Update grafana/promtail Docker tag to v3

2024-12-14 03:12:08 +00:00
91 changed files with 3057 additions and 854 deletions
--- a/manifests/_apps/base64.yaml
+++ b/manifests/_apps/base64.yaml
@@ -9,7 +9,7 @@ spec:
  project: cluster.fun
  destination:
    namespace: base64
-    name: cluster-fun (v2)
+    name: civo
  source:
    path: manifests/base64
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
@@ -22,4 +22,7 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/blog.yaml
+++ b/manifests/_apps/blog.yaml
@@ -22,5 +22,8 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
 ---
--- a/manifests/_apps/cel-tester.yaml
+++ b/manifests/_apps/cel-tester.yaml
@@ -9,7 +9,7 @@ spec:
  project: cluster.fun
  destination:
    namespace: cel-tester
-    name: cluster-fun (v2)
+    name: civo
  source:
    path: manifests/cel-tester
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
--- a/manifests/_apps/certmanager_chart.yaml
+++ b/manifests/_apps/certmanager_chart.yaml
@@ -1,3 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager-civo
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: cert-manager
+    name: civo
+  source:
+    path: manifests/certmanager-civo
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+---
+
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
--- a/manifests/_apps/civo-versions.yaml
+++ b/manifests/_apps/civo-versions.yaml
@@ -9,7 +9,7 @@ spec:
  project: cluster.fun
  destination:
    namespace: civo-versions
-    name: cluster-fun (v2)
+    name: civo
  source:
    path: manifests/civo-versions
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
@@ -22,4 +22,7 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/cv.yaml
+++ b/manifests/_apps/cv.yaml
@@ -9,7 +9,7 @@ spec:
  project: cluster.fun
  destination:
    namespace: cv
-    name: cluster-fun (v2)
+    name: civo
  source:
    path: manifests/cv
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
@@ -22,4 +22,7 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/dashboard.yaml
+++ b/manifests/_apps/dashboard.yaml
@@ -22,5 +22,8 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
 ---
--- a/manifests/_apps/devstats-viewer.yaml
+++ b/manifests/_apps/devstats-viewer.yaml
@@ -22,5 +22,8 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
 ---
--- a/manifests/_apps/feed-fetcher.yaml
+++ b/manifests/_apps/feed-fetcher.yaml
@@ -9,7 +9,7 @@ spec:
  project: cluster.fun
  destination:
    namespace: feed-fetcher
-    name: cluster-fun (v2)
+    name: civo
  source:
    path: manifests/feed-fetcher
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
@@ -22,4 +22,7 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/goldilocks.yaml
+++ b/manifests/_apps/goldilocks.yaml
@@ -1,35 +0,0 @@
-
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: cluster-fun-goldilocks
-  namespace: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: cluster.fun
-  destination:
-    namespace: goldilocks
-    name: cluster-fun (v2)
-  source:
-    repoURL: 'https://charts.fairwinds.com/stable'
-    targetRevision: 10.1.0
-    chart: goldilocks
-    helm:
-      version: v3
-      values: |-
-        vpa:
-          enabled: true
-        controller:
-          flags:
-            on-by-default: true
-        dashboard:
-          flags:
-            on-by-default: true
-          replicaCount: 1
-  syncPolicy:
-    automated: {}
-    syncOptions:
-      - CreateNamespace=true
-
---
--- a/manifests/_apps/goplayground.yaml
+++ b/manifests/_apps/goplayground.yaml
@@ -9,7 +9,7 @@ spec:
  project: cluster.fun
  destination:
    namespace: goplayground
-    name: cluster-fun (v2)
+    name: civo
  source:
    path: manifests/goplayground
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
--- a/manifests/_apps/grist.yaml
+++ b/manifests/_apps/grist.yaml
@@ -22,4 +22,8 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
 ---
--- a/manifests/_apps/link.yaml
+++ b/manifests/_apps/link.yaml
@@ -9,7 +9,7 @@ spec:
  project: cluster.fun
  destination:
    namespace: link
-    name: cluster-fun (v2)
+    name: civo
  source:
    path: manifests/link
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
--- a/manifests/_apps/marcusnoble.yaml
+++ b/manifests/_apps/marcusnoble.yaml
@@ -22,5 +22,8 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
 ---
--- a/manifests/_apps/mastodon-digest.yaml
+++ b/manifests/_apps/mastodon-digest.yaml
@@ -22,4 +22,8 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
 ---
--- a/manifests/_apps/matrix_chart.yaml
+++ b/manifests/_apps/matrix_chart.yaml
@@ -1,17 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: yay-or-nay
+  name: cluster-fun-matrix
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
-    namespace: yay-or-nay
+    namespace: chat
    name: cluster-fun (v2)
  source:
-    path: manifests/yay-or-nay
+    path: manifests/matrix_chart
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
--- a/manifests/_apps/mealie.yaml
+++ b/manifests/_apps/mealie.yaml
@@ -22,4 +22,8 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
 ---
--- a/manifests/_apps/social-to-rolodex.yaml
+++ b/manifests/_apps/social-to-rolodex.yaml
@@ -1,17 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: social-to-rolodex
+  name: monitoring-civo
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
-    namespace: social-to-rolodex
-    name: cluster-fun (v2)
+    namespace: monitoring
+    name: civo
  source:
-    path: manifests/social-to-rolodex
+    path: manifests/monitoring-civo
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
@@ -22,4 +22,3 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
--- a/manifests/_apps/opengraph-image-gen.yaml
+++ b/manifests/_apps/opengraph-image-gen.yaml
@@ -9,7 +9,7 @@ spec:
  project: cluster.fun
  destination:
    namespace: opengraph
-    name: cluster-fun (v2)
+    name: civo
  source:
    path: manifests/opengraph
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
@@ -22,4 +22,7 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/proxy-civo.yaml
+++ b/manifests/_apps/proxy-civo.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: proxy-civo
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: proxy-civo
+    name: civo
+  source:
+    path: manifests/proxy-civo
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
--- a/manifests/_apps/qr.yaml
+++ b/manifests/_apps/qr.yaml
@@ -9,7 +9,7 @@ spec:
  project: cluster.fun
  destination:
    namespace: qr
-    name: cluster-fun (v2)
+    name: civo
  source:
    path: manifests/qr
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
@@ -22,4 +22,7 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/reloader.yaml
+++ b/manifests/_apps/reloader.yaml
@@ -21,3 +21,26 @@ spec:
    jsonPointers:
    - /data
 ---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cluster-fun-reloader-civo
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: kube-system
+    name: civo
+  source:
+    repoURL: 'https://stakater.github.io/stakater-charts'
+    targetRevision: v0.0.89
+    chart: reloader
+  syncPolicy:
+    automated: {}
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+---
--- a/manifests/_apps/rss.yaml
+++ b/manifests/_apps/rss.yaml
@@ -22,4 +22,8 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
 ---
--- a/manifests/_apps/social-to-grist.yaml
+++ b/manifests/_apps/social-to-grist.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: social-to-grist
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: social-to-grist
+    name: civo
+  source:
+    path: manifests/social-to-grist
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/cors-proxy.yaml
+++ b/manifests/_apps/cors-proxy.yaml
@@ -1,17 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: cors-proxy
+  name: cluster-fun-starling
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
-    namespace: cors-proxy
+    namespace: starling
    name: cluster-fun (v2)
  source:
-    path: manifests/cors-proxy
+    path: manifests/starling
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
--- a/manifests/_apps/svg-to-dxf.yaml
+++ b/manifests/_apps/svg-to-dxf.yaml
@@ -9,7 +9,7 @@ spec:
  project: cluster.fun
  destination:
    namespace: svg-to-dxf
-    name: cluster-fun (v2)
+    name: civo
  source:
    path: manifests/svg-to-dxf
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
@@ -22,4 +22,7 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/talks.yaml
+++ b/manifests/_apps/talks.yaml
@@ -9,7 +9,7 @@ spec:
  project: cluster.fun
  destination:
    namespace: talks
-    name: cluster-fun (v2)
+    name: civo
  source:
    path: manifests/talks
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
@@ -22,4 +22,7 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/tank.yaml
+++ b/manifests/_apps/tank.yaml
@@ -22,5 +22,8 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
 ---
--- a/manifests/_apps/text-to-dxf.yaml
+++ b/manifests/_apps/text-to-dxf.yaml
@@ -9,7 +9,7 @@ spec:
  project: cluster.fun
  destination:
    namespace: text-to-dxf
-    name: cluster-fun (v2)
+    name: civo
  source:
    path: manifests/text-to-dxf
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
@@ -22,4 +22,7 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/til.yaml
+++ b/manifests/_apps/til.yaml
@@ -9,7 +9,7 @@ spec:
  project: cluster.fun
  destination:
    namespace: til
-    name: cluster-fun (v2)
+    name: civo
  source:
    path: manifests/til
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
@@ -22,4 +22,7 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
-
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/priority-classes.yaml
+++ b/manifests/_apps/priority-classes.yaml
@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: cluster-fun-priority-classes
+  name: traefik-civo
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
@@ -9,9 +9,9 @@ spec:
  project: cluster.fun
  destination:
    namespace: kube-system
-    name: cluster-fun (v2)
+    name: civo
  source:
-    path: manifests/priority-classes
+    path: manifests/traefik
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
@@ -22,4 +22,3 @@ spec:
  - kind: Secret
    jsonPointers:
    - /data
---
--- a/manifests/_apps/tweetsvg.yaml
+++ b/manifests/_apps/tweetsvg.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tweetsvg
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: tweetsvg
+    name: civo
+  source:
+    path: manifests/tweetsvg
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
--- a/manifests/_apps/twitter-profile-pic.yaml
+++ b/manifests/_apps/twitter-profile-pic.yaml
@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cluster-fun-twitter-profile-pic
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: twitter-profile-pic
+    name: cluster-fun (v2)
+  source:
+    path: manifests/twitter-profile-pic
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data
+  - group: apps
+    kind: Deployment
+    jqPathExpressions:
+    - .spec.template.spec.containers[]?.image
+---
--- a/manifests/_apps/bsky-screenshot.yaml
+++ b/manifests/_apps/bsky-screenshot.yaml
@@ -1,24 +1,25 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: bsky-screenshot
+  name: cluster-fun-wallabag
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: cluster.fun
  destination:
-    namespace: bsky-screenshot
+    namespace: wallabag
    name: cluster-fun (v2)
  source:
-    path: manifests/bsky-screenshot
+    path: manifests/wallabag
    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
    targetRevision: HEAD
  syncPolicy:
-    automated: {}
    syncOptions:
      - CreateNamespace=true
+    automated: {}
  ignoreDifferences:
  - kind: Secret
    jsonPointers:
    - /data
+---
--- a/manifests/auth-proxy/auth-ingress.yaml
+++ b/manifests/auth-proxy/auth-ingress.yaml
@@ -23,13 +23,10 @@ spec:
    - sonarr.cluster.fun
    - lidarr.cluster.fun
    - prowlarr.cluster.fun
-    - mylarr.cluster.fun
    - transmission.cluster.fun
    - tekton.cluster.fun
    - changedetection.cluster.fun
    - grafana.cluster.fun
-    - podgrab.cluster.fun
-    - stablediffusion.cluster.fun
    secretName: auth-proxy-ingress
  rules:
  - host: downloads.cluster.fun
@@ -202,33 +199,3 @@ spec:
            name: tailscale-proxy
            port:
              name: auth
-  - host: podgrab.cluster.fun
-    http:
-      paths:
-      - path: /
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: tailscale-proxy
-            port:
-              name: auth
-  - host: mylarr.cluster.fun
-    http:
-      paths:
-      - path: /
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: tailscale-proxy
-            port:
-              name: auth
-  - host: stablediffusion.cluster.fun
-    http:
-      paths:
-      - path: /
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: tailscale-proxy
-            port:
-              name: auth
--- a/manifests/auth-proxy/non-auth-ingress.yaml
+++ b/manifests/auth-proxy/non-auth-ingress.yaml
@@ -6,18 +6,11 @@ metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
-    nginx.ingress.kubernetes.io/proxy-body-size: 25m
-    nginx.ingress.kubernetes.io/client-body-buffer-size: 25m
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - hello-world.cluster.fun
-    - ombi.cluster.fun
-    - bsky-feeds.cluster.fun
-    - ai.cluster.fun
    secretName: non-auth-proxy-ingress
  rules:
  - host: hello-world.cluster.fun
@@ -30,33 +23,3 @@ spec:
            name: tailscale-proxy
            port:
              name: non-auth
-  - host: ombi.cluster.fun
-    http:
-      paths:
-      - path: /
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: tailscale-proxy
-            port:
-              name: non-auth
-  - host: bsky-feeds.cluster.fun
-    http:
-      paths:
-      - path: /
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: tailscale-proxy
-            port:
-              name: non-auth
-  - host: ai.cluster.fun
-    http:
-      paths:
-      - path: /
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: tailscale-proxy
-            port:
-              name: non-auth
--- a/manifests/auth-proxy/proxy.yaml
+++ b/manifests/auth-proxy/proxy.yaml
@@ -38,7 +38,6 @@ spec:
      labels:
        app: internal-proxy
    spec:
-      priorityClassName: critical
      serviceAccountName: default
      dnsPolicy: ClusterFirst
      dnsConfig:
@@ -68,7 +67,7 @@ spec:
          mountPath: /config/

      - name: oauth-proxy
-        image: quay.io/oauth2-proxy/oauth2-proxy:v7.12.0
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1
        args:
        - --cookie-secure=false
        - --provider=oidc
@@ -102,9 +101,9 @@ spec:
          protocol: TCP
        resources:
          limits:
-            memory: 80Mi
+            memory: 50Mi
          requests:
-            memory: 80Mi
+            memory: 50Mi
      volumes:
      - name: host-mappings
        configMap:
--- a/manifests/base64/base64.yaml
+++ b/manifests/base64/base64.yaml
@@ -29,7 +29,6 @@ spec:
    spec:
      imagePullSecrets:
        - name: docker-config
-      priorityClassName: low
      containers:
      - name: web
        image: rg.fr-par.scw.cloud/averagemarcus/base64:latest
@@ -50,10 +49,11 @@ metadata:
  namespace: base64
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
