build(deps): bump ghcr.io/0xerr0r/blocky in /kubernetes/system/blocky

Bumps [ghcr.io/0xerr0r/blocky](https://github.com/0xERR0R/blocky) from v0.24 to 0.29.0. - [Release notes](https://github.com/0xERR0R/blocky/releases) - [Commits](https://github.com/0xERR0R/blocky/compare/v0.24...v0.29.0) --- updated-dependencies: - dependency-name: ghcr.io/0xerr0r/blocky dependency-version: 0.29.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
2026-05-08 17:47:24 +00:00 · 2026-05-02 13:30:00 +00:00
29 changed files with 86 additions and 562 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,7 +16,6 @@ updates:
      - "/docker/infrastructure/network/traefik"
      - "/docker/infrastructure/squid"
      - "/docker/infrastructure/sshportal"
-      - "/docker/personal/fireshare"
      - "/docker/personal/gramps"
      - "/docker/personal/media/films-series/jackett"
      - "/docker/personal/media/films-series/jellyfin"
@@ -53,7 +52,6 @@ updates:
      - "/kubernetes/personal/photoprism"
      - "/kubernetes/production/umami"
      - "/kubernetes/system/blocky"
-      - "/kubernetes/system/caddy"
      - "/kubernetes/system/coredns"
      - "/kubernetes/system/csi-driver-nfs"
      - "/kubernetes/system/external-dns"
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,7 +3,7 @@ creation_rules:
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
    pgp: DC6910268E657FF70BA7EC289974494E76938DDC
  - path_regex: .*.yaml
-    encrypted_regex: ^(data|stringData|.*.key|.*.crt)$
+    encrypted_regex: ^(data|stringData)$
    pgp: DC6910268E657FF70BA7EC289974494E76938DDC
  - path_regex: .*.env$
    input_type: dotenv
--- a/.swarmcd/stacks.yaml
+++ b/.swarmcd/stacks.yaml
@@ -53,13 +53,6 @@ sshportal:
  branch: main
  compose_file: docker/infrastructure/sshportal/docker-compose.yml

-fireshare:
-  repo: homeprod
-  branch: main
-  compose_file: docker/personal/fireshare/docker-compose.yml
-  sops_files:
-    - docker/personal/fireshare/.env
-
 gramps:
  repo: homeprod
  branch: main
--- a/README.md
+++ b/README.md
@@ -80,13 +80,3 @@ This setup allows running multiple applications, either self-hosted applications
 | <img width=32 src="https://avatars.githubusercontent.com/u/26692192"> | Navidrome | Personal music streaming service |
 | <img width=32 src="https://avatars.githubusercontent.com/u/102734415"> | TubeArchivist | YouTube archiver |
 | <img width=24 src="https://radicale.org/assets/logo.svg"> | Radicale | Calendar and contacts server |
-
-
-## Docs (internal, using this repository)
-
-This repository uses pre-commit hooks to automate tasks like file encryption and configuration generation.
-
-After cloning, install the pre-commit hooks:
-```bash
-pre-commit install
-```
--- a/dns/production/vhaudiquet.fr.yaml
+++ b/dns/production/vhaudiquet.fr.yaml
@@ -355,13 +355,6 @@ canada:
  ttl: 300
  type: A
  value: 192.99.6.159
-clips:
-  octodns:
-    cloudflare:
-      auto-ttl: true
-  ttl: 300
-  type: A
-  value: 83.113.30.49
 flix:
  octodns:
    cloudflare:
--- a/docker/home/esphome/docker-compose.yml
+++ b/docker/home/esphome/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  esphome:
-    image: ghcr.io/esphome/esphome:2026.4.4
+    image: ghcr.io/esphome/esphome:2026.4.3
    ports:
      - "6052"
    networks:
--- a/docker/home/n8n/docker-compose.yml
+++ b/docker/home/n8n/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  n8n:
-    image: docker.n8n.io/n8nio/n8n:2.19.2
+    image: docker.n8n.io/n8nio/n8n:2.18.4
    environment:
      - TZ=Europe/Paris
      - N8N_SECURE_COOKIE=false
--- a/docker/infrastructure/mail/stalwart/docker-compose.yml
+++ b/docker/infrastructure/mail/stalwart/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  stalwart:
-    image: stalwartlabs/stalwart:v0.16.4
+    image: stalwartlabs/stalwart:v0.16.2
    container_name: stalwart
    networks:
      - default
--- a/docker/infrastructure/network/traefik/docker-compose.yml
+++ b/docker/infrastructure/network/traefik/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  traefik:
-    image: traefik:v3.7
+    image: traefik:3.6
    command: 
      - "--configFile=/etc/traefik/traefik.yml"
    ports:
--- a/docker/personal/fireshare/.env
+++ b/docker/personal/fireshare/.env
@@ -1,11 +0,0 @@
-ADMIN_USERNAME=ENC[AES256_GCM,data:8ngfC8VHpaaGCQ==,iv:Ze7ThfWmAWj0ZvV3A7Pd+aqAW/pahkTZhdFC/TnAwZ0=,tag:KCFdGV1dEw3e+q6FBgy2cw==,type:str]
