Add renovate.json

2026-02-01 14:45:58 +00:00 · 2025-09-25 20:42:40 +00:00
83 changed files with 657 additions and 1724 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,16 +5,17 @@ updates:
    schedule:
      interval: weekly
    directories:
      - "/docker/gitea-actions"
      - "/docker/home/esphome"
      - "/docker/home/ha-linky"
      - "/docker/home/home-assistant"
      - "/docker/home/matter-server"
      - "/docker/home/mosquitto-mqtt"
      - "/docker/home/n8n"
      - "/docker/home/node-red"
      - "/docker/home/zigbee2mqtt"
      - "/docker/infrastructure/mail/roundcube"
      - "/docker/infrastructure/mail/stalwart"
      - "/docker/infrastructure/network/traefik"
      - "/docker/infrastructure/squid"
      - "/docker/infrastructure/sshportal"
      - "/docker/personal/gramps"
      - "/docker/personal/media/films-series/jackett"
@@ -31,11 +32,11 @@ updates:
      - "/docker/personal/syncthing"
      - "/docker/personal/tandoor"
      - "/docker/production/alexscript"
      - "/docker/production/buildpath"
      - "/docker/production/semeryfr"
      - "/docker/production/vhaudiquetfr"
      - "/docker/tools/excalidraw"
-      - "/docker/tools/obsidian-livesync"
+      - "/docker/tools/hedgedoc"
      - "/docker/tools/notesnook"
      - "/docker/tools/stirling-pdf"
  - package-ecosystem: "helm"
    open-pull-requests-limit: 15
@@ -44,14 +45,10 @@ updates:
    directories:
      - "/kubernetes/code/gitea"
      - "/kubernetes/code/harbor"
      - "/kubernetes/home/home-assisant"
      - "/kubernetes/infrastructure/authentik"
      - "/kubernetes/personal/linkwarden"
      - "/kubernetes/personal/notesnook"
      - "/kubernetes/personal/photoprism"
      - "/kubernetes/production/umami"
      - "/kubernetes/system/csi-driver-nfs"
      - "/kubernetes/system/external-dns"
      - "/kubernetes/system/traefik"
      - "/kubernetes/tools/dashy"
      - "/kubernetes/tools/glance"
--- a/.swarmcd/stacks.yaml
+++ b/.swarmcd/stacks.yaml
@@ -1,8 +1,27 @@
 gitea-actions:
  repo: homeprod
  branch: main
  compose_file: docker/gitea-actions/docker-compose.yml
  sops_files:
    - docker/gitea-actions/.env
 esphome:
  repo: homeprod
  branch: main
  compose_file: docker/home/esphome/docker-compose.yml
 ha-linky:
  repo: homeprod
  branch: main
  compose_file: docker/home/ha-linky/docker-compose.yml
  sops_files:
    - docker/home/ha-linky/.env
 home-assistant:
  repo: homeprod
  branch: main
  compose_file: docker/home/home-assistant/docker-compose.yml
 matter-server:
  repo: homeprod
  branch: main
@@ -13,11 +32,6 @@ mosquitto-mqtt:
  branch: main
  compose_file: docker/home/mosquitto-mqtt/docker-compose.yml
 n8n:
  repo: homeprod
  branch: main
  compose_file: docker/home/n8n/docker-compose.yml
 node-red:
  repo: homeprod
  branch: main
@@ -43,11 +57,6 @@ traefik:
  branch: main
  compose_file: docker/infrastructure/network/traefik/docker-compose.yml
 squid:
  repo: homeprod
  branch: main
  compose_file: docker/infrastructure/squid/docker-compose.yml
 sshportal:
  repo: homeprod
  branch: main
@@ -134,13 +143,6 @@ alexscript:
  branch: main
  compose_file: docker/production/alexscript/docker-compose.yml
 buildpath:
  repo: homeprod
  branch: main
  compose_file: docker/production/buildpath/docker-compose.yml
  sops_files:
    - docker/production/buildpath/.env
 semeryfr:
  repo: homeprod
  branch: main
@@ -156,12 +158,19 @@ excalidraw:
  branch: main
  compose_file: docker/tools/excalidraw/docker-compose.yml
-obsidian-livesync:
+hedgedoc:
  repo: homeprod
  branch: main
-  compose_file: docker/tools/obsidian-livesync/docker-compose.yml
+  compose_file: docker/tools/hedgedoc/docker-compose.yml
  sops_files:
-    - docker/tools/obsidian-livesync/.env
+    - docker/tools/hedgedoc/.env
 notesnook:
  repo: homeprod
  branch: main
  compose_file: docker/tools/notesnook/docker-compose.yml
  sops_files:
    - docker/tools/notesnook/.env
 stirling-pdf:
  repo: homeprod
--- a/README.md
+++ b/README.md
@@ -61,7 +61,7 @@ This setup allows running multiple applications, either self-hosted applications
 | Icon | Software     | Description |
 |------|--------------|-------------|
 | <img width=30 src="https://buildpath.win/_ipx/w_60&f_webp/buildpath-high-resolution-logo-transparent.png"> | BuildPath | https://buildpath.win, website for League of Legends champion builds |
-| <img width=32 src="https://vhaudiquet.fr/favicon.ico_256x256.png"> | vhaudiquet.fr | https://vhaudiquet.fr, personal website |
+| <img width=32 src="https://vhaudiquet.fr/assets/favicon.ico_256x256.png"> | vhaudiquet.fr | https://vhaudiquet.fr, personal website |
 #### Personal applications
--- a/docker/gitea-actions/.env
+++ b/docker/gitea-actions/.env
@@ -0,0 +1,11 @@
 GITEA_INSTANCE_URL=ENC[AES256_GCM,data:PYjmpgDEvPEC1S7MrN6d91IUBnGbFA9Xag==,iv:m7YQOMnuEoT5wDyy47aaTqjJG+dhqTJKf5i3hQs6GwY=,tag:2ldKTNRqdJEXTxr3uAyLLQ==,type:str]
 GITEA_RUNNER_REGISTRATION_TOKEN=ENC[AES256_GCM,data:RDnENtxQw80C7SwmMZV2DTlEx4+uvzVMy95leGb/1RR6egc6S4xWnQ==,iv:wThZ2+qukJqC+ApvXC9GBdneXJ00jkkTyq+2VXSDG+w=,tag:KygPnxauOpaI1goZ4+uf3g==,type:str]
 GITEA_RUNNER_NAME=ENC[AES256_GCM,data:HvNmmQyKxk16WQV8dRfPOfCO39w=,iv:z1YuNWvglBYaXQwZXjMzXD4ZN2d7c3eD9GdSaG1maNY=,tag:FtX6wG47uTGjTQ8UNvGfcg==,type:str]
 GITEA_RUNNER_LABELS=
 sops_lastmodified=2025-09-16T19:22:00Z
 sops_mac=ENC[AES256_GCM,data:JIp7wyaIsy2Jg9p3ybHAljkDn8vpDRHtf7Zm2/M4exe6CbWCRn1jGMle+SnKBv2DKVciquQ9B9cKtKnVCpEAQOceZ1WakwS/mCmjYTIHqcvm8/vst1BYiL1Ovbw2dDstzWo8g+UTKAmVC7E0TJ01vAbsOab+fVacKLHF97pBqW8=,iv:5tcuJntPXrWCeNTGQbXzLaGZnCc8rr+gKG+UTRBNUaY=,tag:g7EYMAaOmwjKFYfz1ID5xQ==,type:str]
 sops_pgp__list_0__map_created_at=2025-09-16T19:22:00Z
 sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//c0J+b0XwnMbLlQku3tAEutXuEkQPMMrdOpPYwrua9nNu\nSVPBSiamnTeoaP2kM5lcaQ7HUaRLiS1qjXNVPsnAdkGPPID3SxUJzUo7Ca/JOq7e\n39ihqetWAcn9dNDofTxVKyvKXhXKGaDFy2LhaKugj4tkx6qdMA/XAldvRD6ik1jK\nAZjl2xGYTvZ+XgTGtFs6u3Z9ugD6Q3yPjKRSfeIO8NPT5OFFzY70wqlZflxcpupD\npnsvXQkAK1Rnz6F9+dh6jJYYijTdEe9Q0i+0Uy3q+wMsf8KRWs4ARD05DpgIOnUA\nG0s2kdOOlvqoJ/m2fSV7vkIcCvCwhEirn5kfrdUGi3ENazh0g3vpppAfE0ynZdSo\nDiXI7dzCwMxYi8edieOhK3RrOn8bx7B8F1WE+mHL6StQmD2G+xfvgtKlsEJGY2Ed\n1CpMZSQ0TwFx58fYiK+HsZrwAw/3YVzPWryaYvJ6P8QnY3oJOJihSYGRMmyH5WRo\nle1Rxd+Lrt1UnWyZQ7rpqMsYiIzihsNgNix/2wS1R9R1wRFXPdNDfzjrv1BGm/aJ\nOOqUFo6Hd3jEwYcSsG7mbe+hCAAXoJjZSU43dVzeZ0k5ls/lpOjqjQrZZLgz33uF\nNVNRAKTYD2y+/mQ4vpDUsHhu5rtjxh8u1CJf0++q1W/w+Z4ooq5hcNm3ud3DHYjS\nXgF1JA9ThTS+Hs1fV5SFzGMyFMFGeiTVJeww26R+1Vws7fFwbyAYugOqAgkiNkIf\nS2dsxlH1TRjBq1XD4GYk6P3VDUU5UyxG/5XiOexGEVSxBL/wg6TwpyL1hjvgc9k=\n=fmOe\n-----END PGP MESSAGE-----
 sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.10.2
--- a/docker/gitea-actions/docker-compose.yml
+++ b/docker/gitea-actions/docker-compose.yml
@@ -0,0 +1,6 @@
 services:
  runner:
    image: docker.io/gitea/act_runner:nightly
    env_file: .env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
--- a/docker/home/esphome/docker-compose.yml
+++ b/docker/home/esphome/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  esphome:
-    image: ghcr.io/esphome/esphome:2026.1.0
+    image: ghcr.io/esphome/esphome:2025.9.1
    ports:
      - "6052"
    networks:
--- a/docker/home/ha-linky/.env
+++ b/docker/home/ha-linky/.env
@@ -0,0 +1,8 @@
 SUPERVISOR_TOKEN=ENC[AES256_GCM,data:jcW++S0qsqO3EqIHb8pP9UVtj6lAfJc2rPV5tkrOG+pxI+cCrr4BsJhMnzN4MBoUa0XbCvXlhkdo1/x3dUEcqsg4T25IaC72n7IkW/Wy3bwiVYB19y0Znl64hxHZkjFY00XbVBj6LXhtT40T72c4qAm5uzeBK4be2fomIB4FS9M1XKLL27BoH3q3IxoT04KrDUO/aReOUBCGEgGaK7zfeRj6Gm97lRNpkotxuPm0sma0bqsnGu+o,iv:Q0mD4wj2qv+k8sWntiIYe7LzTm6CaQ4QGgyG83YpyPc=,tag:yZrvtAL/+B0RYboTzGmwRA==,type:str]
 sops_lastmodified=2025-09-16T19:22:03Z
 sops_mac=ENC[AES256_GCM,data:LH5UglnUv7urj92vEukJXlF2bU4HyTeUPxtkGjLu9hB/mw7bRjV2f3BpbJqsOlPPDihQY2mxSJYYEVG5Y0DLYEfHhRy5pzMP6xKCMOAt2bH9fmYlGtdQK/FqoETK2WbB0yt66UGy2cOkYDgyRBzugyh/NpscOheKB+m7A2b4fDc=,iv:7uelheh5cbmVaZ78QIoWmbWJTCA6gscvtk1/qBCEW58=,tag:k75QaO0IRS98LJJCJdQljg==,type:str]
 sops_pgp__list_0__map_created_at=2025-09-16T19:22:00Z
 sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//aaSjU182qGrX5Dc+t2H/EAx3CYMIevjMjWZh2jPqSOP0\nhqd3HFic8gc5ZvYNB1SdqlZI/yqlDcbkuEyCqpOikifsic8j2u6Z3GhtkJWrhtFr\n4mkO3BF9tA+F45P07RRP3Jr5tCct36AjClaziEvM1EJctSgDpVmyqbvyRpDXmtFz\n58jzmZCIxKKajGeQ0aERlnRsMa2PrgtfQS77ewUDDq2Lgkf5wSZ8Yg91U7qfEzDE\nEqDKYuy3dJNI5FIQaK1dAeHikf47fZ8hT+YVfaY85OwJh+ojGHIJ1L9DI99DxYa+\nPTO+rswNkrPxHnRfu1eQkLZLnXMS914iW0Na8/+T0zLWrcWcnMWdDx054e3Fe/Gi\n3zTpRDTQAo69J24TYP2NNoF6pF97jVEXz9NY0gdngjM6WDLLc9N6l3ReWfwaFAD5\nZQh6w21vmseroRMgXFnddUlTJE2/8evKJS7+uR+Z86SAojlWXTXjYnJqqj29KlEw\npeSJ+Q+ZdAUWjYtRLS3afwhYnum1hbfWBWRdDgAVhYcD1Yyri37qjSA8Mr086y0S\nW+MriV2jzmtUiSyo0efYqCm+BguWgkeqQlL7YLzg4UHG0J8ZME0qV/vSbFATSzbL\ncPdv6UZY8dw1LNwCLeH9eeNrpPKItasK/pID7H1u6r+4lRFStfFta9XrWeXtZnXS\nXgHdsbBzxhFBxrHEtj2Fn4r9QdjDZhTw59Mnaf3IVp5nbDngPwMMUc9NDgZp5WGh\nqcOeIdI9nGWt6PRTLSPSJZSry/G8tqbJGHjED2imMEdXGWtf5aHy4Z2iKBTfUPw=\n=Xe2o\n-----END PGP MESSAGE-----
 sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.10.2
--- a/docker/home/ha-linky/docker-compose.yml
+++ b/docker/home/ha-linky/docker-compose.yml
@@ -0,0 +1,9 @@
 services:
  ha-linky:
    image: ha-linky
    env_file: ".env"
    environment:
      - WS_URL=ws://homeassistant.lan/api/websocket
      - TZ=Europe/Paris
    volumes:
      - /root/ha-linky:/data
--- a/docker/home/home-assistant/docker-compose.yml
+++ b/docker/home/home-assistant/docker-compose.yml
@@ -0,0 +1,32 @@
 services:
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:2025.9.4"
    ports:
      - "8123"
    networks:
      - default
      - proxy
    environment:
      - TZ=Europe/Paris
    volumes:
      - ha_config:/config
      - /etc/localtime:/etc/localtime:ro
      - /run/dbus:/run/dbus:ro
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homeassistant.rule=Host(`homeassistant.lan`)"
 volumes:
  ha_config:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '/app/home-assistant/config'
 networks:
  proxy:
    external: true
    name: proxy
--- a/docker/home/matter-server/docker-compose.yml
+++ b/docker/home/matter-server/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  matter-server:
-    image: ghcr.io/matter-js/python-matter-server:8.1.2
+    image: ghcr.io/home-assistant-libs/python-matter-server:8.1.0
    container_name: matter-server
    restart: unless-stopped
    network_mode: host
--- a/docker/home/mosquitto-mqtt/docker-compose.yml
+++ b/docker/home/mosquitto-mqtt/docker-compose.yml
@@ -4,9 +4,7 @@ services:
    container_name: mosquitto
    restart: unless-stopped
    ports:
-      - target: 1883
+      - "1883:1883"
        published: 1883
        mode: host
      - "9001:9001"
    volumes:
      - data:/mosquitto/data
--- a/docker/home/n8n/docker-compose.yaml
+++ b/docker/home/n8n/docker-compose.yaml
@@ -1,24 +1,20 @@
 services:
  n8n:
-    image: docker.n8n.io/n8nio/n8n:2.4.5
+    image: docker.n8n.io/n8nio/n8n
    environment:
      - TZ=Europe/Paris
      - N8N_SECURE_COOKIE=false
      - NODES_EXCLUDE="[]"
    ports:
      - "5678"
    networks:
      - default
      - proxy
    volumes:
-      - data:/home/node/.n8n
+      - data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.n8n.rule=Host(`n8n.lan`)"
  redis:
    image: redis:8.2.2
 volumes:
  data:
    driver: local
--- a/docker/home/zigbee2mqtt/docker-compose.yml
+++ b/docker/home/zigbee2mqtt/docker-compose.yml
@@ -2,7 +2,7 @@ services:
  zigbee2mqtt:
    container_name: zigbee2mqtt
    restart: unless-stopped
-    image: koenkk/zigbee2mqtt:2.7.2
+    image: koenkk/zigbee2mqtt:2.6.1
    networks:
      - default
      - proxy
@@ -13,10 +13,11 @@ services:
      - "8080"
    environment:
      - TZ=Europe/Paris
    devices:
      - /dev/ttyUSB0:/dev/ttyUSB0
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.zigbee2mqtt.rule=Host(`zigbee2mqtt.lan`)"
      - "traefik.http.services.zigbee2mqtt.loadbalancer.server.port=8080"
 volumes:
  data:
--- a/docker/infrastructure/mail/roundcube/docker-compose.yml
+++ b/docker/infrastructure/mail/roundcube/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  roundcube:
-    image: roundcube/roundcubemail:1.6.12-apache
+    image: roundcube/roundcubemail:1.6.11-apache
    container_name: roundcube
    networks:
      - default
--- a/docker/infrastructure/mail/stalwart/docker-compose.yml
+++ b/docker/infrastructure/mail/stalwart/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  stalwart:
-    image: stalwartlabs/stalwart:v0.15.4
+    image: stalwartlabs/stalwart:v0.13.3
    container_name: stalwart
    networks:
      - default
@@ -8,19 +8,11 @@ services:
    volumes:
      - stalwart_data:/opt/stalwart
    ports:
-      - target: 25
+      - "25:25" # SMTP port
-        published: 25
+      - "465:465" # SMTPS port
-        mode: host
+      - "993:993" # IMAPS port
-      - target: 465
+      - "587:587" # SMTP Submission STARTTLS
-        published: 465
+      - "8080" # HTTP port
        mode: host
      - target: 993
        published: 993
        mode: host
      - target: 587
        published: 587
        mode: host
      - "8080"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.stalwart.rule=Host(`mail.vhaudiquet.fr`)"
--- a/docker/infrastructure/network/traefik/docker-compose.yml
+++ b/docker/infrastructure/network/traefik/docker-compose.yml
@@ -1,13 +1,11 @@
 services:
  traefik:
-    image: traefik:3.6
+    image: traefik:3.5
    command: 
      - "--configFile=/etc/traefik/traefik.yml"
    ports:
-      - target: 80
+      - "80:80"
-        published: 80
+      - "8080:8080"
        mode: host
      - "8080"
    networks:
      - default
      - proxy
--- a/docker/infrastructure/squid/docker-compose.yml
+++ b/docker/infrastructure/squid/docker-compose.yml
@@ -1,24 +0,0 @@
 services:
  squid:
    image: ubuntu/squid:6.13-25.04_edge
    ports:
      - target: 3128
        published: 3128
        mode: host
    environment:
      - TZ=Europe/Paris
    volumes:
      - log:/var/log/squid
      - cache:/var/spool/squid
      - type: bind
        source: /root/homeprod/docker/infrastructure/squid/squid.conf
        target: /etc/squid/squid.conf
 volumes:
  log:
  cache:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '/app/squid/cache'
--- a/docker/infrastructure/squid/squid.conf
+++ b/docker/infrastructure/squid/squid.conf
@@ -1,49 +0,0 @@
 acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
 acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
 acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
 acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
 acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
 acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
 acl localnet src fc00::/7       	# RFC 4193 local private network range
 acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines
 # Caching
 cache_dir aufs /var/spool/squid 40000 16 256
 maximum_object_size 4 GB
 ## In-memory caching
 cache_mem 256 MB
 maximum_object_size_in_memory 5 MB
 ## Always refresh Packages and Release files
 refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
 refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
 refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
 refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
 ## Handle meta-release and changelogs.ubuntu.com special
 refresh_pattern changelogs.ubuntu.com\/.*  0  1% 1
 ## Archive files: cache them for 90 days
 refresh_pattern deb$   129600 100% 129600
 refresh_pattern udeb$   129600 100% 129600
 refresh_pattern tar.gz$  129600 100% 129600
 refresh_pattern tar.xz$  129600 100% 129600
 refresh_pattern tar.bz2$  129600 100% 129600
 ## Docker: cache for 24h (min) to 7 days (max)
 refresh_pattern -i (/blobs/sha256)     1440 99% 10080  ignore-no-store ignore-private override-expire store-stale reload-into-ims
 refresh_pattern -i (/images/sha256)    1440 99% 10080  ignore-no-store ignore-private override-expire store-stale reload-into-ims
 refresh_pattern -i (/manifests/)       1440 99% 10080  ignore-no-store ignore-private override-expire store-stale reload-into-ims
 ## Default: cache everything for 0h (min) to 72h (max)
 refresh_pattern .       0   20% 4320
 http_port 3128
 max_filedescriptors 1024
 http_access allow localhost
 http_access allow localnet
 dns_v4_first on
--- a/docker/personal/gramps/docker-compose.yml
+++ b/docker/personal/gramps/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
  grampsweb:
    container_name: grampsweb
-    image: ghcr.io/gramps-project/grampsweb:25.12.0
+    image: ghcr.io/gramps-project/grampsweb:25.8.0
    restart: always
    networks:
      - default
@@ -9,11 +9,10 @@ services:
    ports:
      - "5000"
    environment:
-      - GDK_BACKEND=-
+      GRAMPSWEB_TREE: "Gramps Web"  # will create a new tree if not exists
-      - GRAMPSWEB_TREE="Gramps Web"  # will create a new tree if not exists
+      GRAMPSWEB_CELERY_CONFIG__broker_url: "redis://grampsweb_redis:6379/0"
-      - GRAMPSWEB_CELERY_CONFIG__broker_url="redis://grampsweb_redis:6379/0"
+      GRAMPSWEB_CELERY_CONFIG__result_backend: "redis://grampsweb_redis:6379/0"
-      - GRAMPSWEB_CELERY_CONFIG__result_backend="redis://grampsweb_redis:6379/0"
+      GRAMPSWEB_RATELIMIT_STORAGE_URI: redis://grampsweb_redis:6379/1
      - GRAMPSWEB_RATELIMIT_STORAGE_URI="redis://grampsweb_redis:6379/1"
    depends_on:
      - grampsweb_redis
    volumes:
@@ -28,20 +27,16 @@ services:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grampsweb.rule=Host(`gramps.lan`)"
    healthcheck:
      test: curl -f http://127.0.0.1:5000 || exit 1
      interval: 1m
      retries: 10
  grampsweb_celery:
    container_name: grampsweb_celery
-    image: ghcr.io/gramps-project/grampsweb:25.12.0
+    image: ghcr.io/gramps-project/grampsweb:latest
    restart: always
    environment:
-      - GRAMPSWEB_TREE="Gramps Web"  # will create a new tree if not exists
+      GRAMPSWEB_TREE: "Gramps Web"  # will create a new tree if not exists
-      - GRAMPSWEB_CELERY_CONFIG__broker_url="redis://grampsweb_redis:6379/0"
+      GRAMPSWEB_CELERY_CONFIG__broker_url: "redis://grampsweb_redis:6379/0"
-      - GRAMPSWEB_CELERY_CONFIG__result_backend="redis://grampsweb_redis:6379/0"
+      GRAMPSWEB_CELERY_CONFIG__result_backend: "redis://grampsweb_redis:6379/0"
-      - GRAMPSWEB_RATELIMIT_STORAGE_URI="redis://grampsweb_redis:6379/1"
+      GRAMPSWEB_RATELIMIT_STORAGE_URI: redis://grampsweb_redis:6379/1
    volumes:
      - gramps_users:/app/users
      - gramps_index:/app/indexdir
@@ -56,7 +51,7 @@ services:
    command: celery -A gramps_webapi.celery worker --loglevel=INFO --concurrency=2
  grampsweb_redis:
-    image: docker.io/library/redis:8.4.0-alpine
+    image: docker.io/library/redis:8.0.3-alpine
    container_name: grampsweb_redis
    restart: always
--- a/docker/personal/media/films-series/jackett/docker-compose.yml
+++ b/docker/personal/media/films-series/jackett/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
  jackett:
    container_name: jackett
-    image: ghcr.io/hotio/jackett:release-0.24.900
+    image: ghcr.io/hotio/jackett:release-0.23.48
    ports:
      - "9117"
    networks:
--- a/docker/personal/media/films-series/jellyfin/docker-compose.yml
+++ b/docker/personal/media/films-series/jellyfin/docker-compose.yml
@@ -1,7 +1,8 @@
 services:
  jellyfin:
-    image: jellyfin/jellyfin:2026011205
+    image: jellyfin/jellyfin:2025090805
    container_name: jellyfin
    user: "1000:1000"
    networks:
      - default
      - proxy
@@ -11,6 +12,7 @@ services:
      - config:/etc/jellyfin
      - data:/var/lib/jellyfin
      - cache:/cache
      - log:/log
      - nfs_films:/films
      - nfs_series:/series
    restart: 'unless-stopped'
@@ -19,6 +21,7 @@ services:
      - JELLYFIN_PublishedServerUrl=https://flix.vhaudiquet.fr
      - JELLYFIN_CONFIG_DIR=/etc/jellyfin
      - JELLYFIN_DATA_DIR=/var/lib/jellyfin
      - JELLYFIN_LOG_DIR=/log
      - JELLYFIN_CACHE_DIR=/cache
    labels:
      - "traefik.enable=true"
@@ -28,14 +31,15 @@ volumes:
  nfs_films:
    driver_opts:
      type: 'nfs'
-      o: 'addr=truenas.lan,ro'
+      o: 'addr=truenas.local,ro'
      device: ':/mnt/media/films'
  nfs_series:
    driver_opts:
      type: 'nfs'
-      o: 'addr=truenas.lan,ro'
+      o: 'addr=truenas.local,ro'
      device: ':/mnt/media/series'
  cache:
  log:
  config:
    driver: local
    driver_opts:
--- a/docker/personal/media/films-series/radarr/docker-compose.yml
+++ b/docker/personal/media/films-series/radarr/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
  radarr:
    container_name: radarr
-    image: ghcr.io/hotio/radarr:release-6.0.4.10291
+    image: ghcr.io/hotio/radarr:release-5.27.5.10198
    ports:
      - "7878"
    networks:
@@ -30,12 +30,12 @@ volumes:
  data_movies:
    driver_opts:
      type: 'nfs'
-      o: 'addr=truenas.lan'
+      o: 'addr=truenas.local'
      device: ':/mnt/media/films'
  data_downloads:
    driver_opts:
      type: 'nfs'
-      o: 'addr=truenas.lan'
+      o: 'addr=truenas.local'
      device: ':/mnt/media/download'
 networks:
--- a/docker/personal/media/films-series/sonarr/docker-compose.yml
+++ b/docker/personal/media/films-series/sonarr/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
  sonarr:
    container_name: sonarr
-    image: ghcr.io/hotio/sonarr:release-4.0.16.2944
+    image: ghcr.io/hotio/sonarr:release-4.0.15.2941
    ports:
      - "8989"
    networks:
@@ -34,12 +34,12 @@ volumes:
  data_series:
    driver_opts:
      type: 'nfs'
-      o: 'addr=truenas.lan'
+      o: 'addr=truenas.local'
      device: ':/mnt/media/series'
  data_downloads:
    driver_opts:
      type: 'nfs'
-      o: 'addr=truenas.lan'
+      o: 'addr=truenas.local'
      device: ':/mnt/media/download'
 networks:
--- a/docker/personal/media/films-series/transmission/docker-compose.yml
+++ b/docker/personal/media/films-series/transmission/docker-compose.yml
@@ -34,7 +34,7 @@ volumes:
  downloads:
    driver_opts:
      type: 'nfs'
-      o: 'addr=truenas.lan'
+      o: 'addr=truenas.local'
      device: ':/mnt/media/download'
--- a/docker/personal/media/films-series/wizarr/docker-compose.yml
+++ b/docker/personal/media/films-series/wizarr/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
  wizarr:
    container_name: wizarr
-    image: ghcr.io/wizarrrr/wizarr:v2025.12.0
+    image: ghcr.io/wizarrrr/wizarr:v2025.9.5
    networks:
      - default
      - proxy
--- a/docker/personal/media/music/navidrome/docker-compose.yml
+++ b/docker/personal/media/music/navidrome/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  navidrome:
-    image: deluan/navidrome:0.59.0
+    image: deluan/navidrome:0.58.0
    user: 1000:1000 # should be owner of volumes
    ports:
      - "4533"
@@ -26,7 +26,7 @@ volumes:
  music:
    driver_opts:
      type: 'nfs'
-      o: 'addr=truenas.lan,ro'
+      o: 'addr=truenas.local,ro'
      device: ':/mnt/media/music'
  data:
    driver: local
--- a/docker/personal/media/youtube/tubearchivist/docker-compose.yml
+++ b/docker/personal/media/youtube/tubearchivist/docker-compose.yml
@@ -2,7 +2,7 @@ services:
  tubearchivist:
    container_name: tubearchivist
    restart: unless-stopped
-    image: bbilly1/tubearchivist:v0.5.8
+    image: bbilly1/tubearchivist:v0.5.7
    ports:
      - "8000"
    networks:
@@ -72,7 +72,7 @@ volumes:
  media:
    driver_opts:
      type: 'nfs'
-      o: 'addr=truenas.lan'
+      o: 'addr=truenas.local'
      device: ':/mnt/media/youtube'
  cache:
  redis:
--- a/docker/personal/paperless/.env
+++ b/docker/personal/paperless/.env
@@ -1,16 +1,16 @@
-PAPERLESS_URL=ENC[AES256_GCM,data:5Vt6SqefNzOKGzUaRukM7wKu7Nw=,iv:/x12Sv55XY1znKr2UFQB1Scp+T1cZBs5XlqxTNtBQck=,tag:xahglGfuW2wCkDMgX1nZGA==,type:str]
+PAPERLESS_URL=ENC[AES256_GCM,data:JODh8rdOgce1+CZf8QANKO+c4ug=,iv:EZ/PWCT43EzNwNwdzCj9Egr+2pDk+syozozgzsx1MGI=,tag:Nq7uUJ3ngUROIx2Y+Js1Gg==,type:str]
-PAPERLESS_SECRET_KEY=ENC[AES256_GCM,data:CoWplCZsHbgFPkkBDnzaPnXcq9Fv4OpXuJHs0YTLDi+MmJjK4Lpd+Q==,iv:vX3uYJ0S6lSyHW3comqum5ncXUHFj7LCdNSbRRgY3/M=,tag:gwSwk1lVmoQdgqQ38sFN0A==,type:str]
+PAPERLESS_SECRET_KEY=ENC[AES256_GCM,data:haP1VefYx/PywNdze0atjcGsPFSOoXcRp3ZsNpT0lLPR5SeUK6y1lw==,iv:O3gNPia0t2e2HDe7BPohq51WGoWdqG6daNUoUMffO8E=,tag:aZt5HVntmX45pbjoONBmOg==,type:str]
-PAPERLESS_TIME_ZONE=ENC[AES256_GCM,data:sDtE4GwXr9CScxyq,iv:7oGDO/5Dvj8/E4qzzIhncbboTRfJbTfT/FwUhF4tCNg=,tag:mEcg/i2TaCls+FgCTl6AlA==,type:str]
+PAPERLESS_TIME_ZONE=ENC[AES256_GCM,data:+UvrtDQ1EqlL0/UT,iv:UsRm2N//W6R6/gPIeULjYnyza1xcL3yoBmoVaXuG46A=,tag:VbOmuR+ZnEyPudvTxzfZBw==,type:str]
-PAPERLESS_OCR_LANGUAGE=ENC[AES256_GCM,data:ihFV,iv:+xRvsrymSIB4z5K03bU6N+pugafhvHph3epj1HTDPag=,tag:RhBA2b1q3jIhE9bmcwtYxQ==,type:str]
+PAPERLESS_OCR_LANGUAGE=ENC[AES256_GCM,data:Bl30,iv:UrDNUb/l8vSx2ebCQnZp5XI4eS3Ax6/Refw73aUfVNk=,tag:95FZOTner1Pezn+K86bQjA==,type:str]
-PAPERLESS_OCR_LANGUAGES=ENC[AES256_GCM,data:0pbc/9WMlw==,iv:HRnX25U1CasIvdU0h0G0SYvRjzzpmyPpDrcN6sAk+Ck=,tag:Ym08zaK+LqSDEafnUVvGnQ==,type:str]
+PAPERLESS_OCR_LANGUAGES=ENC[AES256_GCM,data:R4uuEaszmg==,iv:5wmrLWv1yKWciksBT5ZFxUeFUHrdJRlhHg1rZCWrkqE=,tag:zCd7o+0fm1eRKYRfNsP7ow==,type:str]
-PAPERLESS_OCR_USER_ARGS=ENC[AES256_GCM,data:DdpIIK0k5wsJWhcVNtq6w1mK2nsBlXKs/bB3kCxUe9tj7tyff2yH,iv:htcBkWENiugF1T2N0JfJOGfn2F15Ti6icf6JnzmLNjQ=,tag:EACbCMn4aZ7zCWxd1voawA==,type:str]
+PAPERLESS_OCR_USER_ARGS=ENC[AES256_GCM,data:d6cARP14FbMK0kDGxD1GqY8MIsTnINL2g7DlStzLy+JU8wxuYiwXc4c=,iv:hhff8s1ZliL3SPL0sJT6AAzVE5nyoVg5ypbtTCWbP+0=,tag:gzZajS6DOBLTVQjVaBFpAA==,type:str]
-PAPERLESS_SOCIALACCOUNT_PROVIDERS=ENC[AES256_GCM,data:vLWinFKXotVzhHqmwpJ6R93Ep44JL7D1P91DbbLcGawfl8Hx+cTtYX2zuBAzeqrlDd+pHVX9I/F/eq3sAFUJrHhwSiscPaw4lc0KWVj3yAbR6guu3ZGKLMZiltGi8adOt+ELvL4aJYNfsdcECaj71JXaqF08+DkLuG6k3BOp/5j+BRFTuAfyS8SXgSo9UTpfNqJWLA2YyNiEy1ht9sbNJYT5FbN9++ZFlJPVmJDyo/8kU2CdkowmLuFhij2hcCt/wvhQ5kjYIzr+LCuPGtF68CVChVguXxTj7w5Mqo9bkdIIUtjzubhbP7LiERE5vQdLve75ZE4mQFt/5H01qwqZkXw7DFn4sJXKQCpCyA+IanA1NO2ypd1plYiR8F+15LNtbfPuZo5hzpYdf3y1xgPrSHUMV0AvAbvJYXyDg2UprpGzxSwLmskZc+4Dqm8ZfTp8IdC9RvETets6fA6t1ucnYFbEB4t0RfF1wzI93m5acE0XvDe7PvnW9X10XDwAhKV6EY9V7OktiL1/swO7MxI5qV6NtxXMMg46V6l/63k5GDmM0FS4Sn9BeIQ=,iv:JwSeogftyoa4k0kQAf63nnoqbIiHWH0Iwa83Nhqlx9Y=,tag:9KrbSxSmN1CzqnVxcsvPgw==,type:str]
+PAPERLESS_SOCIALACCOUNT_PROVIDERS=ENC[AES256_GCM,data:uRfd5q+qbdMrXH8t/y2SpBYAYwfiUqukvVgfo9M8QOPQSugW8rfd2clOnb8xAyTqB2yXEOxdAk9KhqJqtK1gNjmYit9Fb11OVmlC/WflvRqofc9PcpPR/BwjVnnqLzISJ80gNP198jHQGx3Qd/sA7PpLuoVi3o0ZinSm1ndmtwSI7aKNd7aUJhsTWzfkzgFwThDmANDhiFVSqP3mlVVDVDBrfX3oL5f8cL8vtkIOTs/npN3fuyOSuGIgx9z5YjomnY8R0oSUUJ3mL5fekSfWkLTOg9rr9xsP3X0/a6Y2OK6Yz0kdQ5NcIsxXyzh2ab6cYW68uVsKWD7QjKUfS0nQCSJDo2yvR9vDAa5TKOQ182phWgi2V55mXLOS9S8rN+tHvu7KvEWOaEJpDgHpYN80c7O8PFD/mq84IpknDaQ52GX0ediVIaEK/q0MlWnCWjun6AB2/in+/vm7bo4iMc1UXLMcAywYLpTmt6yFznDoj8INtWTczx+7uuGyAbdkhwwSmrzQl2n2NtueTtPTe2PCdfwpb1nZjN8yfcTPhvjTUoqN6LLQ+aRPdd9xPQ==,iv:V2AXOh5lRgApSCyGqmZ1zBnnppndFWU5eG/jngaKQ7E=,tag:+hHb+io54meKYWQDuAkjpw==,type:str]
-POSTGRES_USER=ENC[AES256_GCM,data:2IkvrQgFYj0v,iv:YxKokHIOsRhgRx2XZsCYsjtJwW0yOx+S5HKKiFQBKlY=,tag:HI4aSRYp7GotOXeF8VBHQw==,type:str]
+POSTGRES_USER=ENC[AES256_GCM,data:YqX4AEq64Sg8,iv:FnMj2DSIVtJlTDInIIABeUV+WgnGjDXtMcKPKpgDw4Y=,tag:s90Grdon0X90h+JOJ0VjVA==,type:str]