-  ingressClassName: nginx
  tls:
  - hosts:
    - base64.cluster.fun
--- a/manifests/bsky-screenshot/bsky-screenshot.yaml
+++ b/manifests/bsky-screenshot/bsky-screenshot.yaml
@@ -1,69 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: bsky-screenshot
-  namespace: bsky-screenshot
-spec:
-  type: ClusterIP
-  ports:
-  - port: 80
-    targetPort: web
-    name: web
-  selector:
-    app: bsky-screenshot
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: bsky-screenshot
-  namespace: bsky-screenshot
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: bsky-screenshot
-  template:
-    metadata:
-      labels:
-        app: bsky-screenshot
-    spec:
-      containers:
-      - name: web
-        image: rg.fr-par.scw.cloud/averagemarcus/bsky-screenshot:latest
-        imagePullPolicy: Always
-        ports:
-        - containerPort: 80
-          name: web
-        resources:
-          limits:
-            memory: 20Mi
-          requests:
-            memory: 20Mi
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: bsky-screenshot
-  namespace: bsky-screenshot
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-spec:
-  ingressClassName: nginx
-  tls:
-  - hosts:
-    - bsky-screenshot.cluster.fun
-    secretName: bsky-screenshot-ingress
-  rules:
-  - host: bsky-screenshot.cluster.fun
-    http:
-      paths:
-      - path: /
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: bsky-screenshot
-            port:
-              number: 80
-
--- a/manifests/cel-tester/cel-tester.yaml
+++ b/manifests/cel-tester/cel-tester.yaml
@@ -47,10 +47,11 @@ metadata:
  namespace: cel-tester
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
-  ingressClassName: nginx
  tls:
  - hosts:
    - cel-tester.cluster.fun
--- a/manifests/certmanager-civo/certmanager_chart.yaml
+++ b/manifests/certmanager-civo/certmanager_chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    certmanager.k8s.io/disable-validation: "true"
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: letsencrypt@marcusnoble.co.uk
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+    - http01:
+        ingress:
+          class: traefik
--- a/manifests/civo-versions/civo-versions.yaml
+++ b/manifests/civo-versions/civo-versions.yaml
@@ -38,7 +38,6 @@ spec:
      labels:
        app: civo-versions
    spec:
-      priorityClassName: low
      containers:
      - name: web
        image: rg.fr-par.scw.cloud/averagemarcus/civo-versions:latest
@@ -67,10 +66,11 @@ metadata:
  namespace: civo-versions
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
-  ingressClassName: nginx
  tls:
  - hosts:
    - civo-versions.cluster.fun
--- a/manifests/cors-proxy/cors-proxy.yaml
+++ b/manifests/cors-proxy/cors-proxy.yaml
@@ -1,76 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: cors-proxy
-  namespace: cors-proxy
-spec:
-  type: ClusterIP
-  ports:
-  - port: 80
-    targetPort: 8000
-    name: web
-  selector:
-    app: cors-proxy
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cors-proxy
-  namespace: cors-proxy
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app: cors-proxy
-  template:
-    metadata:
-      labels:
-        app: cors-proxy
-    spec:
-      containers:
-      - name: web
-        image: rg.fr-par.scw.cloud/averagemarcus/cors-proxy:latest
-        imagePullPolicy: Always
-        ports:
-        - containerPort: 8000
-          name: web
-        env:
-        - name: ALLOWLIST
-          value: cdn.bsky.app
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: cors-proxy
-  namespace: cors-proxy
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-spec:
-  ingressClassName: nginx
-  tls:
-  - hosts:
-    - cors-proxy.cluster.fun
-    - cors-proxy.marcusnoble.co.uk
-    secretName: cors-proxy-ingress
-  rules:
-  - host: cors-proxy.cluster.fun
-    http:
-      paths:
-      - path: /
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: cors-proxy
-            port:
-              number: 80
-  - host: cors-proxy.marcusnoble.co.uk
-    http:
-      paths:
-      - path: /
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: cors-proxy
-            port:
-              number: 80
--- a/manifests/cv/cv.yaml
+++ b/manifests/cv/cv.yaml
@@ -62,10 +62,11 @@ metadata:
  namespace: cv
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
-  ingressClassName: nginx
  tls:
  - hosts:
    - cv.marcusnoble.co.uk
--- a/manifests/dashboard/dashboard.yaml
+++ b/manifests/dashboard/dashboard.yaml
@@ -81,7 +81,7 @@ spec:
            secretKeyRef:
              key: password
              name: dashboard-auth
-        image: quay.io/oauth2-proxy/oauth2-proxy:v7.12.0
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1
        name: oauth-proxy
        ports:
        - containerPort: 8000
--- a/manifests/feed-fetcher/feed-fetcher.yaml
+++ b/manifests/feed-fetcher/feed-fetcher.yaml
@@ -42,10 +42,11 @@ metadata:
  namespace: feed-fetcher
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
-  ingressClassName: nginx
  tls:
  - hosts:
    - feed-fetcher.cluster.fun
--- a/manifests/gitea/gitea.yaml
+++ b/manifests/gitea/gitea.yaml
@@ -40,10 +40,9 @@ spec:
      labels:
        app: git
    spec:
-      priorityClassName: critical
      containers:
      - name: git
-        image: gitea/gitea:1.24.6
+        image: gitea/gitea:1.22.5
        env:
        - name: APP_NAME
          value: "Git"
--- a/manifests/goplayground/goplayground.yaml
+++ b/manifests/goplayground/goplayground.yaml
@@ -29,7 +29,7 @@ spec:
    spec:
      containers:
      - name: web
-        image: x1unix/go-playground:2.5.7
+        image: x1unix/go-playground:2.3.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8000
@@ -47,10 +47,11 @@ metadata:
  namespace: goplayground
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
-  ingressClassName: nginx
  tls:
  - hosts:
    - go.cluster.fun
--- a/manifests/grist/grist.yaml
+++ b/manifests/grist/grist.yaml
@@ -70,10 +70,9 @@ spec:
        app.kubernetes.io/name: grist
    spec:
      serviceAccountName: grist
-      priorityClassName: critical
      containers:
        - name: grist
-          image: gristlabs/grist-oss:1.7.3
+          image: gristlabs/grist-oss:1.3.0
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
--- a/manifests/link/link.yaml
+++ b/manifests/link/link.yaml
@@ -27,14 +27,6 @@ data:
    kcduk24: https://speaking.marcusnoble.co.uk/0qcuN9/from-fragile-to-resilient-validatingadmissionpolicies-strengthen-kubernetes
    rejektsna24: https://speaking.marcusnoble.co.uk/dALiFY/from-fragile-to-resilient-validatingadmissionpolicies-strengthen-kubernetes
    kcddk24: https://speaking.marcusnoble.co.uk/FU4W7x/from-fragile-to-resilient-validatingadmissionpolicies-strengthen-kubernetes
-    cndoslo: https://speaking.marcusnoble.co.uk/j5M53P/from-fragile-to-resilient-validatingadmissionpolicies-strengthen-kubernetes
-    rejekts25: https://speaking.marcusnoble.co.uk/AXARFf/pod-deep-dive-everything-you-didnt-know-you-needed-to-know
-    kcdbudapest: https://speaking.marcusnoble.co.uk/43QLpx/the-future-of-kubernetes-admission-logic
-    kcdczechslovak: https://speaking.marcusnoble.co.uk/Np2xUv/pod-deep-dive-the-interesting-bits
-    cnsmunich: https://speaking.marcusnoble.co.uk/HqYcp2/pod-deep-dive-the-interesting-bits
-    cnsmunich-feedback: https://yay-or-nay.cluster.fun/feedback/20UETBI0
-    containerdays25: https://speaking.marcusnoble.co.uk/HARSlE/the-future-of-kubernetes-admission-logic
-    containerdays25-feedback: https://yay-or-nay.cluster.fun/feedback/F8P351QK
 ---
 apiVersion: v1
 kind: Service
@@ -69,7 +61,6 @@ spec:
      labels:
        app: link
    spec:
-      priorityClassName: critical
      containers:
      - name: web
        image: rg.fr-par.scw.cloud/averagemarcus/link:latest
@@ -92,10 +83,11 @@ metadata:
  namespace: link
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
-  ingressClassName: nginx
  tls:
  - hosts:
    - go-get.link
--- a/manifests/mastodon-digest/mastodon_digest.yaml
+++ b/manifests/mastodon-digest/mastodon_digest.yaml
@@ -123,7 +123,6 @@ spec:
    spec:
      imagePullSecrets:
        - name: docker-config
-      priorityClassName: low
      containers:
      - args:
        - --cookie-secure=false
@@ -153,7 +152,7 @@ spec:
            secretKeyRef:
              key: password
              name: mastodon-digest-auth
-        image: quay.io/oauth2-proxy/oauth2-proxy:v7.12.0
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1
        name: oauth-proxy
        ports:
        - containerPort: 8000
--- a/manifests/matrix_chart/matrix_chart.yaml
+++ b/manifests/matrix_chart/matrix_chart.yaml
@@ -0,0 +1,554 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: matrix
+  namespace: chat
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - matrix.cluster.fun
+    secretName: matrix-ingress
+  rules:
+  - host: matrix.cluster.fun
+    http:
+      paths:
+      - path: /.well-known/matrix
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: well-known
+            port:
+              number: 80
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: matrix-synapse
+            port:
+              number: 80
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: riot
+  namespace: chat
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - chat.cluster.fun
+    secretName: riot-ingress
+  rules:
+  - host: chat.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: matrix-riot
+            port:
+              number: 80
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: well-known
+  namespace: chat
+  annotations:
+    configmap.reloader.stakater.com/reload: "well-known"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: well-known
+  template:
+    metadata:
+      labels:
+        app: well-known
+    spec:
+      containers:
+      - name: web
+        image: nginx
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 80
+          name: web
+        volumeMounts:
+        - name: well-known
+          mountPath: /usr/share/nginx/html/.well-known/matrix
+        resources:
+          limits:
+            memory: 15Mi
+          requests:
+            memory: 15Mi
+      volumes:
+      - name: well-known
+        configMap:
+          name: well-known
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: well-known
+  namespace: chat
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 80
+    name: web
+  selector:
+    app: well-known
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: well-known
+  namespace: chat
+data:
+  server: |-
+    {
+      "m.server": "matrix.cluster.fun:443"
+    }
+  client: |-
+    {
+      "m.homeserver": {
+        "base_url": "https://matrix.cluster.fun"
+      },
+      "org.matrix.msc3575.proxy": {
+        "url": "https://syncv3.matrix.cluster.fun"
+      }
+    }
+
+
+---
+
+
+# Source: matrix/templates/riot/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: matrix-riot-config
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: element
+data:
+  config.json: |
+    {
+      "default_server_config": {
+        "m.homeserver": {
+          "base_url": "https://matrix.cluster.fun"
+        }
+      },
+      "brand": "Element",
+      "branding": {},
+      "integrations_ui_url": "https://scalar.vector.im/",
+      "integrations_rest_url": "https://scalar.vector.im/api",
+      "integrations_widgets_urls": [
+        "https://scalar.vector.im/_matrix/integrations/v1",
+        "https://scalar.vector.im/api",
+        "https://scalar-staging.vector.im/_matrix/integrations/v1",
+        "https://scalar-staging.vector.im/api",
+        "https://scalar-staging.riot.im/scalar/api"
+      ],
+      "showLabsSettings": true,
+      "features": {
+        "feature_pinning": true,
+        "feature_custom_status": "labs",
+        "feature_state_counters": "labs",
+        "feature_many_integration_managers": "labs",
+        "feature_mjolnir": "labs",
+        "feature_dm_verification": "labs",
+        "feature_bridge_state": "labs",
+        "feature_presence_in_room_list": true,
+        "feature_custom_themes": "labs",
+        "feature_new_spinner": "labs",
+        "feature_jump_to_date": "labs",
+        "feature_location_share_pin_drop": "labs",
+        "feature_location_share_live": "labs",
+        "feature_thread": true,
+        "feature_video_rooms": true,
+        "feature_favourite_messages": "labs"
+      },
+      "roomDirectory": {
+        "servers": []
+      },
+      "permalinkPrefix": "https://chat.cluster.fun",
+      "enable_presence_by_hs_url": {
+        "https://matrix.org": false,
+        "https://matrix-client.matrix.org": false
+      },
+      "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=2IerXP2a5g1e7hxxBbzs"
+    }
+  nginx.conf: |
+    worker_processes  auto;
+
+    error_log  /var/log/nginx/error.log warn;
+    pid        /var/run/pid/nginx.pid;
+
+    events {
+      worker_connections  1024;
+    }
+
+    http {
+      include       /etc/nginx/mime.types;
+      default_type  application/octet-stream;
+
+      log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+      '$status $body_bytes_sent "$http_referer" '
+      '"$http_user_agent" "$http_x_forwarded_for"';
+
+      access_log  /var/log/nginx/access.log  main;
+
+      sendfile        on;
+
+      keepalive_timeout  65;
+
+      include /etc/nginx/conf.d/*.conf;
+    }
+  default.conf: |
+    server {
+      listen       8080;
+      server_name  localhost;
+
+      location / {
+          root   /usr/share/nginx/html;
+          index  index.html index.htm;
+      }
+
+      # redirect server error pages to the static page /50x.html
+      #
+      error_page   500 502 503 504  /50x.html;
+      location = /50x.html {
+          root   /usr/share/nginx/html;
+      }
+    }
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: matrix-synapse-config
+  namespace: chat
+  annotations:
+    kube-1password: wbj4oozwyx6m2zz5m42pgcmymy
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: homeserver.yaml
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+type: Opaque
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: matrix-synapse-config
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: element
+data:
+  matrix.cluster.fun.log.config: |
+    version: 1
+
+    formatters:
+      precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+    filters:
+      context:
+        (): synapse.util.logcontext.LoggingContextFilter
+        request: ""
+
+    handlers:
+      console:
+        class: logging.StreamHandler
+        formatter: precise
+        filters: [context]
+
+    loggers:
+      synapse:
+        level: WARNING
+      synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: WARNING
+
+    root:
+      level: WARNING
+      handlers: [console]
+---
+# Source: matrix/templates/riot/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-riot
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: element
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: matrix-riot
+---
+# Source: matrix/templates/synapse/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-synapse
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/_synapse/metrics"
+    prometheus.io/port: "9000"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+    - port: 9000
