Update Docker images

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.claude/settings.local.json

@@ -0,0 +1,16 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(git -C /Users/alice/Projects/private/homelab/apps log --oneline -10)",
+      "Bash(git -C /Users/alice/Projects/private/homelab/apps remote -v)",
+      "Bash(git -C /Users/alice/Projects/private/homelab/apps config --list)",
+      "Bash(ls:*)",
+      "Bash(git -C /Users/alice/Projects/private/homelab/apps log --all --oneline --decorate -15)",
+      "Bash(git -C /Users/alice/Projects/private/homelab/apps branch -a)",
+      "Bash(helm dependency:*)",
+      "Bash(helm lint:*)",
+      "Bash(helm template:*)",
+      "Bash(kubectl get:*)"
+    ]
+  }
+}

.gitignore

@@ -0,0 +1,11 @@
+# Helm chart dependencies (packaged library charts)
+# These are generated by 'helm dependency update' and should not be committed
+**/charts/*.tgz
+charts/*.tgz
+
+**/__pycache__/
+__pycache__/
+
+**/Chart.lock
+
+*-local-secret.yaml

.yamllint

@@ -0,0 +1,16 @@
+---
+extends: default
+
+rules:
+  line-length:
+    max: 120
+    level: warning
+  indentation:
+    spaces: 2
+    indent-sequences: true
+  comments:
+    min-spaces-from-content: 1
+  document-start: disable
+  truthy:
+    allowed-values: ['true', 'false', 'on', 'off']
+

AGENTS.md

@@ -0,0 +1,79 @@
+# Application Helm Charts Guide
+
+This document provides guidelines for creating and maintaining Helm charts in this homelab project.
+
+## Project Structure
+
+```
+apps/
+├── charts/           # Individual application Helm charts
+│   ├── app-name/
+│   │   ├── Chart.yaml
+│   │   ├── values.yaml
+│   │   └── templates/
+│   │       ├── deployment.yaml
+│   │       ├── service.yaml
+│   │       ├── pvc.yaml
+│   │       ├── client.yaml      # OIDC client configuration
+│   │       ├── database.yaml    # Database provisioning
+│   │       ├── secret.yaml      # Secret generation
+│   │       └── external-http-service.yaml
+│   └── ...
+└── root/            # ArgoCD ApplicationSet for auto-discovery
+    ├── Chart.yaml
+    ├── values.yaml
+    └── templates/
+        ├── applicationset.yaml
+        └── project.yaml
+
+foundation/
+├── charts/          # Foundation service Helm charts
+│   └── ...
+└── root/            # ArgoCD ApplicationSet for foundation services
+
+shared/
+├── charts/          # Shared service Helm charts
+│   └── ...
+└── root/            # ArgoCD ApplicationSet for shared services
+```
+
+## ArgoCD ApplicationSets
+
+This project uses three separate ArgoCD ApplicationSets to manage different categories of services:
+
+1. **apps/** - Individual applications (web apps, tools, services)
+2. **foundation/** - Core infrastructure for the cluster (monitoring, certificates, operators)
+3. **shared/** - Infrastructure shared between applications (databases, message queues, caches)
+
+Each category has its own `root/` chart containing an ApplicationSet that auto-discovers and deploys charts from its respective `charts/` directory.
+
+## Creating a New Application Chart
+
+### 1. Basic Chart Structure
+
+Create a new directory under `apps/charts/` with the following structure:
+
+```bash
+mkdir -p apps/charts/my-app/templates
+```
+
+#### Chart.yaml
+
+```yaml
+apiVersion: v2
+version: 1.0.0
+name: my-app
+```
+
+#### values.yaml
+
+```yaml
+image:
+  repository: docker.io/org/my-app
+  tag: v1.0.0
+  pullPolicy: IfNotPresent
+subdomain: my-app
+```
+
+See ./apps/common/README.md for guide on writing charts
+

CLAUDE.md

@@ -0,0 +1,100 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+Kubernetes Helm-based homelab application deployment system using ArgoCD for GitOps. Contains 40+ containerized applications deployed via Helm charts with a shared common library to minimize template duplication.
+
+## Commands
+
+```bash
+# Validate YAML files
+yamllint .
+
+# Helm chart operations (run from chart directory)
+helm dependency build           # Fetch common library dependency
+helm lint .                     # Validate chart syntax
+helm template <release> . --set globals.environment=prod --set globals.domain=example.com
+
+# Utility scripts
+./scripts/migrate_database.py <source_db> <dest_db> [--clean]  # PostgreSQL migration
+./scripts/sync_pvc_with_host.sh <host-path> <namespace> <pvc>  # PVC sync
+```
+
+## Architecture
+
+### Directory Structure
+- `apps/charts/` - Individual application Helm charts (deployed to `prod` namespace)
+- `apps/common/` - Shared Helm library chart with standardized templates
+- `apps/root/` - ArgoCD ApplicationSet for auto-discovery
+- `shared/charts/` - Shared infrastructure services (authentik, nats)
+- `scripts/` - Python/Bash utility scripts for database migration and PVC sync
+
+### Deployment Model
+Three ArgoCD ApplicationSets auto-discover charts from their respective `charts/` directories. Folders suffixed with `.disabled` are excluded from deployment.
+
+### Common Library Pattern
+Most charts use the common library (`apps/common/`) which provides standardized templates. A minimal chart needs:
+
+1. `Chart.yaml` with common library dependency:
+```yaml
+apiVersion: v2
+version: 1.0.0
+name: my-app
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../../common
+```
+
+2. Standardized `values.yaml` (see `apps/common/README.md` for full structure)
+
+3. Template files that include common helpers:
+```yaml
+# templates/deployment.yaml
+{{ include "common.deployment" . }}
+```
+
+Or use single file with `{{ include "common.all" . }}` to render all resources automatically.
+
+### Key Templates
+- `common.deployment` - Deployment with health probes, volumes, init containers
+- `common.service` - Service(s) with port mapping
+- `common.pvc` - Persistent volume claims
+- `common.virtualService` - Istio routing (public/private gateways)
+- `common.oidc` - Authentik OIDC client registration
+- `common.database` - PostgreSQL database provisioning
+- `common.externalSecrets` - Password generators and secret templates
+
+### Placeholders in values.yaml
+- `{release}` - Release name
+- `{namespace}` - Release namespace
+- `{fullname}` - Full app name
+- `{subdomain}` - App subdomain (from `subdomain` value)
+- `{domain}` - Global domain
+- `{timezone}` - Global timezone
+
+### Secret Naming Conventions
+- OIDC credentials: `{release}-oidc-credentials` (clientId, clientSecret, issuer)
+- Database connection: `{release}-connection` (url, host, port, user, password)
+- Generated secrets: `{release}-secrets`
+
+## Conventions
+
+- Chart and release names use kebab-case
+- All container images pinned by SHA256 digest (Renovate manages updates)
+- Storage uses `persistent` storageClassName
+- Istio VirtualServices route via public/private gateways
+- Deployment strategy: `Recreate` for stateful apps, `RollingUpdate` for stateless
+
+## YAML Style
+- Max line length: 120 characters
+- Indentation: 2 spaces
+- Truthy values: `true`, `false`, `on`, `off`
+
+## Documentation
+- `AGENTS.md` - Chart creation guidelines
+- `apps/common/README.md` - Complete common library reference
+- `apps/common/MIGRATION.md` - Guide for migrating charts to common library
+- `apps/common/TEMPLATING.md` - Placeholder system documentation