-ADMIN_PASSWORD=ENC[AES256_GCM,data:UhxEMnqYDyfgffqUf3Q=,iv:VvNX867P+w20Y7laG0R0c4BUw1uICeyF5SU3+waosRE=,tag:JL4GC+UZY3TqSmCq14CTpg==,type:str]
-SECRET_KEY=ENC[AES256_GCM,data:uahYXYr4DvavNMTTdcDA0hdp5wj3OLret3fPF1DEc2lis+E7/fe45DWFuhUu8RAK76tuheA=,iv:Lofc+PP7Rtg99l36yOx6bt0i8hg1DJXzwSKQNJCRYPw=,tag:AiUGZOiLyjKItf++Gya+eA==,type:str]
-DOMAIN=ENC[AES256_GCM,data:LyJ7RAgrioTltNQ/BKoPbEN8XQ==,iv:IHrT5TkaXuIhkfN/nHcapz4CNBG0t9lbzrHDjp04JLw=,tag:gjSa/tSVEqk6pXrfhjs7gQ==,type:str]
-sops_lastmodified=2026-05-06T17:05:48Z
-sops_mac=ENC[AES256_GCM,data:wRtDnVQkNsc1MtxSpbuVDuACkCwunYeyYSaQX2Tglm2kwOnx9iCyhuWY6RMYu5nfyJ1CT1kfqeGrGxhJ5uMDee29eLUv844X3hIXwpMT50jHFXEtfKLfRMfqpv9r9mbp2EP9VNDUtPyIwDk5vSjGeaYqEWtHW/q5y9qIrzqqy5g=,iv:UG4XGi3Qo8/nAddY+rzJm1AKIAmJjtR+2bDqSeaVxG4=,tag:SL2rvrxFmMfgyUyMqFIZEQ==,type:str]
-sops_pgp__list_0__map_created_at=2026-05-06T17:05:48Z
-sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//b6zlRVKrqzzszBJmnOUlfeZd5m2ekYv/zIBr4oxHyn5L\neLLff+N7hjBVSajg9Qg7GBQv7s3DX70vHTpdUP38UEO1aM0l3eU1JCwA4Hdh7Ds5\nnq330vUKhIAd+K8Vv4Ei9YHpj+kgMnt+R780qZUg18D39TAnx36q9b5SKzZCUsks\n3YM+G8pHLRipZhxp6zwhOPHVSnImOFjty4d6JV6Zes9zfslaETgva7p5DIKP0ttf\nI2JRacvL75MMp1USyqGKt7Bpl6Yz4VxY49aea+FxDlbzCVLuBBgZMoEjhPQifQfh\nB6OObmu1cVhECidrMHmqDBNqgKsNLble+g3Le+gJdn/zKxVc+q+cPPuk/JdT8tfv\nZTei6jg66IREZOrZCP3Gt4OB5LbkLdS0NET2CMVAYkGQvGrSC+diwUnFkI+WEh+p\noZhvgp/ytBgaw6ZyNPmvkGkFeFg1/ISpOHkVQ+P6Pnot8h4HvuI/KcBwJRCrtdbg\n+XMpqeQdmCnM04v5Uq1NVqRWHD0yvd7GHDOZCqJPMFHP0M6R+SwHq+8+pgbO3jxt\n+426MvhNKw8xWMtnUIO8sSSkzgOfT6vFXmzQvIawbXvitjGjiElkpmT5Hz3hn1Bm\nnu8CivqLwL4Gs1Uc2m6qHGkvGqxWwcHABWqftAk3VfhmjcFDwAyWROlCuD+A15PS\nXgE1wn9jLesXaiCwzAp4AOstkk0fR2yio4fa9dCeenzuedULNLuCyJfYtSm4QlSU\nvffH4iL8X/R24s6SdPsCIuNnAeKc0P4E55AlOaeZN4HcZzfspVikAZx+bK14JS8=\n=KGp6\n-----END PGP MESSAGE-----
-sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
-sops_unencrypted_suffix=_unencrypted
-sops_version=3.10.2
--- a/docker/personal/fireshare/docker-compose.yml
+++ b/docker/personal/fireshare/docker-compose.yml
@@ -1,58 +0,0 @@
-services:
-  fireshare:
-    container_name: fireshare
-    image: shaneisrael/fireshare:1.6.10-lite
-    ports:
-      - "80"
-    volumes:
-      - data:/data
-      - processed:/processed
-      - video:/videos
-      - images:/images
-    env_file:
-      - .env
-    environment:
-      # PUID/PGID: the user/group ID the container runs as. Files written to your
-      # volumes (data, processed, videos, images) will be owned by this user. Set these to
-      # match the owner of your host directories to avoid permission errors.
-      # Run `id` on your host to find your UID and GID.
-      - PUID=1000
-      - PGID=1000
-    networks:
-      - default
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.fireshare.rule=Host(`clips.vhaudiquet.fr`)"
-      - "traefik.http.services.fireshare.loadbalancer.server.port=80"
-
-volumes:
-  data:
-    driver: local
-    driver_opts:
-      type: 'none'
-      o: 'bind'
-      device: '/app/fireshare/data'
-  processed:
-    driver: local
-    driver_opts:
-      type: 'none'
-      o: 'bind'
-      device: '/app/fireshare/processed'
-  video:
-    driver: local
-    driver_opts:
-      type: 'none'
-      o: 'bind'
-      device: '/app/fireshare/video'
-  images:
-    driver: local
-    driver_opts:
-      type: 'none'
-      o: 'bind'
-      device: '/app/fireshare/images'
-
-networks:
-  proxy:
-    external: true
-    name: proxy
--- a/docker/personal/gramps/docker-compose.yml
+++ b/docker/personal/gramps/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
  grampsweb:
    container_name: grampsweb
-    image: ghcr.io/gramps-project/grampsweb:26.5.0
+    image: ghcr.io/gramps-project/grampsweb:26.4.3
    restart: always
    networks:
      - default
@@ -31,7 +31,7 @@ services:

  grampsweb_celery:
    container_name: grampsweb_celery
-    image: ghcr.io/gramps-project/grampsweb:26.5.0
+    image: ghcr.io/gramps-project/grampsweb:26.4.3
    restart: always
    environment:
      - GRAMPSWEB_TREE="Gramps Web"  # will create a new tree if not exists
@@ -52,7 +52,7 @@ services:
    command: celery -A gramps_webapi.celery worker --loglevel=INFO --concurrency=2

  grampsweb_redis:
-    image: docker.io/library/redis:8.6.3-alpine
+    image: docker.io/library/redis:8.6.2-alpine
    container_name: grampsweb_redis
    restart: always

--- a/docker/personal/media/films-series/jackett/docker-compose.yml