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+  selector:
+    app.kubernetes.io/name: matrix-synapse
+---
+# Source: matrix/templates/riot/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: matrix-riot
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: element
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: matrix-riot
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: matrix-riot
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+        - name: "riot"
+          image: "vectorim/element-web:v1.11.87"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /app/config.json
+              name: riot-config
+              subPath: config.json
+              readOnly: true
+            - mountPath: /etc/nginx/nginx.conf
+              name: riot-config
+              subPath: nginx.conf
+              readOnly: true
+            - mountPath: /etc/nginx/conf.d/default.conf
+              name: riot-config
+              subPath: default.conf
+              readOnly: true
+            - mountPath: /var/cache/nginx
+              name: ephemeral
+              subPath: cache
+            - mountPath: /var/run/pid
+              name: ephemeral
+              subPath: pid
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          startupProbe:
+            httpGet:
+              path: /
+              port: http
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+      volumes:
+        - name: riot-config
+          configMap:
+            name: matrix-riot-config
+        - name: ephemeral
+          emptyDir: {}
+---
+# Source: matrix/templates/synapse/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: matrix-synapse
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: matrix-synapse
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: matrix-synapse
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      initContainers:
+        - name: generate-signing-key
+          image: "ghcr.io/element-hq/synapse:v1.121.1"
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: SYNAPSE_SERVER_NAME
+              value: matrix.cluster.fun
+            - name: SYNAPSE_REPORT_STATS
+              value: "no"
+          command: ["python"]
+          args:
+            - "-m"
+            - "synapse.app.homeserver"
+            - "--config-path"
+            - "/data/homeserver.yaml"
+            - "--keys-directory"
+            - "/data/keys"
+            - "--generate-keys"
+          volumeMounts:
+            - name: synapse-config-homeserver
+              mountPath: /data/homeserver.yaml
+              subPath: homeserver.yaml
+            - name: synapse-config-logging
+              mountPath: /data/matrix.cluster.fun.log.config
+              subPath: matrix.cluster.fun.log.config
+            - name: signing-key
+              mountPath: /data/keys
+      containers:
+        - name: "synapse"
+          image: "ghcr.io/element-hq/synapse:v1.121.1"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8008
+              protocol: TCP
+            - name: metrics
+              containerPort: 9000
+              protocol: TCP
+          volumeMounts:
+            - name: synapse-config-homeserver
+              mountPath: /data/homeserver.yaml
+              subPath: homeserver.yaml
+            - name: mautrix-whatsapp-registration
+              mountPath: /data/mautrix-whatsapp-registration.yaml
+              subPath: registration.yaml
+            # - name: mautrix-signal-registration
+            #   mountPath: /data/mautrix-signal-registration.yaml
+            #   subPath: registration.yaml
+            # - name: mautrix-telegram-registration
+            #   mountPath: /data/mautrix-telegram-registration.yaml
+            #   subPath: registration.yaml
+            - name: synapse-config-logging
+              mountPath: /data/matrix.cluster.fun.log.config
+              subPath: matrix.cluster.fun.log.config
+            - name: signing-key
+              mountPath: /data/keys
+            - name: user-media
+              mountPath: /data/media_store
+            - name: uploads
+              mountPath: /data/uploads
+            - name: tmp
+              mountPath: /tmp
+          readinessProbe:
+            httpGet:
+              path: /_matrix/static/
+              port: http
+            periodSeconds: 10
+            timeoutSeconds: 5
+          startupProbe:
+            httpGet:
+              path: /_matrix/static/
+              port: http
+            failureThreshold: 6
+            periodSeconds: 5
+            timeoutSeconds: 5
+          livenessProbe:
+            httpGet:
+              path: /_matrix/static/
+              port: http
+            periodSeconds: 10
+            timeoutSeconds: 5
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+      volumes:
+        - name: synapse-config-logging
+          configMap:
+            name: matrix-synapse-config
+        - name: synapse-config-homeserver
+          secret:
+            secretName: matrix-synapse-config
+        - name: mautrix-whatsapp-registration
+          secret:
+            secretName: mautrix-whatsapp-registration
+        # - name: mautrix-signal-registration
+        #   secret:
+        #     secretName: mautrix-signal-registration
+        # - name: mautrix-telegram-registration
+        #   secret:
+        #     secretName: mautrix-telegram-registration
+        - name: signing-key
+          persistentVolumeClaim:
+            claimName: chat-matrix-signing-key
+        - name: user-media
+          persistentVolumeClaim:
+            claimName: chat-matrix-user-media
+        - name: uploads
+          emptyDir: {}
+        - name: tmp
+          emptyDir: {}
+---
--- a/manifests/matrix_chart/pvs.yaml
+++ b/manifests/matrix_chart/pvs.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: chat-matrix-user-media
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 12Gi
+  storageClassName: sbs-default-retain
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: chat-matrix-signing-key
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: synapse
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: sbs-default-retain
+---
--- a/manifests/matrix_chart/signal_bridge.yaml
+++ b/manifests/matrix_chart/signal_bridge.yaml
@@ -0,0 +1,153 @@
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: mautrix-signal-registration
+#   namespace: chat
+#   annotations:
+#     kube-1password: z6tylu2br724gttcpfyi5egaui
+#     kube-1password/vault: Kubernetes
+#     kube-1password/secret-text-key: registration.yaml
+#   labels:
+#     app.kubernetes.io/name: "mautrix-signal"
+#     component: registration
+# type: Opaque
+
+# ---
+
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: mautrix-signal-config
+#   namespace: chat
+#   annotations:
+#     kube-1password: 5vfaorcudozlq4clkzgmzzszqe
+#     kube-1password/vault: Kubernetes
+#     kube-1password/secret-text-key: config.yaml
+#   labels:
+#     app.kubernetes.io/name: "mautrix-signal"
+#     component: config
+# type: Opaque
+
+# ---
+
+# apiVersion: v1
+# kind: Service
+# metadata:
+#   name: mautrix-signal
+#   namespace: chat
+#   labels:
+#     app.kubernetes.io/name: mautrix-signal
+#   annotations:
+#     prometheus.io/scrape: "true"
+#     prometheus.io/path: "/metrics"
+#     prometheus.io/port: "9000"
+# spec:
+#   type: ClusterIP
+#   ports:
+#   - port: 29328
+#     targetPort: http
+#     protocol: TCP
+#     name: http
+#   selector:
+#     app.kubernetes.io/name: mautrix-signal
+
+# ---
+
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+#   name: mautrix-signal
+#   labels:
+#     app.kubernetes.io/name: mautrix-signal
+# spec:
+#   revisionHistoryLimit: 3
+#   replicas: 1
+#   strategy:
+#     type: Recreate
+#   selector:
+#     matchLabels:
+#       app.kubernetes.io/name: mautrix-signal
+#   template:
+#     metadata:
+#       labels:
+#         app.kubernetes.io/name: mautrix-signal
+#     spec:
+#       serviceAccountName: default
+#       automountServiceAccountToken: true
+#       dnsPolicy: ClusterFirst
+#       enableServiceLinks: true
+#       initContainers:
+#       - name: config-copy
+#         image: bash:latest
+#         imagePullPolicy: IfNotPresent
+#         args:
+#           - -c
+#           - |
+#             cp /secrets/* /data/
+#         volumeMounts:
+#           - name: mautrix-signal-config
+#             mountPath: /secrets/config.yaml
+#             subPath: config.yaml
+#           - name: mautrix-signal-registration
+#             mountPath: /secrets/registration.yaml
+#             subPath: registration.yaml
+#           - name: data
+#             mountPath: /data
+#       containers:
+#         - name: signald
+#           image: docker.io/signald/signald:stable
+#           imagePullPolicy: Always
+#           volumeMounts:
+#           - name: signald
+#             mountPath: /signald
+#         - name: mautrix-signal
+#           image: "dock.mau.dev/mautrix/signal:v0.4.3"
+#           imagePullPolicy: IfNotPresent
+#           env:
+#             - name: "TZ"
+#               value: "UTC"
+#           ports:
+#             - name: http
+#               containerPort: 29328
+#               protocol: TCP
+#             - name: metrics
+#               containerPort: 9000
+#               protocol: TCP
+#           volumeMounts:
+#           - name: signald
+#             mountPath: /signald
+#           - name: data
+#             mountPath: /data
+#           livenessProbe:
+#             tcpSocket:
+#               port: 29318
+#             initialDelaySeconds: 0
+#             failureThreshold: 3
+#             timeoutSeconds: 1
+#             periodSeconds: 10
+#           readinessProbe:
+#             tcpSocket:
+#               port: 29318
+#             initialDelaySeconds: 0
+#             failureThreshold: 3
+#             timeoutSeconds: 1
+#             periodSeconds: 10
+#           startupProbe:
+#             tcpSocket:
+#               port: 29318
+#             initialDelaySeconds: 0
+#             failureThreshold: 30
+#             timeoutSeconds: 1
+#             periodSeconds: 5
+#       volumes:
+#         - name: data
+#           emptyDir: {}
+#         - name: signald
+#           emptyDir: {}
+#         - name: mautrix-signal-config
+#           secret:
+#             secretName: mautrix-signal-config
+#         - name: mautrix-signal-registration
+#           secret:
+#             secretName: mautrix-signal-registration
+# ---
--- a/manifests/matrix_chart/sliding-sync.yaml
+++ b/manifests/matrix_chart/sliding-sync.yaml
@@ -0,0 +1,119 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: matrix-sliding-sync
+  namespace: chat
+  annotations:
+    kube-1password: 7kvyfcszfaavj2d7uvl4troagm
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-parse: "true"
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: sliding-sync
+type: Opaque
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sliding-sync
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: sliding-sync
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: sliding-sync
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: sliding-sync
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+        - name: "sliding-sync"
+          image: "ghcr.io/matrix-org/sliding-sync:v0.99.19"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8008
+              protocol: TCP
+            - name: metrics
+              containerPort: 9090
+              protocol: TCP
+          env:
+          - name: SYNCV3_SERVER
+            value: https://matrix.cluster.fun
+          - name: SYNCV3_BINDADDR
+            value: ":8008"
+          - name: SYNCV3_PROM
+            value: ":9090"
+          - name: SYNCV3_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: matrix-sliding-sync
+                key: SYNCV3_SECRET
+          - name: SYNCV3_DB
+            valueFrom:
+              secretKeyRef:
+                name: matrix-sliding-sync
+                key: SYNCV3_DB
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: sliding-sync
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: sliding-sync
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/port: "9090"
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: http
+    name: web
+  - port: 9090
+    targetPort: metrics
+    protocol: TCP
+    name: metrics
+  selector:
+    app.kubernetes.io/name: sliding-sync
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: sliding-sync
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: "matrix"
+    component: sliding-sync
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - syncv3.matrix.cluster.fun
+    secretName: sliding-sync-ingress
+  rules:
+  - host: syncv3.matrix.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: sliding-sync
+            port:
+              number: 80
+---
--- a/manifests/matrix_chart/telegram_bridge.yaml
+++ b/manifests/matrix_chart/telegram_bridge.yaml
@@ -0,0 +1,143 @@
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: mautrix-telegram-registration
+#   namespace: chat
+#   annotations:
+#     kube-1password: dancy7ogc4gjlxhfntqejgudwi
+#     kube-1password/vault: Kubernetes
+#     kube-1password/secret-text-key: registration.yaml
+#   labels:
+#     app.kubernetes.io/name: "mautrix-telegram"
+#     component: registration
+# type: Opaque
+
+# ---
+
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: mautrix-telegram-config
+#   namespace: chat
+#   annotations:
+#     kube-1password: nilzdpfum35hhwijnwvasbzmcq
+#     kube-1password/vault: Kubernetes
+#     kube-1password/secret-text-key: config.yaml
+#   labels:
+#     app.kubernetes.io/name: "mautrix-telegram"
+#     component: config
+# type: Opaque
+
+# ---
+
+# apiVersion: v1
+# kind: Service
+# metadata:
+#   name: mautrix-telegram
+#   namespace: chat
+#   labels:
+#     app.kubernetes.io/name: mautrix-telegram
+#   annotations:
+#     prometheus.io/scrape: "true"
+#     prometheus.io/path: "/metrics"
+#     prometheus.io/port: "9000"
+# spec:
+#   type: ClusterIP
+#   ports:
+#   - port: 29318
+#     targetPort: http
+#     protocol: TCP
+#     name: http
+#   selector:
+#     app.kubernetes.io/name: mautrix-telegram
+
+# ---
+
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+#   name: mautrix-telegram
+#   labels:
+#     app.kubernetes.io/name: mautrix-telegram
+# spec:
+#   revisionHistoryLimit: 3
+#   replicas: 1
+#   strategy:
+#     type: Recreate
+#   selector:
+#     matchLabels:
+#       app.kubernetes.io/name: mautrix-telegram
+#   template:
+#     metadata:
+#       labels:
+#         app.kubernetes.io/name: mautrix-telegram
+#     spec:
+#       serviceAccountName: default
+#       automountServiceAccountToken: true
+#       dnsPolicy: ClusterFirst
+#       enableServiceLinks: true
+#       initContainers:
+#       - name: config-copy
+#         image: bash:latest
+#         imagePullPolicy: IfNotPresent
+#         args:
+#           - -c
+#           - |
+#             cp /secrets/* /data/
+#         volumeMounts:
+#           - name: mautrix-telegram-config
+#             mountPath: /secrets/config.yaml
