60 changed files with 356 additions and 966 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
--- a/AGENTS.md
+++ b/AGENTS.md
@ -1,31 +1,11 @@
-NAME                    STATUS   ROLES           AGE   VERSION        INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                           KERNEL-VERSION           CONTAINER-RUNTIME
+NAME         STATUS   ROLES           AGE     VERSION        INTERNAL-IP      EXTERNAL-IP   OS-IMAGE                           KERNEL-VERSION                        CONTAINER-RUNTIME
-localhost.localdomain   Ready    control-plane         v1.34.6+k3s1   10.0.1.2      <none>        Fedora Linux 43 (Server Edition)   6.17.1-300.fc43.x86_64   containerd://2.2.2-bd1.34
+dogbox       Ready    control-plane   3h31m   v1.34.6+k3s1   10.0.1.2         <none>        Fedora Linux 40 (Server Edition)   6.9.6-200.fc40.x86_64                 containerd://2.2.2-bd1.34
-lima-mac-worker         Ready    <none>                v1.34.6+k3s1   10.0.1.58     <none>        Ubuntu 25.10                       6.17.0-22-generic        containerd://2.2.2-bd1.34
+mac-worker   Ready    <none>          3h13m   v1.34.6+k3s1   192.168.139.12   <none>        Ubuntu 25.10                       6.17.8-orbstack-00308-g8f9c941121b1   containerd://2.2.2-bd1.34
-The mac-worker is running inside a Lima VM on macOS.
+The mac-worker is running inside orbstack linux VM if that matters.
 I have a DNS rewrite pointing *.internal to 10.0.1.250 which is traefik-internal.
 /dogstore/ is a NFS path that's available to all nodes
 secrets are managed by sops
 ## Load balancers
 Two LB implementations coexist: k3s klipper (servicelb) and MetalLB. They are
 separated by `loadBalancerClass` so they don't conflict.
 - **klipper** handles services with NO `loadBalancerClass`. It creates svclb
  DaemonSet pods that bind host ports directly on every node.
 - **MetalLB** handles services with `loadBalancerClass: metallb`. Its pool has
  `autoAssign: false`, so it only assigns IPs to services that explicitly
  request a pool via the `metallb.io/address-pool` annotation.
 | Service          | loadBalancerClass | LB       | External IPs              |
 |------------------|-------------------|----------|---------------------------|
 | traefik          | (none)            | klipper  | 10.0.1.2, 10.0.1.58      |
 | traefik-internal | metallb           | MetalLB  | 10.0.1.250                |
 `loadBalancerClass` is immutable on k8s Services. Changing it requires deleting
 the Service first, then redeploying (`kubectl delete svc … && helm upgrade`).
--- a/Headlamp.md
+++ b/Headlamp.md
@ -1,22 +0,0 @@
 # Headlamp — Manual Token Access
 The `charts/headlamp` Helm chart deploys Headlamp with its own in-cluster
 ServiceAccount (`headlamp`) and a `cluster-admin` ClusterRoleBinding. That
 SA is used by the running pod and does not require manual setup.
 To generate a **bearer token** for logging in to the Headlamp UI (e.g. from
 a browser), create a separate short-lived token:
 ```bash
 kubectl -n apps create token headlamp --duration=48h
 ```
 If you need a dedicated SA for external/long-lived access instead:
 ```bash
 kubectl -n apps create serviceaccount headlamp-admin
 kubectl create clusterrolebinding headlamp-admin \
  --serviceaccount=apps:headlamp-admin \
  --clusterrole=cluster-admin
 kubectl -n apps create token headlamp-admin
 ```
--- a/MetalLB.md
+++ b/MetalLB.md
@ -1,17 +0,0 @@
 # MetalLB — Manual Setup
 MetalLB is **not** included in `bootstrap.sh deploy`. It must be installed
 manually before deploying `traefik-internal` (which depends on the MetalLB
 `loadBalancerClass`).
 ```bash
 helm repo add metallb https://metallb.github.io/metallb
 helm repo update
 helm dependency build charts/metallb
 helm upgrade --install metallb charts/metallb -n kube-system --wait
 ```
 The chart wraps the upstream MetalLB subchart and adds a custom
 `IPAddressPool` + `L2Advertisement` (defined in `charts/metallb/templates/pool.yaml`).
 The pool assigns a single IP (`10.0.1.250`) with `autoAssign: false`, so only
 services that explicitly request the `internal` pool via annotation get that IP.
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
 # Homelab — k3s Cluster
-2-node k3s cluster (1 control-plane, 1 worker) running a self-hosted homelab stack on `ratboo.me`.
+2-node k3s cluster (1 manager, 1 worker) running a self-hosted homelab stack on `ratboo.me`.
 ## Architecture
@ -8,8 +8,8 @@
 | Node | Role | OS | IP | Runtime |
 |------|------|----|----|---------|
-| **localhost.localdomain** (dogbox) | control-plane | Fedora Linux 43 (Server Edition) | `10.0.1.2` | k3s v1.34.6 + containerd |
+| **dogbox** | control-plane | Fedora 40 Server | `10.0.1.2` | k3s server + containerd |
-| **lima-mac-worker** | worker | Ubuntu 25.10 (Lima VM on macOS) | `10.0.1.58` | k3s v1.34.6 + containerd |
+| **mac-worker** | worker | Ubuntu 25.10 (OrbStack VM) | `192.168.139.12` | k3s agent + containerd |
 ### Overview
@ -20,70 +20,61 @@
                      *.ratboo.me
                             │
  ┌──────────────────────────┼──────────────────────────┐
-  │            localhost.localdomain (dogbox)             │
+  │                    dogbox (manager)                  │
-  │               Fedora 43 · 10.0.1.2                   │
+  │               Fedora 40 · 10.0.1.2                  │
  │                                                     │
  │  ┌─────────────────┐   ┌──────────────────────┐    │
  │  │  k3s server      │   │  Traefik (k3s)       │    │
  │  │  control-plane   │   │  :443 websecure      │    │
  │  └─────────────────┘   │  Let's Encrypt + CF   │    │
  │                         └──────────┬───────────┘    │
  │  ┌─────────────────┐              │                 │
  │  │ traefik-internal │   Routes to pods across       │
  │  │ :80 LB 10.0.1.250│   both nodes via CNI          │
  │  │ (MetalLB L2)     │              │                 │
  │  └─────────────────┘              │                 │
  │         Longhorn                   │                 │
  └──────────────┬─────────────────────┼─────────────────┘
                 │                     │
            NFS /dogstore         k3s cluster
                 │                     │
  ┌──────────────┴─────────────────────┼─────────────────┐
  │              mac-worker (worker)                      │
  │         Ubuntu 25.10 · OrbStack VM                   │
  │               192.168.139.12                         │
  │                                                      │
-  │  ┌─────────────────┐   ┌──────────────────────┐     │
+  │         Longhorn · workload pods                     │
-  │  │  k3s server      │   │  Traefik (k3s)       │     │
+  └──────────────────────────────────────────────────────┘
  │  │  control-plane   │   │  :443 websecure      │     │
  │  └─────────────────┘   │  Let's Encrypt + CF   │     │
  │                         └──────────┬───────────┘     │
  │  ┌──────────────────┐             │                  │
  │  │ traefik-internal  │  Routes to pods across        │
  │  │ :80/:443 MetalLB  │  both nodes via CNI           │
  │  │ LB 10.0.1.250    │             │                  │
  │  └──────────────────┘             │                  │
  └───────────────┬───────────────────┼──────────────────┘
                  │                   │
             NFS /dogstore       k3s cluster
                  │                   │
  ┌───────────────┴───────────────────┼──────────────────┐
  │              lima-mac-worker (worker)                  │
  │         Ubuntu 25.10 · Lima VM on macOS               │
  │                    10.0.1.58                          │
  │                                                       │
  │              workload pods                            │
  └───────────────────────────────────────────────────────┘
 ```
 ### Networking
-**Public ingress** — k3s bundles Traefik, configured via `HelmChartConfig` in `traefik-config`. TLS terminates at Traefik using Let's Encrypt with Cloudflare DNS-01 challenge. HTTP automatically redirects to HTTPS. klipper (servicelb) exposes the public Traefik on every node IP.
+**Public ingress** — k3s bundles Traefik, configured via `HelmChartConfig` in `traefik-config`. TLS terminates at Traefik using Let's Encrypt with Cloudflare DNS-01 challenge. HTTP automatically redirects to HTTPS.
 | Public hostname | Service |
 |-----------------|---------|
 | `plex.ratboo.me` | Plex |
-| `watch.ratboo.me` | Seerr |
+| `sonarr.ratboo.me` | Sonarr |
 | `radarr.ratboo.me` | Radarr |
 | `paperless.ratboo.me` | Paperless-ngx |
 | `mealie.ratboo.me` | Mealie |
 | `watch.ratboo.me` | Seerr |
-**Internal ingress** — A separate Traefik instance (`traefik-internal`) listens on `10.0.1.250` (ports 80 and 443), served by MetalLB L2. A DNS rewrite points `*.internal` to that IP. Internal services use Traefik `IngressRoute` CRDs with `ingressClass: traefik-internal`. Every service with a `*-ingressroute.yaml` template gets an `*.dog` hostname on this Traefik.
+**Internal ingress** — A separate Traefik instance (`traefik-internal`) listens on `10.0.1.250:80`, served by MetalLB L2. A DNS rewrite points `*.internal` to that IP. Internal services use Traefik `IngressRoute` CRDs with `ingressClass: traefik-internal`.
 | Internal hostname | Service |
 |-------------------|---------|
-| `plex.dog` | Plex |
+| `homepage.rat` | Homepage |
-| `sonarr.dog` | Sonarr |
+| `glance.rat` | Glance |
 | `radarr.dog` | Radarr |
 | `bazarr.dog` | Bazarr |
 | `prowlarr.dog` | Prowlarr |
 | `qbittorrent.dog` | qBittorrent |
 | `seerr.dog` | Seerr |
 | `paperless.dog` | Paperless-ngx |
 | `mealie.dog` | Mealie |
 | `homepage.dog` | Homepage |
 | `glance.dog` | Glance |
 | `headlamp.dog` | Headlamp |
 | `zerobyte.dog` | Zerobyte |
-**No ingress:** unpackerr (background download-extraction daemon, no web UI).
+**Cluster-only (no ingress):** Prowlarr, Bazarr, qBittorrent, Zerobyte.