apps.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: apps-data
+  labels:
+    type: local
+spec:
+  capacity:
+    storage: 5Gi # Adjust this to your desired size
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain # Retain the data even if the PV is deleted
+  storageClassName: "manual-app-data"
+  hostPath:
+    path: "/data/volumes" # The specific host path for your 'apps' volume
+    type: DirectoryOrCreate # Ensures the directory exists on the host
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: apps-data
+  namespace: prod # Specify the namespace
+spec:
+  storageClassName: "manual-app-data"
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 5Gi # Must match or be less than the PV's capacity

apps/charts/audiobookshelf/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+version: 1.0.0
+name: audiobookshelf
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../../common

apps/charts/audiobookshelf/templates/deployment.yaml

@@ -0,0 +1 @@
+{{ include "common.deployment" . }}

apps/charts/audiobookshelf/templates/dns.yaml

@@ -0,0 +1 @@
+{{ include "common.dns" . }}

apps/charts/audiobookshelf/templates/oidc.yaml

@@ -0,0 +1 @@
+{{ include "common.oidc" . }}

apps/charts/audiobookshelf/templates/pvc.yaml

@@ -0,0 +1 @@
+{{ include "common.pvc" . }}

apps/charts/audiobookshelf/templates/service.yaml

@@ -0,0 +1 @@
+{{ include "common.service" . }}

apps/charts/audiobookshelf/templates/virtual-service.yaml

@@ -0,0 +1 @@
+{{ include "common.virtualService" . }}

apps/charts/audiobookshelf/values.yaml

@@ -0,0 +1,68 @@
+image:
+  repository: ghcr.io/advplyr/audiobookshelf
+  tag: 2.32.1@sha256:a52dc5db694a5bf041ce38f285dd6c6a660a4b1b21e37ad6b6746433263b2ae5
+  pullPolicy: IfNotPresent
+
+subdomain: audiobookshelf
+
+# Deployment configuration
+deployment:
+  strategy: Recreate
+  replicas: 1
+
+# Container configuration
+container:
+  port: 80
+  healthProbe:
+    type: httpGet
+    path: /ping
+
+# Service configuration
+service:
+  port: 80
+  type: ClusterIP
+
+# Volume configuration
+volumes:
+  - name: config
+    mountPath: /config
+    persistentVolumeClaim: config # Will be prefixed with release name in template
+  - name: metadata
+    mountPath: /metadata
+    persistentVolumeClaim: metadata # Will be prefixed with release name in template
+  - name: audiobooks
+    mountPath: /audiobooks
+    persistentVolumeClaim: books
+  - name: podcasts
+    mountPath: /podcasts
+    persistentVolumeClaim: podcasts
+
+# Persistent volume claims
+persistentVolumeClaims:
+  - name: config
+    size: 1Gi
+    storageClassName: persistent
+  - name: metadata
+    size: 5Gi
+    storageClassName: persistent
+
+# DNS configuration
+dns:
+  enabled: true
+  type: A
+  dnsClassRef:
+    name: private-dns
+
+# OIDC/Authentik configuration
+oidc:
+  enabled: true
+  redirectUris:
+    - "/audiobookshelf/auth/openid/callback"
+    - "/audiobookshelf/auth/openid/mobile-redirect"
+
+# VirtualService configuration
+virtualService:
+  enabled: true
+  gateways:
+    public: true
+    private: true

apps/charts/baikal/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+version: 1.0.0
+name: baikal
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../../common

apps/charts/baikal/templates/database.yaml

@@ -0,0 +1 @@
+{{ include "common.database" . }}

apps/charts/baikal/templates/deployment.yaml

@@ -0,0 +1 @@
+{{ include "common.deployment" . }}

apps/charts/baikal/templates/pvc.yaml

@@ -0,0 +1 @@
+{{ include "common.pvc" . }}

apps/charts/baikal/templates/service.yaml

@@ -0,0 +1 @@
+{{ include "common.service" . }}

apps/charts/baikal/templates/virtual-service.yaml

@@ -0,0 +1 @@
+{{ include "common.virtualService" . }}

apps/charts/baikal/values.yaml

@@ -0,0 +1,50 @@
+image:
+  repository: docker.io/ckulka/baikal
+  tag: 0.10.1-nginx@sha256:434bdd162247cc6aa6f878c9b4dce6216e39e79526b980453b13812d5f8ebf4b
+  pullPolicy: IfNotPresent
+
+subdomain: baikal
+
+# Deployment configuration
+deployment:
+  strategy: Recreate
+  replicas: 1
+
+# Container configuration
+container:
+  port: 80
+  healthProbe:
+    type: tcpSocket
+    port: http # Use named port
+
+# Database configuration
+database:
+  enabled: true
+
+# Service configuration
+service:
+  port: 80
+  type: ClusterIP
+
+# Volume configuration
+volumes:
+  - name: data
+    mountPath: /var/www/baikal/Specific
+    persistentVolumeClaim: data
+  - name: config
+    mountPath: /var/www/baikal/config
+    persistentVolumeClaim: config
+
+# Persistent volume claims
+persistentVolumeClaims:
+  - name: data
+    size: 1Gi
+  - name: config
+    size: 1Gi
+
+# VirtualService configuration
+virtualService:
+  enabled: true
+  gateways:
+    public: true
+    private: true

apps/charts/bytestash/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+version: 1.0.0
+name: bytestash
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../../common

apps/charts/bytestash/templates/deployment.yaml

@@ -0,0 +1 @@
+{{ include "common.deployment" . }}

apps/charts/bytestash/templates/oidc.yaml

@@ -0,0 +1 @@
+{{ include "common.oidc" . }}

apps/charts/bytestash/templates/pvc.yaml

@@ -0,0 +1 @@
+{{ include "common.pvc" . }}

apps/charts/bytestash/templates/service.yaml

@@ -0,0 +1 @@
+{{ include "common.service" . }}

apps/charts/bytestash/templates/virtual-service.yaml

@@ -0,0 +1 @@
+{{ include "common.virtualService" . }}

apps/charts/bytestash/values.yaml

@@ -0,0 +1,74 @@
+image:
+  repository: ghcr.io/jordan-dalby/bytestash
+  tag: 1.5.9@sha256:9c17b5510ca45c976fe23b0d4705ad416aa58d4bf756a70e03ef1f08cf7801fd
+  pullPolicy: IfNotPresent
+
+subdomain: bytestash
+
+# Deployment configuration
+deployment:
+  strategy: Recreate
+  replicas: 1
+
+# Container configuration
+container:
+  ports:
+    - name: http
+      port: 5000
+      protocol: TCP
+  healthProbe:
+    type: tcpSocket
+    port: http
+
+# Service configuration
+service:
+  port: 80
+  type: ClusterIP
+
+# Volume configuration
+volumes:
+  - name: data
+    mountPath: /data/snippets
+    persistentVolumeClaim: data
+
+# Persistent volume claims
+persistentVolumeClaims:
+  - name: data
+    size: 1Gi
+    storageClassName: persistent
+
+# VirtualService configuration
+virtualService:
+  enabled: true
+  gateways:
+    public: true
+    private: true
+
+# OIDC/Authentik configuration
+oidc:
+  enabled: true
+  redirectUris:
+    - "/api/auth/oidc/callback"
+  subjectMode: user_username
+
+# Environment variables
+env:
+  ALLOW_NEW_ACCOUNTS: "true"
+  DISABLE_INTERNAL_ACCOUNTS: "true"
+  OIDC_ENABLED: "true"
+  OIDC_DISPLAY_NAME: OIDC
+  OIDC_CLIENT_ID:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-oidc-credentials"
+        key: clientId
+  OIDC_CLIENT_SECRET:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-oidc-credentials"
+        key: clientSecret
+  OIDC_ISSUER_URL:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-oidc-credentials"
+        key: issuer

apps/charts/calibre-web/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+version: 1.0.0
+name: calibre-web
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../../common