+++ b/docker/personal/media/films-series/jackett/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
  jackett:
    container_name: jackett
-    image: ghcr.io/hotio/jackett:release-v0.24.1815
+    image: ghcr.io/hotio/jackett:release-v0.24.1789
    ports:
      - "9117"
    networks:
--- a/docker/personal/media/films-series/jellyfin/docker-compose.yml
+++ b/docker/personal/media/films-series/jellyfin/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  jellyfin:
-    image: jellyfin/jellyfin:2026050514
+    image: jellyfin/jellyfin:2026042706
    container_name: jellyfin
    networks:
      - default
--- a/docker/production/buildpath/docker-compose.yml
+++ b/docker/production/buildpath/docker-compose.yml
@@ -10,7 +10,7 @@ services:
    env_file: .env

  match_collector:
-    image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:b2178fec85027348157a5442a81d00479154e581
+    image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:ee32060a7f05bd963bed4337369e146ba6313d64
    build: ./match_collector
    volumes:
      - bpcdragon_cache:/cdragon
@@ -23,7 +23,7 @@ services:
    env_file: .env

  frontend:
-    image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:b2178fec85027348157a5442a81d00479154e581
+    image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:ee32060a7f05bd963bed4337369e146ba6313d64
    build: ./frontend
    restart: always
    volumes:
--- a/infra/r740/proxmox/docker.tf
+++ b/infra/r740/proxmox/docker.tf
@@ -61,7 +61,7 @@ resource "proxmox_virtual_environment_vm" "docker-machine" {
  }

  memory {
-    floating = 22222
+    floating = 16192
    dedicated = 38768
  }

--- a/kubernetes/system/blocky/values.yaml
+++ b/kubernetes/system/blocky/values.yaml
@@ -1,15 +1,11 @@
 # Default values for blocky (k8s-home-lab chart)
 image:
    repository: ghcr.io/0xerr0r/blocky
-    tag: v0.24
+    tag: 0.29.0
    pullPolicy: IfNotPresent
 controller:
-    replicas: 2
+    replicas: 1
    dnsPolicy: ClusterFirst
-    strategy: RollingUpdate
-    rollingUpdate:
-        maxUnavailable: 0
-        maxSurge: 1
 env:
    TZ: Europe/Paris
 service:
@@ -25,37 +21,6 @@ service:
            dns:
                port: 53
                protocol: UDP
-probes:
-    liveness:
-        enabled: true
-        custom: true
-        spec:
-            tcpSocket:
-                port: 53
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            timeoutSeconds: 5
-            failureThreshold: 3
-    readiness:
-        enabled: true
-        custom: true
-        spec:
-            tcpSocket:
-                port: 53
-            initialDelaySeconds: 5
-            periodSeconds: 5
-            timeoutSeconds: 3
-            failureThreshold: 3
-    startup:
-        enabled: true
-        custom: true
-        spec:
-            tcpSocket:
-                port: 53
-            initialDelaySeconds: 5
-            periodSeconds: 2
-            timeoutSeconds: 3
-            failureThreshold: 30
 resources:
    limits:
        cpu: 200m
@@ -63,31 +28,31 @@ resources:
    requests:
        cpu: 50m
        memory: 64Mi
-# Full list of options https://github.com/0xERR0R/blocky/blob/main/docs/config.yml
-config: "upstreams:\n    groups:\n        default:\n            - 1.1.1.1\n            - 1.0.0.1\n        lan:\n            - 10.101.207.1\n\nconditional:\n    mapping:\n        lan: 10.101.207.1\n        cluster.local: 10.96.0.10\n        in-addr.arpa: 10.96.0.10\n\nblocking:\n    allowlists:\n        ads:\n            - |\n                dealabs.digidip.net\n                s.click.aliexpress.com\n                fonts.googleapis.com\n                fonts.gstatic.com\n                wl.spotify.com\n                www.googleadservices.com\n    \n    denylists:\n        ads:\n            - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts\n            - https://adaway.org/hosts.txt\n    \n    clientGroupsBlock:\n        default:\n            - ads\n    \n    blockType: zeroIp\n    blockTTL: 1m\n    loading:\n        refreshPeriod: 4h\n        downloads:\n            timeout: 60s\n\ncaching:\n    minTime: 5m\n    maxTime: 30m\n    # Disable negative caching (NXDOMAIN responses) for dynamic DNS\n    cacheTimeNegative: 0\n    prefetching: true\n    prefetchExpires: 2h\n    prefetchThreshold: 5\n\nprometheus:\n    enable: true\n    path: /metrics\n\nports:\n    dns: 53\n    http: 4000\n\nbootstrapDns: tcp+udp:1.1.1.1\n\nlog:\n    level: info\n    format: text\n    timestamp: true\n"