 ### Storage
 | Mechanism | Use |
 |-----------|-----|
-| **NFS via hostPath `/dogstore`** | Large/shared data — Plex media + transcode, Sonarr/Radarr/qBittorrent/unpackerr data trees, Paperless documents, Homepage/Glance configs, ACME cert storage |
+| **Longhorn** (`storageClass: longhorn`, replica count 2) | Small config/state PVCs — Traefik ACME (128Mi), app configs (1–20Gi), Paperless Postgres/Redis, Mealie data, Seerr, Zerobyte |
-| **hostPath `/home/alvin/service-data`** | App config directories on dogbox (Seerr, etc.) |
+| **NFS via hostPath `/dogstore`** | Large/shared data — Plex media + transcode, Sonarr/Radarr/qBittorrent/unpackerr data trees, Paperless documents, Homepage/Glance configs |
 | **local-path (default StorageClass)** | k3s built-in provisioner for any PVCs (rancher.io/local-path) |
 ### Secrets
@ -93,23 +84,24 @@ SOPS + age encryption. All secrets live in `secrets/secrets.enc.yaml`, encrypted
 | Namespace | Contents |
 |-----------|----------|
-| `kube-system` | k3s Traefik + `traefik-config` (HelmChartConfig + redirect middleware), `traefik-internal`, MetalLB controller + speakers, CoreDNS, metrics-server |
+| `kube-system` | k3s Traefik, `traefik-config` (HelmChartConfig + redirect middleware) |
-| `media` | Plex, Sonarr, Radarr, Bazarr, Prowlarr, qBittorrent, unpackerr, Seerr |
+| `longhorn-system` | Longhorn storage |
-| `apps` | Paperless-ngx + Postgres + Redis, Mealie, Homepage, Glance, Headlamp, Zerobyte |
+| `media` | Plex, Sonarr, Radarr, Bazarr, Prowlarr, qBittorrent, unpackerr |
 | `paperless` | Paperless-ngx, Redis, PostgreSQL |
 | `apps` | Mealie, Homepage, Glance, Seerr, Zerobyte |
 ## Services
 | Chart | Namespace | Services | Notes |
 |-------|-----------|----------|-------|
-| traefik-config | kube-system | Traefik HelmChartConfig overlay | Cloudflare DNS-01, ACME on hostPath `/dogstore` |
+| traefik-config | kube-system | Traefik HelmChartConfig overlay | Cloudflare DNS-01, ACME on Longhorn |
-| traefik-internal | kube-system | Internal Traefik instance | LB via MetalLB at `10.0.1.250`, ports 80/443/9095 |
+| traefik-internal | — | Internal Traefik instance | LB via MetalLB at `10.0.1.250` |
-| metallb | kube-system | MetalLB L2 pool | Single-IP pool (`10.0.1.250`) for internal LB |
+| metallb | — | MetalLB L2 pool | Single-IP pool for internal LB |
-| media | media | Plex, Sonarr, Radarr, Bazarr, Prowlarr, qBittorrent, unpackerr, Seerr | Media stack with `/dogstore` data paths |
+| media | media | Plex, Sonarr, Radarr, Bazarr, Prowlarr, qBittorrent, unpackerr | Media stack with `/dogstore` data paths |
-| paperless | apps | Paperless-ngx, Redis, PostgreSQL | Postgres 15, Redis 7 |
+| paperless | paperless | Paperless-ngx, Redis, PostgreSQL | Postgres 15, Redis 7 |
-| mealie | apps | Mealie (v3.16.0) | Gemini API integration for recipes |
+| mealie | apps | Mealie (v3.14.0) | Gemini API integration for recipes |
 | dashboards | apps | Homepage, Glance | Internal-only via `traefik-internal` |
-| headlamp | apps | Headlamp | K8s dashboard, internal-only via `traefik-internal` |
+| utils | apps | Seerr, Zerobyte | Seerr public, Zerobyte cluster-only |
 | utils | apps | Zerobyte | Backup service, internal-only via `traefik-internal` |
 ## Prerequisites
@ -133,7 +125,13 @@ This prints the worker join command at the end.
 K3S_URL="https://<manager-ip>:6443" K3S_TOKEN="<token>" ./scripts/bootstrap.sh agent
 ```
-### 3. Set up SOPS encryption
+### 3. Install Longhorn
 ```bash
 ./scripts/bootstrap.sh longhorn
 ```
 ### 4. Set up SOPS encryption
 Generate an age keypair (run on each node):
@ -148,54 +146,34 @@ Copy the public key into `.sops.yaml`, replacing the placeholder. Then encrypt y
 sops -e -i secrets/secrets.enc.yaml
 ```
-### 4. Apply secrets
+### 5. Apply secrets
 ```bash
 ./scripts/bootstrap.sh apply-secrets
 ```
-### 5. Deploy MetalLB and internal Traefik (manual)
+### 6. Deploy all charts
 These are deployed separately before the main charts because other services depend on them:
 ```bash
 helm dependency build charts/metallb
 helm upgrade --install metallb charts/metallb -n kube-system --wait
 helm upgrade --install traefik-internal charts/traefik-internal -n kube-system --wait
 ```
 ### 6. Deploy all application charts
 ```bash
 ./scripts/bootstrap.sh deploy
 ```
 This installs (in order): `traefik-config`, `media`, `paperless`, `mealie`, `dashboards`, `utils`, `headlamp`.
 Or deploy individually:
 ```bash
 # Traefik config goes in kube-system (managed by k3s)
 helm upgrade --install traefik-config charts/traefik-config -n kube-system
 kubectl create namespace apps
 helm upgrade --install headlamp charts/headlamp -n apps
 helm upgrade --install dashboards charts/dashboards -n apps
 helm upgrade --install paperless charts/paperless -n apps
 helm upgrade --install mealie charts/mealie -n apps
 helm upgrade --install utils charts/utils -n apps
 helm upgrade --install gitea charts/gitea -n apps
 kubectl create namespace media
 helm upgrade --install media charts/media -n media
 ```
-### Optional: Install Longhorn
+kubectl create namespace paperless
 helm upgrade --install paperless charts/paperless -n paperless
-The bootstrap script includes a Longhorn install command, but it is not currently deployed:
+kubectl create namespace apps
 helm upgrade --install mealie charts/mealie -n apps
 helm upgrade --install dashboards charts/dashboards -n apps
 helm upgrade --install utils charts/utils -n apps
-```bash
+# Traefik config goes in kube-system (managed by k3s)
-./scripts/bootstrap.sh longhorn
+helm upgrade --install traefik-config charts/traefik-config -n kube-system
 ```
 ## Verifying
@ -206,7 +184,6 @@ kubectl get pods -A
 # Check ingress routes
 kubectl get ingress -A
 kubectl get ingressroute -A
 # Test a specific service
 curl -I https://mealie.ratboo.me
@ -233,12 +210,12 @@ homelab/
 │   ├── traefik-config/      # k3s Traefik overrides (HelmChartConfig)
 │   ├── traefik-internal/    # Separate internal Traefik instance
 │   ├── metallb/             # MetalLB L2 for internal LB IP
-│   ├── media/               # Plex, Sonarr, Radarr, Bazarr, Prowlarr, qBittorrent, unpackerr, Seerr
+│   ├── media/               # Plex, *arr stack, qBittorrent, unpackerr
 │   ├── paperless/           # Paperless-ngx + Postgres + Redis
 │   ├── mealie/              # Mealie recipe manager
 │   ├── dashboards/          # Homepage + Glance (internal only)
-│   ├── headlamp/            # Headlamp K8s dashboard (internal only)
+│   └── utils/               # Seerr + Zerobyte
 │   └── utils/               # Zerobyte backup
 └── secrets/
    └── secrets.enc.yaml
 ```
--- a/charts/dashboards/Chart.yaml
+++ b/charts/dashboards/Chart.yaml
--- a/charts/dashboards/templates/glance-ingressroute.yaml
+++ b/charts/dashboards/templates/glance-ingressroute.yaml
--- a/charts/dashboards/templates/glance.yaml
+++ b/charts/dashboards/templates/glance.yaml
--- a/charts/dashboards/templates/homepage-ingressroute.yaml
+++ b/charts/dashboards/templates/homepage-ingressroute.yaml
--- a/charts/dashboards/templates/homepage.yaml
+++ b/charts/dashboards/templates/homepage.yaml
--- a/charts/dashboards/values.yaml
+++ b/charts/dashboards/values.yaml
--- a/charts/gitea/Chart.yaml
+++ b/charts/gitea/Chart.yaml
@ -1,5 +0,0 @@
 apiVersion: v2
 name: gitea
 description: Gitea self-hosted Git service
 version: 0.1.0
 type: application
--- a/charts/gitea/templates/gitea-ingressroute.yaml
+++ b/charts/gitea/templates/gitea-ingressroute.yaml
@ -1,32 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: gitea
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - web
  routes:
    - match: Host(`gitea.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: gitea
          port: 3000
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: gitea-tls
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`gitea.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: gitea
          port: 3000
  tls: {}
--- a/charts/gitea/templates/gitea.yaml
+++ b/charts/gitea/templates/gitea.yaml
@ -1,102 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: gitea
  labels:
    app: gitea
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: gitea
  template:
    metadata:
      labels:
        app: gitea
    spec:
      nodeSelector:
        homelab/node-role: worker
      containers:
        - name: gitea
          image: {{ .Values.image }}
          ports:
            - name: http
              containerPort: 3000
            - name: ssh
              containerPort: 2222
          resources:
            limits:
              memory: {{ .Values.resources.limits.memory }}
          env:
            - name: USER_UID
              value: {{ .Values.puid | quote }}
            - name: USER_GID
              value: {{ .Values.pgid | quote }}
            - name: GITEA__server__DOMAIN
              value: gitea.{{ .Values.domain }}
            - name: GITEA__server__ROOT_URL
              value: https://gitea.{{ .Values.domain }}
            - name: GITEA__server__SSH_PORT
              value: "2222"
            - name: GITEA__server__SSH_LISTEN_PORT
              value: "2222"
            - name: GITEA__database__DB_TYPE
              value: postgres
            - name: GITEA__database__HOST
              value: gitea-postgres:5432
            - name: GITEA__database__NAME
              value: {{ .Values.postgres.database }}
            - name: GITEA__database__USER
              value: {{ .Values.postgres.user }}
            - name: GITEA__database__PASSWD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secretName }}
                  key: GITEA_DB_PASS
            - name: GITEA__service__DISABLE_REGISTRATION
              value: "true"
          volumeMounts:
            - name: data
              mountPath: /data
      volumes:
        - name: data
          hostPath:
            path: /dogstore/service-data/gitea
            type: DirectoryOrCreate
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: gitea
 spec:
  selector:
    app: gitea
  ports:
    - name: http
      port: 3000
      targetPort: 3000
    - name: ssh
      port: 2222
      targetPort: 2222
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: gitea
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls.certresolver: {{ .Values.certResolver }}
 spec:
  rules:
    - host: gitea.{{ .Values.domain }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gitea
                port:
                  number: 3000
--- a/charts/gitea/templates/postgres.yaml
+++ b/charts/gitea/templates/postgres.yaml
@ -1,59 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: gitea-postgres
  labels:
    app: gitea-postgres
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: gitea-postgres
  template:
    metadata:
      labels:
        app: gitea-postgres
    spec:
      initContainers:
        - name: fix-permissions
          image: busybox
          command: ["sh", "-c", "chown -R 999:999 /data"]
          volumeMounts:
            - name: data
              mountPath: /data
      containers:
        - name: postgres
          image: {{ .Values.postgres.image }}
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: {{ .Values.postgres.database }}
            - name: POSTGRES_USER
              value: {{ .Values.postgres.user }}
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secretName }}
                  key: GITEA_DB_PASS
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: data
          hostPath:
            path: /dogstore/service-data/gitea/pgdata
            type: DirectoryOrCreate
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: gitea-postgres
 spec:
  selector:
    app: gitea-postgres
  ports:
    - port: 5432
      targetPort: 5432
--- a/charts/gitea/values.yaml
+++ b/charts/gitea/values.yaml
@ -1,19 +0,0 @@
 domain: ratboo.me
 internalDomain: dog
 certResolver: myresolver
 tz: America/Los_Angeles
 puid: "1000"
 pgid: "1000"
 image: gitea/gitea:1.23
 secretName: gitea-secrets
 resources:
  limits:
    memory: 512Mi
 postgres:
  image: docker.io/library/postgres:17
  database: gitea
  user: gitea
--- a/charts/headlamp/Chart.yaml
+++ b/charts/headlamp/Chart.yaml
@ -1,5 +0,0 @@
 apiVersion: v2
 name: headlamp
 description: Headlamp Kubernetes dashboard
 version: 0.1.0
 type: application
--- a/charts/headlamp/templates/headlamp-ingressroute.yaml
+++ b/charts/headlamp/templates/headlamp-ingressroute.yaml
@ -1,32 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: headlamp
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - web
  routes:
    - match: Host(`headlamp.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: headlamp
          port: 4466
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: headlamp-tls
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`headlamp.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: headlamp
          port: 4466
  tls: {}
--- a/charts/headlamp/templates/headlamp.yaml
+++ b/charts/headlamp/templates/headlamp.yaml
@ -1,59 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
  - kind: ServiceAccount
    name: headlamp
    namespace: {{ .Release.Namespace }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  labels:
    app: headlamp
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: headlamp
  template:
    metadata:
      labels:
        app: headlamp
    spec:
      serviceAccountName: headlamp
      nodeSelector:
        homelab/node-role: worker
      containers:
        - name: headlamp
          image: {{ .Values.image }}
          args:
            - -in-cluster
            - -plugins-dir=/headlamp/plugins
            - -enable-helm
          ports:
            - containerPort: 4466
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
 spec:
  selector:
    app: headlamp
  ports:
    - port: 4466
      targetPort: 4466
--- a/charts/headlamp/values.yaml
+++ b/charts/headlamp/values.yaml
@ -1,2 +0,0 @@
 image: ghcr.io/headlamp-k8s/headlamp:latest
 internalDomain: dog
--- a/charts/mealie/Chart.yaml
+++ b/charts/mealie/Chart.yaml
--- a/charts/mealie/templates/mealie-ingressroute.yaml
+++ b/charts/mealie/templates/mealie-ingressroute.yaml
@ -1,32 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: mealie
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - web
  routes:
    - match: Host(`mealie.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: mealie
          port: 9000
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: mealie-tls
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`mealie.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: mealie
          port: 9000
  tls: {}
--- a/charts/mealie/templates/mealie.yaml
+++ b/charts/mealie/templates/mealie.yaml
@ -1,3 +1,16 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: mealie-data
  labels:
    app: mealie
 spec:
  accessModes: [ReadWriteOnce]
  storageClassName: {{ .Values.storageClass }}
  resources:
    requests:
      storage: {{ .Values.storageSize }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -16,8 +29,6 @@ spec:
      labels:
        app: mealie
    spec:
      nodeSelector:
        homelab/node-role: worker
      containers:
        - name: mealie
          image: {{ .Values.image }}
@ -55,9 +66,8 @@ spec:
              mountPath: /app/data
      volumes:
        - name: data
-          hostPath:
+          persistentVolumeClaim:
-            path: /dogstore/service-data/mealie
+            claimName: mealie-data
            type: DirectoryOrCreate
 ---
 apiVersion: v1
 kind: Service
--- a/charts/mealie/values.yaml
+++ b/charts/mealie/values.yaml
@ -1,13 +1,14 @@
 domain: ratboo.me
 internalDomain: dog
 certResolver: myresolver
 tz: America/Los_Angeles
 puid: "1000"
 pgid: "1000"
-image: ghcr.io/mealie-recipes/mealie:v3.16.0
+image: ghcr.io/mealie-recipes/mealie:v3.14.0
 secretName: mealie-secrets
 storageClass: longhorn
 storageSize: 5Gi
 resources:
  limits:
--- a/charts/media/Chart.yaml
+++ b/charts/media/Chart.yaml
--- a/charts/media/templates/_helpers.tpl
+++ b/charts/media/templates/_helpers.tpl
@ -11,8 +11,3 @@ app.kubernetes.io/part-of: media
 - name: TZ
  value: {{ .Values.tz | quote }}
 {{- end -}}
 {{- define "media.requireMacWorker" -}}
 nodeSelector:
  homelab/node-role: worker
 {{- end -}}
--- a/charts/media/templates/bazarr.yaml
+++ b/charts/media/templates/bazarr.yaml
@ -1,3 +1,17 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: bazarr-config
  labels:
    app: bazarr
    {{- include "media.labels" . | nindent 4 }}
 spec:
  accessModes: [ReadWriteOnce]
  storageClassName: {{ .Values.storageClass }}
  resources:
    requests:
      storage: {{ .Values.bazarr.configSize }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -17,7 +31,6 @@ spec:
      labels:
        app: bazarr
    spec:
      {{- include "media.requireMacWorker" . | nindent 6 }}
      containers:
        - name: bazarr
          image: {{ .Values.bazarr.image }}
@ -34,16 +47,15 @@ spec:
              mountPath: /tv
      volumes:
        - name: config
-          hostPath:
+          persistentVolumeClaim:
-            path: {{ .Values.serviceData }}/bazarr/config
+            claimName: bazarr-config
            type: DirectoryOrCreate
        - name: movies
          hostPath:
-            path: /dogstore/sonarr/data/radarr-library
+            path: {{ .Values.dogstore }}/sonarr/data/radarr-library
            type: DirectoryOrCreate
        - name: tv
          hostPath:
-            path: /dogstore/sonarr/data/library
+            path: {{ .Values.dogstore }}/sonarr/data/library
            type: DirectoryOrCreate
 ---
 apiVersion: v1
@ -58,36 +70,3 @@ spec:
  ports:
    - port: 6767
      targetPort: 6767
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: bazarr-internal
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - web
  routes:
    - match: Host(`bazarr.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: bazarr
          port: 6767
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: bazarr-internal-tls
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`bazarr.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: bazarr
          port: 6767
  tls: {}
--- a/charts/media/templates/plex.yaml
+++ b/charts/media/templates/plex.yaml
@ -1,3 +1,17 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: plex-config
  labels:
    app: plex
    {{- include "media.labels" . | nindent 4 }}
 spec:
  accessModes: [ReadWriteOnce]
  storageClassName: {{ .Values.storageClass }}
  resources:
    requests:
      storage: {{ .Values.plex.configSize }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -17,7 +31,6 @@ spec:
      labels:
        app: plex
    spec:
      {{- include "media.requireMacWorker" . | nindent 6 }}
      containers:
        - name: plex
          image: {{ .Values.plex.image }}
@ -48,16 +61,15 @@ spec:
              mountPath: /data
      volumes:
        - name: config
-          hostPath:
+          persistentVolumeClaim:
-            path: /plex/database
+            claimName: plex-config
            type: Directory
        - name: transcode
          hostPath:
-            path: /plex/transcode
+            path: {{ .Values.dogstore }}/plex/transcode
-            type: Directory
+            type: DirectoryOrCreate
        - name: data
          hostPath:
-            path: /dogstore
+            path: {{ .Values.dogstore }}
            type: Directory
 ---
 apiVersion: v1
@ -94,36 +106,3 @@ spec:
                name: plex
                port:
                  number: 32400
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: plex-internal
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - web
  routes:
    - match: Host(`plex.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: plex
          port: 32400
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: plex-internal-tls
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`plex.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: plex
          port: 32400
  tls: {}
--- a/charts/media/templates/prowlarr.yaml
+++ b/charts/media/templates/prowlarr.yaml
@ -1,3 +1,17 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: prowlarr-config
  labels:
    app: prowlarr
    {{- include "media.labels" . | nindent 4 }}
 spec:
  accessModes: [ReadWriteOnce]
  storageClassName: {{ .Values.storageClass }}
  resources:
    requests:
      storage: {{ .Values.prowlarr.configSize }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -17,7 +31,6 @@ spec:
      labels:
        app: prowlarr
    spec:
      {{- include "media.requireMacWorker" . | nindent 6 }}
      containers:
        - name: prowlarr
          image: {{ .Values.prowlarr.image }}
@ -30,9 +43,8 @@ spec:
              mountPath: /config
      volumes:
        - name: config
-          hostPath:
+          persistentVolumeClaim:
-            path: {{ .Values.serviceData }}/prowlarr/config
+            claimName: prowlarr-config
            type: DirectoryOrCreate
 ---
 apiVersion: v1
 kind: Service
@ -46,36 +58,3 @@ spec:
  ports:
    - port: 9696
      targetPort: 9696
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: prowlarr-internal
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - web
  routes:
    - match: Host(`prowlarr.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: prowlarr
          port: 9696
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: prowlarr-internal-tls
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`prowlarr.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: prowlarr
          port: 9696
  tls: {}
--- a/charts/media/templates/qbittorrent.yaml
+++ b/charts/media/templates/qbittorrent.yaml
@ -1,3 +1,17 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: qbittorrent-config
  labels:
    app: qbittorrent
    {{- include "media.labels" . | nindent 4 }}
 spec:
  accessModes: [ReadWriteOnce]
  storageClassName: {{ .Values.storageClass }}
  resources:
    requests:
      storage: {{ .Values.qbittorrent.configSize }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -17,7 +31,6 @@ spec:
      labels:
        app: qbittorrent
    spec:
      {{- include "media.requireMacWorker" . | nindent 6 }}
      containers:
        - name: qbittorrent
          image: {{ .Values.qbittorrent.image }}
@ -39,12 +52,11 @@ spec:
              mountPath: /data
      volumes:
        - name: config
-          hostPath:
+          persistentVolumeClaim:
-            path: {{ .Values.serviceData }}/qbittorrent/config
+            claimName: qbittorrent-config
            type: DirectoryOrCreate
        - name: data
          hostPath:
-            path: /dogstore/sonarr/data
+            path: {{ .Values.dogstore }}/sonarr/data
            type: DirectoryOrCreate
 ---
 apiVersion: v1
@ -68,36 +80,3 @@ spec:
      port: 34034
      targetPort: 34034
      protocol: UDP
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: qbittorrent-internal
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - web
  routes:
    - match: Host(`qbittorrent.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: qbittorrent
          port: {{ .Values.qbittorrent.webuiPort }}
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: qbittorrent-internal-tls
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`qbittorrent.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: qbittorrent
          port: {{ .Values.qbittorrent.webuiPort }}
  tls: {}
--- a/charts/media/templates/radarr.yaml
+++ b/charts/media/templates/radarr.yaml
@ -1,3 +1,17 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: radarr-config
  labels:
    app: radarr
    {{- include "media.labels" . | nindent 4 }}
 spec:
  accessModes: [ReadWriteOnce]
  storageClassName: {{ .Values.storageClass }}
  resources:
    requests:
      storage: {{ .Values.radarr.configSize }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -17,7 +31,6 @@ spec:
      labels:
        app: radarr
    spec:
      {{- include "media.requireMacWorker" . | nindent 6 }}
      containers:
        - name: radarr
          image: {{ .Values.radarr.image }}
@ -32,12 +45,11 @@ spec:
              mountPath: /data
      volumes:
        - name: config
-          hostPath:
+          persistentVolumeClaim:
-            path: {{ .Values.serviceData }}/radarr/config
+            claimName: radarr-config
            type: DirectoryOrCreate
        - name: data
          hostPath:
-            path: /dogstore/sonarr/data # Media
+            path: {{ .Values.dogstore }}/sonarr/data
            type: DirectoryOrCreate
 ---
 apiVersion: v1
@ -53,35 +65,22 @@ spec:
    - port: 7878
      targetPort: 7878
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: networking.k8s.io/v1
-kind: IngressRoute
+kind: Ingress
 metadata:
-  name: radarr-internal
+  name: radarr
  annotations:
-    kubernetes.io/ingress.class: traefik-internal
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls.certresolver: {{ .Values.certResolver }}
 spec:
-  entryPoints:
+  rules:
-    - web
+    - host: radarr.{{ .Values.domain }}