+#             subPath: config.yaml
+#           - name: mautrix-telegram-registration
+#             mountPath: /secrets/registration.yaml
+#             subPath: registration.yaml
+#           - name: data
+#             mountPath: /data
+#       containers:
+#         - name: mautrix-telegram
+#           image: "dock.mau.dev/mautrix/telegram:v0.12.1"
+#           imagePullPolicy: IfNotPresent
+#           env:
+#             - name: "TZ"
+#               value: "UTC"
+#           ports:
+#             - name: http
+#               containerPort: 29318
+#               protocol: TCP
+#             - name: metrics
+#               containerPort: 9000
+#               protocol: TCP
+#           volumeMounts:
+#           - name: data
+#             mountPath: /data
+#           livenessProbe:
+#             tcpSocket:
+#               port: 29318
+#             initialDelaySeconds: 0
+#             failureThreshold: 3
+#             timeoutSeconds: 1
+#             periodSeconds: 10
+#           readinessProbe:
+#             tcpSocket:
+#               port: 29318
+#             initialDelaySeconds: 0
+#             failureThreshold: 3
+#             timeoutSeconds: 1
+#             periodSeconds: 10
+#           startupProbe:
+#             tcpSocket:
+#               port: 29318
+#             initialDelaySeconds: 0
+#             failureThreshold: 30
+#             timeoutSeconds: 1
+#             periodSeconds: 5
+#       volumes:
+#         - name: data
+#           emptyDir: {}
+#         - name: mautrix-telegram-config
+#           secret:
+#             secretName: mautrix-telegram-config
+#         - name: mautrix-telegram-registration
+#           secret:
+#             secretName: mautrix-telegram-registration
+# ---
--- a/manifests/matrix_chart/whatsapp_bridge.yaml
+++ b/manifests/matrix_chart/whatsapp_bridge.yaml
@@ -0,0 +1,143 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-whatsapp-registration
+  namespace: chat
+  annotations:
+    kube-1password: x6lzkpyov4dem5jtk2kimyrnvy
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: registration.yaml
+  labels:
+    app.kubernetes.io/name: "mautrix-whatsapp"
+    component: registration
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-whatsapp-config
+  namespace: chat
+  annotations:
+    kube-1password: ji3e2el66bu56bml3kq3ghyojq
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: config.yaml
+  labels:
+    app.kubernetes.io/name: "mautrix-whatsapp"
+    component: config
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mautrix-whatsapp
+  namespace: chat
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+  # annotations:
+  #   prometheus.io/scrape: "true"
+  #   prometheus.io/path: "/metrics"
+  #   prometheus.io/port: "9000"
+spec:
+  type: ClusterIP
+  ports:
+  - port: 29318
+    targetPort: http
+    protocol: TCP
+    name: http
+  selector:
+    app.kubernetes.io/name: mautrix-whatsapp
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mautrix-whatsapp
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+spec:
+  revisionHistoryLimit: 3
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: mautrix-whatsapp
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: mautrix-whatsapp
+    spec:
+      serviceAccountName: default
+      automountServiceAccountToken: true
+      dnsPolicy: ClusterFirst
+      enableServiceLinks: true
+      initContainers:
+      - name: config-copy
+        image: bash:latest
+        imagePullPolicy: IfNotPresent
+        args:
+          - -c
+          - |
+            cp /secrets/* /data/
+        volumeMounts:
+          - name: mautrix-whatsapp-config
+            mountPath: /secrets/config.yaml
+            subPath: config.yaml
+          - name: mautrix-whatsapp-registration
+            mountPath: /secrets/registration.yaml
+            subPath: registration.yaml
+          - name: data
+            mountPath: /data
+      containers:
+        - name: mautrix-whatsapp
+          image: "dock.mau.dev/mautrix/whatsapp:v0.11.0"
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: "TZ"
+              value: "UTC"
+          ports:
+            - name: http
+              containerPort: 29318
+              protocol: TCP
+            # - name: metrics
+            #   containerPort: 9000
+            #   protocol: TCP
+          volumeMounts:
+          - name: data
+            mountPath: /data
+          livenessProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          readinessProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          startupProbe:
+            tcpSocket:
+              port: 29318
+            initialDelaySeconds: 0
+            failureThreshold: 30
+            timeoutSeconds: 1
+            periodSeconds: 5
+      volumes:
+        - name: data
+          emptyDir: {}
+        - name: mautrix-whatsapp-config
+          secret:
+            secretName: mautrix-whatsapp-config
+        - name: mautrix-whatsapp-registration
+          secret:
+            secretName: mautrix-whatsapp-registration
+---
--- a/manifests/mealie/mealie.yaml
+++ b/manifests/mealie/mealie.yaml
@@ -28,10 +28,9 @@ spec:
      labels:
        app: mealie
    spec:
-      priorityClassName: critical
      containers:
      - name: frontend
-        image: ghcr.io/mealie-recipes/mealie:v3.2.1
+        image: ghcr.io/mealie-recipes/mealie:v2.3.0
        imagePullPolicy: Always
        envFrom:
        - secretRef:
@@ -42,7 +41,7 @@ spec:
        - name: PGID
          value: "1000"
        - name: TOKEN_TIME
-          value: "720"
+          value: "168"
        - name: DB_ENGINE
          value: postgres
        - name: POSTGRES_DB
@@ -69,18 +68,12 @@ spec:
        volumeMounts:
          - mountPath: /app/data
            name: data
-        resources:
-          requests:
-            cpu: 200m
-            memory: 650M
-          limits:
-            cpu: 1000m
-            memory: 650M
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: mealie

+
 ---

 apiVersion: v1
@@ -98,6 +91,7 @@ spec:
    app: mealie
 ---

+
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
--- a/manifests/monitoring-civo/kube-state-metrics.yaml
+++ b/manifests/monitoring-civo/kube-state-metrics.yaml
@@ -0,0 +1,255 @@
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  name: kube-state-metrics
+rules:
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+    - certificatesigningrequests
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - configmaps
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["batch"]
+    resources:
+    - cronjobs
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - daemonsets
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - deployments
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - endpoints
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["autoscaling"]
+    resources:
+    - horizontalpodautoscalers
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources:
+    - ingresses
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["batch"]
+    resources:
+    - jobs
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - limitranges
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources:
+      - mutatingwebhookconfigurations
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - namespaces
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+    - networkpolicies
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - nodes
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - persistentvolumeclaims
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - persistentvolumes
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["policy"]
+    resources:
+      - poddisruptionbudgets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - pods
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["extensions", "apps"]
+    resources:
+    - replicasets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - replicationcontrollers
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - resourcequotas
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - secrets
+    verbs: ["list", "watch"]
+
+  - apiGroups: [""]
+    resources:
+    - services
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["apps"]
+    resources:
+    - statefulsets
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["storage.k8s.io"]
+    resources:
+      - storageclasses
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources:
+      - validatingwebhookconfigurations
+    verbs: ["list", "watch"]
+
+  - apiGroups: ["storage.k8s.io"]
+    resources:
+      - volumeattachments
+    verbs: ["list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  name: kube-state-metrics
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-state-metrics
+subjects:
+- kind: ServiceAccount
+  name: kube-state-metrics
+  namespace: monitoring
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+  annotations:
+    prometheus.io/scrape: 'true'
+spec:
+  type: "ClusterIP"
+  ports:
+  - name: "http"
+    protocol: TCP
+    port: 8080
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/name: kube-state-metrics
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-state-metrics
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: kube-state-metrics
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kube-state-metrics
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: kube-state-metrics
+    spec:
+      serviceAccountName: kube-state-metrics
+      securityContext:
+        fsGroup: 65534
+        runAsGroup: 65534
+        runAsUser: 65534
+      containers:
+      - name: kube-state-metrics
+        args:
+        #- --resources=certificatesigningrequests
+        - --resources=configmaps
+        - --resources=cronjobs
+        - --resources=daemonsets
+        - --resources=deployments
+        #- --resources=endpoints
+        #- --resources=horizontalpodautoscalers
+        - --resources=ingresses
+        - --resources=jobs
+        #- --resources=limitranges
+        - --resources=mutatingwebhookconfigurations
+        - --resources=namespaces
+        #- --resources=networkpolicies
+        - --resources=nodes
+        - --resources=persistentvolumeclaims
+        - --resources=persistentvolumes
+        - --resources=poddisruptionbudgets
+        - --resources=pods
+        - --resources=replicasets
+        #- --resources=replicationcontrollers
+        #- --resources=resourcequotas
+        - --resources=secrets
+        - --resources=services
+        - --resources=statefulsets
+        - --resources=storageclasses
+        - --resources=validatingwebhookconfigurations
+        #- --resources=volumeattachments
+        imagePullPolicy: IfNotPresent
+        image: "registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.14.0"
+        ports:
+        - containerPort: 8080
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+---
--- a/manifests/monitoring-civo/prometheus-server.yaml
+++ b/manifests/monitoring-civo/prometheus-server.yaml
@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-server
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+  name: prometheus-server
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+      - nodes/proxy
+      - nodes/metrics
+      - services
+      - endpoints
+      - pods
+      - ingresses
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "extensions"
+      - "networking.k8s.io"
+    resources:
+      - ingresses/status
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - nonResourceURLs:
+      - "/metrics"
+    verbs:
+      - get
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/component: server
+  name: prometheus-server
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-server
+    namespace: monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-server
+---
--- a/manifests/monitoring-civo/promtail.yaml
+++ b/manifests/monitoring-civo/promtail.yaml
@@ -0,0 +1,292 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+data:
+  promtail.yaml: |
+    client:
+      backoff_config:
+        max_period: 5m
+        max_retries: 10
+        min_period: 500ms
+      batchsize: 1048576
+      batchwait: 1s
+      external_labels: {}
+      timeout: 10s
+    positions:
+      filename: /run/promtail/positions.yaml
+    server:
+      http_listen_port: 3101
+    clients:
+    - url: http://loki-distributed.proxy-civo.svc:80/loki/api/v1/push
+      external_labels:
+        kubernetes_cluster: civo
+    target_config:
+      sync_period: 10s
+    scrape_configs:
+    - job_name: kubernetes-pods
+      pipeline_stages:
+        - docker: {}
+        - cri: {}
+        - match:
+            selector: '{app="weave-net"}'
+            action: drop
+        - match:
+            selector: '{filename=~".*konnectivity.*"}'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*/healthz.*"'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*/api/health.*"'
+            action: drop
+        - match:
+            selector: '{name=~".*"} |~ ".*kube-probe/.*"'
+            action: drop
+        - match:
+            selector: '{app="internal-proxy"}'
+            action: drop
+        - match:
+            selector: '{app="non-auth-proxy"}'
+            action: drop
+        - match:
+            selector: '{app="vpa"}'
+            action: drop
+        - match:
+            selector: '{app="promtail"}'
+            action: drop
+        - match:
+            selector: '{app="csi-node"}'
+            action: drop
+        - match:
+            selector: '{app="victoria-metrics"}'
+            action: drop
+        - match:
+            selector: '{app="git-sync"}'
+            action: drop
+        - match:
+            selector: '{app="ingress-nginx"}'
+            stages:
+            - json:
+                expressions:
+                  request_host: host
+                  request_path: path
+                  request_method: method
+                  response_status: status
+            - drop:
+                source: "request_path"
+                value:  "/healthz"
+            - drop:
+                source: "request_path"
+                value:  "/health"
+            - labels:
+                request_host:
+                request_method:
+                response_status:
+        - match:
+            selector: '{app="traefik"}'
+            stages:
+            - json:
+                expressions:
+                  request_host: RequestHost
+                  request_path: RequestPath
+                  request_method: RequestMethod
+                  response_status: OriginStatus
+            - drop:
+                source: "request_path"
+                value:  "/healthz"
+            - drop:
+                source: "request_path"
+                value:  "/health"
+            - drop:
+                source: "request_path"
+                value:  "/ping"
+            - labels:
+                request_host:
+                request_method:
+                response_status:
+      kubernetes_sd_configs:
+        - role: pod
+      relabel_configs:
+        - source_labels:
+            - __meta_kubernetes_pod_controller_name
+          regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})?
