chore(deps): update helm release woodpecker to v3

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.yamllint

@@ -0,0 +1,16 @@
+---
+extends: default
+
+rules:
+  line-length:
+    max: 120
+    level: warning
+  indentation:
+    spaces: 2
+    indent-sequences: true
+  comments:
+    min-spaces-from-content: 1
+  document-start: disable
+  truthy:
+    allowed-values: ['true', 'false', 'on', 'off']
+

AGENTS.md

@@ -0,0 +1,453 @@
+# Application Helm Charts Guide
+
+This document provides guidelines for creating and maintaining Helm charts in this homelab project.
+
+## Project Structure
+
+```
+apps/
+├── charts/           # Individual application Helm charts
+│   ├── app-name/
+│   │   ├── Chart.yaml
+│   │   ├── values.yaml
+│   │   └── templates/
+│   │       ├── deployment.yaml
+│   │       ├── service.yaml
+│   │       ├── pvc.yaml
+│   │       ├── client.yaml      # OIDC client configuration
+│   │       ├── database.yaml    # Database provisioning
+│   │       ├── secret.yaml      # Secret generation
+│   │       └── external-http-service.yaml
+│   └── ...
+└── root/            # ArgoCD ApplicationSet for auto-discovery
+    ├── Chart.yaml
+    ├── values.yaml
+    └── templates/
+        ├── applicationset.yaml
+        └── project.yaml
+
+foundation/
+├── charts/          # Foundation service Helm charts
+│   └── ...
+└── root/            # ArgoCD ApplicationSet for foundation services
+
+shared/
+├── charts/          # Shared service Helm charts
+│   └── ...
+└── root/            # ArgoCD ApplicationSet for shared services
+```
+
+## ArgoCD ApplicationSets
+
+This project uses three separate ArgoCD ApplicationSets to manage different categories of services:
+
+1. **apps/** - Individual applications (web apps, tools, services)
+2. **foundation/** - Core infrastructure for the cluster (monitoring, certificates, operators)
+3. **shared/** - Infrastructure shared between applications (databases, message queues, caches)
+
+Each category has its own `root/` chart containing an ApplicationSet that auto-discovers and deploys charts from its respective `charts/` directory.
+
+## Creating a New Application Chart
+
+### 1. Basic Chart Structure
+
+Create a new directory under `apps/charts/` with the following structure:
+
+```bash
+mkdir -p apps/charts/my-app/templates
+```
+
+#### Chart.yaml
+```yaml
+apiVersion: v2
+version: 1.0.0
+name: my-app
+```
+
+#### values.yaml
+```yaml
+image:
+  repository: docker.io/org/my-app
+  tag: v1.0.0
+  pullPolicy: IfNotPresent
+subdomain: my-app
+```
+
+### 2. Core Templates
+
+#### Deployment Template
+Create `templates/deployment.yaml`:
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /data
+              name: data
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-data"
+```
+
+#### Service Template
+Create `templates/service.yaml`:
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app: "{{ .Release.Name }}"
+```
+
+#### Persistent Volume Claim
+Create `templates/pvc.yaml`:
+```yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: "{{ .Release.Name }}-data"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+```
+
+## Custom Resource Definitions (CRDs)
+
+This project uses several custom resources that are managed by operators in the cluster:
+
+### 1. OIDC Client (OpenID Connect Authentication)
+
+The `OidcClient` resource automatically provisions OAuth2/OIDC clients with your identity provider.
+
+Create `templates/client.yaml`:
+```yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /oauth/oidc/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict
+```
+
+**What it does:**
+- Creates an OIDC client in your identity provider (e.g., Authentik)
+- Generates a Kubernetes secret named `{{ .Release.Name }}-client` containing:
+  - `clientId`: The OAuth client ID
+  - `clientSecret`: The OAuth client secret
+  - `configuration`: The OIDC provider URL
+
+**Using in deployment:**
+```yaml
+env:
+  - name: OAUTH_CLIENT_ID
+    valueFrom:
+      secretKeyRef:
+        name: "{{ .Release.Name }}-client"
+        key: clientId
+  - name: OAUTH_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: "{{ .Release.Name }}-client"
+        key: clientSecret
+  - name: OPENID_PROVIDER_URL
+    valueFrom:
+      secretKeyRef:
+        name: "{{ .Release.Name }}-client"
+        key: configuration
+```
+
+### 2. PostgreSQL Database
+
+The `PostgresDatabase` resource automatically provisions PostgreSQL databases.
+
+Create `templates/database.yaml`:
+```yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: PostgresDatabase
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+```
+
+**What it does:**
+- Creates a PostgreSQL database with the same name as your release
+- Creates a user with appropriate permissions
+- Generates a Kubernetes secret named `{{ .Release.Name }}-database` containing:
+  - `url`: Complete PostgreSQL connection URL
+  - `host`: Database hostname
+  - `port`: Database port
+  - `database`: Database name
+  - `username`: Database username
+  - `password`: Database password
+
+**Using in deployment:**
+```yaml
+env:
+  - name: DATABASE_URL
+    valueFrom:
+      secretKeyRef:
+        name: "{{ .Release.Name }}-database"
+        key: url
+```
+
+### 3. Secret Generation
+
+The `GenerateSecret` resource creates secure random secrets.
+
+Create `templates/secret.yaml`:
+```yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: GenerateSecret
+metadata:
+  name: "{{ .Release.Name }}-secrets"
+spec:
+  fields:
+    - name: encryptionkey
+      encoding: hex      # Options: hex, base64, alphanumeric
+      length: 64        # Length in bytes (before encoding)
+    - name: apitoken
+      encoding: base64
+      length: 32
+```
+
+**What it does:**
+- Generates cryptographically secure random values
+- Creates a Kubernetes secret with the specified fields
+- Supports different encoding formats for different use cases
+
+**Using in deployment:**
+```yaml
+env:
+  - name: ENCRYPTION_KEY
+    valueFrom:
+      secretKeyRef:
+        name: "{{ .Release.Name }}-secrets"
+        key: encryptionkey
+```
+
+### 4. External HTTP Service
+
+The `ExternalHttpService` resource configures ingress routing for your application.
+
+Create `templates/external-http-service.yaml`:
+```yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80
+```
+
+**What it does:**
+- Creates ingress routes for your application
+- Configures subdomain routing (e.g., `myapp.yourdomain.com`)
+- Handles TLS termination automatically
+- Integrates with your service mesh (if applicable)
+
+## Best Practices
+
+### 1. Naming Conventions
+- Use `{{ .Release.Name }}` consistently for all resource names
+- Suffix resource names appropriately: `-data`, `-secrets`, `-client`, `-database`
+
+### 2. Container Configuration
+- Always specify health checks (liveness and readiness probes)
+- Use named ports (e.g., `http`, `grpc`) instead of port numbers
+- Set `revisionHistoryLimit: 0` to prevent accumulation of old ReplicaSets
+
+### 3. Environment Variables
+- Never hardcode secrets in values.yaml
+- Use secretKeyRef to reference generated secrets
+- Group related environment variables together
+
+### 4. Persistent Storage
+- Always use PVCs for stateful data
+- Consider storage requirements carefully (start with reasonable defaults)
+- Mount data at standard paths for the application
+
+### 5. OIDC Integration
+- Set `ENABLE_SIGNUP: "false"` if using OIDC
+- Enable OIDC signup with `ENABLE_OAUTH_SIGNUP: "true"`
+- Configure email merging if needed with `OAUTH_MERGE_ACCOUNTS_BY_EMAIL`
+
+### 6. Database Usage
+- Only include database.yaml if the app needs PostgreSQL
+- Applications should support DATABASE_URL environment variable
+- Consider connection pooling settings for production
+
+## Disabling Applications
+
+To temporarily disable an application, rename its directory with `.disabled` suffix:
+```bash
+mv apps/charts/my-app apps/charts/my-app.disabled
+```
+
+The ArgoCD ApplicationSet will automatically exclude directories matching `*.disabled`.