-  routes:
+      http:
-    - match: Host(`radarr.{{ .Values.internalDomain }}`)
+        paths:
-      kind: Rule
+          - path: /
-      services:
+            pathType: Prefix
-        - name: radarr
+            backend:
-          port: 7878
+              service:
---
+                name: radarr
-apiVersion: traefik.io/v1alpha1
+                port:
-kind: IngressRoute
+                  number: 7878
 metadata:
  name: radarr-internal-tls
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`radarr.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: radarr
          port: 7878
  tls: {}
--- a/charts/media/templates/sonarr.yaml
+++ b/charts/media/templates/sonarr.yaml
@ -1,3 +1,17 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: sonarr-config
  labels:
    app: sonarr
    {{- include "media.labels" . | nindent 4 }}
 spec:
  accessModes: [ReadWriteOnce]
  storageClassName: {{ .Values.storageClass }}
  resources:
    requests:
      storage: {{ .Values.sonarr.configSize }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -17,7 +31,6 @@ spec:
      labels:
        app: sonarr
    spec:
      {{- include "media.requireMacWorker" . | nindent 6 }}
      containers:
        - name: sonarr
          image: {{ .Values.sonarr.image }}
@ -32,12 +45,11 @@ spec:
              mountPath: /data
      volumes:
        - name: config
-          hostPath:
+          persistentVolumeClaim:
-            path: {{ .Values.serviceData }}/sonarr/config
+            claimName: sonarr-config
            type: DirectoryOrCreate
        - name: data
          hostPath:
-            path: /dogstore/sonarr/data # TV + Movies Library
+            path: {{ .Values.dogstore }}/sonarr/data
            type: DirectoryOrCreate
 ---
 apiVersion: v1
@ -53,35 +65,22 @@ spec:
    - port: 8989
      targetPort: 8989
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: networking.k8s.io/v1
-kind: IngressRoute
+kind: Ingress
 metadata:
-  name: sonarr-internal
+  name: sonarr
  annotations:
-    kubernetes.io/ingress.class: traefik-internal
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls.certresolver: {{ .Values.certResolver }}
 spec:
-  entryPoints:
+  rules:
-    - web
+    - host: sonarr.{{ .Values.domain }}
-  routes:
+      http:
-    - match: Host(`sonarr.{{ .Values.internalDomain }}`)
+        paths:
-      kind: Rule
+          - path: /
-      services:
+            pathType: Prefix
-        - name: sonarr
+            backend:
-          port: 8989
+              service:
---
+                name: sonarr
-apiVersion: traefik.io/v1alpha1
+                port:
-kind: IngressRoute
+                  number: 8989
 metadata:
  name: sonarr-internal-tls
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`sonarr.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: sonarr
          port: 8989
  tls: {}
--- a/charts/media/templates/unpackerr.yaml
+++ b/charts/media/templates/unpackerr.yaml
@ -17,7 +17,6 @@ spec:
      labels:
        app: unpackerr
    spec:
      {{- include "media.requireMacWorker" . | nindent 6 }}
      containers:
        - name: unpackerr
          image: {{ .Values.unpackerr.image }}
@ -86,9 +85,9 @@ spec:
      volumes:
        - name: data
          hostPath:
-            path: /dogstore/sonarr/data
+            path: {{ .Values.dogstore }}/sonarr/data
            type: DirectoryOrCreate
        - name: logs
          hostPath:
-            path: {{ .Values.serviceData }}/unpackerr/logs
+            path: {{ .Values.dogstore }}/logs/unpackerr
            type: DirectoryOrCreate
--- a/charts/media/values.yaml
+++ b/charts/media/values.yaml
@ -1,15 +1,16 @@
 domain: ratboo.me
 internalDomain: dog
 certResolver: myresolver
 tz: America/Los_Angeles
 puid: "1000"
 pgid: "1000"
-dogboxServiceData: /home/alvin/service-data
+dogstore: /dogstore
 serviceData: /service-data
 secretName: media-secrets
 storageClass: longhorn
 configStorageSize: 2Gi
 plex:
  image: plexinc/pms-docker:latest
  advertiseIp: "https://plex.ratboo.me:443"
@ -17,22 +18,24 @@ plex:
 sonarr:
  image: ghcr.io/hotio/sonarr:latest
  configSize: 2Gi
 radarr:
  image: ghcr.io/hotio/radarr:latest
  configSize: 2Gi
 bazarr:
  image: lscr.io/linuxserver/bazarr:latest
  configSize: 1Gi
 prowlarr:
  image: ghcr.io/hotio/prowlarr:latest
  configSize: 1Gi
 qbittorrent:
  image: ghcr.io/hotio/qbittorrent:latest
  configSize: 1Gi
  webuiPort: 9191
 unpackerr:
  image: golift/unpackerr
 seerr:
  image: ghcr.io/seerr-team/seerr:latest
--- a/charts/metallb/Chart.lock
+++ b/charts/metallb/Chart.lock
--- a/charts/metallb/Chart.yaml
+++ b/charts/metallb/Chart.yaml
--- a/charts/metallb/templates/pool.yaml
+++ b/charts/metallb/templates/pool.yaml
@ -3,11 +3,7 @@ apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
  name: {{ .Values.pool.name }}
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-weight": "0"
 spec:
  autoAssign: false
  addresses:
    {{- range .Values.pool.addresses }}
    - {{ . }}
@ -17,9 +13,6 @@ apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
 metadata:
  name: {{ .Values.pool.name }}
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-weight": "1"
 spec:
  ipAddressPools:
    - {{ .Values.pool.name }}
--- a/charts/metallb/values.yaml
+++ b/charts/metallb/values.yaml
@ -1,5 +1,4 @@
 metallb:
  loadBalancerClass: metallb
  controller:
    nodeSelector:
      node-role.kubernetes.io/control-plane: "true"
@ -8,7 +7,7 @@ metallb:
        effect: NoSchedule
 pool:
-  enabled: true
+  enabled: false
  name: internal
  addresses:
    - "10.0.1.250-10.0.1.250"
--- a/charts/paperless/Chart.yaml
+++ b/charts/paperless/Chart.yaml
--- a/charts/paperless/templates/paperless-ingressroute.yaml
+++ b/charts/paperless/templates/paperless-ingressroute.yaml
@ -1,32 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: paperless
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - web
  routes:
    - match: Host(`paperless.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: paperless-webserver
          port: 8000
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: paperless-tls
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`paperless.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: paperless-webserver
          port: 8000
  tls: {}
--- a/charts/paperless/templates/postgres.yaml
+++ b/charts/paperless/templates/postgres.yaml
@ -1,3 +1,16 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: paperless-postgres-data
  labels:
    app: paperless-postgres
 spec:
  accessModes: [ReadWriteOnce]
  storageClassName: {{ .Values.storageClass }}
  resources:
    requests:
      storage: {{ .Values.postgres.storageSize }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -16,13 +29,6 @@ spec:
      labels:
        app: paperless-postgres
    spec:
      initContainers:
        - name: fix-permissions
          image: busybox
          command: ["sh", "-c", "chown -R 999:999 /data"]
          volumeMounts:
            - name: data
              mountPath: /data
      containers:
        - name: postgres
          image: {{ .Values.postgres.image }}
@ -37,15 +43,14 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secretName }}
-                  key: PAPERLESS_DB_PASS
+                  key: POSTGRES_PASSWORD
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: data
-          hostPath:
+          persistentVolumeClaim:
-            path: {{ .Values.dogstore }}/service-data/paperless/pgdata
+            claimName: paperless-postgres-data
            type: DirectoryOrCreate
 ---
 apiVersion: v1
 kind: Service
--- a/charts/paperless/templates/redis.yaml
+++ b/charts/paperless/templates/redis.yaml
@ -1,3 +1,16 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: paperless-redis-data
  labels:
    app: paperless-redis
 spec:
  accessModes: [ReadWriteOnce]
  storageClassName: {{ .Values.storageClass }}
  resources:
    requests:
      storage: {{ .Values.redis.storageSize }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -26,9 +39,8 @@ spec:
              mountPath: /data
      volumes:
        - name: data
-          hostPath:
+          persistentVolumeClaim:
-            path: {{ .Values.dogstore }}/service-data/paperless/redisdata
+            claimName: paperless-redis-data
            type: DirectoryOrCreate
 ---
 apiVersion: v1
