Merge pull request 'Update matrixdotorg/synapse Docker tag to v1.94.0' (#111 ) from renovate/matrixdotorg-synapse-1.x into master

Reviewed-on: #111
Update matrixdotorg/synapse Docker tag to v1.94.0
2023-10-10 12:09:26 +00:00 · 2023-10-10 12:03:05 +00:00 · 2023-10-10 09:19:07 +00:00 · 2023-10-10 09:02:22 +00:00 · 2023-10-09 07:55:47 +00:00 · 2023-10-06 18:01:29 +00:00
166 changed files with 10646 additions and 5762 deletions
--- a/manifests/_apps/auth-proxy.yaml
+++ b/manifests/_apps/auth-proxy.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: auth-proxy
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: auth-proxy
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/auth-proxy
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/base64.yaml
+++ b/manifests/_apps/base64.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: base64
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: base64
+    name: civo
+  source:
+    path: manifests/base64
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/blackhole.yaml
+++ b/manifests/_apps/blackhole.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: blackhole
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: kube-system
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/blackhole
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/blog.yaml
+++ b/manifests/_apps/blog.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: blog
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: blog
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/blog
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/cel-tester.yaml
+++ b/manifests/_apps/cel-tester.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cel-tester
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: cel-tester
+    name: civo
+  source:
+    path: manifests/cel-tester
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/certmanager_chart.yaml
+++ b/manifests/_apps/certmanager_chart.yaml
@@ -0,0 +1,74 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: cert-manager
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/certmanager_chart
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager-civo
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: cert-manager
+    name: civo
+  source:
+    path: manifests/certmanager-civo
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager-cert-manager
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: cert-manager
+    name: cluster-fun (scaleway)
+  source:
+    repoURL: 'https://charts.jetstack.io'
+    targetRevision: 1.11.0
+    chart: cert-manager
+    helm:
+      version: v3
+      values: |-
+        installCRDs: "true"
+        resources:
+          requests:
+            memory: 32Mi
+          limits:
+            memory: 64Mi
+  syncPolicy:
+    automated: {}
--- a/manifests/_apps/civo-versions.yaml
+++ b/manifests/_apps/civo-versions.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: civo-versions
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: civo-versions
+    name: civo
+  source:
+    path: manifests/civo-versions
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/cors-proxy.yaml
+++ b/manifests/_apps/cors-proxy.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cors-proxy
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: cors-proxy
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/cors-proxy
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/cv.yaml
+++ b/manifests/_apps/cv.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cv
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: cv
+    name: civo
+  source:
+    path: manifests/cv
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/dashboard.yaml
+++ b/manifests/_apps/dashboard.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dashboard
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: dashboard
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/dashboard
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/feed-fetcher.yaml
+++ b/manifests/_apps/feed-fetcher.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: feed-fetcher
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: feed-fetcher
+    name: civo
+  source:
+    path: manifests/feed-fetcher
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/focalboard.yaml
+++ b/manifests/_apps/focalboard.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: focalboard
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: focalboard
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/focalboard
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/git-sync.yaml
+++ b/manifests/_apps/git-sync.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: git-sync
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: git-sync
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/git-sync
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/gitea.yaml
+++ b/manifests/_apps/gitea.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitea
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: gitea
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/gitea
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/goplayground.yaml
+++ b/manifests/_apps/goplayground.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: goplayground
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: goplayground
+    name: civo
+  source:
+    path: manifests/goplayground
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/link.yaml
+++ b/manifests/_apps/link.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: link
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: link
+    name: civo
+  source:
+    path: manifests/link
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
--- a/manifests/_apps/marcusnoble.yaml
+++ b/manifests/_apps/marcusnoble.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: marcusnoble
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: marcusnoble
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/marcusnoble
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/mastodon-digest.yaml
+++ b/manifests/_apps/mastodon-digest.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mastodon-digest
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: mastodon-digest
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/mastodon-digest
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/mastodon-to-airtable.yaml
+++ b/manifests/_apps/mastodon-to-airtable.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mastodon-to-airtable
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: mastodon-to-airtable
+    name: civo
+  source:
+    path: manifests/mastodon-to-airtable
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/matrix_chart.yaml
+++ b/manifests/_apps/matrix_chart.yaml
@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: matrix
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: chat
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/matrix_chart
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated: {}
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+
+---
--- a/manifests/_apps/mealie.yaml
+++ b/manifests/_apps/mealie.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mealie
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: mealie
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/mealie
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/monitoring-civo.yaml
+++ b/manifests/_apps/monitoring-civo.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: monitoring-civo
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: monitoring
+    name: civo
+  source:
+    path: manifests/monitoring-civo
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/monitoring.yaml
+++ b/manifests/_apps/monitoring.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: monitoring
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: monitoring
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/monitoring
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/nextcloud_chart.yaml
+++ b/manifests/_apps/nextcloud_chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nextcloud
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: nextcloud
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/nextcloud_chart
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated: {}
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/nginx-lb.yaml
+++ b/manifests/_apps/nginx-lb.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nginx-lb
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: kube-system
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/nginx-lb
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/nodered.yaml
+++ b/manifests/_apps/nodered.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nodered
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: node-red
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/nodered
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/opengraph-image-gen.yaml
+++ b/manifests/_apps/opengraph-image-gen.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: opengraph
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: opengraph
+    name: civo
+  source:
+    path: manifests/opengraph
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/outline.yaml
+++ b/manifests/_apps/outline.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: outline
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: outline
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/outline
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/paradoxfox.yaml
+++ b/manifests/_apps/paradoxfox.yaml
@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: paradoxfox
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: paradoxfox
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/paradoxfox
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+    - /stringData
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/proxy-civo.yaml
+++ b/manifests/_apps/proxy-civo.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: proxy-civo
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: proxy-civo
+    name: civo
+  source:
+    path: manifests/proxy-civo
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/qr.yaml
+++ b/manifests/_apps/qr.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: qr
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: qr
+    name: civo
+  source:
+    path: manifests/qr
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/redis.yaml
+++ b/manifests/_apps/redis.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: redis
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: redis
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/redis
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/reloader.yaml
+++ b/manifests/_apps/reloader.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: reloader
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: kube-system
+    name: cluster-fun (scaleway)
+  source:
+    repoURL: 'https://stakater.github.io/stakater-charts'
+    targetRevision: v0.0.89
+    chart: reloader
+  syncPolicy:
+    automated: {}
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/rss.yaml
+++ b/manifests/_apps/rss.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: rss
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: rss
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/rss
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/skooner.yaml
+++ b/manifests/_apps/skooner.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: skooner
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: skooner
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/skooner
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/starling.yaml
+++ b/manifests/_apps/starling.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: starling
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: starling
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/starling
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/svg-to-dxf.yaml
+++ b/manifests/_apps/svg-to-dxf.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: svg-to-dxf
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: svg-to-dxf
+    name: civo
+  source:
+    path: manifests/svg-to-dxf
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/talks.yaml
+++ b/manifests/_apps/talks.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: talks
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: talks
+    name: civo
+  source:
+    path: manifests/talks
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/tank.yaml
+++ b/manifests/_apps/tank.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tank
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: tank
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/tank
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/text-to-dxf.yaml
+++ b/manifests/_apps/text-to-dxf.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: text-to-dxf
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: text-to-dxf
+    name: civo
+  source:
+    path: manifests/text-to-dxf
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/til.yaml
+++ b/manifests/_apps/til.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: til
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: til
+    name: civo
+  source:
+    path: manifests/til
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/traefik.yaml
+++ b/manifests/_apps/traefik.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik-civo
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: kube-system
+    name: civo
+  source:
+    path: manifests/traefik
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/tweetsvg.yaml
+++ b/manifests/_apps/tweetsvg.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tweetsvg
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: tweetsvg
+    name: civo
+  source:
+    path: manifests/tweetsvg
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/twitter-profile-pic.yaml
+++ b/manifests/_apps/twitter-profile-pic.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: twitter-profile-pic
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: twitter-profile-pic
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/twitter-profile-pic
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/twitter-to-airtable.yaml
+++ b/manifests/_apps/twitter-to-airtable.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: twitter-to-airtable
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: twitter-to-airtable
+    name: civo
+  source:
+    path: manifests/twitter-to-airtable
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/wallabag.yaml
+++ b/manifests/_apps/wallabag.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: wallabag
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: wallabag
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/wallabag
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated: {}
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/weave-net.yaml
+++ b/manifests/_apps/weave-net.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: weave-net
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: kube-system
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/weave-net
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
--- a/manifests/auth-proxy/auth-proxy.yaml
+++ b/manifests/auth-proxy/auth-proxy.yaml
@@ -0,0 +1,202 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: auth-proxy
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: auth-proxy
+  namespace: auth-proxy
+  annotations:
+    kube-1password: mr6spkkx7n3memkbute6ojaarm
+    kube-1password/vault: Kubernetes
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tailscale-auth
+  namespace: auth-proxy
+  annotations:
+    kube-1password: 2cqycmsgv5r7vcyvjpblcl2l4y
+    kube-1password/vault: Kubernetes
+type: Opaque
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tailscale-auth-proxy
+type: Opaque
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tailscale-auth-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tailscale-auth-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+subjects:
+- kind: ServiceAccount
+  name: "tailscale-auth-proxy"
+roleRef:
+  kind: Role
+  name: tailscale-auth-proxy
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tailscale-auth-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resourceNames: ["tailscale-auth-proxy"]
+  resources: ["secrets"]
+  verbs: ["get", "update"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: auth-proxy
+  namespace: auth-proxy
+  labels:
+    app: auth-proxy
+  annotations:
+    secret.reloader.stakater.com/reload: "tailscale-auth"
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: auth-proxy
+  template:
+    metadata:
+      labels:
+        app: auth-proxy
+    spec:
+      serviceAccountName: tailscale-auth-proxy
+      dnsPolicy: ClusterFirst
+      dnsConfig:
+        nameservers:
+          - 100.100.100.100
+      initContainers:
+      - name: sysctler
+        image: busybox
+        securityContext:
+          privileged: true
+        command: ["/bin/sh"]
+        args:
+          - -c
+          - |
+            sysctl -w net.ipv4.ip_forward=1
+            sysctl -w net.ipv6.conf.all.forwarding=1
+            sysctl -w net.ipv6.conf.all.disable_ipv6=0
+        resources:
+          requests:
+            cpu: 1m
+            memory: 1Mi
+      containers:
+      - name: oauth-proxy
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
+        args:
+        - --cookie-secure=false
+        - --provider=oidc
+        - --provider-display-name=Auth0
+        - --upstream=http://talos.averagemarcus.github.beta.tailscale.net
+        - --http-address=0.0.0.0:8080
+        - --email-domain=*
+        - --pass-basic-auth=false
+        - --pass-access-token=false
+        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
+        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
+        - --cookie-expire=336h0m0s
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: auth-proxy
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: auth-proxy
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+      - name: tailscale
+        image: ghcr.io/tailscale/tailscale:v1.50
+        imagePullPolicy: Always
+        env:
+        - name: TS_AUTH_KEY
+          valueFrom:
+            secretKeyRef:
+              name: tailscale-auth
+              key: password
+        - name: TS_KUBE_SECRET
+          value: tailscale-auth-proxy
+        - name: TS_ACCEPT_DNS
+          value: "true"
+        - name: TS_EXTRA_ARGS
+          value: "--hostname=auth-proxy-oauth2"
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        command:
+        - sh
+        - -c
+        - |
+          export PATH=$PATH:/tailscale/bin
+          if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
+          if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
+          echo "Starting tailscaled"
+          tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock &
+          PID=$!
+          echo "Running tailscale up"
+          tailscale --socket=/tmp/tailscaled.sock up \
+            --accept-dns=${TS_ACCEPT_DNS} \
+            --authkey=${TS_AUTH_KEY} \
+            ${TS_EXTRA_ARGS}
+          echo "Re-enabling incoming traffic from the cluster"
+          wait ${PID}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: auth-proxy
+  namespace: auth-proxy
+  labels:
+    app: auth-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: auth-proxy
+  type: ClusterIP
--- a/manifests/auth-proxy/ingress.yaml
+++ b/manifests/auth-proxy/ingress.yaml
@@ -0,0 +1,179 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: auth-proxy
+  namespace: auth-proxy
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - downloads.cluster.fun
+    - argo.cluster.fun
+    - code.cluster.fun
+    - jackett.cluster.fun
+    - printer.cluster.fun
+    - ender3pro.printer.cluster.fun
+    - flsunq5.printer.cluster.fun
+    - elegoomars2.printer.cluster.fun
+    - radarr.cluster.fun
+    - readarr.cluster.fun
+    - sonarr.cluster.fun
+    - lidarr.cluster.fun
+    - prowlarr.cluster.fun
+    - transmission.cluster.fun
+    - tekton.cluster.fun
+    secretName: auth-proxy-ingress
+  rules:
+  - host: downloads.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: argo.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: code.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: jackett.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: printer.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: ender3pro.printer.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: flsunq5.printer.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: elegoomars2.printer.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: radarr.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: readarr.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: sonarr.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: lidarr.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: prowlarr.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: transmission.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
+  - host: tekton.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              name: http
--- a/manifests/auth-proxy/internal-proxy.yaml
+++ b/manifests/auth-proxy/internal-proxy.yaml
@@ -0,0 +1,232 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: host-mappings
+  namespace: auth-proxy
+  labels:
+    app: proxy
+data:
+  mapping.json: |
+    {
+      "tekton-el.auth-proxy.svc": "tekton-el.cluster.local",
+      "home.auth-proxy.svc": "home.cluster.local",
+      "home.cluster.fun": "home.cluster.local",
+      "vmcluster.auth-proxy.svc": "vmcluster.cluster.local",
+      "loki.auth-proxy.svc": "loki-write.cluster.local",
+      "loki.auth-proxy.svc:80": "loki-write.cluster.local",
+      "loki-distributed.auth-proxy.svc": "loki-loki.cluster.local",
+      "loki-distributed.auth-proxy.svc:80": "loki-loki.cluster.local"
+    }
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tailscale-internal-proxy
+  namespace: auth-proxy
+type: Opaque
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tailscale-internal-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tailscale-internal-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+subjects:
+- kind: ServiceAccount
+  name: "tailscale-internal-proxy"
+roleRef:
+  kind: Role
+  name: tailscale-internal-proxy
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tailscale-internal-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resourceNames: ["tailscale-internal-proxy"]
+  resources: ["secrets"]
+  verbs: ["get", "update"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: internal-proxy
+  namespace: auth-proxy
+  labels:
+    app: internal-proxy
+  annotations:
+    configmap.reloader.stakater.com/reload: "host-mappings"
+    secret.reloader.stakater.com/reload: "tailscale-internal-proxy"
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: internal-proxy
+  template:
+    metadata:
+      labels:
+        app: internal-proxy
+    spec:
+      serviceAccountName: tailscale-internal-proxy
+      dnsPolicy: ClusterFirst
+      dnsConfig:
+        nameservers:
+          - 100.100.100.100
+      containers:
+      - name: proxy
+        image: rg.fr-par.scw.cloud/averagemarcus/proxy:latest
+        imagePullPolicy: Always
+        env:
+        - name: PROXY_DESTINATION
+          value: talos.averagemarcus.github.beta.tailscale.net
+        - name: PORT
+          value: "8080"
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        volumeMounts:
+        - name: host-mappings
+          mountPath: /config/
+      - name: tailscale
+        image: ghcr.io/tailscale/tailscale:v1.50
+        imagePullPolicy: Always
+        tty: true
+        env:
+        - name: TS_AUTH_KEY
+          valueFrom:
+            secretKeyRef:
+              name: tailscale-auth
+              key: password
+        - name: TS_KUBE_SECRET
+          value: tailscale-internal-proxy
+        - name: TS_ACCEPT_DNS
+          value: "true"
+        - name: TS_EXTRA_ARGS
+          value: "--hostname=auth-proxy-internal-proxy"
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        command:
+        - sh
+        - -c
+        - |
+          export PATH=$PATH:/tailscale/bin
+          if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
+          if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
+          echo "Starting tailscaled"
+          tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock &
+          PID=$!