+
+## Testing Your Chart
+
+1. **Lint your chart:**
+   ```bash
+   helm lint apps/charts/my-app
+   ```
+
+2. **Render templates locally:**
+   ```bash
+   helm template my-app apps/charts/my-app
+   ```
+
+3. **Dry run installation:**
+   ```bash
+   helm install my-app apps/charts/my-app --dry-run --debug
+   ```
+
+## Deployment Workflow
+
+**IMPORTANT:** There is no test environment. When creating or modifying applications:
+
+1. **Make changes directly to the files** - The agent will write changes to the actual chart files
+2. **User deploys the changes** - After changes are made, the user must deploy them to the cluster
+3. **Debug with kubectl** - If issues arise after deployment, agents can use kubectl to:
+   - Check pod status and logs
+   - Inspect generated resources
+   - Verify secret creation
+   - Troubleshoot configuration issues
+
+**Note:** Agents cannot deploy applications themselves. They can only:
+- Create and modify chart files
+- Use kubectl to investigate deployment issues
+- Provide debugging assistance and recommendations
+
+## Common Patterns
+
+### Application with OIDC + Database
+For apps requiring both authentication and database:
+- Include `client.yaml` for OIDC
+- Include `database.yaml` for PostgreSQL
+- Reference both secrets in deployment
+
+### Stateless Applications
+For simple stateless apps:
+- Omit `pvc.yaml`
+- Remove volume mounts from deployment
+- Consider using `Deployment` scaling if appropriate
+
+### Background Services
+For services without web interface:
+- Omit `external-http-service.yaml`
+- Omit `client.yaml` (no OIDC needed)
+- Focus on service discovery within cluster
+
+## Troubleshooting
+
+### Secret Not Found
+If secrets are not being created:
+1. Check that the CRD controller is running
+2. Verify the `environment` value matches your setup
+3. Check controller logs for provisioning errors
+
+### OIDC Issues
+1. Verify redirect URIs match exactly
+2. Check that the identity provider is accessible
+3. Ensure the client secret is being properly mounted
+
+### Database Connection
+1. Verify the database operator is running
+2. Check network policies between namespaces
+3. Ensure the database server has capacity
+
+## Global Values
+
+Applications can access global values through `{{ .Values.globals }}`:
+- `environment`: The deployment environment (e.g., "production", "staging")
+- Additional values can be added at the root chart level
+
+## Maintenance
+
+### Updating Images
+1. Update the tag in `values.yaml`:
+   ```yaml
+   tag: v1.0.0  # Use semantic version tags only
+   ```
+2. **Note:** Do not include SHA digests in tags. Immutable digests are automatically added later by Renovate
+
+### Renovate Integration
+The project uses Renovate for automated dependency updates. Configure in `renovate.json5` to:
+- Auto-update container images
+- Create pull requests for updates
+- Group related updates
+
+### Backup Considerations
+For applications with persistent data:
+1. Consider implementing backup CronJobs
+2. Use volume snapshots if available
+3. Export data regularly for critical applications
+
+## Contributing
+
+When adding new applications:
+1. Follow the existing patterns and conventions
+2. Document any special requirements in the chart's README
+3. Consider security implications of all configurations
+4. Update this document if introducing new patterns
+
+## Maintaining This Document
+
+**IMPORTANT:** When making changes to the project structure, patterns, or custom resources:
+- Keep this AGENTS.md file up to date with any changes
+- Document new CRDs or custom resources as they are added
+- Update examples if the patterns change
+- Add new sections for significant new features or patterns
+- Ensure all code examples remain accurate and tested
+
+This document serves as the primary reference for creating and maintaining applications in this project. Keeping it current ensures consistency and helps onboard new contributors.