-POSTGRES_PASSWORD=ENC[AES256_GCM,data:8IiqLOi+Xoln,iv:9zLPLvSe+7FjjunVQvcn5YiejZj0wN1mQu++B2JPy9o=,tag:HRIHXlmYTPCSaZ5BzPA/aQ==,type:str]
+POSTGRES_PASSWORD=ENC[AES256_GCM,data:4OAmFMXX0HOb,iv:D8ESA3pLlSZVCc7FsT/DNeXRJ7ew26r8cJN7we5Yads=,tag:BGmx/Y/10PTmYaAB5en5yg==,type:str]
-sops_lastmodified=2025-10-08T19:39:41Z
+sops_lastmodified=2025-09-23T16:16:55Z
-sops_mac=ENC[AES256_GCM,data:bjQBttibD3m6mjiDtQ/RqfSc0rt3eV/ip+UUzwF45k/+akQCM+kAvSVFiICpRYLQd90hGDSJJytGze0YQBIYS58u/PXovqT+BmbJ5S9jEVwDUnAnFwoVmuGI6dkorCGgLZFxbj/Vwde5v2R3K7nMTyPC/5EJPd4R9gZLgT8/+Bw=,iv:tyyjQXpBEDb+KOEFRNPxUIcEcxYAM+qw2pCyvOltuFE=,tag:xPfaZTAi1Sd0RW5PN0iKog==,type:str]
+sops_mac=ENC[AES256_GCM,data:ClQM+7txITye56fRWvnrOBRrlc2KnVpkE/2Wo79bWjv+/IhPZHymRIhQGTGpYWrH2RTX05K16jBoUKJBF6yoKybjLOrtBJgEGMe1W+0wXO+yk5gdwyEnTRZ2l03gUmG57g5MaQVbFVFAY9Vb7ksE3R0aduy7fgqrdP0QZc9MUvo=,iv:nGonrKjKW0a6qHxOj76mrfbLystM7Dj/3v5Wsgx5Kh4=,tag:Mkz30qB/9NRawVkz+zdkDA==,type:str]
-sops_pgp__list_0__map_created_at=2025-10-08T19:39:41Z
+sops_pgp__list_0__map_created_at=2025-09-23T16:16:55Z
-sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//WBbj9C5n7tOL8HBWRiiwRHS8nE3XWg7rAROnvEaD5QuE\nEubGw+PnsX3nSiv07Th23dN24IqpgLqz9grq1s6WDgRgQAFqu2f2FTYmIvcU/mko\n9I69i1E8iSYIvfRmReOn3L2GlhQrADYbCYC+mMEAXJtTuJ44KP0JtGTFPP0+m4vb\nspuuebFeES8cVsk2RPuRUQJC6uSk0E78ZaxMWgZm6P/6bnRwDbn4OE3NrQbkvhvn\nKupR01MQ7HAZh5jVi73aVnY0wfxe4fDToef1bjiiZUJEwJ57oKhOmj5EYlTurX0m\nzraNkpDIWQNJnVlMgUEOclmrnL0uz3wkaqu8BoUkyaWAJS2f545amJNUBO23Mogp\ng9VgFeOyivM0xx5JZAN2LRkK5CrpKNpjXYtFzGkxKZxAAs4iyrUGDecJtfZJM48M\ntvgzbL4jqJu6rrOH27e3F74HyEmX+f1sIJMSnvanEiyYxIpdbvMc8+ULtGzpsdUd\n4hQ/yYKqEkecyKwjPEN4OlAI2LdokTxeYOszjJ7iBO1jE2D7e3hgzpjsGZmj1i+J\nzTUGUSAEgfd2w+/xfYzWttMysthrGa0MMwEeKYttuoZjIJ04IDB6JBQWNWxbfGpp\nXlNd5G2+xrGl2oaYzc4fAJRZoQZRWgX1Dy78cvRm8OIUGJucz0cZeBPiI3/Ny5/S\nXgFC/aC1TJBNvFC/60oOrerjzf5LVrx6O3zevs7LCrVVq0iL/xSSU+DnTxdczKPt\nKh9x1LMKUQK5cnMOdoWt78uUNmLkKiSkht43ozLcqvb3cxgRyoSlMP2lvk9YWx4=\n=gnXz\n-----END PGP MESSAGE-----
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiARAArI3sIJzb+xpElZlHYKe9fHFcjLuGi3lN00imIgyDv6XS\ngfOkGTNE7HXLbGmH4cYqcr6TSTDLsWE9H46++jCWzOyCBZ0l+c+So8ciBs9w/YUG\nxZlBjpW39xKyPS0Oszuj6q6czFdyHw/+yDJh/dbZU3wJF5jQlorUqIZ/3fJRXxwY\nte7y1u2AZJT3RnaRjIKW6snKpQY6XiWglwKBQcuXtfz8zY63DXNDf6DfUZRquV42\ni9hFGVuM0iGvrEwe/xAcuVQNEC1i19SS2wI6DdyRY1WGzNzWmeFTGR6QTTw2Mwmr\nOPI8WajPwOuvHYrQr3+YP9bUkAljiKEDeKd/434C/S+jCcSbzqnql+MF/r2jO+bc\nS+FaU+sI0A+ICxHHXzyvRy6iC4+UjIC14m011w5HkhBDtfqGFIkr898xB3CGmTpt\nLjBoJ336KpD8QOYuK4QXLiOcy8amb3KwwWwpZrBL4hgQnsr7H7uvhz9T2Y6DCmMT\nDFmq275urc6R2NV6ktw67EiQanx6FBlHPSJi75YlEXswCD4Ryqm0Qjv0ICu/8yQ2\nVxI69woI455jZwYWNH9nRMFdlXVeA5gqj5Kmb+6aSYAdoZXKgkJPgryV4g6PalIS\nXwCLRMOne2xXDYgklXJyO67SUfWoERB2bQmVIrkGKFXEKdu4BmRJKCszHj555gLS\nUQE1oBpdIW426IYxES09Fh9SZwvbPDcUUH5iomJPMxkQEV7vrzmEhVOwGg81MxVB\nWjWV2zAdyJpWrqyEqisTnMZlLnc3LwyAraMvybM0SfTP9g==\n=0EsL\n-----END PGP MESSAGE-----
 sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.10.2
--- a/docker/personal/paperless/docker-compose.yml
+++ b/docker/personal/paperless/docker-compose.yml
@@ -16,7 +16,7 @@ services:
      POSTGRES_DB: paperless
  paperless-webserver:
-    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.5
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.18.4
    restart: unless-stopped
    networks:
      - default
--- a/docker/personal/radicale/docker-compose.yml
+++ b/docker/personal/radicale/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  radicale:
-    image: tomsquest/docker-radicale:3.6.0.0
+    image: tomsquest/docker-radicale:3.5.6.0
    container_name: radicale
    ports:
      - 5232
--- a/docker/personal/syncthing/docker-compose.yml
+++ b/docker/personal/syncthing/docker-compose.yml
@@ -3,6 +3,7 @@ services:
    image: syncthing/syncthing:2.0
    container_name: syncthing-valentin
    hostname: syncthing-valentin
    network_mode: host
    environment:
      - PUID=1000
      - PGID=1000
@@ -11,26 +12,16 @@ services:
      - valentin_documents:/valentin/Documents
      - valentin_photos:/valentin/Photos
    ports:
-      - target: 22000
+      - 8384:8384 # Web UI
-        published: 22000
+      - 22000:22000/tcp # TCP file transfers
-        mode: host
+      - 22000:22000/udp # QUIC file transfers
-      - target: 21027
+      - 21027:21027/udp # Receive local discovery broadcasts
        published: 21027
        mode: host
      - 8384
    networks:
      - default
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.syncthing-valentin.rule=Host(`syncthing-valentin.lan`)"
      - "traefik.http.services.syncthing-valentin.loadbalancer.server.port=8384"
    restart: unless-stopped
    healthcheck:
      test: curl -fkLsS -m 2 127.0.0.1:8384/rest/noauth/health | grep -o --color=never OK || exit 1
      interval: 1m
-      timeout: 30s
+      timeout: 10s
-      retries: 10
+      retries: 3
 volumes:
  config:
@@ -42,15 +33,10 @@ volumes:
  valentin_documents:
    driver_opts:
      type: 'nfs'
-      o: 'addr=truenas.lan'
+      o: 'addr=truenas.local'
      device: ':/mnt/main_storage/valentin/Documents'
  valentin_photos:
    driver_opts:
      type: 'nfs'
-      o: 'addr=truenas.lan'
+      o: 'addr=truenas.local'
      device: ':/mnt/main_storage/valentin/Photos'
 networks:
  proxy:
    external: true
    name: proxy
--- a/docker/personal/tandoor/.env
+++ b/docker/personal/tandoor/.env
@@ -1,18 +1,18 @@
-#ENC[AES256_GCM,data:+dgva36e4X+kOQD6Lg7x3wN297bxXPWGm+yTqd7GuLyo3R0Ldfa9dELvEy86vqZcx6wVGyPfLZolf/7+1aZ0URQ8yyU7iinQLZRfuQ/i4zE39Wg+ug==,iv:nyTpn5naWcXC3/+2d5o84ttMKHKPqcdh1eW1Qhqu7KY=,tag:EMX20dvxj2xXxOF/uhA+qA==,type:comment]
+#ENC[AES256_GCM,data:nDJXRHo16C9LLtA8cRUD7Pu6G9k3z/JPMQyWh/sXmrYig78ocFi36KzRNut8u4gRDml/ykgHlLm94y1K5Gg4eHsaAi5Stk4CrPyPus/hDgd6nB61BA==,iv:y4BEf1FBUG5QSa4edDYFYczU9WUi4V9gqnC1NLcOYtU=,tag:revz/um+XirnUUxEY/hyOA==,type:comment]
-SECRET_KEY=ENC[AES256_GCM,data:MQpLChGTbmiTJn1A4ujjs6yTi09Agip/0J3eT7SJ84qcgAgPV28l8RR5d1JE+kLzaEQ=,iv:00k/1vrnTgEG//mlrE8TAawDbyhMuGh3zuxxhHsLuEo=,tag:4FsnE6GRvjR/bRZfqaI1mg==,type:str]
+SECRET_KEY=ENC[AES256_GCM,data:OmutGAIPHz4l3oLil7LNGdY8Cv82B7dNrkZFoQn2GNsYzSOZoj7nge+0SieKSTqyob0=,iv:NiifR5odKEgXkfsRjU91hP0wrcLf7n10XiekDkKSnTQ=,tag:yZZ3LNr6FA6Xv1t+bwBJJg==,type:str]
-#ENC[AES256_GCM,data:D9iipG6E4YUxpzUH51+6A4KFYAPPneU9AYSzNXhIK+asmUsk3ogN8QzncjTKUFeJ3IBRh3vR8q/w3bR61ATbMWq5Dvy8UV8RKI2PpKNdV+I3kTtkHF28dMpg1D81MDrZv3XG5hWsNoxuRIMXTl/ImHdb7OGt3E3Yjw==,iv:iBBDh4kuob1AHW+ztSPoMP/wgHECAUsb07GZjbbUYSY=,tag:7kOiSTYrK6hE7E3f+ZOynw==,type:comment]
+#ENC[AES256_GCM,data:4DaWj6Y1scTKoOZwkGcU9GmnXvhzxRJO3PyJvkfzlO0WkjpprRjYo5P95ZdlnZrk0M8gGHZ2zuxwm8MNxVlw8dKwdAFubTPbeTpasa/XoAFZciZgXBWmv5DLLyQ/yXP/e70mSWKYpmj8nQ7JkBoYSXwMR1mntbRSPQ==,iv:hBRikHT2RFxo488HO2WF5M8AiTHhQw/eTZoQqaFzH8U=,tag:RqwEf0QmbFfiXsMf9tZdiA==,type:comment]
-ALLOWED_HOSTS=ENC[AES256_GCM,data:fA==,iv:P7zb2UFzhOSZfBbOdXmgZz6vMAYC2UzuGVawxsfoTcQ=,tag:fhHBI8gXTXrK1eLkbZNPbA==,type:str]
+#ENC[AES256_GCM,data:FjSYK3tDKa2BeY/FUBye5wcXUjEJaAxQj7Q=,iv:+rkQmUPVOte+9W1r0RzcZl3vwCva6ONUPGwl8HdwgSY=,tag:wox8uewK5jGxBSDT87NBzQ==,type:comment]
-#ENC[AES256_GCM,data:iXUhDgm3Z7TOmuGpcoK67XRRQgwZ7gFkXR7gGQusa62pS3Q6qKkj6JzBikbgZG9d6cEpI7F00odoi2+leQoKAUCiuUkC2t9l2Bp194gJ/yf4t7HDnIpKrR+HamZh4cA6VE5q523KqVnIfSVwKzFI5KQ=,iv:QMKkjhQjA2tTOp0sdgPIcmuecHr/yQRudg14LBn9rOo=,tag:fJ95+YsKHYHWUhFPwGh1tA==,type:comment]
+#ENC[AES256_GCM,data:O/Utl77r6zCAyZpOwvXEsuNCvUN9/Uw/bz1OOHqYI23CHJxjU8bPUgnGq2F/1Y9eC+1NheMATcgEOsx8wZVNm6707SwylRXbBLWASAJY/U4oLgm2tKLcMLd8yU9Sulp65S2Iwu+LwK8f8PYMWFZRCAo=,iv:IoI9vA3PfT/GQRQn2GRpLF7WMSdFZ44z9Tci646jm0E=,tag:IVddJQwMQ8HQ0aiPEzQcZA==,type:comment]
-DB_ENGINE=ENC[AES256_GCM,data:sAHT9ykTS/fRJoGll7zbtC0f0OdolH6KoKlV5ZM=,iv:7NjD60gemxVE1IGGiX2y3qrV+C7Q+oVw+3ihgfLIYQQ=,tag:T/SCdnvjoHRTujw84tUQFw==,type:str]
+DB_ENGINE=ENC[AES256_GCM,data:YCZKf7/riM43EVwI+OC7ZK3zhSB+o1KPsZjML6E=,iv:+MVjA3706QwHE60PrnlmV5TZauZ4oiMQ2szY7d4BH4c=,tag:uR3+At7DpSi5lXxL1jGAMw==,type:str]
-POSTGRES_HOST=ENC[AES256_GCM,data:6bLRvIaWAsXuvA==,iv:M/FHf+b+RBM5s9FkuoHfbm92G/xd1nHX9ybFKgcU+r4=,tag:RdQ03UD018Sd6871IXHxbA==,type:str]
+POSTGRES_HOST=ENC[AES256_GCM,data:MEeYiNliMe0QPg==,iv:MGrySxMuVId7TUSHlMxTWfZCwQkWe/7Uzb05je+z9AY=,tag:R+neZ6AV1PmunX8SpEE+nw==,type:str]
-POSTGRES_DB=ENC[AES256_GCM,data:+l5L7LFB5rI=,iv:5dOgXGEz0NhlGc7EoseT+vqGMP7qUMHVrZtZ04saYv0=,tag:O6H8JEcZLyyHzmuLZEj0JA==,type:str]
+POSTGRES_DB=ENC[AES256_GCM,data:Oj/x13nKqww=,iv:CRX+KCvdrtMBuyQoM6lYp2jPoX3ynpEQvNvG8vVDER0=,tag:hHTZs7nyRHYbKPcwkpkLbA==,type:str]
-POSTGRES_PORT=ENC[AES256_GCM,data:moVL+Q==,iv:Up9P2BSQG0LRg7dpJmKcM9XVv8U0LwVmR1OT5IiRsjU=,tag:O+oVY2u0Z/nua3JPctqKRw==,type:str]
+POSTGRES_PORT=ENC[AES256_GCM,data:xG6OMA==,iv:RAaZMnIraUD21fz850vSrAAKr2Px8XDWT/w0j1I2KNk=,tag:SoOCZcumwJpp/OdmGnt2LQ==,type:str]
-POSTGRES_USER=ENC[AES256_GCM,data:0pvImCp8YiGwHw==,iv:HeMNTkjvj7Cn0e97sMQQ6rD1chMCq4SJYEw8ey9NzrE=,tag:szRIG56Vw7xpC1xL63l7sA==,type:str]
+POSTGRES_USER=ENC[AES256_GCM,data:CNr2sdWsOW9Rjw==,iv:OyyxMOqSfY7VGgw8gvKetbKsz711rqsx7q2q2NCgzEk=,tag:wee12iH0niPk28HhKLmRxg==,type:str]
-POSTGRES_PASSWORD=ENC[AES256_GCM,data:9eLbXMxp5fqmrID0bYMSzA==,iv:q6yJOYuivGX195TUItFFMHhDLOHC1tDR8tb47UqKsiU=,tag:09vvc9Hqjkj9O4dI95rcbQ==,type:str]
+POSTGRES_PASSWORD=ENC[AES256_GCM,data:mSUfMvGV/iInGeQmsu9TQg==,iv:XbV/XUHwKOm7khLibuTbz8P8KfnEz6YMHPWZndqzXs8=,tag:YDL1qbNq2b9WX1cmDyt88w==,type:str]
-sops_lastmodified=2025-10-11T10:38:59Z
+sops_lastmodified=2025-09-23T20:49:33Z
-sops_mac=ENC[AES256_GCM,data:1qRH5pTYnVQGt4jiqQH+bkiW24yRtWkZ2QNjNKtvNctaMEcR5J8yNOl1/aak4zswMsqUqWaXtbLJ2DR7I8FcehrxRUXnAfI4g0xekd7+tcZdsN1D0SKSBi3yk7J0rTTL3vRnZUzjdEEf1RSRf5LSjxGS4JbRqPVfhiUWRUVBKHQ=,iv:x6FqzR1EFUyLEumhAG1Yvz7c9RjlBkF30xjE5uBKyoQ=,tag:CzXuPzmZfn09A3m287JsRg==,type:str]
+sops_mac=ENC[AES256_GCM,data:mlwYhfyGIxuupvhRT5eGP+QcVoI99uw69s9ud/QYogCu8WstXsJAIsKjBZu1dlxfs1pvTN4ehX966yFfSkRNeT+UcIPHbN0UK9Gnv7CnO3AdF9IxJy4RJ607LAFeZVVobY0E7LjNyeD9Gt9UiAb1U+v5yF4XVm7A+2OTvSgBUos=,iv:Y7Vmy92yfahN0o+kNuAhGD79acY1adq859rU8hfYVMk=,tag:srfdmpfsDL7o+Su+F4zTSA==,type:str]
-sops_pgp__list_0__map_created_at=2025-10-11T10:38:59Z
+sops_pgp__list_0__map_created_at=2025-09-23T20:49:33Z
-sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//VJRc8ou8YvhhfoxG8vrJX20nWbPLSWsU60Soo3BBcQ33\n/NZVkYY8jtyFJxOeaARewJKK4umSKUQovHj3KgexMrTZZk+vG7wByhBD6yX0Yonh\nsm2Z9CdbOdNizg8FyBD0iryBpBRPLGp5Z2gJlM/DwAAwArOZzb2oc+fq04YrOZVO\n91/mSoDA4McVkUMH/RdBxJz8eKIVAuUtEkMHysoTs3d2HOCFkzi5cezXpNmnfzvc\ni3BPOa6o7ek1u8TIG3rXODm274atMqFaXnzPn8yWZDuqZLrcz96b/yIY89Yd6LN2\n6ZMUyeJop9FY0w6OSZ9qdLT5EuwRm/LnFRcEb2cBXXFgTHz2TpXoGQXdzJM+TFJ1\nFg2lnNxb/vxPzFrTG8cG6dtuZr/YQKRnpK/MHJ2ZlCc1hUuejmSqkMKJS05zXXOT\nS+6F/i1p9+XYTXt48ZVLDubDTqMXE6CyXX86Py3bueVvg8nysWfRPyy1ECC2+Anx\nd0YcVxpj7Wlm8Rql5pNJZJ/jj7EIuHW/cbTritWz5CAr8pYlJz/JsICi6uhMIOP7\n6Ocj6UCD5TEOc1iA45NT4f1BSioODh9n7U945npcwiPWeRpJKDTcVXlw2HJRvOE3\nHF7D+dxde3ZePkkUb0XhZWmWlvzRuuM2Ur9aztUZS8gXHEwb3V/zlH4HXvhl2tPS\nXAEh8gKTyF69pY4RKc7/p8zp5mGdybuCT4XChA63nndi9WyopJt4cul4x9oKPsE+\ngDXrllyrZsRmRAAtTcl7Gl41Il4YeBzop8u5/3qZoAjANrnFlJI3NOAL7SuP\n=7kXM\n-----END PGP MESSAGE-----
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ/9HEiC8UWx+wNWy6peC+BBSG1eXi4NPHgLSxTVn5s50s1w\nXrddeGGNLJ2RJxvCbKEk4B+Q3tBguTyip97Awex2Xwsl5deTuFmxJDO7fGFxAgzK\ntRIo3dJRisSAArcUj0ElAhgxZpAoFB5U6VY9cexIjE94PBbhHo3zlcd3dSgv39v9\nJOYYy62k6MzwjIHwdS3d/oKn3tDqx8D+WQXEMEPRlyM1ptrODnxqiFu3iAUCH4SS\n97GsHsVCmvKL6O61raYa+Kt5BoFgUem2rXKj603PW7iL8Q0wdIWCPC10v4XUB4N/\nfM30qi2tPmObGkbBMnA/8VRYv9M+gUi0PBKGstuxjs15/ypJTEm4p0aTsySmTF3J\nq6YKJmZAG0fxUkdIdV/CJKNRoTpgviPHfm8est9vZwB3hbs8N4TOY5AgHMHRygbD\nhUFR5vhhqAgI0qs0BKfCjVM2nHx5h5tzxqr2OPSn8zKKDJY8EozdFvmPz6PRzEzJ\n2899UvJ1rX34zKOCxOeKMurW0BNjpkIh1Quke/Ob8F0LygAekbZJPP1fbZIQgzgz\nWSxyA2RZEdI+Rv6Z24P0VJRzNzk6NkyHVe93E/dK2ICHhUz6xd+BMRfEi38LkQ8C\nhGb/iU+eLOhtVvmcSq1/R8ezWmAo1/VjeqYgknMdhO+H1SDcUhDLX2fcDrqNv2jS\nXAEM9LPeZI4k9moLKiNAEcJe3AH/nN4GaXbDVO2UExNT12C1xd9ODqv+9aIqdOiu\nqFRxpSUjPFVgLdGdLvsk6MzXsMbhBpNSrWwYKBPA895lzKgB5b/UwQk/rnmY\n=grEF\n-----END PGP MESSAGE-----
 sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.10.2
--- a/docker/personal/tandoor/docker-compose.yml
+++ b/docker/personal/tandoor/docker-compose.yml
@@ -9,20 +9,32 @@ services:
  web_recipes:
    restart: always
-    image: vabene1111/recipes:2.3.6
+    image: vabene1111/recipes:2.2.3
    networks:
      - default
      - proxy
    env_file:
      - ./.env
    ports:
      - 80
    volumes:
      - staticfiles:/opt/recipes/staticfiles
      - nginx_config:/opt/recipes/nginx/conf.d
      - mediafiles:/opt/recipes/mediafiles
    depends_on:
      - db_recipes
  nginx_recipes:
    image: nginx:1.29.1-alpine
    restart: always
    networks:
      - default
      - proxy
    ports:
      - 80
    env_file:
      - ./.env
    depends_on:
      - web_recipes
    volumes:
      - nginx_config:/etc/nginx/conf.d:ro
      - staticfiles:/static:ro
      - mediafiles:/media:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx_recipes.rule=Host(`tandoor.lan`)"
--- a/docker/production/alexscript/docker-compose.yml
+++ b/docker/production/alexscript/docker-compose.yml
@@ -10,12 +10,12 @@ services:
    ports:
      - 80
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - reservations:/app/reservations
      - selenium_data_02:/app/.chrome-selenium
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.alexscript.rule=Host(`alexscript.vhaudiquet.fr`)"
      - "traefik.http.services.alexscript.loadbalancer.server.port=80"
 volumes:
  reservations:
--- a/docker/production/buildpath/.env
+++ b/docker/production/buildpath/.env
@@ -1,17 +0,0 @@
 ME_CONFIG_MONGODB_ADMINUSERNAME=ENC[AES256_GCM,data:FdAhZA==,iv:YXd83wy5lKSybwYdmhXA2DwbVnffX/6R7gn3doDnI1E=,tag:BLYvP9IFNky37COZOgyJvw==,type:str]