+          echo "Running tailscale up"
+          tailscale --socket=/tmp/tailscaled.sock up \
+            --accept-dns=${TS_ACCEPT_DNS} \
+            --authkey=${TS_AUTH_KEY} \
+            ${TS_EXTRA_ARGS}
+          echo "Re-enabling incoming traffic from the cluster"
+          wait ${PID}
+      volumes:
+      - name: host-mappings
+        configMap:
+          name: host-mappings
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tekton-el
+  namespace: auth-proxy
+  labels:
+    app: internal-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: internal-proxy
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: loki
+  namespace: auth-proxy
+  labels:
+    app: internal-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: internal-proxy
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: loki-distributed
+  namespace: auth-proxy
+  labels:
+    app: internal-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: internal-proxy
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: prometheus
+  namespace: auth-proxy
+  labels:
+    app: internal-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: internal-proxy
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vmcluster
+  namespace: auth-proxy
+  labels:
+    app: internal-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: internal-proxy
+  type: ClusterIP
+---
--- a/manifests/auth-proxy/non-auth-proxy.yaml
+++ b/manifests/auth-proxy/non-auth-proxy.yaml
@@ -0,0 +1,213 @@
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tailscale-non-auth-proxy
+  namespace: auth-proxy
+type: Opaque
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tailscale-non-auth-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tailscale-non-auth-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+subjects:
+- kind: ServiceAccount
+  name: "tailscale-non-auth-proxy"
+roleRef:
+  kind: Role
+  name: tailscale-non-auth-proxy
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tailscale-non-auth-proxy
+  labels:
+    app.kubernetes.io/name: tailscale
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resourceNames: ["tailscale-non-auth-proxy"]
+  resources: ["secrets"]
+  verbs: ["get", "update"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: non-auth-proxy
+  namespace: auth-proxy
+  labels:
+    app: non-auth-proxy
+  annotations:
+    secret.reloader.stakater.com/reload: "tailscale-non-auth-proxy"
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: non-auth-proxy
+  template:
+    metadata:
+      labels:
+        app: non-auth-proxy
+    spec:
+      serviceAccountName: tailscale-non-auth-proxy
+      dnsPolicy: ClusterFirst
+      dnsConfig:
+        nameservers:
+          - 100.100.100.100
+      containers:
+      - name: oauth-proxy
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
+        args:
+        - --cookie-secure=false
+        - --provider=oidc
+        - --provider-display-name=Auth0
+        - --upstream=http://talos.averagemarcus.github.beta.tailscale.net
+        - --http-address=0.0.0.0:8080
+        - --email-domain=*
+        - --pass-basic-auth=false
+        - --pass-access-token=false
+        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
+        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
+        - --cookie-expire=336h0m0s
+        - --trusted-ip=0.0.0.0/0
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: auth-proxy
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: auth-proxy
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+      - name: tailscale
+        image: ghcr.io/tailscale/tailscale:v1.50
+        imagePullPolicy: Always
+        tty: true
+        env:
+        - name: TS_AUTH_KEY
+          valueFrom:
+            secretKeyRef:
+              name: tailscale-auth
+              key: password
+        - name: TS_KUBE_SECRET
+          value: tailscale-non-auth-proxy
+        - name: TS_ACCEPT_DNS
+          value: "true"
+        - name: TS_EXTRA_ARGS
+          value: "--hostname=non-auth-proxy"
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        command:
+        - sh
+        - -c
+        - |
+          export PATH=$PATH:/tailscale/bin
+          if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
+          if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
+          echo "Starting tailscaled"
+          tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock &
+          PID=$!
+          echo "Running tailscale up"
+          tailscale --socket=/tmp/tailscaled.sock up \
+            --accept-dns=${TS_ACCEPT_DNS} \
+            --authkey=${TS_AUTH_KEY} \
+            ${TS_EXTRA_ARGS}
+          echo "Re-enabling incoming traffic from the cluster"
+          wait ${PID}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: non-auth-proxy
+  namespace: auth-proxy
+  labels:
+    app: non-auth-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: non-auth-proxy
+  type: ClusterIP
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: non-auth-proxy
+  namespace: auth-proxy
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - home.cluster.fun
+    - tasks.cluster.fun
+    - api.tasks.cluster.fun
+    secretName: non-auth-proxy-ingress
+  rules:
+  - host: home.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: non-auth-proxy
+            port:
+              name: http
+  - host: tasks.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: non-auth-proxy
+            port:
+              name: http
+  - host: api.tasks.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: non-auth-proxy
+            port:
+              name: http
--- a/manifests/base64/base64.yaml
+++ b/manifests/base64/base64.yaml
@@ -0,0 +1,71 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: base64
+  namespace: base64
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: base64
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: base64
+  namespace: base64
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: base64
+  template:
+    metadata:
+      labels:
+        app: base64
+    spec:
+      imagePullSecrets:
+        - name: docker-config
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/base64:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+          name: web
+        resources:
+          limits:
+            memory: 5Mi
+          requests:
+            memory: 5Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: base64
+  namespace: base64
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  tls:
+  - hosts:
+    - base64.cluster.fun
+    secretName: base64-ingress
+  rules:
+  - host: base64.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: base64
+            port:
+              number: 80
--- a/manifests/blackhole/blackhole.yaml
+++ b/manifests/blackhole/blackhole.yaml
@@ -37,12 +37,11 @@ spec:
        resources:
          limits:
            memory: 10Mi
-
          requests:
            memory: 10Mi

 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: black-hole
@@ -52,6 +51,9 @@ spec:
  - http:
      paths:
      - path: /
+        pathType: ImplementationSpecific
        backend:
-          serviceName: black-hole
-          servicePort: 80
+          service:
+            name: black-hole
+            port:
+              number: 80
--- a/manifests/blog/blog.yaml
+++ b/manifests/blog/blog.yaml
@@ -1,9 +1,4 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: blog
---
-apiVersion: v1
 kind: Service
 metadata:
  name: blog
@@ -34,7 +29,7 @@ spec:
    spec:
      containers:
      - name: web
-        image: docker.cluster.fun/averagemarcus/blog:latest
+        image: rg.fr-par.scw.cloud/averagemarcus/blog:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 8000
@@ -44,18 +39,27 @@ spec:
            memory: 200Mi
          requests:
            memory: 200Mi
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: web
+          initialDelaySeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: web
+          initialDelaySeconds: 10
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: blog
  namespace: blog
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
+  ingressClassName: nginx
  tls:
  - hosts:
    - marcusnoble.co.uk
@@ -65,22 +69,24 @@ spec:
    http:
      paths:
      - path: /
+        pathType: ImplementationSpecific
        backend:
-          serviceName: blog
-          servicePort: 80
+          service:
+            name: blog
+            port:
+              number: 80

 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: blog-www
  namespace: blog
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
+  ingressClassName: nginx
  tls:
  - hosts:
    - www.marcusnoble.co.uk
@@ -90,22 +96,24 @@ spec:
    http:
      paths:
      - path: /
+        pathType: ImplementationSpecific
        backend:
-          serviceName: blog
-          servicePort: 80
+          service:
+            name: blog
+            port:
+              number: 80

 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: blog-blog
  namespace: blog
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
+  ingressClassName: nginx
  tls:
  - hosts:
    - blog.marcusnoble.co.uk
@@ -115,7 +123,10 @@ spec:
    http:
      paths:
      - path: /
+        pathType: ImplementationSpecific
        backend:
-          serviceName: blog
-          servicePort: 80
+          service:
+            name: blog
+            port:
+              number: 80

--- a/manifests/buzzers.yaml
+++ b/manifests/buzzers.yaml
@@ -1,70 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: buzzers
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: buzzers
-  namespace: buzzers
-spec:
-  type: ClusterIP
-  ports:
-  - port: 80
-    targetPort: web
-    name: web
-  selector:
-    app: buzzers
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: buzzers
-  namespace: buzzers
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: buzzers
-  template:
-    metadata:
-      labels:
-        app: buzzers
-    spec:
-      containers:
-      - name: web
-        image: docker.cluster.fun/averagemarcus/buzzers:latest
-        imagePullPolicy: Always
-        ports:
-        - containerPort: 80
-          name: web
-        resources:
-          limits:
-            memory: 283Mi
-          requests:
-            memory: 283Mi
---
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: buzzers
-  namespace: buzzers
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - buzzers.cluster.fun
-    secretName: buzzers-ingress
-  rules:
-  - host: buzzers.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: buzzers
-          servicePort: 80
--- a/manifests/cctv.yaml
+++ b/manifests/cctv.yaml
@@ -1,114 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cctv
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: cctv-auth
-  namespace: cctv
-  annotations:
-    kube-1password: mr6spkkx7n3memkbute6ojaarm
-    kube-1password/vault: Kubernetes
-type: Opaque
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cctv-auth
-  namespace: cctv
-  labels:
-    app: cctv-auth
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: cctv-auth
-  template:
-    metadata:
-      labels:
-        app: cctv-auth
-    spec:
-      containers:
-      - args:
-        - --cookie-secure=false
-        - --provider=oidc
-        - --provider-display-name=Auth0
-        - --upstream=http://inlets.inlets.svc.cluster.local
-        - --http-address=$(HOST_IP):8080
-        - --redirect-url=https://cctv.cluster.fun/oauth2/callback
-        - --email-domain=*
-        - --pass-basic-auth=false
-        - --pass-access-token=false
-        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
-        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
-        env:
-        - name: HOST_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-        - name: OAUTH2_PROXY_CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              key: username
-              name: cctv-auth
-        - name: OAUTH2_PROXY_CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              key: password
-              name: cctv-auth
-        image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
-        name: oauth-proxy
-        ports:
-        - containerPort: 8080
-          protocol: TCP
-        resources:
-          limits:
-            memory: 50Mi
-          requests:
-            memory: 50Mi
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: cctv-auth
-  namespace: cctv
-  labels:
-    app: cctv-auth
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: cctv-auth
-  type: ClusterIP
---
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: cctv-auth
-  namespace: cctv
-  labels:
-    app: cctv-auth
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - cctv.cluster.fun
-    secretName: cctv-ingress
-  rules:
-  - host: cctv.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: cctv-auth
-          servicePort: 80
--- a/manifests/cel-tester/cel-tester.yaml
+++ b/manifests/cel-tester/cel-tester.yaml
@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: cel-tester
+  namespace: cel-tester
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: cel-tester
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cel-tester
+  namespace: cel-tester
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: cel-tester
+  template:
+    metadata:
+      labels:
+        app: cel-tester
+    spec:
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/cel-tester:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+          name: web
+        resources:
+          limits:
+            memory: 20Mi
+          requests:
+            memory: 20Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: cel-tester
+  namespace: cel-tester
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  tls:
+  - hosts:
+    - cel-tester.cluster.fun
+    secretName: cel-tester-ingress
+  rules:
+  - host: cel-tester.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: cel-tester
+            port:
+              number: 80
+
--- a/manifests/certmanager-civo/certmanager_chart.yaml
+++ b/manifests/certmanager-civo/certmanager_chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    certmanager.k8s.io/disable-validation: "true"
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: letsencrypt@marcusnoble.co.uk
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+    - http01:
+        ingress:
+          class: traefik
--- a/manifests/certmanager_chart.yaml
+++ b/manifests/certmanager_chart.yaml
@@ -1,47 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager
-  labels:
-    certmanager.k8s.io/disable-validation: "true"
-
---
-
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
-  name: cert-manager
-  namespace: cert-manager
-spec:
-  chart:
-    repository: https://charts.jetstack.io
-    name: cert-manager
-    version: v0.15.0
-  maxHistory: 5
-  values:
-    installCRDs: "true"
-    resources:
-      requests:
-
-        memory: 32Mi
-      limits:
-
-        memory: 64Mi
-
---
-
-apiVersion: cert-manager.io/v1alpha2
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: letsencrypt@marcusnoble.co.uk
-    privateKeySecretRef:
-      name: letsencrypt
-    solvers:
-    - selector: {}
-      http01:
-        ingress:
-          class: traefik
--- a/manifests/certmanager_chart/certmanager_chart.yaml
+++ b/manifests/certmanager_chart/certmanager_chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    certmanager.k8s.io/disable-validation: "true"
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: letsencrypt@marcusnoble.co.uk
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
--- a/manifests/civo-versions/civo-versions.yaml
+++ b/manifests/civo-versions/civo-versions.yaml
@@ -0,0 +1,88 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: civo-versions
+  namespace: civo-versions
+  annotations:
+    kube-1password: ybo7axn7wpks4z3u3gjhibnu5i
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-parse: "true"
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: civo-versions
+  namespace: civo-versions
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: civo-versions
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: civo-versions
+  namespace: civo-versions
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: civo-versions
+  template:
+    metadata:
+      labels:
+        app: civo-versions
+    spec:
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/civo-versions:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8000
+          name: web
+        env:
+        - name: PORT
+          value: "8000"
+        - name: API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: civo-versions
+              key: API_KEY
+        resources:
+          limits:
+            memory: 30Mi
+          requests:
+            memory: 30Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: civo-versions
+  namespace: civo-versions
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  tls:
+  - hosts:
+    - civo-versions.cluster.fun
+    secretName: civo-versions-ingress
+  rules:
+  - host: civo-versions.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: civo-versions
+            port:
+              number: 80
--- a/manifests/cors-proxy/cors-proxy.yaml
+++ b/manifests/cors-proxy/cors-proxy.yaml
@@ -1,9 +1,4 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: cors-proxy
---
-apiVersion: v1
 kind: Service
 metadata:
  name: cors-proxy
@@ -34,57 +29,45 @@ spec:
    spec:
      containers:
      - name: web
-        image: docker.cluster.fun/averagemarcus/cors-proxy:latest
+        image: rg.fr-par.scw.cloud/averagemarcus/cors-proxy:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 8000
          name: web
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: cors-proxy
  namespace: cors-proxy
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
+  ingressClassName: nginx
  tls:
  - hosts:
    - cors-proxy.cluster.fun
+    - cors-proxy.marcusnoble.co.uk
    secretName: cors-proxy-ingress
  rules:
  - host: cors-proxy.cluster.fun
    http:
      paths:
      - path: /
+        pathType: ImplementationSpecific
        backend:
-          serviceName: cors-proxy
-          servicePort: 80
-
---
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: cors-proxy-mn
-  namespace: cors-proxy
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - cors-proxy.marcusnoble.co.uk
-    secretName: cors-proxy-mn-ingress
-  rules:
+          service:
+            name: cors-proxy
+            port:
+              number: 80
  - host: cors-proxy.marcusnoble.co.uk
    http:
      paths:
      - path: /
+        pathType: ImplementationSpecific
        backend:
-          serviceName: cors-proxy
-          servicePort: 80
+          service:
+            name: cors-proxy
+            port:
+              number: 80
--- a/manifests/dashboard.yaml
+++ b/manifests/dashboard.yaml
@@ -1,13 +1,8 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: dashboard
---
-apiVersion: v1
 kind: Secret
 metadata:
  name: docker-config
-  namespace: dashboard
+  namespace: cv
  annotations:
    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
    kube-1password/vault: Kubernetes
@@ -19,8 +14,8 @@ data:
 apiVersion: v1
 kind: Service
 metadata:
-  name: dashboard
-  namespace: dashboard
+  name: cv
+  namespace: cv
 spec:
  type: ClusterIP
  ports:
@@ -28,58 +23,62 @@ spec:
    targetPort: web
    name: web
  selector:
-    app: dashboard
+    app: cv
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: dashboard
-  namespace: dashboard
+  name: cv
+  namespace: cv
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app: dashboard
+      app: cv
  template:
    metadata:
      labels:
-        app: dashboard
+        app: cv
    spec:
      imagePullSecrets:
        - name: docker-config
      containers:
      - name: web
-        image: docker.cluster.fun/private/dashboard:latest
+        image: rg.fr-par.scw.cloud/averagemarcus-private/cv:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 80
          name: web
        resources:
          limits:
-            memory: 50Mi
+            memory: 10Mi
          requests:
-            memory: 50Mi
+            memory: 10Mi
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: dashboard
-  namespace: dashboard
+  name: cv
+  namespace: cv
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
  tls:
  - hosts:
-    - dash.cluster.fun
-    secretName: dashboard-ingress
+    - cv.marcusnoble.co.uk
+    secretName: cv-ingress
  rules:
-  - host: dash.cluster.fun
+  - host: cv.marcusnoble.co.uk
    http:
      paths:
      - path: /
+        pathType: ImplementationSpecific
        backend:
-          serviceName: dashboard
-          servicePort: 80
+          service:
+            name: cv
+            port:
+              number: 80
--- a/manifests/dashboard/dashboard.yaml
+++ b/manifests/dashboard/dashboard.yaml
@@ -0,0 +1,131 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: docker-config
+  namespace: dashboard
+  annotations:
+    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .dockerconfigjson
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: e30=
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dashboard-auth
+  namespace: dashboard
+  annotations:
+    kube-1password: mr6spkkx7n3memkbute6ojaarm
+    kube-1password/vault: Kubernetes
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dashboard
+  namespace: dashboard
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: auth
+    name: web
+  selector:
+    app: dashboard
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dashboard
+  namespace: dashboard
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: dashboard
+  template:
+    metadata:
+      labels:
+        app: dashboard
+    spec:
+      imagePullSecrets:
+        - name: docker-config
+      containers:
+      - args:
+        - --cookie-secure=false
+        - --provider=oidc
+        - --provider-display-name=Auth0
+        - --upstream=http://localhost:80
+        - --http-address=$(HOST_IP):8000
+        - --redirect-url=https://dash.cluster.fun/oauth2/callback
+        - --email-domain=marcusnoble.co.uk
+        - --pass-basic-auth=false
+        - --pass-access-token=false
+        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
+        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: dashboard-auth
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: dashboard-auth
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
+        name: oauth-proxy
+        ports:
+        - containerPort: 8000
+          protocol: TCP
+          name: auth
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus-private/dashboard:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+          name: web
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: dashboard
+  namespace: dashboard
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - dash.cluster.fun
+    secretName: dashboard-ingress
+  rules:
+  - host: dash.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: dashboard
+            port:
+              number: 80
--- a/manifests/downloads.yaml
+++ b/manifests/downloads.yaml
@@ -1,115 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: downloads
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: downloads-auth
-  namespace: downloads
-  annotations:
-    kube-1password: mr6spkkx7n3memkbute6ojaarm
-    kube-1password/vault: Kubernetes
-type: Opaque
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: downloads-auth
-  namespace: downloads
-  labels:
-    app: downloads-auth
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: downloads-auth
-  template:
-    metadata:
-      labels:
-        app: downloads-auth
-    spec:
-      containers:
-      - args:
-        - --cookie-secure=false
-        - --provider=oidc
-        - --provider-display-name=Auth0
-        - --upstream=http://inlets.inlets.svc.cluster.local
-        - --http-address=$(HOST_IP):8080
-        - --redirect-url=https://downloads.cluster.fun/oauth2/callback
-        - --email-domain=*
-        - --pass-basic-auth=false
-        - --pass-access-token=false
-        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
-        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
-        env:
-        - name: HOST_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-        - name: OAUTH2_PROXY_CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              key: username
-              name: downloads-auth
-        - name: OAUTH2_PROXY_CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              key: password
-              name: downloads-auth
-        image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
-        name: oauth-proxy
-        ports:
-        - containerPort: 8080
-          protocol: TCP
-        resources:
-          limits:
-            memory: 250Mi
-          requests:
-            memory: 250Mi
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: downloads-auth
-  namespace: downloads
-  labels:
-    app: downloads-auth
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: downloads-auth
-  type: ClusterIP
---
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: downloads-auth
-  namespace: downloads
-  labels:
-    app: downloads-auth
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - downloads.cluster.fun
-    secretName: downloads-ingress
-  rules:
-  - host: downloads.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: downloads-auth
-          servicePort: 80
-
--- a/manifests/feed-fetcher/feed-fetcher.yaml
+++ b/manifests/feed-fetcher/feed-fetcher.yaml
@@ -0,0 +1,65 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: feed-fetcher
+  namespace: feed-fetcher
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: feed-fetcher
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: feed-fetcher
+  namespace: feed-fetcher
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: feed-fetcher
+  template:
+    metadata:
+      labels:
+        app: feed-fetcher
+    spec:
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/feed-fetcher:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+          name: web
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: feed-fetcher
+  namespace: feed-fetcher
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  tls:
+  - hosts:
+    - feed-fetcher.cluster.fun
+    secretName: feed-fetcher-ingress
+  rules:
+  - host: feed-fetcher.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: feed-fetcher
+            port:
+              number: 80
+
--- a/manifests/focalboard/focalboard.yaml
+++ b/manifests/focalboard/focalboard.yaml
@@ -0,0 +1,116 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: focalboard
+  namespace: focalboard
+  labels:
+    app.kubernetes.io/name: focalboard
+  annotations:
+    kube-1password: dpszqviipd5tkls5bajzeb56ui
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: config.json
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: focalboard
+  namespace: focalboard
+  labels:
+    app.kubernetes.io/name: focalboard
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/metrics"
+    prometheus.io/port: "9000"
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app.kubernetes.io/name: focalboard
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: focalboard
+  namespace: focalboard
+  labels:
+    app.kubernetes.io/name: focalboard
+  annotations:
+    secret.reloader.stakater.com/reload: "focalboard"
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: focalboard
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: focalboard
+    spec:
+      containers:
+      - name: focalboard
+        image: mattermost/focalboard:7.11.4
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 8000
+          name: web
+        env:
+        - name: FOCALBOARD_PORT
+          value: "8000"
+        - name: VIRTUAL_HOST
+          value: "localhost"
+        - name: VIRTUAL_PORT
+          value: "8000"
+        - name: VIRTUAL_PROTO
+          value: "http"
+        volumeMounts:
+        - name: data
+          mountPath: /data
+        - name: config
+          mountPath: /opt/focalboard/config.json
+          subPath: config.json
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: focalboard
+      - name: config
+        secret:
+          secretName: focalboard
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: focalboard
+  namespace: focalboard
+  labels:
+    app.kubernetes.io/name: focalboard
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+spec:
+  tls:
+    - hosts:
+      - focalboard.cluster.fun
+      secretName: focalboard-ingress
+  rules:
+  - host: focalboard.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: focalboard
+            port:
+              number: 80
--- a/manifests/focalboard/pvs.yaml
+++ b/manifests/focalboard/pvs.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  annotations:
+    pv.kubernetes.io/provisioned-by: csi.scaleway.com
+  finalizers:
+  - kubernetes.io/pv-protection
+  - external-attacher/csi-scaleway-com
+  name: pvc-df17f08f-a966-40a0-bc72-26cf2adb89a1
+spec:
+  accessModes:
+  - ReadWriteOnce
+  capacity:
+    storage: 2Gi
+  csi:
+    driver: csi.scaleway.com
+    fsType: ext4
+    volumeAttributes:
+      encrypted: "false"
+      storage.kubernetes.io/csiProvisionerIdentity: 1658355449315-8081-csi.scaleway.com
+    volumeHandle: fr-par-1/d823f97e-7ef0-4fb0-97ac-5a838356c355
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: scw-bssd
+  volumeMode: Filesystem
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: focalboard
+  namespace: focalboard
+  labels:
+    app.kubernetes.io/name: focalboard
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
+  volumeName: pvc-df17f08f-a966-40a0-bc72-26cf2adb89a1
+
+---
--- a/manifests/git-sync/git-sync.yaml
+++ b/manifests/git-sync/git-sync.yaml
@@ -0,0 +1,109 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-github
+  namespace: git-sync
+  annotations:
+    kube-1password: cfo2ufhgem57clbscxetxgevue
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: token
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-gitea
+  namespace: git-sync
+  annotations:
+    kube-1password: b7kpdlcvt7y63bozu3i4j4lojm
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: token
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-gitlab
+  namespace: git-sync
+  annotations:
+    kube-1password: t47v3xdgadiifgoi4wmqibrlty
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: token
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-bitbucket
+  namespace: git-sync
+  annotations:
+    kube-1password: adrki45krr2tq34sug7dhdk5iy
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: token
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-codeberg
+  namespace: git-sync
+  annotations:
+    kube-1password: 5ynzgk6qcgshztkjbddwalixfq
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: token
+type: Opaque
+data:
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: git-sync
+  namespace: git-sync
+spec:
+  schedule: "0 */1 * * *"
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 1
+  successfulJobsHistoryLimit: 1
+  jobTemplate:
+    metadata:
+      labels:
+        cronjob: git-sync
+    spec:
+      backoffLimit: 1
+      template:
+        spec:
+          containers:
+          - name: sync
+            image: rg.fr-par.scw.cloud/averagemarcus/git-sync:latest
+            imagePullPolicy: Always
+            env:
+            - name: GITHUB_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: git-sync-github
+                  key: token
+            - name: GITEA_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: git-sync-gitea
+                  key: token
+            - name: GITLAB_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: git-sync-gitlab
+                  key: token
+            - name: BITBUCKET_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: git-sync-bitbucket
+                  key: token
+            - name: CODEBERG_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: git-sync-codeberg
+                  key: token
+          restartPolicy: Never
--- a/manifests/gitea/gitea.yaml
+++ b/manifests/gitea/gitea.yaml
@@ -1,9 +1,4 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: gitea
---
-apiVersion: v1
 kind: Secret
 metadata:
  name: gitea-secret-key
@@ -47,7 +42,7 @@ spec:
    spec:
      containers:
      - name: git
-        image: gitea/gitea:1.11
+        image: gitea/gitea:1.20.5
        env:
        - name: APP_NAME
          value: "Git"
@@ -69,6 +64,8 @@ spec:
          value: "20"
        - name: DEFAULT_THEME
          value: arc-green
+        - name: ALLOWED_HOST_LIST
+          value: "*"
        - name: SECRET_KEY
          valueFrom:
            secretKeyRef:
@@ -80,7 +77,6 @@ spec:
        resources:
          requests:
            memory: 400Mi
-
        volumeMounts:
        - mountPath: /data
          name: git-data
@@ -94,17 +90,17 @@ spec:
        requests:
          storage: 20Gi
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: git
  namespace: gitea
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
 spec:
+  ingressClassName: nginx
  tls:
  - hosts:
    - git.cluster.fun
@@ -114,6 +110,9 @@ spec:
    http:
      paths:
      - path: /
+        pathType: ImplementationSpecific
        backend:
-          serviceName: git
-          servicePort: 80
+          service:
+            name: git
+            port:
+              number: 80
--- a/manifests/gitea/pvs.yaml
+++ b/manifests/gitea/pvs.yaml
@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  annotations:
+    pv.kubernetes.io/provisioned-by: csi.scaleway.com
+  creationTimestamp: "2020-05-02T15:38:54Z"
+  finalizers:
+  - kubernetes.io/pv-protection
+  - external-attacher/csi-scaleway-com
+  name: pvc-02bd903f-e5ac-4c9f-a976-9fe995a352b2
+spec:
+  accessModes:
+  - ReadWriteOnce
+  capacity:
+    storage: 20Gi
+  csi:
+    driver: csi.scaleway.com
+    fsType: ext4
+    volumeAttributes:
+      storage.kubernetes.io/csiProvisionerIdentity: 1588413765965-1847-csi.scaleway.com
+    volumeHandle: fr-par-1/2ef4f017-2d41-4662-bfa4-df0dcf2085a1
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: scw-bssd-retain
+  volumeMode: Filesystem
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  annotations:
+    pv.kubernetes.io/bind-completed: "yes"
+    pv.kubernetes.io/bound-by-controller: "yes"
+    volume.beta.kubernetes.io/storage-provisioner: csi.scaleway.com
+  finalizers:
+  - kubernetes.io/pvc-protection
+  labels:
+    app: git
+  name: git-data-git-0
+  namespace: gitea
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi
+  storageClassName: scw-bssd-retain
+  volumeMode: Filesystem
+  volumeName: pvc-02bd903f-e5ac-4c9f-a976-9fe995a352b2
--- a/manifests/goplayground/goplayground.yaml
+++ b/manifests/goplayground/goplayground.yaml
@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: goplayground
+  namespace: goplayground
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: goplayground
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: goplayground
+  namespace: goplayground
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: goplayground
+  template:
+    metadata:
+      labels:
+        app: goplayground
+    spec:
+      containers:
+      - name: web
+        image: x1unix/go-playground:1.13.4
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 8000
+          name: web
+        resources:
+          limits:
+            memory: 20Mi
+          requests:
+            memory: 20Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: goplayground
+  namespace: goplayground
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  tls:
+  - hosts:
+    - go.cluster.fun
+    secretName: goplayground-ingress
+  rules:
+  - host: go.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: goplayground
+            port:
+              number: 80
+
--- a/manifests/harbor_chart.yaml
+++ b/manifests/harbor_chart.yaml
@@ -1,57 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: harbor
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: harbor-values
-  namespace: harbor
-  annotations:
-    kube-1password: igey7vjjiqmj25v64eck7cyj34
-    kube-1password/vault: Kubernetes
-    kube-1password/secret-text-key: values.yaml
-type: Opaque
---
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
-  name: harbor
-  namespace: harbor
-spec:
-  chart:
-    repository: https://helm.goharbor.io
-    name: harbor
-    version: 1.3.2
-  maxHistory: 4
-  skipCRDs: false
-  valuesFrom:
-  - secretKeyRef:
-      name: harbor-values
-      namespace: harbor
-      key: values.yaml
-      optional: false
-  values:
-    portal:
-      resources:
-        requests:
-          memory: 64Mi
-    core:
-      resources:
-        requests:
-          memory: 64Mi
-    jobservice:
-      resources:
-        requests:
-          memory: 64Mi
-    registry:
-      registry:
-        resources:
-          requests:
-            memory: 64Mi
-      controller:
-        resources:
-          requests:
-            memory: 64Mi
-
--- a/manifests/inlets.yaml
+++ b/manifests/inlets.yaml
@@ -1,103 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: inlets
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: inlets
-  namespace: inlets
-  annotations:
-    kube-1password: podju6t2s2osc3vbkimyce25ti
-    kube-1password/vault: Kubernetes
-    kube-1password/password-key: token
-type: Opaque
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: inlets
-  namespace: inlets
-  labels:
-    app: inlets
-spec:
-  type: ClusterIP
-  ports:
-    - port: 80
-      protocol: TCP
-      targetPort: 8000
-  selector:
-    app: inlets
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: inlets
-  namespace: inlets
-  labels:
-    app: inlets
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: inlets
-  template:
-    metadata:
-      labels:
-        app: inlets
-    spec:
-      containers:
-      - name: inlets
-        image: inlets/inlets:2.7.0
-        imagePullPolicy: Always
-        command: ["inlets"]
-        args:
-        - "server"
-        - "--token-from=/var/inlets/token"
-        volumeMounts:
-          - name: inlets-token-volume
-            mountPath: /var/inlets/
-      volumes:
-        - name: inlets-token-volume
-          secret:
-            secretName: inlets
---
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: inlets
-  namespace: inlets
-spec:
-  rules:
-  - host: inlets.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: inlets
-          servicePort: 80
---
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: pyload
-  namespace: inlets
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - pyload.cluster.fun
-    secretName: pyload-ingress
-  rules:
-  - host: pyload.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: inlets
-          servicePort: 80
--- a/manifests/kube-janitor.yaml
+++ b/manifests/kube-janitor.yaml
@@ -1,107 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: kube-janitor
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kube-janitor
-  namespace: kube-janitor
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: kube-janitor
-rules:
- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
- apiGroups:
-  - "*"
-  resources:
-  - "*"
-  verbs:
-  - get
-  - watch
-  - list
-  - delete
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kube-janitor
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kube-janitor
-subjects:
- kind: ServiceAccount
-  name: kube-janitor
-  namespace: kube-janitor
---
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: kube-janitor
-  namespace: kube-janitor
-data:
-  rules.yaml: |-
-    rules:
-      - id: tekton-tasks
-        resources:
-          - pods
-          - pipelineruns
-        jmespath: "(metadata.labels.\"tekton.dev/pipeline\")"
-        ttl: 3h
-
---
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    application: kube-janitor
-    version: v20.4.1
-  name: kube-janitor
-  namespace: kube-janitor
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      application: kube-janitor
-  template:
-    metadata:
-      labels:
-        application: kube-janitor
-        version: v20.4.1
-    spec:
-      serviceAccountName: kube-janitor
-      containers:
-      - name: janitor
-        image: hjacobs/kube-janitor:20.4.1
-        args:
-          - --interval=15
-          - --rules-file=/config/rules.yaml
-          - --include-namespaces=tekton-pipelines
-          - --include-resources=pods
-        resources:
-          limits:
-            memory: 100Mi
-          requests:
-            memory: 100Mi
-        securityContext:
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          runAsUser: 1000
-        volumeMounts:
-          - name: config-volume
-            mountPath: /config
-      volumes:
-      - name: config-volume
-        configMap:
-          name: kube-janitor
--- a/manifests/link/link.yaml
+++ b/manifests/link/link.yaml
@@ -0,0 +1,99 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: urls-map
+  namespace: link
+  labels:
+    app: link
+data:
+  urls.yaml: |
+    mn: https://marcusnoble.co.uk
+    whites: https://twitter.com/whites11/status/1484053621448785920
+    devopsnotts22: https://noti.st/averagemarcus/E8Ldoh/managing-kubernetes-without-losing-your-cool
+    kubernetes-cool: https://noti.st/averagemarcus/E8Ldoh/managing-kubernetes-without-losing-your-cool
+    klustered: https://gist.githubusercontent.com/AverageMarcus/e58301ecf3455caa1638c3ffe70ed138/raw/klustered.sh