apps.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: apps-data
+  labels:
+    type: local
+spec:
+  capacity:
+    storage: 5Gi # Adjust this to your desired size
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain # Retain the data even if the PV is deleted
+  storageClassName: "manual-app-data"
+  hostPath:
+    path: "/data/volumes" # The specific host path for your 'apps' volume
+    type: DirectoryOrCreate # Ensures the directory exists on the host
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: apps-data
+  namespace: prod # Specify the namespace
+spec:
+  storageClassName: "manual-app-data"
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 5Gi # Must match or be less than the PV's capacity

apps/charts/appsmith.disabled/Chart.yaml

@@ -1,3 +1,3 @@
 apiVersion: v2
 version: 1.0.0
-name: monitoring
+name: appsmith

apps/charts/appsmith.disabled/templates/deployment.yaml

@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          ports:
+            - containerPort: 80
+              name: http
+          env:
+
+          volumeMounts:
+            - mountPath: /appsmith-stacks
+              name: data
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-data"

apps/charts/appsmith.disabled/templates/virtual-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: "{{ .Release.Name }}"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  gateways:
+    - "{{ .Values.globals.istio.gateway }}"
+    - mesh
+  hosts:
+    - "{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+    - mesh
+  http:
+    - route:
+        - destination:
+            host: "{{ .Release.Name }}"
+            port:
+              number: 80

apps/charts/appsmith.disabled/values.yaml

@@ -0,0 +1,4 @@
+subdomain: appsmith
+image:
+  repository: index.docker.io/appsmith/appsmith-ce
+  tag: latest@sha256:0776a0a9665919800d22fc736956ec54fedd16a9a30f9d4ad3f3fc0fd8ac8694

apps/charts/audiobookshelf/templates/service.yaml

@@ -8,7 +8,7 @@ spec:
   type: ClusterIP
   ports:
     - port: 80
-      targetPort: 5678
+      targetPort: 80
       protocol: TCP
       name: http
   selector:

apps/charts/audiobookshelf/templates/virtual-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: "{{ .Release.Name }}"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  gateways:
+    - "{{ .Values.globals.istio.gateway }}"
+    - mesh
+  hosts:
+    - "{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+    - mesh
+  http:
+    - route:
+        - destination:
+            host: "{{ .Release.Name }}"
+            port:
+              number: 80

apps/charts/audiobookshelf/values.yaml

@@ -0,0 +1,5 @@
+image:
+  repository: ghcr.io/advplyr/audiobookshelf
+  tag: 2.31.0@sha256:e23adb24848d99d19cd1e251aee4e1e12ed4f5effc8ccb21754b062b6a06cf66
+  pullPolicy: IfNotPresent
+subdomain: audiobookshelf

apps/charts/backup.disabled/values.yaml

@@ -4,7 +4,7 @@ globals:
   domain: olsen.cloud
 image:
   repository: garethgeorge/backrest
-  tag: latest@sha256:f8306faef0a3cbedc7daa55756f1d4c105d8c104aa773656bdad4fa8553dab5a
+  tag: latest@sha256:1308397161321b3c5aeca8acc6bf26eccb990df385f2532d3ce0eaa8b483dedf
   pullPolicy: IfNotPresent
 subdomain: restic
 password:

apps/charts/baikal/templates/virtual-service copy.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: "{{ .Release.Name }}"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  gateways:
+    - "{{ .Values.globals.istio.gateway }}"
+    - mesh
+  hosts:
+    - "{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+    - mesh
+  http:
+    - route:
+        - destination:
+            host: "{{ .Release.Name }}"
+            port:
+              number: 80

apps/charts/baikal/templates/virtual-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: "{{ .Release.Name }}"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  gateways:
+    - "{{ .Values.globals.istio.gateway }}"
+    - mesh
+  hosts:
+    - "{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+    - mesh
+  http:
+    - route:
+        - destination:
+            host: "{{ .Release.Name }}"
+            port:
+              number: 80

apps/charts/baikal/values.yaml

@@ -0,0 +1,5 @@
+image:
+  repository: docker.io/ckulka/baikal
+  tag: 0.10.1-nginx@sha256:434bdd162247cc6aa6f878c9b4dce6216e39e79526b980453b13812d5f8ebf4b
+  pullPolicy: IfNotPresent
+subdomain: baikal

apps/charts/blinko/Chart.yaml

@@ -1,3 +1,3 @@
 apiVersion: v2
 version: 1.0.0
-name: apprise
+name: blinko

apps/charts/blinko/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  redirectUris:
+    - path: api/auth/callback/authentik
+      subdomain: "{{ .Values.subdomain }}"
+      matchingMode: strict

apps/charts/blinko/templates/deployment.yaml

@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  strategy:
+    type: RollingUpdate
+  replicas: 1
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          ports:
+            - name: http
+              containerPort: 1111
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /data
+              name: data
+          env:
+            - name: TZ
+              value: "{{ .Values.globals.timezone }}"
+            - name: NODE_ENV
+              value: "production"
+            - name: NEXTAUTH_URL
+              value: "https://{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+            - name: NEXT_PUBLIC_BASE_URL
+              value: "https://{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+            - name: NEXTAUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-secrets"
+                  key: betterauth
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-pg-connection"
+                  key: url
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-data"