+# Full list of options https://github.com/0xERR0R/blocky/blob/v0.18/docs/config.yml
+config: "upstream:\n  default:\n    - 1.1.1.1\n    - 1.0.0.1\n  lan:\n    - coredns.coredns.svc.cluster.local\n\nconditional:\n  mapping:\n    lan: coredns.coredns.svc.cluster.local\n\nblocking:\n  whiteLists:\n    ads:\n      - dealabs.digidip.net\n      - s.click.aliexpress.com\n      - fonts.googleapis.com\n      - fonts.gstatic.com\n      - wl.spotify.com\n      - www.googleadservices.com\n  \n  blackLists:\n    ads:\n      - https://big.oisd.nl/\n      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts\n      - https://adaway.org/hosts.txt\n  \n  clientGroupsBlock:\n    default:\n      - ads\n  \n  blockType: zeroIp\n  blockTTL: 1m\n  refreshPeriod: 4h\n  downloadTimeout: 60s\n\ncaching:\n  minTime: 5m\n  maxTime: 30m\n  prefetching: true\n  prefetchExpires: 2h\n  prefetchThreshold: 5\n\nprometheus:\n  enable: true\n  path: /metrics\n\nport: 53\nhttpPort: 4000\nbootstrapDns: tcp+udp:1.1.1.1\nlogLevel: info\nlogFormat: text\nlogTimestamp: true\n"
 sops:
-    lastmodified: "2026-05-02T17:51:26Z"
-    mac: ENC[AES256_GCM,data:J7EovwsXi2L9XocZoi5ann71DQ+wWZk2aCUbjvaGpv0yZC5g2HNccPVRvAj3y9SyMttLT8QlESXzHpEV2A6bOfmJf5v0ACYuWn5wKNlkaBdmTs1xwXp/RcpeOb+FCL9D+9hzjBO9XF6iXZLSj4pO/n1C0IhfeqYKdDC4tHkxOHA=,iv:Qm3Uh+UUSDWCxh7gWJ9x597aWXdMHxtpixE2BVlb6c8=,tag:aHbK26P4f9YV2uGLhpT6OA==,type:str]
+    lastmodified: "2026-05-02T13:29:01Z"
+    mac: ENC[AES256_GCM,data:cfgRW7HlYE1MqgT1hiy6ZfGeiGiVbclDKJIELNrEl7DEJcaSKEwZLujBUiNQGZ0eVkY8oGkiPfEF/J0xcBtQBp/JGtKbvdxoJGTYUAZhwpyJ7LIucAXVwyMUM7ahD76jDAwiKLYxwV40Egr5X06FlyAjVZ07S3l3hmrKQzQXgao=,iv:SnkDaDUR+aCVqp61lkjO1IxPxrRc3sdYnHYCaP0Vv8c=,tag:TZdvBSzbKbbRO7FANRmXuw==,type:str]
    pgp:
-        - created_at: "2026-05-02T17:51:25Z"
+        - created_at: "2026-05-02T13:29:00Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hQIMA7uy4qQr71wiAQ/+Po8UdkiFGt0LmcvCeSE23aoWwY4qi2FsGKdik+7sL3RN
-            gOt/VQ6geefhd4YDhH0jfd7TDXs7UTtYvKQ+IaKcRUyOrZzhrfTpNeT/lXuaTkHf
-            LAUiqyprq1RDzxxIPvgMh4DynfehgN8B81iMJox2/fD0oV7B6dIIABvAl87gzANw
-            7snQLJwdhNXFylKfrdC9A4AfYz7ycXBzEyYlY5BMZENw9yBGgZ1dZITU2KxeYCo/
-            gdVTCevybSBQ/Cq0+hI25ZF+nEIGjrVCN2AxPEUO98ljp4OZEu0p6KsMB4xgCD2j
-            l5LN6YPAu95TRx/bZinoHMMzth6WhFdUG0Anj2cIIYXOcreyzPxYGj+vwRlZFrkZ
-            gTU2vfpt/1Wx8ORRqocCkxZ3dMtm4KsGqe3xpd1y84ezL/bMLxSApn5e7Zzn1cEg
-            DoLwJGnZzSY4nRzfoGXOv6mjyTUVkqNexRlL2wIsgDP9VP/ohS9K2fFZzzJ/fXa1
-            G9DUg64SwfYIFzAgsyWwdE3kCJ/GSIAgrgNwBfZlLGdfB/PB2BkHNpzX4LROUEcD
-            HqqHtVlUIikiFdDQWwB5tS+APBCO6VuzKl1z3ROgV6xhvr4ZYkd9CHYu1S1r1XAs
-            JRCyow0zTLRYGQnDD8+RPQ4MsbzJsugA8Ac4bE4sVJpP8hloZBqHb38AkoUruDTS
-            XgE+Nxcy0/aznBgEscE/VuY/GTH1vwYl5/dAcV8GDYcNmd1tE9E1QwWsSurHt39u
-            +QdGZYoUbHPtsk/zODgEVqn0iTsqO7Y4Qmu93bYlYFQwCygAPKKpCaqmmu2U+rI=
-            =hq5F
+            hQIMA7uy4qQr71wiAQ//TdM8u50xb2DbQ96kgXxgh3iJnKSMnAJxZwch6RRgTDKI
+            R88+IoHRx1jLWN6yVoWumzFyyR04YB/AieZJbECCmW+qoO/fDdfolXohMxYtzus3
+            oTLNXdVHbL4O/SnLu1po8RhUWnIBJ4MCTSsA7JnqX/omdCL2VGhQjCTZye1+zc3q
+            jaFds7tz6ElZYlDtRYx07E+NkeC7UFtJDF5xzg1yoc8y6B1eBl/x5yvY3TJhXjXF
+            wEUV6x6P35ieOforlE8s8oTt89lEe12FRnA8DtvecSaA6rrd1pC7mSq2acVRxooT
+            1CdrUjQMGAFVvAYYFHEcKPaHsnPPOjuIld+eR9HqqluaIVZNPOrdN1NQkZi2q76E
+            rnvxeeBTKhiVdxkOXA9yEkFUGrAr92FJp4CuWYym/ptqxto+/qNoziT8+wCmj+xL
+            GN2tJHwHyPgGoUUYRP70pDsok7bxx4iyZCChrBzfSezkQKKN2bDHAHOjO6/+x9dU
+            V7AJOy/Cg8TDO3kBY1MWghazdbfMPCwMtZa0SCMOZU7w1FpQrG5fi3pEKrpbirSM
+            4v8QApvarzuj+OAHKAJrckMq8ocGPbaUNCC767CniQfGQR0x4/4Ff7UAZ1K0H4eO
+            hm1dzy4RUKXcQMYO7zp/ZXrTL6+uNx8CiXd4sC76yA1GeVCkWKBhUdsQoDXwzAHS
+            XgGR+qzw99Sbsx8IGx+zCgB1Kf/udAyIolzsNDw4sCmGKkzq0FpzjceLtsa2JAqE
+            n1DWl62HGL8JoozMa/4Rd9wWPfjBFcoB19QbqRuMGqg2pEw2sJL3BPSVDWADNFk=
+            =8/Jy
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
-    version: 3.10.2
+    version: 3.10.2
--- a/kubernetes/system/caddy/caddyfile.yaml
+++ b/kubernetes/system/caddy/caddyfile.yaml
@@ -1,93 +0,0 @@
-# Caddy Routes - External ConfigMap
-# This file contains all route definitions, imported by the main Caddyfile.
-# Edit this file to add/modify routes.
