publish operator yaml

2026-02-08 01:36:28 +01:00 · 2025-08-13 00:04:22 +02:00
221 changed files with 63162 additions and 4536 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -79,8 +79,6 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v4
      - name: Upload Release Asset
        id: upload-release-asset 
        uses: actions/upload-release-asset@v1
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,4 @@ report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
 # Finder (MacOS) folder config
 .DS_Store
-/data/
+/data/
 /cloudflare.yaml
--- a/.python-version
+++ b/.python-version
@@ -1 +0,0 @@
 3.13
--- a/4
+++ b/4
@@ -1,6 +1,6 @@
-FROM node:23-slim
+FROM node:23-alpine
 RUN corepack enable
 COPY package.json pnpm-lock.yaml ./
 RUN pnpm install --frozen-lockfile --prod
 COPY . .
-CMD ["node", "src/index.ts"]
+CMD ["node", "src/index.ts"]
--- a/2
+++ b/2
@@ -4,7 +4,7 @@ dev-destroy:
 	colima delete -f
 dev-recreate: dev-destroy
-	colima start --network-address --kubernetes -m 8 --k3s-arg="--disable helm-controller,local-storage,traefik --docker" # --mount ${PWD}/data:/data:w 
+	colima start --network-address --kubernetes -m 8 --k3s-arg="--disable=helm-controller,local-storage,traefik" # --mount ${PWD}/data:/data:w 
 	flux install --components="source-controller,helm-controller"
 setup-flux:
--- a/README.md
+++ b/README.md
@@ -0,0 +1,6 @@
 ## Bootstrap repo
 ```
 brew install fluxcd/tap/flux
 make setup-server
 ```
--- a/TODO.md
+++ b/TODO.md
@@ -0,0 +1 @@
 - Fix issue with incompatible spec breaking the server
--- a/cert-issuer.yaml
+++ b/cert-issuer.yaml
@@ -0,0 +1,19 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-prod
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: alice@alice.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - dns01:
          cloudflare:
            email: alice@alice.com
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
--- a/charts/apps/charts/audiobookshelf/Chart.yaml
+++ b/charts/apps/charts/audiobookshelf/Chart.yaml
@@ -1,3 +0,0 @@
 apiVersion: v2
 version: 1.0.0
 name: audiobookshelf
--- a/charts/apps/charts/audiobookshelf/templates/client.yaml
+++ b/charts/apps/charts/audiobookshelf/templates/client.yaml
@@ -1,13 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: OidcClient
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  redirectUris:
    - path: /audiobookshelf/auth/openid/callback
      subdomain: '{{ .Values.subdomain }}'
      matchingMode: strict
    - path: /audiobookshelf/auth/openid/mobile-redirect
      subdomain: '{{ .Values.subdomain }}'
      matchingMode: strict
--- a/charts/apps/charts/audiobookshelf/templates/deployment.yaml
+++ b/charts/apps/charts/audiobookshelf/templates/deployment.yaml
@@ -1,52 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  strategy:
    type: Recreate
  replicas: 1
  selector:
    matchLabels:
      app: '{{ .Release.Name }}'
  template:
    metadata:
      labels:
        app: '{{ .Release.Name }}'
    spec:
      containers:
        - name: '{{ .Release.Name }}'
          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
          livenessProbe:
            tcpSocket:
              port: http
          readinessProbe:
            tcpSocket:
              port: http
          volumeMounts:
            - mountPath: /config
              name: config
            - mountPath: /metadata
              name: metadata
            - mountPath: /audiobooks
              name: audiobooks
            - mountPath: /podcasts
              name: podcasts
      volumes:
        - name: config
          persistentVolumeClaim:
            claimName: '{{ .Release.Name }}-config'
        - name: metadata
          persistentVolumeClaim:
            claimName: '{{ .Release.Name }}-metadata'
        - name: audiobooks
          persistentVolumeClaim:
            claimName: books
        - name: podcasts
          persistentVolumeClaim:
            claimName: podcasts
--- a/charts/apps/charts/audiobookshelf/templates/external-http-service.yaml
+++ b/charts/apps/charts/audiobookshelf/templates/external-http-service.yaml
@@ -1,11 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: ExternalHttpService
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  subdomain: '{{ .Values.subdomain }}'
  destination:
    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
    port:
      number: 80
--- a/charts/apps/charts/audiobookshelf/templates/pvc.yaml
+++ b/charts/apps/charts/audiobookshelf/templates/pvc.yaml
@@ -1,24 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: '{{ .Release.Name }}-config'
 spec:
  accessModes:
    - 'ReadWriteOnce'
  resources:
    requests:
      storage: '1Gi'
  storageClassName: '{{ .Values.globals.environment }}'
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: '{{ .Release.Name }}-metadata'
 spec:
  accessModes:
    - 'ReadWriteOnce'
  resources:
    requests:
      storage: '1Gi'
  storageClassName: '{{ .Values.globals.environment }}'
--- a/charts/apps/charts/audiobookshelf/templates/service.yaml
+++ b/charts/apps/charts/audiobookshelf/templates/service.yaml
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: '{{ .Release.Name }}'
  labels:
    app: '{{ .Release.Name }}'
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
      name: http
  selector:
    app: '{{ .Release.Name }}'
--- a/charts/apps/charts/audiobookshelf/values.yaml
+++ b/charts/apps/charts/audiobookshelf/values.yaml
@@ -1,7 +0,0 @@
 globals:
  environment: prod
 image:
  repository: ghcr.io/advplyr/audiobookshelf
  tag: 2.26.1
  pullPolicy: IfNotPresent
 subdomain: audiobookshelf
--- a/charts/apps/charts/bytestash/Chart.yaml
+++ b/charts/apps/charts/bytestash/Chart.yaml
@@ -1,3 +0,0 @@
 apiVersion: v2
 version: 1.0.0
 name: ByteStash
--- a/charts/apps/charts/bytestash/templates/_headless-service.yaml
+++ b/charts/apps/charts/bytestash/templates/_headless-service.yaml
@@ -1,13 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: '{{ .Release.Name }}-headless'
  labels:
    app: '{{ .Release.Name }}'
 spec:
  clusterIP: None
  ports:
    - port: 5000
      name: http
  selector:
    app: '{{ .Release.Name }}'
--- a/charts/apps/charts/bytestash/templates/_http-service.yaml
+++ b/charts/apps/charts/bytestash/templates/_http-service.yaml
@@ -1,11 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: HttpService
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.environment }}'
  subdomain: '{{ .Values.subdomain }}'
  destination:
    host: '{{ .Release.Name }}'
    port:
      number: 80
--- a/charts/apps/charts/bytestash/templates/client.yaml
+++ b/charts/apps/charts/bytestash/templates/client.yaml
@@ -1,10 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: OidcClient
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  redirectUris:
    - path: /api/auth/oidc/callback
      subdomain: '{{ .Values.subdomain }}'
      matchingMode: strict
--- a/charts/apps/charts/bytestash/templates/deployment.yaml
+++ b/charts/apps/charts/bytestash/templates/deployment.yaml
@@ -1,55 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: '{{ .Release.Name }}'
  labels:
    app: '{{ .Release.Name }}'
 spec:
  serviceName: '{{ .Release.Name }}-headless'
  replicas: 1
  selector:
    matchLabels:
      app: '{{ .Release.Name }}'
  template:
    metadata:
      labels:
        app: '{{ .Release.Name }}'
    spec:
      containers:
        - name: '{{ .Release.Name }}'
          image: ghcr.io/jordan-dalby/bytestash:latest
          ports:
            - containerPort: 5000
              name: http
          env:
            - name: ALLOW_NEW_ACCOUNTS
              value: 'true'
            - name: DISABLE_INTERNAL_ACCOUNTS
              value: 'true'
            - name: OIDC_ENABLED
              value: 'true'
            - name: OIDC_DISPLAY_NAME
              value: OIDC
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: clientId
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: clientSecret
            - name: OIDC_ISSUER_URL
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: configuration
          volumeMounts:
            - mountPath: /data/snippets
              name: data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: '{{ .Release.Name }}-data'
--- a/charts/apps/charts/bytestash/templates/external-http-service.yaml
+++ b/charts/apps/charts/bytestash/templates/external-http-service.yaml
@@ -1,11 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: ExternalHttpService
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  subdomain: '{{ .Values.subdomain }}'
  destination:
    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
    port:
      number: 80
--- a/charts/apps/charts/bytestash/templates/pvc.yaml
+++ b/charts/apps/charts/bytestash/templates/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: '{{ .Release.Name }}-data'