apps/charts/blinko/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 1111
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'

apps/charts/blinko/templates/virtual-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: "{{ .Release.Name }}"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  gateways:
+    - "{{ .Values.globals.istio.gateway }}"
+    - mesh
+  hosts:
+    - "{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+    - mesh
+  http:
+    - route:
+        - destination:
+            host: "{{ .Release.Name }}"
+            port:
+              number: 80

apps/charts/blinko/values.yaml

@@ -0,0 +1,5 @@
+image:
+  repository: blinkospace/blinko
+  tag: latest@sha256:04ad2a67f617e122db98425d39c2d0d901492729b3aee5a7e8c4d351009ee9e9
+  pullPolicy: IfNotPresent
+subdomain: blinko

apps/charts/bytestash/templates/deployment.yaml

@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
         - name: "{{ .Release.Name }}"
-          image: ghcr.io/jordan-dalby/bytestash:latest
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           ports:
             - containerPort: 5000
               name: http

apps/charts/bytestash/templates/virtual-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: "{{ .Release.Name }}"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  gateways:
+    - "{{ .Values.globals.istio.gateway }}"
+    - mesh
+  hosts:
+    - "{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+    - mesh
+  http:
+    - route:
+        - destination:
+            host: "{{ .Release.Name }}"
+            port:
+              number: 80

apps/charts/bytestash/values.yaml

@@ -0,0 +1,4 @@
+subdomain: bytestash
+image:
+  repository: ghcr.io/jordan-dalby/bytestash
+  tag: 1.5.9@sha256:9c17b5510ca45c976fe23b0d4705ad416aa58d4bf756a70e03ef1f08cf7801fd

apps/charts/calibre-web/templates/deployment.yaml

@@ -24,6 +24,8 @@ spec:
           env:
             - name: TZ
               value: "{{ .Values.globals.timezone }}"
+            - name: NETWORK_SHARE_MODE
+              value: "true"
             - name: PUID
               value: "1000"
             - name: PGID
@@ -31,7 +33,7 @@ spec:
           volumeMounts:
             - mountPath: /config
               name: data
-            - mountPath: /books
+            - mountPath: /calibre-library
               name: books
       volumes:
         - name: data

apps/charts/calibre-web/templates/virtual-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: "{{ .Release.Name }}"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  gateways:
+    - "{{ .Values.globals.istio.gateway }}"
+    - mesh
+  hosts:
+    - "{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+    - mesh
+  http:
+    - route:
+        - destination:
+            host: "{{ .Release.Name }}"
+            port:
+              number: 80

apps/charts/calibre-web/values.yaml

@@ -0,0 +1,5 @@
+image:
+  repository: crocodilestick/calibre-web-automated
+  tag: latest@sha256:577e846f104fd21453ef306eefb4a95dd95b3b9ddd2463a150944494284da0fd
+  pullPolicy: IfNotPresent
+subdomain: calibre-web