-#
-# Certificate files are mounted from the caddy-certificates Secret
-# at /etc/caddy/certs/
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: caddy-routes
-  namespace: caddy
-  labels:
-    app.kubernetes.io/name: caddy
-    app.kubernetes.io/component: routes
-data:
-  Caddyfile: |
-    vhaudiquet.fr {
-      tls /etc/caddy/certs/vhaudiquet-fr.crt /etc/caddy/certs/vhaudiquet-fr.key
-      reverse_proxy 10.1.2.212:80
-    }
-
-    *.vhaudiquet.fr {
-        tls /etc/caddy/certs/wildcard-vhaudiquet-fr.crt /etc/caddy/certs/wildcard-vhaudiquet-fr.key
-
-        # Kubernetes services (via Traefik)
-        @authentik   host authentik.vhaudiquet.fr
-
-        @auth-nook   host auth-nook.vhaudiquet.fr
-        @nook-mg     host n.vhaudiquet.fr
-        @nook        host nook.vhaudiquet.fr
-        @sse-nook    host sse-nook.vhaudiquet.fr
-
-        @gitea       host git.vhaudiquet.fr
-
-        @flux-wh     host flux-webhook.vhaudiquet.fr
-
-        @umami       host umami.vhaudiquet.fr
-
-        handle @authentik {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
-        }
-        handle @auth-nook {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
-        }
-        handle @nook-mg {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
-        }
-        handle @nook {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
-        }
-        handle @sse-nook {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
-        }
-        handle @gitea {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
-        }
-        handle @flux-wh {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
-        }
-        handle @umami {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
-        }
-
-        # Docker VM services (via Traefik)
-        @alexscript     host alexscript.vhaudiquet.fr
-        @clips          host clips.vhaudiquet.fr
-        @jellyfin       host flix.vhaudiquet.fr
-        @mail           host mail.vhaudiquet.fr
-
-        handle @alexscript {
-            reverse_proxy 10.1.2.212:80
-        }
-        handle @clips {
-            reverse_proxy 10.1.2.212:80
-        }
-        handle @jellyfin {
-            reverse_proxy 10.1.2.212:80
-        }
-        handle @mail {
-            reverse_proxy 10.1.2.212:80
-        }
-    }
-
-    semery.fr {
-      tls /etc/caddy/certs/semery-fr.crt /etc/caddy/certs/semery-fr.key
-      reverse_proxy 10.1.2.212:80
-    }
-
-    buildpath.win {
-      tls /etc/caddy/certs/buildpath-win.crt /etc/caddy/certs/buildpath-win.key
-      reverse_proxy 10.1.2.212:80
-    }
--- a/kubernetes/system/caddy/certificates-secret.yaml
+++ b/kubernetes/system/caddy/certificates-secret.yaml
--- a/kubernetes/system/caddy/kustomization.yaml
+++ b/kubernetes/system/caddy/kustomization.yaml
@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: caddy
-resources:
-  - namespace.yaml
-  - repository.yaml
-  - release.yaml
-  - certificates-secret.yaml
-  - caddyfile.yaml
-secretGenerator:
-  - name: caddy-values
-    files:
-      - values.yaml=values.yaml
-configurations:
-  - kustomizeconfig.yaml
--- a/kubernetes/system/caddy/kustomizeconfig.yaml
+++ b/kubernetes/system/caddy/kustomizeconfig.yaml
@@ -1,6 +0,0 @@
-nameReference:
- kind: Secret
-  version: v1
-  fieldSpecs:
-  - path: spec/valuesFrom/name
-    kind: HelmRelease
--- a/kubernetes/system/caddy/namespace.yaml
+++ b/kubernetes/system/caddy/namespace.yaml
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: caddy
-  labels:
-    app.kubernetes.io/name: caddy
-    app.kubernetes.io/component: edge-proxy
--- a/kubernetes/system/caddy/release.yaml
+++ b/kubernetes/system/caddy/release.yaml
@@ -1,30 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: caddy
-  namespace: caddy
-spec:
-  interval: 1m
-  chart:
-    spec:
-      sourceRef:
-        kind: HelmRepository
-        name: caddy
-        namespace: caddy
-      chart: caddy
-      interval: 1m
-      version: "0.7.1"
-  valuesFrom:
-    - kind: Secret
-      name: caddy-values
-  # Patch the Service to add loadBalancerIP since the chart doesn't support it
-  postRenderers:
-    - kustomize:
-        patches:
-          - target:
-              kind: Service
-              name: caddy
-            patch: |
-              - op: add
-                path: /spec/loadBalancerIP
-                value: "10.1.2.152"
--- a/kubernetes/system/caddy/repository.yaml
+++ b/kubernetes/system/caddy/repository.yaml
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: caddy
-  namespace: caddy
-spec:
-  interval: 1m
-  url: https://charts.alekc.dev/
--- a/kubernetes/system/caddy/values.yaml
+++ b/kubernetes/system/caddy/values.yaml
@@ -1,95 +0,0 @@
-# Caddy Edge Proxy
-replicaCount: 2
-# Listen on standard HTTP port
-listenPort: 80
-# Enable HTTPS
-https:
-    enabled: true
-    port: 443
-image:
-    repository: caddy
-    pullPolicy: IfNotPresent
-    tagSuffix: ""
-    tag: 2.11.2
-service:
-    type: LoadBalancer
-    externalTrafficPolicy: Local
-# Disable ingress - Caddy IS the edge proxy