 kind: Service
--- a/charts/paperless/templates/webserver.yaml
+++ b/charts/paperless/templates/webserver.yaml
--- a/charts/paperless/values.yaml
+++ b/charts/paperless/values.yaml
@ -1,5 +1,4 @@
 domain: ratboo.me
 internalDomain: dog
 certResolver: myresolver
 tz: America/Los_Angeles
 puid: "1000"
@ -8,15 +7,18 @@ pgid: "1000"
 dogstore: /dogstore
 secretName: paperless-secrets
 storageClass: longhorn
 webserver:
  image: ghcr.io/paperless-ngx/paperless-ngx:latest
-  csrfTrustedOrigins: "https://paperless.ratboo.me,http://paperless.dog,https://paperless.dog"
+  csrfTrustedOrigins: "https://paperless.ratboo.me"
 redis:
  image: docker.io/library/redis:7
  storageSize: 1Gi
 postgres:
  image: docker.io/library/postgres:15
  storageSize: 5Gi
  database: paperless
  user: paperless
--- a/charts/traefik-config/Chart.yaml
+++ b/charts/traefik-config/Chart.yaml
--- a/charts/traefik-config/templates/helmchartconfig.yaml
+++ b/charts/traefik-config/templates/helmchartconfig.yaml
@ -5,11 +5,9 @@ metadata:
  namespace: kube-system
 spec:
  valuesContent: |-
-    nodeSelector:
+    service:
-      node-role.kubernetes.io/control-plane: "true"
+      spec:
-    tolerations:
+        loadBalancerClass: io.k3s.klipper
      - key: node-role.kubernetes.io/control-plane
        effect: NoSchedule
    logs:
      general:
        level: WARN
@ -23,7 +21,7 @@ spec:
      websecure:
        tls:
          certResolver: {{ .Values.certResolver }}
-    certificatesResolvers:
+    certResolvers:
      {{ .Values.certResolver }}:
        acme:
          email: {{ .Values.acmeEmail }}
@ -37,12 +35,7 @@ spec:
          secretKeyRef:
            name: {{ .Values.cloudflare.secretName }}
            key: {{ .Values.cloudflare.secretKey }}
-    deployment:
+    persistence:
-      additionalVolumes:
+      enabled: true
-        - name: acme
+      storageClass: longhorn
-          hostPath:
+      size: 128Mi
            path: /dogstore/service-data/.letsencrypt
            type: Directory
    additionalVolumeMounts:
      - name: acme
        mountPath: /letsencrypt
--- a/charts/traefik-config/templates/middleware-redirect.yaml
+++ b/charts/traefik-config/templates/middleware-redirect.yaml
--- a/charts/traefik-config/values.yaml
+++ b/charts/traefik-config/values.yaml
@ -9,4 +9,4 @@ cloudflare:
  secretKey: CF_DNS_API_TOKEN
 letsencrypt:
-  storagePath: /letsencrypt/acme.json
+  storagePath: /data/acme.json
--- a/charts/traefik-internal/Chart.yaml
+++ b/charts/traefik-internal/Chart.yaml
--- a/charts/traefik-internal/templates/tls-store.yaml
+++ b/charts/traefik-internal/templates/tls-store.yaml
--- a/charts/traefik-internal/templates/traefik-internal.yaml
+++ b/charts/traefik-internal/templates/traefik-internal.yaml
@ -82,7 +82,6 @@ metadata:
    metallb.io/address-pool: internal
 spec:
  type: LoadBalancer
  loadBalancerClass: metallb
  loadBalancerIP: {{ .Values.loadBalancerIP }}
  selector:
    app: traefik-internal
--- a/charts/traefik-internal/values.yaml
+++ b/charts/traefik-internal/values.yaml
--- a/charts/utils/Chart.yaml
+++ b/charts/utils/Chart.yaml
@ -1,5 +1,5 @@
 apiVersion: v2
 name: utils
-description: Utility services -- Zerobyte backup
+description: Utility services -- Zerobyte backup and Seerr media requests
 version: 0.1.0
 type: application
--- a/charts/utils/templates/seerr.yaml
+++ b/charts/utils/templates/seerr.yaml
@ -1,10 +1,22 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: seerr-config
  labels:
    app: seerr
 spec:
  accessModes: [ReadWriteOnce]
  storageClassName: {{ .Values.storageClass }}
  resources:
    requests:
      storage: {{ .Values.seerr.storageSize }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: seerr
  labels:
    app: seerr
    {{- include "media.labels" . | nindent 4 }}
 spec:
  replicas: 1
  strategy:
@ -17,15 +29,14 @@ spec:
      labels:
        app: seerr
    spec:
      nodeSelector:
        node-role.kubernetes.io/control-plane: "true"
      containers:
        - name: seerr
          image: {{ .Values.seerr.image }}
          ports:
            - containerPort: 5055
          env:
-            {{- include "media.commonEnv" . | nindent 12 }}
+            - name: TZ
              value: {{ .Values.tz | quote }}
          readinessProbe:
            httpGet:
              path: /api/v1/settings/public
@ -45,16 +56,13 @@ spec:
              mountPath: /app/config
      volumes:
        - name: config
-          hostPath:
+          persistentVolumeClaim:
-            path: {{ .Values.dogboxServiceData }}/seerr/config
+            claimName: seerr-config
            type: Directory
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: seerr
  labels:
    app: seerr
 spec:
  selector:
    app: seerr
@ -81,36 +89,3 @@ spec:
                name: seerr
                port:
                  number: 5055
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: seerr-internal
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - web
  routes:
    - match: Host(`seerr.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: seerr
          port: 5055
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: seerr-internal-tls
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`seerr.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: seerr
          port: 5055
  tls: {}
--- a/charts/utils/templates/zerobyte-ingressroute.yaml
+++ b/charts/utils/templates/zerobyte-ingressroute.yaml
@ -1,32 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: zerobyte
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - web
  routes:
    - match: Host(`zerobyte.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: zerobyte
          port: 4096
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: zerobyte-tls
  annotations:
    kubernetes.io/ingress.class: traefik-internal
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`zerobyte.{{ .Values.internalDomain }}`)
      kind: Rule
      services:
        - name: zerobyte
          port: 4096
  tls: {}
--- a/charts/utils/templates/zerobyte.yaml
+++ b/charts/utils/templates/zerobyte.yaml
@ -1,3 +1,16 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: zerobyte-data
  labels:
    app: zerobyte
 spec:
  accessModes: [ReadWriteOnce]
  storageClassName: {{ .Values.storageClass }}
  resources:
    requests:
      storage: {{ .Values.zerobyte.storageSize }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -25,12 +38,12 @@ spec:
            - name: TZ
              value: {{ .Values.tz | quote }}
            - name: BASE_URL
-              value: http://zerobyte.dog
+              value: http://{{ .Values.hostIp }}:4096
            - name: APP_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.zerobyte.secretName }}
-                  key: ZEROBYTE_APP_SECRET
+                  key: APP_SECRET
          volumeMounts:
            - name: data
              mountPath: /var/lib/zerobyte
@ -39,9 +52,8 @@ spec:
              readOnly: true
      volumes:
        - name: data
-          hostPath:
+          persistentVolumeClaim:
-            path: /home/alvin/service-data/zerobyte
+            claimName: zerobyte-data
            type: DirectoryOrCreate
        - name: localtime
          hostPath:
            path: /etc/localtime
--- a/charts/utils/values.yaml
+++ b/charts/utils/values.yaml
@ -1,10 +1,14 @@
 domain: ratboo.me
 internalDomain: dog
 certResolver: myresolver
 tz: America/Los_Angeles
 hostIp: "10.0.1.2"
 storageClass: longhorn
 zerobyte:
  image: ghcr.io/nicotsx/zerobyte:v0.33
  storageSize: 1Gi
  secretName: zerobyte-secrets
 seerr:
  image: ghcr.io/seerr-team/seerr:latest
  storageSize: 1Gi
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@ -108,16 +108,14 @@ cmd_deploy() {
  local charts_dir
  charts_dir="$(cd "$(dirname "$0")/.." && pwd)/charts"
-  local -a chart_order=(traefik-config media paperless mealie dashboards utils headlamp gitea)
+  local -a chart_order=(traefik-config media paperless mealie dashboards utils)
  local -A chart_ns=(
    [traefik-config]=kube-system
    [media]=media
-    [paperless]=apps
+    [paperless]=paperless
    [mealie]=apps
    [dashboards]=apps
    [utils]=apps
    [headlamp]=apps
    [gitea]=apps
  )
  for chart in "${chart_order[@]}"; do
--- a/secrets/secrets.enc.yaml
+++ b/secrets/secrets.enc.yaml
@ -6,12 +6,12 @@