 spec:
  accessModes:
    - 'ReadWriteOnce'
  resources:
    requests:
      storage: '1Gi'
  storageClassName: '{{ .Values.globals.environment }}'
--- a/charts/apps/charts/bytestash/templates/service.yaml
+++ b/charts/apps/charts/bytestash/templates/service.yaml
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: '{{ .Release.Name }}'
  labels:
    app: '{{ .Release.Name }}'
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 5000
      protocol: TCP
      name: http
  selector:
    app: '{{ .Release.Name }}'
--- a/charts/apps/charts/bytestash/values.yaml
+++ b/charts/apps/charts/bytestash/values.yaml
@@ -1,3 +0,0 @@
 globals:
  environment: prod
 subdomain: bytestash
--- a/charts/apps/charts/gitea/Chart.yaml
+++ b/charts/apps/charts/gitea/Chart.yaml
@@ -1,3 +0,0 @@
 apiVersion: v2
 version: 1.0.0
 name: gitea
--- a/charts/apps/charts/gitea/templates/client.yaml
+++ b/charts/apps/charts/gitea/templates/client.yaml
@@ -1,10 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: OidcClient
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  redirectUris:
    - path: /user/oauth2/Authentik/callback
      subdomain: '{{ .Values.subdomain }}'
      matchingMode: strict
--- a/charts/apps/charts/gitea/templates/database.yaml
+++ b/charts/apps/charts/gitea/templates/database.yaml
@@ -1,6 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: PostgresDatabase
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
--- a/charts/apps/charts/gitea/templates/deployment.yaml
+++ b/charts/apps/charts/gitea/templates/deployment.yaml
@@ -1,96 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  strategy:
    type: Recreate
  replicas: 1
  selector:
    matchLabels:
      app: '{{ .Release.Name }}'
  template:
    metadata:
      labels:
        app: '{{ .Release.Name }}'
    spec:
      containers:
        - name: '{{ .Release.Name }}'
          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
          ports:
            - name: http
              containerPort: 3000
              protocol: TCP
          livenessProbe:
            tcpSocket:
              port: http
          readinessProbe:
            tcpSocket:
              port: http
          volumeMounts:
            - mountPath: /data
              name: data
          env:
            - name: TZ
              value: '{{ .Values.globals.timezone }}'
            - name: USER_UID
              value: '1000'
            - name: USER_GID
              value: '1000'
            - name: GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_PASSWORD
              value: 'true'
            - name: GITEA__service__ENABLE_BASIC_AUTHENTICATION
              value: 'true'
            - name: GITEA__service__ENABLE_PASSWORD_SIGNIN_FORM
              value: 'false'
            - name: GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE
              value: 'true'
            - name: GITEA__service__DEFAULT_USER_IS_RESTRICTED
              value: 'true'
            - name: GITEA__service__DEFAULT_USER_VISIBILITY
              value: 'private'
            - name: GITEA__service__DEFAULT_ORG_VISIBILITY
              value: 'private'
            - name: GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION
              value: 'true'
            - name: GITEA__other__SHOW_FOOTER_POWERED_BY
              value: 'false'
            - name: GITEA__other__SHOW_FOOTER_TEMPLATE_LOAD_TIME
              value: 'false'
            - name: GITEA__other__SHOW_FOOTER_VERSION
              value: 'false'
            - name: GITEA__repository__ENABLE_PUSH_CREATE_USER
              value: 'true'
            - name: GITEA__repository__ENABLE_PUSH_CREATE_ORG
              value: 'true'
            - name: GITEA__openid__ENABLE_OPENID_SIGNIN
              value: 'false'
            - name: GITEA__openid__ENABLE_OPENID_SIGNUP
              value: 'false'
            - name: GITEA__database__DB_TYPE
              value: postgres
            - name: GITEA__database__NAME
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: database
            - name: GITEA__database__HOST
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: host
            - name: GITEA__database__USER
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: user
            - name: GITEA__database__PASSWD
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: password
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: '{{ .Release.Name }}-data'
--- a/charts/apps/charts/gitea/templates/external-http-service.yaml
+++ b/charts/apps/charts/gitea/templates/external-http-service.yaml
@@ -1,11 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: ExternalHttpService
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  subdomain: '{{ .Values.subdomain }}'
  destination:
    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
    port:
      number: 80
--- a/charts/apps/charts/gitea/templates/pvc.yaml
+++ b/charts/apps/charts/gitea/templates/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: '{{ .Release.Name }}-data'
 spec:
  accessModes:
    - 'ReadWriteOnce'
  resources:
    requests:
      storage: '1Gi'
  storageClassName: '{{ .Values.globals.environment }}'
--- a/charts/apps/charts/gitea/templates/service.yaml
+++ b/charts/apps/charts/gitea/templates/service.yaml
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: '{{ .Release.Name }}'
  labels:
    app: '{{ .Release.Name }}'
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 3000
      protocol: TCP
      name: http
  selector:
    app: '{{ .Release.Name }}'
--- a/charts/apps/charts/gitea/values.yaml
+++ b/charts/apps/charts/gitea/values.yaml
@@ -1,8 +0,0 @@
 globals:
  environment: prod
  timezone: Europe/Amsterdam
 image:
  repository: docker.gitea.com/gitea
  tag: latest
  pullPolicy: IfNotPresent
 subdomain: gitea
--- a/charts/apps/charts/headscale/Chart.yaml
+++ b/charts/apps/charts/headscale/Chart.yaml
@@ -1,3 +0,0 @@
 apiVersion: v2
 version: 1.0.0
 name: headscale
--- a/charts/apps/charts/headscale/templates/client.yaml
+++ b/charts/apps/charts/headscale/templates/client.yaml
@@ -1,10 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: OidcClient
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  redirectUris:
    - path: /oidc/callback
      subdomain: '{{ .Values.subdomain }}'
      matchingMode: strict
--- a/charts/apps/charts/headscale/templates/config-map.yaml
+++ b/charts/apps/charts/headscale/templates/config-map.yaml
@@ -1,70 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: '{{ .Release.Name }}-config-template'
 data:
  config.yaml.template: |
    server_url: ${PUBLIC_URL}
    listen_addr: 0.0.0.0:8080
    metrics_listen_addr: 0.0.0.0:9090
    grpc_listen_addr: 0.0.0.0:50443
    private_key_path: /var/lib/headscale/private_key # Path inside the container
    noise:
      private_key_path: /var/lib/headscale/noise_private_key # Path inside the container
    listen_routes: false 
    base_domain: "${PUBLIC_URL}" # For client routes and DNS push.
    derp:
      server:
        enabled: false
        region_id: 999
        region_code: "headscale"
        region_name: "Headscale Embedded DERP"
        stun_listen_addr: "0.0.0.0:3478"
        automatically_add_embedded_derp_region: true
      urls:
        - https://controlplane.tailscale.com/derpmap/default
      auto_update_enabled: true
      update_frequency: 24h
    oidc:
      enabled: true
      only_start_if_oidc_is_available: true
      issuer: "${OIDC_ISSUER_URL}"
      client_id: "${OIDC_CLIENT_ID}"
      client_secret: "${OIDC_CLIENT_SECRET}"
      scopes: ["openid", "profile", "email"]
      redirect_url: "${PUBLIC_URL}/oidc/callback"
      pkce:
        enabled: true
        method: S256
    # DNS configuration
    dns:
      magic_dns: false
      override_local_dns: true # Push Headscale's DNS settings to clients
      ttl: 60
      nameservers:
        global:
          - 1.1.1.1 # Cloudflare DNS
          #- 10.43.0.10 # Replace with your ClusterIP for kube-dns/CoreDNS
      # Domains to search for (e.g., for Kubernetes services)
      search_domains:
        - svc.cluster.local
        - cluster.local
    auto_create_users: true
    oidc_user_property: preferred_username # Or 'email' or 'sub'
    prefixes:
      v4: 10.20.20.0/24 # Example: A /24 subnet for your VPN clients
    database:
      type: sqlite
      sqlite:
        path: /var/lib/headscale/db.sqlite
--- a/charts/apps/charts/headscale/templates/deployment.yaml
+++ b/charts/apps/charts/headscale/templates/deployment.yaml
@@ -1,97 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: '{{ .Release.Name }}'
  labels:
    app: '{{ .Release.Name }}'
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: '{{ .Release.Name }}'
  template:
    metadata:
      labels:
        app: '{{ .Release.Name }}'
    spec:
      # To expose WireGuard UDP directly, we need a NodePort service.
      # The Pod needs to be aware of the external port it's being exposed on.
      # The easiest way to get WireGuard to listen on the correct port and make it
      # externally accessible is to use `hostNetwork: true` for the UDP component,
      # or by directly specifying the listen port in Headscale config if the NodePort is stable.
      # OPTION 1: Best for simple homelab on bare metal where host network traffic isn't an issue
      # hostNetwork: true # This makes the pod listen directly on the node's IPs
      # dnsPolicy: ClusterFirstWithHostNet # Required if using hostNetwork
      initContainers:
        - name: generate-config
          image: alpine/git # A small image with 'envsubst' available or easily installable
          imagePullPolicy: IfNotPresent
          command: ['sh', '-c']
          args:
            - |
              # Install envsubst if it's not present (alpine/git may not have it by default)
              apk update && apk add bash gettext
              # Substitute environment variables into the template
              # The vars are passed via `env` section below
              envsubst < /config-template/config.yaml.template > /etc/headscale/config.yaml
              mkdir -p /etc/headscale
              # Optional: Verify the generated config
              echo "--- Generated Headscale Configuration ---"
              cat /etc/headscale/config.yaml
              echo "---------------------------------------"
          env:
            # These are the variables that `envsubst` will look for and replace
            - name: PUBLIC_URL
              value: 'https://{{ .Values.subdomain }}.olsen.cloud'
            - name: OIDC_ISSUER_URL
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: configurationIssuer
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: clientId
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: clientSecret
            # Add any other variables used in config.yaml.template here
          volumeMounts:
            - name: config-template
              mountPath: /config-template # Mount the ConfigMap as a volume
              readOnly: true
            - name: headscale-config
              mountPath: /etc/headscale # Destination for the generated config
      containers:
        - name: '{{ .Release.Name }}'
          image: headscale/headscale:latest # Use the official image
          command: ['headscale', 'serve']
          ports:
            - name: http-api
              containerPort: 8080
              protocol: TCP
            - name: wireguard-udp
              containerPort: 41641
              protocol: UDP
          volumeMounts:
            - name: headscale-data
              mountPath: /var/lib/headscale
            - name: headscale-config
              mountPath: /etc/headscale
      volumes:
        - name: config-template
          configMap:
            name: '{{ .Release.Name }}-config-template'
        - name: headscale-config
          emptyDir: {}
        - name: headscale-data
          persistentVolumeClaim:
            claimName: '{{ .Release.Name }}-data'
--- a/charts/apps/charts/headscale/templates/external-http-service.yaml
+++ b/charts/apps/charts/headscale/templates/external-http-service.yaml
@@ -1,11 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: ExternalHttpService
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  subdomain: '{{ .Values.subdomain }}'
  destination:
    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
    port:
      number: 80
--- a/charts/apps/charts/headscale/templates/pvc.yaml
+++ b/charts/apps/charts/headscale/templates/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: '{{ .Release.Name }}-data'
 spec:
  accessModes:
    - 'ReadWriteOnce'
  resources:
    requests:
      storage: '1Gi'
  storageClassName: '{{ .Values.globals.environment }}'
--- a/charts/apps/charts/headscale/templates/service.yaml
+++ b/charts/apps/charts/headscale/templates/service.yaml
@@ -1,19 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: '{{ .Release.Name }}'
  labels:
    app: '{{ .Release.Name }}'
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
      name: http
    - name: wireguard-udp # TODO: should this be a LB service?
      port: 41641
      targetPort: 41641
      protocol: UDP
  selector:
    app: '{{ .Release.Name }}'
--- a/charts/apps/charts/headscale/values.yaml
+++ b/charts/apps/charts/headscale/values.yaml
@@ -1,7 +0,0 @@
 globals:
  environment: prod
 image:
  repository: headscale/headscale
  tag: latest
  pullPolicy: IfNotPresent
 subdomain: headscale
--- a/charts/apps/charts/jellyfin/Chart.yaml
+++ b/charts/apps/charts/jellyfin/Chart.yaml
@@ -1,3 +0,0 @@
 apiVersion: v2
 version: 1.0.0
 name: Jellyfin
--- a/charts/apps/charts/jellyfin/notes.md
+++ b/charts/apps/charts/jellyfin/notes.md
@@ -1 +0,0 @@
 https://www.authelia.com/integration/openid-connect/clients/jellyfin/
--- a/charts/apps/charts/jellyfin/templates/client.yaml
+++ b/charts/apps/charts/jellyfin/templates/client.yaml
@@ -1,10 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: OidcClient
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.environment }}'
  redirectUris:
    - path: /sso/OID/redirect/Authentik
      subdomain: '{{ .Values.globals.subdomain }}'
      matchingMode: strict
--- a/charts/apps/charts/jellyfin/templates/config-pvc.yaml
+++ b/charts/apps/charts/jellyfin/templates/config-pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: '{{ .Release.Name }}-config'
 spec:
  accessModes:
    - 'ReadWriteOnce'
  resources:
    requests:
      storage: '1Gi'
  storageClassName: '{{ .Values.environment }}'
--- a/charts/apps/charts/jellyfin/templates/deployment.yaml
+++ b/charts/apps/charts/jellyfin/templates/deployment.yaml
@@ -1,52 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  strategy:
    type: Recreate
  replicas: 1
  selector:
    matchLabels:
      app: '{{ .Release.Name }}'
  template:
    metadata:
      labels:
        app: '{{ .Release.Name }}'
    spec:
      containers:
        - name: '{{ .Release.Name }}'
          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
          ports:
            - name: http
              containerPort: 8096
              protocol: TCP
          livenessProbe:
            tcpSocket:
              port: http
          readinessProbe:
            tcpSocket:
              port: http
          volumeMounts:
            - mountPath: /config
              name: config
            - mountPath: /media/movies
              name: movies
            - mountPath: /media/tv-shows
              name: tvshows
            - mountPath: /media/music
              name: music
      volumes:
        - name: config
          persistentVolumeClaim:
            claimName: '{{ .Release.Name }}-config'
        - name: movies
          persistentVolumeClaim:
            claimName: movies
        - name: tvshows
          persistentVolumeClaim:
            claimName: tvshows
        - name: music
          persistentVolumeClaim:
            claimName: music
--- a/charts/apps/charts/jellyfin/templates/external-http-service.yaml
+++ b/charts/apps/charts/jellyfin/templates/external-http-service.yaml
@@ -1,11 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: ExternalHttpService
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  subdomain: '{{ .Values.subdomain }}'
  destination:
    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
    port:
      number: 80
--- a/charts/apps/charts/jellyfin/templates/service.yaml
+++ b/charts/apps/charts/jellyfin/templates/service.yaml
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: '{{ .Release.Name }}'
  labels:
    app: '{{ .Release.Name }}'
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 8096
      protocol: TCP
      name: http
  selector:
    app: '{{ .Release.Name }}'
--- a/charts/apps/charts/jellyfin/values.yaml
+++ b/charts/apps/charts/jellyfin/values.yaml
@@ -1,7 +0,0 @@
 globals:
  environment: prod
 image:
  repository: docker.io/jellyfin/jellyfin
  tag: latest
  pullPolicy: IfNotPresent
 subdomain: jellyfin
--- a/charts/apps/charts/metamcp/Chart.yaml
+++ b/charts/apps/charts/metamcp/Chart.yaml
@@ -1,3 +0,0 @@
 apiVersion: v2
 version: 1.0.0
 name: metamcp
--- a/charts/apps/charts/metamcp/templates/database.yaml
+++ b/charts/apps/charts/metamcp/templates/database.yaml
@@ -1,6 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: PostgresDatabase
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
--- a/charts/apps/charts/metamcp/templates/deployment.yaml
+++ b/charts/apps/charts/metamcp/templates/deployment.yaml
@@ -1,79 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  strategy:
    type: Recreate
  replicas: 1
  selector:
    matchLabels:
      app: '{{ .Release.Name }}'
  template:
    metadata:
      labels:
        app: '{{ .Release.Name }}'
    spec:
      containers:
        - name: '{{ .Release.Name }}'
          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
          ports:
            - name: http
              containerPort: 12008
              protocol: TCP
          livenessProbe:
            tcpSocket:
              port: http
          readinessProbe:
            tcpSocket:
              port: http
          volumeMounts:
            - mountPath: /data
              name: data
          env:
            - name: TZ
              value: '{{ .Values.globals.timezone }}'
            - name: APP_URL
              value: https://metamcp.olsen.cloud # TODO: Change
            - name: NEXT_PUBLIC_APP_URL
              value: https://metamcp.olsen.cloud # TODO: Change
            - name: BETTER_AUTH_SECRET
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-secrets'
                  key: betterauth
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: url
            - name: POSTGRES_DB
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: database
            - name: POSTGRES_HOST
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: host
            - name: POSTGRES_PORT
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: port
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: user
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: password
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: '{{ .Release.Name }}-data'
--- a/charts/apps/charts/metamcp/templates/external-http-service.yaml