+    wonders-and-woes: https://noti.st/averagemarcus/sWywEJ/the-wonders-and-woes-of-webhooks
+    kubehuddle: https://noti.st/averagemarcus/TqCEd4/the-wonders-and-woes-of-webhooks
+    kcduk: https://noti.st/averagemarcus/fxN4gl/managing-kubernetes-without-losing-your-cool
+    wonders-and-woes-webinar: https://noti.st/averagemarcus/Hw2IXG/the-wonders-and-woes-of-webhooks
+    kcdukraine: https://noti.st/averagemarcus/quuysq/managing-kubernetes-without-losing-your-cool
+    devopsox23: https://noti.st/averagemarcus/quuysq/managing-kubernetes-without-losing-your-cool
+    dddem23: https://noti.st/averagemarcus/Rt4hFh/managing-kubernetes-without-losing-your-cool
+    kube-london: https://noti.st/averagemarcus/SFD1bY/the-wonders-and-woes-of-webhooks
+    kcduk23: https://noti.st/averagemarcus/4YvpTx/webhooks-whats-the-worst-that-could-happen
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: link
+  namespace: link
+  labels:
+    app: link
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: link
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: link
+  namespace: link
+  labels:
+    app: link
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: link
+  template:
+    metadata:
+      labels:
+        app: link
+    spec:
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/link:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 5050
+          name: web
+        volumeMounts:
+          - name: config
+            mountPath: /config
+      volumes:
+        - name: config
+          configMap:
+            name: urls-map
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: link
+  namespace: link
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  tls:
+  - hosts:
+    - go-get.link
+    secretName: link-ingress
+  rules:
+  - host: go-get.link
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: link
+            port:
+              number: 80
--- a/manifests/linx-server.yaml
+++ b/manifests/linx-server.yaml
@@ -1,114 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: linx-server
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: linx-server
-  namespace: linx-server
-data:
-  linx-server.conf: |-
-    sitename = share
-    maxsize = 524288000
-    maxexpiry = 0
-    selifpath = f
-    nologs = false
-    force-random-filename = false
-    s3-endpoint = https://s3.fr-par.scw.cloud
-    s3-region = fr-par
-    s3-bucket = cluster.fun-linx
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: linx-server-s3
-  namespace: linx-server
-  annotations:
-    kube-1password: d5dgclm3qrxd4fntivv26ec3ee
-    kube-1password/vault: Kubernetes
-type: Opaque
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: linx-server
-  namespace: linx-server
-spec:
-  type: ClusterIP
-  ports:
-  - port: 80
-    targetPort: web
-    name: web
-  selector:
-    app: linx-server
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: linx-server
-  namespace: linx-server
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app: linx-server
-  template:
-    metadata:
-      labels:
-        app: linx-server
-    spec:
-      containers:
-      - name: web
-        image: andreimarcu/linx-server:version-2.3.5
-        imagePullPolicy: Always
-        args:
-          - -config
-          - /config/linx-server.conf
-        ports:
-        - containerPort: 8080
-          name: web
-        env:
-          - name: AWS_ACCESS_KEY_ID
-            valueFrom:
-              secretKeyRef:
-                name: linx-server-s3
-                key: username
-          - name: AWS_SECRET_ACCESS_KEY
-            valueFrom:
-              secretKeyRef:
-                name: linx-server-s3
-                key: password
-        volumeMounts:
-          - name: config
-            mountPath: /config
-      volumes:
-        - name: config
-          configMap:
-            name: linx-server
---
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: linx-server
-  namespace: linx-server
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - share.cluster.fun
-    secretName: linx-server-ingress
-  rules:
-  - host: share.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: linx-server
-          servicePort: 80
--- a/manifests/loki_chart.yaml
+++ b/manifests/loki_chart.yaml
@@ -1,175 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: logging
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: grafana-credentials
-  namespace: logging
-  annotations:
-    kube-1password: wpynfxkdipeeacyfxkvtdsuj54
-    kube-1password/vault: Kubernetes
-type: Opaque
---
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
-  name: loki
-  namespace: logging
-spec:
-  chart:
-    repository: https://grafana.github.io/loki/charts
-    name: loki-stack
-    version: 0.36.2
-  maxHistory: 4
-  skipCRDs: false
-  values:
-    fluent-bit:
-      enabled: "true"
-    promtail:
-      enabled: "true"
-    loki:
-      persistence:
-        enabled: "true"
-        size: 10Gi
-
---
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
-  name: grafana
-  namespace: logging
-spec:
-  chart:
-    repository: https://kubernetes-charts.storage.googleapis.com
-    name: grafana
-    version: 5.0.22
-  maxHistory: 4
-  skipCRDs: false
-  values:
-    image:
-      tag: 7.0.0
-    admin:
-      existingSecret: "grafana-credentials"
-      userKey: username
-      passwordKey: password
-    persistence:
-      enabled: "false"
-    datasources:
-      datasources.yaml:
-        apiVersion: 1
-        datasources:
-        - name: Loki
-          type: loki
-          url: http://logging-loki.logging:3100
-          access: proxy
-          jsonData:
-            maxLines: 1000
-
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: grafana-auth
-  namespace: logging
-  annotations:
-    kube-1password: mr6spkkx7n3memkbute6ojaarm
-    kube-1password/vault: Kubernetes
-type: Opaque
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: grafana-auth
-  namespace: logging
-  labels:
-    app: grafana-auth
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: grafana-auth
-  template:
-    metadata:
-      labels:
-        app: grafana-auth
-    spec:
-      containers:
-      - args:
-        - --cookie-secure=false
-        - --provider=oidc
-        - --provider-display-name=Auth0
-        - --upstream=http://logging-grafana.logging.svc.cluster.local
-        - --http-address=$(HOST_IP):8080
-        - --redirect-url=https://grafana.cluster.fun/oauth2/callback
-        - --email-domain=marcusnoble.co.uk
-        - --pass-basic-auth=false
-        - --pass-access-token=false
-        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
-        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
-        env:
-        - name: HOST_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-        - name: OAUTH2_PROXY_CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              key: username
-              name: grafana-auth
-        - name: OAUTH2_PROXY_CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              key: password
-              name: grafana-auth
-        image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
-        name: oauth-proxy
-        ports:
-        - containerPort: 8080
-          protocol: TCP
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: grafana-auth
-  namespace: logging
-  labels:
-    app: grafana-auth
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: grafana-auth
-  type: ClusterIP
---
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: grafana-auth
-  namespace: logging
-  labels:
-    app: grafana-auth
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - grafana.cluster.fun
-    secretName: grafana-ingress
-  rules:
-  - host: grafana.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: grafana-auth
-          servicePort: 80
--- a/manifests/marcusnoble/marcusnoble.yaml
+++ b/manifests/marcusnoble/marcusnoble.yaml
@@ -0,0 +1,90 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: marcusnoble
+  namespace: marcusnoble
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 8080
+    name: web
+  selector:
+    app: marcusnoble
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: marcusnoble
+  namespace: marcusnoble
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: marcusnoble
+  template:
+    metadata:
+      labels:
+        app: marcusnoble
+    spec:
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/marcusnoble:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+          name: web
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+        # livenessProbe:
+        #   httpGet:
+        #     path: /healthz
+        #     port: web
+        #   initialDelaySeconds: 10
+        # readinessProbe:
+        #   httpGet:
+        #     path: /healthz
+        #     port: web
+        #   initialDelaySeconds: 10
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: marcusnoble
+  namespace: marcusnoble
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - marcusnoble.com
+    - www.marcusnoble.com
+    secretName: marcusnoble-ingress
+  rules:
+  - host: marcusnoble.com
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: marcusnoble
+            port:
+              number: 80
+  - host: www.marcusnoble.com
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: marcusnoble
+            port:
+              number: 80
+
+---
--- a/manifests/mastodon-digest/mastodon_digest.yaml
+++ b/manifests/mastodon-digest/mastodon_digest.yaml
@@ -0,0 +1,229 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: docker-config
+  namespace: mastodon-digest
+  annotations:
+    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .dockerconfigjson
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: e30=
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mastodon-digest-auth
+  namespace: mastodon-digest
+  annotations:
+    kube-1password: mr6spkkx7n3memkbute6ojaarm
+    kube-1password/vault: Kubernetes
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mastodon-digest
+  namespace: mastodon-digest
+  annotations:
+    kube-1password: bfklz3yi3dn4e7xtsbttcvhata
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-parse: "true"
+type: Opaque
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config
+  namespace: mastodon-digest
+  labels:
+    app: mastodon-digest
+data:
+  config.json: |
+    [
+      {
+        "timeline": "home",
+        "hours": 12,
+        "scorer": "ExtendedSimpleWeighted",
+        "threshold": "lax",
+        "output": "/usr/share/nginx/html/home/"
+      },
+      {
+        "timeline": "federated",
+        "hours": 12,
+        "scorer": "ExtendedSimpleWeighted",
+        "threshold": "lax",
+        "output": "/usr/share/nginx/html/federated/"
+      }
+    ]
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: index
+  namespace: mastodon-digest
+  labels:
+    app: mastodon-digest
+data:
+  index.html: |
+    <!DOCTYPE html>
+    <html lang="en">
+    <head>
+        <meta chartset="utf-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
+        <title>Mastodon Digest</title>
+        <style>
+        body { background-color: #292c36; font-family: "Arial", sans-serif; }
+        div#container { margin: auto; max-width: 640px; padding: 10px; text-align: center; margin: 0 auto; }
+        .links { align: center; }
+        h1 { color: white; }
+        a.button { background: #595aff; color: #fff; line-height: 1.2; min-height: 38px; min-width: 88px; padding: 0 30px; border: 0; border-radius: 6px;; display: inline-flex; justify-content: center; align-items: center; }
+    </style>
+    </head>
+    <body>
+        <div id="container">
+            <h1>Mastodon Digest</h1>
+            <section class="links">
+                <a href="home/" class="button">Home</a>
+                <a href="federated/" class="button">Federated</a>
+            </section>
+        </div>
+    </body>
+    </html>
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mastodon-digest
+  namespace: mastodon-digest
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: auth
+    name: web
+  selector:
+    app: mastodon-digest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mastodon-digest
+  namespace: mastodon-digest
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mastodon-digest
+  template:
+    metadata:
+      labels:
+        app: mastodon-digest
+    spec:
+      imagePullSecrets:
+        - name: docker-config
+      containers:
+      - args:
+        - --cookie-secure=false
+        - --provider=oidc
+        - --provider-display-name=Auth0
+        - --upstream=http://localhost:80
+        - --http-address=$(HOST_IP):8000
+        - --redirect-url=https://mastodon-digest.cluster.fun/oauth2/callback
+        - --email-domain=marcusnoble.co.uk
+        - --pass-basic-auth=false
+        - --pass-access-token=false
+        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
+        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: mastodon-digest-auth
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: mastodon-digest-auth
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
+        name: oauth-proxy
+        ports:
+        - containerPort: 8000
+          protocol: TCP
+          name: auth
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+
+      - name: web
+        image: nginx:stable
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 80
+          name: web
+        volumeMounts:
+        - name: html
+          mountPath: /usr/share/nginx/html
+        - name: index
+          mountPath: /usr/share/nginx/html/index.html
+          subPath: index.html
+
+      - name: digest
+        image: rg.fr-par.scw.cloud/averagemarcus-private/mastodon-digest:latest
+        imagePullPolicy: Always
+        env:
+        - name: CONFIG_FILE
+          value: /config.json
+        envFrom:
+        - secretRef:
+            name: mastodon-digest
+        volumeMounts:
+        - name: config
+          mountPath: /config.json
+          subPath: config.json
+        - name: html
+          mountPath: /usr/share/nginx/html
+      volumes:
+      - name: html
+        emptyDir: {}
+      - name: config
+        configMap:
+          name: config
+      - name: index
+        configMap:
+          name: index
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mastodon-digest
+  namespace: mastodon-digest
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - mastodon-digest.cluster.fun
+    secretName: mastodon-digest-ingress
+  rules:
+  - host: mastodon-digest.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: mastodon-digest
+            port:
+              number: 80
--- a/manifests/mastodon-to-airtable/twitter-to-airtable.yaml
+++ b/manifests/mastodon-to-airtable/twitter-to-airtable.yaml
@@ -0,0 +1,151 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: docker-config
+  namespace: mastodon-to-airtable
+  annotations:
+    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .dockerconfigjson
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: e30=
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mastodon-to-airtable-auth
+  namespace: mastodon-to-airtable
+  annotations:
+    kube-1password: mr6spkkx7n3memkbute6ojaarm
+    kube-1password/vault: Kubernetes
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mastodon-to-airtable
+  namespace: mastodon-to-airtable
+  annotations:
+    kube-1password: kizmkmbndgu3ryrox3csev4mim
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-parse: "true"
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mastodon-to-airtable
+  namespace: mastodon-to-airtable
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: auth
+    name: web
+  selector:
+    app: mastodon-to-airtable
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mastodon-to-airtable
+  namespace: mastodon-to-airtable
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mastodon-to-airtable
+  template:
+    metadata:
+      labels:
+        app: mastodon-to-airtable
+    spec:
+      imagePullSecrets:
+        - name: docker-config
+      containers:
+      - args:
+        - --cookie-secure=false
+        - --provider=oidc
+        - --provider-display-name=Auth0
+        - --upstream=http://localhost:8080
+        - --http-address=$(HOST_IP):8000
+        - --redirect-url=https://mastodon-to-airtable.cluster.fun/oauth2/callback
+        - --email-domain=marcusnoble.co.uk
+        - --pass-basic-auth=false
+        - --pass-access-token=false
+        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
+        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: mastodon-to-airtable-auth
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: mastodon-to-airtable-auth
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
+        name: oauth-proxy
+        ports:
+        - containerPort: 8000
+          protocol: TCP
+          name: auth
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus-private/mastodon-to-airtable:latest
+        imagePullPolicy: Always
+        env:
+        - name: PORT
+          value: "8080"
+        envFrom:
+        - secretRef:
+            name: "mastodon-to-airtable"
+        ports:
+        - containerPort: 8080
+          name: web
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mastodon-to-airtable
+  namespace: mastodon-to-airtable
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  tls:
+  - hosts:
+    - mastodon-to-airtable.cluster.fun
+    secretName: mastodon-to-airtable-ingress
+  rules:
+  - host: mastodon-to-airtable.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: mastodon-to-airtable
+            port:
+              number: 80
--- a/manifests/matrix_chart.yaml
+++ b/manifests/matrix_chart.yaml
@@ -1,255 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: chat
-
---
-
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
-  name: matrix
-  namespace: chat
-spec:
-  chart:
-    repository: https://dacruz21.github.io/helm-charts
-    name: matrix
-    version: 1.1.2
-  maxHistory: 4
-  values:
-    matrix:
-      serverName: "matrix.cluster.fun"
-      telemetry: false
-      hostname: "matrix.cluster.fun"
-      presence: true
-      blockNonAdminInvites: false
-      search: true
-      adminEmail: "matrix@marcusnoble.co.uk"
-      uploads:
-        maxSize: 100M
-        maxPixels: 32M
-      federation:
-        enabled: false
-        allowPublicRooms: false
-        blacklist:
-          - '127.0.0.0/8'
-          - '10.0.0.0/8'
-          - '172.16.0.0/12'
-          - '192.168.0.0/16'
-          - '100.64.0.0/10'
-          - '169.254.0.0/16'
-          - '::1/128'
-          - 'fe80::/64'
-          - 'fc00::/7'
-      registration:
-        enabled: false
-        allowGuests: false
-      urlPreviews:
-        enabled: true
-        rules:
-          maxSize: 4M
-          ip:
-            blacklist:
-              - '127.0.0.0/8'
-              - '10.0.0.0/8'
-              - '172.16.0.0/12'
-              - '192.168.0.0/16'
-              - '100.64.0.0/10'
-              - '169.254.0.0/16'
-              - '::1/128'
-              - 'fe80::/64'
-              - 'fc00::/7'
-
-    volumes:
-      media:
-        capacity: 4Gi
-      signingKey:
-        capacity: 1Gi
-
-    postgresql:
-      enabled: true
-      persistence:
-        size: 4Gi
-
-    synapse:
-      image:
-        repository: "matrixdotorg/synapse"
-        tag: v1.12.4
-        pullPolicy: IfNotPresent
-      service:
-        type: ClusterIP
-        port: 80
-      replicaCount: 1
-      resources: {}
-
-    riot:
-      enabled: true
-      integrations:
-        enabled: true
-        ui: "https://scalar.vector.im/"
-        api: "https://scalar.vector.im/api"
-        widgets:
-          - "https://scalar.vector.im/_matrix/integrations/v1"
-          - "https://scalar.vector.im/api"
-          - "https://scalar-staging.vector.im/_matrix/integrations/v1"
-          - "https://scalar-staging.vector.im/api"
-          - "https://scalar-staging.riot.im/scalar/api"
-      # Experimental features in riot-web, see https://github.com/vector-im/riot-web/blob/develop/docs/labs.md
-      labs:
-        - feature_pinning
-        - feature_custom_status
-        - feature_state_counters
-        - feature_many_integration_managers
-        - feature_mjolnir
-        - feature_dm_verification
-        - feature_bridge_state
-        - feature_presence_in_room_list
-        - feature_custom_themes
-      # Servers to show in the Explore menu (the current server is always shown)
-      roomDirectoryServers: []
-      # Prefix before permalinks generated when users share links to rooms, users, or messages. If running an unfederated Synapse, set the below to the URL of your Riot instance.