+          action: replace
+          target_label: __tmp_controller_name
+        - source_labels:
+            - __meta_kubernetes_pod_label_app_kubernetes_io_name
+            - __meta_kubernetes_pod_label_app
+            - __tmp_controller_name
+            - __meta_kubernetes_pod_name
+          regex: ^;*([^;]+)(;.*)?$
+          action: replace
+          target_label: app
+        - source_labels:
+            - __meta_kubernetes_pod_label_app_kubernetes_io_component
+            - __meta_kubernetes_pod_label_component
+          regex: ^;*([^;]+)(;.*)?$
+          action: replace
+          target_label: component
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_node_name
+          target_label: node_name
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_namespace
+          target_label: namespace
+        - action: replace
+          replacement: $1
+          separator: /
+          source_labels:
+            - namespace
+            - app
+          target_label: job
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_name
+          target_label: pod
+        - action: replace
+          source_labels:
+            - __meta_kubernetes_pod_container_name
+          target_label: container
+        - action: replace
+          replacement: /var/log/pods/*$1/*.log
+          separator: /
+          source_labels:
+            - __meta_kubernetes_pod_uid
+            - __meta_kubernetes_pod_container_name
+          target_label: __path__
+        - action: replace
+          replacement: /var/log/pods/*$1/*.log
+          regex: true/(.*)
+          separator: /
+          source_labels:
+            - __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash
+            - __meta_kubernetes_pod_annotation_kubernetes_io_config_hash
+            - __meta_kubernetes_pod_container_name
+          target_label: __path__
+        - action: labelmap
+          regex: __meta_kubernetes_pod_label_(.+)
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: promtail-clusterrole
+  labels:
+    app.kubernetes.io/name: promtail
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources:
+  - nodes
+  - nodes/proxy
+  - services
+  - endpoints
+  - pods
+  verbs: ["get", "watch", "list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: promtail-clusterrolebinding
+  labels:
+    app.kubernetes.io/name: promtail
+subjects:
+  - kind: ServiceAccount
+    name: promtail
+    namespace: monitoring
+roleRef:
+  kind: ClusterRole
+  name: promtail-clusterrole
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: promtail
+  annotations:
+    configmap.reloader.stakater.com/reload: "promtail"
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: promtail
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: promtail
+      annotations:
+        prometheus.io/port: http-metrics
+        prometheus.io/scrape: "true"
+    spec:
+      serviceAccountName: promtail
+      containers:
+        - name: promtail
+          image: "grafana/promtail:3.3.1"
+          imagePullPolicy: IfNotPresent
+          args:
+            - "-config.file=/etc/promtail/promtail.yaml"
+          volumeMounts:
+            - name: config
+              mountPath: /etc/promtail
+            - name: run
+              mountPath: /run/promtail
+            - mountPath: /var/lib/docker/containers
+              name: docker
+              readOnly: true
+            - mountPath: /var/log/pods
+              name: pods
+              readOnly: true
+          env:
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          ports:
+            - containerPort: 3101
+              name: http-metrics
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsGroup: 0
+            runAsUser: 0
+          readinessProbe:
+            failureThreshold: 5
+            httpGet:
+              path: /ready
+              port: http-metrics
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Exists
+      volumes:
+        - name: config
+          configMap:
+            name: promtail
+        - name: run
+          hostPath:
+            path: /run/promtail
+        - hostPath:
+            path: /var/lib/docker/containers
+          name: docker
+        - hostPath:
+            path: /var/log/pods
+          name: pods
+---
--- a/manifests/monitoring-civo/vmagent.yaml
+++ b/manifests/monitoring-civo/vmagent.yaml
@@ -0,0 +1,163 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vmagent
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: victoria-metrics
+    app.kubernetes.io/component: agent
+data:
+  prometheus.yml: |
+    global:
+      scrape_interval: 1m
+      external_labels:
+        source: civo
+        agent: vmagent
+    scrape_configs:
+    - job_name: 'vmagent'
+      static_configs:
+        - targets: ['localhost:8429']
+    - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+      job_name: kubernetes-nodes
+      kubernetes_sd_configs:
+      - role: node
+      relabel_configs:
+      - action: labelmap
+        regex: __meta_kubernetes_node_label_(.+)
+      - replacement: kubernetes.default.svc:443
+        target_label: __address__
+      - regex: (.+)
+        replacement: /api/v1/nodes/$1/proxy/metrics
+        source_labels:
+        - __meta_kubernetes_node_name
+        target_label: __metrics_path__
+      scheme: https
+      tls_config:
+        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        insecure_skip_verify: true
+    - job_name: kubernetes-service-endpoints
+      kubernetes_sd_configs:
+      - role: endpoints
+      relabel_configs:
+      - action: keep
+        regex: true
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_scrape
+      - action: replace
+        regex: (https?)
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_scheme
+        target_label: __scheme__
+      - action: replace
+        regex: (.+)
+        source_labels:
+        - __meta_kubernetes_service_annotation_prometheus_io_path
+        target_label: __metrics_path__
+      - action: replace
+        regex: ([^:]+)(?::\d+)?;(\d+)
+        replacement: $1:$2
+        source_labels:
+        - __address__
+        - __meta_kubernetes_service_annotation_prometheus_io_port
+        target_label: __address__
+      - action: labelmap
+        regex: __meta_kubernetes_service_label_(.+)
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_namespace
+        target_label: kubernetes_namespace
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_service_name
+        target_label: kubernetes_name
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_endpoint_port_name
+        target_label: kubernetes_endpoint_port_name
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_pod_node_name
+        target_label: kubernetes_node
+    - job_name: kubernetes-pods
+      kubernetes_sd_configs:
+      - role: pod
+      relabel_configs:
+      - action: keep
+        regex: true
+        source_labels:
+        - __meta_kubernetes_pod_annotation_prometheus_io_scrape
+      - action: replace
+        regex: (.+)
+        source_labels:
+        - __meta_kubernetes_pod_annotation_prometheus_io_path
+        target_label: __metrics_path__
+      - action: replace
+        regex: ([^:]+)(?::\d+)?;(\d+)
+        replacement: $1:$2
+        source_labels:
+        - __address__
+        - __meta_kubernetes_pod_annotation_prometheus_io_port
+        target_label: __address__
+      - action: labelmap
+        regex: __meta_kubernetes_pod_label_(.+)
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_namespace
+        target_label: kubernetes_namespace
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_pod_name
+        target_label: kubernetes_pod_name
+      - action: replace
+        source_labels:
+        - __meta_kubernetes_pod_container_port_name
+        target_label: kubernetes_port_name
+      - action: drop
+        regex: Pending|Succeeded|Failed
+        source_labels:
+        - __meta_kubernetes_pod_phase
+
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vmagent
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: victoria-metrics
+    app.kubernetes.io/component: agent
+  annotations:
+    configmap.reloader.stakater.com/reload: "vmagent"
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: victoria-metrics
+      app.kubernetes.io/component: agent
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: victoria-metrics
+        app.kubernetes.io/component: agent
+    spec:
+      serviceAccountName: prometheus-server
+      containers:
+        - name: vmagent
+          image: "victoriametrics/vmagent:v1.107.0"
+          imagePullPolicy: "IfNotPresent"
+          args:
+            - -remoteWrite.url=http://vmcluster.proxy-civo.svc/insert/0/prometheus/
+            - -remoteWrite.showURL
+            - -promscrape.config=/config/prometheus.yml
+          volumeMounts:
+            - name: config-volume
+              mountPath: /config
+      volumes:
+        - name: config-volume
+          configMap:
+            name: vmagent
+---
--- a/manifests/monitoring/cadvisor.yaml
+++ b/manifests/monitoring/cadvisor.yaml
@@ -1,87 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app: cadvisor
-    app.kubernetes.io/name: cadvisor
-  name: cadvisor
-  namespace: monitoring
---
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  annotations:
-    seccomp.security.alpha.kubernetes.io/pod: docker/default
-  labels:
-    app: cadvisor
-    app.kubernetes.io/name: cadvisor
-  name: cadvisor
-  namespace: monitoring
-spec:
-  selector:
-    matchLabels:
-      app: cadvisor
-      app.kubernetes.io/name: cadvisor
-      name: cadvisor
-  template:
-    metadata:
-      labels:
-        app: cadvisor
-        app.kubernetes.io/name: cadvisor
-        name: cadvisor
-      annotations:
-        scheduler.alpha.kubernetes.io/critical-pod: ''
-    spec:
-      priorityClassName: system-node-critical
-      tolerations:
-        - key: "CriticalAddonsOnly"
-          operator: "Exists"
-      automountServiceAccountToken: false
-      containers:
-      - image: ghcr.io/google/cadvisor:v0.53.0
-        name: cadvisor
-        ports:
-        - containerPort: 8080
-          name: http
-          protocol: TCP
-        resources:
-          limits:
-            cpu: 800m
-            memory: 2000Mi
-          requests:
-            cpu: 400m
-            memory: 400Mi
-        volumeMounts:
-        - mountPath: /rootfs
-          name: rootfs
-          readOnly: true
-        - mountPath: /var/run
-          name: var-run
-          readOnly: true
-        - mountPath: /sys
-          name: sys
-          readOnly: true
-        - mountPath: /var/lib/docker
-          name: docker
-          readOnly: true
-        - mountPath: /dev/disk
-          name: disk
-          readOnly: true
-      serviceAccountName: cadvisor
-      terminationGracePeriodSeconds: 30
-      volumes:
-      - hostPath:
-          path: /
-        name: rootfs
-      - hostPath:
-          path: /var/run
-        name: var-run
-      - hostPath:
-          path: /sys
-        name: sys
-      - hostPath:
-          path: /var/lib/docker
-        name: docker
-      - hostPath:
-          path: /dev/disk
-        name: disk
--- a/manifests/monitoring/ephemeral-storage-exporter.yaml
+++ b/manifests/monitoring/ephemeral-storage-exporter.yaml
@@ -1,142 +0,0 @@
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/name: k8s-ephemeral-storage-metrics
-  name: k8s-ephemeral-storage-metrics
-  namespace: monitoring
---
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: k8s-ephemeral-storage-metrics
-  labels:
-    app.kubernetes.io/name: k8s-ephemeral-storage-metrics
-rules:
-  - apiGroups: [""]
-    resources: ["nodes","nodes/proxy", "nodes/stats", "pods"]
-    verbs: ["get","list", "watch"]
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: k8s-ephemeral-storage-metrics
-  labels:
-    app.kubernetes.io/name: k8s-ephemeral-storage-metrics
-subjects:
-  - kind: ServiceAccount
-    name: k8s-ephemeral-storage-metrics
-    namespace: monitoring
-roleRef:
-  kind: ClusterRole
-  name: k8s-ephemeral-storage-metrics
-  apiGroup: rbac.authorization.k8s.io
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: k8s-ephemeral-storage-metrics
-  namespace: monitoring
-  labels:
-    app.kubernetes.io/name: k8s-ephemeral-storage-metrics
-  annotations:
-    prometheus.io/scrape: "true"
-    prometheus.io/port: "9100"
-spec:
-  type: ClusterIP
-  selector:
-    app.kubernetes.io/name: k8s-ephemeral-storage-metrics
-  ports:
-    - name: metrics
-      port: 9100
-      protocol: TCP
-      targetPort: metrics
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: k8s-ephemeral-storage-metrics
-  namespace: monitoring
-  labels:
-    app.kubernetes.io/name: k8s-ephemeral-storage-metrics
-spec:
-  replicas: 1
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: k8s-ephemeral-storage-metrics
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: k8s-ephemeral-storage-metrics
-    spec:
-      serviceAccountName: k8s-ephemeral-storage-metrics
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