+++ b/charts/apps/charts/metamcp/templates/external-http-service.yaml
@@ -1,11 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: ExternalHttpService
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  subdomain: '{{ .Values.subdomain }}'
  destination:
    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
    port:
      number: 80
--- a/charts/apps/charts/metamcp/templates/pvc.yaml
+++ b/charts/apps/charts/metamcp/templates/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: '{{ .Release.Name }}-data'
 spec:
  accessModes:
    - 'ReadWriteOnce'
  resources:
    requests:
      storage: '1Gi'
  storageClassName: '{{ .Values.globals.environment }}'
--- a/charts/apps/charts/metamcp/templates/secret.yaml
+++ b/charts/apps/charts/metamcp/templates/secret.yaml
@@ -1,9 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: GenerateSecret
 metadata:
  name: '{{ .Release.Name }}-secrets'
 spec:
  fields:
    - name: betterauth
      encoding: base64
      length: 64
--- a/charts/apps/charts/metamcp/templates/service.yaml
+++ b/charts/apps/charts/metamcp/templates/service.yaml
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: '{{ .Release.Name }}'
  labels:
    app: '{{ .Release.Name }}'
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 12008
      protocol: TCP
      name: http
  selector:
    app: '{{ .Release.Name }}'
--- a/charts/apps/charts/metamcp/values.yaml
+++ b/charts/apps/charts/metamcp/values.yaml
@@ -1,8 +0,0 @@
 globals:
  environment: prod
  timezone: Europe/Amsterdam
 image:
  repository: ghcr.io/metatool-ai/metamcp
  tag: latest
  pullPolicy: IfNotPresent
 subdomain: metamcp
--- a/charts/apps/charts/miniflux.disable/Chart.yaml
+++ b/charts/apps/charts/miniflux.disable/Chart.yaml
@@ -1,3 +0,0 @@
 apiVersion: v2
 version: 1.0.0
 name: ByteStash
--- a/charts/apps/charts/miniflux.disable/templates/client.yaml
+++ b/charts/apps/charts/miniflux.disable/templates/client.yaml
@@ -1,10 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: OidcClient
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  redirectUris:
    - path: /api/auth/oidc/callback
      subdomain: bytestash
      matchingMode: strict
--- a/charts/apps/charts/miniflux.disable/templates/deployment.yaml
+++ b/charts/apps/charts/miniflux.disable/templates/deployment.yaml
@@ -1,55 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: '{{ .Release.Name }}'
  labels:
    app: '{{ .Release.Name }}'
 spec:
  serviceName: '{{ .Release.Name }}-headless'
  replicas: 1
  selector:
    matchLabels:
      app: '{{ .Release.Name }}'
  template:
    metadata:
      labels:
        app: '{{ .Release.Name }}'
    spec:
      containers:
        - name: '{{ .Release.Name }}'
          image: ghcr.io/miniflux/miniflux:latest
          ports:
            - containerPort: 8080
              name: http
          env:
            - name: ALLOW_NEW_ACCOUNTS
              value: 'true'
            - name: DISABLE_INTERNAL_ACCOUNTS
              value: 'true'
            - name: OIDC_ENABLED
              value: 'true'
            - name: OIDC_DISPLAY_NAME
              value: OIDC
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: clientId
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: clientSecret
            - name: OIDC_ISSUER_URL
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: configuration
          volumeMounts:
            - mountPath: /data/snippets
              name: data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: '{{ .Release.Name }}-data'
--- a/charts/apps/charts/miniflux.disable/templates/external-http-service.yaml
+++ b/charts/apps/charts/miniflux.disable/templates/external-http-service.yaml
@@ -1,11 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: ExternalHttpService
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  subdomain: '{{ .Values.subdomain }}'
  destination:
    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
    port:
      number: 80
--- a/charts/apps/charts/miniflux.disable/templates/pvc.yaml
+++ b/charts/apps/charts/miniflux.disable/templates/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: '{{ .Release.Name }}-data'
 spec:
  accessModes:
    - 'ReadWriteOnce'
  resources:
    requests:
      storage: '1Gi'
  storageClassName: '{{ .Values.globals.environment }}'
--- a/charts/apps/charts/miniflux.disable/templates/service.yaml
+++ b/charts/apps/charts/miniflux.disable/templates/service.yaml
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: '{{ .Release.Name }}'
  labels:
    app: '{{ .Release.Name }}'
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
      name: http
  selector:
    app: '{{ .Release.Name }}'
--- a/charts/apps/charts/miniflux.disable/values.yaml
+++ b/charts/apps/charts/miniflux.disable/values.yaml
@@ -1,3 +0,0 @@
 globals:
  environment: prod
 subdomain: miniflux
--- a/charts/apps/charts/n8n/Chart.yaml
+++ b/charts/apps/charts/n8n/Chart.yaml
@@ -1,3 +0,0 @@
 apiVersion: v2
 version: 1.0.0
 name: Jellyfin
--- a/charts/apps/charts/n8n/templates/database.yaml
+++ b/charts/apps/charts/n8n/templates/database.yaml
@@ -1,6 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: PostgresDatabase
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
--- a/charts/apps/charts/n8n/templates/deployment.yaml
+++ b/charts/apps/charts/n8n/templates/deployment.yaml
@@ -1,73 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  strategy:
    type: Recreate
  replicas: 1
  selector:
    matchLabels:
      app: '{{ .Release.Name }}'
  template:
    metadata:
      labels:
        app: '{{ .Release.Name }}'
    spec:
      containers:
        - name: '{{ .Release.Name }}'
          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
          ports:
            - name: http
              containerPort: 5678
              protocol: TCP
          livenessProbe:
            tcpSocket:
              port: http
          readinessProbe:
            tcpSocket:
              port: http
          volumeMounts:
            - mountPath: /home/node/.n8n
              name: data
          env:
            - name: TZ
              value: '{{ .Values.globals.timezone }}'
            - name: GENERIC_TIMEZONE
              value: '{{ .Values.globals.timezone }}'
            - name: N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS
              value: 'true'
            - name: N8N_RUNNERS_ENABLED
              value: 'true'
            - name: DB_TYPE
              value: postgresdb
            - name: DB_POSTGRESDB_DATABASE
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: database
            - name: DB_POSTGRESDB_HOST
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: host
            - name: DB_POSTGRESDB_PORT
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: port
            - name: DB_POSTGRESDB_USER
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: user
            - name: DB_POSTGRESDB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-pg-connection'
                  key: password
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: '{{ .Release.Name }}-data'
--- a/charts/apps/charts/n8n/templates/external-http-service.yaml
+++ b/charts/apps/charts/n8n/templates/external-http-service.yaml
@@ -1,11 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: ExternalHttpService
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  subdomain: '{{ .Values.subdomain }}'
  destination:
    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
    port:
      number: 80
--- a/charts/apps/charts/n8n/templates/pvc.yaml
+++ b/charts/apps/charts/n8n/templates/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: '{{ .Release.Name }}-data'
 spec:
  accessModes:
    - 'ReadWriteOnce'
  resources:
    requests:
      storage: '1Gi'
  storageClassName: '{{ .Values.globals.environment }}'
--- a/charts/apps/charts/n8n/templates/service.yaml
+++ b/charts/apps/charts/n8n/templates/service.yaml
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: '{{ .Release.Name }}'
  labels:
    app: '{{ .Release.Name }}'
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 5678
      protocol: TCP
      name: http
  selector:
    app: '{{ .Release.Name }}'
--- a/charts/apps/charts/n8n/values.yaml
+++ b/charts/apps/charts/n8n/values.yaml
@@ -1,8 +0,0 @@
 globals:
  environment: prod
  timezone: Europe/Amsterdam
 image:
  repository: docker.n8n.io/n8nio/n8n
  tag: latest
  pullPolicy: IfNotPresent
 subdomain: n8n
--- a/charts/apps/charts/ollama/Chart.yaml
+++ b/charts/apps/charts/ollama/Chart.yaml
@@ -1,3 +0,0 @@
 apiVersion: v2
 version: 1.0.0
 name: ollama
--- a/charts/apps/charts/ollama/templates/client.yaml
+++ b/charts/apps/charts/ollama/templates/client.yaml
@@ -1,10 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: OidcClient
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  redirectUris:
    - path: /oauth/oidc/callback
      subdomain: '{{ .Values.subdomain }}'
      matchingMode: strict
--- a/charts/apps/charts/ollama/templates/deployment.yaml
+++ b/charts/apps/charts/ollama/templates/deployment.yaml
@@ -1,38 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  strategy:
    type: Recreate
  replicas: 1
  selector:
    matchLabels:
      app: '{{ .Release.Name }}'
  template:
    metadata:
      labels:
        app: '{{ .Release.Name }}'
    spec:
      containers:
        - name: '{{ .Release.Name }}'
          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
          ports:
            - name: http
              containerPort: 11434
              protocol: TCP
          livenessProbe:
            tcpSocket:
              port: http
          readinessProbe:
            tcpSocket:
              port: http
          volumeMounts:
            - mountPath: /root/.ollama
              name: data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: '{{ .Release.Name }}-data'
--- a/charts/apps/charts/ollama/templates/pvc.yaml
+++ b/charts/apps/charts/ollama/templates/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: '{{ .Release.Name }}-data'
 spec:
  accessModes:
    - 'ReadWriteOnce'
  resources:
    requests:
      storage: '1Gi'
  storageClassName: '{{ .Values.globals.environment }}'
--- a/charts/apps/charts/ollama/templates/service.yaml
+++ b/charts/apps/charts/ollama/templates/service.yaml
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: '{{ .Release.Name }}'
  labels:
    app: '{{ .Release.Name }}'
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 11434