-      permalinkPrefix: "https://chat.cluster.fun"
-      image:
-        repository: "vectorim/riot-web"
-        tag: v1.6.0
-        pullPolicy: IfNotPresent
-      service:
-        type: ClusterIP
-        port: 80
-      replicaCount: 1
-      resources: {}
-
-    # Settings for Coturn TURN relay, used for routing voice calls
-    coturn:
-      enabled: false
-
-    mail:
-      enabled: false
-      relay:
-        enabled: false
-
-    bridges:
-      irc:
-        enabled: false
-      whatsapp:
-        enabled: false
-      discord:
-        enabled: false
-
-    networkPolicies:
-      enabled: false
-
-    ingress:
-      enabled: false
---
-
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: matrix
-  namespace: chat
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - matrix.cluster.fun
-    secretName: matrix-ingress
-  rules:
-  - host: matrix.cluster.fun
-    http:
-      paths:
-      - path: /.well-known/matrix
-        backend:
-          serviceName: well-known
-          servicePort: 80
-      - path: /
-        backend:
-          serviceName: chat-matrix-synapse
-          servicePort: 80
-
---
-
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: riot
-  namespace: chat
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - chat.cluster.fun
-    secretName: riot-ingress
-  rules:
-  - host: chat.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: chat-matrix-riot
-          servicePort: 80
-
---
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: well-known
-  namespace: chat
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: well-known
-  template:
-    metadata:
-      labels:
-        app: well-known
-    spec:
-      containers:
-      - name: web
-        image: nginx
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 80
-          name: web
-        volumeMounts:
-        - name: well-known
-          mountPath: /usr/share/nginx/html/.well-known/matrix
-      volumes:
-      - name: well-known
-        configMap:
-          name: well-known
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: well-known
-  namespace: chat
-spec:
-  type: ClusterIP
-  ports:
-  - port: 80
-    targetPort: 80
-    name: web
-  selector:
-    app: well-known
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: well-known
-  namespace: chat
-data:
-  server: |-
-    {
-      "m.server": "matrix.cluster.fun:443"
-    }
--- a/manifests/matrix_chart/matrix_chart.yaml
+++ b/manifests/matrix_chart/matrix_chart.yaml
@@ -0,0 +1,545 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: matrix
+  namespace: chat
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - matrix.cluster.fun
+    secretName: matrix-ingress
+  rules:
+  - host: matrix.cluster.fun
+    http:
+      paths:
+      - path: /.well-known/matrix
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: well-known
+            port:
+              number: 80
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: matrix-synapse
+            port:
+              number: 80
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: riot
+  namespace: chat
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - chat.cluster.fun
+    secretName: riot-ingress
+  rules:
+  - host: chat.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: matrix-riot
+            port:
+              number: 80
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: well-known
+  namespace: chat
+  annotations:
+    configmap.reloader.stakater.com/reload: "well-known"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: well-known
+  template:
+    metadata:
+      labels:
+        app: well-known
+    spec:
+      containers:
+      - name: web
+        image: nginx
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 80
+          name: web
+        volumeMounts:
+        - name: well-known
+          mountPath: /usr/share/nginx/html/.well-known/matrix
+        resources:
+          limits:
+            memory: 15Mi
+          requests:
+            memory: 15Mi
+      volumes:
+      - name: well-known
+        configMap:
+          name: well-known
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: well-known
+  namespace: chat
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 80
+    name: web
+  selector:
+    app: well-known
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: well-known
+  namespace: chat
+data:
+  server: |-
+    {
+      "m.server": "matrix.cluster.fun:443"
+    }
+
+
+---
+
+
+# Source: matrix/templates/riot/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: matrix-riot-config
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: element
+data:
+  config.json: |
+    {
+      "default_server_config": {
+        "m.homeserver": {
+          "base_url": "https://matrix.cluster.fun"
+        }
+      },
+      "brand": "Element",
+      "branding": {},
+      "integrations_ui_url": "https://scalar.vector.im/",
+      "integrations_rest_url": "https://scalar.vector.im/api",
+      "integrations_widgets_urls": [
+        "https://scalar.vector.im/_matrix/integrations/v1",
+        "https://scalar.vector.im/api",
+        "https://scalar-staging.vector.im/_matrix/integrations/v1",
+        "https://scalar-staging.vector.im/api",
+        "https://scalar-staging.riot.im/scalar/api"
+      ],
+      "showLabsSettings": true,
+      "features": {
+        "feature_pinning": true,
+        "feature_custom_status": "labs",
+        "feature_state_counters": "labs",
+        "feature_many_integration_managers": "labs",
+        "feature_mjolnir": "labs",
+        "feature_dm_verification": "labs",
+        "feature_bridge_state": "labs",
+        "feature_presence_in_room_list": true,
+        "feature_custom_themes": "labs",
+        "feature_new_spinner": "labs",
+        "feature_jump_to_date": "labs",
+        "feature_location_share_pin_drop": "labs",
+        "feature_location_share_live": "labs",
+        "feature_thread": true,
+        "feature_video_rooms": true,
+        "feature_favourite_messages": "labs"
+      },
+      "roomDirectory": {
+        "servers": []
+      },
+      "permalinkPrefix": "https://chat.cluster.fun",
+      "enable_presence_by_hs_url": {
+        "https://matrix.org": false,
+        "https://matrix-client.matrix.org": false
+      },
+      "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=2IerXP2a5g1e7hxxBbzs"
+    }
+  nginx.conf: |
+    worker_processes  auto;
+
+    error_log  /var/log/nginx/error.log warn;
+    pid        /var/run/pid/nginx.pid;
+
+    events {
+      worker_connections  1024;
+    }
+
+    http {
+      include       /etc/nginx/mime.types;
+      default_type  application/octet-stream;
+
+      log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+      '$status $body_bytes_sent "$http_referer" '
+      '"$http_user_agent" "$http_x_forwarded_for"';
+
+      access_log  /var/log/nginx/access.log  main;
+
+      sendfile        on;
+
+      keepalive_timeout  65;
+
+      include /etc/nginx/conf.d/*.conf;
+    }
+  default.conf: |
+    server {
+      listen       8080;
+      server_name  localhost;
+
+      location / {
+          root   /usr/share/nginx/html;
+          index  index.html index.htm;
+      }
+
+      # redirect server error pages to the static page /50x.html
+      #
+      error_page   500 502 503 504  /50x.html;
+      location = /50x.html {
+          root   /usr/share/nginx/html;
+      }
+    }
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: matrix-synapse-config
+  namespace: chat
+  annotations:
+    kube-1password: wbj4oozwyx6m2zz5m42pgcmymy
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: homeserver.yaml
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+type: Opaque
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: matrix-synapse-config
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: element
+data:
+  matrix.cluster.fun.log.config: |
+    version: 1
+
+    formatters:
+      precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+    filters:
+      context:
+        (): synapse.util.logcontext.LoggingContextFilter
+        request: ""
+
+    handlers:
+      console:
+        class: logging.StreamHandler
+        formatter: precise
+        filters: [context]
+
+    loggers:
+      synapse:
+        level: WARNING
+      synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: WARNING
+
+    root:
+      level: WARNING
+      handlers: [console]
+---
+# Source: matrix/templates/riot/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-riot
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: element
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: matrix-riot
+---
+# Source: matrix/templates/synapse/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-synapse
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/_synapse/metrics"
+    prometheus.io/port: "9000"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+    - port: 9000
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+  selector:
+    app.kubernetes.io/name: matrix-synapse
+---
+# Source: matrix/templates/riot/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: matrix-riot
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: element
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: matrix-riot
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: matrix-riot
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+        - name: "riot"
+          image: "vectorim/element-web:v1.11.46"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /app/config.json
+              name: riot-config
+              subPath: config.json
+              readOnly: true
+            - mountPath: /etc/nginx/nginx.conf
+              name: riot-config
+              subPath: nginx.conf
+              readOnly: true
+            - mountPath: /etc/nginx/conf.d/default.conf
+              name: riot-config
+              subPath: default.conf
+              readOnly: true
+            - mountPath: /var/cache/nginx
+              name: ephemeral
+              subPath: cache
+            - mountPath: /var/run/pid
+              name: ephemeral
+              subPath: pid
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          startupProbe:
+            httpGet:
+              path: /
+              port: http
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+      volumes:
+        - name: riot-config
+          configMap:
+            name: matrix-riot-config
+        - name: ephemeral
+          emptyDir: {}
+---
+# Source: matrix/templates/synapse/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: matrix-synapse
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: matrix-synapse
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: matrix-synapse
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      initContainers:
+        - name: generate-signing-key
+          image: "matrixdotorg/synapse:v1.94.0"
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: SYNAPSE_SERVER_NAME
+              value: matrix.cluster.fun
+            - name: SYNAPSE_REPORT_STATS
+              value: "no"
+          command: ["python"]
+          args:
+            - "-m"
+            - "synapse.app.homeserver"
+            - "--config-path"
+            - "/data/homeserver.yaml"
+            - "--keys-directory"
+            - "/data/keys"
+            - "--generate-keys"
+          volumeMounts:
+            - name: synapse-config-homeserver
+              mountPath: /data/homeserver.yaml
+              subPath: homeserver.yaml
+            - name: synapse-config-logging
+              mountPath: /data/matrix.cluster.fun.log.config
+              subPath: matrix.cluster.fun.log.config
+            - name: signing-key
+              mountPath: /data/keys
+      containers:
+        - name: "synapse"
+          image: "matrixdotorg/synapse:v1.94.0"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8008
+              protocol: TCP
+            - name: metrics
+              containerPort: 9000
+              protocol: TCP
+          volumeMounts:
+            - name: synapse-config-homeserver
+              mountPath: /data/homeserver.yaml
+              subPath: homeserver.yaml
+            - name: mautrix-whatsapp-registration
+              mountPath: /data/mautrix-whatsapp-registration.yaml
+              subPath: registration.yaml
+            # - name: mautrix-signal-registration
+            #   mountPath: /data/mautrix-signal-registration.yaml
+            #   subPath: registration.yaml
+            # - name: mautrix-telegram-registration
+            #   mountPath: /data/mautrix-telegram-registration.yaml
+            #   subPath: registration.yaml
+            - name: synapse-config-logging
+              mountPath: /data/matrix.cluster.fun.log.config
+              subPath: matrix.cluster.fun.log.config
+            - name: signing-key
+              mountPath: /data/keys
+            - name: user-media
+              mountPath: /data/media_store
+            - name: uploads
+              mountPath: /data/uploads
+            - name: tmp
+              mountPath: /tmp
+          readinessProbe:
+            httpGet:
+              path: /_matrix/static/
+              port: http
+            periodSeconds: 10
+            timeoutSeconds: 5
+          startupProbe:
+            httpGet:
+              path: /_matrix/static/
+              port: http
+            failureThreshold: 6
+            periodSeconds: 5
+            timeoutSeconds: 5
+          livenessProbe:
+            httpGet:
+              path: /_matrix/static/
+              port: http
+            periodSeconds: 10
+            timeoutSeconds: 5
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+      volumes:
+        - name: synapse-config-logging
+          configMap:
+            name: matrix-synapse-config
+        - name: synapse-config-homeserver
+          secret:
+            secretName: matrix-synapse-config
+        - name: mautrix-whatsapp-registration
+          secret:
+            secretName: mautrix-whatsapp-registration
+        # - name: mautrix-signal-registration
+        #   secret:
+        #     secretName: mautrix-signal-registration
+        # - name: mautrix-telegram-registration
+        #   secret:
+        #     secretName: mautrix-telegram-registration
+        - name: signing-key
+          persistentVolumeClaim:
+            claimName: chat-matrix-signing-key
+        - name: user-media
+          persistentVolumeClaim:
+            claimName: chat-matrix-user-media
+        - name: uploads
+          emptyDir: {}
+        - name: tmp
+          emptyDir: {}
+---
--- a/manifests/matrix_chart/pvs.yaml
+++ b/manifests/matrix_chart/pvs.yaml
@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  annotations:
+    pv.kubernetes.io/provisioned-by: csi.scaleway.com
+  finalizers:
+  - kubernetes.io/pv-protection
+  - external-attacher/csi-scaleway-com
+  name: pvc-470f5860-49e0-414c-bb36-329970afc44b
+spec:
+  accessModes:
+  - ReadWriteOnce
+  capacity:
+    storage: 12Gi
+  csi:
+    driver: csi.scaleway.com
+    fsType: ext4
+    volumeAttributes:
+      storage.kubernetes.io/csiProvisionerIdentity: 1676472026170-8081-csi.scaleway.com
+    volumeHandle: fr-par-1/5e73e304-11e8-42cb-90fe-361889089d2d
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: scw-bssd
+  volumeMode: Filesystem
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: chat-matrix-user-media