 ME_CONFIG_MONGODB_ADMINPASSWORD=ENC[AES256_GCM,data:uvZn2q5dpbc=,iv:4ExRNf2gYK1W/VMKrcXNO5kPKjJmxml1uj44j643mvw=,tag:Xf2wKugbuOU3GlPYlLttIg==,type:str]
 ME_CONFIG_MONGODB_URL=ENC[AES256_GCM,data:porEOpLQZF2J5pvRaktvnoh76MhfjBZ3PN8dNwhNAfKs8ipO,iv:7kl+7+C1MaOGM0Gu0jzJEp1Wvl/xz0i5oW5U8EACMKs=,tag:3+xIM62x+2HMA1AggM4mww==,type:str]
 ME_CONFIG_BASICAUTH=ENC[AES256_GCM,data:lxxYUfK5cA==,iv:hbw6UUCxTZ9h+XJd0Wesz5T3L5MkBc+JA0SNUogtsOE=,tag:gCyyA6hOIcIvs+HyeqKs/A==,type:str]
 MONGO_USER=ENC[AES256_GCM,data:osGR9w==,iv:648Yv0sPTvq95q0jcRWSD14HZr6tN2I4ffw/STe38xY=,tag:rVK7sBlAuhsisPPyfnIPMg==,type:str]
 MONGO_PASS=ENC[AES256_GCM,data:2SloANMJ1mQ=,iv:PK2LyBfivEH1EjtRk76BPlnLXfAykC/F40skCeoK7NQ=,tag:JEZXKe4gNj36yLX5wlW5tQ==,type:str]
 MONGO_HOST=ENC[AES256_GCM,data:fwvt86U=,iv:YJam2joeQkaVCFUPpc7sPw6ucHpTauiJzC754VsgLPY=,tag:nUQVmxsYbmhlWwz01kHpsw==,type:str]
 MONGO_INITDB_ROOT_USERNAME=ENC[AES256_GCM,data:dSNu/Q==,iv:jJYxTZw06/npxgw5zaS5SSC4LyGzr/TLdu5JdDUtqFQ=,tag:d+q5DLS6AHakPnk9089XpQ==,type:str]
 MONGO_INITDB_ROOT_PASSWORD=ENC[AES256_GCM,data:uD3YRK4xCx8=,iv:jJVjuUBfDuiWa23UGa/n2z0uAkbr4N6Zo9Ee45R1tTs=,tag:RBn0jse9u795RHNc09cBqA==,type:str]
 RIOT_API_KEY=ENC[AES256_GCM,data:E+w0JQlYW7Bjn2wwnkb0hlYmq3ZteS2LB4NWo2l/o+30+uOTAYzpeDgy,iv:xPZmat+pexxgYxqlkBLlD6sorxRpPlBcwMbo8QDFwjg=,tag:5Loj4AGmr13HGKyVbDozqg==,type:str]
 sops_lastmodified=2025-12-31T13:08:07Z
 sops_mac=ENC[AES256_GCM,data:h+aeLcXC3s8gcIlwrU7fHwGIkp1caqMqJcQLdQmFnrtlP9gmx1iOZlZo8yRC8m+imIezhLfjI0yfHdPjyfxw9KTeNoCjNRKyDGfDhbHr0vfPQsrifjeaZj477634WA8MVcL8HrfVwZIHjh+I3fcgVI0kFbcI8/3lkEws/T4oD70=,iv:lc8ltcjngeHueLgXee539iIpIMjvcJpUAec1TGmJuY0=,tag:FkwHdQ0C4QxObEQFL6aefg==,type:str]
 sops_pgp__list_0__map_created_at=2025-12-31T13:08:07Z
 sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ/+LVciLRpDVh/AlYawgSfwVs8ltal1+3MCHYhdwjFAggJ8\ng6twtj4szAVR7UbT0Qh2hP+my7KLLN1K+Rv/jnsXPhOFo0o8AB0Un+hCFB1i+KLd\ni6cWbv+jCqxRALf98TYe0xDMIfoPKXaIYjV2qlYmGWe3/Sd2+7KbwAKZCehZD1jV\nh21YVeVn7dlv3zPAp5mpH+6yPMp3ZSTAYa8MkUnnS3cUWlWSMHsGwlA9CUvJtKaz\ndkW6n90zEGJrfb6ATH2dPJawWNOp0q/Gcx2uci4Ro09U1jOK7ugSDWxjGOuV9TAL\nYsRYz7LH5yOLpz9HlrZH882SJWZS9xoEV8jOZN1I3NmtJY1KsgAW3BFEsbCA58Q5\nTZFKhH7XK9FW4NbRzHYxHCCZSfGtBCQyUpusGALXnQmkKHJ4MlnrxH9yBX7Go8ph\nCqQ7gvBmNjUZrgp+VWb8+ziDCfYbZDADV4cva4STcjnmFxRiFO1xvYEJpEo2H1gK\nQcMsOruazL3UGkZxWh2Od7bi1K+2Io/TNSKMTboTqgJAOcMO4Ssxn59yYhfDdS2i\n8/mlv4ADPOL4be1400/Tp33QpPnRojyJAM9b8IdJ6ahevVGjGuKPuvrzDs8lYwht\n6eKrbV3mHBv5ZUvSmeTOIwxE8moePDEkUrr3HCfxaaJcMrcjgSkGhCCN4KHbj8TS\nXgFGOX7/BZNOR1SyfBY1gc30Vdy3d7513Gpfcuwsd7Rc+0Ue+p4ysA3dBp+KWhVO\nPkfwdiVFOOvEPoUoanyUqMlvj3ENabNNmHc8jZ23FRxtlfbcyecTT+uckRXgvpU=\n=5/Ac\n-----END PGP MESSAGE-----
 sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.10.2
--- a/docker/production/buildpath/docker-compose.yml
+++ b/docker/production/buildpath/docker-compose.yml
@@ -1,57 +0,0 @@
 services:
  mongo:
    hostname: mongo
    image: mongo:8.2.3
    restart: always
    user: root:root
    volumes:
      - bpmongo_data:/data/db:Z
      - bpmongo_config:/data/configdb:Z
    env_file: .env
  patch_detector:
    image: git.vhaudiquet.fr/vhaudiquet/lolstats-patch_detector:e0a39dab0a5130d8f98e956e3a1c5676410b2d25
    build: ./patch_detector
    restart: "no"
    deploy:
      restart_policy:
        condition: any
        delay: '0'
        window: 10s
    env_file: .env
  match_collector:
    image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:e0a39dab0a5130d8f98e956e3a1c5676410b2d25
    build: ./match_collector
    restart: "no"
    deploy:
      restart_policy:
        condition: any
        delay: '0'
        window: 20s
    env_file: .env
  frontend:
    image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:e0a39dab0a5130d8f98e956e3a1c5676410b2d25
    build: ./frontend
    restart: always
    networks:
      - default
      - proxy
    ports:
      - "3000"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.frontend.rule=Host(`buildpath.win`)"
      - "traefik.http.services.frontend.loadbalancer.server.port=3000"
    env_file: .env
 volumes:
  bpmongo_data:
  bpmongo_config:
 networks:
  proxy:
    external: true
    name: proxy
--- a/docker/production/vhaudiquetfr/docker-compose.yml
+++ b/docker/production/vhaudiquetfr/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
  vhaudiquetfr:
    container_name: vhaudiquetfr
-    image: git.vhaudiquet.fr/vhaudiquet/vhaudiquet.fr:93dda1dd8445d885d96e8d3ec5937492a620b0d0
+    image: git.vhaudiquet.fr/vhaudiquet/vhaudiquet.fr:latest
    networks:
      - default
      - proxy
@@ -14,7 +14,6 @@ services:
      - NGINX_HOST=vhaudiquet.fr
      - NGINX_PORT=80
    volumes:
      - files:/usr/share/nginx/html/files
      - public:/usr/share/nginx/html/public
 networks:
@@ -23,14 +22,8 @@ networks:
    name: proxy
 volumes:
-  files:
+    public:
-    driver: local
+      driver_opts:
-    driver_opts:
+        type: 'nfs'
-      type: 'none'
+        o: 'addr=truenas.local'
-      o: 'bind'
+        device: ':/mnt/main_storage/public'
      device: '/app/vhaudiquetfr/files'
  public:
    driver_opts:
      type: 'nfs'
      o: 'addr=truenas.lan'
      device: ':/mnt/main_storage/public'
--- a/docker/tools/hedgedoc/.env
+++ b/docker/tools/hedgedoc/.env
@@ -0,0 +1,11 @@
 POSTGRES_PASSWORD=ENC[AES256_GCM,data:naUGUVMbgkNSbblt,iv:ao/NeYM62PnViWtNfWlobLcgZrf/K2cQV3FXJR+TidQ=,tag:MGILTlnyfy8itf1cjHkfMA==,type:str]
 POSTGRES_USER=ENC[AES256_GCM,data:kXeEALbz,iv:VgUHRsrMQoMxhPMTrbteNGbfSFSuKR0VZkdeWY7eqZM=,tag:t2Q4I0wIGsaYiHcQkZpnRA==,type:str]
 CMD_DB_URL=ENC[AES256_GCM,data:Z4gMf/68p4vNL9zv5ygAUHENAhO51lJEnN5xhEsr1yv5nQQUCcrgNwE6swxV8EhMSKweuaiIt93ybgbu,iv:rOM6DJp+z31sEYapFPuhfOL5C+Ot7PDR2GnvQkIiTuY=,tag:lC5AkC/i8/a0Q3Ou/GcByw==,type:str]
 CMD_SESSION_SECRET=ENC[AES256_GCM,data:2k+ctM/7j/JhXMzLaI+x4QMzyyHf6tJpjrQ7rLRn896h0g+5P3AB6DfUbcmdWbE0ab6AkSuUm7wKcEKFwZrDwg==,iv:JdLg/9yUstUaeoaMvPknTYInq+t+AjqhP36olCKVeXg=,tag:3dIGzKgNOJu8xX6vR4ruqw==,type:str]
 sops_lastmodified=2025-09-16T19:22:00Z
 sops_mac=ENC[AES256_GCM,data:TLX5aj8DkvlLcub8oLgYzpPM3/JkSejZzc96NVB/loOvPmbe+JWEHs4ZHWhxLW9diL8cP5a6hfRAlIsXknXG7I8TN/s11+z77h0wwVQjKk25WH5rZ5REJrz3UCa/QNkMCozFARM/rQH1WoNBHKqKqnj3z6OlntNdWC4y/E2PpDA=,iv:JZ6yVv+Rjda6KBh6Ubdggq+vmrGE4AOBMZPKPYqOwLY=,tag:bO5NgxkeSksqqiho27BoHg==,type:str]
 sops_pgp__list_0__map_created_at=2025-09-16T19:22:00Z
 sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ/+MKdgjEQ9YAAK/6cvFuSSHwkLCiGhwhQyYuL/N4PEQ4hi\nanMMlvsAY5R691OMGi1hmSrmtm5DJuO5Ol9/Q3v4nPLuF4cvTApA6t0uhEmqPrWu\nKQc0vvakPUoxbi6RuiCiUujyh/kVaJbNpOjqGPiTAdpHxfqjTRwT7qGwOKFKLqcE\nwotXc9zCMu8tj1X2hpku5kIL2b3b6yt5tSNtrua/hjo05Q9SJmO1qOa3YRo8g5/R\nbwlqMDe5qzaASV5Tsu//P1uTpq0/MI8qhrJmYOdCY9swkYAOzpap6UGhvjbxLHwk\nd8g4YNEt+UcoIHVGn3rdLWvRo7UJS9ewTQq5UAU9ahCGzzbz9dqHSk7preO06cWG\nVsA9uCZ55UfkHqE8ucEqADPx6erduV5VPie4aakwbFUlYklwllvyc3s3NQJkorAn\nZpkI6vXBvCD3adF4JdiULUh9agRKIVfV/zDOcBdPv5bvhAr8EPmk2fU53al1ULkz\n9SMHVVl/97OJ8seMHbYbmPbsQLzChhtgFFqnhoBbPYgh1z5XSiCgxCzVUUWjub7S\nTAKxDbxOCfEn3n6h/ITdRU+LCFoc0zZi2k9dOqtXtZWQpO2RyL04pxPcS3QgMXqN\nKPtC6sY57ii6m118vBuaY9W0u+YADVJCfxSiCaQRHgVBhSV3hZUXlcMn1iGBrq/S\nXgFC4jpm+cZi7UsExMLwDUjmqlMGFUAD1IPoXymWrgZeBeeMrJ3BRpifNKYxS9Ps\no5q1Tuyslwot4XBPr/YRCcw+rEYosSUaRahYZav02FPWVuVZw1rdeKwjBiUfBFw=\n=QSUX\n-----END PGP MESSAGE-----
 sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.10.2
--- a/docker/tools/hedgedoc/docker-compose.yml
+++ b/docker/tools/hedgedoc/docker-compose.yml
@@ -0,0 +1,55 @@
 services:
  hedgedoc-database:
    image: postgres:11.6-alpine
    env_file:
      - .env
    environment:
      - POSTGRES_DB=codimd
    volumes:
      - "database-data:/var/lib/postgresql/data"
    restart: always
  hedgedoc:
    image: quay.io/hedgedoc/hedgedoc:1.10.3
    networks:
      - default
      - proxy
    env_file:
      - .env
    environment:
      - CMD_USECDN=false
      - CMD_ALLOW_EMAIL_REGISTER=false
      - CMD_ALLOW_ANONYMOUS=false
      - CMD_DOMAIN=md.vhaudiquet.fr
      - CMD_PROTOCOL_USESSL=true
    depends_on:
      - hedgedoc-database
    ports:
      - "3000"
    volumes:
      - upload-data:/home/hackmd/app/public/uploads
      - upload-data:/hedgedoc/public/uploads
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hedgedoc.rule=Host(`md.vhaudiquet.fr`)"
      - "traefik.http.routers.hedgedoc.entrypoints=http"
 volumes:
  database-data:
      driver: local
      driver_opts:
        type: 'none'
        o: 'bind'
        device: '/app/codimd/db'
  upload-data:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '/app/codimd/uploads'
 networks:
  proxy:
    external: true
    name: proxy
--- a/docker/tools/notesnook/.env
+++ b/docker/tools/notesnook/.env
@@ -0,0 +1,20 @@
 INSTANCE_NAME=ENC[AES256_GCM,data:GLnSjEj0NhKzccTJpjIN7o48LiSiIIg=,iv:ku2w/xVEhyYVsf6KQFypFK4y6154nLvgEt2XaqRcOOI=,tag:rzjxIxjyMNNfurUuD1zpMg==,type:str]
 NOTESNOOK_API_SECRET=ENC[AES256_GCM,data:97xTiLFM9pL/bUM3,iv:gSlpqmsZyIzf7jpugc0ueGVmwCrauIuo+64gmlwzZaY=,tag:zVECG8LUGTVQJfH1tsXYTA==,type:str]
 DISABLE_SIGNUPS=ENC[AES256_GCM,data:An/cGA==,iv:jQhnSXSxDaTZ847tDZ7nUeqhgNpdYu3I7Q2oqqjkO3U=,tag:l7cu2AUgUlqrckNgCIg9ng==,type:str]
 SMTP_USERNAME=ENC[AES256_GCM,data:cke9ITC/naUhfoOr19FakMOmgkk=,iv:lgJOnpPwfYyPdEPn/8zhgPM++sKQHjM2lwnqj3/349k=,tag:TfWixgwuhvdvAfYkPT+anA==,type:str]
 SMTP_PASSWORD=ENC[AES256_GCM,data:otmIJtB9wYOu5weVLgw=,iv:Cz8IgIjtQJtePNOYrIE8UE4Ey0kmLFIgql5M6co/D84=,tag:aDMvWzACfrOsqBqUQ+D2zA==,type:str]
 SMTP_HOST=ENC[AES256_GCM,data:LYUUxNHABmeHbv7tFbOeZn4n,iv:PBPZhQNseoG0CXUZ3d3ECG04aWpw/QA2wA5sToMJ7EQ=,tag:m9VlE3eWnOtmyzTV0eBgOg==,type:str]
 SMTP_PORT=ENC[AES256_GCM,data:qqQK,iv:99/i7zKxt6KAVCeIB/7TMvz2CqomwQZNIY+TeJqcgAY=,tag:/g9Kt49YkawKc8d0UBHPcA==,type:str]
 NOTESNOOK_APP_PUBLIC_URL=ENC[AES256_GCM,data:KWK12glgITh0h8at2RuUzsrfY1DzusIDSg==,iv:Z/H3NbIWjz6T1/7sC2SuBYvMJn7ltQEHwBT5e2RGm3o=,tag:2t60j9gPPOY7bqM2QqsLNw==,type:str]
 AUTH_SERVER_PUBLIC_URL=ENC[AES256_GCM,data:+bLyA0ucfycLLc4iGkWb9WisMr5wskAZK07QVCcM5oj2eTMmxfQ2Mw==,iv:Bp4JoLgxgRJMG98/QWRBTQnIpihgHp1+izCgOr1UoNI=,tag:uSPnZPEWU5QC0CTLeRCldw==,type:str]
 NOTESNOOK_APP_PUBLIC_URL=ENC[AES256_GCM,data:u/8oFwLF1ZtuiIvM/bOM0XH3ibQYvyVPIA==,iv:p/ECEwrchuqaU2MRCUZdGJGTRE/mTkglPIX+nMZQ4J4=,tag:5cBC8D+MIya1vQa3kSXHtg==,type:str]
 MONOGRAPH_PUBLIC_URL=ENC[AES256_GCM,data:uoiC69IAyraujhwVdpVQQEGM0b78tJh6VG2bLRtqoAUTBGp6bUGkABE=,iv:5UpUJKBjHaUzRFyUySI6Wyjich6E5JNmQqIVjsxOhkE=,tag:UP9NQzlX8CaB5oACMTqqtg==,type:str]
 ATTACHMENTS_SERVER_PUBLIC_URL=ENC[AES256_GCM,data:i0nNFgcLVgJI2fU72x7z0JciE3Rld10GhOdEo3p5YlGvcA==,iv:JpXfO+VfruKjbP3pkMUYQMlX4xsfts6PQ0brUK3abzQ=,tag:Jd/laba8yfEbswP3bN/UJg==,type:str]
 NOTESNOOK_CORS_ORIGINS=ENC[AES256_GCM,data:XF+aOoB9JjV1CaI0tdERfOO/TQNvaIVfZGEaRPgpzaWNjKNAaTDVN6ZffgVI+RD3pY5R03c2GBpWYYu7zwxyF7XF6fSmazGfI6bhKuk8+A==,iv:mR5v1V2npqwx7KMzps7RFy3u//SllTTxLWabG+b17ms=,tag:1myD72i/0zX79/TVOTWfGw==,type:str]
 sops_lastmodified=2025-09-16T19:22:01Z
 sops_mac=ENC[AES256_GCM,data:Nl320cxMzRHaZ0H0tfUaHb4jtZb8AadWOIEVJCFcmDA7YRofKnRkmt3xFc3cNKJj3FoDri6AflCFTSvG7FaY66FYjaQBUjz5566YHw/tng1ctHgxGjW4tyDS8NRFPEyugFm7d6QPiLAIeKSbJEGKbCfDVdQm57gptxpA2XNWc+Q=,iv:LuehCTAxGPCfnw6zg9BpqfzuJObKU6gB7MSNr51eNZI=,tag:hU0Nm1OD4V4w9nvTpQXtSA==,type:str]
 sops_pgp__list_0__map_created_at=2025-09-16T19:22:00Z
 sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//dbVRD62HBACKEDwmCYgfYyKQk9RGgxBhBodXGmyFP31k\nqDms2E8+9V3QHr13mw840XcTpE8g9XL0IqQYHU3+wrNafo/hDgGPrfpw+7AtVhtk\nBv5VCeULBxkPJjWEv9Tv/T/ZDP5qKAsllaqvdw0ZliuBug6viXdq1U3GOTsIprZf\nh5TyW7Y1I3zQ4w/CmzRJVJUF1Vp6eBRFzuKndGIrjOAQrlqwhd1SyCUxrJ6LW6N6\nEmpuoOvhFvGnbRnhfNwRzDU6m6yLG8VjJeKWOHxLmeQe3DcxY+/Q4tFbWtRGtrWJ\nqoqxDw5CuqdnvlDlf3TE2REbFIoZphJNibtsMVMGNZyDY93NUmfMRCg9WGmHym2o\na76jZfQhb5voRMVsdKSqdb+jNd5WfSl5u+30JWw7m5BfvXCWpL5hECFP9qn/piDl\n2bVQVRQ10VZJp6D3S8y5zHiEuCHbYtZtUZXektKjWCJBQVYTh0c+cME6Pm6oDp8E\nQIflT+QwVtrXPCulwFbl/IMMtR+/BXFFMzmyxHc7JQfItavcEu2xWYYqV8jrymqJ\nntAYlTdop9kSdn7PxGba9YxcWvcAMSox9aMeol4IJ+IAfJXCV+MCTajrmFQeyRDb\nI2draPx8VjSC5Mf0FeXDQmnRwmkcdBdZiwuHvte2xBQyIeQi2whdq/zNvOk5RFrS\nXgErWrMWM0lAZPVk/gnDCcUhdojMTn+Pz1uwLGS201D94fADXN0nhSXstqlDO5tN\naM/XJItjToWRrRc12JYXFemNIbCTvbP6kfBvt8z4pFc9OtnvNWxbSvL7mOvWUiw=\n=2MC3\n-----END PGP MESSAGE-----
 sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.10.2
--- a/docker/tools/notesnook/docker-compose.yml
+++ b/docker/tools/notesnook/docker-compose.yml
@@ -0,0 +1,283 @@
 x-server-discovery: &server-discovery
  NOTESNOOK_SERVER_PORT: 5264
  NOTESNOOK_SERVER_HOST: notesnook-server
  IDENTITY_SERVER_PORT: 8264
  IDENTITY_SERVER_HOST: identity-server
  SSE_SERVER_PORT: 7264
  SSE_SERVER_HOST: sse-server
  SELF_HOSTED: 1
  IDENTITY_SERVER_URL: ${AUTH_SERVER_PUBLIC_URL}
  NOTESNOOK_APP_HOST: ${NOTESNOOK_APP_PUBLIC_URL}
 x-env-files: &env-files
  - .env
 services:
  validate:
    image: vandot/alpine-bash
    entrypoint: /bin/bash
    env_file: *env-files
    command:
      - -c
      - |
        # List of required environment variables
        required_vars=(
          "INSTANCE_NAME"
          "NOTESNOOK_API_SECRET"
          "DISABLE_SIGNUPS"
          "SMTP_USERNAME"
          "SMTP_PASSWORD"
          "SMTP_HOST"
          "SMTP_PORT"
          "AUTH_SERVER_PUBLIC_URL"
          "NOTESNOOK_APP_PUBLIC_URL"
          "MONOGRAPH_PUBLIC_URL"
          "ATTACHMENTS_SERVER_PUBLIC_URL"
        )
        # Check each required environment variable
        for var in "$${required_vars[@]}"; do
          if [ -z "$${!var}" ]; then
            echo "Error: Required environment variable $$var is not set."
            exit 1
          fi
        done
        echo "All required environment variables are set."