      protocol: TCP
      name: http
  selector:
    app: '{{ .Release.Name }}'
--- a/charts/apps/charts/ollama/values.yaml
+++ b/charts/apps/charts/ollama/values.yaml
@@ -1,7 +0,0 @@
 globals:
  environment: prod
 image:
  repository: ollama/ollama
  tag: 0.11.8
  pullPolicy: IfNotPresent
 subdomain: openwebui
--- a/charts/apps/charts/openwebui/Chart.yaml
+++ b/charts/apps/charts/openwebui/Chart.yaml
@@ -1,3 +0,0 @@
 apiVersion: v2
 version: 1.0.0
 name: openwebui
--- a/charts/apps/charts/openwebui/templates/client.yaml
+++ b/charts/apps/charts/openwebui/templates/client.yaml
@@ -1,10 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: OidcClient
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  redirectUris:
    - path: /oauth/oidc/callback
      subdomain: '{{ .Values.subdomain }}'
      matchingMode: strict
--- a/charts/apps/charts/openwebui/templates/deployment.yaml
+++ b/charts/apps/charts/openwebui/templates/deployment.yaml
@@ -1,70 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  strategy:
    type: Recreate
  replicas: 1
  selector:
    matchLabels:
      app: '{{ .Release.Name }}'
  template:
    metadata:
      labels:
        app: '{{ .Release.Name }}'
    spec:
      containers:
        - name: '{{ .Release.Name }}'
          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            tcpSocket:
              port: http
          readinessProbe:
            tcpSocket:
              port: http
          volumeMounts:
            - mountPath: /app/backend/data
              name: data
          env:
            - name: ENABLE_SIGNUP
              value: 'false'
            - name: WEBUI_URL # TODO: remove
              value: https://openwebui.olsen.cloud
            - name: ENABLE_OAUTH_PERSISTENT_CONFIG
              value: 'false'
            - name: ENABLE_OAUTH_SIGNUP
              value: 'true'
            - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
              value: 'true'
            - name: OAUTH_PROVIDER_NAME
              value: authentik
            - name: OPENID_PROVIDER_URL
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: configuration
            - name: OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: clientId
            - name: OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: clientSecret
            - name: ENABLE_LOGIN_FORM
              value: 'false'
            - name: OPENID_REDIRECT
              value: https://openwebui.olsen.cloud/oauth/oidc/callback
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: '{{ .Release.Name }}-data'
--- a/charts/apps/charts/openwebui/templates/external-http-service.yaml
+++ b/charts/apps/charts/openwebui/templates/external-http-service.yaml
@@ -1,11 +0,0 @@
 apiVersion: homelab.mortenolsen.pro/v1
 kind: ExternalHttpService
 metadata:
  name: '{{ .Release.Name }}'
 spec:
  environment: '{{ .Values.globals.environment }}'
  subdomain: '{{ .Values.subdomain }}'
  destination:
    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
    port:
      number: 80
--- a/charts/apps/charts/openwebui/templates/pvc.yaml
+++ b/charts/apps/charts/openwebui/templates/pvc.yaml
@@ -1,11 +0,0 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: '{{ .Release.Name }}-data'
 spec:
  accessModes:
    - 'ReadWriteOnce'
  resources:
    requests:
      storage: '1Gi'
  storageClassName: '{{ .Values.globals.environment }}'
--- a/charts/apps/charts/openwebui/templates/service.yaml
+++ b/charts/apps/charts/openwebui/templates/service.yaml
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: '{{ .Release.Name }}'
  labels:
    app: '{{ .Release.Name }}'
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
      name: http
  selector:
    app: '{{ .Release.Name }}'
--- a/charts/apps/charts/openwebui/values.yaml
+++ b/charts/apps/charts/openwebui/values.yaml
@@ -1,7 +0,0 @@
 globals:
  environment: prod
 image:
  repository: ghcr.io/open-webui/open-webui
  tag: main
  pullPolicy: IfNotPresent
 subdomain: openwebui
--- a/charts/apps/charts/values.yaml
+++ b/charts/apps/charts/values.yaml
--- a/charts/apps/charts/volumes/Chart.yaml
+++ b/charts/apps/charts/volumes/Chart.yaml
@@ -1,3 +0,0 @@
 apiVersion: v2
 version: 1.0.0
 name: Resources
--- a/charts/apps/charts/volumes/templates/books-pvc.yaml
+++ b/charts/apps/charts/volumes/templates/books-pvc.yaml
@@ -1,28 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: books
  labels:
    type: nfs
 spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-books
  nfs:
    path: '{{ .Values.books.path }}'
    server: '{{ .Values.host }}'
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: books
 spec:
  storageClassName: manual-books
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
--- a/charts/apps/charts/volumes/templates/movies-pvc.yaml
+++ b/charts/apps/charts/volumes/templates/movies-pvc.yaml
@@ -1,28 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: movies
  labels:
    type: nfs
 spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-movies
  nfs:
    path: '{{ .Values.movies.path }}'
    server: '{{ .Values.host }}'
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: movies
 spec:
  storageClassName: manual-movies
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
--- a/charts/apps/charts/volumes/templates/music-pvc.yaml
+++ b/charts/apps/charts/volumes/templates/music-pvc.yaml
@@ -1,28 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: music
  labels:
    type: nfs
 spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-music
  nfs:
    path: '{{ .Values.music.path }}'
    server: '{{ .Values.host }}'
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: music
 spec:
  storageClassName: manual-music
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
--- a/charts/apps/charts/volumes/templates/podcasts-pvc.yaml
+++ b/charts/apps/charts/volumes/templates/podcasts-pvc.yaml
@@ -1,28 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: podcasts
  labels:
    type: nfs
 spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-podcasts
  nfs:
    path: '{{ .Values.podcasts.path }}'
    server: '{{ .Values.host }}'
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: podcasts
 spec:
  storageClassName: manual-podcasts
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
--- a/charts/apps/charts/volumes/templates/tv-pvc.yaml
+++ b/charts/apps/charts/volumes/templates/tv-pvc.yaml
@@ -1,28 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: tvshows
  labels:
    type: nfs
 spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-tvshows
  nfs:
    path: '{{ .Values.tvshows.path }}'
    server: '{{ .Values.host }}'
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: tvshows
 spec:
  storageClassName: manual-tvshows
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
--- a/charts/apps/charts/volumes/values.yaml
+++ b/charts/apps/charts/volumes/values.yaml
@@ -1,11 +0,0 @@
 host: 192.168.20.106
 movies:
  path: /mnt/HDD/Movies
 tvshows:
  path: /mnt/HDD/TV-Shows
 music:
  path: /mnt/HDD/Music2
 books:
  path: /mnt/HDD/Books
 podcasts:
  path: /mnt/HDD/Podcasts
--- a/charts/apps/root/Chart.yaml
+++ b/charts/apps/root/Chart.yaml
@@ -1,3 +0,0 @@
 apiVersion: v2
 version: 1.0.0
 name: root
--- a/charts/apps/root/templates/apps.yaml
+++ b/charts/apps/root/templates/apps.yaml
@@ -1,33 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: homelab-apps
  namespace: '{{ .Values.env }}-argo'
 spec:
  generators:
    - git:
      repoURL: '{{ .Values.repo }}'
      revision: '{{ .Values.ref }}'
      directories:
        - path: charts/apps/*
          include: '.*'
          exclude: '.*.disabled'
  template:
    metadata:
      name: '{{`{{path.basename}}`}}'
    spec:
      project: default
      source:
        repoURL: '{{ .Values.repo }}'
        targetRevision: '{{ .Values.ref }}'
        path: charts/apps/{{`{{path.basename}}`}}
        helm:
          values: |
            globals: {{ .Values.globals | toYaml | nindent 14 }}
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{ .Values.globals.env }}'
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
--- a/charts/apps/root/templates/root.yaml
+++ b/charts/apps/root/templates/root.yaml
@@ -1,21 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: homelab-root
  namespace: '{{ .Values.globals.env }}-argo'
 spec:
  project: default
  source:
    repoURL: '{{ .Values.repo }}'
    targetRevision: '{{ .Values.ref }}'
    path: charts/root
    helm:
      valueFiles:
        - values.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: '{{ .Values.globals.env }}-argo'
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
--- a/charts/apps/root/values.yaml
+++ b/charts/apps/root/values.yaml
@@ -1,4 +0,0 @@
 globals:
  env: prod
 repo: https://github.com/morten-olsen/homelab-operator.git
 ref: HEAD
--- a/charts/operator/templates/clusterrole.yaml
+++ b/charts/operator/templates/clusterrole.yaml
@@ -6,9 +6,6 @@ rules:
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "get", "watch", "list"]
 - apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
 - apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "list", "watch", "create", "delete", "patch", "update"]
@@ -26,7 +23,7 @@ rules:
  verbs: ["get", "list", "watch"]
 - apiGroups: ["*"]
  resources: ["*"]
-  verbs: ["get", "watch", "list", "patch", "create", "update", "replace"]
+  verbs: ["get", "watch", "list", "patch"]
 - apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
-  verbs: ["get", "create", "update", "replace", "patch"]
+  verbs: ["get", "create", "replace"]
--- a/charts/operator/values.yaml
+++ b/charts/operator/values.yaml
@@ -4,7 +4,7 @@
 image:
  repository: ghcr.io/morten-olsen/homelab-operator
-  pullPolicy: IfNotPresent
+  pullPolicy: Always
  # Overrides the image tag whose default is the chart appVersion.
  tag: main
--- a/docker-compose.dev.yaml
+++ b/docker-compose.dev.yaml
@@ -0,0 +1,12 @@
 name: homelab
 services:
  postgres:
    image: postgres:17
    ports:
      - 5432:5432
    environment:
      POSTGRES_USER: $POSTGRES_USER
      POSTGRES_PASSWORD: $POSTGRES_PASSWORD
      POSTGRES_DB: ${POSTGRES_DB:-postgres}
    volumes:
      - $PWD/.data/local/postgres:/var/lib/postgresql/data
--- a/docs/writing-custom-resources.md
+++ b/docs/writing-custom-resources.md
@@ -0,0 +1,901 @@
 # Writing Custom Resources
 This guide explains how to create and implement custom resources in the
 homelab-operator.