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 12Gi
+  volumeName: pvc-470f5860-49e0-414c-bb36-329970afc44b
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  annotations:
+    pv.kubernetes.io/provisioned-by: csi.scaleway.com
+  finalizers:
+  - kubernetes.io/pv-protection
+  - external-attacher/csi-scaleway-com
+  name: pvc-00a8cf81-9453-4014-aa09-9fdbcc42abf2
+spec:
+  accessModes:
+  - ReadWriteOnce
+  capacity:
+    storage: 1Gi
+  csi:
+    driver: csi.scaleway.com
+    fsType: ext4
+    volumeAttributes:
+      storage.kubernetes.io/csiProvisionerIdentity: 1588413765965-1847-csi.scaleway.com
+    volumeHandle: fr-par-1/e7437eda-59e8-43f5-af49-540618f1bd95
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: scw-bssd
+  volumeMode: Filesystem
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: chat-matrix-signing-key
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  volumeName: pvc-00a8cf81-9453-4014-aa09-9fdbcc42abf2
+---
--- a/manifests/matrix_chart/signal_bridge.yaml
+++ b/manifests/matrix_chart/signal_bridge.yaml
@@ -0,0 +1,153 @@
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: mautrix-signal-registration
+#   namespace: chat
+#   annotations:
+#     kube-1password: z6tylu2br724gttcpfyi5egaui
+#     kube-1password/vault: Kubernetes
+#     kube-1password/secret-text-key: registration.yaml
+#   labels:
+#     app.kubernetes.io/name: "mautrix-signal"
+#     component: registration
+# type: Opaque
+
+# ---
+
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: mautrix-signal-config
+#   namespace: chat
+#   annotations:
+#     kube-1password: 5vfaorcudozlq4clkzgmzzszqe
+#     kube-1password/vault: Kubernetes
+#     kube-1password/secret-text-key: config.yaml
+#   labels:
+#     app.kubernetes.io/name: "mautrix-signal"
+#     component: config
+# type: Opaque
+
+# ---
+
+# apiVersion: v1
+# kind: Service
+# metadata:
+#   name: mautrix-signal
+#   namespace: chat
+#   labels:
+#     app.kubernetes.io/name: mautrix-signal
+#   annotations:
+#     prometheus.io/scrape: "true"
+#     prometheus.io/path: "/metrics"
+#     prometheus.io/port: "9000"
+# spec:
+#   type: ClusterIP
+#   ports:
+#   - port: 29328
+#     targetPort: http
+#     protocol: TCP
+#     name: http
+#   selector:
+#     app.kubernetes.io/name: mautrix-signal
+
+# ---
+
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+#   name: mautrix-signal
+#   labels:
+#     app.kubernetes.io/name: mautrix-signal
+# spec:
+#   revisionHistoryLimit: 3
+#   replicas: 1
+#   strategy:
+#     type: Recreate
+#   selector:
+#     matchLabels:
+#       app.kubernetes.io/name: mautrix-signal
+#   template:
+#     metadata:
+#       labels:
+#         app.kubernetes.io/name: mautrix-signal
+#     spec:
+#       serviceAccountName: default
+#       automountServiceAccountToken: true
+#       dnsPolicy: ClusterFirst
+#       enableServiceLinks: true
+#       initContainers:
+#       - name: config-copy
+#         image: bash:latest
+#         imagePullPolicy: IfNotPresent
+#         args:
+#           - -c
+#           - |
+#             cp /secrets/* /data/
+#         volumeMounts:
+#           - name: mautrix-signal-config
+#             mountPath: /secrets/config.yaml
+#             subPath: config.yaml
+#           - name: mautrix-signal-registration
+#             mountPath: /secrets/registration.yaml
+#             subPath: registration.yaml
+#           - name: data
+#             mountPath: /data
+#       containers:
+#         - name: signald
+#           image: docker.io/signald/signald:stable
+#           imagePullPolicy: Always
+#           volumeMounts:
+#           - name: signald
+#             mountPath: /signald
+#         - name: mautrix-signal
+#           image: "dock.mau.dev/mautrix/signal:v0.4.1"
+#           imagePullPolicy: IfNotPresent
+#           env:
+#             - name: "TZ"
+#               value: "UTC"
+#           ports:
+#             - name: http
+#               containerPort: 29328
+#               protocol: TCP
+#             - name: metrics
+#               containerPort: 9000
+#               protocol: TCP
+#           volumeMounts:
+#           - name: signald
+#             mountPath: /signald
+#           - name: data
+#             mountPath: /data
+#           livenessProbe:
+#             tcpSocket:
+#               port: 29318
+#             initialDelaySeconds: 0
+#             failureThreshold: 3
+#             timeoutSeconds: 1
+#             periodSeconds: 10
+#           readinessProbe:
+#             tcpSocket:
+#               port: 29318
+#             initialDelaySeconds: 0
+#             failureThreshold: 3
+#             timeoutSeconds: 1
+#             periodSeconds: 10
+#           startupProbe:
+#             tcpSocket:
+#               port: 29318
+#             initialDelaySeconds: 0
+#             failureThreshold: 30
+#             timeoutSeconds: 1
+#             periodSeconds: 5
+#       volumes:
+#         - name: data
+#           emptyDir: {}
+#         - name: signald
+#           emptyDir: {}
+#         - name: mautrix-signal-config
+#           secret:
+#             secretName: mautrix-signal-config
+#         - name: mautrix-signal-registration
+#           secret:
+#             secretName: mautrix-signal-registration
+# ---
--- a/manifests/matrix_chart/telegram_bridge.yaml
+++ b/manifests/matrix_chart/telegram_bridge.yaml
@@ -0,0 +1,143 @@
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: mautrix-telegram-registration
+#   namespace: chat
+#   annotations:
+#     kube-1password: dancy7ogc4gjlxhfntqejgudwi
+#     kube-1password/vault: Kubernetes
+#     kube-1password/secret-text-key: registration.yaml
+#   labels:
+#     app.kubernetes.io/name: "mautrix-telegram"
+#     component: registration
+# type: Opaque
+
+# ---
+
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: mautrix-telegram-config
+#   namespace: chat
+#   annotations:
+#     kube-1password: nilzdpfum35hhwijnwvasbzmcq
+#     kube-1password/vault: Kubernetes
+#     kube-1password/secret-text-key: config.yaml
+#   labels:
+#     app.kubernetes.io/name: "mautrix-telegram"
+#     component: config
+# type: Opaque
+
+# ---
+
+# apiVersion: v1
+# kind: Service
+# metadata:
+#   name: mautrix-telegram
+#   namespace: chat
+#   labels:
+#     app.kubernetes.io/name: mautrix-telegram
+#   annotations:
+#     prometheus.io/scrape: "true"
+#     prometheus.io/path: "/metrics"
+#     prometheus.io/port: "9000"
+# spec:
+#   type: ClusterIP
+#   ports:
+#   - port: 29318
+#     targetPort: http
+#     protocol: TCP
+#     name: http
+#   selector:
+#     app.kubernetes.io/name: mautrix-telegram
+
+# ---
+
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+#   name: mautrix-telegram
+#   labels:
+#     app.kubernetes.io/name: mautrix-telegram
+# spec:
+#   revisionHistoryLimit: 3
+#   replicas: 1
+#   strategy:
+#     type: Recreate
+#   selector:
+#     matchLabels:
+#       app.kubernetes.io/name: mautrix-telegram
+#   template:
+#     metadata:
+#       labels:
+#         app.kubernetes.io/name: mautrix-telegram
+#     spec:
+#       serviceAccountName: default
+#       automountServiceAccountToken: true
+#       dnsPolicy: ClusterFirst
+#       enableServiceLinks: true
+#       initContainers:
+#       - name: config-copy
+#         image: bash:latest
+#         imagePullPolicy: IfNotPresent
+#         args:
+#           - -c
+#           - |
+#             cp /secrets/* /data/
+#         volumeMounts:
+#           - name: mautrix-telegram-config
+#             mountPath: /secrets/config.yaml
+#             subPath: config.yaml
+#           - name: mautrix-telegram-registration
+#             mountPath: /secrets/registration.yaml
+#             subPath: registration.yaml
+#           - name: data
+#             mountPath: /data
+#       containers:
+#         - name: mautrix-telegram
+#           image: "dock.mau.dev/mautrix/telegram:v0.12.1"
+#           imagePullPolicy: IfNotPresent
+#           env:
+#             - name: "TZ"
+#               value: "UTC"
+#           ports:
+#             - name: http
+#               containerPort: 29318
+#               protocol: TCP
+#             - name: metrics
+#               containerPort: 9000
+#               protocol: TCP
+#           volumeMounts:
+#           - name: data
+#             mountPath: /data
+#           livenessProbe:
+#             tcpSocket:
+#               port: 29318
+#             initialDelaySeconds: 0
+#             failureThreshold: 3
+#             timeoutSeconds: 1
+#             periodSeconds: 10
+#           readinessProbe:
+#             tcpSocket:
+#               port: 29318
+#             initialDelaySeconds: 0
+#             failureThreshold: 3
+#             timeoutSeconds: 1
+#             periodSeconds: 10
+#           startupProbe:
+#             tcpSocket:
+#               port: 29318
+#             initialDelaySeconds: 0
+#             failureThreshold: 30
+#             timeoutSeconds: 1
+#             periodSeconds: 5
+#       volumes:
+#         - name: data
+#           emptyDir: {}
+#         - name: mautrix-telegram-config
+#           secret:
+#             secretName: mautrix-telegram-config
+#         - name: mautrix-telegram-registration
+#           secret:
+#             secretName: mautrix-telegram-registration
+# ---
--- a/manifests/matrix_chart/whatsapp_bridge.yaml
+++ b/manifests/matrix_chart/whatsapp_bridge.yaml
@@ -0,0 +1,143 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-whatsapp-registration
+  namespace: chat
+  annotations:
+    kube-1password: x6lzkpyov4dem5jtk2kimyrnvy
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: registration.yaml
+  labels:
+    app.kubernetes.io/name: "mautrix-whatsapp"
+    component: registration
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-whatsapp-config
+  namespace: chat
+  annotations:
+    kube-1password: ji3e2el66bu56bml3kq3ghyojq
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: config.yaml
+  labels:
+    app.kubernetes.io/name: "mautrix-whatsapp"
+    component: config
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mautrix-whatsapp
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/metrics"
+    prometheus.io/port: "9000"
+spec:
+  type: ClusterIP
+  ports:
+  - port: 29318
+    targetPort: http
+    protocol: TCP
+    name: http
+  selector:
+    app.kubernetes.io/name: mautrix-whatsapp
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mautrix-whatsapp
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+spec:
+  revisionHistoryLimit: 3
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: mautrix-whatsapp
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: mautrix-whatsapp
+    spec:
+      serviceAccountName: default
+      automountServiceAccountToken: true
+      dnsPolicy: ClusterFirst
+      enableServiceLinks: true
+      initContainers:
+      - name: config-copy
+        image: bash:latest
+        imagePullPolicy: IfNotPresent
+        args:
+          - -c
+          - |
+            cp /secrets/* /data/
+        volumeMounts:
+          - name: mautrix-whatsapp-config
+            mountPath: /secrets/config.yaml
+            subPath: config.yaml
+          - name: mautrix-whatsapp-registration
+            mountPath: /secrets/registration.yaml
+            subPath: registration.yaml
+          - name: data
+            mountPath: /data
+      containers:
+        - name: mautrix-whatsapp
+          image: "dock.mau.dev/mautrix/whatsapp:v0.10.2"
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: "TZ"
+              value: "UTC"
+          ports:
+            - name: http
+              containerPort: 29318
+              protocol: TCP
+            - name: metrics
+              containerPort: 9000
+              protocol: TCP
+          volumeMounts:
+          - name: data
+            mountPath: /data
+          livenessProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          readinessProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          startupProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 30
+            timeoutSeconds: 1
+            periodSeconds: 5
+      volumes:
+        - name: data
+          emptyDir: {}
+        - name: mautrix-whatsapp-config
+          secret:
+            secretName: mautrix-whatsapp-config
+        - name: mautrix-whatsapp-registration
+          secret:
+            secretName: mautrix-whatsapp-registration
+---
--- a/manifests/mealie/mealie.yaml
+++ b/manifests/mealie/mealie.yaml
@@ -0,0 +1,167 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mealie
+  namespace: mealie
+  annotations:
+    kube-1password: 7ibib7oafxbxkvofnd4oxcr3qy
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-parse: "true"
+type: Opaque
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mealie
+  namespace: mealie
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mealie
+  template:
+    metadata:
+      labels:
+        app: mealie
+    spec:
+      containers:
+      - name: frontend
+        image: hkotel/mealie:frontend-nightly
+        imagePullPolicy: Always
+        envFrom:
+        - secretRef:
+            name: mealie
+        env:
+        - name: API_URL
+          value: "http://localhost:9000"
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TOKEN_TIME
+          value: "168"
+        - name: DB_ENGINE
+          value: postgres
+        - name: POSTGRES_DB
+          value: mealie
+        - name: RECIPE_PUBLIC
+          value: "false"
+        - name: RECIPE_SHOW_NUTRITION
+          value: "true"
+        - name: RECIPE_SHOW_ASSETS
+          value: "true"
+        - name: RECIPE_LANDSCAPE_VIEW
+          value: "true"
+        - name: RECIPE_DISABLE_COMMENTS
+          value: "false"
+        - name: RECIPE_DISABLE_AMOUNT
+          value: "false"
+        ports:
+        - containerPort: 3000
+          name: web
+        volumeMounts:
+          - mountPath: /app/data
+            name: data
+      - name: api
+        image: hkotel/mealie:api-nightly
+        imagePullPolicy: Always
+        envFrom:
+        - secretRef:
+            name: mealie
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: DB_ENGINE
+          value: postgres
+        - name: POSTGRES_DB
+          value: mealie
+        - name: DEFAULT_EMAIL
+          value: "mealie@marcusnoble.co.uk"
+        - name: TOKEN_TIME
+          value: "168"
+        - name: BASE_URL
+          value: "https://mealie.cluster.fun"
+        ports:
+        - containerPort: 9000
+          name: api
+        volumeMounts:
+          - mountPath: /app/data
+            name: data
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: mealie
+
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mealie
+  namespace: mealie
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: mealie
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mealie-api
+  namespace: mealie
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: api
+    name: api
+  selector:
+    app: mealie
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mealie
+  namespace: mealie
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - mealie.cluster.fun
+    secretName: mealie-ingress
+  rules:
+  - host: mealie.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: mealie
+            port:
+              name: web
+  - host: mealie.cluster.fun
+    http:
+      paths:
+      - path: /api
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: mealie-api
+            port:
+              name: api
--- a/manifests/mealie/pvs.yaml
+++ b/manifests/mealie/pvs.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  annotations:
+    pv.kubernetes.io/provisioned-by: csi.scaleway.com
+  finalizers:
+  - kubernetes.io/pv-protection
+  - external-attacher/csi-scaleway-com
+  name: pvc-afe7fbb6-1f5a-4169-bad1-c9d43752ee7a
+spec:
+  accessModes:
+  - ReadWriteOnce
+  capacity:
+    storage: 2Gi
+  csi:
+    driver: csi.scaleway.com
+    fsType: ext4
+    volumeAttributes:
+      encrypted: "false"
+      storage.kubernetes.io/csiProvisionerIdentity: 1646426415842-8081-csi.scaleway.com
+    volumeHandle: fr-par-1/efbe7dc1-4660-4db8-a3b4-42114075a318
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: scw-bssd
+  volumeMode: Filesystem
+
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: mealie
+  namespace: mealie
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
+  volumeName: pvc-afe7fbb6-1f5a-4169-bad1-c9d43752ee7a
+---
--- a/manifests/monitoring-civo/kube-state-metrics.yaml
+++ b/manifests/monitoring-civo/kube-state-metrics.yaml
@@ -0,0 +1,255 @@
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  name: kube-state-metrics
+rules:
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+    - certificatesigningrequests
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - configmaps
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["batch"]
+    resources:
+    - cronjobs
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - daemonsets
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - deployments
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - endpoints
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["autoscaling"]
+    resources:
+    - horizontalpodautoscalers
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources:
+    - ingresses
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["batch"]
+    resources:
+    - jobs
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - limitranges
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources:
+      - mutatingwebhookconfigurations
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - namespaces
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+    - networkpolicies
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - nodes
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - persistentvolumeclaims
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - persistentvolumes
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["policy"]
+    resources:
+      - poddisruptionbudgets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - pods
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - replicasets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - replicationcontrollers
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - resourcequotas
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - secrets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - services
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["apps"]
+    resources:
+    - statefulsets
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["storage.k8s.io"]
+    resources:
+      - storageclasses
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources:
+      - validatingwebhookconfigurations
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["storage.k8s.io"]
+    resources:
+      - volumeattachments
+    verbs: ["list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  name: kube-state-metrics
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-state-metrics
+subjects:
+- kind: ServiceAccount
+  name: kube-state-metrics
+  namespace: monitoring
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  annotations:
+    prometheus.io/scrape: 'true'
+spec:
+  type: "ClusterIP"
+  ports:
+  - name: "http"
+    protocol: TCP
+    port: 8080
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/name: kube-state-metrics
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kube-state-metrics
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: kube-state-metrics
+    spec:
+      serviceAccountName: kube-state-metrics
+      securityContext:
+        fsGroup: 65534
+        runAsGroup: 65534
+        runAsUser: 65534
+      containers:
+      - name: kube-state-metrics
+        args:
+        #- --resources=certificatesigningrequests
+        - --resources=configmaps
+        - --resources=cronjobs
+        - --resources=daemonsets
+        - --resources=deployments
+        #- --resources=endpoints
+        #- --resources=horizontalpodautoscalers
+        - --resources=ingresses
+        - --resources=jobs
+        #- --resources=limitranges
+        - --resources=mutatingwebhookconfigurations
+        - --resources=namespaces
+        #- --resources=networkpolicies
+        - --resources=nodes
+        - --resources=persistentvolumeclaims
+        - --resources=persistentvolumes
+        - --resources=poddisruptionbudgets
+        - --resources=pods
+        - --resources=replicasets
+        #- --resources=replicationcontrollers
+        #- --resources=resourcequotas
+        - --resources=secrets
+        - --resources=services
+        - --resources=statefulsets
+        - --resources=storageclasses
+        - --resources=validatingwebhookconfigurations
+        #- --resources=volumeattachments
+        imagePullPolicy: IfNotPresent
+        image: "registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.10.0"
+        ports:
+        - containerPort: 8080
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+---
--- a/manifests/monitoring-civo/prometheus-server.yaml
+++ b/manifests/monitoring-civo/prometheus-server.yaml
@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-server
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+  name: prometheus-server
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+      - nodes/proxy
+      - nodes/metrics
+      - services
+      - endpoints
+      - pods
+      - ingresses
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "extensions"
+      - "networking.k8s.io"
+    resources:
+      - ingresses/status
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - nonResourceURLs:
+      - "/metrics"
+    verbs:
+      - get
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+  name: prometheus-server
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-server
+    namespace: monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-server
+---
--- a/manifests/monitoring-civo/promtail.yaml
+++ b/manifests/monitoring-civo/promtail.yaml
@@ -0,0 +1,292 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+data:
+  promtail.yaml: |
+    client:
+      backoff_config:
+        max_period: 5m
+        max_retries: 10
+        min_period: 500ms
+      batchsize: 1048576
+      batchwait: 1s
+      external_labels: {}
+      timeout: 10s
+    positions:
+      filename: /run/promtail/positions.yaml
+    server:
+      http_listen_port: 3101
+    clients:
+    - url: http://loki-distributed.proxy-civo.svc:80/loki/api/v1/push
+      external_labels:
+        kubernetes_cluster: civo
+    target_config:
+      sync_period: 10s
+    scrape_configs:
+    - job_name: kubernetes-pods
+      pipeline_stages:
+        - docker: {}
+        - cri: {}
+        - match:
+            selector: '{app="weave-net"}'
+            action: drop
+        - match:
+            selector: '{filename=~".*konnectivity.*"}'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*/healthz.*"'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*/api/health.*"'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*kube-probe/.*"'
+            action: drop
+        - match:
+            selector: '{app="internal-proxy"}'
+            action: drop
+        - match:
+            selector: '{app="non-auth-proxy"}'
+            action: drop
+        - match:
+            selector: '{app="vpa"}'
+            action: drop
+        - match:
+            selector: '{app="promtail"}'
+            action: drop
+        - match:
+            selector: '{app="csi-node"}'
+            action: drop
+        - match:
+            selector: '{app="victoria-metrics"}'
+            action: drop
+        - match:
+            selector: '{app="git-sync"}'
+            action: drop
+        - match:
+            selector: '{app="ingress-nginx"}'
+            stages:
+            - json:
+                expressions:
+                  request_host: host
+                  request_path: path
+                  request_method: method
+                  response_status: status
+            - drop:
+                source: "request_path"
+                value:  "/healthz"
+            - drop:
+                source: "request_path"
+                value:  "/health"
+            - labels:
+                request_host:
+                request_method:
+                response_status:
+        - match:
+            selector: '{app="traefik"}'
+            stages:
+            - json:
+                expressions:
+                  request_host: RequestHost
+                  request_path: RequestPath
+                  request_method: RequestMethod
+                  response_status: OriginStatus
+            - drop:
+                source: "request_path"
+                value:  "/healthz"
+            - drop:
+                source: "request_path"
+                value:  "/health"
+            - drop:
+                source: "request_path"
+                value:  "/ping"
+            - labels:
+                request_host:
+                request_method:
+                response_status:
+      kubernetes_sd_configs:
+        - role: pod
+      relabel_configs:
+        - source_labels:
+            - __meta_kubernetes_pod_controller_name
+          regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})?
+          action: replace
+          target_label: __tmp_controller_name
+        - source_labels:
+            - __meta_kubernetes_pod_label_app_kubernetes_io_name
+            - __meta_kubernetes_pod_label_app
+            - __tmp_controller_name
+            - __meta_kubernetes_pod_name
+          regex: ^;*([^;]+)(;.*)?$
+          action: replace
+          target_label: app
+        - source_labels:
+            - __meta_kubernetes_pod_label_app_kubernetes_io_component
+            - __meta_kubernetes_pod_label_component
+          regex: ^;*([^;]+)(;.*)?$
+          action: replace
+          target_label: component
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_node_name
+          target_label: node_name
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_namespace
+          target_label: namespace
+        - action: replace
+          replacement: $1
+          separator: /
+          source_labels:
+            - namespace
+            - app
+          target_label: job
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_name
+          target_label: pod
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_container_name
+          target_label: container
+        - action: replace
+          replacement: /var/log/pods/*$1/*.log
+          separator: /
+          source_labels:
+            - __meta_kubernetes_pod_uid
+            - __meta_kubernetes_pod_container_name
+          target_label: __path__
+        - action: replace
+          replacement: /var/log/pods/*$1/*.log
+          regex: true/(.*)
+          separator: /
+          source_labels:
+            - __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash
+            - __meta_kubernetes_pod_annotation_kubernetes_io_config_hash
+            - __meta_kubernetes_pod_container_name
+          target_label: __path__
+        - action: labelmap
+          regex: __meta_kubernetes_pod_label_(.+)
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: promtail-clusterrole
+  labels:
+    app.kubernetes.io/name: promtail
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources:
+  - nodes
+  - nodes/proxy
+  - services
+  - endpoints
+  - pods
+  verbs: ["get", "watch", "list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: promtail-clusterrolebinding
+  labels:
+    app.kubernetes.io/name: promtail
+subjects:
+  - kind: ServiceAccount
+    name: promtail
+    namespace: monitoring
+roleRef:
+  kind: ClusterRole
+  name: promtail-clusterrole
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+  annotations:
+    configmap.reloader.stakater.com/reload: "promtail"
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: promtail
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: promtail
+      annotations:
+        prometheus.io/port: http-metrics
+        prometheus.io/scrape: "true"
+    spec:
+      serviceAccountName: promtail
+      containers:
+        - name: promtail
+          image: "grafana/promtail:2.9.1"
+          imagePullPolicy: IfNotPresent
+          args:
+            - "-config.file=/etc/promtail/promtail.yaml"
+          volumeMounts:
+            - name: config
+              mountPath: /etc/promtail
+            - name: run
+              mountPath: /run/promtail
+            - mountPath: /var/lib/docker/containers
+              name: docker
+              readOnly: true
+            - mountPath: /var/log/pods
+              name: pods
+              readOnly: true
+          env:
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          ports:
+            - containerPort: 3101
+              name: http-metrics
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsGroup: 0
+            runAsUser: 0
+          readinessProbe:
+            failureThreshold: 5
+            httpGet:
+              path: /ready
+              port: http-metrics
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Exists
+      volumes:
+        - name: config
+          configMap:
+            name: promtail
+        - name: run
+          hostPath:
+            path: /run/promtail
+        - hostPath:
+            path: /var/lib/docker/containers
+          name: docker
+        - hostPath:
+            path: /var/log/pods
+          name: pods
+---
--- a/manifests/monitoring-civo/vmagent.yaml
+++ b/manifests/monitoring-civo/vmagent.yaml
@@ -0,0 +1,163 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vmagent
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: victoria-metrics
+    app.kubernetes.io/component: agent
+data:
+  prometheus.yml: |
+    global:
+      scrape_interval: 1m
+      external_labels:
+        source: civo
+        agent: vmagent
+    scrape_configs:
+    - job_name: 'vmagent'
+      static_configs:
+        - targets: ['localhost:8429']
+    - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+      job_name: kubernetes-nodes
+      kubernetes_sd_configs:
+      - role: node
+      relabel_configs:
+      - action: labelmap
+        regex: __meta_kubernetes_node_label_(.+)
+      - replacement: kubernetes.default.svc:443
+        target_label: __address__
+      - regex: (.+)
+        replacement: /api/v1/nodes/$1/proxy/metrics
+        source_labels:
+        - __meta_kubernetes_node_name
+        target_label: __metrics_path__
+      scheme: https
+      tls_config:
+        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        insecure_skip_verify: true
+    - job_name: kubernetes-service-endpoints
+      kubernetes_sd_configs:
+      - role: endpoints
+      relabel_configs:
+      - action: keep
+        regex: true
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_scrape
+      - action: replace
+        regex: (https?)