apps/charts/calibre-web/templates/deployment.yaml

@@ -0,0 +1 @@
+{{ include "common.deployment" . }}

apps/charts/calibre-web/templates/pvc.yaml

@@ -0,0 +1 @@
+{{ include "common.pvc" . }}

apps/charts/calibre-web/templates/service.yaml

@@ -0,0 +1 @@
+{{ include "common.service" . }}

apps/charts/calibre-web/templates/virtual-service.yaml

@@ -0,0 +1 @@
+{{ include "common.virtualService" . }}

apps/charts/calibre-web/values.yaml

@@ -0,0 +1,50 @@
+image:
+  repository: crocodilestick/calibre-web-automated
+  tag: latest@sha256:c31a738b6d5ec6982c050063dd3f063b6943eb1051fc81144789f840d9093a8d
+  pullPolicy: IfNotPresent
+
+subdomain: calibre-web
+
+# Deployment configuration
+deployment:
+  strategy: Recreate
+  replicas: 1
+
+# Container configuration
+container:
+  port: 8083
+  healthProbe:
+    type: tcpSocket
+
+# Service configuration
+service:
+  port: 80
+  type: ClusterIP
+
+# Volume configuration
+volumes:
+  - name: data
+    mountPath: /config
+    persistentVolumeClaim: data # Will be prefixed with release name
+  - name: books
+    mountPath: /calibre-library
+    persistentVolumeClaim: books # External PVC, used as-is
+
+# Persistent volume claims
+persistentVolumeClaims:
+  - name: data
+    size: 1Gi
+    storageClassName: persistent
+
+# VirtualService configuration
+virtualService:
+  enabled: true
+  gateways:
+    public: true
+    private: true
+
+# Environment variables
+env:
+  NETWORK_SHARE_MODE: "true"
+  PUID: "1000"
+  PGID: "1000"

apps/charts/coder/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+version: 1.0.0
+name: coder
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../../common

apps/charts/coder/templates/deployment.yaml

@@ -0,0 +1 @@
+{{ include "common.deployment" . }}

apps/charts/coder/templates/oidc.yaml

@@ -0,0 +1 @@
+{{ include "common.oidc" . }}

apps/charts/coder/templates/pvc.yaml

@@ -0,0 +1 @@
+{{ include "common.pvc" . }}

apps/charts/coder/templates/service.yaml

@@ -0,0 +1 @@
+{{ include "common.service" . }}

apps/charts/coder/templates/virtual-service.yaml

@@ -0,0 +1 @@
+{{ include "common.virtualService" . }}

apps/charts/coder/values.yaml

@@ -0,0 +1,80 @@
+image:
+  repository: ghcr.io/coder/coder
+  tag: v2.29.1@sha256:19b3ecd02510b4ee91ba488c61a3f40a6c164c9aeef38999c855e55fd653097c
+  pullPolicy: IfNotPresent
+
+subdomain: coder
+
+# Deployment configuration
+deployment:
+  strategy: Recreate
+  replicas: 1
+  serviceAccountName: "{release}-serviceaccount" # Will be templated
+
+# Container configuration
+container:
+  port: 7080
+  healthProbe:
+    type: tcpSocket
+    port: http # Use named port
+
+# Service configuration
+service:
+  port: 80
+  type: ClusterIP
+
+# OIDC client
+oidc:
+  enabled: true
+  redirectUris:
+    - "/api/v2/users/oidc/callback"
+
+# Volume configuration
+volumes:
+  - name: data
+    mountPath: /home/coder/.config
+    persistentVolumeClaim: data
+    storageClassName: persistent
+
+# Persistent volume claims
+persistentVolumeClaims:
+  - name: data
+    size: 1Gi
+
+# VirtualService configuration
+virtualService:
+  enabled: true
+  allowWildcard: true
+  gateways:
+    public: false
+    private: true
+
+# Environment variables
+env:
+  CODER_HTTP_ADDRESS: "0.0.0.0:7080"
+  CODER_OIDC_ALLOWED_GROUPS: admin
+  CODER_OIDC_GROUP_FIELD: groups
+  CODER_ACCESS_URL:
+    value: "https://{subdomain}.{domain}"
+  CODER_WILDCARD_ACCESS_URL:
+    value: "*.{subdomain}.{domain}"
+  CODER_OIDC_ICON_URL: "https://{subdomain}.{domain}/static/dist/assets/icons/icon.png"
+  CODER_DISABLE_PASSWORD_AUTH: "true"
+  CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS: "false"
+  CODER_OIDC_SIGN_IN_TEXT: "Sign in with OIDC"
+  CODER_OIDC_SCOPES: "openid,profile,email,offline_access"
+  CODER_OIDC_ISSUER_URL:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-oidc-credentials"
+        key: issuer
+  CODER_OIDC_CLIENT_ID:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-oidc-credentials"
+        key: clientId
+  CODER_OIDC_CLIENT_SECRET:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-oidc-credentials"
+        key: clientSecret

apps/charts/esphome/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+version: 1.0.0
+name: esphome
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../../common

apps/charts/esphome/templates/deployment.yaml

@@ -0,0 +1 @@
+{{ include "common.deployment" . }}

apps/charts/esphome/templates/pvc.yaml

@@ -0,0 +1 @@
+{{ include "common.pvc" . }}

apps/charts/esphome/templates/service.yaml

@@ -0,0 +1 @@
+{{ include "common.service" . }}

apps/charts/esphome/templates/virtual-service.yaml

@@ -0,0 +1 @@
+{{ include "common.virtualService" . }}

apps/charts/esphome/values.yaml

@@ -0,0 +1,43 @@
+image:
+  repository: ghcr.io/esphome/esphome
+  tag: 2025.12.4@sha256:a7915def0a60c76506db766b7b733760f09b47ab6a511d5052a6d38bc3f424e3
+  pullPolicy: IfNotPresent
+
+subdomain: esphome
+
+# Deployment configuration
+deployment:
+  strategy: Recreate
+  replicas: 1
+  hostNetwork: true # ESPHome needs hostNetwork for device discovery
+
+# Container configuration
+container:
+  port: 6052
+  healthProbe:
+    type: tcpSocket
+    port: http # Use named port
+
+# Service configuration
+service:
+  port: 80
+  type: ClusterIP
+
+# Volume configuration
+volumes:
+  - name: data
+    mountPath: /config
+    persistentVolumeClaim: data
+
+# Persistent volume claims
+persistentVolumeClaims:
+  - name: data
+    size: 10Gi
+    storageClassName: persistent
+
+# VirtualService configuration
+virtualService:
+  enabled: true
+  gateways:
+    public: false
+    private: true

apps/charts/forgejo/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+version: 1.0.0
+name: forgejo
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../../common