 ## Overview
 Custom resources in this operator follow a structured pattern that includes:
 - **Specification schemas** using Zod for runtime validation
 - **Resource implementations** that extend the base `CustomResource` class
 - **Manifest creation** helpers for generating Kubernetes resources
 - **Reconciliation logic** to manage the desired state
 ## Project Structure
 Each custom resource should be organized in its own directory under
 `src/custom-resouces/` with the following structure:
 ```
 src/custom-resouces/{resource-name}/
 ├── {resource-name}.ts              # Main definition file
 ├── {resource-name}.schemas.ts      # Zod validation schemas
 ├── {resource-name}.resource.ts     # Resource implementation
 └── {resource-name}.create-manifests.ts # Manifest generation helpers
 ```
 ## Quick Start
 This section walks through creating a complete custom resource from scratch.
 We'll build a `MyResource` that manages a web application with a deployment and
 service.
 ### 1. Define Your Resource
 The main definition file registers your custom resource with the operator
 framework. This file serves as the entry point that ties together your schemas,
 implementation, and Kubernetes CRD definition.
 Create the main definition file (`{resource-name}.ts`):
 ```typescript
 import { createCustomResourceDefinition } from "../../services/custom-resources/custom-resources.ts";
 import { GROUP } from "../../utils/consts.ts";
 import { MyResourceResource } from "./my-resource.resource.ts";
 import { myResourceSpecSchema } from "./my-resource.schemas.ts";
 const myResourceDefinition = createCustomResourceDefinition({
  group: GROUP, // Uses your operator's API group (homelab.mortenolsen.pro)
  version: "v1", // API version for this resource
  kind: "MyResource", // The Kubernetes kind name (PascalCase)
  names: {
    plural: "myresources", // Plural name for kubectl (lowercase)
    singular: "myresource", // Singular name for kubectl (lowercase)
  },
  spec: myResourceSpecSchema, // Zod schema for validation
  create: (options) => new MyResourceResource(options), // Factory function
 });
 export { myResourceDefinition };
 ```
 **Key Points:**
 - The `group` should always use the `GROUP` constant to maintain consistency
 - `kind` should be descriptive and follow Kubernetes naming conventions
  (PascalCase)
 - `names.plural` is used in kubectl commands (`kubectl get myresources`)
 - The `create` function instantiates your resource implementation when a CR is
  detected
 ### 2. Create Validation Schemas
 Schemas define the structure and validation rules for your custom resource's
 specification. Using Zod provides runtime type safety and automatic validation
 of user input.
 Define your spec schema (`{resource-name}.schemas.ts`):
 ```typescript
 import { z } from "zod";
 const myResourceSpecSchema = z.object({
  // Required fields - these must be provided by users
  hostname: z.string(), // Base hostname for the application
  port: z.number().min(1).max(65535), // Container port (validated range)
  // Optional fields with defaults - provide sensible fallbacks
  replicas: z.number().min(1).default(1), // Number of pod replicas
  // Enums - restrict to specific values with defaults
  protocol: z.enum(["http", "https"]).default("https"),
  // Nested objects - for complex configuration
  database: z.object({
    host: z.string(), // Database hostname
    port: z.number(), // Database port
    name: z.string(), // Database name
  }).optional(), // Entire database config is optional
 });
 // Additional schemas for secrets, status, etc.
 // Separate schemas help organize different data types
 const myResourceSecretSchema = z.object({
  apiKey: z.string(), // API key for external services
  password: z.string(), // Database or service password
 });
 export { myResourceSecretSchema, myResourceSpecSchema };
 ```
 **Schema Design Best Practices:**
 - **Required vs Optional**: Make fields required only when absolutely necessary
 - **Defaults**: Provide sensible defaults to reduce user configuration burden
 - **Validation**: Use Zod's built-in validators (`.min()`, `.max()`, `.email()`,
  etc.)
 - **Enums**: Restrict values to prevent invalid configurations
 - **Nested Objects**: Group related configuration together
 - **Separate Schemas**: Create different schemas for different purposes (spec,
  secrets, status)
 ### 3. Implement the Resource
 The resource implementation is the core of your custom resource. It contains the
 business logic for managing Kubernetes resources and maintains the desired
 state. This class extends `CustomResource` and implements the reconciliation
 logic.
 Create the resource implementation (`{resource-name}.resource.ts`):
 ```typescript
 import type { KubernetesObject } from "@kubernetes/client-node";
 import deepEqual from "deep-equal";
 import {
  CustomResource,
  type CustomResourceOptions,
  type SubresourceResult,
 } from "../../services/custom-resources/custom-resources.custom-resource.ts";
 import {
  ResourceReference,
  ResourceService,
 } from "../../services/resources/resources.ts";
 import type { myResourceSpecSchema } from "./my-resource.schemas.ts";
 import {
  createDeploymentManifest,
  createServiceManifest,
 } from "./my-resource.create-manifests.ts";
 class MyResourceResource extends CustomResource<typeof myResourceSpecSchema> {
  #deploymentResource = new ResourceReference();
  #serviceResource = new ResourceReference();
  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
    super(options);
    const resourceService = this.services.get(ResourceService);
    // Initialize resource references
    this.#deploymentResource.current = resourceService.get({
      apiVersion: "apps/v1",
      kind: "Deployment",
      name: this.name,
      namespace: this.namespace,
    });
    this.#serviceResource.current = resourceService.get({
      apiVersion: "v1",
      kind: "Service",
      name: this.name,
      namespace: this.namespace,
    });
    // Set up event handlers for reconciliation
    this.#deploymentResource.on("changed", this.queueReconcile);
    this.#serviceResource.on("changed", this.queueReconcile);
  }
  #reconcileDeployment = async (): Promise<SubresourceResult> => {
    const manifest = createDeploymentManifest({
      name: this.name,
      namespace: this.namespace,
      ref: this.ref,
      spec: this.spec,
    });
    if (!this.#deploymentResource.current?.exists) {
      await this.#deploymentResource.current?.patch(manifest);
      return {
        ready: false,
        syncing: true,
        reason: "Creating",
        message: "Creating deployment",
      };
    }
    if (!deepEqual(this.#deploymentResource.current.spec, manifest.spec)) {
      await this.#deploymentResource.current.patch(manifest);
      return {
        ready: false,
        syncing: true,
        reason: "Updating",
        message: "Deployment needs updates",
      };
    }
    // Check if deployment is ready
    const deployment = this.#deploymentResource.current;
    const isReady =
      deployment.status?.readyReplicas === deployment.status?.replicas;
    return {
      ready: isReady,
      reason: isReady ? "Ready" : "Pending",
      message: isReady ? "Deployment is ready" : "Waiting for pods to be ready",
    };
  };
  #reconcileService = async (): Promise<SubresourceResult> => {
    const manifest = createServiceManifest({
      name: this.name,
      namespace: this.namespace,
      ref: this.ref,
      spec: this.spec,
    });
    if (!deepEqual(this.#serviceResource.current?.spec, manifest.spec)) {
      await this.#serviceResource.current?.patch(manifest);
      return {
        ready: false,
        syncing: true,
        reason: "Updating",
        message: "Service needs updates",
      };
    }
    return { ready: true };
  };
  public reconcile = async () => {
    if (!this.exists || this.metadata.deletionTimestamp) {
      return;
    }
    // Reconcile subresources
    await this.reconcileSubresource("Deployment", this.#reconcileDeployment);
    await this.reconcileSubresource("Service", this.#reconcileService);
    // Update overall ready condition
    const deploymentReady =
      this.conditions.get("Deployment")?.status === "True";
    const serviceReady = this.conditions.get("Service")?.status === "True";
    await this.conditions.set("Ready", {
      status: deploymentReady && serviceReady ? "True" : "False",
      reason: deploymentReady && serviceReady ? "Ready" : "Pending",
      message: deploymentReady && serviceReady
        ? "All resources are ready"
        : "Waiting for resources to be ready",
    });
  };
 }
 export { MyResourceResource };
 ```
 **Resource Implementation Breakdown:**
 **Constructor Setup:**
 - **Resource References**: Create `ResourceReference` objects to track managed
  Kubernetes resources
 - **Service Access**: Use dependency injection to access operator services
  (`ResourceService`)
 - **Event Handlers**: Listen for changes in managed resources to trigger
  reconciliation
 - **Resource Registration**: Register references for Deployment and Service that
  will be managed
 **Reconciliation Methods:**
 - **`#reconcileDeployment`**: Manages the application's Deployment resource
  - Creates manifests using helper functions
  - Checks if resource exists and creates/updates as needed
  - Uses `deepEqual` to avoid unnecessary updates
  - Returns status indicating readiness state
 - **`#reconcileService`**: Manages the Service resource for network access
  - Similar pattern to deployment but typically simpler
  - Services are usually ready immediately after creation
 **Main Reconcile Loop:**
 - **Deletion Check**: Early return if resource is being deleted
 - **Subresource Management**: Calls individual reconciliation methods
 - **Condition Updates**: Aggregates status from all subresources
 - **Status Reporting**: Updates the overall "Ready" condition
 **Key Design Patterns:**
 - **Private Methods**: Use `#` for private reconciliation methods
 - **Async/Await**: All reconciliation is asynchronous
 - **Resource References**: Track external resources with type safety
 - **Condition Management**: Provide clear status through Kubernetes conditions
 - **Event-Driven**: React to changes in managed resources automatically
 ### 4. Create Manifest Helpers
 Manifest helpers are pure functions that generate Kubernetes resource
 definitions. They transform your custom resource's specification into standard
 Kubernetes objects. This separation keeps your reconciliation logic clean and
 makes manifests easy to test and modify.