 #ENC[AES256_GCM,data:y3lu8sygTZJ+TSJOyrFXShJGBu5gHYLT4A==,iv:xmugUAyc116U4nESzKAYcvz76BBGwHLK7HE61gnS2gE=,tag:1LTSMRi+Aat4hk2N7c+2gw==,type:comment]
 #ENC[AES256_GCM,data:/ny7h4o0XSF1kROKuEUD9xrZJYOJ7mTZGIgTtIWHdclmdd9vYTLNl2+Hb9kHzCCWUgPXRg6pOww=,iv:47xT9Fct8sJrfIf8qRGD1xUTEkgdGf+KC9hWQ3XJG44=,tag:yix6VVO+g10cLbUwLWdTeA==,type:comment]
 #ENC[AES256_GCM,data:du0a4InEiMTw4mg5EqVPpANM3j0FNpDSle2na/7Q0vM1Z4SE52Jvvz3ZIV99b1pY30QlFdnTGO/4grVJd7xiUYC5wCUNY/uGNYGX2HzOWZjByEb5p9VCOPS2Czl/pPGM9+9d08mn2u1Ww4Wt6a/hrFOUWQddjTNz7HwG66xT/YVTnCN++mTnkCbgQKIjV1YhpSQKWA5jNfgSqSVKwbEA60JvESavT51HSZnrAGKWIepaJc7S14jTp+tUdqA=,iv:SZKsksvhtXCcKByjV85stfmt/DGHSsSh+PTGuCfe874=,tag:IQWtYVrLFx8EfPtKb1tK9g==,type:comment]
-apiVersion: ENC[AES256_GCM,data:F6o=,iv:8McPTAtRKlG0wpF1DUXRrhkzNuoD97Vu4OFyI8Opy28=,tag:DgEjMs6yXKFEv6Uu8A8WDg==,type:str]
+apiVersion: ENC[AES256_GCM,data:3lY=,iv:MBpXRZ3rElkVBxAlvxmzORMCq0G87jB3Ik11tWMfz64=,tag:oPPwCxOiK3ePCWRhtHmN2w==,type:str]
-kind: ENC[AES256_GCM,data:eVSn4ODQ,iv:iDOb7kRnWbW1CYKILAZwbtlhbAqwi/I+YXFbHsmz2KI=,tag:dcWY/PdP2eMRv1HxmfyHoQ==,type:str]
+kind: ENC[AES256_GCM,data:8+Toxlr5,iv:DTaS/GEKGLtZsHQBYTGaQZYSp9mr/A5Vbuqi7uq46rU=,tag:1YvMaF1/eLNkZv0F3Du0zA==,type:str]
 metadata:
    name: ENC[AES256_GCM,data:RgUAwk6jY7DHv+CbTtyXx5nzEQQ=,iv:FeAx14K1od0ehMnbcpnD4FW1bpEF/3M+dq8NGoJwTJA=,tag:SziXyyeAgShOgsandPQD7A==,type:str]
    namespace: ENC[AES256_GCM,data:IgxkBPTfQ8rEWzA=,iv:56aP5rBeH9aupBi338/9r4fXZ1ova8ubO7N8elr2/qM=,tag:vfFTXJrQ2J5vln/rBGl/og==,type:str]
-type: ENC[AES256_GCM,data:YMUJyMI2,iv:o++4jFOch8C8g5iKCzot/AcHnERRO/Yqn/uHuCAIFEI=,tag:ReJgAAajctyGo7xYr2Yc8w==,type:str]
+type: ENC[AES256_GCM,data:Efo/5l3N,iv:moQ775VrJkfQFO3YPM3ZT77i0IzcWy/G7b5E4/XOyJY=,tag:zfEMZgXgO+qMQIvPrLeMsA==,type:str]
 stringData:
    CF_DNS_API_TOKEN: ENC[AES256_GCM,data:74wQ12RQ9M7BckVfPjbRUnEbeaFB0aOPIhZHrFo=,iv:SIS0dJBpXkcJLjqEGnM1mtD1CB76MN2rZObyG8bCVe4=,tag:Rac0lPa5J2JSkdKcVc1PtQ==,type:str]
 sops:
@ -25,18 +25,18 @@ sops:
            eGZTZ0VSUElFZVpqWlVISjNYdnA4UFUK/uOyj7CKU0XLHHdPNKByO2c56JWQfhk5
            oauimeYrkNE+06dhXgVcJiQH+HcB33tB9u3YS9LxFYs3R98zKAHG6g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-22T23:40:49Z"
+    lastmodified: "2026-04-19T21:05:51Z"
-    mac: ENC[AES256_GCM,data:WJrfgMP6ioP/GU65sv6tWIjYe//TgAwUDowG1mOqm5UlJ1LT31vs7vmmm+1tYO+jpjCoQlVM0S2e1z+CgrqSMye4+x3VhRTiQKW8DQAN7x8ILoDB+RVcmq8wlqMsubdUtBHray43YtGdeDj4f+Rr4FC84uf9Qgl4ywkiq5CKnc0=,iv:hkQ+QRw1VBbNzJEWx/pdbq7eZ5TrYie0xofzXWIgZDw=,tag:xcnSUQtiF407DHTG5NCALA==,type:str]
+    mac: ENC[AES256_GCM,data:GQx4YuPIIfZxRpWtHCa8pCtidtmdYoIdMsK0dQJO42XT9KR5lbwNaP3v4GoaDoeM+L7iAn2OprpE54KkwIwRfb3NAjTeUvXO+J/Yi4ZJnLtuTOlAZrC8YvjmiZ6DaL8pvpRz7VUCfzNOoyrbjSJ2Qv/PWAUENcDEU7yOHNv7RBA=,iv:FqYd2F4vBqSCeKPsrWY/a8RePgkU2aP9cadB6nMyWaQ=,tag:FC75r3bMOQDZZwO0qJi4xg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.2
 ---
 #ENC[AES256_GCM,data:ibx/1sx8LotfzeKT/rRsedIOoYD+F6aXbrA3QEqjfSrFAXWchGiLX9ddAY0q0DOGi7tFcty1rwWUj1Iiy+vd88zZDRhLSVgs0hIdqqPaHVubOWA7gAmxvZdb1faLU4cOAe7gL9bUdaBlGzQKat6miytnWBXL8qidoFl/Ps1wNNDXRBpe+TsQfVAp5T5jirq35s7GTeXUbQO3bNkKx/ZNHmV7ASctKeRv5TLuAJIwyU6UIGSSnx6Sdr43mZlm6iJjdoT6jQxeH7yB1Gut7g==,iv:wAtBwQNTI56JLHISsA1W00M3X+v6R6vEkNK1SVULsTg=,tag:Jk/4OdnXyV6/5VwFcXpX/A==,type:comment]
-apiVersion: ENC[AES256_GCM,data:F6o=,iv:8McPTAtRKlG0wpF1DUXRrhkzNuoD97Vu4OFyI8Opy28=,tag:DgEjMs6yXKFEv6Uu8A8WDg==,type:str]
+apiVersion: ENC[AES256_GCM,data:jNM=,iv:dt+kXGEjK6yS09KRE5I3uAXNLGN05RbO0GyjNTHYHtk=,tag:7z93Yh4m2SpZLHdxVIr1hw==,type:str]
-kind: ENC[AES256_GCM,data:eVSn4ODQ,iv:iDOb7kRnWbW1CYKILAZwbtlhbAqwi/I+YXFbHsmz2KI=,tag:dcWY/PdP2eMRv1HxmfyHoQ==,type:str]
+kind: ENC[AES256_GCM,data:ORSVG3Tn,iv:gqhsNppUalHTDcKa7q/P3TR5t4VZC1gLc2MgY8V6xEw=,tag:vr764iOVWPJujZd4rxRYKA==,type:str]
 metadata:
    name: ENC[AES256_GCM,data:1ngffZeDVnrLbux2pg==,iv:OXYS/A5PBvmIVw5qDu+Um7J/JhM8shVfP3KDIXNBCU0=,tag:wfmayiCBy22O+WIPBC3PPQ==,type:str]
    namespace: ENC[AES256_GCM,data:xCM+W3I=,iv:0KLfoYx8Q+NVsm84KZX3tClbWdwuTpI6/pD7HQMK3Fk=,tag:hSFwqHfnHWOPvesUhWyo+Q==,type:str]
-type: ENC[AES256_GCM,data:YMUJyMI2,iv:o++4jFOch8C8g5iKCzot/AcHnERRO/Yqn/uHuCAIFEI=,tag:ReJgAAajctyGo7xYr2Yc8w==,type:str]
+type: ENC[AES256_GCM,data:K3TlGbY8,iv:ZKm+PyQ4IAP0K1ymcMvWPOEUgUGzH93UkmH+rheJk7A=,tag:8tMEVI895tOOt8/tjiKRuw==,type:str]
 stringData:
    PLEX_CLAIM: ENC[AES256_GCM,data:A+dwGU//qfy6sBoww5c36xs2WcwdbQY=,iv:S6wOadxaC4ITyZN/7u5Lcu8AeBFdQLRqRlCHH3oSj28=,tag:hlNKdZGzURuFgcSrUrZyJA==,type:str]
    SONARR_API_KEY: ENC[AES256_GCM,data:VvU91ZNxv6tauBEyK9j8THxT8zw0mTLEmTTSRgYDEek=,iv:DZr5JL9T4f7XwQ03jkwVKfWA/xyAZlo4f/BKAzIIsQo=,tag:mCh8ExJvuoltcMlzAk6jpw==,type:str]
@ -52,18 +52,18 @@ sops:
            eGZTZ0VSUElFZVpqWlVISjNYdnA4UFUK/uOyj7CKU0XLHHdPNKByO2c56JWQfhk5
            oauimeYrkNE+06dhXgVcJiQH+HcB33tB9u3YS9LxFYs3R98zKAHG6g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-22T23:40:49Z"
+    lastmodified: "2026-04-19T21:05:51Z"
-    mac: ENC[AES256_GCM,data:WJrfgMP6ioP/GU65sv6tWIjYe//TgAwUDowG1mOqm5UlJ1LT31vs7vmmm+1tYO+jpjCoQlVM0S2e1z+CgrqSMye4+x3VhRTiQKW8DQAN7x8ILoDB+RVcmq8wlqMsubdUtBHray43YtGdeDj4f+Rr4FC84uf9Qgl4ywkiq5CKnc0=,iv:hkQ+QRw1VBbNzJEWx/pdbq7eZ5TrYie0xofzXWIgZDw=,tag:xcnSUQtiF407DHTG5NCALA==,type:str]
+    mac: ENC[AES256_GCM,data:GQx4YuPIIfZxRpWtHCa8pCtidtmdYoIdMsK0dQJO42XT9KR5lbwNaP3v4GoaDoeM+L7iAn2OprpE54KkwIwRfb3NAjTeUvXO+J/Yi4ZJnLtuTOlAZrC8YvjmiZ6DaL8pvpRz7VUCfzNOoyrbjSJ2Qv/PWAUENcDEU7yOHNv7RBA=,iv:FqYd2F4vBqSCeKPsrWY/a8RePgkU2aP9cadB6nMyWaQ=,tag:FC75r3bMOQDZZwO0qJi4xg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.2
 ---
 #ENC[AES256_GCM,data:rmGnwFT8rj+qcuyiuf4VdY5KJP5m4bMt9a1znHpQ+uYyrfzNoAH0eqn6yHMB3xAwFJtFOkzEdd0E1PaL5C30UbqtpwDNyzD0QYipIwDkQBGwRnkXXI8xw1ftE1zHcFWnPmnSH70hCJa+/Xu425pIyJeVlJhUqoOGkG5/gV0DQoVMnJXFXnh5a64Ggv7UzB92o9/iyUFMgi/7j4ePNQCc7Um1VePXc5mkRl8cQBbvwAgyMZo+IxDJ8hpS2HgbRGey5/RAxaDvRbwkyRU=,iv:Cl77wg8+J3D6QrIgbjRS/lzbJLf2qGkK/AtnIOoKG+E=,tag:m4TfMvHm5W612rrJJ+ytkA==,type:comment]
-apiVersion: ENC[AES256_GCM,data:F6o=,iv:8McPTAtRKlG0wpF1DUXRrhkzNuoD97Vu4OFyI8Opy28=,tag:DgEjMs6yXKFEv6Uu8A8WDg==,type:str]
+apiVersion: ENC[AES256_GCM,data:fyA=,iv:lkH+XfaHDNUNE3+oUW5lkA3ev0AEQZGe2y/J5H5G4AI=,tag:QCGr4Ia7Ea+CRWWoWSFaug==,type:str]
-kind: ENC[AES256_GCM,data:eVSn4ODQ,iv:iDOb7kRnWbW1CYKILAZwbtlhbAqwi/I+YXFbHsmz2KI=,tag:dcWY/PdP2eMRv1HxmfyHoQ==,type:str]
+kind: ENC[AES256_GCM,data:GS9uiEv6,iv:9VAdvjoF7thUVtJRpyaDnBOVlZ9so1p5f4iaw1WxJ0w=,tag:gDCWZfn4zCdyRdMup9Vs3Q==,type:str]
 metadata:
    name: ENC[AES256_GCM,data:XLV37KdISRoLUp4yo44=,iv:Hb2AQVYhhu5erfg+41edOfB4cT6O6e2k1ytEixVaZDk=,tag:2qP4C7sxSdkdnsTVRhsXcg==,type:str]
-    namespace: ENC[AES256_GCM,data:O6kz8Q==,iv:ZMv7m+YLaIChgNTM4Riopt2VUNg5HwUwdLR6bRA1Nf0=,tag:undk4ODEabPJbQKoa1He7A==,type:str]
+    namespace: ENC[AES256_GCM,data:S/sYVQ==,iv:SuUw6GPbT7YF66+O2w8al89NcJBr3oi8C12nZIbNWWc=,tag:NBVJrXnAhVJqx325MQnOTQ==,type:str]
-type: ENC[AES256_GCM,data:YMUJyMI2,iv:o++4jFOch8C8g5iKCzot/AcHnERRO/Yqn/uHuCAIFEI=,tag:ReJgAAajctyGo7xYr2Yc8w==,type:str]
+type: ENC[AES256_GCM,data:suP66pVq,iv:RrLuX+MOixEaR3iw4EMBCqkT03TW3xvmzdXsTf8kl2c=,tag:Id8xGXmFcmN+gYyZsohp3g==,type:str]
 stringData:
    OPENAI_API_KEY: ENC[AES256_GCM,data:1QtOURL+C0DcB4AQhvmQP2PqeNQm2VQWTr/alY4FQzbhCnpxSFLS,iv:hy+a7cAcUNYr1XkKK1JoG8imjh5kT7B2tr5FWfHgAds=,tag:72zQFszAQpPEzZ0v24V5yg==,type:str]
 sops:
@ -77,18 +77,18 @@ sops:
            eGZTZ0VSUElFZVpqWlVISjNYdnA4UFUK/uOyj7CKU0XLHHdPNKByO2c56JWQfhk5
            oauimeYrkNE+06dhXgVcJiQH+HcB33tB9u3YS9LxFYs3R98zKAHG6g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-22T23:40:49Z"
+    lastmodified: "2026-04-19T21:05:51Z"
-    mac: ENC[AES256_GCM,data:WJrfgMP6ioP/GU65sv6tWIjYe//TgAwUDowG1mOqm5UlJ1LT31vs7vmmm+1tYO+jpjCoQlVM0S2e1z+CgrqSMye4+x3VhRTiQKW8DQAN7x8ILoDB+RVcmq8wlqMsubdUtBHray43YtGdeDj4f+Rr4FC84uf9Qgl4ywkiq5CKnc0=,iv:hkQ+QRw1VBbNzJEWx/pdbq7eZ5TrYie0xofzXWIgZDw=,tag:xcnSUQtiF407DHTG5NCALA==,type:str]
+    mac: ENC[AES256_GCM,data:GQx4YuPIIfZxRpWtHCa8pCtidtmdYoIdMsK0dQJO42XT9KR5lbwNaP3v4GoaDoeM+L7iAn2OprpE54KkwIwRfb3NAjTeUvXO+J/Yi4ZJnLtuTOlAZrC8YvjmiZ6DaL8pvpRz7VUCfzNOoyrbjSJ2Qv/PWAUENcDEU7yOHNv7RBA=,iv:FqYd2F4vBqSCeKPsrWY/a8RePgkU2aP9cadB6nMyWaQ=,tag:FC75r3bMOQDZZwO0qJi4xg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.2
 ---