apps/charts/forgejo/templates/database.yaml

@@ -0,0 +1,2 @@
+{{ include "common.database" . }}
+

apps/charts/forgejo/templates/deployment.yaml

@@ -0,0 +1,76 @@
+{{- if .Values.actions.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "common.fullname" . }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+spec:
+  strategy:
+    type: {{ include "common.deploymentStrategy" . }}
+  replicas: {{ .Values.deployment.replicas | default 1 }}
+  {{- if .Values.deployment.revisionHistoryLimit }}
+  revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "common.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "common.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- if .Values.deployment.serviceAccountName }}
+      serviceAccountName: {{ .Values.deployment.serviceAccountName | replace "{release}" .Release.Name | replace "{fullname}" (include "common.fullname" .) }}
+      {{- end }}
+      {{- if .Values.deployment.hostNetwork }}
+      hostNetwork: {{ .Values.deployment.hostNetwork }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }}
+          ports:
+{{ include "common.containerPorts" . | indent 12 }}
+          {{- if .Values.container.healthProbe }}
+          livenessProbe:
+{{ include "common.healthProbe" . | indent 12 }}
+          readinessProbe:
+{{ include "common.healthProbe" . | indent 12 }}
+          {{- end }}
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                  - /bin/sh
+                  - -c
+                  - |
+                    sleep 10
+                    su -c "forgejo forgejo-cli actions register --keep-labels --secret ${FORGEJO_RUNNER_SHARED_SECRET}" git || true
+          {{- if .Values.volumes }}
+          volumeMounts:
+{{ include "common.volumeMounts" . | indent 12 }}
+          {{- end }}
+          {{- if or .Values.env .Values.globals.timezone }}
+          env:
+{{ include "common.env" . | indent 12 }}
+            - name: FORGEJO_RUNNER_SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-runner-secrets"
+                  key: shared-secret
+          {{- else }}
+          env:
+            - name: FORGEJO_RUNNER_SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-runner-secrets"
+                  key: shared-secret
+          {{- end }}
+      {{- if .Values.volumes }}
+      volumes:
+        {{- include "common.volumes" . | nindent 8 }}
+      {{- end }}
+{{- else }}
+{{ include "common.deployment" . }}
+{{- end }}

apps/charts/forgejo/templates/dns.yaml

@@ -0,0 +1 @@
+{{ include "common.dns" . }}

apps/charts/forgejo/templates/oidc.yaml

@@ -0,0 +1 @@
+{{ include "common.oidc" . }}

apps/charts/forgejo/templates/pvc.yaml

@@ -0,0 +1 @@
+{{ include "common.pvc" . }}

apps/charts/forgejo/templates/runner-configmap.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.actions.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "{{ .Release.Name }}-runner-config"
+data:
+  config.yml: |
+    log:
+      level: warn
+      format: text
+    
+    runner:
+      file: .runner
+    
+    container:
+      network: host
+      options: -v /certs/client:/certs/client -e DOCKER_HOST=tcp://localhost:2376 -e DOCKER_TLS_VERIFY=1 -e DOCKER_CERT_PATH=/certs/client
+      valid_volumes:
+        - /certs/client
+    
+    envs:
+      DOCKER_HOST: tcp://localhost:2376
+      DOCKER_TLS_VERIFY: "1"
+      DOCKER_CERT_PATH: /certs/client
+{{- end }}

apps/charts/forgejo/templates/runner-deployment.yaml

@@ -0,0 +1,189 @@
+{{- if .Values.actions.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}-runner"
+  labels:
+    app: "{{ .Release.Name }}-runner"
+spec:
+  replicas: {{ .Values.actions.runner.replicas | default 1 }}
+  revisionHistoryLimit: 2
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}-runner"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}-runner"
+    spec:
+      hostname: docker
+      initContainers:
+        - name: install-jq
+          image: curlimages/curl:latest
+          command:
+            - sh
+            - -c
+            - |
+              # Download static jq binary for Linux amd64
+              curl -L -o /shared/jq https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64
+              chmod +x /shared/jq
+              # Verify it works
+              /shared/jq --version || echo "Warning: jq download may have failed"
+          volumeMounts:
+            - name: shared-tools
+              mountPath: /shared
+      containers:
+        - name: docker-in-docker
+          image: "{{ .Values.actions.runner.dind.image.repository }}:{{ .Values.actions.runner.dind.image.tag }}"
+          imagePullPolicy: "{{ .Values.actions.runner.dind.image.pullPolicy }}"
+          env:
+            - name: DOCKER_TLS_CERTDIR
+              value: /certs
+            - name: DOCKER_HOST
+              value: docker-in-docker
+          securityContext:
+            privileged: true
+          ports:
+            - name: docker
+              containerPort: 2376
+              protocol: TCP
+          volumeMounts:
+            - name: docker-certs
+              mountPath: /certs
+        - name: "{{ .Release.Name }}-runner"
+          image: "{{ .Values.actions.runner.image.repository }}:{{ .Values.actions.runner.image.tag }}"
+          imagePullPolicy: "{{ .Values.actions.runner.image.pullPolicy }}"
+          command:
+            - /bin/sh
+            - -c
+            - |
+              cd /data
+              # Use jq from shared volume (installed by initContainer)
+              export PATH="/shared:${PATH}"
+              export LD_LIBRARY_PATH="/shared/lib:${LD_LIBRARY_PATH}"
+              if ! /shared/jq --version >/dev/null 2>&1; then
+                echo "Error: jq is not working (checking dependencies...)"
+                ldd /shared/jq 2>&1 || true
+                exit 1
+              fi
+              echo "jq is available at /shared/jq"
+              # Wait for shared secret to be available
+              while [ -z "${FORGEJO_RUNNER_SHARED_SECRET}" ]; do
+                echo "Waiting for shared secret..."
+                sleep 1
+              done
+              # Always ensure runner file exists and is up to date
+              if [ ! -f .runner ]; then
+                echo "Creating runner file..."
+                forgejo-runner create-runner-file \
+                  --connect \
+                  --instance "https://{{ .Values.subdomain }}.{{ .Values.globals.domain }}" \
+                  --name "{{ .Values.actions.runner.name | default "default" }}" \
+                  --secret "${FORGEJO_RUNNER_SHARED_SECRET}" || {
+                    echo "Failed to create runner file, will retry..."
+                    sleep 5
+                    exit 1
+                  }
+              fi
+              # Always update labels to match configuration
+              {{- if .Values.actions.runner.labels }}
+              # Verify jq is available
+              if ! command -v jq >/dev/null 2>&1; then
+                echo "Error: jq is not available"
+                exit 1
+              fi
+              LABELS_JSON='[{{- range $index, $label := .Values.actions.runner.labels }}{{- if $index }},{{- end }}"{{ $label }}"{{- end }}]'
+              echo "Updating runner labels to match configuration..."
+              echo "New labels: ${LABELS_JSON}"
+              # Ensure .runner file exists and is readable
+              if [ ! -f .runner ]; then
+                echo "Error: .runner file does not exist"
+                exit 1
+              fi
+              # Show current labels before update
+              CURRENT_LABELS_BEFORE=$(jq -r '.labels // "null"' .runner 2>/dev/null || echo "error reading file")
+              echo "Current labels before update: ${CURRENT_LABELS_BEFORE}"
+              # Update labels
+              if jq --argjson labels "${LABELS_JSON}" '.labels = $labels' .runner > .runner.tmp; then
+                mv .runner.tmp .runner
+                echo "Labels updated successfully"
+                # Verify the update
+                CURRENT_LABELS_AFTER=$(jq -r '.labels // "null"' .runner)
+                echo "Current labels after update: ${CURRENT_LABELS_AFTER}"
+              else
+                echo "Error: Failed to update labels with jq"
+                exit 1
+              fi
+              {{- end }}
+              # Always copy config from ConfigMap to ensure it's up to date
+              echo "Copying config from ConfigMap..."
+              cp /config/config.yml config.yml || {
+                echo "Warning: Failed to copy config from ConfigMap, generating default..."
+                forgejo-runner generate-config > config.yml
+              }
+              # Wait for docker-in-docker TCP to be ready
+              echo "Waiting for docker-in-docker to be ready..."
+              while ! nc -z localhost 2376 2>/dev/null; do
+                echo "Docker daemon not ready, waiting..."
+                sleep 2
+              done
+              # Wait for TLS certificates to be available
+              while [ ! -f /certs/client/ca.pem ]; do
+                echo "Waiting for TLS certificates..."
+                sleep 1
+              done
+              echo "Docker daemon and certificates ready"
+              # Verify runner file exists before starting daemon
+              if [ ! -f .runner ] || [ ! -w .runner ]; then
+                echo "Error: .runner file is missing or not writable"
+                exit 1
+              fi
+              # Run daemon
+              echo "Starting runner daemon..."
+              while : ; do
+                forgejo-runner --config config.yml daemon || {
+                  echo "Daemon exited, restarting in 5 seconds..."
+                  sleep 5
+                }
+              done
+          env:
+            - name: FORGEJO_INSTANCE_URL
+              value: "https://{{ .Values.subdomain }}.{{ .Values.globals.domain }}"
+            - name: FORGEJO_RUNNER_NAME
+              value: {{ .Values.actions.runner.name | default "default" | quote }}
+            - name: FORGEJO_RUNNER_SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-runner-secrets"
+                  key: shared-secret
+            - name: DOCKER_HOST
+              value: tcp://localhost:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/client
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+          volumeMounts:
+            - name: runner-data
+              mountPath: /data
+            - name: docker-certs
+              mountPath: /certs
+            - name: runner-config
+              mountPath: /config
+              readOnly: true
+            - name: shared-tools
+              mountPath: /shared
+      volumes:
+        - name: runner-data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-runner-data"
+        - name: docker-certs
+          emptyDir: {}
+        - name: shared-tools
+          emptyDir: {}
+        - name: runner-config
+          configMap:
+            name: "{{ .Release.Name }}-runner-config"
+{{- end }}