    # Ensure the validate service runs first
    restart: "no"
  notesnook-db:
    image: mongo:8.0.10
    hostname: notesnookdb
    volumes:
      - dbdata:/data/db
      - dbdata:/data/configdb
    networks:
      - notesnook
    command: --replSet rs0 --bind_ip_all
    depends_on:
      validate:
        condition: service_completed_successfully
    healthcheck:
      test: echo 'db.runCommand("ping").ok' | mongosh mongodb://localhost:27017 --quiet
      interval: 40s
      timeout: 30s
      retries: 3
      start_period: 60s
  # the notesnook sync server requires transactions which only work
  # with a MongoDB replica set.
  # This job just runs `rs.initiate()` on our mongodb instance
  # upgrading it to a replica set. This is only required once but we running
  # it multiple times is no issue.
  initiate-rs0:
    image: mongo:8.0.10
    networks:
      - notesnook
    depends_on:
      - notesnook-db
    entrypoint: /bin/sh
    command:
      - -c
      - |
        mongosh mongodb://notesnookdb:27017 <<EOF
          rs.initiate();
          rs.status();
        EOF
  notesnook-s3:
    image: minio/minio:RELEASE.2024-07-29T22-14-52Z
    # ports:
      # - 9000:9000
    networks:
      - notesnook
      - proxy
    volumes:
      - s3data:/data/s3
    environment:
      MINIO_BROWSER: "on"
    depends_on:
      validate:
        condition: service_completed_successfully
    env_file: *env-files
    command: server /data/s3 --console-address :9090
    healthcheck:
      test: timeout 5s bash -c ':> /dev/tcp/127.0.0.1/9000' || exit 1
      interval: 40s
      timeout: 30s
      retries: 3
      start_period: 60s
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.notesnook-s3.rule=Host(`notesnook.vhaudiquet.fr`) && PathPrefix(`/s3`)"
      - "traefik.http.routers.notesnook-s3.middlewares=notesnook-s3"
      - "traefik.http.middlewares.notesnook-s3.stripprefix.prefixes=/s3"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.notesnook-s3.entrypoints=http"
  # There's no way to specify a default bucket in Minio so we have to
  # set it up ourselves.
  setup-s3:
    image: minio/mc:RELEASE.2024-07-26T13-08-44Z
    depends_on:
      - notesnook-s3
    networks:
      - notesnook
    entrypoint: /bin/bash
    env_file: *env-files
    command:
      - -c
      - |
        until mc alias set minio http://notesnook-s3:9000 ${MINIO_ROOT_USER:-minioadmin} ${MINIO_ROOT_PASSWORD:-minioadmin}; do
          sleep 1;
        done;
        mc mb minio/attachments -p
  identity-server:
    image: streetwriters/identity:latest
    ports:
      - 8264
    networks:
      - notesnook
      - proxy
    env_file: *env-files
    depends_on:
      - notesnook-db
    healthcheck:
      test: wget --tries=1 -nv -q  http://localhost:8264/health -O- || exit 1
      interval: 40s
      timeout: 30s
      retries: 3
      start_period: 60s
    environment:
      <<: *server-discovery
      MONGODB_CONNECTION_STRING: mongodb://notesnookdb:27017/identity?replSet=rs0
      MONGODB_DATABASE_NAME: identity
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.identity-server.rule=Host(`notesnook.vhaudiquet.fr`) && PathPrefix(`/identity`)"
      - "traefik.http.routers.identity-server.middlewares=identity-server,notesnook-server-cors"
      - "traefik.http.middlewares.identity-server.stripprefix.prefixes=/identity"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.identity-server.entrypoints=http"
      - "traefik.http.services.identity-server.loadbalancer.server.port=8264"
  notesnook-server:
    image: streetwriters/notesnook-sync:latest
    ports:
      - 5264
    networks:
      - notesnook
      - proxy
    env_file: *env-files
    depends_on:
      - notesnook-s3
      - setup-s3
      - identity-server
    healthcheck:
      test: wget --tries=1 -nv -q  http://localhost:5264/health -O- || exit 1
      interval: 40s
      timeout: 30s
      retries: 3
      start_period: 60s
    environment:
      <<: *server-discovery
      MONGODB_CONNECTION_STRING: mongodb://notesnookdb:27017/?replSet=rs0
      MONGODB_DATABASE_NAME: notesnook
      S3_INTERNAL_SERVICE_URL: "http://notesnook-s3:9000"
      S3_INTERNAL_BUCKET_NAME: "attachments"
      S3_ACCESS_KEY_ID: "${MINIO_ROOT_USER:-minioadmin}"
      S3_ACCESS_KEY: "${MINIO_ROOT_PASSWORD:-minioadmin}"
      S3_SERVICE_URL: "${ATTACHMENTS_SERVER_PUBLIC_URL}"
      S3_REGION: "us-east-1"
      S3_BUCKET_NAME: "attachments"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.notesnook-server.rule=Host(`notesnook.vhaudiquet.fr`)"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.notesnook-server.entrypoints=http"
      - "traefik.http.routers.notesnook-server.middlewares=notesnook-server-cors"
      - "traefik.http.middlewares.notesnook-server-cors.headers.accesscontrolalloworiginlist=https://app.notesnook.com,http://localhost:3000,https://notesnook.vhaudiquet.fr"
      - "traefik.http.middlewares.notesnook-server-cors.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
      - "traefik.http.middlewares.notesnook-server-cors.headers.accesscontrolallowheaders=Authorization,*"
      - "traefik.http.middlewares.notesnook-server-cors.headers.accesscontrolallowcredentials=true"
  sse-server:
    image: streetwriters/sse:latest
    ports:
      - 7264
    env_file: *env-files
    depends_on:
      - identity-server
      - notesnook-server
    networks:
      - notesnook
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.sse-server.rule=Host(`notesnook.vhaudiquet.fr`) && PathPrefix(`/sse`)"
      - "traefik.http.routers.sse-server.middlewares=sse-server,notesnook-server-cors"
      - "traefik.http.middlewares.sse-server.stripprefix.prefixes=/sse"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.sse-server.entrypoints=http"
    healthcheck:
      test: wget --tries=1 -nv -q  http://localhost:7264/health -O- || exit 1
      interval: 40s
      timeout: 30s
      retries: 3
      start_period: 60s
    environment:
      <<: *server-discovery
  monograph-server:
    image: streetwriters/monograph:latest
    # ports:
      # - 6264:3000
    env_file: *env-files
    depends_on:
      - notesnook-server
    networks:
      - notesnook
      - proxy
    healthcheck:
      test: wget --tries=1 -nv -q  http://localhost:3000/api/health -O- || exit 1
      interval: 40s
      timeout: 30s
      retries: 3
      start_period: 60s
    environment:
      <<: *server-discovery
      API_HOST: http://notesnook-server:5264
      PUBLIC_URL: ${MONOGRAPH_PUBLIC_URL}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.monograph-server.rule=Host(`notesnook.vhaudiquet.fr`) && PathPrefix(`/monograph`)"
      - "traefik.http.routers.monograph-server.middlewares=monograph-server,notesnook-server-cors"
      - "traefik.http.middlewares.monograph-server.stripprefix.prefixes=/monograph"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.monograph-server.entrypoints=http"
      - "traefik.http.services.monograph-server.loadbalancer.server.port=3000"
  autoheal:
    image: willfarrell/autoheal:latest
    tty: true
    restart: always
    environment:
      - AUTOHEAL_INTERVAL=60
      - AUTOHEAL_START_PERIOD=300
      - AUTOHEAL_DEFAULT_STOP_TIMEOUT=10
    depends_on:
      validate:
        condition: service_completed_successfully
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
 networks:
  notesnook:
  proxy:
    name: proxy
    external: true
 volumes:
  dbdata:
  s3data:
--- a/docker/tools/obsidian-livesync/.env
+++ b/docker/tools/obsidian-livesync/.env
@@ -1,9 +0,0 @@
 COUCHDB_USER=ENC[AES256_GCM,data:wMQJhlZFW30=,iv:OG3S+hZppJdP/PjDINGEEQZD8Qf4520mfzsyw+/QAx4=,tag:i1og4xc0N4Hf4UE0GKPtbg==,type:str]
 COUCHDB_PASSWORD=ENC[AES256_GCM,data:eud7WTnlZEzzBGciiwM=,iv:g8RCLIcO1ZxUn/SROHV/stl+whdzICMSX0jVLKXbTns=,tag:6gReHLd+97dqUoAlYL780Q==,type:str]
 sops_lastmodified=2025-11-21T23:00:14Z
 sops_mac=ENC[AES256_GCM,data:O+jtG9ojK8Md6NSaqfyykVdVG84Kafz3zoKb5hbj2alzvJgaLuzVu3ihM75ZU3/meu/nPl9wCc+J4RKepE7VTp5Il3HK09MVHYRHQKVlbyiZ5cTbU74JJuSL3PF1GiU7p/U5Ht9+Z9c8sDrqSN2IPSIfDr8zCdTwKZF71nYOqew=,iv:n33XCpiwVOGnrJyH3Q967u5uMknRfAwx9esJuOLl+9g=,tag:aKMwsOKXPRUaa+9/ZmnpfQ==,type:str]
 sops_pgp__list_0__map_created_at=2025-11-21T23:00:14Z
 sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ/+Mt0/uXHnndDK7FLEM8rhWmX0NpJWtgBY3BBXMX7I2Ilg\n6hNZJxISOqcoJCPqb8gZ9pUulcGC5F8owoo/wUILyI/mK3kAzGCP+lfp6Dk03k+P\nwB6BcQTC8NJsApoygdm50h/jtnlK2KUCICFKXUxf527KLWdo8g0wnMIOBe8mBvVC\n8bI/1BOcJZeB4IhmFVrgED+Ct1dTTiuyLscJirCqHD0VTD4eavd6DVpN89m/mtY/\nhTRVT3omuV8JITLeWPdVVWyQznrq3/x8OGAs8L2c24gad5AsTLCr2WS20CvXP1uL\nUoLH9EH0IDvo36DbiMO+p3LdyEvlRe1PW+0dvOpO64CLNoH4szYDJ/dG+UUa3xWo\nRpOIT1F0puXRz3UHZv/IkAFah4Zzi8TxdZDD7Riz5pzMWqzWwdQHQUS1ZWibm1ve\nfC7strrMNybh+QUfMTXhTaW4OoRkY+rGo3d2x3eUjZpaqlKOBWaScZ0c1I7DY/CP\no4QoCoga1RNePXp/WWvWAbQf0w+hAxrsb6U3/ECKtcd4gYGE3shvH0MS6T4oAaIx\nB9ldqRbKIcEUYU7MWq3Wqt8c1k/MtJZh1q3YuZwy8C3U8cHiS5iqDWzAnjIkUwbC\nJpYVaIOvI0qOjE7v6Fc06ZnTBoh/DoTX4XfdIY39GMo3ZageBV0r7Fi0HUzbFxvS\nXAHnsiZZXFB/TJAVEZKDO0Yic3DhlYLL/glOJF0kNgUOoYGvTFaSuNhwhv4tqOrw\nSv7FLH+79LSrM/bPug3Zq9Ec7p/TSnsJ4amu6p7VSmSHRBGV0uZDxt5wkYnG\n=yY4C\n-----END PGP MESSAGE-----
 sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.10.2
--- a/docker/tools/obsidian-livesync/docker-compose.yml
+++ b/docker/tools/obsidian-livesync/docker-compose.yml
@@ -1,44 +0,0 @@
 services:
  couchdb:
    image: couchdb:3.5.1
    container_name: couchdb
    env_file: .env
    volumes:
      - couchdb-data:/opt/couchdb/data
      - couchdb-etc:/opt/couchdb/etc/local.d
    networks:
      - default
      - proxy
    ports:
      - 5984
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.couchdb.rule=Host(`obsidian-livesync.lan`)"
      - "traefik.http.services.couchdb.loadbalancer.server.port=5984"
      - "traefik.http.routers.obsidian-livesync.middlewares=obsidiancors"
      - "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowmethods=GET,PUT,POST,HEAD,DELETE"
      - "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowheaders=accept,authorization,content-type,origin,referer"
      - "traefik.http.middlewares.obsidiancors.headers.accesscontrolalloworiginlist=app://obsidian.md,capacitor://localhost,http://localhost"
      - "traefik.http.middlewares.obsidiancors.headers.accesscontrolmaxage=3600"
      - "traefik.http.middlewares.obsidiancors.headers.addvaryheader=true"
      - "traefik.http.middlewares.obsidiancors.headers.accessControlAllowCredentials=true"
    restart: unless-stopped
 networks:
  proxy:
    external: true
    name: proxy
 volumes:
  couchdb-data:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '/app/obsidian-livesync/data'
  couchdb-etc:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '/app/obsidian-livesync/etc'
--- a/infra/r740/docker/main.tf
+++ b/infra/r740/docker/main.tf
@@ -1,49 +0,0 @@
 terraform {
  required_providers {
    docker = {
      source  = "kreuzwerker/docker"
      version = "3.6.2"
    }
  }
 }
 # Docker configuration
 provider "docker" {
  host = "ssh://root@${var.docker_host}"
 }
 resource "docker_image" "swarm-cd" {
  name = "swarm-cd:latest"
  # For now, custom-built image based on custom development branch
  # Once this reaches upstream, back to upstream tag, like:
  # ghcr.io/m-adawi/swarm-cd:1.9.0
 }
 resource "docker_container" "swarm-cd" {
  name  = "swarm-cd"
  image = docker_image.swarm-cd.image_id
  volumes {
      host_path = "/var/run/docker.sock"
      container_path = "/var/run/docker.sock"
      read_only = true
  }
  volumes {
    host_path = "/root/homeprod/.swarmcd/repos.yaml"
    container_path = "/app/repos.yaml"
    read_only = true
  }
  volumes {
    host_path = "/root/homeprod/.swarmcd/stacks.yaml"
    container_path = "/app/stacks.yaml"
    read_only = true
  }
  volumes {
    host_path = "/app/swarm-cd/data"
    container_path = "/data"
  }
  env = [
    "SOPS_GPG_PRIVATE_KEY=${var.sops_private_key}"
  ]
  depends_on = [ docker_image.swarm-cd ]
 }
--- a/infra/r740/docker/variables.tf
+++ b/infra/r740/docker/variables.tf
@@ -1,8 +0,0 @@
 variable "sops_private_key" {
  description = "Private SOPS GPG key for SwarmCD to decrypt secrets"
  type = string
 }
 variable "docker_host" {
  description = "Docker machine hostname"
  type = string
 }
--- a/infra/r740/kube/main.tf
+++ b/infra/r740/kube/main.tf
@@ -1,311 +0,0 @@
 terraform {
  required_providers {
    talos = {
      source  = "siderolabs/talos"
      version = "0.9.0"
    }
    kubernetes = {
      source = "hashicorp/kubernetes"
      version = "2.36.0"
    }
    helm = {
      source = "hashicorp/helm"
      version = "2.17.0"
    }
  }
 }
 # Talos configuration
 provider "talos" {}
 # Kubernetes configuration
 provider "kubernetes" {
  config_path = "${path.module}/kubeconfig"
 }
 # Helm configuration
 provider "helm" {
  kubernetes {
    config_path = "${path.module}/kubeconfig"
  }
 }
 resource "talos_machine_secrets" "kube" {}
 data "talos_machine_configuration" "kube" {
  cluster_name = "kube-${var.physical_hostname}"
  machine_type = "controlplane"
  cluster_endpoint = "https://${var.kube_host}:6443"
  machine_secrets = talos_machine_secrets.kube.machine_secrets
  config_patches = [
    yamlencode({
      machine = {
        install = {
          image = "factory.talos.dev/installer/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515:v1.11.5"
        }
        network = {
          nameservers = [
            "10.1.2.3"
          ]
        }
        certSANs = [
          "${var.kube_host}", "${var.kube_hostname}"
        ]
      }
      cluster = {
        clusterName = "kube-${var.physical_hostname}"
        allowSchedulingOnControlPlanes = true
        apiServer = {
          certSANs = [
            "${var.kube_host}", "${var.kube_hostname}"
          ]
        }
        network = {
          dnsDomain = "cluster.local"
          cni = {
            name: "none"
          }
        }
        proxy = {
          disabled = true
        }
      }
    })
  ]
 }
 data "talos_client_configuration" "kube" {
  cluster_name = "kube-${var.physical_hostname}"
  client_configuration = talos_machine_secrets.kube.client_configuration
  nodes = ["${var.kube_host}"]
 }
 resource "talos_machine_configuration_apply" "kube" {
  client_configuration = talos_machine_secrets.kube.client_configuration
  machine_configuration_input = data.talos_machine_configuration.kube.machine_configuration
  node = var.kube_host
  depends_on = [ talos_machine_secrets.kube ]
 }
 resource "talos_machine_bootstrap" "kube" {
  node = var.kube_host
  client_configuration = talos_machine_secrets.kube.client_configuration
  depends_on = [ talos_machine_configuration_apply.kube, talos_machine_secrets.kube ]
 }
 resource "talos_cluster_kubeconfig" "kube" {
  node = var.kube_host
  depends_on = [ talos_machine_bootstrap.kube ]
  client_configuration = talos_machine_secrets.kube.client_configuration
 }
 output "kubeconfig" {
  sensitive = true
  value = talos_cluster_kubeconfig.kube.kubeconfig_raw
 }
 resource "local_file" "kubeconfig" {
    content     = "${talos_cluster_kubeconfig.kube.kubeconfig_raw}"
    filename = "${path.module}/kubeconfig"
    depends_on = [ talos_cluster_kubeconfig.kube ]
 }
 data "talos_client_configuration" "talosconfig" {
  cluster_name = "kube-${var.physical_hostname}"
  client_configuration = talos_machine_secrets.kube.client_configuration
  nodes = [var.kube_host]
 }
 resource "local_file" "talosconfig" {
    content     = "${data.talos_client_configuration.talosconfig.talos_config}"
    filename = "${path.module}/talosconfig"
    depends_on = [ data.talos_client_configuration.talosconfig ]