-ingress:
-    enabled: false
-resources:
-    requests:
-        cpu: 100m
-        memory: 128Mi
-    limits:
-        cpu: 500m
-        memory: 256Mi
-# Caddy needs root to bind to ports 80/443 and write runtime data
-# Using restrictive security context causes "operation not permitted"
-podSecurityContext: {}
-securityContext: {}
-health:
-    path: /
-    port: 9999
-# Extra volumes: certificates + external routes ConfigMap
-volumes:
-    - name: certificates
-      secret:
-        secretName: ENC[AES256_GCM,data:1HAy4ntUhnklTlxZgF92RLdT,iv:Vz/nfWy8yie5qre7+yzVzDpO1IW3x4SUJBQIzggGMJY=,tag:+HXDFjKHCJLjE5uW3HsEGQ==,type:str]
-        optional: ENC[AES256_GCM,data:6WPvqQ==,iv:CAxOsnyPZhLLQ4/xfDNFu8mgKVz5keDG0gfopL69v70=,tag:Nta3ov4Zmgu1uwI/1JRsWg==,type:bool]
-    - name: routes
-      configMap:
-        name: caddy-routes
-# Extra volume mounts
-volumeMounts:
-    - name: certificates
-      mountPath: /etc/caddy/certs
-      readOnly: true
-    - name: routes
-      mountPath: /etc/caddy/routes
-      readOnly: true
-# Caddy configuration
-config:
-    debug: false
-    # Global options (goes inside the global {} block)
-    global: |
-        auto_https off
-    # The main Caddyfile content - imports routes from external ConfigMap
-    # This keeps routes in a separate, easily editable file
-    caddyFile: |
-        import /etc/caddy/routes/Caddyfile
-affinity:
-    podAntiAffinity:
-        preferredDuringSchedulingIgnoredDuringExecution:
-            - weight: 100
-              podAffinityTerm:
-                labelSelector:
-                    matchLabels:
-                        app.kubernetes.io/name: caddy
-                topologyKey: kubernetes.io/hostname
-sops:
-    lastmodified: "2026-05-08T08:49:14Z"
-    mac: ENC[AES256_GCM,data:pcStIiaO4zwMLYlpA3FZlwtesiXmhOcclk6GdQ5QRziGv/Te2bUuWGVA6EaeGJML6Mo0JG3jfyua6qQbPdVp6MBt34clcqoU51BG1Nxa6li0K2oqnJlo4evuhJqW1QDzPZZWs8XZaga6rEKNtLwp1R2CIKJU4V5wZAInnqGrnh8=,iv:bhGiargUSIvJ7vePYLBiyG/ZmXDjWyG0x55NG7kxSH8=,tag:H2dIz/JrPGg53BLOvz6ikg==,type:str]
-    pgp:
-        - created_at: "2026-05-08T08:49:14Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA7uy4qQr71wiAQ//VaH0Exxuw7YlBSLJc2UuNPVzDxkd6udLgpfLerMePX1s
-            9HeJslI2vcUG2lN8Pg9ZxTwqOJHsJDhetKNYIhTJ8ig899FWAz0DMG49Pv6QSQiM
-            eS8Mji6FavAhT9AkIgK635HbNqPQewBsYEyMTL3rScz5a2XEsgsNx+rta4HsFp0F
-            yqlXv/AIbxkr22edHbbfnTU+fcdEcprtaaqIg0hi1gUVqOLp+lZgakr+nfbY9KkB
-            5Y6KZFv2fYJ7xLgugT97sTXbk9YkQ+qjUvFVICkRDneTGmLfNocr+9KWe48KMXAN
-            QJ7Kb5rFkZLUko92i6KOnJlk4rbtmD2/pECmDeR1PX1ACZDRmcJMCSO0tdbuLS3C
-            8zEBsyebl5je4b91bncWNMjkXklhaF4FC8U5m2FP0BwQoGYq+9R3rGTv4Nx5ycPk
-            D4KfKY8p8kn7/AnhpBrFRg1E7YGERipMX6BvcXvgBHHUntp3VXdRG5HzHW3Fs1wq
-            w1HRQcm5VZpKfgJ4WoQ/aQB4clXrHBA+JNrrOhJ2LgRAIvayl0IKA/3ZZMahacbc
-            R1B96qr+2v160vDFp1ocZcDo72cWdCZ03t1eNPaaM7NKVsszD5WjYOomRh7ndLh1
-            l+MK3pvuqF6bekfFNmDVDgt9cpSl0UJ7wo2ZreSn5XhOXY88b7neu2BzUQOlU3LS
-            XAGnHhe99cHTE9NnH7egRZUMDhKI5gn1OkCgKCqBIcYp1gDKiPYdAHK7yjv0aJR/
-            j/VDwJzcB97ooiHmTRYrg5GpUEELkeZ6TIrjvZqOySXG9wIU74o8JUIyGtvt
-            =z8ER
-            -----END PGP MESSAGE-----
-          fp: DC6910268E657FF70BA7EC289974494E76938DDC
-    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
-    version: 3.10.2
--- a/kubernetes/system/cilium/pool.yaml
+++ b/kubernetes/system/cilium/pool.yaml
@@ -6,4 +6,3 @@ spec:
  blocks:
  - cidr: "10.1.2.171/32"
  - cidr: "10.1.2.148/32"
-  - cidr: "10.1.2.152/32"
--- a/kubernetes/system/coredns/release.yaml
+++ b/kubernetes/system/coredns/release.yaml
@@ -12,7 +12,7 @@ spec:
        name: coredns
        namespace: coredns
      chart: coredns
-      version: "1.45.2"
+      version: "1.x.x"
      interval: 1m
  valuesFrom:
    - kind: Secret
--- a/kubernetes/system/coredns/values.yaml
+++ b/kubernetes/system/coredns/values.yaml
@@ -1,31 +1,8 @@
-replicaCount: 2
+replicaCount: 1
 image:
    repository: coredns/coredns
-    tag: 1.14.3
+    tag: 1.12.0
    pullPolicy: IfNotPresent
-deployment:
-    dnsPolicy: ClusterFirst
-    strategy:
-        type: RollingUpdate
-        rollingUpdate:
-            maxUnavailable: 0
-            maxSurge: 1
-livenessProbe:
-    httpGet:
-        path: /health
-        port: 8080
-    initialDelaySeconds: 10
-    periodSeconds: 10
-    timeoutSeconds: 5
-    failureThreshold: 3
-readinessProbe:
-    httpGet:
-        path: /ready
-        port: 8181
-    initialDelaySeconds: 5
-    periodSeconds: 5
-    timeoutSeconds: 3
-    failureThreshold: 3
 resources:
    limits:
        cpu: 100m
@@ -38,16 +15,6 @@ service:
    annotations:
        io.cilium/lb-ipam-ips: ""
 servers:
-    - zones:
-        - zone: cluster.local
-      port: 53
-      plugins:
-        - name: kubernetes
-          parameters: cluster.local in-addr.arpa ip6.arpa
-          configBlock: |-
-            pods insecure
-            fallthrough in-addr.arpa ip6.arpa
-            ttl 30
    - zones:
        - zone: .
