From 8e9d6ed52630c86fd6d3794d4351004ab43e340d Mon Sep 17 00:00:00 2001
From: mafyuh <mafyuh@noreply.localhost>
Date: Tue, 18 Feb 2025 17:55:18 -0500
Subject: [PATCH 01/38] Update
 kubernetes/apps/production/arr/radarr/helmrelease.yaml

---
 kubernetes/apps/production/arr/radarr/helmrelease.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kubernetes/apps/production/arr/radarr/helmrelease.yaml b/kubernetes/apps/production/arr/radarr/helmrelease.yaml
index 8c6916e..5e2df45 100644
--- a/kubernetes/apps/production/arr/radarr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/radarr/helmrelease.yaml
@@ -64,7 +64,7 @@ spec:
               RADARR__PORT: &port 7878
               RADARR__APPLICATION_URL: "https://radarr.${LOCAL_DOMAIN}"
               RADARR__THEME: dark
-              RADARR__LOG_LEVEL: debug
+              RADARR__LOG_LEVEL: info
 
             probes:
               liveness:

From 652ad58fab27e9c4e9cc45f314161cbff29d7c5e Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 18:00:16 -0500
Subject: [PATCH 02/38] test change permissions

---
 kubernetes/apps/production/arr/radarr/helmrelease.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kubernetes/apps/production/arr/radarr/helmrelease.yaml b/kubernetes/apps/production/arr/radarr/helmrelease.yaml
index 5e2df45..c9a7340 100644
--- a/kubernetes/apps/production/arr/radarr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/radarr/helmrelease.yaml
@@ -46,6 +46,11 @@ spec:
                 - path: /config
         
         pod:
+          securityContext:
+            runAsUser: 1026
+            runAsGroup: &group 100
+            fsGroup: *group
+            fsGroupChangePolicy: "OnRootMismatch"
           dnsPolicy: None
           dnsConfig:
             nameservers:
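Review bot: The pod-level `securityContext` added here fixes the UID/GID but sets neither `runAsNonRoot: true` nor `seccompProfile: {type: RuntimeDefault}`. Without the first, a later edit that drops `runAsUser` silently falls back to the image's default user; without the second, the pod has no explicit seccomp profile. Adding both next to `fsGroupChangePolicy` makes the non-root intent enforceable at admission and start-up. The same block is added for the new prowlarr release in PATCH 07/38, and the `pod:` mapping continues past the end of this hunk.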

From 39620075747d63665ce290f5661bc586bc804fed Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 20:29:14 -0500
Subject: [PATCH 03/38] Update radarr

---
 kubernetes/apps/production/arr/radarr/helmrelease.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kubernetes/apps/production/arr/radarr/helmrelease.yaml b/kubernetes/apps/production/arr/radarr/helmrelease.yaml
index c9a7340..18931c2 100644
--- a/kubernetes/apps/production/arr/radarr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/radarr/helmrelease.yaml
@@ -47,8 +47,8 @@ spec:
         
         pod:
           securityContext:
-            runAsUser: 1026
-            runAsGroup: &group 100
+            runAsUser: 1000
+            runAsGroup: &group 1000
             fsGroup: *group
             fsGroupChangePolicy: "OnRootMismatch"
           dnsPolicy: None
@@ -77,8 +77,8 @@ spec:
 
             resources:
               requests:
-                cpu: 200m
-                memory: 300Mi
+                cpu: 50m
+                memory: 150Mi
               limits:
                 memory: 512Mi
 

From 0c3d035aa34e05e7c6c80eb85d02241d7d34bf39 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 20:45:45 -0500
Subject: [PATCH 04/38] update helmreleases

---
 kubernetes/apps/production/arr/radarr/helmrelease.yaml    | 6 ++++++
 kubernetes/apps/production/arr/recyclarr/helmrelease.yaml | 7 ++++++-
 kubernetes/apps/production/arr/sonarr/helmrelease.yaml    | 6 +++---
 kubernetes/secrets/recyclarr.yaml                         | 6 +++---
 4 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/kubernetes/apps/production/arr/radarr/helmrelease.yaml b/kubernetes/apps/production/arr/radarr/helmrelease.yaml
index 18931c2..c00d474 100644
--- a/kubernetes/apps/production/arr/radarr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/radarr/helmrelease.yaml
@@ -75,6 +75,12 @@ spec:
               liveness:
                 enabled: false
 
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                  - ALL
+
             resources:
               requests:
                 cpu: 50m
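Review bot: The new container `securityContext` drops all capabilities and blocks privilege escalation but leaves the root filesystem writable; `readOnlyRootFilesystem: true` would complete it. That assumes application state lives only on the `/config` claim, which is inferred from the mounts visible in this series. If Radarr also writes to `/tmp` or another path, that path would need an `emptyDir` mount. The prowlarr release added in PATCH 07/38 carries the same block.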
diff --git a/kubernetes/apps/production/arr/recyclarr/helmrelease.yaml b/kubernetes/apps/production/arr/recyclarr/helmrelease.yaml
index 20546cb..1056fb6 100644
--- a/kubernetes/apps/production/arr/recyclarr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/recyclarr/helmrelease.yaml
@@ -44,10 +44,15 @@ spec:
 
         pod:
           securityContext:
-            runAsUser: &context 65534
+            runAsUser: &context 1000
             runAsGroup: *context
             fsGroup: *context
             fsGroupChangePolicy: "OnRootMismatch"
+          dnsPolicy: None
+          dnsConfig:
+            nameservers:
+              - 1.1.1.1
+              - 8.8.8.8
 
         containers:
           app:
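Review bot: `dnsPolicy: None` with only `1.1.1.1` and `8.8.8.8` takes the pod off the cluster resolver, so names such as `radarr.arr.svc.cluster.local` will not resolve. Every lookup also goes to public resolvers, bypassing any local DNS filtering or query logging. If recyclarr reaches Radarr or Sonarr by service name, this change will break it. If the motive was search-domain expansion against `${LOCAL_DOMAIN}`, keeping the default policy and adding `dnsConfig.options` with `- name: ndots` / `value: "1"` is a narrower fix; that motive is a guess, so confirm it first. The same three lines are added to the prowlarr and sonarr releases in PATCH 07/38.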
diff --git a/kubernetes/apps/production/arr/sonarr/helmrelease.yaml b/kubernetes/apps/production/arr/sonarr/helmrelease.yaml
index e328b27..bd01088 100644
--- a/kubernetes/apps/production/arr/sonarr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/sonarr/helmrelease.yaml
@@ -39,7 +39,7 @@ spec:
         statefulset:
           volumeClaimTemplates:
             - name: config
-              accessMode: ReadWriteMany
+              accessMode: ReadWriteOnce
               size: 3Gi
               storageClass: longhorn
               globalMounts:
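Review bot: Changing `accessMode` on an existing claim template will not apply in place, assuming the chart renders this list into the StatefulSet's `volumeClaimTemplates`. Kubernetes rejects updates to that field, and an already-bound PVC keeps its original access mode, so the Helm upgrade is likely to fail until the StatefulSet is deleted and recreated. The renames in PATCH 05/38 (`config` to `sonarr-config`) and in the sabnzbd hunk of PATCH 07/38 go further: they produce a new, empty PVC and leave the old one orphaned. The orphaned volume still holds the application database and API key, so plan a data migration and an explicit clean-up of the old claim.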
@@ -47,8 +47,8 @@ spec:
 
         pod:
           securityContext:
-            runAsUser: 65534
-            runAsGroup: &group 65534
+            runAsUser: 1000
+            runAsGroup: &group 1000
             fsGroup: *group
             fsGroupChangePolicy: "OnRootMismatch"
 
diff --git a/kubernetes/secrets/recyclarr.yaml b/kubernetes/secrets/recyclarr.yaml
index 2399efe..5cdcb60 100644
--- a/kubernetes/secrets/recyclarr.yaml
+++ b/kubernetes/secrets/recyclarr.yaml
@@ -5,7 +5,7 @@ metadata:
     namespace: arr
 type: Opaque
 stringData:
-    RADARR_API_KEY: ENC[AES256_GCM,data:7TG0ku1JbJ2u4SuoCOJTIYbaNipuw+4ZVIkvkdIvcGM=,iv:AABASIeiNPi76yxvVIHFqzOHgkdn5fg2r2NCnRS9Eqk=,tag:QV35b8Yo345rFnf29oYLMA==,type:str]
+    RADARR_API_KEY: ENC[AES256_GCM,data:eMGcEuKJxh0ZW9TFOSEeBSaJkLiT1A/rZpZYs2rq7vs=,iv:eYPVbiYKKBc8rYcd8yqIpT01g2SZuMHdpv5Dh/sWO5o=,tag:qyqR2YYcKY7FLa+97cvThg==,type:str]
     SONARR_API_KEY: ENC[AES256_GCM,data:0FfjBWrWHrQJWjki5nXZG+nuM35jEq4DMOi0wzKVU8M=,iv:dlgFto0t+ED33jQkZ0GVyUhcEZnqPHMspAYOQ2FN5g0=,tag:B2RDZ+qdofxCcQaxFQNPog==,type:str]
 sops:
     kms: []
@@ -22,8 +22,8 @@ sops:
             KzdOczVjakovQlE1TkF4VUJORk5IdWsKx12AioJfcpmzCAbI+RwrJW1607YYsQbf
             N8EKX70kyhdlwyCMDwr7B0+eFAWsJAjsR+2Z91peXCxlfeVXu28eFQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-18T05:24:59Z"
-    mac: ENC[AES256_GCM,data:Fr6LRYW21WjwyWlQLY3V3KqmM6JrQvfs4kVSgLr+a4RhlYp1qWFP7EbFvcdJbCCuvHi5f1xRDsW7s01nKth0Qw97h14aJVxsyEgD7R/OoI4sfJMQBEryV8JZWwzUqr2lnZ5dqow4kxdw/LTakVxDzDcSF4jOUFV1vRKcncB+zRA=,iv:DtoO7ewd43R3TnenfvDTMJfZi4GxupDQody/v3BzMT8=,tag:ahaN3mRHfB7IjtdhihkBGw==,type:str]
+    lastmodified: "2025-02-19T01:45:24Z"
+    mac: ENC[AES256_GCM,data:9GIRsHdrO8YxPii5Nbgt3VZi6JhGcu+B8St7msnD4eHNIVx0i5JcStGEVfTVHcnsw/T9omK0NT/00hvcX4thIQ944sVis8f8ivUN88+/Lj5J5rroZrrUJMf0QdOiVkOhqT1mpXbh8OeIX7NxzZYnnx066/KVYFT7sDlkrkzHnPY=,iv:B77rM+KWTxAbLWLLTycemdqzXc8HrxrXWwT2r0evunk=,tag:1YNjAXZwSYPLTUguDLDSfA==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.9.4

From 97bce71d51c93d546f71b3f29787356195acbe06 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 21:07:45 -0500
Subject: [PATCH 05/38] update sonarr helmrelease

---
 kubernetes/apps/production/arr/sonarr/helmrelease.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kubernetes/apps/production/arr/sonarr/helmrelease.yaml b/kubernetes/apps/production/arr/sonarr/helmrelease.yaml
index bd01088..90d1c7e 100644
--- a/kubernetes/apps/production/arr/sonarr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/sonarr/helmrelease.yaml
@@ -38,7 +38,7 @@ spec:
 
         statefulset:
           volumeClaimTemplates:
-            - name: config
+            - name: sonarr-config
               accessMode: ReadWriteOnce
               size: 3Gi
               storageClass: longhorn

From 928e59767edf7b21c939cbec86bcbc73910fd0ef Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 21:10:09 -0500
Subject: [PATCH 06/38] update sonarr api key

---
 kubernetes/secrets/recyclarr.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kubernetes/secrets/recyclarr.yaml b/kubernetes/secrets/recyclarr.yaml
index 5cdcb60..f7d0f2d 100644
--- a/kubernetes/secrets/recyclarr.yaml
+++ b/kubernetes/secrets/recyclarr.yaml
@@ -6,7 +6,7 @@ metadata:
 type: Opaque
 stringData:
     RADARR_API_KEY: ENC[AES256_GCM,data:eMGcEuKJxh0ZW9TFOSEeBSaJkLiT1A/rZpZYs2rq7vs=,iv:eYPVbiYKKBc8rYcd8yqIpT01g2SZuMHdpv5Dh/sWO5o=,tag:qyqR2YYcKY7FLa+97cvThg==,type:str]
-    SONARR_API_KEY: ENC[AES256_GCM,data:0FfjBWrWHrQJWjki5nXZG+nuM35jEq4DMOi0wzKVU8M=,iv:dlgFto0t+ED33jQkZ0GVyUhcEZnqPHMspAYOQ2FN5g0=,tag:B2RDZ+qdofxCcQaxFQNPog==,type:str]
+    SONARR_API_KEY: ENC[AES256_GCM,data:PjU7Qse/GzarQa3PPp8BB6G2AWz4ib3Y6Dqq6YV8QLI=,iv:QkGlkG9yOi4w9ZEc0Pkice8MZXqKFctnKMAxkdJ8FTY=,tag:/P2U2tgAMZIZ8IeqG9l9jA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -22,8 +22,8 @@ sops:
             KzdOczVjakovQlE1TkF4VUJORk5IdWsKx12AioJfcpmzCAbI+RwrJW1607YYsQbf
             N8EKX70kyhdlwyCMDwr7B0+eFAWsJAjsR+2Z91peXCxlfeVXu28eFQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-19T01:45:24Z"
-    mac: ENC[AES256_GCM,data:9GIRsHdrO8YxPii5Nbgt3VZi6JhGcu+B8St7msnD4eHNIVx0i5JcStGEVfTVHcnsw/T9omK0NT/00hvcX4thIQ944sVis8f8ivUN88+/Lj5J5rroZrrUJMf0QdOiVkOhqT1mpXbh8OeIX7NxzZYnnx066/KVYFT7sDlkrkzHnPY=,iv:B77rM+KWTxAbLWLLTycemdqzXc8HrxrXWwT2r0evunk=,tag:1YNjAXZwSYPLTUguDLDSfA==,type:str]
+    lastmodified: "2025-02-19T02:10:01Z"
+    mac: ENC[AES256_GCM,data:JRDy6M1idGEX9M5Xn0Tli+ojStM94H756vDWPJamde1Wl3F9r0YVzcgtnHBl6NO0RnSSjQhEuTkZnSp737uEBizStTddKwDQ3L2MNFHYQ9c56PVkdXaFFmhnV7YYoX6YjlvsBPfitm8skKo9OE0B1Zkv0Jkr3W4uOzwF8tz1Opo=,iv:Plj+bp028byD38RrBqo8JC0z7f3cfdw3pforCt9MW80=,tag:OG2cLmaw//nVWLR3xSg3DQ==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.9.4

From 32f645f51feec052b50460edc7040cd5d4597912 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 22:19:44 -0500
Subject: [PATCH 07/38] update qbitty, sonarr,sab

---
 .../production/arr/prowlarr/deployment.yaml   |  53 -------
 .../production/arr/prowlarr/helmrelease.yaml  | 123 +++++++++++++++
 .../apps/production/arr/prowlarr/ingress.yaml |  22 ---
 .../arr/prowlarr/kustomization.yaml           |   4 +-
 .../apps/production/arr/prowlarr/service.yaml |  13 --
 .../production/arr/qbitty/deployment.yaml     |  99 ------------
 .../production/arr/qbitty/helmrelease.yaml    | 143 ++++++++++++++++++
 .../apps/production/arr/qbitty/ingress.yaml   |  22 ---
 .../production/arr/qbitty/kustomization.yaml  |   4 +-
 .../apps/production/arr/qbitty/service.yaml   |  13 --
 .../production/arr/sabnzbd/helmrelease.yaml   |  27 +++-
 .../production/arr/sonarr/helmrelease.yaml    |   5 +
 12 files changed, 293 insertions(+), 235 deletions(-)
 delete mode 100644 kubernetes/apps/production/arr/prowlarr/deployment.yaml
 create mode 100644 kubernetes/apps/production/arr/prowlarr/helmrelease.yaml
 delete mode 100644 kubernetes/apps/production/arr/prowlarr/ingress.yaml
 delete mode 100644 kubernetes/apps/production/arr/prowlarr/service.yaml
 delete mode 100644 kubernetes/apps/production/arr/qbitty/deployment.yaml
 create mode 100644 kubernetes/apps/production/arr/qbitty/helmrelease.yaml
 delete mode 100644 kubernetes/apps/production/arr/qbitty/ingress.yaml
 delete mode 100644 kubernetes/apps/production/arr/qbitty/service.yaml

diff --git a/kubernetes/apps/production/arr/prowlarr/deployment.yaml b/kubernetes/apps/production/arr/prowlarr/deployment.yaml
deleted file mode 100644
index 14c5a16..0000000
--- a/kubernetes/apps/production/arr/prowlarr/deployment.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-    name: prowlarr
-    namespace: arr
-    labels:
-        app: prowlarr
-spec:
-    replicas: 1
-    selector:
-        matchLabels:
-            app: prowlarr
-    template:
-        metadata:
-            labels:
-                app: prowlarr
-        spec:
-            securityContext:
-                runAsUser: 65534
-                runAsGroup: 65534
-                fsGroup: 65534
-                fsGroupChangePolicy: OnRootMismatch
-            containers:
-                - name: prowlarr
-                  image: ghcr.io/onedr0p/prowlarr:rolling@sha256:7234ae8ca5b14153baddf42257cc2ddc928695ce604d11a9616b635eca0e43e7
-                  imagePullPolicy: IfNotPresent
-                  resources:
-                    requests:
-                        memory: 512Mi
-                        cpu: 150m
-                    limits:
-                        memory: 2Gi
-                        cpu: 500m
-                  volumeMounts:
-                    - mountPath: /config
-                      name: prowlarr-config
-            volumes:
-                - name: prowlarr-config
-                  persistentVolumeClaim:
-                    claimName: prowlarr-config
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: prowlarr-config
-  namespace: arr
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-  storageClassName: longhorn
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/prowlarr/helmrelease.yaml b/kubernetes/apps/production/arr/prowlarr/helmrelease.yaml
new file mode 100644
index 0000000..651d332
--- /dev/null
+++ b/kubernetes/apps/production/arr/prowlarr/helmrelease.yaml
@@ -0,0 +1,123 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app prowlarr
+  namespace: arr
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.7.1
+      interval: 30m
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+
+  values:
+    global:
+      fullnameOverride: *app
+      namespace: arr
+
+    controllers:
+      prowlarr:
+        enabled: true
+        type: statefulset
+        annotations:
+          reloader.stakater.com/auto: "true"
+
+        replicas: 1
+
+        statefulset:
+          volumeClaimTemplates:
+            - name: prowlarr-config
+              accessMode: ReadWriteOnce
+              size: 3Gi
+              storageClass: longhorn
+              globalMounts:
+                - path: /config
+        
+        pod:
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: &group 1000
+            fsGroup: *group
+            fsGroupChangePolicy: "OnRootMismatch"
+          dnsPolicy: None
+          dnsConfig:
+            nameservers:
+              - 1.1.1.1
+              - 8.8.8.8
+
+        containers:
+          app:
+            image:
+              repository: ghcr.io/onedr0p/prowlarr
+              tag: 1.30.2.4939
+              pullPolicy: IfNotPresent
+            env:
+              TZ: "${TZ}"
+              PROWLARR__INSTANCE_NAME: *app
+              PROWLARR__PORT: &port 7878
+              PROWLARR__APPLICATION_URL: "https://prowlarr.${LOCAL_DOMAIN}"
+              PROWLARR__THEME: dark
+              PROWLARR__LOG_LEVEL: info
+
+            probes:
+              liveness:
+                enabled: false
+
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                  - ALL
+
+            resources:
+              requests:
+                cpu: 50m
+                memory: 150Mi
+              limits:
+                memory: 512Mi
+
+    service:
+      app:
+        primary: true
+        controller: prowlarr
+        ports:
+          http:
+            port: *port
+
+    ingress:
+      internal:
+        enabled: true
+        className: nginx
+        hosts:
+          - host: "prowlarr.${LOCAL_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+                service:
+                  identifier: app
+                  port: http
+        tls:
+          - hosts:
+              - "prowlarr.${LOCAL_DOMAIN}"
+            secretName: local-mafyuh-dev-production-tls
+
+    persistence:
+      data:
+        enabled: true
+        type: nfs
+        server: "${NAS_IP}"
+        path: /mnt/thePool/thePoolShare
+        globalMounts:
+          - path: /data
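Review bot: The `image` block pins only the mutable tag `1.30.2.4939`, whereas the deleted deployment.yaml pinned `rolling@sha256:…`. If the chart accepts it, `tag: 1.30.2.4939@sha256:<digest-of-that-release>` keeps the workload bound to one verified image; the same applies to `tag: release-5.0.4` in PATCH 10/38. The `persistence.data` NFS mount of `/mnt/thePool/thePoolShare` is also new for Prowlarr, since the old Deployment mounted only `/config`; drop it unless Prowlarr actually needs the share. `PROWLARR__PORT: &port 7878` differs from the 9696 used by the removed Service and Ingress. It is consistent with the new service port but looks copied from Radarr, so confirm it is intended.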
diff --git a/kubernetes/apps/production/arr/prowlarr/ingress.yaml b/kubernetes/apps/production/arr/prowlarr/ingress.yaml
deleted file mode 100644
index b926573..0000000
--- a/kubernetes/apps/production/arr/prowlarr/ingress.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: prowlarr
-  namespace: arr
-spec:
-  ingressClassName: nginx
-  rules:
-    - host: "prowlarr.local.mafyuh.dev"
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: headless-prowlarr
-                port:
-                  number: 9696
-  tls:
-    - hosts:
-        - "prowlarr.local.mafyuh.dev"
-      secretName: local-mafyuh-dev-production-tls
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/prowlarr/kustomization.yaml b/kubernetes/apps/production/arr/prowlarr/kustomization.yaml
index 5f7a4f4..4377f60 100644
--- a/kubernetes/apps/production/arr/prowlarr/kustomization.yaml
+++ b/kubernetes/apps/production/arr/prowlarr/kustomization.yaml
@@ -1,6 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - deployment.yaml
-  - service.yaml
-  - ingress.yaml
\ No newline at end of file
+  - helmrelease.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/prowlarr/service.yaml b/kubernetes/apps/production/arr/prowlarr/service.yaml
deleted file mode 100644
index e005ac6..0000000
--- a/kubernetes/apps/production/arr/prowlarr/service.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: headless-prowlarr
-  namespace: arr
-spec:
-  selector:
-    app: prowlarr
-  ports:
-    - port: 9696
-      targetPort: 9696
-      protocol: TCP
-  type: ClusterIP
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/qbitty/deployment.yaml b/kubernetes/apps/production/arr/qbitty/deployment.yaml
deleted file mode 100644
index 1e39cbb..0000000
--- a/kubernetes/apps/production/arr/qbitty/deployment.yaml
+++ /dev/null
@@ -1,99 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: qbitty
-  namespace: arr
-  labels:
-    app: qbitty
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: qbitty
-  template:
-    metadata:
-      labels:
-        app: qbitty
-    spec:
-      containers:
-        - name: qbitty
-          image: ghcr.io/hotio/qbittorrent@sha256:43312cb59ec3054d99848481f0913336275b7afa18ef814d2091e0b87509fc23
-          imagePullPolicy: IfNotPresent
-          env:
-            - name: VPN_ENABLED
-              value: "true"
-            - name: VPN_CONF
-              value: "wg0"
-            - name: VPN_PROVIDER
-              value: "proton"
-            - name: VPN_KEEP_LOCAL_DNS
-              value: "false"
-            - name: VPN_AUTO_PORT_FORWARD
-              value: "true"
-            - name: VPN_LAN_NETWORK
-              valueFrom:
-                secretKeyRef:
-                  name: lan-network
-                  key: lan-network
-            - name: VPN_LAN_LEAK_ENABLED
-              value: "false"
-            - name: VPN_FIREWALL_TYPE
-              value: "auto"
-            - name: PRIVOXY_ENABLED
-              value: "false"
-            - name: WEBUI_PORT
-              value: "8080"
-            - name: VPN_HEALTHCHECK_ENABLED
-              value: "false"
-            - name: UNBOUND_ENABLED
-              value: "false"
-          resources:
-            requests:
-              memory: "256Mi"
-              cpu: "100m"
-            limits:
-              memory: "1Gi"
-              cpu: "5000m"
-          volumeMounts:
-            - mountPath: /config
-              name: qbitty-conf
-            - mountPath: /data
-              name: nas
-            - mountPath: /config/wireguard/
-              name: wireguard-config
-            - mountPath: /incomplete
-              name: qbitty-incomplete
-          securityContext:
-            capabilities:
-              add: ["NET_ADMIN"]
-          ports:
-            - containerPort: 8080
-              name: webui
-              protocol: TCP
-      volumes:
-        - name: nas
-          nfs:
-            path: /mnt/thePool/thePoolShare
-            server: 10.0.0.10
-        - name: qbitty-conf
-          persistentVolumeClaim:
-            claimName: qbitty-conf
-        - name: wireguard-config
-          secret:
-            secretName: qbitty-wireguard
-        - name: qbitty-incomplete
-          emptyDir:
-            sizeLimit: 100Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: qbitty-conf
-  namespace: arr
-spec:
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-  storageClassName: longhorn
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
new file mode 100644
index 0000000..d1a150d
--- /dev/null
+++ b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
@@ -0,0 +1,143 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app qbitty
+  namespace: arr
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.7.1
+      interval: 30m
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+
+  values:
+    global:
+      fullnameOverride: *app
+      namespace: arr
+
+    controllers:
+      qbitty:
+        enabled: true
+        type: statefulset
+        annotations:
+          reloader.stakater.com/auto: "true"
+
+        replicas: 1
+
+        statefulset:
+          volumeClaimTemplates:
+            - name: qbitty-config
+              accessMode: ReadWriteOnce
+              size: 500Mi
+              storageClass: longhorn
+              globalMounts:
+                - path: /config
+
+        pod:
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: &group 1000
+            fsGroup: *group
+            fsGroupChangePolicy: "OnRootMismatch"
+
+        containers:
+          app:
+            image:
+              repository: ghcr.io/hotio/qbittorrent
+              digest: "sha256:d97080a8a978d7705297dc44bcd6c599b3b47631fec8dcfc0cb7039279d05b02"
+              pullPolicy: IfNotPresent
+            env:
+              TZ: "${TZ}"
+              WEBUI_PORT: &port 8080
+              VPN_ENABLED: "true"
+              VPN_CONF: "wg0"
+              VPN_PROVIDER: "proton"
+              VPN_KEEP_LOCAL_DNS: "false"
+              VPN_AUTO_PORT_FORWARD: "true"
+              VPN_LAN_NETWORK:
+                valueFrom:
+                  secretKeyRef:
+                    name: lan-network
+                    key: lan-network
+              VPN_LAN_LEAK_ENABLED: "false"
+              VPN_FIREWALL_TYPE: "auto"
+              PRIVOXY_ENABLED: "false"
+              VPN_HEALTHCHECK_ENABLED: "false"
+              UNBOUND_ENABLED: "false"
+            
+            probes:
+              liveness:
+                enabled: false
+
+            securityContext:
+              capabilities:
+                add:
+                  - NET_ADMIN
+
+            resources:
+              requests:
+                cpu: 20m
+                memory: 200Mi
+              limits:
+                memory: 4000Mi
+
+    service:
+      app:
+        primary: true
+        controller: qbitty
+        ports:
+          http:
+            port: *port
+
+    ingress:
+      internal:
+        enabled: true
+        className: nginx
+        hosts:
+          - host: "qbitty.${LOCAL_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+                service:
+                  identifier: app
+                  port: http
+        tls:
+          - hosts:
+              - "qbitty.${LOCAL_DOMAIN}"
+            secretName: local-mafyuh-dev-production-tls
+
+    persistence:
+      data:
+        enabled: true
+        type: nfs
+        server: "${NAS_IP}"
+        path: /mnt/thePool/thePoolShare
+        globalMounts:
+          - path: /data
+
+      incomplete:
+        enabled: true
+        type: emptyDir
+        sizeLimit: 100Gi
+        globalMounts:
+          - path: /incomplete
+
+      wireguard-config:
+        enabled: true
+        type: secret
+        name: qbitty-wireguard
+        defaultMode: 0400
+        globalMounts:
+          - path: /config/wireguard/
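Review bot: The container `securityContext` adds `NET_ADMIN` on top of the runtime's default capability set and omits `allowPrivilegeEscalation: false`, unlike the prowlarr release in this same commit. Using `drop: [ALL]` together with `add: [NET_ADMIN]` would keep only what the WireGuard setup needs; test this, as the image may need further capabilities at start-up. Capabilities added this way are generally not effective for a process started as a non-root UID, so the pod-level `runAsUser: 1000` may stop the VPN from coming up; the deleted Deployment set no `runAsUser`. `defaultMode: 0400` is an unquoted octal literal whose value depends on the YAML parser, so the decimal `256` is the unambiguous way to give the secret files mode 0400.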
diff --git a/kubernetes/apps/production/arr/qbitty/ingress.yaml b/kubernetes/apps/production/arr/qbitty/ingress.yaml
deleted file mode 100644
index ffa8d06..0000000
--- a/kubernetes/apps/production/arr/qbitty/ingress.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: qbitty
-  namespace: arr
-spec:
-  ingressClassName: nginx
-  rules:
-    - host: "qbitty.local.mafyuh.dev"
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: qbitty
-                port:
-                  number: 8080
-  tls:
-    - hosts:
-        - "qbitty.local.mafyuh.dev"
-      secretName: local-mafyuh-dev-production-tls
diff --git a/kubernetes/apps/production/arr/qbitty/kustomization.yaml b/kubernetes/apps/production/arr/qbitty/kustomization.yaml
index 5f7a4f4..4377f60 100644
--- a/kubernetes/apps/production/arr/qbitty/kustomization.yaml
+++ b/kubernetes/apps/production/arr/qbitty/kustomization.yaml
@@ -1,6 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - deployment.yaml
-  - service.yaml
-  - ingress.yaml
\ No newline at end of file
+  - helmrelease.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/qbitty/service.yaml b/kubernetes/apps/production/arr/qbitty/service.yaml
deleted file mode 100644
index bfcd933..0000000
--- a/kubernetes/apps/production/arr/qbitty/service.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: qbitty
-  namespace: arr
-spec:
-  selector:
-    app: qbitty
-  ports:
-    - port: 8080
-      targetPort: 8080
-      protocol: TCP
-  type: ClusterIP
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/sabnzbd/helmrelease.yaml b/kubernetes/apps/production/arr/sabnzbd/helmrelease.yaml
index 087cf4e..c06838a 100644
--- a/kubernetes/apps/production/arr/sabnzbd/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/sabnzbd/helmrelease.yaml
@@ -38,8 +38,8 @@ spec:
 
         statefulset:
           volumeClaimTemplates:
-            - name: config
-              accessMode: ReadWriteMany
+            - name: sabnzbd-config
+              accessMode: ReadWriteOnce
               size: 500Mi
               storageClass: longhorn
               globalMounts:
@@ -47,8 +47,8 @@ spec:
 
         pod:
           securityContext:
-            runAsUser: 65534
-            runAsGroup: &group 65534
+            runAsUser: 1000
+            runAsGroup: &group 1000
             fsGroup: *group
             fsGroupChangePolicy: "OnRootMismatch"
 
@@ -61,6 +61,12 @@ spec:
             env:
               TZ: "${TZ}"
               SABNZBD__PORT: &port 8080
+              SABNZBD__HOST_WHITELIST_ENTRIES: >-
+                {{ .Release.Name }},
+                {{ .Release.Name }}.arr,
+                {{ .Release.Name }}.arr.svc,
+                {{ .Release.Name }}.arr.svc.cluster.local,
+                sab.${LOCAL_DOMAIN}
 
             probes:
               liveness:
@@ -92,7 +98,7 @@ spec:
         enabled: true
         className: nginx
         hosts:
-          - host: "sabnzbd.${LOCAL_DOMAIN}"
+          - host: "sab.${LOCAL_DOMAIN}"
             paths:
               - path: /
                 pathType: Prefix
@@ -101,7 +107,7 @@ spec:
                   port: http
         tls:
           - hosts:
-              - "sabnzbd.${LOCAL_DOMAIN}"
+              - "sab.${LOCAL_DOMAIN}"
             secretName: local-mafyuh-dev-production-tls
 
     persistence:
@@ -111,4 +117,11 @@ spec:
         server: "${NAS_IP}"
         path: /mnt/thePool/thePoolShare
         globalMounts:
-          - path: /data
\ No newline at end of file
+          - path: /data
+      
+      incomplete:
+        enabled: true
+        type: emptyDir
+        sizeLimit: 100Gi
+        globalMounts:
+          - path: /incomplete
\ No newline at end of file
diff --git a/kubernetes/apps/production/arr/sonarr/helmrelease.yaml b/kubernetes/apps/production/arr/sonarr/helmrelease.yaml
index 90d1c7e..714f5e0 100644
--- a/kubernetes/apps/production/arr/sonarr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/sonarr/helmrelease.yaml
@@ -51,6 +51,11 @@ spec:
             runAsGroup: &group 1000
             fsGroup: *group
             fsGroupChangePolicy: "OnRootMismatch"
+          dnsPolicy: None
+          dnsConfig:
+            nameservers:
+              - 1.1.1.1
+              - 8.8.8.8
 
         containers:
           app:

From bd5c0830df1d6eeebbfd8ac8697720663584d6c8 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 22:33:10 -0500
Subject: [PATCH 08/38] fix qbitty

---
 kubernetes/apps/production/arr/qbitty/helmrelease.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
index d1a150d..2db6c5d 100644
--- a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
@@ -55,8 +55,7 @@ spec:
         containers:
           app:
             image:
-              repository: ghcr.io/hotio/qbittorrent
-              digest: "sha256:d97080a8a978d7705297dc44bcd6c599b3b47631fec8dcfc0cb7039279d05b02"
+              repository: ghcr.io/hotio/qbittorrent@sha256:d97080a8a978d7705297dc44bcd6c599b3b47631fec8dcfc0cb7039279d05b02
               pullPolicy: IfNotPresent
             env:
               TZ: "${TZ}"

From 90c830e0e21619de04b66ef5f99a42052cb6dda3 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 22:36:47 -0500
Subject: [PATCH 09/38] fix qbitty

---
 kubernetes/apps/production/arr/qbitty/helmrelease.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
index 2db6c5d..430cc5b 100644
--- a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
@@ -54,9 +54,8 @@ spec:
 
         containers:
           app:
-            image:
-              repository: ghcr.io/hotio/qbittorrent@sha256:d97080a8a978d7705297dc44bcd6c599b3b47631fec8dcfc0cb7039279d05b02
-              pullPolicy: IfNotPresent
+            image: ghcr.io/hotio/qbittorrent@sha256:d97080a8a978d7705297dc44bcd6c599b3b47631fec8dcfc0cb7039279d05b02
+            pullPolicy: IfNotPresent
             env:
               TZ: "${TZ}"
               WEBUI_PORT: &port 8080

From d1d3a43903ccd574f330c5f7b39cd5e9cc9c20ba Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 22:39:23 -0500
Subject: [PATCH 10/38] fix qbitty

---
 kubernetes/apps/production/arr/qbitty/helmrelease.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
index 430cc5b..7260092 100644
--- a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
@@ -54,8 +54,10 @@ spec:
 
         containers:
           app:
-            image: ghcr.io/hotio/qbittorrent@sha256:d97080a8a978d7705297dc44bcd6c599b3b47631fec8dcfc0cb7039279d05b02
-            pullPolicy: IfNotPresent
+            image:
+              repository: ghcr.io/hotio/qbittorrent
+              tag: release-5.0.4
+              pullPolicy: IfNotPresent
             env:
               TZ: "${TZ}"
               WEBUI_PORT: &port 8080
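Review bot: The image is now referenced by the mutable tag `release-5.0.4` alone, where patches 08 and 09 pinned it by `sha256` digest; with `pullPolicy: IfNotPresent`, what runs depends on whatever the tag pointed to when each node first pulled it. If the chart renders `repository:tag` into one reference, as app-template releases commonly rely on, the pin can be kept with `tag: release-5.0.4@sha256:<digest of release-5.0.4>`. The digest in the removed line may not belong to that release, so verify it before reusing it. The `containers.app` block continues outside the hunk.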

From 109ea662694012412ddca78180547d2192893c82 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 22:45:04 -0500
Subject: [PATCH 11/38] remove security context from qbitty helm release

---
 kubernetes/apps/production/arr/qbitty/helmrelease.yaml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
index 7260092..f5b0450 100644
--- a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
@@ -45,13 +45,6 @@ spec:
               globalMounts:
                 - path: /config
 
-        pod:
-          securityContext:
-            runAsUser: 1000
-            runAsGroup: &group 1000
-            fsGroup: *group
-            fsGroupChangePolicy: "OnRootMismatch"
-
         containers:
           app:
             image:

From 7f7299c4438e9c66b62fde6137f320bc52dd8132 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 22:58:56 -0500
Subject: [PATCH 12/38] update qbitty helm release to specify subPath for
 wireguard configuration

---
 kubernetes/apps/production/arr/qbitty/helmrelease.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
index f5b0450..8215c8d 100644
--- a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
@@ -133,4 +133,5 @@ spec:
         name: qbitty-wireguard
         defaultMode: 0400
         globalMounts:
-          - path: /config/wireguard/
+          - path: /config/wireguard/wg0.conf
+            subPath: wg0.conf
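Review bot: Mounting the `qbitty-wireguard` secret through `subPath: wg0.conf` means the container keeps the file it received at start, because Kubernetes does not refresh subPath mounts when the Secret changes; a rotated WireGuard key is not picked up until the pod is restarted. If nothing else restarts the pod on secret changes (not visible in this hunk), record that beside the mount, e.g. `# subPath mounts are not refreshed on Secret change; restart the pod after rotating wg0.conf`. The `defaultMode: 0400` context line makes the file readable only by its owner, and patch 11 removed `runAsUser`/`fsGroup` from this release, so confirm the process that reads it runs as that owner.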

From 03a64791b7dadfc955d8ac07bd93a40e2e8ad97b Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 23:06:41 -0500
Subject: [PATCH 13/38] add NET_ADMIN capability to qbitty pod security context

---
 kubernetes/apps/production/arr/qbitty/helmrelease.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
index 8215c8d..37e90c4 100644
--- a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
@@ -45,6 +45,12 @@ spec:
               globalMounts:
                 - path: /config
 
+        pod:
+          securityContext:
+              capabilities:
+                add:
+                  - NET_ADMIN
+
         containers:
           app:
             image:
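Review bot: `capabilities` is not a field of the pod-level `securityContext`; Kubernetes only accepts it on a container's `securityContext`, so the `NET_ADMIN` added under `pod.securityContext` is likely rejected or dropped and the container never gains it. Put it under `containers.app` instead, as `securityContext: {capabilities: {add: [NET_ADMIN]}}`, which also keeps the grant scoped to the one container that manages the tunnel. The new block is indented four spaces under `securityContext:` where the rest of the file uses two. The `containers` block continues outside the hunk.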

From 82932972f2c7a8e8432999ce63b96b56f7114daf Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 23:08:05 -0500
Subject: [PATCH 14/38] revert

---
 kubernetes/apps/production/arr/qbitty/helmrelease.yaml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
index 37e90c4..8215c8d 100644
--- a/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/qbitty/helmrelease.yaml
@@ -45,12 +45,6 @@ spec:
               globalMounts:
                 - path: /config
 
-        pod:
-          securityContext:
-              capabilities:
-                add:
-                  - NET_ADMIN
-
         containers:
           app:
             image:

From 9a5433277bdca6415470d50cdab4246ab4a1c376 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 23:39:55 -0500
Subject: [PATCH 15/38] update prowlarr port

---
 kubernetes/apps/production/arr/prowlarr/helmrelease.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kubernetes/apps/production/arr/prowlarr/helmrelease.yaml b/kubernetes/apps/production/arr/prowlarr/helmrelease.yaml
index 651d332..8e56b09 100644
--- a/kubernetes/apps/production/arr/prowlarr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/prowlarr/helmrelease.yaml
@@ -66,7 +66,7 @@ spec:
             env:
               TZ: "${TZ}"
               PROWLARR__INSTANCE_NAME: *app
-              PROWLARR__PORT: &port 7878
+              PROWLARR__PORT: &port 9696
               PROWLARR__APPLICATION_URL: "https://prowlarr.${LOCAL_DOMAIN}"
               PROWLARR__THEME: dark
               PROWLARR__LOG_LEVEL: info

From 3937d118140a78ed644a72f7b4d6a4a126a9b59e Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Tue, 18 Feb 2025 23:58:54 -0500
Subject: [PATCH 16/38] test cluster first dns

---
 kubernetes/apps/production/arr/radarr/helmrelease.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/kubernetes/apps/production/arr/radarr/helmrelease.yaml b/kubernetes/apps/production/arr/radarr/helmrelease.yaml
index c00d474..cb08d13 100644
--- a/kubernetes/apps/production/arr/radarr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/radarr/helmrelease.yaml
@@ -51,11 +51,7 @@ spec:
             runAsGroup: &group 1000
             fsGroup: *group
             fsGroupChangePolicy: "OnRootMismatch"
-          dnsPolicy: None
-          dnsConfig:
-            nameservers:
-              - 1.1.1.1
-              - 8.8.8.8
+          dnsPolicy: ClusterFirst
 
         containers:
           app:

From cb7163c123f313dae9d4a8b2f32f3a6754aaf908 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Wed, 19 Feb 2025 00:03:43 -0500
Subject: [PATCH 17/38] add CoreDNS to DNS config test

---
 kubernetes/apps/production/arr/radarr/helmrelease.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/kubernetes/apps/production/arr/radarr/helmrelease.yaml b/kubernetes/apps/production/arr/radarr/helmrelease.yaml
index cb08d13..ebe8d77 100644
--- a/kubernetes/apps/production/arr/radarr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/radarr/helmrelease.yaml
@@ -51,7 +51,12 @@ spec:
             runAsGroup: &group 1000
             fsGroup: *group
             fsGroupChangePolicy: "OnRootMismatch"
-          dnsPolicy: ClusterFirst
+          dnsPolicy: None
+          dnsConfig:
+            nameservers:
+              - 10.43.0.10
+              - 1.1.1.1
+              - 8.8.8.8
 
         containers:
           app:
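Review bot: `dnsPolicy: None` with only `nameservers` gives the pod a resolv.conf without the cluster search domains, so short service names such as `sonarr.arr` will not resolve even though `10.43.0.10` is listed. Because the resolver moves to the next server on timeout, lookups for internal names can also be sent to `1.1.1.1`/`8.8.8.8` whenever cluster DNS is slow. `dnsPolicy: ClusterFirst` from patch 16 already forwards external names through cluster DNS; if a public fallback is really needed, keep `ClusterFirst` and list the extra resolvers under `dnsConfig.nameservers`, which are merged with the policy's servers rather than replacing them. The hard-coded `10.43.0.10` also ties the manifest to this cluster's service CIDR. The same block is added in patch 18 (prowlarr, sonarr), patch 20 (flaresolverr), patch 21 (jellyseerr) and patch 33 (sabnzbd).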

From 1755ac4e1bd29f6171f65b8d32406dd9d1d52422 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Wed, 19 Feb 2025 00:05:56 -0500
Subject: [PATCH 18/38] add custom DNS nameserver to prowlarr and sonarr
 configurations

---
 kubernetes/apps/production/arr/prowlarr/helmrelease.yaml | 1 +
 kubernetes/apps/production/arr/sonarr/helmrelease.yaml   | 1 +
 2 files changed, 2 insertions(+)

diff --git a/kubernetes/apps/production/arr/prowlarr/helmrelease.yaml b/kubernetes/apps/production/arr/prowlarr/helmrelease.yaml
index 8e56b09..eb19f33 100644
--- a/kubernetes/apps/production/arr/prowlarr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/prowlarr/helmrelease.yaml
@@ -54,6 +54,7 @@ spec:
           dnsPolicy: None
           dnsConfig:
             nameservers:
+              - 10.43.0.10
               - 1.1.1.1
               - 8.8.8.8
 
diff --git a/kubernetes/apps/production/arr/sonarr/helmrelease.yaml b/kubernetes/apps/production/arr/sonarr/helmrelease.yaml
index 714f5e0..ff6dd0b 100644
--- a/kubernetes/apps/production/arr/sonarr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/sonarr/helmrelease.yaml
@@ -54,6 +54,7 @@ spec:
           dnsPolicy: None
           dnsConfig:
             nameservers:
+              - 10.43.0.10
               - 1.1.1.1
               - 8.8.8.8
 

From 6d1188ddfe1db58e4831c5491afc7c524bbca026 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Wed, 19 Feb 2025 00:48:31 -0500
Subject: [PATCH 19/38] fix renovate

---
 .github/renovate.json | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/renovate.json b/.github/renovate.json
index aa75251..1109a5c 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -37,6 +37,14 @@
       "registryUrls": [
         "https://emberstack.github.io/helm-charts"
       ]
+    },
+    {
+      "matchPackageNames": [
+        "app-template"
+      ],
+      "registryUrls": [
+        "https://bjw-s.github.io/helm-charts"
+      ]
     }
   ],
   "kubernetes": {

From bbfb108c9e2e981631086d77e2ee4f4508a44f3b Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Wed, 19 Feb 2025 12:37:56 -0500
Subject: [PATCH 20/38] update flaresolverr

---
 .../apps/production/arr/flaresolverr/deployment.yaml      | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/kubernetes/apps/production/arr/flaresolverr/deployment.yaml b/kubernetes/apps/production/arr/flaresolverr/deployment.yaml
index 4306049..94ada73 100644
--- a/kubernetes/apps/production/arr/flaresolverr/deployment.yaml
+++ b/kubernetes/apps/production/arr/flaresolverr/deployment.yaml
@@ -30,4 +30,10 @@ spec:
               cpu: "100m"
             limits:
               memory: "300Mi"
-              cpu: "200m"
\ No newline at end of file
+              cpu: "200m"
+      dnsPolicy: None
+      dnsConfig:
+        nameservers:
+          - 10.43.0.10
+          - 1.1.1.1
+          - 8.8.8.8
\ No newline at end of file

From e4510912aa6fefce3408984a83ca50cc2bebf684 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Wed, 19 Feb 2025 12:46:59 -0500
Subject: [PATCH 21/38] test add jellyseerr

---
 .../arr/jellyseerr/helmrelease.yaml           | 111 ++++++++++++++++++
 .../arr/jellyseerr/kustomization.yaml         |   4 +
 2 files changed, 115 insertions(+)
 create mode 100644 kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml
 create mode 100644 kubernetes/apps/production/arr/jellyseerr/kustomization.yaml

diff --git a/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml b/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml
new file mode 100644
index 0000000..59ef4ce
--- /dev/null
+++ b/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml
@@ -0,0 +1,111 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app jellyseerr
+  namespace: arr
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.7.1
+      interval: 30m
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+
+  values:
+    global:
+      fullnameOverride: *app
+      namespace: arr
+
+    controllers:
+      jellyseerr:
+        enabled: true
+        type: statefulset
+        annotations:
+          reloader.stakater.com/auto: "true"
+
+        replicas: 1
+
+        statefulset:
+          volumeClaimTemplates:
+            - name: jellyseerr-config
+              accessMode: ReadWriteOnce
+              size: 3Gi
+              storageClass: longhorn
+              globalMounts:
+                - path: /config
+        
+        pod:
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: &group 1000
+            fsGroup: *group
+            fsGroupChangePolicy: "OnRootMismatch"
+          dnsPolicy: None
+          dnsConfig:
+            nameservers:
+              - 10.43.0.10
+              - 1.1.1.1
+              - 8.8.8.8
+
+        containers:
+          app:
+            image:
+              repository: fallenbagel/jellyseerr
+              tag: 2.3.0
+              pullPolicy: IfNotPresent
+            env:
+              TZ: "${TZ}"
+              LOG_LEVEL: info
+
+            probes:
+              liveness:
+                enabled: false
+
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                  - ALL
+
+            resources:
+              requests:
+                cpu: 50m
+                memory: 150Mi
+              limits:
+                memory: 512Mi
+
+    service:
+      app:
+        primary: true
+        controller: jellyseerr
+        ports:
+          http:
+            port: 5055
+
+    ingress:
+      internal:
+        enabled: true
+        className: nginx
+        hosts:
+          - host: "request.${LOCAL_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+                service:
+                  identifier: app
+                  port: http
+        tls:
+          - hosts:
+              - "request.${LOCAL_DOMAIN}"
+            secretName: local-mafyuh-dev-production-tls
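Review bot: The pod `securityContext` pins `runAsUser: 1000` but omits `runAsNonRoot: true` and a `seccompProfile`, so nothing enforces non-root if the UID is later changed, and the container gets the runtime's default seccomp filter only if the cluster applies one. Add `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` next to `fsGroupChangePolicy`. `fallenbagel/jellyseerr` is pulled by the tag `2.3.0` alone, while the compose files later in this series pin images by digest; `tag: 2.3.0@sha256:<digest>` would match them. With `probes.liveness.enabled: false` a hung process is never restarted, so a comment saying why the probe is off would help.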
diff --git a/kubernetes/apps/production/arr/jellyseerr/kustomization.yaml b/kubernetes/apps/production/arr/jellyseerr/kustomization.yaml
new file mode 100644
index 0000000..4377f60
--- /dev/null
+++ b/kubernetes/apps/production/arr/jellyseerr/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helmrelease.yaml
\ No newline at end of file

From ee9ad86e8c29671d68db54d5aeccb76b2b7af4d6 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Wed, 19 Feb 2025 16:01:08 -0500
Subject: [PATCH 22/38] add jellyseerr to kustomization

---
 kubernetes/apps/production/arr/kustomization.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kubernetes/apps/production/arr/kustomization.yaml b/kubernetes/apps/production/arr/kustomization.yaml
index cba6849..412aaaf 100644
--- a/kubernetes/apps/production/arr/kustomization.yaml
+++ b/kubernetes/apps/production/arr/kustomization.yaml
@@ -4,6 +4,7 @@ resources:
   - bazarr/
   - flaresolverr/
   - prowlarr/
+  - jellyseerr/
   - qbitty/
   - radarr/
   - recyclarr/

From 88993847807e674ebb3738977e45499bf51bd756 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Wed, 19 Feb 2025 16:04:32 -0500
Subject: [PATCH 23/38] update jellyseerr path

---
 kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml b/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml
index 59ef4ce..e5f03a3 100644
--- a/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml
@@ -40,10 +40,10 @@ spec:
           volumeClaimTemplates:
             - name: jellyseerr-config
               accessMode: ReadWriteOnce
-              size: 3Gi
+              size: 2Gi
               storageClass: longhorn
               globalMounts:
-                - path: /config
+                - path: /app/config
         
         pod:
           securityContext:
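Review bot: Lowering `size` from `3Gi` to `2Gi` inside `volumeClaimTemplates` cannot be applied in place if the StatefulSet from patch 21 already exists, because a StatefulSet's volumeClaimTemplates are immutable and a PersistentVolumeClaim cannot shrink. The Helm upgrade is then likely to fail and exhaust `upgrade.remediation.retries` until the StatefulSet and its PVC are deleted by hand. If that recreation is intended, say so in a comment above the template, e.g. `# size change requires deleting the StatefulSet and PVC jellyseerr-config-*`. The `pod` block continues outside the hunk.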

From 0bac0c01006d440e605c220ac13d01736dd2df95 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Wed, 19 Feb 2025 21:46:43 -0500
Subject: [PATCH 24/38] update jellyseerr + pub domain

---
 .../production/arr/jellyseerr/helmrelease.yaml | 12 ++++++------
 .../cert-manager/certificates/public.yaml      | 18 ++++++++++++++++++
 .../cert-manager/issuers/letsencrypt.yaml      |  1 +
 3 files changed, 25 insertions(+), 6 deletions(-)
 create mode 100644 kubernetes/apps/production/cert-manager/certificates/public.yaml

diff --git a/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml b/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml
index e5f03a3..c1ced8d 100644
--- a/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml
@@ -80,10 +80,10 @@ spec:
 
             resources:
               requests:
-                cpu: 50m
-                memory: 150Mi
+                cpu: 20m
+                memory: 50Mi
               limits:
-                memory: 512Mi
+                memory: 128Mi
 
     service:
       app:
@@ -98,7 +98,7 @@ spec:
         enabled: true
         className: nginx
         hosts:
-          - host: "request.${LOCAL_DOMAIN}"
+          - host: "request.${PUBLIC_DOMAIN}"
             paths:
               - path: /
                 pathType: Prefix
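Review bot: The ingress entry is still keyed `internal` but now serves `request.${PUBLIC_DOMAIN}`, so the name no longer reflects how exposed Jellyseerr is. If this host is reachable from outside the LAN, the hunk puts no authentication or rate-limiting annotations in front of the app's own login; whether that is intended is not visible here. Rename the key (e.g. `public:`) or add a comment such as `# public host: reachable outside the LAN, protected only by the Jellyseerr login`. The `tls` hunk that follows switches the same host to the wildcard secret `mafyuh-dev-production-tls`.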
@@ -107,5 +107,5 @@ spec:
                   port: http
         tls:
           - hosts:
-              - "request.${LOCAL_DOMAIN}"
-            secretName: local-mafyuh-dev-production-tls
+              - "request.${PUBLIC_DOMAIN}"
+            secretName: mafyuh-dev-production-tls
diff --git a/kubernetes/apps/production/cert-manager/certificates/public.yaml b/kubernetes/apps/production/cert-manager/certificates/public.yaml
new file mode 100644
index 0000000..255c5d1
--- /dev/null
+++ b/kubernetes/apps/production/cert-manager/certificates/public.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mafyuh-dev
+  namespace: cert-manager
+spec:
+  secretName: mafyuh-dev-production-tls
+  secretTemplate:
+    annotations:
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "*.mafyuh.dev"
+  dnsNames:
+  - "*.mafyuh.dev"
\ No newline at end of file
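Review bot: `reflection-allowed: "true"` and `reflection-auto-enabled: "true"` are set without a namespace filter, so Reflector copies the private key for `*.mafyuh.dev` into every namespace, and any workload or account that can read Secrets in any one namespace can then present a valid certificate for any host under the public domain. Restrict it with `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "arr"` and `reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "arr"`, listing only namespaces whose ingresses use this secret; `arr` is the only one visible in this series. The `dnsNames` item is written flush with its key, so check it against the sequence indentation used elsewhere in the repository.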
diff --git a/kubernetes/apps/production/cert-manager/issuers/letsencrypt.yaml b/kubernetes/apps/production/cert-manager/issuers/letsencrypt.yaml
index 3ea59d9..8bc66e6 100644
--- a/kubernetes/apps/production/cert-manager/issuers/letsencrypt.yaml
+++ b/kubernetes/apps/production/cert-manager/issuers/letsencrypt.yaml
@@ -18,3 +18,4 @@ spec:
               selector:
                 dnsZones:
                     - local.mafyuh.dev
+                    - mafyuh.dev

From b7913d1aa8c836fc3214081d5fb57bce9425b83c Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Wed, 19 Feb 2025 22:00:28 -0500
Subject: [PATCH 25/38] add more resources jellyseerr

---
 kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml | 4 ++--
 kubernetes/apps/production/cert-manager/kustomization.yaml | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml b/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml
index c1ced8d..42d955d 100644
--- a/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml
@@ -81,9 +81,9 @@ spec:
             resources:
               requests:
                 cpu: 20m
-                memory: 50Mi
-              limits:
                 memory: 128Mi
+              limits:
+                memory: 256Mi
 
     service:
       app:
diff --git a/kubernetes/apps/production/cert-manager/kustomization.yaml b/kubernetes/apps/production/cert-manager/kustomization.yaml
index f404a37..ebc67f8 100644
--- a/kubernetes/apps/production/cert-manager/kustomization.yaml
+++ b/kubernetes/apps/production/cert-manager/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - certificates/local.yaml
+  - certificates/public.yaml
   - helmrelease.yaml
   - helmrepo.yaml
   - issuers/letsencrypt.yaml

From 652e54c82e5b9e80828904ed515cfbbf44ef3043 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Thu, 20 Feb 2025 15:10:47 -0500
Subject: [PATCH 26/38] update authentik config

---
 kubernetes/apps/production/authentik/configmap.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kubernetes/apps/production/authentik/configmap.yaml b/kubernetes/apps/production/authentik/configmap.yaml
index 818c334..96c66ec 100644
--- a/kubernetes/apps/production/authentik/configmap.yaml
+++ b/kubernetes/apps/production/authentik/configmap.yaml
@@ -4,7 +4,7 @@ metadata:
     name: authentik-values
     namespace: authentik
 data:
-    values.yaml: ENC[AES256_GCM,data:vdNxG8ySftHb/nSx7OyGs87Nk3nmy7WYJ4xJt5AHce/x1T6zShgbTrqB7uU7I/lG3C83bjQXuNSANdRdEWyEoTDPunWZ9gBftaM+6N4z30ndo/095RGlguG+0Llhz9Y1fLEEIVCtom9Pv9IdadL7dDayb3lvyQHsYYcLE93/eJXcaZo0ENYNtNq0nliRTx6Vt0HfKhCu0MzPbkoOS3nx0wBzJ6IRNqBHZShcbsRHT7Ud7Ohb2jRw9jwplqktkTrd6t/Q/Nq66wwuvKSokxkwb/JYCmvsEHrfl72YCSeP9cbXyiuYLvr8l+ganyas/XpaTkrjS3TWqfzQJA4XWARkSFZE80rfrmPCrIDbSt1UkdHkaM+S1MV8nRTbx3q9vbErT/GiyGgOFMUNSAPdRTtEh2roSz8fgrlsd56ZyLCYcbv2olQTvo9Gggr25taCONX3b2AbVkYpAThVTQe5eCl+SlxeDPDhSjx9aFI8J2SZnZ2wsbGo95Pmf8mmulcant7NuK5JnQMh+z9dzTimhJXkpBusMPk59KU7pMNbhqzQfOJ3HRR+srnFOzRHrcUrAiojAMasDoU+lBJZznqe9dQv5+/Qexci/oWLd39bTvxVTY0btd0bKrLlQYNRULKZktvm4Qg6p8kktJNkEuTHUaNBotHKuIBfqmJdhUd2clso4PHz93jJXUTWWeGbtmTUkZuelzYTs/MRFIXeOvJUJAJa1QyTz6GK5So5VNsRxdUq+12oEmUd8RDtt7Ft0vzgEkDp4eND/AuX8Ex3llvz74K4cY59ldgWJSVpLrYJGzIQZKjdX6DHvavsqKCM7AvYrrybNF1ct43yC/janL/ELV1nOTQSAVLn9osQ8k5sbuZ1wOE76PjSZPsrubHbc85T5ejVORCtjRK/xmRVK3WjNZhD1Cnk1b6aTydEx60sHPEr7Mhx3Z5+t4Szf15x+QqhJnY4hshbj62kXsYcdRg35LhwEPNABXkfv+1ekjJ2tmzobi7foxfIB7oyI2GOtHYA37jGsR03zPdwjRIv5XNwao6RpOtGvcXHEUH9gBctGWYw6RNHQ7trKr2i4Du3gj8/qH9Eg/E3NBPU4NLjJNMq3Y1WFoPGxu9yzM8KZjlE4ZIPPSS8Bp93oN1YXgesrmXv1kFnvcD19sOh6cCsBmknP8RFTkWOKYiEea6DYwg8A+kc/YNSrikVzUqQTZEew89dziW7+9L7GlLsGuXycYxW4IZHxMaKlzfXc9AzAb4BuANsYHaML4Ymy/Vtha3qdB/Nss9VQjXe00YUvifMmIWMS9ea1kb6qTIzBzYoNTTt+9tXUNwAleAWN2rQJo9ifpzfQuptHZ2C9IKgNQQmRGF2zAkpoTDtqx/IUKvxuTHGh8W3g2ZNHc4j2mhGx7QG8bYtJ6FrzrVEslK6u1StuU1WzIhzir8A1CmkuLTRSihymKmM0fAF9VJ0bydxPbn0QTsMrgsGwz6JtPAeOW2Umh3IpcvkbeyRy0X3eZaj,iv:EWpc+nAIXNqVpPn2DC3EL/bfEzM6PTtRXdLtYF5OqgY=,tag:a50CftQxTxy6mOLAxi//Ow==,type:str]
+    values.yaml: ENC[AES256_GCM,data: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,iv:elMg5iqrneY19BRXWa9jLDdMEmmyb9IKOWvqUCtCcfA=,tag:6TTmFE/FV/6P9CR2bjPf7w==,type:str]
 sops:
     kms: []
     gcp_kms: []
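Review bot: The SOPS-encrypted `values.yaml` sits under `data:` of what the file name and `authentik-values` suggest is a ConfigMap, so once Flux decrypts it the Helm values are stored in the cluster as plain ConfigMap data. If they contain the items hinted at by `encrypted_regex` (`secret_key`, `password`), they become readable by anything with ConfigMap read access in `authentik` and fall outside Secret-specific controls such as at-rest encryption. A HelmRelease's `valuesFrom` accepts `kind: Secret`, so the same payload can move to a Secret carrying `stringData.values.yaml`. The same applies to the re-encryptions in patches 30 and 31.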
@@ -20,8 +20,8 @@ sops:
             RndrQ2JxZnMxZlBIM3RHS0E1WTlZQzQK7oTkv/PG3poAdYnqXnzX3j5ZUgMa3GFB
             aQtceF96jKRltwPrnUgZZ5EadTaLyGAD30fqvUJ9/oP6NLe7kmsTWg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-17T01:33:23Z"
-    mac: ENC[AES256_GCM,data:cz25q40TD7XWnJWIu9FgS55LsfORvfFRpNgp0Zju66i6IBF3NakUjfo48rD/Nu9ebEC8iIpo8P3Y2YT6w0wPDWGDLkww0iLzFIr8IMWzCS1wrIyaq/BZmzh26jd4r2qY1knqQAqlVdOJ9grPqjBxKxed/o3Lu++Irp7n7dOY0rA=,iv:HUCgrKlLC1u/3/oeQLM3alBRWc0hf3YhhsuMYowKYCU=,tag:pUWKkQ2sy0sPPWAcK0yqnQ==,type:str]
+    lastmodified: "2025-02-20T20:10:37Z"
+    mac: ENC[AES256_GCM,data:Te7uFFsySPTItK6WL4yD6cNEoAsFN1znTwdhHVr75Ss9uT913RMGcmLD5gLF3RwrqOChaAAFcF7gha3v74f+s3OZezS/YMqFUI2pokaIQk21qkfG/psyveBZP+wNhku7hvxQb0nYexnPRGN9XZ0sKqC6uXZX1BFR2lFWgnNBoSQ=,iv:jpwAtAXf2eqNsg9TWtPUNhQDaDhou4oKWzLH15kG9S0=,tag:oX2Puz/V4WclrWH+Rq4PLQ==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData|secret_key|password|hosts)$
     version: 3.9.4

From 2f95a0926adb835dfc66ba296d79cb0cef6b6c63 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@mafyuh.dev>
Date: Sun, 16 Feb 2025 06:01:45 +0000
Subject: [PATCH 27/38] :arrow_up: Update ollama/ollama Docker tag to v0.5.11

---
 docker/AI/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/AI/docker-compose.yml b/docker/AI/docker-compose.yml
index 541ad3f..ea6963f 100644
--- a/docker/AI/docker-compose.yml
+++ b/docker/AI/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
   ollama:
-    image: ollama/ollama:0.5.10
+    image: ollama/ollama:0.5.11
     container_name: ollama
     restart: unless-stopped
     networks:

From 472c77ac69e1c41e7232d0ff0db8cad7dbdbb400 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@mafyuh.dev>
Date: Thu, 20 Feb 2025 17:01:51 +0000
Subject: [PATCH 28/38] :arrow_up: Update searxng/searxng Docker digest to
 0da476f

---
 docker/AI/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/AI/docker-compose.yml b/docker/AI/docker-compose.yml
index ea6963f..ad9dd5e 100644
--- a/docker/AI/docker-compose.yml
+++ b/docker/AI/docker-compose.yml
@@ -39,7 +39,7 @@ services:
       - host.docker.internal:host-gateway
 
   searxng:
-    image: searxng/searxng@sha256:e22d8617effc484649d01fa80614b4859e134c6b77a5d2a2cff9236789aa1749
+    image: searxng/searxng@sha256:0da476ff64bf801e3b36fd3c79c50f30f7041ab78b27cbc8c189c4c6f8c696d6
     container_name: searxng
     networks:
       - ai-stack

From 085e6899358c799d12b66f08885c6e9934cd9e24 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@mafyuh.dev>
Date: Mon, 17 Feb 2025 00:01:43 +0000
Subject: [PATCH 29/38] :arrow_up: Update ghcr.io/linuxserver/jellyfin Docker
 digest to 075bc77

---
 docker/jellyfin/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/jellyfin/docker-compose.yml b/docker/jellyfin/docker-compose.yml
index c614b74..eb5b585 100644
--- a/docker/jellyfin/docker-compose.yml
+++ b/docker/jellyfin/docker-compose.yml
@@ -1,7 +1,7 @@
 ---
 services:
   jellyfin:
-    image: ghcr.io/linuxserver/jellyfin@sha256:7cdcd4b6b60765290af7a2740960ce30c1f5548313ae60f7e23f6995ed4d147e
+    image: ghcr.io/linuxserver/jellyfin@sha256:075bc77361e6466f5cd546c9d97646428cc1f26d4b355991e8f66d0ffbc7c15a
     container_name: jellyfin
     devices:
       - /dev/dri/renderD129:/dev/dri/renderD129

From ff8f47ae942e16b85601697a111f716e0e89e5ae Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Thu, 20 Feb 2025 15:21:25 -0500
Subject: [PATCH 30/38] update authentik host

---
 kubernetes/apps/production/authentik/configmap.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kubernetes/apps/production/authentik/configmap.yaml b/kubernetes/apps/production/authentik/configmap.yaml
index 96c66ec..09ceafc 100644
--- a/kubernetes/apps/production/authentik/configmap.yaml
+++ b/kubernetes/apps/production/authentik/configmap.yaml
@@ -4,7 +4,7 @@ metadata:
     name: authentik-values
     namespace: authentik
 data:
-    values.yaml: ENC[AES256_GCM,data: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,iv:elMg5iqrneY19BRXWa9jLDdMEmmyb9IKOWvqUCtCcfA=,tag:6TTmFE/FV/6P9CR2bjPf7w==,type:str]
+    values.yaml: ENC[AES256_GCM,data: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,iv:TvHjkTBRGwLgNvOab2JuPKYmqo9AlwhSdO5jlhLHcsk=,tag:touv1uEvupZkL6XyPJkmBw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -20,8 +20,8 @@ sops:
             RndrQ2JxZnMxZlBIM3RHS0E1WTlZQzQK7oTkv/PG3poAdYnqXnzX3j5ZUgMa3GFB
             aQtceF96jKRltwPrnUgZZ5EadTaLyGAD30fqvUJ9/oP6NLe7kmsTWg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-20T20:10:37Z"
-    mac: ENC[AES256_GCM,data:Te7uFFsySPTItK6WL4yD6cNEoAsFN1znTwdhHVr75Ss9uT913RMGcmLD5gLF3RwrqOChaAAFcF7gha3v74f+s3OZezS/YMqFUI2pokaIQk21qkfG/psyveBZP+wNhku7hvxQb0nYexnPRGN9XZ0sKqC6uXZX1BFR2lFWgnNBoSQ=,iv:jpwAtAXf2eqNsg9TWtPUNhQDaDhou4oKWzLH15kG9S0=,tag:oX2Puz/V4WclrWH+Rq4PLQ==,type:str]
+    lastmodified: "2025-02-20T20:21:08Z"
+    mac: ENC[AES256_GCM,data:pYr2dT7tv6slo0B2iumc+tT5Ub5ubXNhKTMFCxJdz5VhQgemO5CqFCpsDvmNBfJOLGvYOO47zBEUlOva2r6e6sr7oukieWPmvpSKOZBTZLRzaZsppgpoFEowxZxtsV68tZqxI2j1LAiL4tIwj89jt5jDxDjlFpVHdw75vyYGrCM=,iv:4sIabgOnSjiAvvdUprhKi+GDd+8MlbWUxcN+FbymxWI=,tag:s5FSM19lJT+ZXuNQImHRcg==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData|secret_key|password|hosts)$
     version: 3.9.4

From 271dd195e6aac7a9c620fba3758e30d63c12dd84 Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Thu, 20 Feb 2025 15:33:51 -0500
Subject: [PATCH 31/38] update authentik cm

---
 kubernetes/apps/production/authentik/configmap.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kubernetes/apps/production/authentik/configmap.yaml b/kubernetes/apps/production/authentik/configmap.yaml
index 09ceafc..70f092d 100644
--- a/kubernetes/apps/production/authentik/configmap.yaml
+++ b/kubernetes/apps/production/authentik/configmap.yaml
@@ -4,7 +4,7 @@ metadata:
     name: authentik-values
     namespace: authentik
 data:
-    values.yaml: ENC[AES256_GCM,data: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,iv:TvHjkTBRGwLgNvOab2JuPKYmqo9AlwhSdO5jlhLHcsk=,tag:touv1uEvupZkL6XyPJkmBw==,type:str]
+    values.yaml: ENC[AES256_GCM,data:n/ITNeK+JVQB5AI5MiDDcxu5RapIPTuDxqJLIHysopawa5gCHwgppnLKv9tW6Sg9B4Tqb3FT8e2zgoVVhQ3+lRvC6HRVhB9+Em+gB8zu7aeOnfd3l3Cj6oSQkjVLxjDCdHHGU/9KFm5YToJER0tzMBXS3M/apvN9+B/VKDI+D/1FDz2bG66QoK+oWd0pq/BShZ1nMhvZXxQ8TFkpQKORnF8qwYq+ArY2ucAsoWbbs4QzEYxqVVa6BmRrpoXlK9i8ak9zTTRn6iPgWf5dhBkvexCI///jZODTYWWiiDo7XQBjS8C4xA4rOK99cav1QhA5j6tPGEKhdNNk2z/ViolFfpzEj4KBdvRSmu/fFBCIka9aP6ZFWU7efIcP2qS3KrIibosQ1Wr4va+P9wzmDA+wSGxKsxeA1BkUhrs9t/+hc6fdsXT30+4sM70zZOJ0+nH9UwNDpJjBfOpc9soAItPzXzWTlX7JCei8CGnloAMrekc3ShQI2L2pHRNLsTDMXJq6Goc3Xk5OF4PC/jjVxSVisXki7qEVZoUKZeoM81i1MXfIOFcGUBfRnntVPK8dBw44KVlPaD4iamRwh3juhy4X/bKWpKs9o5mIB+eQIOiNH5Nxm9g0oI5Ck1A6h/KtJwiHYFc7SH+qhzSubym9x52l960ar18N5zt6oqWz6peFmYY7lGxqBh5muHobWTJ/4QF7Lr3KDZvK5C5ppnxb0/AENbH+t6bQ1ZavOhMs2ojELnL2sG/eXWDXQ8+5OlN0/uCOWHTZ7FtgBhfFXJ/SsU/nquk6aC4smv/boKP1JKJBihAs7yhJMbWBDTHUSNPUef39E7FzyMYqYYU5hxmEfytlt3ZD0Y62rF4zPJBmA2cZzqYAWK2qXhXvpdMcEvTbUEJ3ez6cgHQvEyXutZUiyoN+3YesK8VyXHzq5A6VX/AX7nl5G+P3Afwi/+a6SkkmJ6Q9dVAeEe7CsIrJheNNlweA5aT+GzUD2dNtsjb6/1yQGYejfu/3Ve/0qyHkykBJDwMTLbb3W13/BRzXPhrUIz+nglBlWB3zzVOIQ5Gdx2X9htcvIyiYTZ0epUFEGjZYUzd8/d4WazwjvUFACFpooDSQgMWd5ODTmSn/kvWd+IR6Zxr/cg0UiGnDDUmbhRy/uwSGvkmb/evodweBvij1bbilgGmuO0X9TWVtXQkw7Vii/SS69+Imy/iap07zJJBobfyTU7hZvgrc/BWHqW2oHPYu4tTuKgbOopjPX+vkylu+FYC4seqOXUNvCczF0l712+RWXQpFF/iKBDbviI0twTFF4Qmn,iv:Xsg10IX3Q+UjyoaMGrqbf1i9zsTOndZ3IvBatViwBV4=,tag:FPDrUpu5KM0S7TxLVNxIfA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -20,8 +20,8 @@ sops:
             RndrQ2JxZnMxZlBIM3RHS0E1WTlZQzQK7oTkv/PG3poAdYnqXnzX3j5ZUgMa3GFB
             aQtceF96jKRltwPrnUgZZ5EadTaLyGAD30fqvUJ9/oP6NLe7kmsTWg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-20T20:21:08Z"
-    mac: ENC[AES256_GCM,data:pYr2dT7tv6slo0B2iumc+tT5Ub5ubXNhKTMFCxJdz5VhQgemO5CqFCpsDvmNBfJOLGvYOO47zBEUlOva2r6e6sr7oukieWPmvpSKOZBTZLRzaZsppgpoFEowxZxtsV68tZqxI2j1LAiL4tIwj89jt5jDxDjlFpVHdw75vyYGrCM=,iv:4sIabgOnSjiAvvdUprhKi+GDd+8MlbWUxcN+FbymxWI=,tag:s5FSM19lJT+ZXuNQImHRcg==,type:str]
+    lastmodified: "2025-02-20T20:33:40Z"
+    mac: ENC[AES256_GCM,data:rL+ugPPHcRzpHA70mmn7BLdhO0PG63EMqaHq7eJfBguIcdREGrQCpGQbbw6YN2GGCuE8NWB6sLHaUVn09LMywNfcUT4Hw1kInXRxzZ+L4M4UdqjUCCQj69UGGPnXoyM5GopCIA60/JVTtsQ9EPmJHJJI8LYQrQEtT6O+5FnlaMo=,iv:Jnst3uaJArcxM29hqrVPHKSSAW7Ac84xG6LJP2lz0+g=,tag:J/OAZq4dHXOOiE243Xo0LA==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData|secret_key|password|hosts)$
     version: 3.9.4

From 8ae927e1f5cb3b83b8ed6178f95d119045d2af11 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@mafyuh.dev>
Date: Wed, 19 Feb 2025 04:01:38 +0000
Subject: [PATCH 32/38] :arrow_up: Update ghcr.io/linuxserver/kasm Docker
 digest to 64da6db

---
 docker/kasm/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/kasm/docker-compose.yml b/docker/kasm/docker-compose.yml
index e092299..72133dc 100644
--- a/docker/kasm/docker-compose.yml
+++ b/docker/kasm/docker-compose.yml
@@ -1,7 +1,7 @@
 ---
 services:
   kasm:
-    image: ghcr.io/linuxserver/kasm@sha256:5ff0ef8bd7f279cb6806aae9caabe5457eaadd89fb0f02e63ce26dcdac747d10
+    image: ghcr.io/linuxserver/kasm@sha256:64da6db15ab574d67f9fbdcc812796f00f259be543e6dc2e60ad4f5d6c05d005
     container_name: kasm
     privileged: true
     environment:

From 5dff719ba73dca764e52a05ac1f57d451c739689 Mon Sep 17 00:00:00 2001
From: mafyuh <mafyuh@noreply.localhost>
Date: Fri, 21 Feb 2025 18:14:57 -0500
Subject: [PATCH 33/38] Update
 kubernetes/apps/production/arr/sabnzbd/helmrelease.yaml

---
 kubernetes/apps/production/arr/sabnzbd/helmrelease.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kubernetes/apps/production/arr/sabnzbd/helmrelease.yaml b/kubernetes/apps/production/arr/sabnzbd/helmrelease.yaml
index c06838a..45fd884 100644
--- a/kubernetes/apps/production/arr/sabnzbd/helmrelease.yaml
+++ b/kubernetes/apps/production/arr/sabnzbd/helmrelease.yaml
@@ -51,6 +51,12 @@ spec:
             runAsGroup: &group 1000
             fsGroup: *group
             fsGroupChangePolicy: "OnRootMismatch"
+          dnsPolicy: None
+          dnsConfig:
+            nameservers:
+              - 10.43.0.10
+              - 1.1.1.1
+              - 8.8.8.8
 
         containers:
           app:
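Review bot: The added `nameservers` list under `dnsConfig` places the public resolvers `1.1.1.1` and `8.8.8.8` beside the cluster resolver `10.43.0.10`, so lookups for in-cluster names can be sent to third parties. Which server answers depends on the image's resolver library, since some query every listed server rather than failing over in order. With `dnsPolicy: None` the pod receives only what `dnsConfig` provides, and this hunk sets no `searches` or `options`, so short service names will presumably not resolve unless written as FQDNs. I would keep only `- 10.43.0.10` in the list and let the cluster DNS forward external names, adding a `searches:` list if the app relies on short names. The `pod:` mapping begins outside this hunk, so any DNS settings made elsewhere in it are not visible here.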

From a273335c9709e6c24e3027584ce3ea4b3dd0ee50 Mon Sep 17 00:00:00 2001
From: mafyuh <mafyuh@noreply.localhost>
Date: Sat, 22 Feb 2025 02:46:27 -0500
Subject: [PATCH 34/38] Update README.md

---
 README.md | 43 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index cf53a17..8a24de3 100644
--- a/README.md
+++ b/README.md
@@ -9,19 +9,56 @@
 
 # iac (wip)
 
-Currently migrating [Auto-Homelab](https://git.mafyuh.dev/mafyuh/Auto-Homelab), [Iac-Homelab](https://git.mafyuh.dev/mafyuh/IaC-Homelab), [ansible-playbooks](https://git.mafyuh.dev/mafyuh/ansible-playbooks) and [kub](https://git.mafyuh.dev/mafyuh/kub) repos into this one.
+This is my homelab infrastructure, defined in code.
 
-This is my homelab, defined in code.
 </div>
 
+---
+
 <div align="center">
 
 | Hypervisor | OS | Tools | VPS (arm) | Firewall | Misc. Automations |
 |---|---|---|---|---|---|
-| [![Proxmox](https://img.shields.io/badge/-Proxmox-%23c9d1d9?logo=Proxmox)](https://www.proxmox.com) | [![Ubuntu](https://img.shields.io/badge/Ubuntu_22.04-%23c9d1d9?&logo=ubuntu&logoColor=red)](https://releases.ubuntu.com/jammy/) [![Ubuntu](https://img.shields.io/badge/Ubuntu_24-%23c9d1d9?&logo=ubuntu&logoColor=red)](https://releases.ubuntu.com/noble/) | [![Forgejo](https://img.shields.io/badge/-Forgejo-%23c9d1d9?logo=forgejo&logoColor=orange)](https://forgejo.org/) [![Docker](https://img.shields.io/badge/-Docker-%23c9d1d9?logo=docker)](https://www.docker.com/) [![Renovate](https://img.shields.io/badge/-Renovate-%23c9d1d9?logo=renovate&logoColor=blue)](https://github.com/renovatebot/renovate) [![OpenTofu](https://img.shields.io/badge/-OpenTofu-%23c9d1d9?logo=opentofu&logoColor=black)](https://opentofu.org/) [![Packer](https://img.shields.io/badge/-Packer-%23c9d1d9?logo=packer)](https://www.packer.io/) [![Ansible](https://img.shields.io/badge/-Ansible-%23c9d1d9?logo=ansible&logoColor=red)](https://www.ansible.com/) | [![Oracle](https://img.shields.io/badge/-Oracle_Cloud-%23c9d1d9?logo=oracle&logoColor=red)](https://www.oracle.com/cloud/) | [![pfSense](https://img.shields.io/badge/-pfSense-%23c9d1d9?logo=pfsense&logoColor=blue)](https://www.pfsense.org/) | [![n8n](https://img.shields.io/badge/-n8n-%23c9d1d9?logo=n8n)](https://n8n.io/)
+| [![Proxmox](https://img.shields.io/badge/-Proxmox-%23c9d1d9?logo=Proxmox)](https://www.proxmox.com) | [![Debian](https://img.shields.io/badge/Debian-%23c9d1d9?&logo=debian&logoColor=black)](https://www.debian.org/) [![Ubuntu](https://img.shields.io/badge/Ubuntu-%23c9d1d9?&logo=ubuntu&logoColor=red)](https://releases.ubuntu.com/noble/) | [![Forgejo](https://img.shields.io/badge/-Forgejo-%23c9d1d9?logo=forgejo&logoColor=orange)](https://forgejo.org/) [![Docker](https://img.shields.io/badge/-Docker-%23c9d1d9?logo=docker)](https://www.docker.com/) [![Kubernetes](https://img.shields.io/badge/-Kubernetes-%23c9d1d9?logo=kubernetes)](https://k3s.io/) [![Renovate](https://img.shields.io/badge/-Renovate-%23c9d1d9?logo=renovate&logoColor=blue)](https://github.com/renovatebot/renovate) [![OpenTofu](https://img.shields.io/badge/-OpenTofu-%23c9d1d9?logo=opentofu)](https://opentofu.org/) [![Packer](https://img.shields.io/badge/-Packer-%23c9d1d9?logo=packer)](https://www.packer.io/) [![Ansible](https://img.shields.io/badge/-Ansible-%23c9d1d9?logo=ansible&logoColor=red)](https://www.ansible.com/) | [![Oracle](https://img.shields.io/badge/-Oracle_Cloud-%23c9d1d9?logo=oracle&logoColor=red)](https://www.oracle.com/cloud/) | [![pfSense](https://img.shields.io/badge/-pfSense-%23c9d1d9?logo=pfsense&logoColor=blue)](https://www.pfsense.org/) | [![n8n](https://img.shields.io/badge/-n8n-%23c9d1d9?logo=n8n)](https://n8n.io/) [![Actions](https://img.shields.io/badge/-Actions-%23c9d1d9?logo=forgejo&logoColor=orange)](https://forgejo.org/docs/latest/user/actions/)
 
 </div>
 
+## 📖 Overview
+This repository contains the IaC ([Infrastructure as Code](https://en.wikipedia.org/wiki/Infrastructure_as_code)) configuration for my homelab.  
+
+Most of my homelab runs on **Proxmox**, with VMs managed and maintained using [OpenTofu](https://opentofu.org/). All VMs are cloned from templates I created with [Packer](https://www.packer.io/).  
+
+All services are **containerized**, either managed with **Docker Compose** or **orchestrated with Kubernetes ([K3s](https://k3s.io/))**. Over time, I’ve been migrating everything to Kubernetes using **[GitOps](https://en.wikipedia.org/wiki/DevOps) practices**, which is my long-term goal.  
+
+To automate infrastructure updates, I use **Forgejo Actions**, which trigger workflows upon changes to this repo. This ensures seamless deployment and maintenance across my homelab:  
+
+- **[Flux](https://fluxcd.io/)** manages Continuous Deployment (CD) for Kubernetes, bootstrapped via [OpenTofu](https://git.mafyuh.dev/mafyuh/iac/src/branch/main/terraform/flux/main.tf).
+- **[Docker CD Workflow](https://git.mafyuh.dev/mafyuh/iac/src/branch/main/.forgejo/workflows/CD.yml)** handles Continuous Deployment for Docker services.   
+- **[Renovate](https://github.com/renovatebot/renovate)** keeps services updated by opening PRs for new versions.  
+- **[Yamllint](https://github.com/adrienverge/yamllint)** ensures configuration files are properly structured.
+
+For Secret management I use [Bitwarden Secrets](https://bitwarden.com/products/secrets-manager/) and their various integrations into the tools used.
+> Kubernetes is using SOPS with Age encryption until migration over to Bitwarden Secrets.
+
+I use **Oracle Cloud** for their [Always-Free](https://www.oracle.com/cloud/free/) VM's and deploy Docker services that require uptime here (Uptime Kuma, this website). [Twingate](https://www.twingate.com/) is used to connect my home network to the various VPS's securely using [Zero Trust architecture](https://en.wikipedia.org/wiki/Zero_trust_architecture).
+
+I use **Cloudflare** for my DNS provider with **Cloudflare Tunnels** to expose some of the services to the world. **Cloudflare Access** is used to restrict the access to some of the services, this is paired with **Fail2Ban** looking through all my reverse proxy logs for malicious actors who made it through Access and banning them via **Cloudflare WAF**.
+
+## 🧑‍💻 Getting Started
+This repo is not structured like a project you can easily replicate. Although if you are new to any of the tools used I encourage you to read through the directories that make up each tool to see how I am using them.
+
+Over time I will try to add more detailed instructions in each directories README.
+
+
+## 🖥️ Hardware
+
+| Name        | Device         | CPU             | RAM          | Storage                                      | Purpose                          |
+|------------|--------------|----------------|-------------|--------------------------------|--------------------------------|
+| Arc-Ripper | Optiplex 3050 | Intel i5-6500  | 32 GB DDR4  | 1TB NVMe                      | Jellyfin Server, Blu-ray Ripper |
+| PVE Node 1 | Custom        | Intel i7-9700K | 64 GB DDR4  | NVMe for boot and VMs, 4x4TB HDD RaidZ10 | Main node with most VMs, NAS   |
+| PVE Node 2 | Custom        | Intel i7-8700K | 64 GB DDR4  | 1x2TB NVMe                    | More VMs                        |
+
+
 ## To-Do
 See [Project Board](https://git.mafyuh.dev/mafyuh/iac/projects/2)
 

From fd488b67ba0a90e87f8bba57630ba0a9000c915a Mon Sep 17 00:00:00 2001
From: mafyuh <mafyuh@noreply.localhost>
Date: Sat, 22 Feb 2025 03:02:36 -0500
Subject: [PATCH 35/38] Update README.md

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 8a24de3..c71a796 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,7 @@ To automate infrastructure updates, I use **Forgejo Actions**, which trigger wor
 - **[Docker CD Workflow](https://git.mafyuh.dev/mafyuh/iac/src/branch/main/.forgejo/workflows/CD.yml)** handles Continuous Deployment for Docker services.   
 - **[Renovate](https://github.com/renovatebot/renovate)** keeps services updated by opening PRs for new versions.  
 - **[Yamllint](https://github.com/adrienverge/yamllint)** ensures configuration files are properly structured.
+- **[Ansible](https://github.com/ansible/ansible)** is used to execute playbooks on all of my VMs, automating management and configurations
 
 For Secret management I use [Bitwarden Secrets](https://bitwarden.com/products/secrets-manager/) and their various integrations into the tools used.
 > Kubernetes is using SOPS with Age encryption until migration over to Bitwarden Secrets.

From 930b4708a2afcc2bf24f4ca768aacd87647839cb Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Sat, 22 Feb 2025 05:10:58 -0500
Subject: [PATCH 36/38] update README

---
 README.md | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index c71a796..7c69af7 100644
--- a/README.md
+++ b/README.md
@@ -17,9 +17,9 @@ This is my homelab infrastructure, defined in code.
 
 <div align="center">
 
-| Hypervisor | OS | Tools | VPS (arm) | Firewall | Misc. Automations |
-|---|---|---|---|---|---|
-| [![Proxmox](https://img.shields.io/badge/-Proxmox-%23c9d1d9?logo=Proxmox)](https://www.proxmox.com) | [![Debian](https://img.shields.io/badge/Debian-%23c9d1d9?&logo=debian&logoColor=black)](https://www.debian.org/) [![Ubuntu](https://img.shields.io/badge/Ubuntu-%23c9d1d9?&logo=ubuntu&logoColor=red)](https://releases.ubuntu.com/noble/) | [![Forgejo](https://img.shields.io/badge/-Forgejo-%23c9d1d9?logo=forgejo&logoColor=orange)](https://forgejo.org/) [![Docker](https://img.shields.io/badge/-Docker-%23c9d1d9?logo=docker)](https://www.docker.com/) [![Kubernetes](https://img.shields.io/badge/-Kubernetes-%23c9d1d9?logo=kubernetes)](https://k3s.io/) [![Renovate](https://img.shields.io/badge/-Renovate-%23c9d1d9?logo=renovate&logoColor=blue)](https://github.com/renovatebot/renovate) [![OpenTofu](https://img.shields.io/badge/-OpenTofu-%23c9d1d9?logo=opentofu)](https://opentofu.org/) [![Packer](https://img.shields.io/badge/-Packer-%23c9d1d9?logo=packer)](https://www.packer.io/) [![Ansible](https://img.shields.io/badge/-Ansible-%23c9d1d9?logo=ansible&logoColor=red)](https://www.ansible.com/) | [![Oracle](https://img.shields.io/badge/-Oracle_Cloud-%23c9d1d9?logo=oracle&logoColor=red)](https://www.oracle.com/cloud/) | [![pfSense](https://img.shields.io/badge/-pfSense-%23c9d1d9?logo=pfsense&logoColor=blue)](https://www.pfsense.org/) | [![n8n](https://img.shields.io/badge/-n8n-%23c9d1d9?logo=n8n)](https://n8n.io/) [![Actions](https://img.shields.io/badge/-Actions-%23c9d1d9?logo=forgejo&logoColor=orange)](https://forgejo.org/docs/latest/user/actions/)
+| Hypervisor | OS | Tools | Firewall | Misc. Automations |
+|---|---|---|---|---|
+| [![Proxmox](https://img.shields.io/badge/-Proxmox-%23c9d1d9?logo=Proxmox)](https://www.proxmox.com) | [![Debian](https://img.shields.io/badge/Debian-%23c9d1d9?&logo=debian&logoColor=black)](https://www.debian.org/) [![Ubuntu](https://img.shields.io/badge/Ubuntu-%23c9d1d9?&logo=ubuntu&logoColor=red)](https://releases.ubuntu.com/noble/) | [![Forgejo](https://img.shields.io/badge/-Forgejo-%23c9d1d9?logo=forgejo&logoColor=orange)](https://forgejo.org/) [![Docker](https://img.shields.io/badge/-Docker-%23c9d1d9?logo=docker)](https://www.docker.com/) [![Kubernetes](https://img.shields.io/badge/-Kubernetes-%23c9d1d9?logo=kubernetes)](https://k3s.io/) [![Renovate](https://img.shields.io/badge/-Renovate-%23c9d1d9?logo=renovate&logoColor=blue)](https://github.com/renovatebot/renovate) [![OpenTofu](https://img.shields.io/badge/-OpenTofu-%23c9d1d9?logo=opentofu)](https://opentofu.org/) [![Packer](https://img.shields.io/badge/-Packer-%23c9d1d9?logo=packer)](https://www.packer.io/) [![Ansible](https://img.shields.io/badge/-Ansible-%23c9d1d9?logo=ansible&logoColor=red)](https://www.ansible.com/) | [![pfSense](https://img.shields.io/badge/-pfSense-%23c9d1d9?logo=pfsense&logoColor=blue)](https://www.pfsense.org/) | [![n8n](https://img.shields.io/badge/-n8n-%23c9d1d9?logo=n8n)](https://n8n.io/) [![Actions](https://img.shields.io/badge/-Actions-%23c9d1d9?logo=forgejo&logoColor=orange)](https://forgejo.org/docs/latest/user/actions/)
 
 </div>
 
@@ -38,18 +38,29 @@ To automate infrastructure updates, I use **Forgejo Actions**, which trigger wor
 - **[Yamllint](https://github.com/adrienverge/yamllint)** ensures configuration files are properly structured.
 - **[Ansible](https://github.com/ansible/ansible)** is used to execute playbooks on all of my VMs, automating management and configurations
 
-For Secret management I use [Bitwarden Secrets](https://bitwarden.com/products/secrets-manager/) and their various integrations into the tools used.
+### Security & Networking
+For Secret management I use [Bitwarden Secrets](https://bitwarden.com/products/secrets-manager/) and their various [integrations](https://bitwarden.com/help/ansible-integration/) into the tools used.
 > Kubernetes is using SOPS with Age encryption until migration over to Bitwarden Secrets.
 
 I use **Oracle Cloud** for their [Always-Free](https://www.oracle.com/cloud/free/) VM's and deploy Docker services that require uptime here (Uptime Kuma, this website). [Twingate](https://www.twingate.com/) is used to connect my home network to the various VPS's securely using [Zero Trust architecture](https://en.wikipedia.org/wiki/Zero_trust_architecture).
 
 I use **Cloudflare** for my DNS provider with **Cloudflare Tunnels** to expose some of the services to the world. **Cloudflare Access** is used to restrict the access to some of the services, this is paired with **Fail2Ban** looking through all my reverse proxy logs for malicious actors who made it through Access and banning them via **Cloudflare WAF**.
 
+For my home network I use **PfSense** with VLAN segmentation and strict firewall rules to isolate public-facing machines, ensuring they can only communicate with the necessary services and nothing else.
+
 ## 🧑‍💻 Getting Started
 This repo is not structured like a project you can easily replicate. Although if you are new to any of the tools used I encourage you to read through the directories that make up each tool to see how I am using them.
 
 Over time I will try to add more detailed instructions in each directories README.
 
+Some good references for how I learned this stuff (other than RTM)
+- [Kubernetes Cluster Setup](https://technotim.live/posts/k3s-etcd-ansible/)
+- [Kubernetes + Flux](https://technotim.live/posts/flux-devops-gitops/)
+- [Kubernetes Secrets with SOPS](https://technotim.live/posts/secret-encryption-sops/)
+- [Packer with Proxmox](https://www.youtube.com/watch?v=1nf3WOEFq1Y)
+- [Terraform with Proxmox](https://www.youtube.com/watch?v=dvyeoDBUtsU)
+- [Docker](https://www.youtube.com/watch?v=eGz9DS-aIeY)
+- [Ansible](https://www.youtube.com/watch?v=goclfp6a2IQ)
 
 ## 🖥️ Hardware
 

From 571aa7d5c07b0ca1e5d8a8b4f4510606f774064e Mon Sep 17 00:00:00 2001
From: Matt Reeves <admin@mafyuh.io>
Date: Sat, 22 Feb 2025 06:57:18 -0500
Subject: [PATCH 37/38] update README

---
 README.md | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 7c69af7..749da0a 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ This is my homelab infrastructure, defined in code.
 
 </div>
 
-## 📖 Overview
+## 📖 **Overview**
 This repository contains the IaC ([Infrastructure as Code](https://en.wikipedia.org/wiki/Infrastructure_as_code)) configuration for my homelab.  
 
 Most of my homelab runs on **Proxmox**, with VMs managed and maintained using [OpenTofu](https://opentofu.org/). All VMs are cloned from templates I created with [Packer](https://www.packer.io/).  
@@ -38,17 +38,25 @@ To automate infrastructure updates, I use **Forgejo Actions**, which trigger wor
 - **[Yamllint](https://github.com/adrienverge/yamllint)** ensures configuration files are properly structured.
 - **[Ansible](https://github.com/ansible/ansible)** is used to execute playbooks on all of my VMs, automating management and configurations
 
-### Security & Networking
+### 🔒 **Security & Networking**
 For Secret management I use [Bitwarden Secrets](https://bitwarden.com/products/secrets-manager/) and their various [integrations](https://bitwarden.com/help/ansible-integration/) into the tools used.
 > Kubernetes is using SOPS with Age encryption until migration over to Bitwarden Secrets.
 
 I use **Oracle Cloud** for their [Always-Free](https://www.oracle.com/cloud/free/) VM's and deploy Docker services that require uptime here (Uptime Kuma, this website). [Twingate](https://www.twingate.com/) is used to connect my home network to the various VPS's securely using [Zero Trust architecture](https://en.wikipedia.org/wiki/Zero_trust_architecture).
 
-I use **Cloudflare** for my DNS provider with **Cloudflare Tunnels** to expose some of the services to the world. **Cloudflare Access** is used to restrict the access to some of the services, this is paired with **Fail2Ban** looking through all my reverse proxy logs for malicious actors who made it through Access and banning them via **Cloudflare WAF**.
+I use **Cloudflare** for my DNS provider with **Cloudflare Tunnels** to expose some of the services to the world. **Cloudflare Access** is used to restrict the access to some of the services, this is paired with **Fail2Ban** looking through all my reverse proxy logs for malicious actors who made it through **Access** and banning them via **Cloudflare WAF**.
 
 For my home network I use **PfSense** with VLAN segmentation and strict firewall rules to isolate public-facing machines, ensuring they can only communicate with the necessary services and nothing else.
 
-## 🧑‍💻 Getting Started
+### **📊 Monitoring & Observability**  
+I use a combination of **Grafana, Loki, and Prometheus** with various exporters to collect and visualize system metrics, logs, and alerts. This helps maintain visibility into my infrastructure and detect issues proactively.  
+
+- **Prometheus** – Metrics collection and alerting  
+- **Loki** – Centralized logging for containers and VMs  
+- **Grafana** – Dashboarding and visualization  
+- **Exporters** – Node Exporter, cAdvisor, Blackbox Exporter, etc.  
+
+## 🧑‍💻 **Getting Started**
 This repo is not structured like a project you can easily replicate. Although if you are new to any of the tools used I encourage you to read through the directories that make up each tool to see how I am using them.
 
 Over time I will try to add more detailed instructions in each directories README.
@@ -62,7 +70,7 @@ Some good references for how I learned this stuff (other than RTM)
 - [Docker](https://www.youtube.com/watch?v=eGz9DS-aIeY)
 - [Ansible](https://www.youtube.com/watch?v=goclfp6a2IQ)
 
-## 🖥️ Hardware
+## 🖥️ **Hardware**
 
 | Name        | Device         | CPU             | RAM          | Storage                                      | Purpose                          |
 |------------|--------------|----------------|-------------|--------------------------------|--------------------------------|
@@ -71,6 +79,6 @@ Some good references for how I learned this stuff (other than RTM)
 | PVE Node 2 | Custom        | Intel i7-8700K | 64 GB DDR4  | 1x2TB NVMe                    | More VMs                        |
 
 
-## To-Do
+## 📌 **To-Do**
 See [Project Board](https://git.mafyuh.dev/mafyuh/iac/projects/2)
 

From c08ae2e3348050b79d0b26590fc3280bbb9e80fb Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@mafyuh.dev>
Date: Sat, 22 Feb 2025 21:01:35 +0000
Subject: [PATCH 38/38] :arrow_up: Update ghcr.io/linuxserver/code-server
 Docker digest to 95a811f

---
 docker/arrs/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/arrs/docker-compose.yml b/docker/arrs/docker-compose.yml
index c56d639..8ff8173 100644
--- a/docker/arrs/docker-compose.yml
+++ b/docker/arrs/docker-compose.yml
@@ -148,7 +148,7 @@ services:
 
   ## Should move this to Ubu
   code-server:
-    image: ghcr.io/linuxserver/code-server@sha256:11f009e81643d28f4527e3aa23f64bcd672be5ec2046be46c84755c82b5ad471
+    image: ghcr.io/linuxserver/code-server@sha256:95a811ff3262083bbbc2b14fc03d4b65271140be904a8e0cabc2e320233474a7
     container_name: code-server
     environment:
       - PUID=1000