 #ENC[AES256_GCM,data:3I2e5Uv2dvWtDWXnVh0AULaS9z2Pcd/iUHjvycTsfxhDpzEJfc0a0dISctuLpELEyBv1PtYemFZ/XeTqGJswTF4vvzM7UL6scPezIm674aOtjVqPj7/C3nQgfnuY1qgVY7duawWZeaozf8hBKef1JJ1qR1T3Mati3YBIaw3fp1qjYyKo47/F19UT/qtL6mlu8CE3/zIVbzZGsKwfqhYf6oLg2I7aNlvJ0/yWz8RSjwmtWj8WzUD1wZh+DnFRiTlbE+kLdgw=,iv:i+4OhA58TOv1pzPInqu9qi9zunYzpNbvHrELXVsXis8=,tag:XJyBP8nci2u5X7THGox3CQ==,type:comment]
-apiVersion: ENC[AES256_GCM,data:F6o=,iv:8McPTAtRKlG0wpF1DUXRrhkzNuoD97Vu4OFyI8Opy28=,tag:DgEjMs6yXKFEv6Uu8A8WDg==,type:str]
+apiVersion: ENC[AES256_GCM,data:RdI=,iv:YlI7VI5Tk6f99ZhiJEI/LaGgmYejt6/8k0wo+n8G19E=,tag:WY473Ft6vXo0NkpGlnGq/w==,type:str]
-kind: ENC[AES256_GCM,data:eVSn4ODQ,iv:iDOb7kRnWbW1CYKILAZwbtlhbAqwi/I+YXFbHsmz2KI=,tag:dcWY/PdP2eMRv1HxmfyHoQ==,type:str]
+kind: ENC[AES256_GCM,data:5fh5Zy1D,iv:1qApXn+j2LFNs1fzrH8j6M84espcQz4cHwquEmsHDSU=,tag:MnWyue/omxF6Emrpsz9eEw==,type:str]
 metadata:
    name: ENC[AES256_GCM,data:ZYLasrZQ1Bu0jcLbRQjmjCo=,iv:O0uBw2j+X0CPaUkYQvnTVRgl9nNZBDF058/hZB/WFwY=,tag:xuwCgyi5VT9enQ3HlYzW1g==,type:str]
-    namespace: ENC[AES256_GCM,data:O6kz8Q==,iv:ZMv7m+YLaIChgNTM4Riopt2VUNg5HwUwdLR6bRA1Nf0=,tag:undk4ODEabPJbQKoa1He7A==,type:str]
+    namespace: ENC[AES256_GCM,data:Xr9+LDzWK7z+,iv:6iXdpkcUho23jU2BZLHKkxONTtQIYkZem9NVlyB/Ltk=,tag:3wV3EMtmqXr0yTUcfbqxCA==,type:str]
-type: ENC[AES256_GCM,data:YMUJyMI2,iv:o++4jFOch8C8g5iKCzot/AcHnERRO/Yqn/uHuCAIFEI=,tag:ReJgAAajctyGo7xYr2Yc8w==,type:str]
+type: ENC[AES256_GCM,data:+5bc8NF8,iv:JpVUvDJZdk++m1K5pyuPTF1p17X62Mlwv6GKK9Hqoz8=,tag:Kdihg3qXXHD0ieypkcvWSg==,type:str]
 stringData:
    PAPERLESS_DB_PASS: ENC[AES256_GCM,data:5/oF170q34nO,iv:y09u1KOZaIoUNtDog0sEbkj5gKD8C3JQyvNDSy0ElkI=,tag:WvIMb0Z0l7XXC6wB59ZTtg==,type:str]
 sops:
@ -102,18 +102,18 @@ sops:
            eGZTZ0VSUElFZVpqWlVISjNYdnA4UFUK/uOyj7CKU0XLHHdPNKByO2c56JWQfhk5
            oauimeYrkNE+06dhXgVcJiQH+HcB33tB9u3YS9LxFYs3R98zKAHG6g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-22T23:40:49Z"
+    lastmodified: "2026-04-19T21:05:51Z"
-    mac: ENC[AES256_GCM,data:WJrfgMP6ioP/GU65sv6tWIjYe//TgAwUDowG1mOqm5UlJ1LT31vs7vmmm+1tYO+jpjCoQlVM0S2e1z+CgrqSMye4+x3VhRTiQKW8DQAN7x8ILoDB+RVcmq8wlqMsubdUtBHray43YtGdeDj4f+Rr4FC84uf9Qgl4ywkiq5CKnc0=,iv:hkQ+QRw1VBbNzJEWx/pdbq7eZ5TrYie0xofzXWIgZDw=,tag:xcnSUQtiF407DHTG5NCALA==,type:str]
+    mac: ENC[AES256_GCM,data:GQx4YuPIIfZxRpWtHCa8pCtidtmdYoIdMsK0dQJO42XT9KR5lbwNaP3v4GoaDoeM+L7iAn2OprpE54KkwIwRfb3NAjTeUvXO+J/Yi4ZJnLtuTOlAZrC8YvjmiZ6DaL8pvpRz7VUCfzNOoyrbjSJ2Qv/PWAUENcDEU7yOHNv7RBA=,iv:FqYd2F4vBqSCeKPsrWY/a8RePgkU2aP9cadB6nMyWaQ=,tag:FC75r3bMOQDZZwO0qJi4xg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.2
 ---
 #ENC[AES256_GCM,data:txDOIoubztyTgbgUC4MMNxNIwDkjtF/m+H5YAZ6hdaHTCBjVZSVKhHjYJzLFPeHE2EL02SEgJaXSkyF0bWwWw/QfR/yCkiGPdZ0fAFDKtJJBtITkM4O5rwRCTEXsQXleWK5NM6M55s5ElWIlBE//uLt2+hPlDQv26EOwwAa9I7kW2bUPDGvYNJVc7mJSfjMQb6aOx1MzrA+PUryeBVdK0xdmBmiQaZyGC0MexEjBwAycVnCM,iv:u4rMeGWy1J779Z7JNFvWTsxDREbTWAS+bXFxQhPTyGA=,tag:mVoS7lSVAHcqPcQ6iqhjvA==,type:comment]
-apiVersion: ENC[AES256_GCM,data:F6o=,iv:8McPTAtRKlG0wpF1DUXRrhkzNuoD97Vu4OFyI8Opy28=,tag:DgEjMs6yXKFEv6Uu8A8WDg==,type:str]
+apiVersion: ENC[AES256_GCM,data:JGU=,iv:vr1Lkm9BBG2u8Ay0PGAIMTYUUKhMHIho3mVP1lY6it0=,tag:12JH+n4nUsYqmiy1+CnwfA==,type:str]
-kind: ENC[AES256_GCM,data:eVSn4ODQ,iv:iDOb7kRnWbW1CYKILAZwbtlhbAqwi/I+YXFbHsmz2KI=,tag:dcWY/PdP2eMRv1HxmfyHoQ==,type:str]
+kind: ENC[AES256_GCM,data:VLdoeXnN,iv:eH+/KpTMtpclAxFnjX5mXxkF73HUMJlskNSS/iW+g+U=,tag:NE/Xdc9qsfFmXAyZ4y+3HQ==,type:str]
 metadata:
    name: ENC[AES256_GCM,data:dKvmrGqwCK+KvfdBxcs=,iv:3B71qX/mVAJGMcKlxTrnfub3rp/o7PJ+mquxo+V6svY=,tag:gnvbDBvZexdbOHkQQNUInw==,type:str]
-    namespace: ENC[AES256_GCM,data:O6kz8Q==,iv:ZMv7m+YLaIChgNTM4Riopt2VUNg5HwUwdLR6bRA1Nf0=,tag:undk4ODEabPJbQKoa1He7A==,type:str]
+    namespace: ENC[AES256_GCM,data:93lKXQ==,iv:TQq2ZC7l1uQBc0FNRg6sQRfLuLIokQHpgAzRTcFmGsE=,tag:Mv+ih+YMDfYIihWNgnztow==,type:str]
-type: ENC[AES256_GCM,data:YMUJyMI2,iv:o++4jFOch8C8g5iKCzot/AcHnERRO/Yqn/uHuCAIFEI=,tag:ReJgAAajctyGo7xYr2Yc8w==,type:str]
+type: ENC[AES256_GCM,data:Ep25FUNF,iv:ZCzL99uhG0SYRXlu9j3GmgWtIxcfe6C9lEkP5EFr6SY=,tag:ANEtn7vXJisqoUlX7rEBAQ==,type:str]
 stringData:
    ADGUARD_PASSWORD: ENC[AES256_GCM,data:Keh2GHhvfSyp9Q==,iv:bJ2CdmjqMZUSVw2T1jerqT1gkiP6k+aL9VyGCVJ10wI=,tag:cfR6jRn6NyrZ3/2WM5SdKg==,type:str]
 sops:
@ -127,8 +127,8 @@ sops:
            eGZTZ0VSUElFZVpqWlVISjNYdnA4UFUK/uOyj7CKU0XLHHdPNKByO2c56JWQfhk5
            oauimeYrkNE+06dhXgVcJiQH+HcB33tB9u3YS9LxFYs3R98zKAHG6g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-22T23:40:49Z"
+    lastmodified: "2026-04-19T21:05:51Z"
-    mac: ENC[AES256_GCM,data:WJrfgMP6ioP/GU65sv6tWIjYe//TgAwUDowG1mOqm5UlJ1LT31vs7vmmm+1tYO+jpjCoQlVM0S2e1z+CgrqSMye4+x3VhRTiQKW8DQAN7x8ILoDB+RVcmq8wlqMsubdUtBHray43YtGdeDj4f+Rr4FC84uf9Qgl4ywkiq5CKnc0=,iv:hkQ+QRw1VBbNzJEWx/pdbq7eZ5TrYie0xofzXWIgZDw=,tag:xcnSUQtiF407DHTG5NCALA==,type:str]
+    mac: ENC[AES256_GCM,data:GQx4YuPIIfZxRpWtHCa8pCtidtmdYoIdMsK0dQJO42XT9KR5lbwNaP3v4GoaDoeM+L7iAn2OprpE54KkwIwRfb3NAjTeUvXO+J/Yi4ZJnLtuTOlAZrC8YvjmiZ6DaL8pvpRz7VUCfzNOoyrbjSJ2Qv/PWAUENcDEU7yOHNv7RBA=,iv:FqYd2F4vBqSCeKPsrWY/a8RePgkU2aP9cadB6nMyWaQ=,tag:FC75r3bMOQDZZwO0qJi4xg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.2
 ---
@ -152,32 +152,7 @@ sops:
            eGZTZ0VSUElFZVpqWlVISjNYdnA4UFUK/uOyj7CKU0XLHHdPNKByO2c56JWQfhk5
            oauimeYrkNE+06dhXgVcJiQH+HcB33tB9u3YS9LxFYs3R98zKAHG6g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-22T23:40:49Z"
+    lastmodified: "2026-04-19T21:05:51Z"
-    mac: ENC[AES256_GCM,data:WJrfgMP6ioP/GU65sv6tWIjYe//TgAwUDowG1mOqm5UlJ1LT31vs7vmmm+1tYO+jpjCoQlVM0S2e1z+CgrqSMye4+x3VhRTiQKW8DQAN7x8ILoDB+RVcmq8wlqMsubdUtBHray43YtGdeDj4f+Rr4FC84uf9Qgl4ywkiq5CKnc0=,iv:hkQ+QRw1VBbNzJEWx/pdbq7eZ5TrYie0xofzXWIgZDw=,tag:xcnSUQtiF407DHTG5NCALA==,type:str]
+    mac: ENC[AES256_GCM,data:GQx4YuPIIfZxRpWtHCa8pCtidtmdYoIdMsK0dQJO42XT9KR5lbwNaP3v4GoaDoeM+L7iAn2OprpE54KkwIwRfb3NAjTeUvXO+J/Yi4ZJnLtuTOlAZrC8YvjmiZ6DaL8pvpRz7VUCfzNOoyrbjSJ2Qv/PWAUENcDEU7yOHNv7RBA=,iv:FqYd2F4vBqSCeKPsrWY/a8RePgkU2aP9cadB6nMyWaQ=,tag:FC75r3bMOQDZZwO0qJi4xg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.2
 ---
 #ENC[AES256_GCM,data:nMA2+3xncC8MS36NjOh8hFQazy+v/nGIFIqSbnSFd/YtVOUsAPW46GMZrz6x0rrw4aCM5+E0j/nj9qhgNh3br2krltR5Owl0eNwn+xR36C5aPNgHdwtkVRtHPnv+j+d3nGKbgEvrvCpT83PDEdb2clt2ajrxffrrE3pGu2HDB4T2ogidDXFsl6i8bMxo/1zDYUoGS587aH93USGZ+s5BmHOlRVAg3W+Xg5FqepggiwJzSfvguIQtpH65JDmcuEjiwFvTbB3+WqHhWSJ5NQ==,iv:5Try5OdOks3JKpQ6A1wAS4wfwBcoBnqJAJGJ0pmdjZw=,tag:3/n5Uxf+zBLed0KhT4YvMg==,type:comment]
 apiVersion: ENC[AES256_GCM,data:F6o=,iv:8McPTAtRKlG0wpF1DUXRrhkzNuoD97Vu4OFyI8Opy28=,tag:DgEjMs6yXKFEv6Uu8A8WDg==,type:str]
 kind: ENC[AES256_GCM,data:eVSn4ODQ,iv:iDOb7kRnWbW1CYKILAZwbtlhbAqwi/I+YXFbHsmz2KI=,tag:dcWY/PdP2eMRv1HxmfyHoQ==,type:str]
 metadata:
    name: ENC[AES256_GCM,data:NXxSRxqzrL1BsWku/g==,iv:xCfwy3bNxd0wDyVEyWa6bgdcxZDIws+fdHPqUCNzMAs=,tag:xoFYlZ63vs8qdIC1XjObFw==,type:str]
    namespace: ENC[AES256_GCM,data:O6kz8Q==,iv:ZMv7m+YLaIChgNTM4Riopt2VUNg5HwUwdLR6bRA1Nf0=,tag:undk4ODEabPJbQKoa1He7A==,type:str]
 type: ENC[AES256_GCM,data:YMUJyMI2,iv:o++4jFOch8C8g5iKCzot/AcHnERRO/Yqn/uHuCAIFEI=,tag:ReJgAAajctyGo7xYr2Yc8w==,type:str]
 stringData:
    GITEA_DB_PASS: ENC[AES256_GCM,data:NcCI1tJCZEGLzE/Gj39zUPUVUWG65kWz7+/vk24TxgM=,iv:oXMBDmaPOoZiw9B9PKjCyRdON0jJaA0l6MBLrpEtdmU=,tag:1HzvvmvSOgkcWcl+Uy+dOQ==,type:str]
 sops:
    age:
        - recipient: age12gv2cu66v80khwse5jgwcaukf3juvufkm2kw507gfnvecdpwt3hsjra7te
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNWFcrTlYrOW1Tb0xGUmVS
            Q3VPb3VPMS9hRWQ4aDQzRGtFTXp4SU90YWlrCng5NkN3TUFEUGIrWkRCK1NMeVND
            Z2RwV0JKVnRTMWUvWlpDRzhBQWtsNVkKLS0tIHZ2NkZaVTJSaE1vTjVVMXhzTmYz
            eGZTZ0VSUElFZVpqWlVISjNYdnA4UFUK/uOyj7CKU0XLHHdPNKByO2c56JWQfhk5
            oauimeYrkNE+06dhXgVcJiQH+HcB33tB9u3YS9LxFYs3R98zKAHG6g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-04-22T23:40:49Z"
    mac: ENC[AES256_GCM,data:WJrfgMP6ioP/GU65sv6tWIjYe//TgAwUDowG1mOqm5UlJ1LT31vs7vmmm+1tYO+jpjCoQlVM0S2e1z+CgrqSMye4+x3VhRTiQKW8DQAN7x8ILoDB+RVcmq8wlqMsubdUtBHray43YtGdeDj4f+Rr4FC84uf9Qgl4ywkiq5CKnc0=,iv:hkQ+QRw1VBbNzJEWx/pdbq7eZ5TrYie0xofzXWIgZDw=,tag:xcnSUQtiF407DHTG5NCALA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.2
--- a/tasks.TODO
+++ b/tasks.TODO
@ -1,6 +0,0 @@
 [] Backup zerobyte restic
 [] setup litestream vs litefs https://chatgpt.com/c/69e93964-aa84-83ea-83f1-2cbd0125b748
 []
 migrate sqllite to postgres
 add gitea
		`@ -1,2 +0,0 @@`
			`image: ghcr.io/headlamp-k8s/headlamp:latest`
			`internalDomain: dog`