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_scheme
+        target_label: __scheme__
+      - action: replace
+        regex: (.+)
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_path
+        target_label: __metrics_path__
+      - action: replace
+        regex: ([^:]+)(?::\d+)?;(\d+)
+        replacement: $1:$2
+        source_labels:
+        - __address__
+        - __meta_kubernetes_service_annotation_prometheus_io_port
+        target_label: __address__
+      - action: labelmap
+        regex: __meta_kubernetes_service_label_(.+)
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_namespace
+        target_label: kubernetes_namespace
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_service_name
+        target_label: kubernetes_name
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_endpoint_port_name
+        target_label: kubernetes_endpoint_port_name
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_pod_node_name
+        target_label: kubernetes_node
+    - job_name: kubernetes-pods
+      kubernetes_sd_configs:
+      - role: pod
+      relabel_configs:
+      - action: keep
+        regex: true
+        source_labels:
+        - __meta_kubernetes_pod_annotation_prometheus_io_scrape
+      - action: replace
+        regex: (.+)
+        source_labels:
+        - __meta_kubernetes_pod_annotation_prometheus_io_path
+        target_label: __metrics_path__
+      - action: replace
+        regex: ([^:]+)(?::\d+)?;(\d+)
+        replacement: $1:$2
+        source_labels:
+        - __address__
+        - __meta_kubernetes_pod_annotation_prometheus_io_port
+        target_label: __address__
+      - action: labelmap
+        regex: __meta_kubernetes_pod_label_(.+)
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_namespace
+        target_label: kubernetes_namespace
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_pod_name
+        target_label: kubernetes_pod_name
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_pod_container_port_name
+        target_label: kubernetes_port_name
+      - action: drop
+        regex: Pending|Succeeded|Failed
+        source_labels:
+        - __meta_kubernetes_pod_phase
+
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vmagent
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: victoria-metrics
+    app.kubernetes.io/component: agent
+  annotations:
+    configmap.reloader.stakater.com/reload: "vmagent"
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: victoria-metrics
+      app.kubernetes.io/component: agent
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: victoria-metrics
+        app.kubernetes.io/component: agent
+    spec:
+      serviceAccountName: prometheus-server
+      containers:
+        - name: vmagent
+          image: "victoriametrics/vmagent:v1.94.0"
+          imagePullPolicy: "IfNotPresent"
+          args:
+            - -remoteWrite.url=http://vmcluster.proxy-civo.svc/insert/0/prometheus/
+            - -remoteWrite.showURL
+            - -promscrape.config=/config/prometheus.yml
+          volumeMounts:
+            - name: config-volume
+              mountPath: /config
+      volumes:
+        - name: config-volume
+          configMap:
+            name: vmagent
+---
--- a/manifests/monitoring/ingess.yaml
+++ b/manifests/monitoring/ingess.yaml
@@ -0,0 +1,69 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grafana
+  namespace: auth-proxy
+  labels:
+    app: grafana
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - grafana.cluster.fun
+    secretName: grafana-ingress
+  rules:
+  - host: grafana.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: auth-proxy
+            port:
+              number: 80
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: prometheus-credentials
+  namespace: monitoring
+  annotations:
+    kube-1password: m7c2n5gqybiyxj6ylydju2nljm
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: auth
+type: Opaque
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: prometheus-cloud
+  namespace: monitoring
+  labels:
+    app: prometheus-cloud
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/auth-type: basic
+    nginx.ingress.kubernetes.io/auth-secret: prometheus-credentials
+    nginx.ingress.kubernetes.io/auth-secret-type: auth-file
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - prometheus-cloud.cluster.fun
+    secretName: prometheus-cloud-ingress
+  rules:
+  - host: prometheus-cloud.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: prometheus-server
+            port:
+              number: 80
--- a/manifests/monitoring/kube-state-metrics.yaml
+++ b/manifests/monitoring/kube-state-metrics.yaml
@@ -0,0 +1,255 @@
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  name: kube-state-metrics
+rules:
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+    - certificatesigningrequests
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - configmaps
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["batch"]
+    resources:
+    - cronjobs
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - daemonsets
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - deployments
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - endpoints
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["autoscaling"]
+    resources:
+    - horizontalpodautoscalers
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources:
+    - ingresses
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["batch"]
+    resources:
+    - jobs
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - limitranges
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources:
+      - mutatingwebhookconfigurations
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - namespaces
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+    - networkpolicies
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - nodes
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - persistentvolumeclaims
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - persistentvolumes
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["policy"]
+    resources:
+      - poddisruptionbudgets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - pods
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - replicasets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - replicationcontrollers
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - resourcequotas
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - secrets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - services
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["apps"]
+    resources:
+    - statefulsets
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["storage.k8s.io"]
+    resources:
+      - storageclasses
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources:
+      - validatingwebhookconfigurations
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["storage.k8s.io"]
+    resources:
+      - volumeattachments
+    verbs: ["list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  name: kube-state-metrics
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-state-metrics
+subjects:
+- kind: ServiceAccount
+  name: kube-state-metrics
+  namespace: monitoring
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  annotations:
+    prometheus.io/scrape: 'true'
+spec:
+  type: "ClusterIP"
+  ports:
+  - name: "http"
+    protocol: TCP
+    port: 8080
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/name: kube-state-metrics
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kube-state-metrics
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: kube-state-metrics
+    spec:
+      serviceAccountName: kube-state-metrics
+      securityContext:
+        fsGroup: 65534
+        runAsGroup: 65534
+        runAsUser: 65534
+      containers:
+      - name: kube-state-metrics
+        args:
+        #- --resources=certificatesigningrequests
+        - --resources=configmaps
+        - --resources=cronjobs
+        - --resources=daemonsets
+        - --resources=deployments
+        #- --resources=endpoints
+        #- --resources=horizontalpodautoscalers
+        - --resources=ingresses
+        - --resources=jobs
+        #- --resources=limitranges
+        - --resources=mutatingwebhookconfigurations
+        - --resources=namespaces
+        #- --resources=networkpolicies
+        - --resources=nodes
+        - --resources=persistentvolumeclaims
+        - --resources=persistentvolumes
+        - --resources=poddisruptionbudgets
+        - --resources=pods
+        - --resources=replicasets
+        #- --resources=replicationcontrollers
+        #- --resources=resourcequotas
+        - --resources=secrets
+        - --resources=services
+        - --resources=statefulsets
+        - --resources=storageclasses
+        - --resources=validatingwebhookconfigurations
+        #- --resources=volumeattachments
+        imagePullPolicy: IfNotPresent
+        image: "registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.10.0"
+        ports:
+        - containerPort: 8080
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+---
--- a/manifests/monitoring/node-exporter.yaml
+++ b/manifests/monitoring/node-exporter.yaml
@@ -0,0 +1,97 @@
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-node-exporter
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: node-exporter
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    prometheus.io/scrape: "true"
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: node-exporter
+  name: prometheus-node-exporter
+  namespace: monitoring
+spec:
+  clusterIP: None
+  ports:
+    - name: metrics
+      port: 9100
+      protocol: TCP
+      targetPort: 9100
+  selector:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: node-exporter
+  type: "ClusterIP"
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: node-exporter
+  name: prometheus-node-exporter
+  namespace: monitoring
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+      app.kubernetes.io/component: node-exporter
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: prometheus
+        app.kubernetes.io/component: node-exporter
+    spec:
+      serviceAccountName: prometheus-node-exporter
+      containers:
+        - name: prometheus-node-exporter
+          image: "prom/node-exporter:v1.6.1"
+          imagePullPolicy: "IfNotPresent"
+          args:
+            - --path.procfs=/host/proc
+            - --path.sysfs=/host/sys
+            - --no-collector.wifi
+            - --no-collector.hwmon
+            - --no-collector.netclass
+            - --no-collector.arp
+            - --no-collector.bcache
+            - --no-collector.bonding
+            - --no-collector.btrfs
+            - --no-collector.dmi
+            - --no-collector.edac
+            - --no-collector.entropy
+            - --no-collector.fibrechannel
+            - --no-collector.infiniband
+            - --no-collector.tapestats
+            - --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/pods/.+)($|/)
+            - --web.listen-address=:9100
+          ports:
+            - name: metrics
+              containerPort: 9100
+              hostPort: 9100
+          volumeMounts:
+            - name: proc
+              mountPath: /host/proc
+              readOnly:  true
+            - name: sys
+              mountPath: /host/sys
+              readOnly: true
+      hostNetwork: true
+      hostPID: true
+      volumes:
+        - name: proc
+          hostPath:
+            path: /proc
+        - name: sys
+          hostPath:
+            path: /sys
+---
--- a/manifests/monitoring/prometheus-server.yaml
+++ b/manifests/monitoring/prometheus-server.yaml
@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-server
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+  name: prometheus-server
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+      - nodes/proxy
+      - nodes/metrics
+      - services
+      - endpoints
+      - pods
+      - ingresses
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "extensions"
+      - "networking.k8s.io"
+    resources:
+      - ingresses/status
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - nonResourceURLs:
+      - "/metrics"
+    verbs:
+      - get
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+  name: prometheus-server
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-server
+    namespace: monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-server
+---
--- a/manifests/monitoring/promtail.yaml
+++ b/manifests/monitoring/promtail.yaml
@@ -0,0 +1,271 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+data:
+  promtail.yaml: |
+    client:
+      backoff_config:
+        max_period: 5m
+        max_retries: 10
+        min_period: 500ms
+      batchsize: 1048576
+      batchwait: 1s
+      external_labels: {}
+      timeout: 10s
+    positions:
+      filename: /run/promtail/positions.yaml
+    server:
+      http_listen_port: 3101
+    clients:
+    - url: http://loki-distributed.auth-proxy.svc:80/loki/api/v1/push
+      external_labels:
+        kubernetes_cluster: scaleway
+    target_config:
+      sync_period: 10s
+    scrape_configs:
+    - job_name: kubernetes-pods
+      pipeline_stages:
+        - docker: {}
+        - cri: {}
+        - match:
+            selector: '{app="weave-net"}'
+            action: drop
+        - match:
+            selector: '{filename=~".*konnectivity.*"}'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*/healthz.*"'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*/api/health.*"'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*kube-probe/.*"'
+            action: drop
+        - match:
+            selector: '{app="internal-proxy"}'
+            action: drop
+        - match:
+            selector: '{app="non-auth-proxy"}'
+            action: drop
+        - match:
+            selector: '{app="vpa"}'
+            action: drop
+        - match:
+            selector: '{app="promtail"}'
+            action: drop
+        - match:
+            selector: '{app="csi-node"}'
+            action: drop
+        - match:
+            selector: '{app="victoria-metrics"}'
+            action: drop
+        - match:
+            selector: '{app="git-sync"}'
+            action: drop
+        - match:
+            selector: '{app="ingress-nginx"}'
+            stages:
+            - json:
+                expressions:
+                  request_host: host
+                  request_path: path
+                  request_method: method
+                  response_status: status
+            - drop:
+                source: "request_path"
+                value:  "/healthz"
+            - drop:
+                source: "request_path"
+                value:  "/health"
+            - labels:
+                request_host:
+                request_method:
+                response_status:
+      kubernetes_sd_configs:
+        - role: pod
+      relabel_configs:
+        - source_labels:
+            - __meta_kubernetes_pod_controller_name
+          regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})?
+          action: replace
+          target_label: __tmp_controller_name
+        - source_labels:
+            - __meta_kubernetes_pod_label_app_kubernetes_io_name
+            - __meta_kubernetes_pod_label_app
+            - __tmp_controller_name
+            - __meta_kubernetes_pod_name
+          regex: ^;*([^;]+)(;.*)?$
+          action: replace
+          target_label: app
+        - source_labels:
+            - __meta_kubernetes_pod_label_app_kubernetes_io_component
+            - __meta_kubernetes_pod_label_component
+          regex: ^;*([^;]+)(;.*)?$
+          action: replace
+          target_label: component
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_node_name
+          target_label: node_name
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_namespace
+          target_label: namespace
+        - action: replace
+          replacement: $1
+          separator: /
+          source_labels:
+            - namespace
+            - app
+          target_label: job
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_name
+          target_label: pod
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_container_name
+          target_label: container
+        - action: replace
+          replacement: /var/log/pods/*$1/*.log
+          separator: /
+          source_labels:
+            - __meta_kubernetes_pod_uid
+            - __meta_kubernetes_pod_container_name
+          target_label: __path__
+        - action: replace
+          replacement: /var/log/pods/*$1/*.log
+          regex: true/(.*)
+          separator: /
+          source_labels:
+            - __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash
+            - __meta_kubernetes_pod_annotation_kubernetes_io_config_hash
+            - __meta_kubernetes_pod_container_name
+          target_label: __path__
+        - action: labelmap
+          regex: __meta_kubernetes_pod_label_(.+)
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: promtail-clusterrole
+  labels:
+    app.kubernetes.io/name: promtail
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources:
+  - nodes
+  - nodes/proxy
+  - services
+  - endpoints
+  - pods
+  verbs: ["get", "watch", "list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: promtail-clusterrolebinding
+  labels:
+    app.kubernetes.io/name: promtail
+subjects:
+  - kind: ServiceAccount
+    name: promtail
+    namespace: monitoring
+roleRef:
+  kind: ClusterRole
+  name: promtail-clusterrole
+  apiGroup: rbac.authorization.k8s.io
+---
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+  annotations:
+    configmap.reloader.stakater.com/reload: "promtail"
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: promtail
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: promtail
+      annotations:
+        prometheus.io/port: http-metrics
+        prometheus.io/scrape: "true"
+    spec:
+      serviceAccountName: promtail
+      containers:
+        - name: promtail
+          image: "grafana/promtail:2.9.1"
+          imagePullPolicy: IfNotPresent
+          args:
+            - "-config.file=/etc/promtail/promtail.yaml"
+          volumeMounts:
+            - name: config
+              mountPath: /etc/promtail
+            - name: run
+              mountPath: /run/promtail
+            - mountPath: /var/lib/docker/containers
+              name: docker
+              readOnly: true
+            - mountPath: /var/log/pods
+              name: pods
+              readOnly: true
+          env:
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          ports:
+            - containerPort: 3101
+              name: http-metrics
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsGroup: 0
+            runAsUser: 0
+          readinessProbe:
+            failureThreshold: 5
+            httpGet:
+              path: /ready
+              port: http-metrics
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Exists
+      volumes:
+        - name: config
+          configMap:
+            name: promtail
+        - name: run
+          hostPath:
+            path: /run/promtail
+        - hostPath:
+            path: /var/lib/docker/containers
+          name: docker
+        - hostPath:
+            path: /var/log/pods
+          name: pods
+---
--- a/manifests/monitoring/vmagent.yaml
+++ b/manifests/monitoring/vmagent.yaml
@@ -0,0 +1,170 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vmagent
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: victoria-metrics
+    app.kubernetes.io/component: agent
+data:
+  prometheus.yml: |
+    global:
+      scrape_interval: 1m
+      external_labels:
+        source: scaleway
+        agent: vmagent
+    scrape_configs:
+    - job_name: 'vmagent'
+      static_configs:
+        - targets: ['localhost:8429']
+    - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+      job_name: kubernetes-nodes
+      kubernetes_sd_configs:
+      - role: node
+      relabel_configs:
+      - action: labelmap
+        regex: __meta_kubernetes_node_label_(.+)
+      - replacement: kubernetes.default.svc:443
+        target_label: __address__
+      - regex: (.+)
+        replacement: /api/v1/nodes/$1/proxy/metrics
+        source_labels:
+        - __meta_kubernetes_node_name
+        target_label: __metrics_path__
+      scheme: https
+      tls_config:
+        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        insecure_skip_verify: true
+
+    - job_name: kubernetes-service-endpoints
+      kubernetes_sd_configs:
+      - role: endpoints
+      relabel_configs:
+      - action: drop
+        source_labels: [__meta_kubernetes_pod_container_init]
+        regex: true
+      - action: keep
+        regex: true
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_scrape
+      - action: replace
+        regex: (https?)
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_scheme
+        target_label: __scheme__
+      - action: replace
+        regex: (.+)
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_path
+        target_label: __metrics_path__
+      - action: replace
+        regex: ([^:]+)(?::\d+)?;(\d+)
+        replacement: $1:$2
+        source_labels:
+        - __address__
+        - __meta_kubernetes_service_annotation_prometheus_io_port
+        target_label: __address__
+      - action: labelmap
+        regex: __meta_kubernetes_service_label_(.+)
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_namespace
+        target_label: kubernetes_namespace
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_service_name
+        target_label: kubernetes_name
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_pod_node_name
+        target_label: kubernetes_node
+
+    - job_name: kubernetes-pods
+      kubernetes_sd_configs:
+      - role: pod
+      relabel_configs:
+      - action: drop
+        source_labels: [__meta_kubernetes_pod_container_init]
+        regex: true
+      - action: keep
+        regex: true
+        source_labels:
+        - __meta_kubernetes_pod_annotation_prometheus_io_scrape
+      - action: replace
+        regex: (.+)
+        source_labels:
+        - __meta_kubernetes_pod_annotation_prometheus_io_path
+        target_label: __metrics_path__
+      - action: replace
+        regex: ([^:]+)(?::\d+)?;(\d+)
+        replacement: $1:$2
+        source_labels:
+        - __address__
+        - __meta_kubernetes_pod_annotation_prometheus_io_port
+        target_label: __address__
+      - action: labelmap
+        regex: __meta_kubernetes_pod_label_(.+)
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_namespace
+        target_label: kubernetes_namespace
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_pod_name
+        target_label: kubernetes_pod_name
+      - action: drop
+        regex: Pending|Succeeded|Failed
+        source_labels:
+        - __meta_kubernetes_pod_phase
+
+    - job_name: 'node-exporter'
+      kubernetes_sd_configs:
+        - role: endpoints
+      relabel_configs:
+      - source_labels: [__meta_kubernetes_endpoints_name]
+        regex: 'prometheus-node-exporter'
+        action: keep
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vmagent
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: victoria-metrics
+    app.kubernetes.io/component: agent
+  annotations:
+    configmap.reloader.stakater.com/reload: "vmagent"
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: victoria-metrics
+      app.kubernetes.io/component: agent
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: victoria-metrics
+        app.kubernetes.io/component: agent
+    spec:
+      serviceAccountName: prometheus-server
+      containers:
+        - name: vmagent
+          image: "victoriametrics/vmagent:v1.94.0"
+          imagePullPolicy: "IfNotPresent"
+          args:
+            - -remoteWrite.url=http://vmcluster.auth-proxy.svc/insert/0/prometheus/
+            - -remoteWrite.showURL
+            - -promscrape.config=/config/prometheus.yml
+            - -promscrape.suppressDuplicateScrapeTargetErrors
+          volumeMounts:
+            - name: config-volume
+              mountPath: /config
+      volumes:
+        - name: config-volume
+          configMap:
+            name: vmagent
+---
--- a/manifests/nextcloud_chart.yaml
+++ b/manifests/nextcloud_chart.yaml
@@ -1,61 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: nextcloud
-
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: nextcloud-values
-  namespace: nextcloud
-  annotations:
-    kube-1password: v32a4zpuvhmxxrwmtmmv6526ry
-    kube-1password/vault: Kubernetes
-    kube-1password/secret-text-key: values.yaml
-type: Opaque
---
-
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
-  name: nextcloud
-  namespace: nextcloud
-spec:
-  chart:
-    repository: https://kubernetes-charts.storage.googleapis.com
-    name: nextcloud
-    version: 1.10.0
-  maxHistory: 5
-  valuesFrom:
-  - secretKeyRef:
-      name: nextcloud-values
-      namespace: nextcloud
-      key: values.yaml
-      optional: false
-  values:
-    image:
-      tag: 18-apache
-    ingress:
-      enabled: true
-      annotations:
-        cert-manager.io/cluster-issuer: letsencrypt
-        traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-        traefik.ingress.kubernetes.io/redirect-entry-point: https
-        traefik.ingress.kubernetes.io/redirect-permanent: "true"
-      tls:
-      - hosts:
-        - nextcloud.cluster.fun
-        secretName: nextcloud-ingress
-    nextcloud:
-      host: nextcloud.cluster.fun
-    persistence:
-      enabled: true
-      storageClass: scw-bssd-retain
-      size: 5Gi
-    cronjob:
-      enabled: true
-    resources:
-      requests:
-        memory: 500Mi
-
--- a/Show More
+++ b/Show More