 Define manifest creation functions (`{resource-name}.create-manifests.ts`):
 ```typescript
 type CreateDeploymentManifestOptions = {
  name: string;
  namespace: string;
  ref: any; // Owner reference
  spec: {
    hostname: string;
    port: number;
    replicas: number;
  };
 };
 const createDeploymentManifest = (
  options: CreateDeploymentManifestOptions,
 ) => ({
  apiVersion: "apps/v1",
  kind: "Deployment",
  metadata: {
    name: options.name,
    namespace: options.namespace,
    ownerReferences: [options.ref],
  },
  spec: {
    replicas: options.spec.replicas,
    selector: {
      matchLabels: {
        app: options.name,
      },
    },
    template: {
      metadata: {
        labels: {
          app: options.name,
        },
      },
      spec: {
        containers: [
          {
            name: options.name,
            image: "nginx:latest",
            ports: [
              {
                containerPort: options.spec.port,
              },
            ],
            env: [
              {
                name: "HOSTNAME",
                value: options.spec.hostname,
              },
            ],
          },
        ],
      },
    },
  },
 });
 type CreateServiceManifestOptions = {
  name: string;
  namespace: string;
  ref: any;
  spec: {
    port: number;
  };
 };
 const createServiceManifest = (options: CreateServiceManifestOptions) => ({
  apiVersion: "v1",
  kind: "Service",
  metadata: {
    name: options.name,
    namespace: options.namespace,
    ownerReferences: [options.ref],
  },
  spec: {
    selector: {
      app: options.name,
    },
    ports: [
      {
        port: 80,
        targetPort: options.spec.port,
      },
    ],
  },
 });
 export { createDeploymentManifest, createServiceManifest };
 ```
 **Manifest Helper Patterns:**
 **Type Definitions:**
 - **Options Types**: Define clear interfaces for function parameters
 - **Structured Input**: Group related parameters in nested objects
 - **Type Safety**: Leverage TypeScript to catch configuration errors at compile
  time
 **Deployment Manifest:**
 - **Owner References**: Ensures garbage collection when parent resource is
  deleted
 - **Labels & Selectors**: Consistent labeling for pod selection and organization
 - **Container Configuration**: Maps custom resource spec to container settings
 - **Environment Variables**: Passes configuration from spec to running
  containers
 - **Port Configuration**: Exposes application ports based on spec
 **Service Manifest:**
 - **Service Discovery**: Creates stable network endpoint for the deployment
 - **Port Mapping**: Routes external traffic to container ports
 - **Selector Matching**: Uses same labels as deployment for proper routing
 - **Owner References**: Links service lifecycle to custom resource
 **Best Practices for Manifest Helpers:**
 - **Pure Functions**: No side effects, same input always produces same output
 - **Immutable Objects**: Return new objects rather than modifying inputs
 - **Validation**: Let TypeScript catch type mismatches
 - **Consistent Naming**: Use predictable patterns for resource names
 - **Owner References**: Always set for proper cleanup
 - **Documentation**: Comment non-obvious configuration choices
 ### 5. Register Your Resource
 Add your resource to `src/custom-resouces/custom-resources.ts`:
 ```typescript
 import { myResourceDefinition } from "./my-resource/my-resource.ts";
 const customResources = [
  // ... existing resources
  myResourceDefinition,
 ];
 ```
 ## Core Concepts
 These fundamental patterns are used throughout the operator framework.
 Understanding them is essential for building robust custom resources.
 ### Resource References
 `ResourceReference` objects provide a strongly-typed way to track and manage
 Kubernetes resources that your custom resource creates or depends on. They
 automatically handle resource watching, caching, and change notifications.
 Use `ResourceReference` to manage related Kubernetes resources:
 ```typescript
 import {
  ResourceReference,
  ResourceService,
 } from "../../services/resources/resources.ts";
 class MyResource extends CustomResource<typeof myResourceSpecSchema> {
  #deploymentResource = new ResourceReference();
  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
    super(options);
    const resourceService = this.services.get(ResourceService);
    this.#deploymentResource.current = resourceService.get({
      apiVersion: "apps/v1",
      kind: "Deployment",
      name: this.name,
      namespace: this.namespace,
    });
    // Listen for changes
    this.#deploymentResource.on("changed", this.queueReconcile);
  }
 }
 ```
 **Why Resource References Matter:**
 - **Automatic Watching**: Changes to referenced resources trigger reconciliation
 - **Type Safety**: Get compile-time checking for resource properties
 - **Lifecycle Management**: Easily check if resources exist and their current
  state
 - **Event Handling**: React to external changes without polling
 - **Caching**: Avoid repeated API calls for the same resource data
 ### Conditions
 Kubernetes conditions provide a standardized way to communicate resource status.
 They follow the Kubernetes convention of expressing current state, reasons for
 that state, and human-readable messages. Conditions are crucial for operators
 and users to understand what's happening with resources.
 Use conditions to track the status of your resource:
 ```typescript
 // Set a condition
 await this.conditions.set("Ready", {
  status: "True",
  reason: "AllResourcesReady",
  message: "All subresources are ready",
 });
 // Get a condition
 const isReady = this.conditions.get("Ready")?.status === "True";
 ```
 **Condition Best Practices:**
 - **Standard Names**: Use common condition types like "Ready", "Available",
  "Progressing"
 - **Clear Status**: Use "True", "False", or "Unknown" following Kubernetes
  conventions
 - **Descriptive Reasons**: Provide specific reason codes for troubleshooting
 - **Helpful Messages**: Include actionable information for users
 - **Consistent Updates**: Always update conditions during reconciliation
 ### Subresource Reconciliation
 The `reconcileSubresource` method provides a standardized way to manage
 individual components of your custom resource. It automatically handles
 condition updates, error management, and status aggregation. This pattern keeps
 your main reconciliation loop clean and ensures consistent error handling.
 Use `reconcileSubresource` to manage individual components:
 ```typescript
 public reconcile = async () => {
  // This automatically manages conditions and error handling
  await this.reconcileSubresource("Deployment", this.#reconcileDeployment);
  await this.reconcileSubresource("Service", this.#reconcileService);
 };
 ```
 **Subresource Reconciliation Benefits:**
 - **Automatic Condition Management**: Sets conditions based on reconciliation
  results
 - **Error Isolation**: Failures in one subresource don't stop others
 - **Status Aggregation**: Combines individual component status into overall
  status
 - **Consistent Patterns**: Same error handling and retry logic across all
  components
 - **Observability**: Clear visibility into which components are having issues
 ### Deep Equality Checks
 Deep equality checks prevent unnecessary API calls and resource churn.
 Kubernetes resources should only be updated when their desired state actually
 differs from their current state. This improves performance and reduces cluster
 load.
 Use `deepEqual` to avoid unnecessary updates:
 ```typescript
 import deepEqual from "deep-equal";
 if (!deepEqual(currentResource.spec, desiredManifest.spec)) {
  await currentResource.patch(desiredManifest);
 }
 ```
 **Deep Equality Benefits:**
 - **Performance**: Avoids unnecessary API calls to Kubernetes
 - **Reduced Churn**: Prevents resource version conflicts and unnecessary events
 - **Stability**: Reduces reconciliation loops and system noise
 - **Efficiency**: Lets you focus compute on actual changes
 - **Observability**: Cleaner audit logs with only meaningful changes
 **When to Use Deep Equality:**
 - **Spec Comparisons**: Before updating any Kubernetes resource
 - **Status Updates**: Only update status when values actually change
 - **Metadata Updates**: Check labels and annotations before patching
 - **Complex Objects**: Especially useful for nested configuration objects
 ## Advanced Patterns
 These patterns handle more complex scenarios like secret management, resource
 dependencies, and sophisticated error handling. Use these when building
 production-ready operators that need to handle real-world complexity.