apps/charts/forgejo/templates/runner-pvc.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.actions.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: "{{ .Release.Name }}-runner-data"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.actions.runner.storage.size | default "10Gi" }}
+{{- end }}

apps/charts/forgejo/templates/runner-secret-external-secrets.yaml

@@ -0,0 +1,3 @@
+{{- if .Values.actions.enabled }}
+{{ include "common.externalSecrets.externalSecrets" . }}
+{{- end }}

apps/charts/forgejo/templates/runner-secret-password-generators.yaml

@@ -0,0 +1,3 @@
+{{- if .Values.actions.enabled }}
+{{ include "common.externalSecrets.passwordGenerators" . }}
+{{- end }}

apps/charts/forgejo/templates/service.yaml

@@ -0,0 +1 @@
+{{ include "common.service" . }}

apps/charts/forgejo/templates/virtual-service.yaml

@@ -0,0 +1 @@
+{{ include "common.virtualService" . }}

apps/charts/forgejo/values.yaml

@@ -0,0 +1,166 @@
+image:
+  repository: codeberg.org/forgejo/forgejo
+  tag: 13@sha256:d05b9e587f02a746784d42c815c486b1d4f138646128f990a841833f513fe088
+  pullPolicy: IfNotPresent
+
+subdomain: code
+
+# Deployment configuration
+deployment:
+  strategy: Recreate
+  replicas: 1
+  revisionHistoryLimit: 2
+
+# Container configuration - multiple ports
+container:
+  ports:
+    - name: http
+      port: 3000
+      protocol: TCP
+    - name: ssh
+      port: 22
+      protocol: TCP
+  healthProbe:
+    type: tcpSocket
+    port: http # Use named port
+
+# DNS configuration
+dns:
+  enabled: true
+  type: A
+  dnsClassRef:
+    name: private-dns
+
+# OIDC/Authentik configuration
+oidc:
+  enabled: true
+  redirectUris:
+    - "/user/oauth2/Authentik/callback"
+
+# Database configuration
+database:
+  enabled: true
+
+# Service configuration - multiple services
+service:
+  ports:
+    - name: http
+      port: 80
+      targetPort: 3000
+      protocol: TCP
+      type: ClusterIP
+    - name: ssh
+      port: 2206
+      targetPort: 22
+      protocol: TCP
+      type: LoadBalancer
+      serviceName: ssh # Will be prefixed with release name: {release}-ssh
+
+# Volume configuration
+volumes:
+  - name: data
+    mountPath: /data
+    persistentVolumeClaim: data
+
+# Persistent volume claims
+persistentVolumeClaims:
+  - name: data
+    size: 10Gi
+    storageClassName: persistent
+
+# VirtualService configuration
+virtualService:
+  enabled: true
+  gateways:
+    public: true
+    private: true
+  servicePort: 80 # Route to the http service port
+
+# Environment variables
+env:
+  USER_UID: "1000"
+  USER_GID: "1000"
+  FORGEJO__server__SSH_DOMAIN:
+    value: "ssh-{subdomain}.{domain}" # Will be templated: ssh-{subdomain}.{domain}
+  FORGEJO__server__SSH_PORT: "2206"
+  FORGEJO__service__REQUIRE_EXTERNAL_REGISTRATION_PASSWORD: "true"
+  FORGEJO__service__ENABLE_PASSWORD_SIGNIN_FORM: "false"
+  FORGEJO__service__DEFAULT_KEEP_EMAIL_PRIVATE: "true"
+  FORGEJO__service__DEFAULT_USER_IS_RESTRICTED: "true"
+  FORGEJO__service__DEFAULT_USER_VISIBILITY: "private"
+  FORGEJO__service__DEFAULT_ORG_VISIBILITY: "private"
+  FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
+  FORGEJO__other__SHOW_FOOTER_POWERED_BY: "false"
+  FORGEJO__other__SHOW_FOOTER_TEMPLATE_LOAD_TIME: "false"
+  FORGEJO__other__SHOW_FOOTER_VERSION: "false"
+  FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true"
+  FORGEJO__repository__ENABLE_PUSH_CREATE_ORG: "true"
+  FORGEJO__openid__ENABLE_OPENID_SIGNIN: "false"
+  FORGEJO__openid__ENABLE_OPENID_SIGNUP: "false"
+  FORGEJO__database__DB_TYPE: postgres
+  FORGEJO__database__DB_PORT: "5432"
+  FORGEJO__database__NAME:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-connection"
+        key: database
+  FORGEJO__database__HOST:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-connection"
+        key: host
+  FORGEJO__database__USER:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-connection"
+        key: user
+  FORGEJO__database__PASSWD:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-connection"
+        key: password
+  # Actions configuration
+  FORGEJO__actions__ENABLED: "true"
+  FORGEJO__actions__ENABLED_FOR_REPOSITORIES: "true"
+  FORGEJO__actions__ENABLED_FOR_DEFAULT_BRANCH: "true"
+  FORGEJO__actions__SHARED_SECRET:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-runner-secrets"
+        key: shared-secret
+
+# External Secrets configuration for Actions runner
+externalSecrets:
+  - name: "{release}-runner-secrets"
+    passwords:
+      - name: shared-secret
+        length: 20
+        allowRepeat: true
+        noUpper: false
+        encoding: hex
+        secretKeys:
+          - shared-secret
+
+# Actions runner configuration
+actions:
+  enabled: true
+  runner:
+    image:
+      repository: code.forgejo.org/forgejo/runner
+      tag: "12.3.1"
+      pullPolicy: IfNotPresent
+    dind:
+      image:
+        repository: code.forgejo.org/oci/docker
+        tag: dind@sha256:8bcbad4b45f0bff9d3e809d85a7ac589390f0be8acbc526850c998c35c1243fd
+        pullPolicy: IfNotPresent
+    name: default
+    replicas: 1
+    storage:
+      size: 10Gi
+    labels:
+      - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest-slim"
+      - "ubuntu-slim-latest:docker://gitea/runner-images:ubuntu-latest-slim"
+      - "ubuntu-full-latest:docker://gitea/runner-images:ubuntu-latest-full"
+      - "docker-cli:docker://code.forgejo.org/oci/docker:cli"
+      - "node-bookworm:docker://code.forgejo.org/oci/node:20-bookworm"

apps/charts/gitea/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+version: 1.0.0
+name: gitea
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../../common

