add shoko server

2024-11-07 15:47:40 -06:00
90 changed files with 342 additions and 255 deletions
--- a/.archive/default/plex/ks.yaml
+++ b/.archive/default/plex/ks.yaml
@ -1,55 +0,0 @@
---
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app plex
-  namespace: flux-system
-spec:
-  targetNamespace: default
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/default/plex/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: theshire
-  wait: true
-  dependsOn:
-    - name: rook-ceph-cluster
-    - name: volsync
-    - name: external-secrets-stores
-  interval: 30m
-  timeout: 5m
-  postBuild:
-    substitute:
-      APP: *app
-      GATUS_PATH: /web/index.html
-      VOLSYNC_CAPACITY: 30Gi
---
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app kometa-image-maid
-  namespace: flux-system
-spec:
-  targetNamespace: default
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  interval: 30m
-  timeout: 5m
-  path: "./kubernetes/apps/default/plex/kometa-image-maid"
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: theshire
-  wait: false
-  dependsOn:
-    - name: external-secrets-stores
-    - name: plex
-  postBuild:
-    substitute:
-      APP: *app
--- a/.gitignore
+++ b/.gitignore
@ -24,6 +24,3 @@ omniconfig.yaml
 *.pem
 *.secrets
 config.xml
-
-# syncthing
-**/*sync-conflict*
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,41 +1,32 @@
 {
  "ansible.validation.lint.arguments": "-c .ansible-lint",
  "files.associations": {
-    "*.json5": "jsonc",
-    "**/ansible/**/*.yaml": "ansible",
-    "**/ansible/**/*.sops.yaml": "yaml",
-    "**/ansible/**/inventory/**/*.yaml": "yaml",
-    "**/kubernetes/**/*.sops.toml": "plaintext",
-    "*.hujson": "jsonc"
+      "*.json5": "jsonc",
+      "**/ansible/**/*.yaml": "ansible",
+      "**/ansible/**/*.sops.yaml": "yaml",
+      "**/ansible/**/inventory/**/*.yaml": "yaml",
+      "**/kubernetes/**/*.sops.toml": "plaintext"
  },
  "material-icon-theme.folders.associations": {
-    ".taskfiles": "utils",
-    "bootstrap": "import",
-    "charts": "kubernetes",
-    "hack": "scripts",
-    "repositories": "database",
-    "vars": "other",
-    // namespaces
-    "cert-manager": "guard",
-    "external-secrets": "keys",
-    "kube-system": "kubernetes",
-    "monitoring": "event",
-    "networking": "connection",
-    "rook-ceph": "dump"
+      ".taskfiles": "utils",
+      "bootstrap": "import",
+      "charts": "kubernetes",
+      "hack": "scripts",
+      "repositories": "database",
+      "vars": "other",
+      // namespaces
+      "cert-manager": "guard",
+      "external-secrets": "keys",
+      "kube-system": "kubernetes",
+      "monitoring": "event",
+      "networking": "connection",
+      "rook-ceph": "dump",
  },
  "yaml.schemaStore.enable": true,
  "yaml.schemas": {
    "ansible": "ansible/**/*.yaml",
    "kubernetes": "kubernetes/**/*.yaml"
  },
-  "json.schemas": [
-    {
-      "fileMatch": ["*.hujson"],
-      "schema": {
-        "allowTrailingCommas": true
-      }
-    }
-  ],
  "editor.fontFamily": "FiraCode Nerd Font",
  "editor.fontLigatures": true,
  "editor.bracketPairColorization.enabled": true,
@ -44,7 +35,9 @@
  "editor.guides.highlightActiveBracketPair": true,
  "editor.hover.delay": 1500,
  "editor.stickyScroll.enabled": false,
-  "editor.rulers": [100],
+  "editor.rulers": [
+    100
+  ],
  "explorer.autoReveal": false,
  "files.trimTrailingWhitespace": true,
  "ansible.python.interpreterPath": "/usr/bin/python3",
@ -53,5 +46,5 @@
  "prettier.quoteProps": "preserve",
  "[jsonc]": {
    "editor.defaultFormatter": "esbenp.prettier-vscode"
-  }
+  },
 }
--- a/kubernetes/apps/ai/kustomization.yaml
+++ b/kubernetes/apps/ai/kustomization.yaml
@ -6,4 +6,5 @@ resources:
  # Pre Flux-Kustomizations
  - ./namespace.yaml
  # Flux-Kustomizations
+  - ./ollama/ks.yaml
  - ./open-webui/ks.yaml
--- a/kubernetes/apps/ai/ollama/app/helmrelease.yaml
+++ b/kubernetes/apps/ai/ollama/app/helmrelease.yaml
@ -35,7 +35,7 @@ spec:
          app:
            image:
              repository: docker.io/ollama/ollama
-              tag: 0.4.2
+              tag: 0.4.0
            env:
              - name: OLLAMA_HOST
                value: 0.0.0.0
--- a/kubernetes/apps/ai/ollama/app/kustomization.yaml
+++ b/kubernetes/apps/ai/ollama/app/kustomization.yaml
--- a/kubernetes/apps/ai/ollama/app/pvc.yaml
+++ b/kubernetes/apps/ai/ollama/app/pvc.yaml
--- a/kubernetes/apps/ai/ollama/ks.yaml
+++ b/kubernetes/apps/ai/ollama/ks.yaml
--- a/kubernetes/apps/ai/open-webui/app/helmrelease.yaml
+++ b/kubernetes/apps/ai/open-webui/app/helmrelease.yaml
@ -33,10 +33,10 @@ spec:
          app:
            image:
              repository: ghcr.io/open-webui/open-webui
-              tag: v0.4.4
+              tag: 0.3.35
            env:
              - name: OLLAMA_BASE_URL
-                value: http://10.1.1.61:11434
+                value: http://ollama.ai.svc.cluster.local:11434
              - name: ENABLE_RAG_WEB_SEARCH
                value: true
              - name: RAG_WEB_SEARCH_ENGINE
--- a/kubernetes/apps/ai/open-webui/ks.yaml
+++ b/kubernetes/apps/ai/open-webui/ks.yaml
@ -12,6 +12,7 @@ spec:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: volsync
+    - name: ollama
  path: ./kubernetes/apps/ai/open-webui/app
  prune: true
  sourceRef:
--- a/kubernetes/apps/anime/jellyfin/app/helmrelease.yaml
+++ b/kubernetes/apps/anime/jellyfin/app/helmrelease.yaml
@ -40,7 +40,7 @@ spec:
          app:
            image:
              repository: ghcr.io/jellyfin/jellyfin