      port: 53
@@ -56,22 +23,19 @@ servers:
        - name: health
          configBlock: lameduck 5s
        - name: ready
-        - name: debug
-        - name: file
-          parameters: /etc/coredns/zones/lan.zone lan
-          configBlock: |-
-            reload 10s
-            fallthrough
        - name: etcd
          parameters: lan
          configBlock: |-
            path /skydns
            endpoint http://etcd.coredns.svc.cluster.local:2379
-            fallthrough
+        - name: file
+          parameters: /etc/coredns/zones/lan.zone lan
+          configBlock: reload 10s
        - name: cache
          parameters: 30
        - name: loadbalance
        - name: log
+          configBlock: class error
 extraVolumeMounts:
    - name: zone-config
      mountPath: /etc/coredns/zones
@@ -81,27 +45,27 @@ extraVolumes:
      configMap:
        name: coredns-lan-zone
 sops:
-    lastmodified: "2026-05-02T16:59:44Z"
-    mac: ENC[AES256_GCM,data:H4uRid1Fqx4JzsF43TSGa7QcGjpXLAHiM0N3Kf4z7ab4eMlTy1+RXMV7xVT9BinjZzH6P+ENxo0yVOsdt0Yu467KJhGznNWlb2MC2TElPxZ9/yItJ+hdVGHGWbVGFWUL5NOUQ9fY2NPGw0CGr8qyftLr5Qkx0LO/VUgKWkq6RWM=,iv:9+V/sCBhfWAsIvr4DsWQgkeqQZQyT4Ti3Y+qCEZqU5c=,tag:JCRONb54BpXQzYhhPs7VGA==,type:str]
+    lastmodified: "2026-05-02T09:18:53Z"
+    mac: ENC[AES256_GCM,data:gu19hSBFBBp516DyevduvKSHh1PAqGfBQQs1H2UdpyHHM5fueUYhJtbJxwvN8BIi9zT2GFIkcefP4VKcI+uD3+pdqpuzr9+T2im9jPj57aS0qFYRbzt7wLwkrYAE/U2fAW1uExfmIEoOKJP9StDvk5fUKnBxyAD5BmO1sc+nifo=,iv:w5Xl1KyfrynR+sHGMlwc0tYNRdI0O5+f5nFuq/R6UFQ=,tag:Gb7CvFP1CWTGkKaC2sHIQQ==,type:str]
    pgp:
-        - created_at: "2026-05-02T16:59:43Z"
+        - created_at: "2026-05-02T09:18:51Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hQIMA7uy4qQr71wiAQ/9HzeTVqelbvPtluYa5xGvoYNeEEXg43CwrwZ1/z5yFWvx
-            DoOCeyro5wFsNC6td7n2HVhtK0ULkfrMHH8OC+7L3bXbnlEnQzITmDggAUvfegCv
-            b/7ohPkOdLvi6qXbr8bgqCZYFnPq+gUs3UOPh5Tl6wgzRSFXw2Hsb4YmQkvZJUNb
-            PhPpLIUe/ECE4hmEjO5v9o3X0o7qZ3bahf9mZZlnJnvXT7R/DM8eeWTis/q0WSHE
-            XnclhOX4GlMwXxa65sRrShuPcsV3qqX3VWOSWJFBhGx/FDtZTkhlHGQ9YhF2TzbB
-            xxCrn87mH2W13NH6jQOQYPh1JTTJbgZZMZXgyPNmPDSYZE1kxTdrz4l4mcmCDND0
-            hY3T8iR8ap2b3HhSNCqC1C0QN/bK217hTs8cJHWRRfa6jfh12imwk2XhJkB3zZxV
-            O1oSb6eiP0ba0CgXu31shmfXuTAeVbTm6E50heYorjQKR5djjnOVwQUdmis1Awae
-            AQTiWtBBbOgfX5WA5b6wInFr0WEsshG+YuqfB7FhJpo2SHyeFhgk47ssHWSeBpPv
-            wa4OAGaMkdGoePQhApZFrBCZHslEhPE+XQlDdyOtXCmxBOcLwe59ikWLV75j0DzS
-            NRUNOBYQ8Q1Y6Su/sJWW7TykQkmDirU+oIYxAngZyIyJSWvARPd6fJJvkqqg013S
-            XgH1+LQJWNEJzIaLKCWbkZXnMstsOYrs4ynV4f/QZKU+Md5CgVbjy9KIC/trfNhj
-            1t9kkyVVOEO7UmRhMyl8pK2gQDiOBrkhUJ5tSNFEfxM1llZ4GZRV+SUuMC3UzVA=
-            =l7Wo
+            hQIMA7uy4qQr71wiARAAw7GQOytNOmyr2inudzYnI1/c5ttiTSGXJC+yXiH1vF8B
+            Rwu6RM/7y2/7NY7h4DeUo7kW8AtgMGsAG0hZ1vIY9NWacSLKfvNyHzHMVxaUgnqe
+            4v62jC2HDLfB+NLe2L6oxKmi6ZtYq1hpEMzPTAVVz5fNCWMsepNAKPGc/yOB3Vm2
+            UzdXS/yIuiG/cWKnGXRnCx3cTZ0ypU6tw5Mxu2dyIn11su/B/T65NfsvZdWJ05gt
+            BGqSddI0pNPD3UmEivKD4zKB34MQFvtohsNLtPDrIzIRG/0Unx1Hzfm6MM1Atj3W
+            gCDkkYI8C5tgXbp7p2WI8WSvX/V6eF6Ueh6C8bMpGvGxIOaTMwfkskS8Anw6TCfj
+            uYVkJ7XYMVtvCILGmSIoSDNChFB0koOoUp2gbTtsWNvOrUQnOHsad55N+BN/5BiP
+            quXHHtluq4cGrZsVprdplz42qalJK9KxlZ6L7ydrJnMTU+E02sHOTJt6iwsI9XM+
+            3ZscNIS4QvGJAb4tzzERaIo7jmRlX/YxKtcePNhV1TQUG3/5yrcMo2XXM8hn9Rk4
+            DEA79wtgnryA4TeqwKMLhIvCXFu5B/nYOtAHj/I4nhKazIVtwSXndboM6WD4xPfM
+            bf4lc4KuvvBu3rx2d2u+DOh3k+ebU9MBONQ3B1WLjOFOe8LUnbGCsN/2KfhRRw7S
+            XgFTna/svDiYYIF7sqpRHKY3qdJ39/GRrhI06QcYQHVGpbpPv9G/4K2K7p2G1fBH
+            zUZqfwLtTvwmpCE8ko+m8WWx5OMouTWiY4GXDGybQCkUa07EfgIkYK8IwqEDwlo=
+            =Ns+9
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
--- a/kubernetes/system/external-dns/values.yaml
+++ b/kubernetes/system/external-dns/values.yaml
@@ -1,39 +1,38 @@
 provider:
-    name: coredns
-    registry: noop
