhNq3YhrDqnwOdi63Zd1Mm/G6as=,iv:7fbK4s26w1Ijq0cxLBCO9YFh/qLL3biKI9vTgbH8yOQ=,tag:3nnORzg3oS7QKMn3bp5wlA==,type:str]
  clientId: ENC[AES256_GCM,data:lsiy1i0=,iv:M6+WHUOxPCmXAmAWG4HfVHQpHavMvIBq0BoI1B10Nbs=,tag:4VYwGCH0dnGbGK20UKLFpg==,type:str]
  clientSecret: ENC[AES256_GCM,data:S/yGKXyz0uhNKuiR+fYCuR+fy3/LkFphliJ34ocbJgnJnMwzayiknCTKxEcaOeK99fzpAmsEQL48Ow3Znm+WrUpsCleXavt1yck48eNFT53fnnCdlZv3eLoy0FHovDti9VgJmc4oxXDv3k54XLwy3ZhJkwihafdnjJSksU8dE9I=,iv:adCVwAO0ptkrkrhcfKoKpCKqd6nQIh0voeSvVHOt3BQ=,tag:wIi4N0N8gBrKh01FSu452w==,type:str]
  claimName: ENC[AES256_GCM,data:/pejm+pH,iv:mKK58CmCvMK+RYXdkOdDLNfrI1ThBDolrQCfyGQXYp0=,tag:HDS1Yds+3ymNCntcsfFGrw==,type:str]
  redirectUri: ENC[AES256_GCM,data:9I9YCP91QdYz70b7j1+ZZ94Cgx0qsI2l9HL6Vylcfg8a7sSn4XkHgWeevm19Kj4=,iv:1Vqmtk0Qa2AFalLnb+js6AbFQ8E+Br5ykHMWaZ4xOuE=,tag:msvWckcpfuTlGLxu05nrvA==,type:str]
  comment: ENC[AES256_GCM,data:stVuHIZCtW8RYzEjDrRg87rxyuM=,iv:eF+M2p8T7bI5pgP5kQSXGvhF58u4vaIueraCGIt7ims=,tag:RCq8yrIFLYE3ERayU7VFCg==,type:str]
  claimPrefix: ""
  scopes: ENC[AES256_GCM,data:J2OFtmd8guKLa11wMxIqssqMdpoB7P7NtejO,iv:LXr0zpnQ7p2DbSFsg6cI4AN9CqhFGwinjHU41auAfOw=,tag:2FKy+WHUbkteCsk7QFD6ug==,type:str]
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmS0RuNGxQZm80TUx2VkpB
        MlRSWUdMWVBlRitPWWNmMVNPWjdlL1lvVFRZCnNKMm5TV01SQlgrQ1FZUkFaSDAy
        Vzhoci9uQ1dPR1lmeHFRa1Q5QXlzTVkKLS0tIGNXWnkyUjdsaVBJRnpscEt4dVc4
        Y2dldGZYNEs5KzVSWkR2bGpMQlIrc2cKRHiTbSMZtshXVq1fNWsXcQHfBUE++yQJ
        CWXSmgoSZhzj8vmU4kvMtbuKE+S7fsiUJibtIx1y/Tl2EFtpsiMMvg==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-10-16T16:50:30Z"
  mac: ENC[AES256_GCM,data:VDJdUUtfLCw3ZD+IWgVh159zhUtjVfYTs9nWDNIUDVW26Jtaz00dDr30QCrCIHzRy5g88vYDfUrLdRE5+EfM5cZRKVV0TruF6KBYP+4Un7fQG/oRtHZu8CgDYVpEoUcVutRg4V6xJhT7mRPlPH48/8wt1aL1FId4HIl2jvO6MYA=,iv:eARUMEHSsUKhEm/7iMw8MRT1EWg9s4C9Qikk5uVuYpY=,tag:o2SgX2UE2VYNyvGVWT/OZg==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.1
--- a/values/badhouseplants/secrets.postgres.yaml
+++ b/values/badhouseplants/secrets.postgres.yaml
@ -0,0 +1,24 @@
 global:
  postgresql:
    auth:
      postgresPassword: ENC[AES256_GCM,data:Pb5fkgK3VsPaBD35ng94FHAZuTs=,iv:qYBmZf29+ELL4d+E2QoF2EfxJHBsLfX4OtYdh986iHs=,tag:GfeKbe2JHi50LEwJ1do1qA==,type:str]
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZVdxMVVMeU13ZndLMVll
        dFFwQzBkaEZSR2p1MElJOHRVVkVVU3NCM2hFClQ1cXJlRGpoa1U0djc2N3NFN1Nz
        VHFIODBHd21kMmFBMmlDaDBwN0ViL0kKLS0tIHErVnpLTVJhc2U3S1U3S1huanc5
        bDFRaDB2M1Mxejc5Z1ZNL2xqU0tVWHMKNbZpG4iYQ8BI76Zbv8lbZqpuPX0qFHng
        6iEHF+e5FXk8KoFmELQ0masS/ewO2wRcHH5giISrxigHNutjkWh3Qg==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-10-14T08:08:22Z"
  mac: ENC[AES256_GCM,data:A3QpJ+8BIN+6MdtaYkhxqoVrW/v34KZXXjWlPCjwTSKdu0Vf5BTKClyuSm+4Be1sj6kcp6zhEL5mG0DsXRZvhH+/LZqP0kw1BHRxyZ1McFFEQdvfdWz4m9F7SGyebxth6RAK5/RMp901Q1YqWJKxPjwajIGmy5stgBgDetQIOBk=,iv:uyE8wmYCvJzjz7zDas3weWoZj9BpZlpKgzMIAV0eQ4I=,tag:hRDa+xkI0GSZIWIoDg/YIA==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.1