apps/charts/coder/templates/deployment.yaml

@@ -1,24 +1,25 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: '{{ .Release.Name }}'
+  name: "{{ .Release.Name }}"
 spec:
   strategy:
     type: Recreate
   replicas: 1
+  revisionHistoryLimit: 0
   selector:
     matchLabels:
-      app: '{{ .Release.Name }}'
+      app: "{{ .Release.Name }}"
   template:
     metadata:
       labels:
-        app: '{{ .Release.Name }}'
+        app: "{{ .Release.Name }}"
     spec:
-      serviceAccountName: '{{ .Release.Name }}-serviceaccount'
+      serviceAccountName: "{{ .Release.Name }}-serviceaccount"
       containers:
-        - name: '{{ .Release.Name }}'
-          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
-          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+        - name: "{{ .Release.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
           ports:
             - name: http
               containerPort: 7080
@@ -34,7 +35,7 @@ spec:
               name: data
           env:
             - name: CODER_HTTP_ADDRESS
-              value: '0.0.0.0:7080'
+              value: "0.0.0.0:7080"
             - name: CODER_OIDC_ALLOWED_GROUPS
               value: admin
             - name: CODER_OIDC_GROUP_FIELD
@@ -44,30 +45,30 @@ spec:
             - name: CODER_OIDC_ICON_URL
               value: https://authentik.olsen.cloud/static/dist/assets/icons/icon.png
             - name: CODER_DISABLE_PASSWORD_AUTH
-              value: 'true'
+              value: "true"
             - name: CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS
-              value: 'false'
+              value: "false"
             - name: CODER_OIDC_SIGN_IN_TEXT
-              value: 'Sign in with OIDC'
+              value: "Sign in with OIDC"
             - name: CODER_OIDC_SCOPES
               value: openid,profile,email,offline_access
             - name: CODER_OIDC_ISSUER_URL
               valueFrom:
                 secretKeyRef:
-                  name: '{{ .Release.Name }}-client'
+                  name: "{{ .Release.Name }}-client"
                   key: configurationIssuer
             - name: CODER_OIDC_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: '{{ .Release.Name }}-client'
+                  name: "{{ .Release.Name }}-client"
                   key: clientId
             - name: CODER_OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: '{{ .Release.Name }}-client'
+                  name: "{{ .Release.Name }}-client"
                   key: clientSecret
 
       volumes:
         - name: data
           persistentVolumeClaim:
-            claimName: '{{ .Release.Name }}-data'
+            claimName: "{{ .Release.Name }}-data"

apps/charts/coder/templates/virtual-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: "{{ .Release.Name }}"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  gateways:
+    - "{{ .Values.globals.istio.gateway }}"
+    - mesh
+  hosts:
+    - "{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+    - mesh
+  http:
+    - route:
+        - destination:
+            host: "{{ .Release.Name }}"
+            port:
+              number: 80

apps/charts/coder/values.yaml

@@ -0,0 +1,5 @@
+image:
+  repository: ghcr.io/coder/coder
+  tag: v2.29.1@sha256:19b3ecd02510b4ee91ba488c61a3f40a6c164c9aeef38999c855e55fd653097c
+  pullPolicy: IfNotPresent
+subdomain: coder

apps/charts/data/values.yaml

@@ -0,0 +1 @@
+{}

apps/charts/drip.disabled/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: drip

apps/charts/drip.disabled/templates/deployment.yaml

@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+            - name: tcp-tunnel-min
+              containerPort: {{ .Values.service.tcpPortMin }}
+              protocol: TCP
+            - name: tcp-tunnel-max
+              containerPort: {{ .Values.service.tcpPortMax }}
+              protocol: TCP
+
+          volumeMounts:
+            - mountPath: /app/data
+              name: data
+          env:
+            - name: TZ
+              value: UTC
+            - name: AUTH_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-secrets"
+                  key: authtoken
+            - name: DOMAIN
+              value: "{{ .Values.subdomain }}.{{ .Values.globals.environment }}"
+          command:
+            - drip-server
+            - --domain
+            - "{{ .Values.subdomain }}.{{ .Values.globals.environment }}"
+            - --port
+            - "{{ .Values.service.port }}"
+            - --token
+            - "$(AUTH_TOKEN)"
+            - --tcp-port-min
+            - "{{ .Values.service.tcpPortMin }}"
+            - --tcp-port-max
+            - "{{ .Values.service.tcpPortMax }}"
+          livenessProbe:
+            exec:
+              command: {{ .Values.healthcheck.test }}
+            initialDelaySeconds: {{ .Values.healthcheck.startPeriod | default 0 | trimSuffix "s" | int }}
+            periodSeconds: {{ .Values.healthcheck.interval | default 10 | trimSuffix "s" | int }}
+            timeoutSeconds: {{ .Values.healthcheck.timeout | default 1 | trimSuffix "s" | int }}
+            failureThreshold: {{ .Values.healthcheck.retries | default 3 }}
+          readinessProbe:
+            exec:
+              command: {{ .Values.healthcheck.test }}
+            initialDelaySeconds: {{ .Values.healthcheck.startPeriod | default 0 | trimSuffix "s" | int }}
+            periodSeconds: {{ .Values.healthcheck.interval | default 10 | trimSuffix "s" | int }}
+            timeoutSeconds: {{ .Values.healthcheck.timeout | default 1 | trimSuffix "s" | int }}
+            failureThreshold: {{ .Values.healthcheck.retries | default 3 }}
+
+          resources:
+            limits:
+              cpu: "{{ .Values.resources.limits.cpu }}"
+              memory: "{{ .Values.resources.limits.memory }}"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-data"