-              tag: 10.10.3@sha256:17c3a8d9dddb97789b5f37112840ebf96566442c14d4754193a6c2eb154bc221
+              tag: 10.10.1@sha256:12b7aa2c8086e5566badc35370fab41b8cc8774dc3a80b07a1d6eb14f282b816
            env:
              DOTNET_SYSTEM_IO_DISABLEFILELOCKING: "true"
              JELLYFIN_FFmpeg__probesize: 50000000
--- a/kubernetes/apps/anime/jellyfin/app/kustomization.yaml
+++ b/kubernetes/apps/anime/jellyfin/app/kustomization.yaml
--- a/kubernetes/apps/anime/jellyfin/ks.yaml
+++ b/kubernetes/apps/anime/jellyfin/ks.yaml
--- a/kubernetes/apps/anime/jellyseerr/app/helmrelease.yaml
+++ b/kubernetes/apps/anime/jellyseerr/app/helmrelease.yaml
@ -36,7 +36,7 @@ spec:
          app:
            image:
              repository: fallenbagel/jellyseerr
-              tag: 2.1.0
+              tag: 2.0.1
            env:
              TZ: America/Chicago
              LOG_LEVEL: "info"
--- a/kubernetes/apps/anime/kustomization.yaml
+++ b/kubernetes/apps/anime/kustomization.yaml
@ -6,6 +6,8 @@ resources:
  # Pre Flux-Kustomizations
  - ./namespace.yaml
  # Flux-Kustomizations
+  - ./jellyfin/ks.yaml    # sqlite
  - ./jellyseerr/ks.yaml  # sqlite
  - ./radarr/ks.yaml      # postgres
+  - ./shoko/ks.yaml       # sqlite
  - ./sonarr/ks.yaml      # postgres
--- a/kubernetes/apps/anime/radarr/app/helmrelease.yaml
+++ b/kubernetes/apps/anime/radarr/app/helmrelease.yaml
@ -31,7 +31,7 @@ spec:
          app:
            image:
              repository: ghcr.io/onedr0p/radarr-develop
-              tag: 5.15.1.9463
+              tag: 5.15.0.9412
            env:
              RADARR__APP__INSTANCENAME: Radarr-Anime
              RADARR__APP__THEME: dark
--- a/kubernetes/apps/anime/shoko/app/externalsecret.yaml
+++ b/kubernetes/apps/anime/shoko/app/externalsecret.yaml
@ -0,0 +1,31 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: shokoserver
+spec:
+  refreshInterval: 5m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: shokoserver-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: WIREGUARD_ENDPOINT_IP
+      remoteRef:
+        key: ProtonVPN
+        property: shokoserver_vpn_endpoint_ip
+    - secretKey: WIREGUARD_PUBLIC_KEY
+      remoteRef:
+        key: ProtonVPN
+        property: shokoserver_wireguard_public_key
+    - secretKey: WIREGUARD_PRIVATE_KEY
+      remoteRef:
+        key: ProtonVPN
+        property: shokoserver_wireguard_private_key
+    - secretKey: WIREGUARD_ADDRESSES
+      remoteRef:
+        key: ProtonVPN
+        property: wireguard_addresses
--- a/kubernetes/apps/anime/shoko/app/helmrelease.yaml
+++ b/kubernetes/apps/anime/shoko/app/helmrelease.yaml
@ -0,0 +1,125 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app shokoserver
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  dependsOn:
+    - name: rook-ceph-cluster
+      namespace: rook-ceph
+    - name: volsync
+      namespace: volsync-system
+  values:
+    controllers:
+      shokoserver:
+        annotations:
+          reloader.stakater.com/auto: "true"
+        initContainers:
+          gluetun:
+            image:
+              repository: ghcr.io/qdm12/gluetun
+              tag: v3.39.1
+            env:
+              DOT: "off"
+              VPN_SERVICE_PROVIDER: protonvpn
+              VPN_TYPE: wireguard
+              VPN_INTERFACE: wg0
+              FIREWALL_INPUT_PORTS: "80"
+            envFrom:
+              - secretRef:
+                  name: shokoserver-secret
+            resources:
+              limits:
+                kernel.org/tun: 1
+            restartPolicy: Always
+            securityContext:
+              capabilities:
+                add: ["NET_ADMIN"]
+              allowPrivilegeEscalation: false
+        containers:
+          app:
+            image:
+              repository: ghcr.io/jahanson/shokoserver
+              tag: v5.0.0@sha256:193aedf3e3f2d7031a76274d5bae0004c3d920c24831d688d991f85d4bb24ce2
+            env:
+              TZ: America/Chicago
+              PORT: &port 80
+            # probes:
+            #   liveness: &probes
+            #     enabled: true
+            #     custom: true
+            #     spec:
+            #       httpGet:
+            #         path: /status
+            #         port: *port
+            #       initialDelaySeconds: 0
+            #       periodSeconds: 10
+            #       timeoutSeconds: 1
+            #       failureThreshold: 3
+            #   readiness: *probes
+            #   startup:
+            #     enabled: false
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 568
+        runAsGroup: 568
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        seccompProfile: { type: RuntimeDefault }
+    service:
+      app:
+        controller: shokoserver
+        ports:
+          http:
+            port: *port
+            targetPort: 8111
+    ingress:
+      app:
+        className: internal-nginx
+        hosts:
+          - host: "${APP}.jahanson.tech"
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: http
+    persistence:
+      config:
+        existingClaim: "${APP}"
+        globalMounts:
+          - path: /.shoko
+      media:
+        type: nfs
+        server: 10.1.1.61
+        path: /moria/media/
+        globalMounts:
+          - path: /data/moria-media
+      # logs:
+      #   type: emptyDir
+      #   globalMounts:
+      #     - path: /app/config/logs
+      tmp:
+        type: emptyDir
--- a/kubernetes/apps/kube-system/generic-device-plugin/app/kustomization.yaml