 }
 # TODO : Wait for talos_cluster_kubeconfig...
 resource "helm_release" "cilium" {
  name = "cilium"
  namespace = "kube-system"
  repository = "https://helm.cilium.io/"
  chart = "cilium"
  wait = false
  depends_on = [ local_file.kubeconfig, talos_cluster_kubeconfig.kube ]
  set {
    name = "ipam.mode"
    value = "kubernetes"
  }
  set {
    name = "kubeProxyReplacement"
    value = true
  }
  set {
    name = "securityContext.capabilities.ciliumAgent"
    value = "{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}"
  }
  set {
    name = "securityContext.capabilities.cleanCiliumState"
    value = "{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}"
  }
  set {
    name = "cgroup.autoMount.enabled"
    value = false
  }
  set {
    name = "cgroup.hostRoot"
    value = "/sys/fs/cgroup"
  }
  set {
    name = "k8sServiceHost"
    value = "localhost"
  }
  set {
    name = "k8sServicePort"
    value = 7445
  }
  set {
    name = "etcd.clusterDomain"
    value = "cluster.local"
  }
  set {
    name = "hubble.relay.enabled"
    value = true
  }
  # Enable hubble ui
  set {
    name = "hubble.ui.enabled"
    value = true
  }
  # Gateway API support
  set {
    name = "gatewayAPI.enabled"
    value = true
  }
  set {
    name = "gatewayAPI.enableAlpn"
    value = true
  }
  set {
    name = "gatewayAPI.enableAppProtocol"
    value = true
  }
  # Gateway API trusted hops : for reverse proxy
  set {
    name = "gatewayAPI.xffNumTrustedHops"
    value = 1
  }
  # Single-node cluster, so 1 operator only
  set {
    name = "operator.replicas"
    value = 1
  }
  # L2 announcements
  set {
    name = "l2announcements.enabled"
    value = true
  }
  set {
    name = "externalIPs.enabled"
    value = true
  }
  # Disable ingress controller (traefik will be used for now)
  set {
    name = "ingressController.enabled"
    value = false
  }
  set {
    name = "ingressController.loadbalancerMode"
    value = "shared"
  }
  # Ingress controller for external : behind reverse proxy, trust 1 hop
  set {
    name = "envoy.xffNumTrustedHopsL7PolicyIngress"
    value = 1
  }
  # Set cilium as default ingress controller
  set {
    name = "ingressController.default"
    value = true
  }
  set {
    name = "ingressController.service.externalTrafficPolicy"
    value = "Local"
  }
 }
 resource "kubernetes_namespace" "flux-system" {
  metadata {
    name = "flux-system"
  }
  lifecycle {
    ignore_changes = [ metadata[0].annotations, metadata[0].labels ]
  }
  depends_on = [ talos_cluster_kubeconfig.kube, local_file.kubeconfig, helm_release.cilium ]
 }
 resource "kubernetes_secret" "flux-sops" {
  metadata {
    name = "flux-sops"
    namespace = "flux-system"
  }
  type = "generic"
  data = {
    "sops.asc"=var.sops_private_key
  }
  depends_on = [ kubernetes_namespace.flux-system ]
 }
 resource "helm_release" "flux-operator" {
  name = "flux-operator"
  namespace = "flux-system"
  repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
  chart = "flux-operator"
  wait = true
  depends_on = [ kubernetes_secret.flux-sops ]
 }
 resource "helm_release" "flux-instance" {
  name = "flux"
  namespace = "flux-system"
  repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
  chart = "flux-instance"
  values = [
    file("values/components.yaml")
  ]
  set {
    name = "instance.distribution.version"
    value = "2.x"
  }
  set {
    name = "instance.distribution.registry"
    value = "ghcr.io/fluxcd"
  }
  set {
    name = "instance.sync.name"
    value = "homeprod"
  }
  set {
    name = "instance.sync.kind"
    value = "GitRepository"
  }
  set {
    name = "instance.sync.url"
    value = "https://github.com/vhaudiquet/homeprod"
  }
  set {
    name = "instance.sync.path"
    value = "kubernetes/"
  }
  set {
    name = "instance.sync.ref"
    value = "refs/heads/main"
  }
  depends_on = [ helm_release.flux-operator ]
 }
--- a/infra/r740/kube/variables.tf
+++ b/infra/r740/kube/variables.tf
@@ -1,16 +0,0 @@
 variable "sops_private_key" {
  description = "Private SOPS GPG key for flux/kubernetes to decrypt secrets"
  type = string
 }
 variable "kube_hostname" {
  description = "Kubernetes cluster hostname"
  type = string
 }
 variable "kube_host" {
  description = "Kubernetes cluster host"
  type = string
 }
 variable "physical_hostname" {
  description = "Host name of the physical host for the kubernetes VM"
  type = string
 }
--- a/infra/r740/proxmox/ai.tf
+++ b/infra/r740/proxmox/ai.tf
@@ -1,137 +0,0 @@
 resource "proxmox_virtual_environment_download_file" "ubuntu-latest-cloudimg" {
  content_type = "iso"
  datastore_id = "local"
  file_name = "noble-server-cloudimg-amd64.img"
  node_name = var.proxmox_node_name
  url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img"
 }
 resource "proxmox_virtual_environment_file" "ai-cloud-config" {
  content_type = "snippets"
  datastore_id = "local"
  node_name    = var.proxmox_node_name
  source_raw {
    data = <<-EOF
    #cloud-config
    package_update: true
    packages:
      - git
      - ca-certificates
      - wget
      - curl
      - gnupg2
      - qemu-guest-agent
    runcmd:
      - systemctl enable --now qemu-guest-agent
      - install -m 0755 -d /etc/apt/keyrings
      - curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
      - chmod a+r /etc/apt/keyrings/docker.asc
      - echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
      - apt-get update
      - apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
      - apt install ubuntu-drivers-common
      - ubuntu-drivers install --gpgpu
      - curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg
      - curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | tee /etc/apt/sources.list.d/nvidia-container-toolkit.list
      - apt-get update
      - export NVIDIA_CONTAINER_TOOLKIT_VERSION=1.17.8-1
      - apt-get install -y nvidia-container-toolkit=$NVIDIA_CONTAINER_TOOLKIT_VERSION nvidia-container-toolkit-base=$NVIDIA_CONTAINER_TOOLKIT_VERSION libnvidia-container-tools=$NVIDIA_CONTAINER_TOOLKIT_VERSION libnvidia-container1=$NVIDIA_CONTAINER_TOOLKIT_VERSION
      - nvidia-ctk runtime configure --runtime=docker
      - systemctl restart docker
    EOF
    file_name = "ai-cloud-config.yaml"
  }
 }
 resource "proxmox_virtual_environment_vm" "ai" {
  name = "ai-${var.proxmox_node_name}"
  node_name = var.proxmox_node_name
  on_boot = true
  agent {
    enabled = true
  }
  tags = ["ubuntu", "ubuntu-latest", "docker", "terraform", "gpu", "ai"]
  cpu {
    type = "host"
    cores = 20
    sockets = 1
    flags = []
  }
  memory {
    dedicated = 64536
    floating = 16192
  }
  network_device {
    bridge = "vmbr0"
    model = "virtio"
    # mac_address = "BC:24:11:E2:F5:5B"
    vlan_id = 2
  }
  lifecycle {
    ignore_changes = [
      network_interface_names,
      mac_addresses,
      ipv4_addresses,
      ipv6_addresses,
      id,
      disk,
      initialization,
      vga,
      hostpci
    ]
  }
  boot_order = ["scsi0"]
  scsi_hardware = "virtio-scsi-single"
  vga {
    type = "serial0"
  }
  disk {
    interface = "scsi0"
    iothread = true
    datastore_id = "local-lvm"
    size = 330
    discard = "ignore"
    file_id = proxmox_virtual_environment_download_file.ubuntu-latest-cloudimg.id
  }
  vm_id = 101
  initialization {
    datastore_id = "local-lvm"
    interface = "ide2"
    ip_config {
      ipv4 {
        address = "dhcp"
      }
    }
    user_account {
      keys = [trimspace(var.ssh_public_key)]
      password = var.machine_root_password
      username = "root"
    }
    vendor_data_file_id = proxmox_virtual_environment_file.ai-cloud-config.id
  }
  operating_system {
    type = "l26"
  }
  tpm_state {
    version = "v2.0"
  }
  serial_device {}
 }
--- a/infra/r740/proxmox/build-latest.tf
+++ b/infra/r740/proxmox/build-latest.tf
@@ -1,133 +0,0 @@
 resource "proxmox_virtual_environment_download_file" "ubuntu-questing-cloudimg" {
  content_type = "iso"
  datastore_id = "local"
  file_name = "questing-server-cloudimg-amd64.img"
  node_name = var.proxmox_node_name
  url = "https://cloud-images.ubuntu.com/questing/current/questing-server-cloudimg-amd64.img"
 }
 resource "proxmox_virtual_environment_file" "build-latest-cloud-config" {
  content_type = "snippets"
  datastore_id = "local"
  node_name    = var.proxmox_node_name
  source_raw {
    data = <<-EOF
    #cloud-config
    package_update: true
    packages:
      - git
      - ca-certificates
      - wget
      - curl
      - gnupg2
      - qemu-guest-agent
      - build-essential
      - sbuild
      - mmdebstrap
      - qemu-user-binfmt
      - ubuntu-dev-tools
      - micro
    runcmd:
      - systemctl enable --now qemu-guest-agent
      - snap install lxd
      - lxd init --auto
      - snap install snapcraft --classic
      - usermod --add-subuids 100000-165535 --add-subgids 100000-165535 root
      - mkdir -p /root/.config/sbuild/
      - mkdir -p /root/.cache/sbuild/
      - echo -e "\$chroot_mode = 'unshare';\n\$unshare_mmdebstrap_keep_tarball = 1;\n1;\n" >/root/.config/sbuild/config.pl
    EOF
    file_name = "build-latest-cloud-config.yaml"
  }
 }
 resource "proxmox_virtual_environment_vm" "build-latest" {
  name = "bw-${var.proxmox_node_name}"
  node_name = var.proxmox_node_name
  on_boot = true
  agent {
    enabled = true
  }
  tags = ["ubuntu", "ubuntu-questing", "docker", "terraform", "build"]
  cpu {
    type = "host"
    cores = 20
    sockets = 1
    flags = []
  }
  memory {
    dedicated = 64536
    floating = 16192
  }
  network_device {
    bridge = "vmbr0"
    model = "virtio"
    vlan_id = 2
  }
  lifecycle {
    ignore_changes = [
      network_interface_names,
      mac_addresses,
      ipv4_addresses,
      ipv6_addresses,
      id,
      disk,
      initialization,
      vga
    ]
  }
  boot_order = ["scsi0"]
  scsi_hardware = "virtio-scsi-single"
  vga {
    type = "serial0"
  }
  disk {
    interface = "scsi0"
    iothread = true
    datastore_id = "local-lvm"
    size = 330
    discard = "ignore"
    file_id = proxmox_virtual_environment_download_file.ubuntu-questing-cloudimg.id
  }
  vm_id = 201
  initialization {
    datastore_id = "local-lvm"
    interface = "ide2"
    ip_config {
      ipv4 {
        address = "dhcp"
      }
    }
    user_account {
      keys = [trimspace(var.ssh_public_key), trimspace(var.ssh_secondary_key)]
      password = var.machine_root_password
      username = "root"
    }
    vendor_data_file_id = proxmox_virtual_environment_file.build-latest-cloud-config.id
  }
  operating_system {
    type = "l26"
  }
  tpm_state {
    version = "v2.0"
  }
  serial_device {}
 }
--- a/infra/r740/proxmox/docker.tf
+++ b/infra/r740/proxmox/docker.tf
@@ -1,134 +0,0 @@
 resource "proxmox_virtual_environment_download_file" "debian-latest-cloudimg" {
  content_type = "iso"
  datastore_id = "local"
  file_name = "debian-13-generic-amd64.qcow2.img"
  node_name = var.proxmox_node_name
  url = "https://cloud.debian.org/images/cloud/trixie/latest/debian-13-generic-amd64.qcow2"
 }
 resource "proxmox_virtual_environment_file" "docker-machine-cloud-config" {
  content_type = "snippets"
  datastore_id = "local"
  node_name    = var.proxmox_node_name
  source_raw {
    data = <<-EOF
    #cloud-config
    package_update: true
    packages:
      - git
      - ca-certificates
      - wget
      - curl
      - gnupg2
      - qemu-guest-agent
      - nfs-common
    runcmd:
      - systemctl mask tmp.mount
      - systemctl enable --now qemu-guest-agent
      - install -m 0755 -d /etc/apt/keyrings
      - curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
      - chmod a+r /etc/apt/keyrings/docker.asc
      - echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
      - apt-get update
      - apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
      - docker swarm init
      - git clone https://github.com/vhaudiquet/homeprod /root/homeprod
      - mkdir /app
      - echo "truenas.lan:/mnt/fast_app_data/docker-homeprod      /app     nfs     defaults,_netdev    0 0" >>/etc/fstab
      - mount -t nfs truenas.lan:/mnt/fast_app_data/docker-homeprod /app
    EOF
    file_name = "docker-machine-cloud-config.yaml"
  }
 }
 resource "proxmox_virtual_environment_vm" "docker-machine" {
  name = "docker-${var.proxmox_node_name}"
  node_name = var.proxmox_node_name
  on_boot = true
  agent {
    enabled = true
  }
  tags = ["debian", "debian-latest", "docker", "terraform"]
  cpu {
    type = "host"
    cores = 20
    sockets = 1
    flags = []
  }
  memory {
    floating = 16192
    dedicated = 38768
  }
  network_device {
    bridge = "vmbr0"
    model = "virtio"
    vlan_id = 2
  }
  lifecycle {
    ignore_changes = [
      network_interface_names,
      mac_addresses,
      ipv4_addresses,
      ipv6_addresses,
      id,
      disk,
      initialization,
      vga
    ]
  }
  boot_order = ["scsi0"]
  scsi_hardware = "virtio-scsi-single"
  vga {
    type = "serial0"
  }
  disk {
    interface = "scsi0"
    iothread = true
    datastore_id = "local-lvm"
    size = 128
    discard = "ignore"
    file_id = proxmox_virtual_environment_download_file.debian-latest-cloudimg.id
  }
  vm_id = 701
  initialization {
    datastore_id = "local-lvm"
    interface = "ide2"
    ip_config {
      ipv4 {
        address = "10.1.2.212/24"
        gateway = "10.1.2.1"
      }
    }
    user_account {
      keys = [trimspace(var.ssh_public_key)]
      password = var.machine_root_password
      username = "root"
    }
    vendor_data_file_id = proxmox_virtual_environment_file.docker-machine-cloud-config.id
  }
  operating_system {
    type = "l26"
  }
  tpm_state {
    version = "v2.0"
  }
  serial_device {}
 }
--- a/infra/r740/proxmox/kube.tf
+++ b/infra/r740/proxmox/kube.tf
@@ -1,95 +0,0 @@
 resource "proxmox_virtual_environment_download_file" "talos-cloudimg" {
  content_type = "iso"
  datastore_id = "local"
  file_name = "talos-v1.11.1-nocloud-amd64.iso"
  node_name = var.proxmox_node_name
  url = "https://factory.talos.dev/image/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515/v1.11.5/nocloud-amd64.iso"
 }
 resource "proxmox_virtual_environment_vm" "kube" {
  name = "kube-${var.proxmox_node_name}"
  description = "Kubernetes Talos Linux"
  tags = ["kubernetes", "talos", "terraform"]
  node_name = var.proxmox_node_name
  vm_id = 702
  machine = "q35"
  keyboard_layout = "fr"
  agent {
    enabled = true
  }
  stop_on_destroy = true
  cpu {
    cores = 20
    sockets = 1
    type = "host"
  }
  memory {
    dedicated = 32768
    floating = 16192
  }
  boot_order = ["scsi0", "ide0"]
  scsi_hardware = "virtio-scsi-single"
  cdrom {
    file_id = proxmox_virtual_environment_download_file.talos-cloudimg.id
    interface = "ide0"
  }
  disk {
    interface = "scsi0"
    iothread = true
    datastore_id = "local-lvm"
    size = 128
    discard = "ignore"