-      containers:
-        - name: metrics
-          image: ghcr.io/jmcgrath207/k8s-ephemeral-storage-metrics:1.18.2
-          imagePullPolicy: IfNotPresent
-          ports:
-            - name: metrics
-              containerPort: 9100
-              protocol: TCP
-          livenessProbe:
-            failureThreshold: 10
-            httpGet:
-              path: /metrics
-              port: 9100
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 30
-          readinessProbe:
-            failureThreshold: 10
-            httpGet:
-              path: /metrics
-              port: 9100
-              scheme: HTTP
-            periodSeconds: 10
-            successThreshold: 1
-            timeoutSeconds: 1
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            privileged: false
-            readOnlyRootFilesystem: false
-            runAsNonRoot: true
-          env:
-            - name: DEPLOY_TYPE
-              value: "Deployment"
-            - name: SCRAPE_INTERVAL
-              value: "15"
-            - name: MAX_NODE_CONCURRENCY
-              value: "10"
-            - name: CLIENT_GO_QPS
-              value: "5"
-            - name: CLIENT_GO_BURST
-              value: "10"
-            - name: LOG_LEVEL
-              value: "info"
-            - name: EPHEMERAL_STORAGE_POD_USAGE
-              value: "true"
-            - name: EPHEMERAL_STORAGE_NODE_AVAILABLE
-              value: "true"
-            - name: EPHEMERAL_STORAGE_NODE_CAPACITY
-              value: "true"
-            - name: EPHEMERAL_STORAGE_NODE_PERCENTAGE
-              value: "true"
-            - name: EPHEMERAL_STORAGE_CONTAINER_LIMIT_PERCENTAGE
-              value: "true"
-            - name: EPHEMERAL_STORAGE_CONTAINER_VOLUME_USAGE
-              value: "true"
-            - name: EPHEMERAL_STORAGE_CONTAINER_VOLUME_LIMITS_PERCENTAGE
-              value: "true"
-            - name: EPHEMERAL_STORAGE_INODES
-              value: "true"
--- a/manifests/monitoring/kube-state-metrics.yaml
+++ b/manifests/monitoring/kube-state-metrics.yaml
@@ -201,7 +201,6 @@ spec:
      labels:
        app.kubernetes.io/name: kube-state-metrics
    spec:
-      priorityClassName: system-cluster-critical
      serviceAccountName: kube-state-metrics
      securityContext:
        fsGroup: 65534
@@ -238,7 +237,7 @@ spec:
        - --resources=validatingwebhookconfigurations
        #- --resources=volumeattachments
        imagePullPolicy: IfNotPresent
-        image: "registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.17.0"
+        image: "registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.14.0"
        ports:
        - containerPort: 8080
        livenessProbe:
--- a/manifests/monitoring/node-exporter.yaml
+++ b/manifests/monitoring/node-exporter.yaml
@@ -51,11 +51,10 @@ spec:
        app.kubernetes.io/name: prometheus
        app.kubernetes.io/component: node-exporter
    spec:
-      priorityClassName: system-node-critical
      serviceAccountName: prometheus-node-exporter
      containers:
        - name: prometheus-node-exporter
-          image: "prom/node-exporter:v1.9.1"
+          image: "prom/node-exporter:v1.8.2"
          imagePullPolicy: "IfNotPresent"
          args:
            - --path.procfs=/host/proc
--- a/manifests/monitoring/promtail.yaml
+++ b/manifests/monitoring/promtail.yaml
@@ -212,11 +212,10 @@ spec:
        prometheus.io/port: http-metrics
        prometheus.io/scrape: "true"
    spec:
-      priorityClassName: system-node-critical
      serviceAccountName: promtail
      containers:
        - name: promtail
-          image: "grafana/promtail:2.9.15"
+          image: "grafana/promtail:3.3.1"
          imagePullPolicy: IfNotPresent
          args:
            - "-config.file=/etc/promtail/promtail.yaml"
--- a/manifests/monitoring/vmagent.yaml
+++ b/manifests/monitoring/vmagent.yaml
@@ -17,11 +17,6 @@ data:
    - job_name: 'vmagent'
      static_configs:
        - targets: ['localhost:8429']
-      relabel_configs:
-      - action: drop
-        source_labels: [__name__]
-        regex: "flag"
-
    - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      job_name: kubernetes-nodes
      kubernetes_sd_configs:
@@ -41,38 +36,6 @@ data:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        insecure_skip_verify: true

-    - job_name: cadvisor
-      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-      scheme: https
-      tls_config:
-        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-        insecure_skip_verify: true
-      kubernetes_sd_configs:
-      - role: node
-      relabel_configs:
-      - action: labelmap
-        regex: __meta_kubernetes_node_label_(.+)
-      - replacement: kubernetes.default.svc:443
-        target_label: __address__
-      - source_labels: [__meta_kubernetes_node_name]
-        regex: (.+)
-        target_label: __metrics_path__
-        replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
-      # Drop high cardinality labels
-      - action: labeldrop
-        regex: id
-      # Drop unneeded labels
-      - action: labeldrop
-        regex: beta_kubernetes_io_os
-      - action: labeldrop
-        regex: beta_kubernetes_io_arch
-      - action: labeldrop
-        regex: kubernetes_io_arch
-      - action: labeldrop
-        regex: kubernetes_io_os
-      - action: labeldrop
-        regex: topology_jiva_openebs_io_nodeName
-
    - job_name: kubernetes-service-endpoints
      kubernetes_sd_configs:
      - role: endpoints
@@ -115,21 +78,6 @@ data:
        source_labels:
        - __meta_kubernetes_pod_node_name
        target_label: kubernetes_node
-      # We don't care about the flag metrics from VM
-      - action: drop
-        source_labels: [__name__]
-        regex: "flag"
-      # Drop unneeded labels
-      - action: labeldrop
-        regex: beta_kubernetes_io_os
-      - action: labeldrop
-        regex: beta_kubernetes_io_arch
-      - action: labeldrop
-        regex: kubernetes_io_arch
-      - action: labeldrop
-        regex: kubernetes_io_os
-      - action: labeldrop
-        regex: topology_jiva_openebs_io_nodeName

    - job_name: kubernetes-pods
      kubernetes_sd_configs:
@@ -168,17 +116,6 @@ data:
        regex: Pending|Succeeded|Failed
        source_labels:
        - __meta_kubernetes_pod_phase
-      # Drop unneeded labels
-      - action: labeldrop
-        regex: beta_kubernetes_io_os
-      - action: labeldrop
-        regex: beta_kubernetes_io_arch
-      - action: labeldrop
-        regex: kubernetes_io_arch
-      - action: labeldrop
-        regex: kubernetes_io_os
-      - action: labeldrop
-        regex: topology_jiva_openebs_io_nodeName

    - job_name: 'node-exporter'
      kubernetes_sd_configs:
@@ -213,11 +150,10 @@ spec:
        app.kubernetes.io/name: victoria-metrics
        app.kubernetes.io/component: agent
    spec:
-      priorityClassName: system-cluster-critical
      serviceAccountName: prometheus-server
      containers:
        - name: vmagent
-          image: "victoriametrics/vmagent:v1.126.0"
+          image: "victoriametrics/vmagent:v1.107.0"
          imagePullPolicy: "IfNotPresent"
          args:
            - -remoteWrite.url=http://vmcluster.auth-proxy.svc/insert/0/prometheus/
--- a/manifests/nextcloud_chart/manifest.yaml
+++ b/manifests/nextcloud_chart/manifest.yaml
@@ -201,10 +201,9 @@ spec:
        app.kubernetes.io/component: app
        nextcloud-nextcloud-redis-client: "true"
    spec:
-      priorityClassName: critical
      containers:
      - name: nextcloud
-        image: "nextcloud:31.0.9-apache"
+        image: "nextcloud:30.0.4-apache"
        imagePullPolicy: IfNotPresent
        env:
        - name: SQLITE_DATABASE
@@ -283,10 +282,7 @@ spec:
          periodSeconds: 10
        resources:
          requests:
-            cpu: 1038m
-            memory: 512M
-          limits:
-            cpu: 1200m
+            memory: 450Mi
        volumeMounts:
        - name: nextcloud-data
          mountPath: /var/www/
@@ -378,7 +374,7 @@ spec:
          restartPolicy: Never
          containers:
            - name: nextcloud
-              image: "nextcloud:31.0.9-apache"
+              image: "nextcloud:30.0.4-apache"
              imagePullPolicy: IfNotPresent
              command: [ "curl" ]
              args:
--- a/manifests/nginx-lb/nginx-lb.yaml
+++ b/manifests/nginx-lb/nginx-lb.yaml
@@ -15,6 +15,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx
  namespace: ingress-nginx
 ---
@@ -26,6 +27,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
@@ -37,6 +39,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx
  namespace: ingress-nginx
 rules:
@@ -141,6 +144,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
 rules:
@@ -159,6 +163,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx
 rules:
 - apiGroups:
@@ -240,6 +245,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -258,6 +264,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx
  namespace: ingress-nginx
 roleRef:
@@ -277,6 +284,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
 roleRef:
@@ -295,6 +303,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@@ -313,6 +322,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
@@ -325,7 +335,6 @@ subjects:
 ---
 apiVersion: v1
 data:
-  annotations-risk-level: Critical
  allow-snippet-annotations: "true"
  use-proxy-protocol: "true"
  log-format-upstream: '{"time": "$time_iso8601", "request_id": "$req_id", "remote_user": "$remote_user", "remote_addr_masked": "$remote_addr_masked", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "host": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time,"method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "redirect_location": "$redirect_location" }'
@@ -360,6 +369,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
 ---
@@ -395,6 +405,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@@ -427,6 +438,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
 spec:
@@ -449,6 +461,7 @@ metadata:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
+    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
@@ -492,7 +505,7 @@ spec:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.13.2@sha256:1f7eaeb01933e719c8a9f4acd8181e555e582330c7d50f24484fb64d2ba9b2ef
+        image: registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
@@ -533,7 +546,7 @@ spec:
        resources:
          requests:
            cpu: 100m
-            memory: 150Mi
+            memory: 90Mi
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
@@ -702,20 +715,3 @@ webhooks:
    resources:
    - ingresses
  sideEffects: None
---
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-  name: ingress-nginx
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/component: controller
-      app.kubernetes.io/instance: ingress-nginx
-      app.kubernetes.io/name: ingress-nginx
-  minAvailable: 1
--- a/manifests/nodered/nodered.yaml
+++ b/manifests/nodered/nodered.yaml
@@ -57,7 +57,7 @@ spec:
          - name: data
            mountPath: /data
      - name: update-native-modules
-        image: nodered/node-red:4.1.0-18
+        image: nodered/node-red:4.0.5-18
        imagePullPolicy: IfNotPresent
        command:
          - bash
@@ -66,14 +66,12 @@ spec:
            cd /data
            npm rebuild
            npm install tldts
-            npm install @atproto/api
-            npm install node-fetch
        volumeMounts:
          - name: data
            mountPath: /data
      containers:
      - name: web
-        image: nodered/node-red:4.1.0-18
+        image: nodered/node-red:4.0.5-18
        imagePullPolicy: Always
        ports:
        - containerPort: 1880
--- a/manifests/opengraph/opengraph.yaml
+++ b/manifests/opengraph/opengraph.yaml
@@ -47,10 +47,11 @@ metadata:
  namespace: opengraph
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
-  ingressClassName: nginx
  tls:
  - hosts:
    - opengraph.cluster.fun
--- a/manifests/outline/outline.yaml
+++ b/manifests/outline/outline.yaml
@@ -43,10 +43,9 @@ spec:
      labels:
        app.kubernetes.io/name: outline
    spec:
-      priorityClassName: critical
      containers:
      - name: outline
-        image: outlinewiki/outline:0.87.4
+        image: outlinewiki/outline:0.81.1
        imagePullPolicy: IfNotPresent
        env:
        - name: ALLOWED_DOMAINS
@@ -73,7 +72,7 @@ spec:
        resources:
          requests:
            cpu: 8m
-            memory: 1024Mi
+            memory: 800Mi
        volumeMounts:
          - mountPath: /opt/outline/.env
            subPath: .env
--- a/manifests/priority-classes/critical.yaml
+++ b/manifests/priority-classes/critical.yaml
@@ -1,7 +0,0 @@
-apiVersion: scheduling.k8s.io/v1
-kind: PriorityClass
-metadata:
-  name: critical
-value: 1000
-globalDefault: false
-preemptionPolicy: PreemptLowerPriority
--- a/manifests/priority-classes/low.yaml
+++ b/manifests/priority-classes/low.yaml
@@ -1,7 +0,0 @@
-apiVersion: scheduling.k8s.io/v1
-kind: PriorityClass
-metadata:
-  name: low
-value: 10
-globalDefault: false
-preemptionPolicy: Never