+++ b/kubernetes/apps/kube-system/generic-device-plugin/app/kustomization.yaml
@ -3,10 +3,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ./externalsecret.yaml
  - ./helmrelease.yaml
-configMapGenerator:
-  - name: generic-device-plugin-configmap
-    files:
-      - ./resources/config.yml
-generatorOptions:
-  disableNameSuffixHash: true
+  - ../../../../templates/gatus/internal
+  - ../../../../templates/volsync
--- a/kubernetes/apps/kube-system/generic-device-plugin/ks.yaml
+++ b/kubernetes/apps/kube-system/generic-device-plugin/ks.yaml
@ -3,18 +3,22 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &app generic-device-plugin
+  name: &app shoko
  namespace: flux-system
 spec:
-  targetNamespace: kube-system
+  targetNamespace: anime
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
-  path: "./kubernetes/apps/kube-system/generic-device-plugin/app"
+  path: ./kubernetes/apps/anime/shoko/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: theshire
-  wait: true
+  wait: false
  interval: 30m
  timeout: 5m
+  postBuild:
+    substitute:
+      APP: *app
+      VOLSYNC_CAPACITY: 5Gi
--- a/kubernetes/apps/anime/sonarr/app/helmrelease.yaml
+++ b/kubernetes/apps/anime/sonarr/app/helmrelease.yaml
@ -31,7 +31,7 @@ spec:
          app:
            image:
              repository: ghcr.io/onedr0p/sonarr-develop
-              tag: 4.0.10.2656
+              tag: 4.0.10.2624
            env:
              SONARR__APP__INSTANCENAME: Sonarr-Anime
              SONARR__APP__THEME: dark
--- a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
@ -10,7 +10,7 @@ spec:
  chart:
    spec:
      chart: cert-manager
-      version: v1.16.2
+      version: v1.16.1
      sourceRef:
        kind: HelmRepository
        name: jetstack
--- a/kubernetes/apps/ci-runners/forgejo/app/helmrelease.yaml
+++ b/kubernetes/apps/ci-runners/forgejo/app/helmrelease.yaml
@ -30,7 +30,7 @@ spec:
          runner-register:
            image:
              repository: code.forgejo.org/forgejo/runner
-              tag: 5.0.2
+              tag: 4.0.1
            command:
              - "forgejo-runner"
              - "register"
@ -72,7 +72,7 @@ spec:
          app:
            image:
              repository: code.forgejo.org/forgejo/runner
-              tag: 5.0.2
+              tag: 4.0.1
            command:
              - "sh"
              - "-c"
--- a/kubernetes/apps/database/dragonfly/app/helmrelease.yaml
+++ b/kubernetes/apps/database/dragonfly/app/helmrelease.yaml
@ -30,7 +30,7 @@ spec:
          app:
            image:
              repository: ghcr.io/dragonflydb/operator
-              tag: v1.1.8
+              tag: v1.1.7
            command: ["/manager"]
            args:
              - --health-probe-bind-address=:8081
--- a/kubernetes/apps/database/dragonfly/app/kustomization.yaml
+++ b/kubernetes/apps/database/dragonfly/app/kustomization.yaml
@ -4,6 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  # renovate: datasource=github-releases depName=dragonflydb/dragonfly-operator
-  - https://raw.githubusercontent.com/dragonflydb/dragonfly-operator/v1.1.8/manifests/crd.yaml
+  - https://raw.githubusercontent.com/dragonflydb/dragonfly-operator/v1.1.7/manifests/crd.yaml
  - ./helmrelease.yaml
  - ./rbac.yaml
--- a/kubernetes/apps/database/dragonfly/cluster/dragonfly.yaml
+++ b/kubernetes/apps/database/dragonfly/cluster/dragonfly.yaml
@ -5,7 +5,7 @@ kind: Dragonfly
 metadata:
  name: dragonfly
 spec:
-  image: ghcr.io/dragonflydb/dragonfly:v1.25.2
+  image: ghcr.io/dragonflydb/dragonfly:v1.24.0
  replicas: 3
  env:
    - name: MAX_MEMORY
--- a/kubernetes/apps/database/emqx/cluster/cluster.yaml
+++ b/kubernetes/apps/database/emqx/cluster/cluster.yaml
@ -5,7 +5,7 @@ kind: EMQX
 metadata:
  name: emqx
 spec:
-  image: public.ecr.aws/emqx/emqx:5.8.2
+  image: public.ecr.aws/emqx/emqx:5.8.1
  config:
    mode: Merge
  coreTemplate:
--- a/kubernetes/apps/default/autobrr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/autobrr/app/helmrelease.yaml
@ -31,7 +31,7 @@ spec:
          app:
            image:
              repository: ghcr.io/autobrr/autobrr
-              tag: v1.50.0@sha256:6a6f23570ab6b418318ab12bf2558712714e2f243cf18b139afa414f8417e97d
+              tag: v1.48.0@sha256:0ae19e3beedf491396e450b024c23e9e24df4d692286c0442a81fa699493def0
            env:
              AUTOBRR__CHECK_FOR_UPDATES: "false"
              AUTOBRR__HOST: 0.0.0.0
--- a/kubernetes/apps/default/home-assistant/app/helmrelease.yaml
+++ b/kubernetes/apps/default/home-assistant/app/helmrelease.yaml
@ -36,7 +36,7 @@ spec:
          app:
            image:
              repository: ghcr.io/onedr0p/home-assistant
-              tag: 2024.11.3@sha256:f45f502b1738e46eb435fbc8947cdcc2574f3713b156c6738129ea2ea9b49018
+              tag: 2024.11.0@sha256:23a1ba70e7d5518527e6324d28ccb07f1cbf7c334dbb6326a0b413ef8fe5fafd
            env:
              TZ: America/Chicago
            envFrom:
@ -54,7 +54,7 @@ spec:
          code-server:
            image:
              repository: ghcr.io/coder/code-server
-              tag: 4.95.3@sha256:6d74583d68179cbb6ddadc2518b450d2ac3eaec2d342474fe1941e03371cd2cf
+              tag: 4.93.1@sha256:c69e398d1b64589b3b77a7becfd03f4ec524982def20e6bffbb51b1b839e72ba
            args: [
              "--auth", "none",
              "--user-data-dir", "/config/.vscode",
--- a/kubernetes/apps/default/kustomization.yaml
+++ b/kubernetes/apps/default/kustomization.yaml
@ -16,12 +16,14 @@ resources:
  - ./morphos/ks.yaml