apps/charts/gitea/templates/client.yaml

@@ -0,0 +1 @@
+{{ include "common.oidc" . }}

apps/charts/gitea/templates/database.yaml

@@ -0,0 +1 @@
+{{ include "common.database" . }}

apps/charts/gitea/templates/deployment.yaml

@@ -0,0 +1 @@
+{{ include "common.deployment" . }}

apps/charts/gitea/templates/pvc.yaml

@@ -0,0 +1 @@
+{{ include "common.pvc" . }}

apps/charts/gitea/templates/runner-deployment.yaml

@@ -1,36 +1,37 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: '{{ .Release.Name }}-runner'
+  name: "{{ .Release.Name }}-runner"
   labels:
-    app: '{{ .Release.Name }}-runner'
+    app: "{{ .Release.Name }}-runner"
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: '{{ .Release.Name }}-runner'
+      app: "{{ .Release.Name }}-runner"
   template:
     metadata:
       labels:
-        app: '{{ .Release.Name }}-runner'
+        app: "{{ .Release.Name }}-runner"
     spec:
       containers:
-        - name: '{{ .Release.Name }}-runner'
+        - name: "{{ .Release.Name }}-runner"
           image: docker.io/gitea/act_runner:latest-dind-rootless
           env:
             - name: GITEA_INSTANCE_URL
-              value: '{{ .Release.Name }}'
+              value: "https://{{ .Release.Name }}.{{ .Values.globals.domain }}"
             - name: GITEA_RUNNER_NAME
+              value: default
             - name: GITEA_RUNNER_REGISTRATION_TOKEN
               valueFrom:
                 secretKeyRef:
-                  name: '{{ .Release.Name }}-runner'
+                  name: "{{ .Release.Name }}-runner"
                   key: registration_token
             - name: DOCKER_HOST
               value: tcp://localhost:2376
             - name: DOCKER_CERT_PATH
               value: /certs/client
             - name: DOCKER_TLS_VERIFY
-              value: '1'
+              value: "1"
           securityContext:
             privileged: true

apps/charts/gitea/templates/service.yaml

@@ -0,0 +1 @@
+{{ include "common.service" . }}

apps/charts/gitea/templates/virtual-service.yaml

@@ -0,0 +1 @@
+{{ include "common.virtualService" . }}

apps/charts/gitea/values.yaml

@@ -0,0 +1,114 @@
+image:
+  repository: docker.gitea.com/gitea
+  tag: 1.25.3@sha256:fee0e5e55da6d2d11186bf39023a772fe63d9deffc0a83283e3d8e5d11c2716a
+  pullPolicy: IfNotPresent
+
+subdomain: gitea
+
+# Deployment configuration
+deployment:
+  strategy: Recreate
+  replicas: 1
+
+# Container configuration - multiple ports
+container:
+  ports:
+    - name: http
+      port: 3000
+      protocol: TCP
+    - name: ssh
+      port: 22
+      protocol: TCP
+  healthProbe:
+    type: tcpSocket
+    port: http # Use named port
+
+# Service configuration - multiple services
+service:
+  ports:
+    - name: http
+      port: 80
+      targetPort: 3000
+      protocol: TCP
+      type: ClusterIP
+    - name: ssh
+      port: 2205
+      targetPort: 22
+      protocol: TCP
+      type: LoadBalancer
+      serviceName: ssh # Results in: {release}-ssh
+
+# Volume configuration
+volumes:
+  - name: data
+    mountPath: /data
+    persistentVolumeClaim: data
+
+# Persistent volume claims
+persistentVolumeClaims:
+  - name: data
+    size: 10Gi
+    storageClassName: persistent
+
+# VirtualService configuration
+virtualService:
+  enabled: true
+  gateways:
+    public: true
+    private: true
+  servicePort: 80 # Route to the http service port
+
+# OIDC client configuration
+oidc:
+  enabled: true
+  redirectUris:
+    - "/user/oauth2/Authentik/callback"
+  subjectMode: user_username
+
+# Database configuration
+database:
+  enabled: true
+
+# Environment variables
+env:
+  USER_UID: "1000"
+  USER_GID: "1000"
+  GITEA__server__SSH_DOMAIN:
+    value: "ssh-{subdomain}.{domain}"
+  GITEA__server__SSH_PORT: "2205"
+  GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_PASSWORD: "true"
+  GITEA__service__ENABLE_PASSWORD_SIGNIN_FORM: "false"
+  GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE: "true"
+  GITEA__service__DEFAULT_USER_IS_RESTRICTED: "true"
+  GITEA__service__DEFAULT_USER_VISIBILITY: "private"
+  GITEA__service__DEFAULT_ORG_VISIBILITY: "private"
+  GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
+  GITEA__other__SHOW_FOOTER_POWERED_BY: "false"
+  GITEA__other__SHOW_FOOTER_TEMPLATE_LOAD_TIME: "false"
+  GITEA__other__SHOW_FOOTER_VERSION: "false"
+  GITEA__repository__ENABLE_PUSH_CREATE_USER: "true"
+  GITEA__repository__ENABLE_PUSH_CREATE_ORG: "true"
+  GITEA__openid__ENABLE_OPENID_SIGNIN: "false"
+  GITEA__openid__ENABLE_OPENID_SIGNUP: "false"
+  GITEA__database__DB_TYPE: postgres
+  GITEA__database__DB_PORT: "5432"
+  GITEA__database__NAME:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-connection"
+        key: database
+  GITEA__database__HOST:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-connection"
+        key: host
+  GITEA__database__USER:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-connection"
+        key: user
+  GITEA__database__PASSWD:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-connection"
+        key: password

apps/charts/glados/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+version: 1.0.0
+name: glados
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../../common

apps/charts/glados/templates/deployment.yaml

@@ -0,0 +1 @@
+{{ include "common.deployment" . }}

apps/charts/glados/templates/pvc.yaml

@@ -0,0 +1 @@
+{{ include "common.pvc" . }}

apps/charts/glados/values.yaml

@@ -0,0 +1,69 @@
+image:
+  repository: ghcr.io/morten-olsen/agentic
+  tag: 0.0.39
+  pullPolicy: Always
+
+subdomain: glados
+
+deployment:
+  strategy: Recreate
+  replicas: 1
+
+container:
+  ports:
+    - name: http
+      port: 8080
+      protocol: TCP
+
+initContainers:
+  - name: fix-permissions
+    image: busybox@sha256:b3255e7dfbcd10cb367af0d409747d511aeb66dfac98cf30e97e87e4207dd76f
+    command: ["sh", "-c", "chown -R 1000:1000 /data"]
+    volumeMounts:
+      - name: data
+        mountPath: /data
+    securityContext:
+      runAsUser: 0
+
+volumes:
+  - name: data
+    mountPath: /data
+    persistentVolumeClaim: data
+
+persistentVolumeClaims:
+  - name: data
+    size: 10Gi
+
+env:
+  GLADOS_LLM_MODEL:
+    valueFrom:
+      secretKeyRef:
+        name: glados-secrets
+        key: GLADOS_LLM_MODEL
+  GLADOS_LLM_API_KEY:
+    valueFrom:
+      secretKeyRef:
+        name: glados-secrets
+        key: GLADOS_LLM_API_KEY
+  GLADOS_TELEGRAM_BOT_TOKEN:
+    valueFrom:
+      secretKeyRef:
+        name: glados-secrets
+        key: GLADOS_TELEGRAM_BOT_TOKEN
+  GLADOS_TELEGRAM_OWNER_ID:
+    valueFrom:
+      secretKeyRef:
+        name: glados-secrets
+        key: GLADOS_TELEGRAM_OWNER_ID
+  GLADOS_HOMEASSISTANT_URL:
+    valueFrom:
+      secretKeyRef:
+        name: glados-secrets
+        key: GLADOS_HOMEASSISTANT_URL
+  GLADOS_HOMEASSISTANT_TOKEN:
+    valueFrom:
+      secretKeyRef:
+        name: glados-secrets
+        key: GLADOS_HOMEASSISTANT_TOKEN
+  GLADOS_HOMEASSISTANT_CALENDARS: "calendar.cecilie_og_morten,calendar.morten_olsen_zeronorth_com"
+  GLADOS_HOMEASSISTANT_PERSON_ENTITY: "person.morten"