    file_format = "raw"
  }
  vga {
    type = "serial0"
  }
  initialization {
    datastore_id = "local-lvm"
    interface = "ide2"
    ip_config {
      ipv4 {
        address = "dhcp"
      }
    }
    user_account {
      keys = [trimspace(var.ssh_public_key)]
      password = var.machine_root_password
      username = "root"
    }
  }
  lifecycle {
    ignore_changes = [ 
      ipv4_addresses, ipv6_addresses, network_interface_names
     ]
  }
  network_device {
    bridge = "vmbr0"
    model = "virtio"
    # mac_address = "BC:24:11:F6:E1:C9"
    vlan_id = 2
  }
  operating_system {
    type = "l26"
  }
  tpm_state {
    version = "v2.0"
  }
  serial_device {}
 }
--- a/infra/r740/proxmox/main.tf
+++ b/infra/r740/proxmox/main.tf
@@ -1,18 +0,0 @@
 terraform {
  required_providers {
    proxmox = {
      source = "bpg/proxmox"
      version = "0.81.0"
    }
  }
 }
 provider "proxmox" {
  endpoint = "https://${var.proxmox_host}:8006/"
  api_token = var.proxmox_api_token
  insecure = true
  ssh {
    agent    = true
    username = "root"
  }
 }
--- a/infra/r740/proxmox/variables.tf
+++ b/infra/r740/proxmox/variables.tf
@@ -1,29 +0,0 @@
 variable "proxmox_host" {
  description = "Hostname of Proxmox server"
  type = string
 }
 variable "proxmox_node_name" {
  description = "Name of Proxmox node to use"
  type = string
 }
 variable "proxmox_api_token" {
  description = "Token to connect Proxmox API"
  type = string
 }
 variable "machine_root_password" {
  description = "Root password for VMs and containers"
  type = string
 }
 variable "ssh_public_key" {
  description = "Public SSH key authorized access for VMs and containers"
  type = string
 }
 variable "ssh_secondary_key" {
  description = "Secondary SSH key for authorized access to specific VMs and containers"
  type = string
 }
--- a/kubernetes/code/gitea/values.yaml
+++ b/kubernetes/code/gitea/values.yaml
@@ -1,5 +1,5 @@
 image:
-    tag: 1.25.3
+    tag: 1.24.3
 ingress:
    enabled: true
    hosts:
@@ -17,10 +17,10 @@ postgresql:
    global:
        postgresql:
            auth:
-                postgressPassword: ENC[AES256_GCM,data:wi0/uHE8IGcy+g==,iv:zSKYKgJ5SkGMJnJstUZIESpo03BhDOeG7ZKlZzaSsog=,tag:d5Vye+jdCrLXmv8tAqFSnw==,type:str]
+                postgressPassword: ENC[AES256_GCM,data:VUX2PSBXjfVXAQ==,iv:EokbkSVOl89e6mtIt2F2EnPTcdbSlxMccJ+AYkwz4CA=,tag:N0qeu/PKO5kdyiXIQufkMQ==,type:str]
-                password: ENC[AES256_GCM,data:w8x48V/wQlgRPQ==,iv:m1BvWULmBVriSygqIkhkB/91wsAP62HZySy4KgpLJLw=,tag:bw+f0orhIqtfzXozNHuyHQ==,type:str]
+                password: ENC[AES256_GCM,data:QU81CjR0T2EJuw==,iv:GV+2aLlO9q0f+6ydXgW8DEWjYs/MbYl3C/pslCHUfZM=,tag:IrC50vQyUc3KZhM6+A89wg==,type:str]
                database: gitea
-                username: ENC[AES256_GCM,data:ES78eak=,iv:9Pw1v/0CyZXoboevc99+jpAs+6INV+KM4HZt1XRFlVU=,tag:Q2n8Amg9tB3f09VwSVebtA==,type:str]
+                username: ENC[AES256_GCM,data:EhkRSB8=,iv:4bQZYn0WwOTfL0mA5hzENSzq49GBFMbYeYyx5ofcoVM=,tag:0pb3hrwfuWV8JSlM26tiSA==,type:str]
    volumePermissions:
        enabled: true
 postgresql-ha:
@@ -36,13 +36,13 @@ extraVolumes:
 extraContainerVolumeMounts:
    - name: git
      mountPath: /git
-clusterDomain: cluster.local
+clusterDomain: kube-talos.lan
 gitea:
    oauth:
        - name: Authentik
          provider: openidConnect
-          key: ENC[AES256_GCM,data:3e/XN6dAoE2J6ag5xkRP9LU2FT4rrsWB0DXv6ucksPW9Fkg6ZPwVLg==,iv:toID+fZWmMemwQt6DEZPk97xmdTbujVYUdNYesJykDM=,tag:2MTySscnX/PMruEbJhe4iA==,type:str]
+          key: ENC[AES256_GCM,data:izCBYkFigzgaZaERrTulvtxTRhGlvmglOOp6myaFg+4YKZIUls141Q==,iv:MOu0KNyCYqzwK4aghIJLfxpp6YNjhrfN/MTvlWj+dfQ=,tag:bLe9P1og6xuxLqA6d4fSfg==,type:str]
-          secret: ENC[AES256_GCM,data:8WBfYnDZsBnHm7FkS3cvgo7rIFwfnf9hw71oLdzTjhZkVVYA7nFk7FhhxFtA+WaFfZlhjemcYhhbHCw6zekwaKqNmczto8lbYgbhvDfx2oOUkVk33EbNb/3VTfZbIfsII0lBNanGBP/GsD+TPq535QPLnoTa70cgo5ihzYqJzQA=,iv:+GDXnjLrzKSwHNR3h/TXR1h3ZaVwAG9SdbDOS4CQikc=,tag:NAfSSp7reK5JpMgVLigExA==,type:str]
+          secret: ENC[AES256_GCM,data:DG6WH1asGPcK87IjyqoGau/JRL6A1Uu2Q+xq9XxMa0betH4yTiT68IW3f95TxPQo7NL9bEpiOKgX4qfHFu80+Qah65l5YC67OC+bnnUy4KVZ46drFWrDZMZbKPlDuSiZEav+ABszH9cc6HAoDg8LKmwtpM7TfWNbfpmYyv6iPCs=,iv:gPlM4Ol7KFVU1snuanuA7iib4AQH2+nKT2sX2h9JXlI=,tag:sddwFIZjVik+ojl2BI5o7g==,type:str]
          autoDiscoverUrl: https://authentik.vhaudiquet.fr/application/o/gitea/.well-known/openid-configuration
    config:
        APP_NAME: Gitea
@@ -69,27 +69,27 @@ gitea:
            ISSUE_INDEXER_TYPE: bleve
            REPO_INDEXER_ENABLED: true
 sops:
-    lastmodified: "2026-01-03T10:30:06Z"
+    lastmodified: "2025-09-15T21:48:05Z"
-    mac: ENC[AES256_GCM,data:cPqxcS0hMiof5YqTTcop9ofH77Teuf6pqp8zInQ9a9rqz7QxjOA88jLBOV/RitirwADebs0E3RnH8z6QdEv62xrOvbBO2BxLFOSnnWQtuAUXSuVxaDLiLiUQIzo53A8mB14jh9i6VfHzlScQg0u4gHzQkQy5ejato80uHqdlIxY=,iv:fKRjCeS8VRauzPCodW2aZhMQlyoqnzc9zsHPBgrOrg8=,tag:z3ZTTaKtU/SmH3skQ+Qsqg==,type:str]
+    mac: ENC[AES256_GCM,data:T5Ub0m8vGt+5AbJ8UiQlYLr7nLLodiPUlvdiCM9AD19YdKwiTiKmZVMTEW9rompVbPoHLArzb/reqmQ2D2D5CMNs8SgOfWiLD4/Y3qmnnxjwJi/0c6RNGmkTipYYwYu7gLVoL6GgQoNZmpr29MwNTEzCPN781XqMnxhxKtp18+A=,iv:6/t/i7a4Qr6/JDiNz9IPzaKSYZBWT8mxPB3Nnd/w9CI=,tag:l7NS89WXa8h33siY7UNTvw==,type:str]
    pgp:
-        - created_at: "2026-01-03T10:30:06Z"
+        - created_at: "2025-09-15T21:48:05Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA7uy4qQr71wiAQ//QE//P/iZi988famrsHGf8+LohKQM31uj8lr+tlwAp2UC
+            hQIMA7uy4qQr71wiAQ//ZYp2oZsd950lEsQEYF8twms5kD+IwszzVFi71sGrdvTB
-            yZGRcxwCskx4zO2xYgq695vz7ZU+xCgQdcBfZW5SHUEuw+6tL0hMShj6McHXeKdC
+            3Hi3bzDDc57PcP6lzxs0wA4LaIkAVkK290nYofhxNk6r4sbX7Imqni6ECYhw1Tik
-            5tA17ejv6tspMyBxs3jyMFp1YqzrIOBt/E9WMSBi66LVmynxfITT14CJUT8hJCzD
+            XkxfR8KIlZrVNNYRvFiwcYRfcqfoiwW5fNVfw09p1replIwyqcucg4c0MgGgxj2G
-            21/10AeCS9uVUwQLDwqSChtW5JVJ/lKkCfp75/tml53rlVAKJQWuJ2XUW2iIydcU
+            n8h95hiQPKr4Iq4qf7tsp+9EsYD3PBZAQWngbihlU67FwRinHUYn9sWO/o5qe1Rs
-            F/Y8yWGCeLiaXxX9as/h1CmUwdkjywHHIFK4YwqudzzQ+oB4z+C0PipJAUibqkpC
+            UVqdejDYssQjcebCu8pZvx0wSSBTZYov149fGpWCzrkHyNVkEUKaLbs8Js2AMN/1
-            V+jhIyCpjUDEjzqEOtZH3b9T8TNIpL56ecYOmjF7i+IIMFaBnPzQoIUwP8kGkv0p
+            TgIym0AQ+U/RN0vkBujghwtiC8H9VkaFQ6UE9eSfSqP+yUY9UtAvQhGuAv+2KYqN
-            1HQJaXPYWlchrG/DNwmtyP2wzIdT+N75Lbq/zu6YI7pXkByF2KpsxeMa0pWbnt5+
+            DTtL7+IeIg19V51PUTLvvPo6I+jhKtTQhnvdKzzktZ+h3ff1y9r4OF/f5mgWpxz8
-            neDrcyttXmd7VkJEWYa+74lPKoza+Q9zdrG0rzSVpB/oYXcJBtvtC3euoxQA8sSa
+            FF1aO+oxufAvP4HdOWAn9B7KAwOdd1vLuxUHhI/DQqxmSoeJ51F6K+JJl5GYFBuy
-            sEnbjnORh9QROwzJ+J+RaIF1JbMOnIqhyeAO6t1ANhJFh+Y+JtAr4am+kCfMdB9k
+            HlgToIbCMeoBj5Yt/1g49nGLfSwN84MG90NNob+wmCtbrX1hEHW0Gv4fz8gGo5fi
-            7q5bRUvBtBtwVbJAjW1LiixrmaqhTaKnUmqoMxjUWuqAdvdPOqFNzIYChBVD/avp
+            hkQtd0OfvsRZHZgrK+HXdQfAZ3v7F5onod28ZSaJHj8HsJ7d5Bl7UNG/NmZ/jqwq
-            aWs76Wjipm57GOVmL3qjkBufznyAMaf04BdW/lN+BtPr9dAMr7Cd6ttv+WvVUYvS
+            lEnA70BoD7wQLuEojP5TnF2lEdNAbRAounXPpT7JLdbFjdVfA47xchLD9aUY1dfS
-            XgEY4RkuRJqrnKpGlfOpng/O9f0MBRat1by8D9/9T858k34plMEts6G0tE0H8GQt
+            XgFwyvyBo0ocLKAHkCoBgfVdCjUnoCH5Bi0aONiEROumTTyv+NQBRoP2UiniQYPw
-            2LwVen6E/6yUCTjpxz+FW5+TMxtBLZppebyNQ5eDrF4a9ZnhtReExpm7gBs9waA=
+            ZL0OnDYOXviLwbsmMKB8J8KatKRuvOojT4kF+xGA2fUtsachPFYWPWvtRGNZ88Q=
-            =EW1c
+            =6Lnz
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
--- a/kubernetes/home/home-assisant/kustomization.yaml
+++ b/kubernetes/home/home-assisant/kustomization.yaml
@@ -1,13 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: home-assistant
 resources:
  - namespace.yaml
  - repository.yaml
  - release.yaml
 secretGenerator:
  - name: home-assistant-values
    files:
      - values.yaml=values.yaml
 configurations:
  - kustomizeconfig.yaml
--- a/kubernetes/home/home-assisant/kustomizeconfig.yaml
+++ b/kubernetes/home/home-assisant/kustomizeconfig.yaml
@@ -1,6 +0,0 @@
 nameReference:
 - kind: Secret
  version: v1
  fieldSpecs:
  - path: spec/valuesFrom/name
    kind: HelmRelease
--- a/kubernetes/home/home-assisant/namespace.yaml
+++ b/kubernetes/home/home-assisant/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: home-assistant
--- a/kubernetes/home/home-assisant/release.yaml
+++ b/kubernetes/home/home-assisant/release.yaml
@@ -1,18 +0,0 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: home-assistant
  namespace: home-assistant
 spec:
  interval: 1m
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: home-assistant
        namespace: home-assistant
      chart: home-assistant
      interval: 1m
  valuesFrom:
    - kind: Secret
      name: home-assistant-values
--- a/kubernetes/home/home-assisant/repository.yaml
+++ b/kubernetes/home/home-assisant/repository.yaml
@@ -1,8 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: home-assistant
  namespace: home-assistant
 spec:
  interval: 1m
  url: http://pajikos.github.io/home-assistant-helm-chart/
--- a/kubernetes/home/home-assisant/values.yaml
+++ b/kubernetes/home/home-assisant/values.yaml
@@ -1,42 +0,0 @@
 persistence:
    enabled: true
 ingress:
    enabled: true
    external: false
    hosts:
        - host: homeassistant.lan
          paths:
            - path: /
              pathType: Prefix
 configurations:
    trusted_proxies:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 127.0.0.0/8
 sops:
    lastmodified: "2025-12-04T18:23:43Z"
    mac: ENC[AES256_GCM,data:JSaTCBXqpiP0R3rIEa/EZaDPbBInY2a6UMhFD9Gcw/mJVq/wF72KsFRfJl2hZ3d1FtsQ6Z0l3GrbiV41348jxzWM4XnE0e0hywdc2Ryqw0B3GS0EoNk1IoPR8ieZtxWNtFvglR2gVWWUnN7caYf/acE04NnzIDxl0tPEFckS+Nc=,iv:C784uqYb7KGhn2wGWZnCA7rhGocJWP6mfBhjNLWbimE=,tag:A7JLOmSVJ+ZrNA36DJfRCw==,type:str]
    pgp:
        - created_at: "2025-12-04T18:23:43Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA7uy4qQr71wiAQ/+J1e3KfHaAkFS+lYz9jKzPAffkiDVCeecEf31Lk9DJxFd
            7agtTWvcXtIsiJwF4sv4NzxY3pQrNRKwiq8pd3iXWHSqflIaQ2M9+dUGHykkjA5W
            R+y/wgM+K0MBaFMxQU/xC0lM7YFwypV1JBp4jmpNn3McGba2yZAoKo1uAQ9LMP4L
            Fd5wqNUrLNfwbh5Ts1rBVAGwStVlkRUvdUVCXjngdWVmE5xB3IBypdrFX2oclkl8
            0zSNJwknC4bi4FeKBxWC90HT0n8zSMybdZOltcl8J3YVCL6l0F9hw6Ub5j1ej7qN
            Igyll2/T4FEOExdo9oRXbEjC6GSZZBD6NMlrgJqVVUWoqDm4WQlKc7JRYAjtRgbS
            Us8qCD8CMb57E6AZHD+GRZDK48OeevM21YxRvpSQlQfyeGbMrxF05zzw5InHSMhw
            VslHQRmUMQqEzTsSeFbNxTeqy1YGGDYlnBpEjl8TPIZXE+mjwHm9QJbKwQFUK4Rh
            YuEZDlUONdaKQpNX9OS6kwiV493sSruC2yWNwYIlgERrkcjBggKYPiV7lDiFnl1W
            RVcsqOGnsrrwFHT7m6/MTIzH0k4fDt6Vv/FCToaoadvLPYNZb7xoKMahzT1z3SP9
            FMuGus2r8h6ShEZVyLAt6o+BuuYyzOrVo10k1yTKDqEDD662rbRvTrBZlOk1vUPS
            XgEtw6w6fFkESJKetHiN6TxG2+WyJw5PILm2sjak5AcR3qWiux/ENPb8kE0BIB0S
            1Z/YTHYNP2mtEegDsp1DoT9tOSTWfrllL+p3kccvizEB5hq9+oMEzPGBstjWRjg=
            =5PDx
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
    version: 3.10.2
--- a/kubernetes/infrastructure/authentik/values.yaml
+++ b/kubernetes/infrastructure/authentik/values.yaml
@@ -1,28 +1,22 @@
 authentik:
-    secret_key: ENC[AES256_GCM,data:nS0n+g3riD47shHDhs8JzfHT+a8oOKvFJDvO72mUU3bVslFYRBueJK+rWCGYjXwwyZzUjAcb638sqA66THxaxebPLtZ/UCmT79qzOw7Rf3A=,iv:o9WztN8vb8Pag8WMKIEWDMgFVWiTB3dIjCx7nU/0hrc=,tag:6tx684P4cJSZrrmut7KVcA==,type:str]
+    secret_key: ENC[AES256_GCM,data:o7yrtJ93jbwGEbF9noIn1kifWTRj9oTZ1W10vaXGkqn2a98SE5+1KHWATFNkLq68TPSyKlGDrvXKEXX7jdAPgDkDBFv9XXTfWAPX22Jymhk=,iv:iyCygmcW5jR4QfzUfOfX4uIERmef/rZ6/vddJ5SMu7Q=,tag:CV78h8WCvyZ4piMvOElm6g==,type:str]
    postgresql:
-        password: ENC[AES256_GCM,data:ES3BL3tEiv+NSg==,iv:oOKiH38wi5zqKkgvezIgj5Qg8+1bcFZXpoEewMucygM=,tag:YigQ3X8pRXVqhkoycGNjbA==,type:str]
+        password: ENC[AES256_GCM,data:BnUPCDLW/cA1hw==,iv:odEP+d3nx2Q0X9/MXimujGx7ZFnwhNCzTs1F+Vdhm48=,tag:Z2l7EhHM3qxAGY6Adue7FA==,type:str]
    email:
        from: webbot@vhaudiquet.fr
        host: mail.vhaudiquet.fr
        port: 587
-        username: ENC[AES256_GCM,data:EmE524Yp3Ihv+FnO3GfTilzLwGo=,iv:XzJW6v4owBETgLHfqvvELhkDLQJSH962eEByQF0zeSQ=,tag:rkvVWCX3JwNO+j9MIB/+LQ==,type:str]
+        username: ENC[AES256_GCM,data:aPUSXDiYvDF/E/Gd8yJdIuuoHsE=,iv:+K2CeYD8CFg9ncpPsyQQKf1YzCAc1qj2b3m7hbS7Q1I=,tag:4KLvqKvhe2bqi65h5zRslg==,type:str]
        use_tls: true
-        password: ENC[AES256_GCM,data:b6joibJRT46C+XeH2eI=,iv:Lo+28oE5mv3uxI8CUAQ1OgNhN+3iv1JfdxvkZWZC05c=,tag:VAIrnXSg9w82N00oT+d8JA==,type:str]
+        password: ENC[AES256_GCM,data:0RP14fdOUDlqPLam0jo=,iv:jZpdUzBIyqSS16t6kHvpa3YEoAPc1Z4vnWfo2zMWUXw=,tag:AHNgHPvZvdyo2UJcuUHL8g==,type:str]
 postgresql:
    enabled: true
    volumePermissions:
        enabled: true
        image:
            repository: bitnamilegacy/os-shell
            tag: 12-debian-12-r51
    auth:
-        password: ENC[AES256_GCM,data:NWk6kvOp1RRs4A==,iv:q0GoRFQ15LBXDxDnOiKWHX6/K8DwX+k2Myxk7iaBo2U=,tag:6qfY+5TF2oy4cRfeJKr7IA==,type:str]
+        password: ENC[AES256_GCM,data:+3x5Tyegl7AXDw==,iv:7wYEX57Cqr7CH57FwHi9mulZa34l0pCOyh13nWRPD+k=,tag:x0k/Yjr9DrZLbZUfz+LmTw==,type:str]
    image:
-        repository: bitnamilegacy/postgresql
+        tag: 15.9-bookworm
        tag: 15.9.0
    primary:
        args: []
 redis:
    enabled: true
 server:
@@ -31,27 +25,27 @@ server:
        hosts:
            - authentik.vhaudiquet.fr
 sops:
-    lastmodified: "2025-12-05T21:18:24Z"
+    lastmodified: "2025-08-24T08:01:35Z"
-    mac: ENC[AES256_GCM,data:DpKXYMtn+01IVQ98t/oVG4bqRVBBSQojqKGmt1A0vco8EJKNtHxyykVuuouO4mhmx+UWKjxEg+KvgvV2Ptk4uGs64x2sCSnMuqnpwfd8xpxLukqVxVd60ICKFeeVt4MgwRrlOBO2WKMDoZE5pi7pxVoGDb86P2J4XHzWqVkGGX8=,iv:W1OZznwbmlZJzICIuEVszGwFGFOgPLiThX4uxVpaOiw=,tag:s1HhjGwGt/mkWMhsqmXjZw==,type:str]
+    mac: ENC[AES256_GCM,data:R9FBswMSQKehwWNQ2oKhsRkbIPkPeuTMnPCxrMZZouWZgkAq7OLYSAdj1dOYZ0PJn6gyoiyFRzx/9GOklwqthCKRES4Kg1u1jTrv7GmUxI7H8lTPfMg37i1BXYIc4Lkr87/qWT8b4NGIZY83ufauVhryY/heXtLBXovzRXg5vEw=,iv:e2ZkquHUAFG2yjj+J2X1cte3u1s4HvqKQhKk9wZpTAg=,tag:HHZ1DV7SbIGhICAJ2uLZoQ==,type:str]
    pgp:
-        - created_at: "2025-12-05T21:18:24Z"
+        - created_at: "2025-08-24T08:01:35Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA7uy4qQr71wiAQ//ZrmaLqypfT4HvrAO8tV/I8tl3PDZgLot0pQyv3Idu3s3
+            hQIMA7uy4qQr71wiAQ//XLw8WkiLxJjC0PDTflh9Yn/ruDENUznyl/z342jizaWA
-            0e+Pn7zGBUvZXNYfgd20ilCatPVzt4x2KvFgaAkEMkqHnE2btLSrN66QiwHZDxF5
+            49o0jrmnlktRtnPVR2BZAC27CaZX2waR+nhlrSwSNRyOwyhxIcw+MpCthc0uPcd2
-            1G+TNWs6ZOUSpUn7P1UdfroSm/Gy5sdUc8cTuolOkLqq0r88Wh3+RkxoR9Nv4f4p
+            8w/MCCNPxf2UcdmXn7djl5rQV8cOlomFweDga9nUna7PGv7SWewQOmCDGOzplnik
-            XDDNRo4al8t0QT+WHKlGwaD/58Vgu0CRzBsjZodZWrG+4VgzxHK+3rqPGY7s0Mpy
+            MxpBRhFyOZxuheQIqq5u5it3e+gUfwHC9My8m3OJKBqFaEAhf3clnDy0nrq+xrgZ
-            /epq73LBFRzgVagMqjH8LBJ60jjScWHVlGjRg4TtXDyhHYizEvlWt63sbWeYBLwC
+            Dgc5DvEwCHbjXE/C9pgv/vmLUHEpXoEsmIurIO9ruxxzm2D6CaOXSL1WN6zwwQ1q