-    policy: upsert-only
-    sources:
-        - ingress
-        - service
+    name: pihole
+registry: noop
+policy: upsert-only
+sources:
+    - ingress
 domainFilters:
-    - lan
+    - .lan
 extraArgs:
-    - ENC[AES256_GCM,data:pWoRZNy0bqOOC/KNOy5u6yVpqJv29cJIgQ==,iv:gWQc3vdCwT7V67D0tyrPASAUNhVKjc2SIBLcQutIWG8=,tag:q6C1CLTMiGv0ZJ4jrPYOGg==,type:str]
-env:
-    - name: ETCD_URLS
-      value: ENC[AES256_GCM,data:w4cTglu/bE5AkzdHdXhC8B0IazuxfQECVdPB3S2kUSJ8L4Q21oUQOs8I,iv:p560+9a3EqNcnA83Ahx/91w0PfzqWlAY8KRhbaCO5t4=,tag:ajc0Al6wZTOVrkLDXG90+w==,type:str]
+    - ENC[AES256_GCM,data:ym7grahK+0f0ydcdbWjamJdu/fOBUdH186xaQVaXZWEb,iv:PYGTuE/0z23pXVmitjDRcESs6dwuZA89VUhC1Dw/YlI=,tag:eIFd/J0gk8AWkaBmkHXoxg==,type:str]
+    - ENC[AES256_GCM,data:ah50AImpMpFgRmu7IFsOKUO8WK+dcFSQakw=,iv:WyrXKk0WxD86A3nDu2kvjZD185LZhDwTx28g9tPvgFA=,tag:B/7Kv4FT9l3SjIuGboIkaQ==,type:str]
+    - ENC[AES256_GCM,data:5eFuaAUaRwrscxSSEOKpLxUrfgo+jfim,iv:6MQ10olVkkRzOaOf02vWKOrvmwgmEr1HedHpraprEaY=,tag:Kc2F03NjLMWmzHaByYHR9A==,type:str]
 sops:
-    lastmodified: "2026-05-02T14:07:20Z"
-    mac: ENC[AES256_GCM,data:unn1TyPyIJZZZl3rB07iCjBJLP5dACsEowaHG2kPD7ItcLeZhz8gjy0Mz0lPgZXizBLtxdPxlH9W4DPZM6tIudghKovOg7ivoUlA78We87wOxACzAlLwG02vw4f5CKwopqEpdcl9aprLbg815IzcDdsKqSLHIw+Xdm0nW4rP+T0=,iv:YCoJhgO4hlcCcvVx/dxrIBR1677U9UREX26QPB8G/WY=,tag:PguKaLKr6wm93OgYgzEENQ==,type:str]
+    lastmodified: "2025-08-27T10:07:50Z"
+    mac: ENC[AES256_GCM,data:wb+0NBxUIqQUbCVsEZUTE7fAvFy+pxaxaD+zb76BploLk0qzB66Ui+xvArNW1RV8qOVTr/fLLxAcIfDlmN+HvJRFeUZLUhZroZXWIIElDN6O8IgzFRy3B+ps5bhVtkgUGACdmML9NJ7wCKEX67AqbuqquR/JagN55cDSTzhUvwk=,iv:qIu3X8SD5H/iKkJvwfK1aI0Rd4/fpt9ApIT5cpEDwVs=,tag:9nvr+LnN1RA8WQgtUg+GTA==,type:str]
    pgp:
-        - created_at: "2026-05-02T14:07:18Z"
+        - created_at: "2025-08-27T10:07:49Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hQIMA7uy4qQr71wiAQ/+OD3xMKWh/zrmSAzeha7eBUQqxV4Md+Sk5ZaZZpJwXm0F
-            Icb4N7rMRZiUL/BXaH7dDyLNKFbqTGTtLhBtp8IbW6Y6pijQDa3lgX2aC2LjZYP2
-            GTILWOVYMo18h/idESrj9RBpODDCLUwDUipmNNDrNmeq+aotWEBGZgum2mE/lIdY
-            Xx+gK9y6vE4IRnDp0AMBahYenO1QrzmzEJphBocw9H9RBwrXx3a4Ke4NY56/0cn+
-            Q0+pBZdN4T+tmsplwT55I/2UIyyuLWLzfiXqgzP9PHj2qasP/0txDr3cL1bdMnLU
-            U3ubRFbWHwstjKvsc7sHEZscaSE6CXzpxMCQs98q0I119+l5K4cm/n7ch3b7JDFB
-            vRuYVdNXBllKMbSdvl++zhh9eYD/gofkZhx9cpJTrku8u6IlKuZkuTjNPp4QtkY6
-            pPbC42znQ1xhEw5y4YtCxCfynhjCIko31P0uraMu5Ni8nPwt+nWANKLXn6T0VzlM
-            lFuU2FiPm9/p/4vNd3WlN73ShEf+QCUR6fZqJDEWY82lbdxMX5+p3JKbWtiY+rbH
-            scKh6hH1PAEYxNQosOabQWnt095niHXseWRAAYaRkm86jB500noYZw9sASmARFT6
-            ojrl+hKzUqZa7Y5QIG3VFEiLJKIMDDoT8ojeKkuq5jCznInMdqQ/LlRX68IPI53S
-            XgGNlbkKDLJx2r8ImRTXDkXIJT0d7iBnWksUHYgNnMnFgd8cR5Kud2NU2Hfh5zbQ
-            2q3dcJiO58H3CK6fZQhLkyTbodvD8+4z6E9rblWeAZR03qf8UPW2UmmWPlRgUPc=
-            =SbhF
+            hQIMA7uy4qQr71wiAQ/+IMnGLNPR17dXFL/tT/Jzm2SbZnRQJVk8pEikESBazMHy
+            qcXjwI4ZXOVKC9Azc1jwigWx1wsRzksqHWI7YihkJKSTWgDkr/WbRZUkkndMyC6o
+            1rUghPTMnw3ykrLOHw0dP5KrQyeTqj3EakJKzPLl1M5AqOlRIEQzJhpcGACy9teR
+            RZ4Z0WQL4lxl1bVQ/Yq+o7iEWDqAwlLxllBnvAz/nIfMQgaTfa9UyEz5Up71nXtz
+            f98txsSmB0kEYqEJNeNSQa6+MFT1OXJX8XijlfcEYVIyX7XO8+vKu99Neae026Ki
+            o+yXgVB8UIV/8tfhhRYofYFEUP9SPNeIrlJlXPopv1axnhhxCJeUUMDfQtrQFR1Q
+            8AUNbWluEU5q3/YLtk1HsLIDHGLG4o2WIS67Do3Feik3oZc5jP4b2sLrsSYc/2Rn
+            DkjDrnYKqXojr2jD4B9fMiKen1/MxqZwP78CFNNIjqDf44fvmHPK1BlCUbMmBmyV
+            yti3wTZEWUa3P9a1EApt3/ez+51o4R1q5En6bkZWqrzDtjd1qhs8ygP1pyU5eRJZ
+            dn0FzzDn4UuecCjXx6rZLw8ugSPIw+z3BMvB/JRx6OY3Dm6NKHBwfdIELoWwpWoY
+            28cH5X8hfVhr3uDIXmXVkJhrri3q35mRQnBIw+Gw7hgeMfWdLLmMSgwhCVvWNwDU
+            aAEJAhBlX9Uiqb+tS5fNYsnGVwS4XNIUozxtkdy3t+ZHK/rqCJ0qVr6m2rTO8QCg
+            jfNwgjOfpFC5YSsHjEuPaISBTfEMJea/1fqeUoPSXIMtgnceOT5xeqR5d7K1cOKR
+            sRirvHEkhbG3
+            =uej8
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$