apps/charts/homarr.disabled/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+version: 1.0.0
+name: homarr
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../../common

apps/charts/homarr.disabled/templates/common.yaml

@@ -0,0 +1 @@
+{{ include "common.all" . }}

apps/charts/homarr.disabled/values.yaml

@@ -0,0 +1,95 @@
+image:
+  repository: ghcr.io/homarr-labs/homarr
+  tag: v1.48.0@sha256:47f827c16e7a93435159f77ddb726d8dacdf8b6dd8fb7bb91777b933a915bf05
+  pullPolicy: IfNotPresent
+
+subdomain: homarr
+
+# Deployment configuration
+deployment:
+  strategy: Recreate
+  replicas: 1
+  revisionHistoryLimit: 0
+
+# Container configuration
+container:
+  port: 7575
+  healthProbe:
+    type: tcpSocket
+    port: http # Use named port
+
+# Service configuration
+service:
+  port: 80
+  type: ClusterIP
+
+# Volume configuration
+volumes:
+  - name: data
+    mountPath: /appdata
+    persistentVolumeClaim: data
+
+# Persistent volume claims
+persistentVolumeClaims:
+  - name: data
+    size: 1Gi
+    storageClassName: persistent
+
+# VirtualService configuration
+virtualService:
+  enabled: true
+  gateways:
+    public: true
+    private: true
+
+# OIDC client configuration
+oidc:
+  enabled: true
+  redirectUris:
+    - "/api/auth/callback/oidc"
+  subjectMode: user_username
+
+# External Secrets configuration
+externalSecrets:
+  - name: "{release}-secrets"
+    passwords:
+      - name: encryptionkey
+        length: 32
+        allowRepeat: true
+        encoding: hex
+        secretKeys:
+          - encryptionkey
+
+# Environment variables
+env:
+  BASE_URL:
+    value: "https://{subdomain}.{domain}"
+  NEXTAUTH_URL:
+    value: "https://{subdomain}.{domain}"
+  AUTH_PROVIDERS: oidc
+  AUTH_OIDC_CLIENT_NAME: Authentik
+  AUTH_OIDC_SCOPE_OVERWRITE: "openid email profile"
+  AUTH_OIDC_GROUPS_ATTRIBUTE: groups
+  AUTH_OIDC_AUTO_LOGIN: "true"
+  AUTH_OIDC_ADMIN_GROUP: "admin"
+  AUTH_OIDC_ENABLE_DANGEROUS_ACCOUNT_LINKING: "true"
+  SECRET_ENCRYPTION_KEY:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-secrets"
+        key: encryptionkey
+  AUTH_OIDC_ISSUER:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-oidc-credentials"
+        key: issuer
+  AUTH_OIDC_CLIENT_ID:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-oidc-credentials"
+        key: clientId
+  AUTH_OIDC_CLIENT_SECRET:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-oidc-credentials"
+        key: clientSecret

apps/charts/home-assistant/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+version: 1.0.0
+name: home-assistant
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../../common

apps/charts/home-assistant/templates/client.yaml

@@ -0,0 +1 @@
+{{ include "common.oidc" . }}

apps/charts/home-assistant/templates/deployment.yaml

@@ -0,0 +1 @@
+{{ include "common.deployment" . }}

apps/charts/home-assistant/templates/matter.yaml

@@ -0,0 +1,72 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: "{{ .Release.Name }}-matter"
+spec:
+  accessModes:
+    - "ReadWriteOnce"
+  resources:
+    requests:
+      storage: "1Gi"
+  storageClassName: "{{ .Values.globals.environment }}"
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}-matter"
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}-matter"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}-matter"
+    spec:
+      hostNetwork: true
+      containers:
+        - name: "{{ .Release.Name }}-matter"
+          image: "{{ .Values.matter.image.repository }}:{{ .Values.matter.image.tag }}"
+          imagePullPolicy: "{{ .Values.matter.image.pullPolicy }}"
+          env:
+            - name: TZ
+              value: "{{ .Values.globals.timezone }}"
+          ports:
+            - name: http
+              containerPort: 5580
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /data
+              name: data
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-matter"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}-matter"
+  labels:
+    app: "{{ .Release.Name }}-matter"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 5580
+      protocol: TCP
+      name: http
+  selector:
+    app: "{{ .Release.Name }}-matter"

apps/charts/home-assistant/templates/pvc.yaml

@@ -0,0 +1 @@
+{{ include "common.pvc" . }}

apps/charts/home-assistant/templates/service.yaml

@@ -0,0 +1 @@
+{{ include "common.service" . }}

apps/charts/home-assistant/templates/virtual-service.yaml

@@ -0,0 +1 @@
+{{ include "common.virtualService" . }}

apps/charts/home-assistant/templates/whisper.yaml

@@ -25,6 +25,8 @@ spec:
             - "{{ .Values.whisper.model }}"
             - --language
             - "{{ .Values.whisper.language }}"
+            - --data-dir
+            - /data
           env:
             - name: TZ
               value: "{{ .Values.globals.timezone }}"

apps/charts/home-assistant/values.yaml

@@ -0,0 +1,74 @@
+image:
+  repository: ghcr.io/home-assistant/home-assistant
+  tag: 2025.12.5@sha256:9a5a3eb4a213dfb25932dee9dc6815c9305f78cecb5afa716fa2483163d8fb5b
+  pullPolicy: IfNotPresent
+
+subdomain: home-assistant
+
+# Deployment configuration
+deployment:
+  strategy: Recreate
+  replicas: 1
+  hostNetwork: true
+  dnsPolicy: ClusterFirstWithHostNet
+
+# Container configuration
+container:
+  port: 8123
+  healthProbe:
+    type: tcpSocket
+    port: http # Use named port
+  securityContext:
+    privileged: true
+
+# Service configuration
+service:
+  port: 80
+  type: ClusterIP
+
+# VirtualService configuration
+virtualService:
+  enabled: true
+  gateways:
+    public: true
+    private: true
+
+# OIDC client configuration
+oidc:
+  enabled: true
+  redirectUris:
+    - "/auth/openid/callback"
+  subjectMode: user_username
+
+# Volume configuration
+volumes:
+  - name: config
+    mountPath: /config
+    persistentVolumeClaim: config
+  - name: misc
+    mountPath: /media/misc
+    persistentVolumeClaim: misc # External PVC, not prefixed
+
+# Persistent volume claims
+persistentVolumeClaims:
+  - name: config
+    size: 5Gi
+    storageClassName: persistent
+piper:
+  image:
+    repository: ghcr.io/morten-olsen/glados-voice
+    tag: main@sha256:8fcc19bd9e7e846bdfd9e9e569c8c944dcfb1d0b47e3f479cbaa7f5587c7206c
+    pullPolicy: Always
+  model: en_US-glados-medium
+whisper:
+  image:
+    repository: rhasspy/wyoming-whisper
+    tag: latest@sha256:9501d2659eee83b6eead98d53842193e5fed011eda6c5b1c3ad36f3146b28fed
+    pullPolicy: IfNotPresent
+  model: tiny-int8
+  language: us
+matter:
+  image:
+    repository: ghcr.io/home-assistant-libs/python-matter-server
+    tag: stable@sha256:170aa093ce91c76cde4cc390918307590f0f5558fcec93f913af3cb019e6562a
+    pullPolicy: IfNotPresent