  - ./omegabrr/ks.yaml
  - ./overseerr/ks.yaml
+  - ./piped/ks.yaml
  - ./plex/ks.yaml
  - ./prowlarr/ks.yaml
  - ./radarr/ks.yaml
  - ./recyclarr/ks.yaml
  - ./redlib/ks.yaml
  - ./sabnzbd/ks.yaml
+  - ./scrypted/ks.yaml
  - ./searxng/ks.yaml
  - ./sonarr/ks.yaml
  - ./stirling-pdf/ks.yaml
--- a/kubernetes/apps/default/linkwarden/app/helmrelease.yaml
+++ b/kubernetes/apps/default/linkwarden/app/helmrelease.yaml
@ -31,7 +31,7 @@ spec:
          app:
            image:
              repository: ghcr.io/linkwarden/linkwarden
-              tag: v2.8.3@sha256:7f80a03d688c3e5d9ec6b34f5b65cd861ff8c9eb08d12932dc8fc7482991f238
+              tag: v2.7.1@sha256:bbd22798ee726184d4571ea4f4d831d57475c86c4965c2bb1c3c2d3de88c728a
            env:
              TIMEZONE: "America/Chicago"
              NEXTAUTH_URL: "https://{{ .Release.Name }}.jahanson.tech/api/v1/auth"
--- a/kubernetes/apps/default/maintainerr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/maintainerr/app/helmrelease.yaml
@ -32,7 +32,7 @@ spec:
          app:
            image:
              repository: ghcr.io/jorenn92/maintainerr
-              tag: 2.2.1@sha256:13121a8292ef6db7560a931bf19b601cf3cc12df0a9dea9086b757798eea5b6d
+              tag: 2.2.0@sha256:fbb2c0341b8af502e4488f3664e34992f24947708c7dac10dcbee592f99a946c
            env:
              TZ: America/Chicago
            resources:
--- a/kubernetes/apps/default/omegabrr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/omegabrr/app/helmrelease.yaml
@ -31,7 +31,7 @@ spec:
          app:
            image:
              repository: ghcr.io/autobrr/omegabrr
-              tag: v1.15.0@sha256:4f6099a76ff9d248e9f032e29c04a92b483f21456e46f3b01eb20399f4732ad0
+              tag: v1.14.0@sha256:6f65c7967609746662815933ecc8168c8c25a3b82d909f49833fcce2b47ee052
            env:
              TZ: America/Chicago
            securityContext:
--- a/kubernetes/apps/default/piped/app/externalsecret.yaml
+++ b/kubernetes/apps/default/piped/app/externalsecret.yaml
--- a/kubernetes/apps/default/piped/app/helmrelease.yaml
+++ b/kubernetes/apps/default/piped/app/helmrelease.yaml
--- a/kubernetes/apps/default/piped/app/kustomization.yaml
+++ b/kubernetes/apps/default/piped/app/kustomization.yaml
--- a/kubernetes/apps/default/piped/ks.yaml
+++ b/kubernetes/apps/default/piped/ks.yaml
--- a/kubernetes/apps/default/plex/app/helmrelease.yaml
+++ b/kubernetes/apps/default/plex/app/helmrelease.yaml
@ -38,7 +38,7 @@ spec:
          app:
            image:
              repository: ghcr.io/onedr0p/plex
-              tag: 1.41.2.9200-c6bbc1b53@sha256:47c6f3d85f4e739210860934a0bb24126170fa2f6a602fb909467f17a035c311
+              tag: 1.41.1.9057-af5eaea7a@sha256:5926b77196bb7c9f75b52f431d0483abea0fef1f576b7201592b385449201456
            env:
              TZ: America/Chicago
              PLEX_ADVERTISE_URL: https://plex.hsn.dev:443,http://10.1.1.39:32400
--- a/kubernetes/apps/default/plex/app/kustomization.yaml
+++ b/kubernetes/apps/default/plex/app/kustomization.yaml
--- a/kubernetes/apps/default/plex/app/pvc.yaml
+++ b/kubernetes/apps/default/plex/app/pvc.yaml
--- a/kubernetes/apps/default/plex/kometa-image-maid/externalsecret.yaml
+++ b/kubernetes/apps/default/plex/kometa-image-maid/externalsecret.yaml
--- a/kubernetes/apps/default/plex/kometa-image-maid/helmrelease.yaml
+++ b/kubernetes/apps/default/plex/kometa-image-maid/helmrelease.yaml
--- a/kubernetes/apps/default/plex/kometa-image-maid/kustomization.yaml
+++ b/kubernetes/apps/default/plex/kometa-image-maid/kustomization.yaml
--- a/kubernetes/apps/default/plex/ks.yaml
+++ b/kubernetes/apps/default/plex/ks.yaml
@ -2,6 +2,35 @@
 # yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
+metadata:
+  name: &app plex
+  namespace: flux-system
+spec:
+  targetNamespace: default
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/default/plex/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: theshire
+  wait: true
+  dependsOn:
+    - name: rook-ceph-cluster
+    - name: volsync
+    - name: external-secrets-stores
+  interval: 30m
+  timeout: 5m
+  postBuild:
+    substitute:
+      APP: *app
+      GATUS_PATH: /web/index.html
+      VOLSYNC_CAPACITY: 30Gi
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
 metadata:
  name: &app plex-trakt-sync
  namespace: flux-system
@ -22,7 +51,34 @@ spec:
    - name: rook-ceph-cluster
    - name: volsync
    - name: external-secrets-stores
+    - name: plex
  postBuild:
    substitute:
      APP: *app
      VOLSYNC_CAPACITY: 1Gi
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app kometa-image-maid
+  namespace: flux-system
+spec:
+  targetNamespace: default
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  interval: 30m
+  timeout: 5m
+  path: "./kubernetes/apps/default/plex/kometa-image-maid"
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: theshire
+  wait: false
+  dependsOn:
+    - name: external-secrets-stores
+    - name: plex
+  postBuild:
+    substitute:
+      APP: *app
--- a/kubernetes/apps/default/plex/trakt-sync/helmrelease.yaml
+++ b/kubernetes/apps/default/plex/trakt-sync/helmrelease.yaml
@ -33,12 +33,12 @@ spec:
          app:
            image:
              repository: ghcr.io/taxel/plextraktsync
-              tag: 0.32.2
+              tag: 0.32.0
            args:
              - sync
            env:
-              PLEX_BASEURL: http://10.1.1.61:32400
-              PLEX_LOCALURL: http://10.1.1.61:32400
+              PLEX_BASEURL: http://plex.default.svc.cluster.local:32400