--- a/manifests/priority-classes/normal.yaml
+++ b/manifests/priority-classes/normal.yaml
@@ -1,7 +0,0 @@
-apiVersion: scheduling.k8s.io/v1
-kind: PriorityClass
-metadata:
-  name: normal
-value: 100
-globalDefault: true
-preemptionPolicy: PreemptLowerPriority
--- a/manifests/proxy-civo/non-auth-proxy.yaml
+++ b/manifests/proxy-civo/non-auth-proxy.yaml
@@ -0,0 +1,149 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tailscale-auth
+  namespace: proxy-civo
+  annotations:
+    kube-1password: 2cqycmsgv5r7vcyvjpblcl2l4y
+    kube-1password/vault: Kubernetes
+type: Opaque
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: host-mappings
+  namespace: proxy-civo
+  labels:
+    app: proxy
+data:
+  mapping.json: |
+    {
+      "vmcluster.proxy-civo.svc": "vmcluster.cluster.local",
+      "loki.proxy-civo.svc": "loki-write.cluster.local",
+      "loki.proxy-civo.svc:80": "loki-write.cluster.local",
+      "loki-distributed.proxy-civo.svc": "loki-loki.cluster.local",
+      "loki-distributed.proxy-civo.svc:80": "loki-loki.cluster.local"
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: internal-proxy
+  namespace: proxy-civo
+  labels:
+    app: internal-proxy
+  annotations:
+    configmap.reloader.stakater.com/reload: "host-mappings"
+    secret.reloader.stakater.com/reload: "tailscale-auth"
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: internal-proxy
+  template:
+    metadata:
+      labels:
+        app: internal-proxy
+    spec:
+      serviceAccountName: default
+      dnsPolicy: ClusterFirst
+      dnsConfig:
+        nameservers:
+          - 100.100.100.100
+      containers:
+      - name: proxy
+        image: rg.fr-par.scw.cloud/averagemarcus/proxy:latest
+        imagePullPolicy: Always
+        env:
+        - name: PROXY_DESTINATION
+          value: talos.tail4dfb.ts.net
+        - name: PORT
+          value: "8080"
+        - name: TS_AUTH_KEY
+          valueFrom:
+            secretKeyRef:
+              name: tailscale-auth
+              key: password
+        - name: TS_HOSTNAME
+          value: proxy-civo-internal-proxy
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        volumeMounts:
+        - name: host-mappings
+          mountPath: /config/
+      volumes:
+      - name: host-mappings
+        configMap:
+          name: host-mappings
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: loki
+  namespace: proxy-civo
+  labels:
+    app: internal-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: internal-proxy
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: loki-distributed
+  namespace: proxy-civo
+  labels:
+    app: internal-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: internal-proxy
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: prometheus
+  namespace: proxy-civo
+  labels:
+    app: internal-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: internal-proxy
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vmcluster
+  namespace: proxy-civo
+  labels:
+    app: internal-proxy
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: internal-proxy
+  type: ClusterIP
+---
--- a/manifests/qr/qr.yaml
+++ b/manifests/qr/qr.yaml
@@ -47,10 +47,11 @@ metadata:
  namespace: qr
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
-  ingressClassName: nginx
  tls:
  - hosts:
    - qr.cluster.fun
--- a/manifests/redis/redis.yaml
+++ b/manifests/redis/redis.yaml
@@ -327,10 +327,9 @@ spec:
              weight: 1
        nodeAffinity:
      terminationGracePeriodSeconds: 30
-      priorityClassName: critical
      containers:
        - name: redis
-          image: docker.io/bitnamilegacy/redis:7.2.4-debian-11-r11
+          image: docker.io/bitnami/redis:7.2.4-debian-11-r11
          imagePullPolicy: "IfNotPresent"
          securityContext:
            runAsUser: 1001
@@ -472,7 +471,7 @@ spec:
      terminationGracePeriodSeconds: 30
      containers:
        - name: redis
-          image: docker.io/bitnamilegacy/redis:7.2.4-debian-11-r11
+          image: docker.io/bitnami/redis:7.2.4-debian-11-r11
          imagePullPolicy: "IfNotPresent"
          securityContext:
            runAsUser: 1001
--- a/manifests/rss/miniflux.yaml
+++ b/manifests/rss/miniflux.yaml
@@ -25,8 +25,6 @@ data:
  POLLING_FREQUENCY: "15"
  BASE_URL: "https://miniflux.cluster.fun/"
  METRICS_COLLECTOR: "1"
-  CLEANUP_ARCHIVE_READ_DAYS: "365"
-  CLEANUP_ARCHIVE_UNREAD_DAYS: "365"
 ---
 apiVersion: v1
 kind: Service
@@ -68,7 +66,7 @@ spec:
    spec:
      containers:
      - name: web
-        image: ghcr.io/miniflux/miniflux:2.2.13
+        image: ghcr.io/miniflux/miniflux:2.2.3
        imagePullPolicy: IfNotPresent
        envFrom:
        - configMapRef:
--- a/manifests/social-to-rolodex/social-to-rolodex.yaml
+++ b/manifests/social-to-rolodex/social-to-rolodex.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: docker-config
-  namespace: social-to-rolodex
+  namespace: social-to-grist
  annotations:
    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
    kube-1password/vault: Kubernetes
@@ -14,8 +14,8 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: social-to-rolodex-auth
-  namespace: social-to-rolodex
+  name: social-to-grist-auth
+  namespace: social-to-grist
  annotations:
    kube-1password: mr6spkkx7n3memkbute6ojaarm
    kube-1password/vault: Kubernetes
@@ -24,8 +24,8 @@ type: Opaque
 apiVersion: v1
 kind: Secret
 metadata:
-  name: social-to-rolodex
-  namespace: social-to-rolodex
+  name: social-to-grist
+  namespace: social-to-grist
  annotations:
    kube-1password: oa3ycnui3ji4lc665bifaao63q
    kube-1password/vault: Kubernetes
@@ -35,8 +35,8 @@ type: Opaque
 apiVersion: v1
 kind: Service
 metadata:
-  name: social-to-rolodex
-  namespace: social-to-rolodex
+  name: social-to-grist
+  namespace: social-to-grist
 spec:
  type: ClusterIP
  ports:
@@ -44,22 +44,22 @@ spec:
    targetPort: auth
    name: web
  selector:
-    app: social-to-rolodex
+    app: social-to-grist
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: social-to-rolodex
-  namespace: social-to-rolodex
+  name: social-to-grist
+  namespace: social-to-grist
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app: social-to-rolodex
+      app: social-to-grist
  template:
    metadata:
      labels:
-        app: social-to-rolodex
+        app: social-to-grist
    spec:
      imagePullSecrets:
        - name: docker-config
@@ -70,7 +70,7 @@ spec:
        - --provider-display-name=Auth0
        - --upstream=http://localhost:8080
        - --http-address=$(HOST_IP):8000
-        - --redirect-url=https://social-to-rolodex.cluster.fun/oauth2/callback
+        - --redirect-url=https://social-to-grist.cluster.fun/oauth2/callback
        - --email-domain=marcusnoble.co.uk
        - --pass-basic-auth=false
        - --pass-access-token=false
@@ -86,13 +86,13 @@ spec:
          valueFrom:
            secretKeyRef:
              key: username
-              name: social-to-rolodex-auth
+              name: social-to-grist-auth
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: password
-              name: social-to-rolodex-auth
-        image: quay.io/oauth2-proxy/oauth2-proxy:v7.12.0
+              name: social-to-grist-auth
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1
        name: oauth-proxy
        ports:
        - containerPort: 8000
@@ -104,14 +104,14 @@ spec:
          requests:
            memory: 50Mi
      - name: web
-        image: rg.fr-par.scw.cloud/averagemarcus-private/social-to-rolodex:latest
+        image: rg.fr-par.scw.cloud/averagemarcus-private/social-to-grist:latest
        imagePullPolicy: Always
        env:
        - name: PORT
          value: "8080"
        envFrom:
        - secretRef:
-            name: "social-to-rolodex"
+            name: "social-to-grist"
        ports:
        - containerPort: 8080
          name: web
@@ -125,26 +125,27 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: social-to-rolodex
-  namespace: social-to-rolodex
+  name: social-to-grist
+  namespace: social-to-grist
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
-  ingressClassName: nginx
  tls:
  - hosts:
-    - social-to-rolodex.cluster.fun
-    secretName: social-to-rolodex-ingress
+    - social-to-grist.cluster.fun
+    secretName: social-to-grist-ingress
  rules:
-  - host: social-to-rolodex.cluster.fun
+  - host: social-to-grist.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
-            name: social-to-rolodex
+            name: social-to-grist
            port:
              number: 80
--- a/manifests/starling/starling.yaml
+++ b/manifests/starling/starling.yaml
@@ -0,0 +1,106 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: docker-config
+  namespace: starling
+  annotations:
+    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .dockerconfigjson
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: e30=
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: starling
+  namespace: starling
+  annotations:
+    kube-1password: ufxpki65ffgprn2upksirweeie
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-parse: "true"
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: starling
+  namespace: starling
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: starling
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: starling
+  namespace: starling
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: starling
+  template:
+    metadata:
+      labels:
+        app: starling
+    spec:
+      imagePullSecrets:
+        - name: docker-config
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus-private/starling:latest
+        imagePullPolicy: Always
+        env:
+        - name: PORT
+          value: "3000"
+        - name: SHARED_SECRET
+          valueFrom:  
+            secretKeyRef:
+              name: starling
+              key: SHARED_SECRET
+        - name: ACCESS_TOKEN
+          valueFrom:  
+            secretKeyRef:
+              name: starling
+              key: ACCESS_TOKEN
+        ports:
+        - containerPort: 3000
+          name: web
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            memory: 50Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: starling
+  namespace: starling
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - starling.marcusnoble.co.uk
+    secretName: starling-ingress
+  rules:
+  - host: starling.marcusnoble.co.uk
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: starling
+            port:
+              number: 80
--- a/manifests/svg-to-dxf/svg-to-dxf.yaml
+++ b/manifests/svg-to-dxf/svg-to-dxf.yaml
@@ -27,7 +27,6 @@ spec:
      labels:
        app: svg-to-dxf
    spec:
-      priorityClassName: low
      containers:
      - name: web
        image: rg.fr-par.scw.cloud/averagemarcus/svg-to-dxf:latest
@@ -46,11 +45,14 @@ metadata:
  namespace: svg-to-dxf
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/buffering: |
+      maxrequestbodybytes: 31457280
+      memrequestbodybytes: 62914560
 spec:
-  ingressClassName: nginx
  tls:
  - hosts:
    - svg-to-dxf.cluster.fun
--- a/manifests/talks/talks.yaml
+++ b/manifests/talks/talks.yaml
@@ -1,3 +1,45 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: talks
+  namespace: talks
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: talks
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: talks
+  namespace: talks
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: talks
+  template:
+    metadata:
+      labels:
+        app: talks
+    spec:
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/talks:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+          name: web
+        resources:
+          limits:
+            memory: 20Mi
+          requests:
+            memory: 20Mi
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -5,13 +47,24 @@ metadata:
  namespace: talks
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/permanent-redirect: https://speaking.marcusnoble.co.uk
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
-  ingressClassName: nginx
  tls:
  - hosts:
    - talks.marcusnoble.co.uk
    secretName: talks-ingress
  rules:
  - host: talks.marcusnoble.co.uk
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: talks
+            port:
+              number: 80
+
--- a/manifests/text-to-dxf/text-to-dxf.yaml
+++ b/manifests/text-to-dxf/text-to-dxf.yaml
@@ -27,7 +27,6 @@ spec:
      labels:
        app: text-to-dxf
    spec:
-      priorityClassName: low
      containers:
      - name: web
        image: rg.fr-par.scw.cloud/averagemarcus/text-to-dxf:latest
@@ -46,10 +45,11 @@ metadata:
  namespace: text-to-dxf
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
-  ingressClassName: nginx
  tls:
  - hosts:
    - text-to-dxf.cluster.fun
--- a/manifests/til/til.yaml
+++ b/manifests/til/til.yaml
@@ -1,3 +1,45 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: til
+  namespace: til
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: til
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: til
+  namespace: til
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: til
+  template:
+    metadata:
+      labels:
+        app: til
+    spec:
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/til:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+          name: web
+        resources:
+          limits:
+            memory: 20Mi
+          requests:
+            memory: 20Mi
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -5,25 +47,24 @@ metadata:
  namespace: til
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/server-snippet: |
-      rewrite ^/dont-reuse-keys/?$ https://marcusnoble.co.uk/2020-10-03-t-i-l-don-t-reuse-api-keys/ permanent;
-      rewrite ^/favicons/?$ https://marcusnoble.co.uk/2020-11-10-t-i-l-how-to-get-the-favicon-of-any-site/ permanent;
-      rewrite ^/getopts/?$ https://marcusnoble.co.uk/2021-08-04-t-i-l-cli-flag-handling-in-bash-using-getopts/ permanent;
-      rewrite ^/go-named-return-values/?$ https://marcusnoble.co.uk/2020-10-05-t-i-l-named-returns-in-go-functions/ permanent;
-      rewrite ^/golang-append/?$ https://marcusnoble.co.uk/2020-10-30-t-i-l-golang-s-append-mutates-the-provided-array/ permanent;
-      rewrite ^/golang-split-by-space/?$ https://marcusnoble.co.uk/2020-09-18-t-i-l-split-on-spaces-in-go/ permanent;
-      rewrite ^/kubectl-replace/?$ https://marcusnoble.co.uk/2020-09-25-t-i-l-kubectl-replace/ permanent;
-      rewrite ^/kubernetes-label-length/?$ https://marcusnoble.co.uk/2021-04-20-t-i-l-kubernetes-label-length/ permanent;
-      rewrite ^/tekton-multi-arch-builds/?$ https://marcusnoble.co.uk/2020-09-13-t-i-l-tekton-multi-arch-image-builds/ permanent;
-      rewrite ^/yaml-key-spaces/?$ https://marcusnoble.co.uk/2021-05-11-t-i-l-yaml-keys-allow-for-spaces-in-them/ permanent;
-      rewrite ^/yaml-multiline/?$ https://marcusnoble.co.uk/2020-09-17-t-i-l-yaml-multiline-values/ permanent;
-      rewrite ^/?$ https://marcusnoble.co.uk/ permanent;
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
-  ingressClassName: nginx
  tls:
  - hosts:
    - til.marcusnoble.co.uk
    secretName: til-ingress
  rules:
  - host: til.marcusnoble.co.uk
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: til
+            port:
+              number: 80
+
--- a/manifests/traefik/traefik.yaml
+++ b/manifests/traefik/traefik.yaml
@@ -45,7 +45,7 @@ spec:
        - --entrypoints.websecure.http.tls=true
        - --entrypoints.web.http.redirections.entrypoint.to=websecure
        - --entrypoints.web.http.redirections.entrypoint.scheme=https
-        image: rancher/mirrored-library-traefik:2.11.29
+        image: rancher/mirrored-library-traefik:2.11.11
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
--- a/manifests/tweetsvg/tweetsvg.yaml
+++ b/manifests/tweetsvg/tweetsvg.yaml
@@ -0,0 +1,92 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tweetsvg
+  namespace: tweetsvg
+  annotations:
+    kube-1password: dmjtjxrcpqtmeddq5x7zikj37i
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .env
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tweetsvg
+  namespace: tweetsvg
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 8080
+    name: web
+  selector:
+    app: tweetsvg
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tweetsvg
+  namespace: tweetsvg
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: tweetsvg
+  template:
+    metadata:
+      labels:
+        app: tweetsvg
+    spec:
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/tweetsvg:latest
+        imagePullPolicy: Always
+        # env:
+        # - name: DOTENV_DIR
+        #   value: /config/
+        ports:
+        - containerPort: 8080
+          name: web
+        resources:
+          limits:
+            memory: 100Mi
+          requests:
+            memory: 100Mi
+        volumeMounts:
+          - name: dotenv
+            mountPath: /app/.env
+            subPath: .env
+      volumes:
+      - name: dotenv
+        secret:
+          secretName: tweetsvg
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: tweetsvg
+  namespace: tweetsvg
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  tls:
+  - hosts:
+    - tweet.cluster.fun
+    secretName: tweetsvg-ingress
+  rules:
+  - host: tweet.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: tweetsvg
+            port:
+              number: 80
+
--- a/manifests/twitter-profile-pic/twitter-profile-pic.yaml
+++ b/manifests/twitter-profile-pic/twitter-profile-pic.yaml
@@ -0,0 +1,86 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: twitter-profile-pic
+  namespace: twitter-profile-pic
+  annotations:
+    kube-1password: d2rt56v47q2wij47qgj27umrky
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .env
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: twitter-profile-pic
+  namespace: twitter-profile-pic
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 9090
+    name: web
+  selector:
+    app: twitter-profile-pic
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: twitter-profile-pic
+  namespace: twitter-profile-pic
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: twitter-profile-pic
+  template:
+    metadata:
+      labels:
+        app: twitter-profile-pic
+    spec:
+      containers:
+      - name: web
+        image: rg.fr-par.scw.cloud/averagemarcus/twitter-profile-pic:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 9090
+          name: web
+        resources:
+          limits:
+            memory: 100Mi
+          requests:
+            memory: 100Mi
+        volumeMounts:
+          - name: dotenv
+            mountPath: /app/.env
+            subPath: .env
+      volumes:
+      - name: dotenv
+        secret:
+          secretName: twitter-profile-pic
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: twitter-profile-pic-cluster-fun
+  namespace: twitter-profile-pic
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - twitter-profile-pic.cluster.fun
+    secretName: twitter-profile-pic-cluster-fun-ingress
+  rules:
+  - host: twitter-profile-pic.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: twitter-profile-pic
+            port:
+              number: 80
--- a/manifests/wallabag/wallabag.yaml
+++ b/manifests/wallabag/wallabag.yaml
@@ -0,0 +1,204 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: wallabag
+  namespace: wallabag
+  annotations:
+    kube-1password: 4yogl6yx6t4trrkq7o35tiyj6i
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-parse: "true"
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: wallabag
+  namespace: wallabag
+  labels:
+    app.kubernetes.io/name: wallabag
+  annotations:
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: http
+    protocol: TCP
+    name: http
+  selector:
+    app.kubernetes.io/name: wallabag
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: wallabag
+  namespace: wallabag
+  labels:
+    app.kubernetes.io/name: wallabag-init
+spec:
+  suspend: true
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: wallabag-init
+    spec:
+      restartPolicy: OnFailure
+      containers:
+      - name: db-init
+        image: "wallabag/wallabag:latest"
+        imagePullPolicy: IfNotPresent
+        envFrom:
+        - secretRef:
+            name: wallabag
+        env:
+          - name: "SYMFONY__ENV__DATABASE_CHARSET"
+            value: "utf8"
+          - name: "SYMFONY__ENV__DATABASE_DRIVER"
+            value: "pdo_pgsql"
+          - name: "SYMFONY__ENV__DATABASE_NAME"
+            value: "wallabag"
+          - name: "SYMFONY__ENV__DATABASE_TABLE_PREFIX"
+            value: "wallabag_"
+          - name: "SYMFONY__ENV__DOMAIN_NAME"
+            value: "https://wallabag.cluster.fun"
+          - name: "SYMFONY__ENV__FOSUSER_REGISTRATION"
+            value: "false"
+          - name: "SYMFONY__ENV__LOCALE"
+            value: "en"
+          - name: "TZ"
+            value: "UTC"
+        command:
+        - /var/www/wallabag/bin/console
+        - wallabag:install
+        - --env=prod
+        - --no-interaction
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wallabag
+  namespace: wallabag
+  labels:
+    app.kubernetes.io/name: wallabag
+spec:
+  revisionHistoryLimit: 3
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: wallabag
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: wallabag
+    spec:
+      initContainers:
+        - name: db-migrate
+          image: "wallabag/wallabag:2.6.10"
+          imagePullPolicy: IfNotPresent
+          command:
+          - /var/www/wallabag/bin/console
+          - doctrine:migrations:migrate
+          - --env=prod
+          - --no-interaction
+          envFrom:
+          - secretRef:
+              name: wallabag
+          env:
+            - name: "SYMFONY__ENV__DATABASE_CHARSET"
+              value: "utf8"
+            - name: "SYMFONY__ENV__DATABASE_DRIVER"
+              value: "pdo_pgsql"
+            - name: "SYMFONY__ENV__DATABASE_NAME"
+              value: "wallabag"
+            - name: "SYMFONY__ENV__DATABASE_TABLE_PREFIX"
+              value: "wallabag_"
+            - name: "SYMFONY__ENV__DOMAIN_NAME"
+              value: "https://wallabag.cluster.fun"
+            - name: "SYMFONY__ENV__FOSUSER_REGISTRATION"
+              value: "false"
+            - name: "SYMFONY__ENV__LOCALE"
+              value: "en"
+            - name: "TZ"
+              value: "UTC"
+            - name: "POPULATE_DATABASE"
+              value: "false"
+      containers:
+        - name: wallabag
+          image: "wallabag/wallabag:2.6.10"
+          imagePullPolicy: IfNotPresent
+          envFrom:
+          - secretRef:
+              name: wallabag
+          env:
+            - name: "SYMFONY__ENV__DATABASE_CHARSET"
+              value: "utf8"
+            - name: "SYMFONY__ENV__DATABASE_DRIVER"
+              value: "pdo_pgsql"
+            - name: "SYMFONY__ENV__DATABASE_NAME"
+              value: "wallabag"
+            - name: "SYMFONY__ENV__DATABASE_TABLE_PREFIX"
+              value: "wallabag_"
+            - name: "SYMFONY__ENV__DOMAIN_NAME"
+              value: "https://wallabag.cluster.fun"
+            - name: "SYMFONY__ENV__FOSUSER_REGISTRATION"
+              value: "false"
+            - name: "SYMFONY__ENV__LOCALE"
+              value: "en"
+            - name: "TZ"
+              value: "UTC"
+            - name: "POPULATE_DATABASE"
+              value: "false"
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          readinessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          startupProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 0
+            failureThreshold: 30
+            timeoutSeconds: 1
+            periodSeconds: 5
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: wallabag
+  namespace: wallabag
+  labels:
+    app.kubernetes.io/name: wallabag
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  tls:
+    - hosts:
+        - "wallabag.cluster.fun"
+      secretName: "wallabag-ingress"
+  rules:
+    - host: "wallabag.cluster.fun"
+      http:
+        paths:
+          - path: "/"
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: wallabag
+                port:
+                  number: 80
--- a/manifests/yay-or-nay/yay-or-nay.yaml
+++ b/manifests/yay-or-nay/yay-or-nay.yaml
@@ -1,95 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: yay-or-nay
-  namespace: yay-or-nay
-  annotations:
-    kube-1password: vtnx2swze7r6qepxnlepufvcbi
-    kube-1password/vault: Kubernetes
-    kube-1password/secret-text-parse: "true"
-type: Opaque
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: yay-or-nay
-  labels:
-    app: yay-or-nay
-    app.kubernetes.io/name: yay-or-nay
-  annotations:
-    reloader.stakater.com/search: "true"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: yay-or-nay
-  template:
-    metadata:
-      labels:
-        app: yay-or-nay
-        app.kubernetes.io/name: yay-or-nay
-    spec:
-      containers:
-      - name: yay-or-nay
-        image: ghcr.io/mocdaniel/yay-or-nay:1.1.1
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 3000
-          name: web
-        envFrom:
-        - secretRef:
-            name: yay-or-nay
-        livenessProbe:
-          httpGet:
-            path: /
-            port: web
-          initialDelaySeconds: 10
-        readinessProbe:
-          httpGet:
-            path: /
-            port: web
-          initialDelaySeconds: 10
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: yay-or-nay
-  labels:
-    app.kubernetes.io/name: yay-or-nay
-spec:
-  type: ClusterIP
-  ports:
-  - port: 80
-    targetPort: web
-    name: web
-  selector:
-    app: yay-or-nay
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: yay-or-nay
-  namespace: yay-or-nay
-  labels:
-    app.kubernetes.io/name: yay-or-nay
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-spec:
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - "yay-or-nay.cluster.fun"
-      secretName: "yay-or-nay-ingress"
-  rules:
-    - host: "yay-or-nay.cluster.fun"
-      http:
-        paths:
-          - path: "/"
-            pathType: ImplementationSpecific
-            backend:
-              service:
-                name: yay-or-nay
-                port:
-                  name: web