apps/charts/homebox/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+version: 1.0.0
+name: homebox
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../../common

apps/charts/homebox/templates/database.yaml

@@ -0,0 +1 @@
+{{ include "common.database" . }}

apps/charts/homebox/templates/deployment.yaml

@@ -0,0 +1 @@
+{{ include "common.deployment" . }}

apps/charts/homebox/templates/pvc.yaml

@@ -0,0 +1 @@
+{{ include "common.pvc" . }}

apps/charts/homebox/templates/service.yaml

@@ -0,0 +1 @@
+{{ include "common.service" . }}

apps/charts/homebox/templates/virtual-service.yaml

@@ -0,0 +1 @@
+{{ include "common.virtualService" . }}

apps/charts/homebox/values.yaml

@@ -0,0 +1,79 @@
+image:
+  repository: ghcr.io/sysadminsmedia/homebox
+  tag: latest@sha256:facd9b795952602d5c54eacfcd0f3533040e6b556f461e423a2d2445ed8736f9
+  pullPolicy: IfNotPresent
+
+subdomain: homebox
+
+# Deployment configuration
+deployment:
+  strategy: RollingUpdate
+  replicas: 1
+
+# Container configuration
+container:
+  port: 7745
+  healthProbe:
+    type: tcpSocket
+    port: http # Use named port
+
+# Service configuration
+service:
+  port: 80
+  type: ClusterIP
+
+# Volume configuration
+volumes:
+  - name: data
+    mountPath: /data
+    persistentVolumeClaim: data
+
+# Persistent volume claims
+persistentVolumeClaims:
+  - name: data
+    size: 1Gi
+    storageClassName: persistent
+
+# VirtualService configuration
+virtualService:
+  enabled: true
+  gateways:
+    public: true
+    private: true
+
+# Database configuration
+database:
+  enabled: true
+
+# Environment variables
+env:
+  TZ:
+    value: "{timezone}"
+  HBOX_OPTIONS_ALLOW_REGISTRATION: "false"
+  HBOX_DATABASE_DRIVER: postgres
+  HBOX_DATABASE_DATABASE:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-connection"
+        key: database
+  HBOX_DATABASE_HOST:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-connection"
+        key: host
+  HBOX_DATABASE_PORT:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-connection"
+        key: port
+  HBOX_DATABASE_SSL_MODE: "disable"
+  HBOX_DATABASE_USERNAME:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-connection"
+        key: user
+  HBOX_DATABASE_PASSWORD:
+    valueFrom:
+      secretKeyRef:
+        name: "{release}-connection"
+        key: password

apps/charts/immich/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+version: 1.0.0
+name: immich
+dependencies:
+  - name: common
+    version: 1.0.0
+    repository: file://../../common

apps/charts/immich/templates/database.yaml

@@ -0,0 +1 @@
+{{ include "common.database" . }}

apps/charts/immich/templates/deployment.yaml

@@ -0,0 +1,201 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}-server"
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}-server"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}-server"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}-server"
+          image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}"
+          imagePullPolicy: "{{ .Values.server.image.pullPolicy }}"
+          env:
+            - name: DB_URL
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-connection"
+                  key: url
+            - name: DB_VECTOR_EXTENSION
+              value: pgvector
+            - name: REDIS_HOSTNAME
+              value: "{{ .Release.Name }}-valkey.{{ .Release.Namespace }}.svc.cluster.local"
+            - name: REDIS_HOST
+              value: "{{ .Release.Name }}-valkey.{{ .Release.Namespace }}.svc.cluster.local"
+            - name: REDIS_PORT
+              value: "6379"
+            - name: REDIS_URL
+              value: "redis://{{ .Release.Name }}-valkey.{{ .Release.Namespace }}.svc.cluster.local:6379"
+            - name: IMMICH_REDIS_HOSTNAME
+              value: "{{ .Release.Name }}-valkey.{{ .Release.Namespace }}.svc.cluster.local"
+            - name: IMMICH_PORT
+              value: "3003"
+            - name: IMMICH_UPLOAD_LOCATION
+              value: /usr/src/app/upload
+            - name: IMMICH_MACHINE_LEARNING_URL
+              value: http://{{ .Release.Name }}-ml.{{ .Release.Namespace }}.svc.cluster.local:3003
+            - name: OAUTH_AUTO_REGISTER
+              value: "true"
+            - name: OAUTH_AUTO_LAUNCH
+              value: "true"
+            - name: OAUTH_BUTTON_TEXT
+              value: "Login with OAuth"
+            - name: OAUTH_ENABLED
+              value: "true"
+            - name: OAUTH_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-oidc-credentials"
+                  key: issuer
+            - name: OAUTH_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-oidc-credentials"
+                  key: clientId
+            - name: OAUTH_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-oidc-credentials"
+                  key: clientSecret
+            - name: OAUTH_SCOPE
+              value: "openid profile email"
+            - name: OAUTH_STORAGE_LABEL_CLAIM
+              value: "preferred_username"
+          ports:
+            - name: http
+              containerPort: 3003
+              protocol: TCP
+          resources:
+            limits:
+              cpu: "1500m"
+          volumeMounts:
+            - mountPath: /usr/src/app/upload
+              name: upload
+            - mountPath: /usr/src/app/library
+              name: library
+            - mountPath: /mnt/media/nas
+              name: nas
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+      volumes:
+        - name: upload
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-upload"
+        - name: library
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-library"
+        - name: nas
+          persistentVolumeClaim:
+            claimName: images
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}-ml"
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}-ml"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}-ml"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}-ml"
+          image: "{{ .Values.ml.image.repository }}:{{ .Values.ml.image.tag }}"
+          imagePullPolicy: "{{ .Values.ml.image.pullPolicy }}"
+          env:
+            - name: DB_URL
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-connection"
+                  key: url
+            - name: DB_VECTOR_EXTENSION
+              value: pgvector
+            - name: REDIS_HOSTNAME
+              value: "{{ .Release.Name }}-valkey.{{ .Release.Namespace }}.svc.cluster.local"
+            - name: REDIS_HOST
+              value: "{{ .Release.Name }}-valkey.{{ .Release.Namespace }}.svc.cluster.local"
+            - name: REDIS_PORT
+              value: "6379"
+            - name: REDIS_URL
+              value: "redis://{{ .Release.Name }}-valkey.{{ .Release.Namespace }}.svc.cluster.local:6379"
+            - name: IMMICH_REDIS_HOSTNAME
+              value: "{{ .Release.Name }}-valkey.{{ .Release.Namespace }}.svc.cluster.local"
+            - name: IMMICH_PORT
+              value: "3003"
+            - name: IMMICH_MACHINE_LEARNING_MODEL_PATH
+              value: /cache
+          ports:
+            - name: http
+              containerPort: 3003
+              protocol: TCP
+          resources:
+            limits:
+              cpu: "4000m"
+          volumeMounts:
+            - mountPath: /cache
+              name: model-cache
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+      volumes:
+        - name: model-cache
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-model-cache"
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}-valkey"
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}-valkey"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}-valkey"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}-valkey"
+          image: "{{ .Values.valkey.image.repository }}:{{ .Values.valkey.image.tag }}"
+          imagePullPolicy: "{{ .Values.valkey.image.pullPolicy }}"
+          ports:
+            - name: tcp
+              containerPort: 6379
+              protocol: TCP
+          resources:
+            limits:
+              cpu: "500m"
+          livenessProbe:
+            tcpSocket:
+              port: tcp
+          readinessProbe:
+            tcpSocket:
+              port: tcp