+              PLEX_LOCALURL: http://plex.default.svc.cluster.local:32400
              PLEX_USERNAME: veriwind
              TRAKT_USERNAME: jahanson
            probes:
--- a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml
@ -31,7 +31,7 @@ spec:
          app:
            image:
              repository: ghcr.io/onedr0p/prowlarr-develop
-              tag: 1.26.1.4844@sha256:dd6ab1a0c8f2d780b990f1034f2da6ffb0b4d3e3ca6042b656f691f06d4c9397
+              tag: 1.26.0.4833@sha256:face4aa669a4eb68b041dcf73ed4848cfe8f673826ef3032398a5e267eb1eac0
            env:
              # Ref: https://github.com/Radarr/Radarr/issues/7030#issuecomment-1039689518
              # Ref: https://github.com/dotnet/runtime/issues/9336
--- a/kubernetes/apps/default/radarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/radarr/app/helmrelease.yaml
@ -31,7 +31,7 @@ spec:
          app:
            image:
              repository: ghcr.io/onedr0p/radarr-develop
-              tag: 5.15.1.9463
+              tag: 5.15.0.9412
            env:
              RADARR__APP__INSTANCENAME: Radarr
              RADARR__APP__THEME: dark
--- a/kubernetes/apps/default/recyclarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/recyclarr/app/helmrelease.yaml
@ -34,7 +34,7 @@ spec:
          app:
            image:
              repository: ghcr.io/recyclarr/recyclarr
-              tag: 7.4.0@sha256:619c3b8920a179f2c578acd0f54e9a068f57c049aff840469eed66e93a4be2cf
+              tag: 7.3.0@sha256:2aaa0205a93171b93a159e4665004ccee1a5aacd60359fb8d7683db0ae7e774b
            env:
              # Ref: https://github.com/Radarr/Radarr/issues/7030#issuecomment-1039689518
              # Ref: https://github.com/dotnet/runtime/issues/9336
--- a/kubernetes/apps/default/redlib/app/helmrelease.yaml
+++ b/kubernetes/apps/default/redlib/app/helmrelease.yaml
@ -38,7 +38,7 @@ spec:
          app:
            image:
              repository: quay.io/redlib/redlib
-              tag: latest@sha256:d350eebf055527e2f2189aa0ef3a1e5a178a427ff6ae65a9d3ecbe7f43e83f71
+              tag: latest@sha256:42db7afd24d3e55ceccb38f6e91ecfd44d78f381a04848bb4de67dae1836a3e4
            env:
              REDLIB_DEFAULT_SHOW_NSFW: on
              REDLIB_DEFAULT_WIDE: on
--- a/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml
+++ b/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml
@ -75,9 +75,12 @@ spec:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 100m
+              limits:
+                memory: 16Gi
    defaultPodOptions:
-      nodeSelector: # ~~testing~~
-        kubernetes.io/hostname: gandalf-01
      securityContext:
        runAsNonRoot: true
        runAsUser: 568
--- a/kubernetes/apps/default/scrypted/app/helmrelease.yaml
+++ b/kubernetes/apps/default/scrypted/app/helmrelease.yaml
@ -32,7 +32,7 @@ spec:
          app:
            image:
              repository: ghcr.io/koush/scrypted
-              tag: v0.123.31-jammy-nvidia
+              tag: v0.123.0-jammy-nvidia
            probes:
              liveness:
                enabled: true
--- a/kubernetes/apps/default/scrypted/app/kustomization.yaml
+++ b/kubernetes/apps/default/scrypted/app/kustomization.yaml
--- a/kubernetes/apps/default/scrypted/ks.yaml
+++ b/kubernetes/apps/default/scrypted/ks.yaml
--- a/kubernetes/apps/default/sonarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/sonarr/app/helmrelease.yaml
@ -31,7 +31,7 @@ spec:
          app:
            image:
              repository: ghcr.io/onedr0p/sonarr-develop
-              tag: 4.0.10.2656
+              tag: 4.0.10.2624
            env:
              SONARR__APP__INSTANCENAME: Sonarr
              SONARR__APP__THEME: dark
--- a/kubernetes/apps/default/stirling-pdf/app/helmrelease.yaml
+++ b/kubernetes/apps/default/stirling-pdf/app/helmrelease.yaml
@ -31,7 +31,7 @@ spec:
          app:
            image:
              repository: ghcr.io/stirling-tools/s-pdf
-              tag: 0.33.1@sha256:d30bf0b2826f0e71cf6fe1b806d918db6d90121ac70b3384569e3b49edf51b3f
+              tag: 0.31.1@sha256:fefbcbdc851bfdb29e172df03d8ac280efdd3eada92b16c46b0fc15932152c6c
              pullPolicy: IfNotPresent
            env:
              TZ: America/Chicago
--- a/kubernetes/apps/default/zwave/app/helmrelease.yaml
+++ b/kubernetes/apps/default/zwave/app/helmrelease.yaml
@ -36,7 +36,7 @@ spec:
          app:
            image:
              repository: ghcr.io/zwave-js/zwave-js-ui
-              tag: 9.27.7@sha256:b7327c74e9cb228af9fc2817330319d4e57e041767dc40e550fd6577a436ad7d
+              tag: 9.26.0@sha256:dd945bf63aca8c31763d90addf36db1f0d809c232b806d193173c329c03a183f
            env:
              TZ: America/Chicago
              PORT: &port 80
--- a/kubernetes/apps/kube-system/fstrim.yaml
+++ b/kubernetes/apps/kube-system/fstrim.yaml
@ -7,7 +7,7 @@ spec:
  #  nodeName: nenya
  containers:
    - name: fstrim
-      image: ghcr.io/onedr0p/kubanetics:2024.11.1
+      image: ghcr.io/onedr0p/kubanetics:2024.10.7
      securityContext:
        privileged: true
      command: ["/bin/bash", "-c", "while true; do sleep 10; done"]
--- a/kubernetes/apps/kube-system/fstrim/app/helmrelease.yaml
+++ b/kubernetes/apps/kube-system/fstrim/app/helmrelease.yaml
@ -33,7 +33,7 @@ spec:
          app:
            image:
              repository: ghcr.io/onedr0p/kubanetics
-              tag: 2024.11.1@sha256:875b7c22fbb046958ae0116b4a7e9ea81062cf60f54d5b27e53ebf29078bdcc4
+              tag: 2024.10.7@sha256:f1abb7d38bb45b2eeace4eba1c44763134d6e88c377deb9928f93c5d042ea9af