-            Uz0QHR3jWZoErbb71JpEhHa5P+QuUaZTeEq/groWsD1I7cceDC9EorhbcyWm7SNa
+            3/UvrCAJx4JSNbmiXFfwYHTw3Xu3kAqpBssIyHP7qeiU+hIX11psDRFDnJHpRxnI
-            swTx23zjfdM/Hqi5Wz9UeTN8CkdSpb1mbG9YTvhB510wcpdVPTJNM1hVF+9OJycu
+            a6Sc5hGICirKFLQPGJAIYFce/nuAVpHZ4dfaCKhlZF1sqHoO8MZtOw/MG6pnYu3j
-            RP6YH6dXuWNK7aSx62ppaz+UJb27tF+KXafO4yDIu5hY1vaeFSgCUgJTpYae4tS1
+            rpyw0db1ehnGaWVjBTUrtV4wPVQ1jN0UPJ2OTRJrxAIEu/AY9gNqLGcv8tGtjnZr
-            pWBLR51FikImgkkEFjzDwAWGBwfYzvqWqGOjO6E2yaVRTSYYdZQbTj8Owq49zizT
+            /SpWn7Uvu11lpayXy7vFsXz5JsnBv/6cN6M8Ze3VcRDBKF15/S7K/YX8JyD6/oOF
-            A4eZpPEeq+Z1FmQ7kjV7+tAV/GTDrSyvtytQ+fgebhVf+0KrcNUzQDEsQfV1htNl
+            MosvgFeOZ7Hxw22M7Q+pKXoNvBj17+iBkqiZaJOVFVUG8GlxeF8hkSUBWkdWCGq8
-            mnR590NnBp83jlHVAFYUwaCEzcrfRrfGzrlacUVuOO2c4orSeRI2FOro+2AOjvzS
+            7URVftX1uNAvYjKptzSREDvCSu6fXfE+znSYUzGZT6u55lOWerdtGraRUPBr94TS
-            XgGkpLEkrINUIuI27G838z9/9cFUqMqL6MTThuJjUmKphgLAZ1iqhyfEm/2kwXZz
+            XgF1ukkgRyYqbf/eyiN02LvVDBl0IfxYiedRCkMeX6L8NCVU9vxZZZattGDf6U3O
-            oJnnbBWIxN2/vltsuu/WprLHzbL5dBusLiBUeuSbPPron4r9Do2cNcFIT2hyAfA=
+            lIT5wZTKLLAu3qeLQMOc/CkIJLePNhfzZVwcGLtQ12bLMnuTSjeS3S3EmajcFnI=
-            =1NR0
+            =yqSe
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
--- a/kubernetes/personal/notesnook/kustomization.yaml
+++ b/kubernetes/personal/notesnook/kustomization.yaml
@@ -1,13 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: notesnook
 resources:
  - namespace.yaml
  - repository.yaml
  - release.yaml
 secretGenerator:
  - name: notesnook-values
    files:
      - values.yaml=values.yaml
 configurations:
  - kustomizeconfig.yaml
--- a/kubernetes/personal/notesnook/kustomizeconfig.yaml
+++ b/kubernetes/personal/notesnook/kustomizeconfig.yaml
@@ -1,6 +0,0 @@
 nameReference:
 - kind: Secret
  version: v1
  fieldSpecs:
  - path: spec/valuesFrom/name
    kind: HelmRelease
--- a/kubernetes/personal/notesnook/namespace.yaml
+++ b/kubernetes/personal/notesnook/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: notesnook
--- a/kubernetes/personal/notesnook/release.yaml
+++ b/kubernetes/personal/notesnook/release.yaml
@@ -1,19 +0,0 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: notesnook
  namespace: notesnook
 spec:
  interval: 1m
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: notesnook
        namespace: notesnook
      chart: notesnook
      version: '1.0.5'
      interval: 1m
  valuesFrom:
    - kind: Secret
      name: notesnook-values
--- a/kubernetes/personal/notesnook/repository.yaml
+++ b/kubernetes/personal/notesnook/repository.yaml
@@ -1,8 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: notesnook
  namespace: notesnook
 spec:
  interval: 1m
  url: https://gitlab.ibaraki.app/api/v4/projects/130/packages/helm/stable
--- a/kubernetes/personal/notesnook/values.yaml
+++ b/kubernetes/personal/notesnook/values.yaml
@@ -1,65 +0,0 @@
 instance:
    name: vhaudiquet-notesnook
 api:
    secret: ENC[AES256_GCM,data:C3mpoEG6y6IShpX1+o9eNn8NACaKy8s1xw5tY1/ncBzqaKrK3YiE7K0rl4d6Bq6q,iv:rGWxSmV98ef8Qx1jkVbQEKPkFmGEaCOXXFFZ4I1US7s=,tag:VBDOhPRTRRhFu5cU024Sqg==,type:str]
    knownProxies: 10.0.0.0/8
    disableSignups: true
 publicUrls:
    app: https://app.notesnook.com
    auth: https://auth-nook.vhaudiquet.fr
    monograph: https://n.vhaudiquet.fr
    attachments: http://localhost:9000
 smtp:
    username: ENC[AES256_GCM,data:C4dTnVaJCwxqTdevLJ+a9eJOWPk=,iv:9iHoQzZjHjmOuaoOWdedPHuv06MqtXZXJhWGiTdzhwE=,tag:xDL+WInm/Ms/LuZi53JuHA==,type:str]
    password: ENC[AES256_GCM,data:tIkKqwVBy94oqFJH0V8=,iv:cOKiwDhngz6mnZlD+XSfWFg1KZa+UCkhXKBgjK7IdnE=,tag:91d/aUlfeHbJqtRWPmTskQ==,type:str]
    host: mail.vhaudiquet.fr
    port: 465
 ingress:
    enabled: true
    hosts:
        identity:
            - host: auth-nook.vhaudiquet.fr
              paths:
                - path: /
                  pathType: ImplementationSpecific
        notesnook:
            - host: nook.vhaudiquet.fr
              paths:
                - path: /
                  pathType: ImplementationSpecific
        sse:
            - host: sse-nook.vhaudiquet.fr
              paths:
                - path: /
                  pathType: ImplementationSpecific
        monograph:
            - host: n.vhaudiquet.fr
              paths:
                - path: /
                  pathType: ImplementationSpecific
 sops:
    lastmodified: "2025-12-26T18:18:01Z"
    mac: ENC[AES256_GCM,data:Xy9P+Ifuz18apN7GoYdehc2bzTjUKMJAT7f8HZNTnvV/wkZEt4EUGJL2WGex12nYQyj6Ut+I9pwFwwX5m0oLO82s1zS2DK3BiaxFa6LFJ2VDUthKt8h9ZTNeT+2P5S5cOvEMvS6tljX8y8/HCUwVMCXGMNCIl8RtWo1Q9CgLjrw=,iv:6MdJwJh3xVrXX6sKCQMAEIpdOD8E0V6+305xcaQnnMI=,tag:5JE9M09u6ukPoQBzT9g0sA==,type:str]
    pgp:
        - created_at: "2025-12-26T18:18:01Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA7uy4qQr71wiAQ/+KZ6WDFaDTZVt6n+pu1hwxhNC9ShCSSLkiHlZjtX9DW8O
            eizwH6GAG8LQeKYr61aXXVwxsqDdM9gx/i0ynDO4fflqEQniEjlFzBeVhsqOf3CX
            rL5WImv0LSe9KjFNAZvfBhtUVENfN/Tu6RGagNb98ChOoH10MvmrzQ5t754AKPVM
            hB2f5kmOn0evFQQftYyXkQqzLvhlqdGGfBnCutXDoLz67RQwB37npzXx/c+GtlOX
            Msmp4wiYqlX9v97vjLHUX/ZeBtzm38DzUw+OTcnDPbsdZpeUMqYnpkIl8GIgSd2D
            2jZUJU4wYyOCYCnfw0+zXu3O5/1bzZ9fdc5FH6A+OlJUFbMLPXx7n9uhVOztxQ1g
            5ajZKkszSWk58IvaTueDL2QjxhJLop1y4JITgzOhiSPserXrizGn765bVEAtY8kR
            zgULAG5f41zeoJzzdMyuCFUlIJec4DFigbe7fRul4sJEjeeHtDdyINWuUXCnS4ZX
            e8/ZZ0+z98IMm7Lstb75rUezTUdlIxfJ+EtAX3L1Bdb4yJZ3i3E1VTQKWxaZWrcc
            zF5nOIZsHgD22Um8fA4mDlhX5/ygiKMHxZe2pdwps4F7H0rRzVLlM5n4g+71WeMe
            0eT4atgKPICzMNkyRJ/KWrtk4c6Kq7sSqpQKlcFsRLMga1ZBt0LQwFW+G7PU30vS
            XAFljxtoFrbdc8Yl37cQh9XCBqXMqUXSNd9t1hsgv+Vsrmv6ntPVStep8Fod/n16
            nCACAKTOe//z0OmwUXxdUCIqT/N+XEA8tOrHS+HsbB5MCfnexLDul/yUfviZ
            =yK0X
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
    version: 3.10.2
--- a/kubernetes/personal/photoprism/release.yaml
+++ b/kubernetes/personal/photoprism/release.yaml
@@ -12,7 +12,7 @@ spec:
        name: photoprism
        namespace: photoprism
      chart: photoprism
-      version: '8.11.0'
+      version: '8.9.0'
      interval: 1m
  valuesFrom:
    - kind: Secret
--- a/kubernetes/personal/photoprism/values.yaml
+++ b/kubernetes/personal/photoprism/values.yaml
@@ -1,6 +1,6 @@
 image:
    repository: photoprism/photoprism
-    tag: "251130"
+    tag: "250707"
    pullPolicy: IfNotPresent
 ingress:
    main:
@@ -31,32 +31,29 @@ mariadb:
    primary:
        persistence:
            enabled: true
    image:
        registry: docker.io
        repository: bitnamilegacy/mariadb
        tag: 12.0.2-debian-12-r0
 sops:
-    lastmodified: "2025-12-04T23:21:48Z"
+    lastmodified: "2025-08-27T10:07:51Z"
-    mac: ENC[AES256_GCM,data:UbrmZVQ9Jcy7/+N9agnQI201d5kp8lIeJ3bBymKpU7ORyYouA+AyllVts3sqWFQhFnbK2Be1IkOY+F9iEvKrjJn6frtd7b1Qz1q8j1COdpQ+h/Ok11yCsaqkVfDr32to7zlf7fHW3YdcEEmYFt/CbbzMM4C4fbxHcgFOlyzrcDk=,iv:iYggVr703vYaZ/bPXZywYOeP6ePTxyGyoLI1jfsbSFE=,tag:Ic8e2mnZD69JAlwiQmeV6A==,type:str]
+    mac: ENC[AES256_GCM,data:adWzoJckZb8ZeODL9xBK/fx9Xv0xDerkK9NBnw9k2wjtKOjd9DSedlnfoxc7GPQOLT5Sx5hE81pirvEIBU6zvs+CzyXI78Y7cOXSM5NwzUJmNdXxp9/7qOW/+0fKa3eSAZjXz4T+/eEws7LCgE8suZcEJS9QyxJzDgG7my1UmOM=,iv:ZNMBsWVN2AHlxhP9eca1i93qlUf2S0d+cz/HpMS+rgc=,tag:BWt6Or4k04VFVJNilXuEgg==,type:str]
    pgp:
-        - created_at: "2025-12-04T23:21:48Z"
+        - created_at: "2025-08-27T10:07:49Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA7uy4qQr71wiAQ//XxIcDxmC0y3KzKw6OxM/9Z5HPcdJvfyXaQ7nOIqob4OH
+            hQIMA7uy4qQr71wiARAAsWsaP2fKfz/jI/zR/rFpwKEGju67sG5IlAtIDQVbl7Nb
-            1ST3R2R5liDI2XOE0Eb2cLs0LACAih0PycWfju8fLkDeB9ztenxKnCW1DFbUYmpw
+            nbLW5PwlfGDf5ZBhQmR37MLogO6YI1EjF3kw1fxgJ5RQagaVSlW4xW/Dzid6nKax
-            DXrW/opbGXMLBdPcsoq6GPeWjlNypXepIXGWwgT/+gdxZPKsqxHglauCnVHub/Ki
+            b49MaHmWQc5tdxF/o8fIXMbXIu/P7MkOFLbEsN0/K78wIvkJNvU/KhOygdjKsdn6
-            inoFimxvkVaAefFTOazJvFfSfWI04KPSl0PgnwzWna/7rycFDYkidVKjBkmHAGad
+            qlSEmdlNbabZBLRyKTsrgQeeVGDGhJu5o1RLCq6uZ7pKMVNxeXQeFth9V34BI05Q
-            BFwhXFWi4taKPdNH3/7WBYlOyB+fs7xNPENQP8Fj7/oqF8Vb9pYTpPIGvgXNC/pB
+            mxw3Mbp8bF4tDjBVgbzk2HKUYwzkDMig/i0EP1xmPjwepz0cO5iU0pbwjiROPoyi
-            0DbtvprxAxKYGODHn5WJIjnUBkYVkq+B8q7ZsjxeFdUfNXU+89f24PSGDe0VKMFf
+            ztloaYrXvO7mZGaew9zZb8UTw/LrHNYFOFQ9x9VeOSvQFK3mXtYvowk9rQUMsMh5
-            7mJ3cio0uhizslbwtUQvFOC5I7HEjWIFGoulQqDjXXE2ocGlsS8vvW1NYtJGpJx0
+            dvMal/UtX43Z+ckTbOr+PDWMC10RmLeZn//an/x/xdK3vW3UGcEvczqjkBOdSrlt
-            aYRIRdM5+CM2tSLbZVik3IGqEmnLKNhMtObxFt0UXeoUwzBFNMQLO8zw+Fxy9VEq
+            G94SamWqdVPAqm4C7fFiNb14mafk7/GoKKmFkGOlKL6Bd30tkLUlXDpLbfIlMTFD
-            gzrmNYnnFfx5oiwg7OWmsq7NoXTkhB+VktCb3Bcl3JjJgqalquqmmodThFhU52Ac
+            YrBQxu4zQD/UL86Av5jov43WSc78uNDMGCo/WI1PdTk/fCZhH0wlyrWbolkHGOrV
-            yRhGhjrBcsXx12BCy6r3Hq6nn9PFjZsBRJvXw2WSsevBghOTWSuXRmaT05aMoiD7
+            Ui0M974JfB3hX8ZEVINDW4bw2ylQE34ZYB9cw522EpxfHmdLxEy30iU7/55LQecm
-            y5ia09N4xKvms8/e4qhwpNV/X2Ee4rS3diQFNunxk5aZTPO5kpy704KthDFODnvS
+            2x7gwgUONDIwt5a1Ey4JdcgB39ZB4mkgH5Fj8ArTBzy0PghCK4ddGFhICr8Sv/bU
-            XgGcE+XcinmUFJ1RasziSK6RoYMpSK+JaNgpJMyuaz1iQu9Wc9ptnXgEees5qH2g
+            aAEJAhB7/d3fDtj2jWs9X2TEwv2MaFnthC5bVRuMqsrtNq4QmCXEatRU9+ipNyCU
-            2rA2AzfdcBhZIHWAak2LZuuC9i5O0YGP89idZOjuEaUyGdOHzgB+jQnJ97c4pPE=
+            kjbRLfFLrAu4pZ/allJqE0AstPeJA3nMXBxCVWkSvX6tNZA6Y2hcpgG1hXnUgnxp
-            =wfLM
+            cMtSdengvVOT
            =044i
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
--- a/kubernetes/production/umami/kustomization.yaml
+++ b/kubernetes/production/umami/kustomization.yaml
@@ -1,13 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: umami
 resources:
  - namespace.yaml
  - repository.yaml
  - release.yaml
 secretGenerator:
  - name: umami-values
    files:
      - values.yaml=values.yaml
 configurations:
  - kustomizeconfig.yaml
--- a/kubernetes/production/umami/kustomizeconfig.yaml
+++ b/kubernetes/production/umami/kustomizeconfig.yaml
@@ -1,6 +0,0 @@
 nameReference:
 - kind: Secret
  version: v1
  fieldSpecs:
  - path: spec/valuesFrom/name
    kind: HelmRelease
--- a/kubernetes/production/umami/namespace.yaml
+++ b/kubernetes/production/umami/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: umami
--- a/kubernetes/production/umami/release.yaml
+++ b/kubernetes/production/umami/release.yaml
@@ -1,19 +0,0 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: umami
  namespace: umami
 spec:
  interval: 1m
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: umami
        namespace: umami
      chart: umami
      version: '7.1.0'
      interval: 1m
  valuesFrom:
    - kind: Secret
      name: umami-values
--- a/kubernetes/production/umami/repository.yaml
+++ b/kubernetes/production/umami/repository.yaml
@@ -1,8 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: umami
  namespace: umami
 spec:
  interval: 1m
  url: https://charts.christianhuth.de
--- a/kubernetes/production/umami/values.yaml
+++ b/kubernetes/production/umami/values.yaml
@@ -1,33 +0,0 @@
 ingress:
    enabled: true
    hosts:
        - host: umami.vhaudiquet.fr
          paths:
            - path: /
              pathType: ImplementationSpecific
 sops:
    lastmodified: "2025-12-29T18:15:28Z"
    mac: ENC[AES256_GCM,data:npCm/Cwhn5wCsf5qIu2rcwVP+OFe8Ph1qRHQriVANMTC9dioFPuS5IMU1RRnJPNt9y0nE5hSscg5LrfGBB5qCPUbqj3Ca9/Iv3raZLYR6SUcAaitFlxhdcFSEXOhLa+PW6yW5RZjjD9uD0IEuOje3+oa+05kIm3HqdL5Qszarns=,iv:LlywSpl9l1iEa9f1KatvLJSGU/jZWvUbK1HI9uRpZT4=,tag:I3L6JD3GeLNlrR8e5Gz3JA==,type:str]
    pgp:
        - created_at: "2025-12-29T18:15:28Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA7uy4qQr71wiAQ//S5Ormwo6DS8bywMVa3JJLuBbkD1aIvuxItPHzdJFte24
            1b3xRi/byR3i5pgOg55/VPNfscxZranA0GGayYALAepTpdKwYHkrfeZF4RNZHlwe
            C/7eQoljncOyGUw4txEcD0gfMkQ9aNYYnSs0GwWYylpc/dxaogzwsmsZOGNVK0Rc
            oeOFonEABIFs/dW+pGTAyUnexJPZO9cWQyt22dEDzRRiifPOJGcSE9+2RICS5p4A
            75riaa9jC/ANrDi3d/fTYFffAStggChNUtDQMzSKP/itpqK4rs+xWRcsF/U4LLZM
            xgDPHzJsw4apZiDT+p4dH43DWmEATPcUH/UftG420cHOJdeU7rMuabVbxRXJeXA2
            1idQiODRW4pEUNEqPMTtjrmxl+SVvCx2TlJ31idiJL9rM0DXfzEF0dacnTjV4LuW
            2oo9CiU5n+Vh6PRKPYkBXxc0GF6Vcs9/SZj47X8RQcxxqP9BoEZs4JclIS6OGiY7
            K8dw/xDmpHhLgQ1JCHEWAVuKDNH+KcnMm0mzmCHetI5yMXDVQpxuTkquhUptV3VA
            XL5+girkZ5W1XMuQiKYcKzS/r3UOHieKBRLw+MhuN+MRLOLr9FRQ+YbEGQ5Mi57R
            Qcp+nycwU+59rFRjpJaKauRDNZx3P9GnpTJBL9L/4/uibYtyyWEmMNWQcDtyhPnS
            XAG3SEsYE0547TKm/fP7q9rnAOfKwV4NwBBzGblAUJa/HIFjsT7uGicRdTexrvkK
            pbIqbyBn0qr8Y1ipaqEimfyc6OT5JDT8239SYnOwG4QPz4DV5vibjG24kykf
            =GDKV
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
    version: 3.10.2
--- a/kubernetes/system/cilium/pool.yaml
+++ b/kubernetes/system/cilium/pool.yaml
@@ -4,4 +4,4 @@ metadata:
  name: "local-pool"
 spec:
  blocks:
-  - cidr: "10.1.2.171/32"
+  - cidr: "10.1.2.187/32"
--- a/kubernetes/tools/dashy/kustomization.yaml
+++ b/kubernetes/tools/dashy/kustomization.yaml
@@ -1,13 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: dashy
 resources:
  - namespace.yaml
  - repository.yaml
  - release.yaml
 secretGenerator:
  - name: dashy-values
    files:
      - values.yaml=values.yaml
 configurations:
  - kustomizeconfig.yaml
--- a/kubernetes/tools/dashy/kustomizeconfig.yaml
+++ b/kubernetes/tools/dashy/kustomizeconfig.yaml
@@ -1,6 +0,0 @@
 nameReference:
 - kind: Secret
  version: v1
  fieldSpecs:
  - path: spec/valuesFrom/name
    kind: HelmRelease
--- a/kubernetes/tools/dashy/namespace.yaml
+++ b/kubernetes/tools/dashy/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: dashy
--- a/kubernetes/tools/dashy/release.yaml
+++ b/kubernetes/tools/dashy/release.yaml
@@ -1,19 +0,0 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: dashy
  namespace: dashy
 spec:
  interval: 1m
  chart:
    spec:
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: dashy
        namespace: dashy
      chart: dashy
      interval: 1m
  valuesFrom:
    - kind: Secret
      name: dashy-values
--- a/kubernetes/tools/dashy/repository.yaml
+++ b/kubernetes/tools/dashy/repository.yaml
@@ -1,8 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: dashy
  namespace: dashy
 spec:
  interval: 1m
  url: https://ivanwongtf.github.io/nas-helm-charts/
--- a/kubernetes/tools/dashy/values.yaml
+++ b/kubernetes/tools/dashy/values.yaml
@@ -1,11 +0,0 @@
 ingress:
  main:
    enabled: true
    hosts:
        - host: dashy.lan
          paths:
            - path: /
              pathType: ImplementationSpecific
 persistence:
  data:
    enabled: true
--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,6 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended"
  ]
 }