apps/charts/drip.disabled/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: {{ .Values.service.port }}

apps/charts/drip.disabled/templates/pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: "{{ .Release.Name }}-data"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: '{{ .Values.globals.environment }}'

apps/charts/drip.disabled/templates/secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: GenerateSecret
+metadata:
+  name: "{{ .Release.Name }}-secrets"
+spec:
+  fields:
+    - name: authtoken
+      encoding: hex
+      length: 64

apps/charts/drip.disabled/templates/service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+    - port: {{ .Values.service.tcpPortMin }}
+      targetPort: tcp-tunnel-min
+      protocol: TCP
+      name: tcp-tunnel-min
+    - port: {{ .Values.service.tcpPortMax }}
+      targetPort: tcp-tunnel-max
+      protocol: TCP
+      name: tcp-tunnel-max
+  selector:
+    app: "{{ .Release.Name }}"

apps/charts/drip.disabled/templates/virtual-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: "{{ .Release.Name }}"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  gateways:
+    - "{{ .Values.globals.istio.gateway }}"
+    - mesh
+  hosts:
+    - "{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+    - mesh
+  http:
+    - route:
+        - destination:
+            host: "{{ .Release.Name }}"
+            port:
+              number: 80

apps/charts/drip.disabled/values.yaml

@@ -0,0 +1,27 @@
+image:
+  repository: ghcr.io/gouryella/drip
+  tag: latest@sha256:440bcfd7eb75bf0b337d60346e44ae9e5be803e2504697ea7aa1b4f5fce568b9
+  pullPolicy: IfNotPresent
+subdomain: drip
+
+service:
+  port: 443
+  tcpPortMin: 20000
+  tcpPortMax: 20100
+
+resources:
+  limits:
+    cpu: 1
+    memory: 512Mi
+
+healthcheck:
+  test:
+    - wget
+    - --no-verbose
+    - --tries=1
+    - --spider
+    - http://localhost:443/health
+  interval: 30s
+  timeout: 3s
+  retries: 3
+  startPeriod: 10s

apps/charts/environment/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: environment

apps/charts/environment/templates/environment.yaml

@@ -0,0 +1,9 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: Environment
+metadata:
+  name: "{{ .Values.globals.environment }}"
+spec:
+  domain: "{{ .Values.globals.domain }}"
+  networkIp: 192.168.20.180
+  tls:
+    issuer: lets-encrypt-prod

apps/charts/environment/values.yaml

@@ -0,0 +1,4 @@
+globals:
+  environment: prod
+  timezone: Europe/Amsterdam
+  domain: olsen.cloud

apps/charts/esphome/templates/deployment.yaml

@@ -6,6 +6,7 @@ spec:
   strategy:
     type: Recreate
   replicas: 1
+  revisionHistoryLimit: 0
   selector:
     matchLabels:
       app: "{{ .Release.Name }}"

apps/charts/esphome/templates/virtual-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: "{{ .Release.Name }}"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  gateways:
+    - "{{ .Values.globals.istio.gateway }}"
+    - mesh
+  hosts:
+    - "{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+    - mesh
+  http:
+    - route:
+        - destination:
+            host: "{{ .Release.Name }}"
+            port:
+              number: 80

apps/charts/esphome/values.yaml

@@ -0,0 +1,5 @@
+image:
+  repository: ghcr.io/esphome/esphome
+  tag: 2025.12.1@sha256:3a81bf977aca174a74800e33baa11565a77c3f56b574206087555349c6f275bc
+  pullPolicy: IfNotPresent
+subdomain: esphome

apps/charts/forgejo/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+version: 1.0.0
+name: forgejo
+dependencies:
+  - name: woodpecker
+    version: 3.4.2
+    repository: https://woodpecker-ci.org/
+