            env:
              SCRIPT_NAME: fstrim.sh
            probes:
--- a/kubernetes/apps/kube-system/generic-device-plugin/app/helmrelease.yaml
+++ b/kubernetes/apps/kube-system/generic-device-plugin/app/helmrelease.yaml
@ -1,67 +0,0 @@
---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: generic-device-plugin
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.5.1
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  driftDetection:
-    mode: enabled
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      strategy: rollback
-      retries: 3
-  values:
-    defaultPodOptions:
-      priorityClassName: system-node-critical
-    controllers:
-      generic-device-plugin:
-        type: daemonset
-        strategy: RollingUpdate
-        annotations:
-          reloader.stakater.com/auto: "true"
-        containers:
-          generic-device-plugin:
-            image:
-              repository: ghcr.io/squat/generic-device-plugin
-              tag: latest@sha256:ba6f0b4cf6c858d6ad29ba4d32e4da11638abbc7d96436bf04f582a97b2b8821
-            args:
-              - --config=/config/config.yml
-            ports:
-              - containerPort: 8080
-                name: http
-            securityContext:
-              allowPrivilegeEscalation: false
-              readOnlyRootFilesystem: true
-              capabilities: { drop: ["ALL"] }
-    persistence:
-      config:
-        type: configMap
-        name: generic-device-plugin-configmap
-        globalMounts:
-          - path: /config/config.yml
-            subPath: config.yml
-            readOnly: true
-      dev:
-        type: hostPath
-        hostPath: /dev
-        globalMounts:
-          - path: /dev
-      device-plugin:
-        type: hostPath
-        hostPath: /var/lib/kubelet/device-plugins
-        globalMounts:
-          - path: /var/lib/kubelet/device-plugins
--- a/kubernetes/apps/kube-system/generic-device-plugin/app/resources/config.yml
+++ b/kubernetes/apps/kube-system/generic-device-plugin/app/resources/config.yml
@ -1,9 +0,0 @@
---
-log-level: info
-domain: kernel.org
-devices:
-  - name: tun
-    groups:
-      - count: 1000
-        paths:
-          - path: /dev/net/tun
--- a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yml
+++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yml
@ -1,2 +1,2 @@
 ---
-providerRegex: ^bilbo|^frodo|^sam|^merry|^pippin|^rosie|^gandalf-01$
+providerRegex: ^bilbo|^frodo|^sam|^merry|^pippin|^rosie|^shadowfax-01|^gandalf-01$
--- a/kubernetes/apps/kube-system/kustomization.yaml
+++ b/kubernetes/apps/kube-system/kustomization.yaml
@ -12,7 +12,6 @@ resources:
  - ./descheduler/ks.yaml
  - ./dnsimple-webhook-rbac.yaml
  - ./fstrim/ks.yaml
-  - ./generic-device-plugin/ks.yaml
  - ./kubelet-csr-approver/ks.yaml
  - ./metrics-server/ks.yaml
  - ./node-feature-discovery/ks.yaml
--- a/kubernetes/apps/kyverno/kustomization.yaml
+++ b/kubernetes/apps/kyverno/kustomization.yaml
--- a/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml
+++ b/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml
--- a/kubernetes/apps/kyverno/kyverno/app/kustomization.yaml
+++ b/kubernetes/apps/kyverno/kyverno/app/kustomization.yaml
--- a/kubernetes/apps/kyverno/kyverno/ks.yaml
+++ b/kubernetes/apps/kyverno/kyverno/ks.yaml
--- a/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml
+++ b/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml
--- a/kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml
+++ b/kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml
--- a/kubernetes/apps/kyverno/kyverno/policies/schematic-to-pod.yaml
+++ b/kubernetes/apps/kyverno/kyverno/policies/schematic-to-pod.yaml
--- a/kubernetes/apps/kyverno/kyverno/policies/volsync-movers.yaml
+++ b/kubernetes/apps/kyverno/kyverno/policies/volsync-movers.yaml
--- a/kubernetes/apps/kyverno/namespace.yaml
+++ b/kubernetes/apps/kyverno/namespace.yaml
--- a/kubernetes/apps/network/cloudflared/app/helmrelease.yaml
+++ b/kubernetes/apps/network/cloudflared/app/helmrelease.yaml
@ -36,7 +36,7 @@ spec:
          app:
            image:
              repository: docker.io/cloudflare/cloudflared
-              tag: 2024.11.1@sha256:665dda65335e35a782ed9319aa63e8404f88b34d2644d30adf3e91253604ffa0
+              tag: 2024.11.0@sha256:2c78df02e1f23ab19d4c636921f05b9ebec163b887e946f98e22e56254a5540f
            env:
              NO_AUTOUPDATE: "true"
              TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json
--- a/kubernetes/apps/observability/alertmanager/silencer/helmrelease.yaml
+++ b/kubernetes/apps/observability/alertmanager/silencer/helmrelease.yaml
@ -35,7 +35,7 @@ spec:
          app:
            image:
              repository: ghcr.io/onedr0p/kubanetics
-              tag: 2024.11.1
+              tag: 2024.10.7
            env:
              SCRIPT_NAME: alertmanager-silencer.sh
              ALERTMANAGER_URL: http://alertmanager.observability.svc.cluster.local:9093
--- a/kubernetes/apps/observability/grafana/app/helmrelease.yaml
+++ b/kubernetes/apps/observability/grafana/app/helmrelease.yaml
@ -196,6 +196,9 @@ spec:
        cert-manager:
          url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/raw/master/dashboards/cert-manager.json?ref_type=heads
          datasource: Prometheus
+        dcgm-exporter:
+          url: https://raw.githubusercontent.com/NVIDIA/dcgm-exporter/main/grafana/dcgm-exporter-dashboard.json
+          datasource: Prometheus
        external-secrets:
          url: https://raw.githubusercontent.com/external-secrets/external-secrets/main/docs/snippets/dashboard.json
          datasource: Prometheus
@ -249,7 +252,7 @@ spec:
        victoria-alert:
          # renovate: depName="VictoriaMetrics - vmalert"
          gnetId: 14950
-          revision: 13
+          revision: 12
          datasource: Prometheus
        victoria-operator:
          # renovate: depName="VictoriaMetrics - operator"
--- a/kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml
+++ b/kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml
@ -9,7 +9,7 @@ spec:
  chart:
    spec:
      chart: prometheus-operator-crds
-      version: 16.0.0
+      version: 15.0.0
      sourceRef:
        kind: HelmRepository
        name: prometheus-community
--- a/kubernetes/apps/qbittorrent/cross-seed/app/externalsecret.yaml
+++ b/kubernetes/apps/qbittorrent/cross-seed/app/externalsecret.yaml
@ -35,8 +35,8 @@ spec:
            skipRecheck: true,
            sonarr: ["http://sonarr.default.svc.cluster.local/?apikey={{ .SONARR_API_KEY }}"],
            torrentDir: "/qbittorrent/qBittorrent/BT_backup",
-            torznab: []
-            /* torznab: [
+            // torznab: []
+            torznab: [
                  6,  // ANT
                  8,  // BLU
                  9,  // TL
@ -44,7 +44,6 @@ spec:
                  12, // FNP
                  14, // TD
            ].map(i => `http://prowlarr.default.svc.cluster.local/$${i}/api?apikey={{ .PROWLARR_API_KEY }}`),
-            */
          };
  dataFrom:
    - extract:
--- a/kubernetes/apps/qbittorrent/flood/app/helmrelease.yaml
+++ b/kubernetes/apps/qbittorrent/flood/app/helmrelease.yaml
@ -43,7 +43,7 @@ spec:
          app:
            image:
              repository: jesec/flood
-              tag: master@sha256:7b0f2b863434946260621b037d293130acb9f5d9248071408c641b858ffacccf
+              tag: master@sha256:8d04ec24abcc879f14e744e809520f7a7ec3c66395e1f6efa4179c9399803fbe
            envFrom:
              - secretRef:
                  name: flood-secret
--- a/kubernetes/apps/qbittorrent/qbittorrent/app/helmrelease.yaml
+++ b/kubernetes/apps/qbittorrent/qbittorrent/app/helmrelease.yaml
@ -34,7 +34,7 @@ spec:
            nameOverride: qbittorrent
            image:
              repository: ghcr.io/onedr0p/qbittorrent-beta
-              tag: 5.0.2@sha256:adfd625f9cc7226eabad8aa117a551d42d5818c914850ef7fa3be60111383107
+              tag: 5.0.1@sha256:684422cab9fe3cba04812cf4207398bb72aa0f0283c92fddecd833648ac3f7bf
            env:
              UMASK: "022"
              QBT_WEBUI_PORT: &port 80
@ -66,9 +66,15 @@ spec:
              capabilities:
                drop:
                  - ALL
+            resources:
+              requests:
+                cpu: 100m
+                memory: 1024Mi
+              limits:
+                memory: 8Gi
    defaultPodOptions:
      nodeSelector: # ~~testing~~
-        kubernetes.io/hostname: gandalf-01
+        kubernetes.io/hostname: shadowfax-01
      securityContext:
        runAsNonRoot: true
        runAsUser: 568
--- a/kubernetes/apps/qbittorrent/qbittorrent/tools/helmrelease.yaml
+++ b/kubernetes/apps/qbittorrent/qbittorrent/tools/helmrelease.yaml
@ -39,7 +39,7 @@ spec:
          tagging: &container
            image:
              repository: ghcr.io/buroa/qbtools
-              tag: v0.19.9@sha256:f5405e3c00256d7911d2abb839084a5147c108586adb281e97587cf93729c89b
+              tag: v0.19.7@sha256:ceb38f6794b10a8f1147dbc8a4df24857e0dae72341eaf2d435796937d77ba3a
            env:
              TZ: *timeZone
              POD_NAMESPACE:
--- a/kubernetes/apps/rook-ceph/rook-ceph/app/helmrelease.yaml
+++ b/kubernetes/apps/rook-ceph/rook-ceph/app/helmrelease.yaml
@ -10,7 +10,7 @@ spec:
  chart:
    spec:
      chart: rook-ceph
-      version: v1.15.6
+      version: v1.15.5
      sourceRef:
        kind: HelmRepository
        name: rook-ceph
--- a/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
+++ b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
@ -10,7 +10,7 @@ spec:
  chart:
    spec:
      chart: rook-ceph-cluster
-      version: v1.15.6
+      version: v1.15.5
      sourceRef:
        kind: HelmRepository
        name: rook-ceph
--- a/kubernetes/apps/security/external-secrets/app/helmrelease.yaml
+++ b/kubernetes/apps/security/external-secrets/app/helmrelease.yaml
@ -10,7 +10,7 @@ spec:
  chart:
    spec:
      chart: external-secrets
-      version: 0.10.7
+      version: 0.10.5
      interval: 30m
      sourceRef:
        kind: HelmRepository
--- a/kubernetes/apps/volsync-system/volsync/app/helmrelease.yaml
+++ b/kubernetes/apps/volsync-system/volsync/app/helmrelease.yaml
@ -22,6 +22,8 @@ spec:
      strategy: rollback
      retries: 3
  dependsOn:
+    - name: kyverno
+      namespace: kyverno
    - name: snapshot-controller
      namespace: volsync-system
  values:
--- a/kubernetes/apps/volsync-system/volsync/ks.yaml
+++ b/kubernetes/apps/volsync-system/volsync/ks.yaml
@ -10,6 +10,8 @@ spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: cluster-policies
  path: ./kubernetes/apps/volsync-system/volsync/app
  prune: true
  sourceRef:
--- a/kubernetes/bootstrap/helmfile.yaml
+++ b/kubernetes/bootstrap/helmfile.yaml
@ -19,7 +19,7 @@ releases:
  - name: prometheus-operator-crds
    namespace: observability
    chart: oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds
-    version: 16.0.0
+    version: 15.0.0
  - name: cilium
    namespace: kube-system
    chart: cilium/cilium