--- a/values/badhouseplants/secrets.postgres16.yaml
+++ b/values/badhouseplants/secrets.postgres16.yaml
@ -0,0 +1,24 @@
 global:
  postgresql:
    auth:
      postgresPassword: ENC[AES256_GCM,data:+YRWapVv08cZonBsTLtsMHxT7JJp,iv:LJBUmSX1vvmLDBuIdqmi+4UbuLL+yD6PO18kmwlyzpE=,tag:TmG2GQ5/87mIZPLY4uzkBA==,type:str]
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJR1hzTUV3TzRFaHNTN3Fj
        Tkh0TW1VNng0WkZNdXdsOVozMDZ5T25uQmgwCkhSWXViUkNsZnExV0c5UXFsd2R4
        ZjNYYUFDbnpYYkRQbHdQUDA3cHBxa28KLS0tIFR4MGVWK2o1TFZlQ1FRbkIza3F6
        UWc5NzVMVkQ4UDNlSzRidWNzSnFWWkkKfnTaKxZoBFCj2l4QfI/BvG0eGOFX/seF
        DcpofYlg0hQFRSavqRjidLri1rzpOCdKlWh/h0nIRDFA7O55Q8QAnQ==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-10-14T08:08:22Z"
  mac: ENC[AES256_GCM,data:fi4ewchdGDHm1YyVFD57IxSepsnP8K5kCY5klszKUA+swAkGS5BJb4/tsDQ2kefRgJ+RnbqeYfyaBrzrXQQBdYHsHIg4iR+NGl3ql8TzIze2Kc124BCjBs/eq+xyGRxjXjKr31c9dGGaWriO/jIO0ZBSDn5Uz7JcY6iv5Nu+cGI=,iv:SbZr06PcwTJduuxan4a9koKI7B8ZEZ1dQzwBbGQjO+w=,tag:RpTSWKBhUU4oH2m2g906Dw==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.1
--- a/values/badhouseplants/databases/postgres17/secrets.yaml
+++ b/values/badhouseplants/databases/postgres17/secrets.yaml
--- a/values/badhouseplants/observability/prometheus/secrets.yaml
+++ b/values/badhouseplants/observability/prometheus/secrets.yaml
--- a/values/badhouseplants/secrets.redis.yaml
+++ b/values/badhouseplants/secrets.redis.yaml
@ -0,0 +1,26 @@
 global:
  redis:
    #ENC[AES256_GCM,data:d/vtscwAkAPFyRz6Ap29M/oZGEcX3POnzAd6GCkHIiTLFinXzOAn/ruMSiMsnL9lJxj50foVeLIXnmtFDGxUPsxNU9jePD037t6vbtja,iv:ALXE7IPi2d79rOpBMwlfi9IPtcvfoSAxsDHwiVItk8U=,tag:cMoKK0zkagLc3uC8Ry5hBw==,type:comment]
    #ENC[AES256_GCM,data:XQ6nK+hlKfFOBDye9a2a,iv:ptA0TWsjVjOQGOCe8leC7ZjRX8gSnbjb94NWZMccxSs=,tag:9vw4k4N1wI/C7jf7ZPxi7w==,type:comment]
    #ENC[AES256_GCM,data:eTsTA07O2Y/468A=,iv:ZWOZO3GAYbU/Bq5ejdzDUsrYpkfwNtK23zH+XS5PUsk=,tag:KL1Z0a+BxBW4Y+aeJb78lA==,type:comment]
    password: ENC[AES256_GCM,data:kFbVUyKL0B9GhOapmqOS/FyTaXZEGUmSFFLxYIzX,iv:sLue4AmkT12DoPrWH3VxpvXFBHYhYRUTWcNoC+ojhGY=,tag:ikQsyximPvONoANv/61GXA==,type:str]
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORUEvSlFCTzh4N2NGVkhO
        SlJXQlNvYjdCQmVjQWVpZ2YyUjlmWkZrWVdVCk1FK1VjVmpCWEVScVo0YldZQWxE
        L2I1RnNsVWJGRll5MXNjam1zMzU5OWcKLS0tIFI0eUFEYTdyWkFEb0xQeTBaZi9J
        aUJ0Umg5T1BFN1lEbThJTXErUkxKaGsK1Vvk45dshvEGF3OZfrLJPabHgvWFT8ps
        f7Ygd+3XhZUBUBi50Em/xzmKQXL0I0Ps9JetSbQ/Amlmp9gU8VqRGw==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-10-14T08:08:22Z"
  mac: ENC[AES256_GCM,data:9dykGJs5NFjahNZ+4orzMh2u7UBRHMVCv5J9QxRqAzE2aT556W6bZoV9n0V5b7Z6jhVGHFxA4do9RoFT2lq7aMVpQ4nl4iSXuavPiuoBeq8aIwykpCF0cs5dHxQP7R5US2A8rzsSScIBbB2i1LhRtpiVVGmekVp1YSZJWcNhMNk=,iv:tWf4DjEcAff4LupkpFiR/Ss3iYBqtvcQGW/xAeCDIvw=,tag:nbWpyxzNKKrbo8HjMBbeMg==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.1
--- a/Show More
+++ b/Show More