 ### Working with Secrets
 Many resources need to manage secrets. Here's a pattern for secret management:
 ```typescript
 import { SecretService } from "../../services/secrets/secrets.ts";
 class MyResource extends CustomResource<typeof myResourceSpecSchema> {
  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
    super(options);
    const secretService = this.services.get(SecretService);
    // Get or create a secret
    this.secretRef = secretService.get({
      name: `${this.name}-secret`,
      namespace: this.namespace,
    });
  }
  #ensureSecret = async () => {
    const secretData = {
      apiKey: generateApiKey(),
      password: generatePassword(),
    };
    if (!this.secretRef.current?.exists) {
      await this.secretRef.current?.patch({
        apiVersion: "v1",
        kind: "Secret",
        metadata: {
          name: this.secretRef.current.name,
          namespace: this.secretRef.current.namespace,
          ownerReferences: [this.ref],
        },
        data: secretData,
      });
    }
  };
 }
 ```
 ### Cross-Resource Dependencies
 When your resource depends on other custom resources:
 ```typescript
 class MyResource extends CustomResource<typeof myResourceSpecSchema> {
  #dependentResource = new ResourceReference();
  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
    super(options);
    const resourceService = this.services.get(ResourceService);
    // Reference another custom resource
    this.#dependentResource.current = resourceService.get({
      apiVersion: "homelab.mortenolsen.pro/v1",
      kind: "PostgresDatabase",
      name: this.spec.database,
      namespace: this.namespace,
    });
    this.#dependentResource.on("changed", this.queueReconcile);
  }
  #reconcileApp = async (): Promise<SubresourceResult> => {
    // Check if dependency is ready
    const dependency = this.#dependentResource.current;
    if (!dependency?.exists) {
      return {
        ready: false,
        failed: true,
        reason: "MissingDependency",
        message: `PostgresDatabase ${this.spec.database} not found`,
      };
    }
    const dependencyReady = dependency.status?.conditions?.find(
      (c) => c.type === "Ready" && c.status === "True",
    );
    if (!dependencyReady) {
      return {
        ready: false,
        reason: "WaitingForDependency",
        message:
          `Waiting for PostgresDatabase ${this.spec.database} to be ready`,
      };
    }
    // Continue with reconciliation...
  };
 }
 ```
 ### Error Handling
 Proper error handling in reconciliation:
 ```typescript
 #reconcileDeployment = async (): Promise<SubresourceResult> => {
  try {
    // Reconciliation logic...
    return { ready: true };
  } catch (error) {
    return {
      ready: false,
      failed: true,
      reason: 'ReconciliationError',
      message: `Failed to reconcile deployment: ${error.message}`,
    };
  }
 };
 ```
 ## Example Usage
 Once your custom resource is implemented and registered, users can create
 instances using standard Kubernetes manifests. The operator will automatically
 detect new resources and begin reconciliation based on your implementation
 logic.
 ```yaml
 apiVersion: homelab.mortenolsen.pro/v1
 kind: MyResource
 metadata:
  name: my-app
  namespace: default
 spec:
  hostname: my-app.example.com
  port: 8080
  replicas: 3
  protocol: https
  database:
    host: postgres.default.svc.cluster.local
    port: 5432
    name: myapp
 ```
 **What happens when this resource is created:**
 1. **Validation**: The operator validates the spec against your Zod schema
 2. **Resource Creation**: Your `MyResourceResource` class is instantiated
 3. **Reconciliation**: The operator creates a Deployment with 3 replicas and a
   Service
 4. **Status Updates**: Conditions are set to track deployment and service
   readiness
 5. **Event Handling**: The operator watches for changes and re-reconciles as
   needed
 Users can then monitor the resource status with:
 ```bash
 kubectl get myresources my-app -o yaml
 kubectl describe myresource my-app
 ```
 ## Real Examples
 These examples show how the patterns described above are used in practice within
 the homelab-operator.
 ### Simple Resource: Domain
 The `Domain` resource demonstrates a straightforward custom resource that
 manages external dependencies. It creates and manages TLS certificates through
 cert-manager and configures Istio gateways for HTTPS traffic routing.
 **What it does:**
 - Creates a cert-manager Certificate for TLS termination
 - Configures an Istio Gateway for traffic routing
 - Manages the lifecycle of both resources through owner references
 - Provides wildcard certificate support for subdomains
 ```yaml
 apiVersion: homelab.mortenolsen.pro/v1
 kind: Domain
 metadata:
  name: homelab
  namespace: homelab
 spec:
  hostname: local.olsen.cloud # Domain for certificate and gateway
  issuer: letsencrypt-prod # cert-manager ClusterIssuer to use
 ```
 **Key Implementation Features:**
 - **CRD Dependency Checking**: Validates that cert-manager and Istio CRDs exist
 - **Cross-Namespace Resources**: Certificate is created in the istio-ingress
  namespace
 - **Status Aggregation**: Combines certificate and gateway readiness into
  overall status
 - **Wildcard Support**: Automatically configures `*.hostname` for subdomains
 ### Complex Resource: AuthentikServer
 The `AuthentikServer` resource showcases a complex custom resource with multiple
 dependencies and sophisticated reconciliation logic. It deploys a complete
 identity provider solution with database and Redis dependencies.
 **What it does:**
 - Deploys Authentik identity provider with proper configuration
 - Manages database schema and user creation
 - Configures Redis connection for session storage
 - Sets up domain integration for SSO endpoints
 - Handles secret generation and rotation
 ```yaml
 apiVersion: homelab.mortenolsen.pro/v1
 kind: AuthentikServer
 metadata:
  name: homelab
  namespace: homelab
 spec:
  domain: homelab # References a Domain resource
  database: test2 # References a PostgresDatabase resource
  redis: redis # References a Redis connection
 ```
 **Key Implementation Features:**
 - **Resource Dependencies**: Waits for Domain, PostgresDatabase, and Redis
  resources
 - **Secret Management**: Generates and manages API keys, passwords, and tokens
 - **Service Configuration**: Creates comprehensive Kubernetes manifests
  (Deployment, Service, Ingress)
 - **Health Checking**: Monitors application readiness and database connectivity
 - **Cross-Resource Communication**: Uses other custom resources' status and
  outputs
 ### Database Resource: PostgresDatabase
 The `PostgresDatabase` resource illustrates how to manage stateful resources and
 external system integration. It creates databases within an existing PostgreSQL
 instance and manages user permissions.
 **What it does:**
 - Creates a new database in an existing PostgreSQL server
 - Generates dedicated database user with appropriate permissions
 - Manages connection secrets for applications
 - Handles database cleanup and user removal
 ```yaml
 apiVersion: homelab.mortenolsen.pro/v1
 kind: PostgresDatabase
 metadata:
  name: test2
  namespace: homelab
 spec:
  connection: homelab/db # References PostgreSQL connection (namespace/name)
 ```
 **Key Implementation Features:**
 - **External System Integration**: Connects to existing PostgreSQL instances
 - **User Management**: Creates database-specific users with minimal required
  permissions
 - **Secret Generation**: Provides connection details to consuming applications
 - **Cleanup Handling**: Safely removes databases and users when resource is
  deleted
 - **Connection Validation**: Verifies connectivity before marking as ready
 **Common Patterns Across Examples:**
 - **Owner References**: All managed resources have proper ownership for garbage
  collection
 - **Condition Management**: Consistent status reporting through Kubernetes
  conditions
 - **Resource Dependencies**: Graceful handling of missing or unready
  dependencies
 - **Secret Management**: Secure generation and storage of credentials
 - **Cross-Resource Integration**: Resources reference and depend on each other
  appropriately
 ## Best Practices
 1. **Validation**: Always use Zod schemas for comprehensive spec validation
 2. **Idempotency**: Use `deepEqual` checks to avoid unnecessary updates
 3. **Conditions**: Provide clear status information through conditions
 4. **Owner References**: Always set owner references for created resources
 5. **Error Handling**: Provide meaningful error messages and failure reasons
 6. **Dependencies**: Handle missing dependencies gracefully
 7. **Cleanup**: Leverage Kubernetes garbage collection through owner references
 8. **Testing**: Create test manifests in `test-manifests/` for your resources
 ## Troubleshooting
 - **Resource not reconciling**: Check if the resource is properly registered in
  `custom-resources.ts`
 - **Validation errors**: Ensure your Zod schema matches the expected spec
  structure
 - **Missing dependencies**: Verify that referenced resources exist and are ready
 - **Owner reference issues**: Make sure `ownerReferences` are set correctly for
  garbage collection
 - **Condition not updating**: Ensure you're calling `this.conditions.set()` with
  proper status values
 For more examples, refer to the existing custom resources in
 `src/custom-resouces/`.
--- a/istio-test.yaml
+++ b/istio-test.yaml
@@ -1,22 +0,0 @@
 apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
  name: dev-authentik-override
  namespace: dev
 spec:
  hosts:
    - authentik.mortenolsen.nett
  ports:
    - number: 443
      name: https
      protocol: HTTPS
    - number: 80
      name: http
      protocol: HTTP
  location: MESH_EXTERNAL
  resolution: STATIC
  endpoints:
    - address: 1.1.1.1
      ports:
        https: 443
        http: 80
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1 @@`
							`- Fix issue with incompatible spec breaking the server`
		`@@ -1 +0,0 @@`
			`https://www.authelia.com/integration/openid-connect/clients/jellyfin/`