--- a/kubernetes/bootstrap/talos/talconfig.yaml
+++ b/kubernetes/bootstrap/talos/talconfig.yaml
@ -1,11 +1,9 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/budimanjojo/talhelper/master/pkg/config/schemas/talconfig.json
+# yaml-language-server: $schema=https://ks.hsn.dev/talconfig.json
 clusterName: theshire

-# renovate: datasource=github-releases depName=siderolabs/talos
-talosVersion: v1.8.3
-# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
-kubernetesVersion: 1.31.2
+talosVersion: v1.8.2
+kubernetesVersion: 1.31.1
 endpoint: "https://10.1.1.57:6444"

 additionalApiServerCertSans:
--- a/kubernetes/flux/repositories/oci/grafana.yaml
+++ b/kubernetes/flux/repositories/oci/grafana.yaml
@ -12,4 +12,4 @@ spec:
    operation: copy
  url: oci://ghcr.io/grafana/helm-charts/grafana
  ref:
-    tag: 8.6.1
+    tag: 8.5.12
--- a/kubernetes/templates/volsync/kustomization.yaml
+++ b/kubernetes/templates/volsync/kustomization.yaml
@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./claim.yaml
-  - ./minio.yaml
+  - ./nfs.yaml
  - ./r2.yaml
--- a/renovate.json5
+++ b/renovate.json5
@ -23,9 +23,8 @@
      "(^|/)\\.taskfiles/.+\\.ya?ml(?:\\.j2)?$"
    ]
  },
-  "customManagers": [
+  "regexManagers": [
    {
-      "customType": "regex",
      "description": [
        "Process CRD dependencies - Chart and Github Release are the same version"
      ],
@ -36,17 +35,15 @@
      "datasourceTemplate": "helm"
    },
    {
-      "customType": "regex",
      "description": ["Generic Docker image Regex manager"],
      "fileMatch": ["infrastructure/.+\\.ya?ml$", "infrastructure/.+\\.tf$"],
      "matchStrings": [
-        "# renovate: docker-image( versioning=(?<versioning>.*=?))?\\\n .*[:|=] \"?(?<depName>.*?):(?<currentValue>[^\"\\n]*=?)\"?"
+        "# renovate: docker-image( versioning=(?<versioning>.*=?))?\n .*[:|=] \"?(?<depName>.*?):(?<currentValue>[^\"\n]*=?)\"?"
      ],
      "datasourceTemplate": "docker",
      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
    },
    {
-      "customType": "regex",
      "description": ["Raw GitHub URL Regex manager"],
      "fileMatch": ["infrastructure/.+\\.ya?ml$", "kubernetes/.+\\.ya?ml$"],
      "matchStrings": [
@ -72,24 +69,24 @@
    {
      "description": "Flux Group",
      "groupName": "Flux",
+      "matchPackagePatterns": ["^flux", "^ghcr.io/fluxcd/"],
      "matchDatasources": ["docker", "github-tags"],
      "versioning": "semver",
      "group": {
        "commitMessageTopic": "{{{groupName}}} group"
      },
-      "separateMinorPatch": true,
-      "matchPackageNames": ["/^flux/", "/^ghcr.io/fluxcd//"]
+      "separateMinorPatch": true
    },
    {
      "description": "Mastodon images",
      "groupName": "Mastodon",
+      "matchPackagePatterns": ["mastodon", "^ghcr.io/mastodon/"],
      "matchDatasources": ["docker", "github-tags"],
      "versioning": "semver",
      "group": {
        "commitMessageTopic": "{{{groupName}}} group"
      },
-      "separateMinorPatch": true,
-      "matchPackageNames": ["/mastodon/", "/^ghcr.io/mastodon//"]
+      "separateMinorPatch": true
    },
    {
      "description": "1Password Connect images",
@ -107,12 +104,12 @@
    {
      "description": "Rook-Ceph image and chart",
      "groupName": "Rook Ceph",
+      "matchPackagePatterns": ["rook.ceph"],
      "matchDatasources": ["docker", "helm"],
      "group": {
        "commitMessageTopic": "{{{groupName}}} group"
      },
-      "separateMinorPatch": true,
-      "matchPackageNames": ["/rook.ceph/"]
+      "separateMinorPatch": true
    },
    {
      "description": "Cilium image and chart",
@ -131,7 +128,10 @@
    {
      "description": "External Snapshotter charts",
      "groupName": "External Snapshotter",
-      "matchPackageNames": ["snapshot-controller", "snapshot-validation-webhook"],
+      "matchPackageNames": [
+        "snapshot-controller",
+        "snapshot-validation-webhook"
+      ],
      "matchDatasources": ["helm"],
      "group": {
        "commitMessageTopic": "{{{groupName}}} group"
@ -141,22 +141,23 @@
    {
      "description": "Thanos image and chart - versions do not match",
      "groupName": "Thanos",
+      "matchPackagePatterns": ["quay.io/thanos/thanos", "thanos"],
      "matchDatasources": ["docker", "github-releases", "helm"],
      "matchUpdateTypes": ["minor", "patch"],
      "group": {
        "commitMessageTopic": "{{{groupName}}} group"
-      },
-      "matchPackageNames": ["/quay.io/thanos/thanos/", "/thanos/"]
+      }
    },
    {
      "description": "Vector image and chart - versions do not match",
      "groupName": "Vector",
+      "matchPackagePatterns": ["vector"],
      "matchDatasources": ["docker", "github-releases", "helm"],
      "matchUpdateTypes": ["minor", "patch"],
      "group": {
        "commitMessageTopic": "{{{groupName}}} group"
-      },
-      "matchPackageNames": ["/vector/"]
+      }
    }
+    // Version strategies
  ]
 }
--- a/shell.nix
+++ b/shell.nix
@ -3,11 +3,6 @@
 pkgs.mkShell {
  # Enable experimental features without having to specify the argument
  NIX_CONFIG = "experimental-features = nix-command flakes";
-  shellHook = ''
-    export TMP=$(mktemp -d "/tmp/nix-shell-XXXXXX")
-    export TEMP=$TMP
-    export TMPDIR=$TMP
-  '';

  nativeBuildInputs = with pkgs; [
    fluxcd
@ -15,6 +10,8 @@ pkgs.mkShell {
    gitleaks
    helmfile
    k9s
+    krew
+    kubectl
    kubevirt
    kubernetes-helm
    pre-commit
@ -23,6 +20,5 @@ pkgs.mkShell {
    mqttui
    kustomize
    yq-go
-    go-task
  ];
 }