apps/charts/forgejo/templates/deployment.yaml

@@ -0,0 +1,106 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+            - name: ssh
+              containerPort: 22
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /data
+              name: data
+          env:
+            - name: TZ
+              value: "{{ .Values.globals.timezone }}"
+            - name: USER_UID
+              value: "1000"
+            - name: USER_GID
+              value: "1000"
+            - name: FORGEJO__server__SSH_DOMAIN
+              value: "ssh-{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+            - name: FORGEJO__server__SSH_PORT
+              value: "2206"
+            - name: FORGEJO__service__REQUIRE_EXTERNAL_REGISTRATION_PASSWORD
+              value: "true"
+            #- name: FORGEJO__service__ENABLE_BASIC_AUTHENTICATION
+            #  value: 'true'
+            - name: FORGEJO__service__ENABLE_PASSWORD_SIGNIN_FORM
+              value: "false"
+            - name: FORGEJO__service__DEFAULT_KEEP_EMAIL_PRIVATE
+              value: "true"
+            - name: FORGEJO__service__DEFAULT_USER_IS_RESTRICTED
+              value: "true"
+            - name: FORGEJO__service__DEFAULT_USER_VISIBILITY
+              value: "private"
+            - name: FORGEJO__service__DEFAULT_ORG_VISIBILITY
+              value: "private"
+            - name: FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION
+              value: "true"
+            - name: FORGEJO__other__SHOW_FOOTER_POWERED_BY
+              value: "false"
+            - name: FORGEJO__other__SHOW_FOOTER_TEMPLATE_LOAD_TIME
+              value: "false"
+            - name: FORGEJO__other__SHOW_FOOTER_VERSION
+              value: "false"
+            - name: FORGEJO__repository__ENABLE_PUSH_CREATE_USER
+              value: "true"
+            - name: FORGEJO__repository__ENABLE_PUSH_CREATE_ORG
+              value: "true"
+            - name: FORGEJO__openid__ENABLE_OPENID_SIGNIN
+              value: "false"
+            - name: FORGEJO__openid__ENABLE_OPENID_SIGNUP
+              value: "false"
+            - name: FORGEJO__database__DB_TYPE
+              value: postgres
+            - name: FORGEJO__database__NAME
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-pg-connection"
+                  key: database
+            - name: FORGEJO__database__HOST
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-pg-connection"
+                  key: host
+            - name: FORGEJO__database__DB_PORT
+              value: "5432"
+            - name: FORGEJO__database__USER
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-pg-connection"
+                  key: user
+            - name: FORGEJO__database__PASSWD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-pg-connection"
+                  key: password
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-data"

apps/charts/forgejo/templates/service.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 3000
+      protocol: TCP
+      name: http
+  selector:
+    app: "{{ .Release.Name }}"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}-ssh"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 2206
+      targetPort: 22
+      protocol: TCP
+      name: ssh
+  selector:
+    app: "{{ .Release.Name }}"

apps/charts/forgejo/templates/virtual-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: "{{ .Release.Name }}"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  gateways:
+    - "{{ .Values.globals.istio.gateway }}"
+    - mesh
+  hosts:
+    - "{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+    - mesh
+  http:
+    - route:
+        - destination:
+            host: "{{ .Release.Name }}"
+            port:
+              number: 80

apps/charts/forgejo/templates/woodpecker-external-http-service.yaml

@@ -0,0 +1,13 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: "{{ .Release.Name }}-woodpecker"
+
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: 'woodpecker'
+  destination:
+    host: '{{ .Release.Name }}-woodpecker-server.{{ .Release.Namespace }}.svc.cluster.local'
+
+    port:
+      number: 80

apps/charts/forgejo/values.yaml

@@ -0,0 +1,13 @@
+image:
+  repository: codeberg.org/forgejo/forgejo
+  tag: 13
+  pullPolicy: IfNotPresent
+subdomain: code
+
+woodpecker:
+  server:
+    env:
+      - name: WOODPECKER_GITEA
+        value: "true"
+  agent:
+    enabled: true

apps/charts/gitea/templates/client.yaml

@@ -5,6 +5,6 @@ metadata:
 spec:
   environment: '{{ .Values.globals.environment }}'
   redirectUris:
-    - path: /oauth/oidc/callback
+    - path: /user/oauth2/Authentik/callback
       subdomain: '{{ .Values.subdomain }}'
       matchingMode: strict