add calibre and audiobookshelf

53ll/values.yaml.gotmpl

@@ -62,7 +62,7 @@ extraDeploy:
     spec:
       secretName: 53ll-ca-tls
       issuerRef:
-        name: letsencrypt-53ll
+        name: letsencrypt
         kind: ClusterIssuer
       dnsNames:
         - 53ll.ca

audiobookshelf/values.yaml.gotmpl

@@ -0,0 +1,30 @@
+env:
+  TZ: America/Edmonton
+ingress:
+  main:
+    enabled: true
+    hosts:
+      - host: audiobookshelf.incngrnt.ca
+        paths:
+        - path: /
+    tls:
+      - secretName: audiobookshelf-incngrnt-ca-tls
+        hosts:
+          - audiobookshelf.incngrnt.ca
+
+persistence:
+  config:
+    enabled: true
+    accessMode: ReadWriteOnce
+    size: 1Mi
+    storageClassName: ceph-block      
+  metadata:
+    enabled: true
+    accessMode: ReadWriteOnce
+    size: 5Gi
+    storageClassName: ceph-block      
+  media:
+    enabled: true
+    accessMode: ReadWriteOnce
+    size: 50Gi
+    storageClassName: ceph-block      

calibre-web/values.yaml.gotmpl

@@ -0,0 +1,26 @@
+env:
+  TZ: America/Edmonton
+  DOCKER_MODS: linuxserver/mods:universal-calibre
+ingress:
+  main:
+    enabled: true
+    hosts:
+      - host: calibre.incngrnt.ca
+        paths:
+        - path: /
+    tls:
+      - secretName: calibre-incngrnt-ca-tls
+        hosts:
+          - calibre.incngrnt.ca
+
+persistence:
+  config:
+    enabled: true
+    accessMode: ReadWriteOnce
+    size: 1Mi
+    storageClassName: ceph-block      
+  books:
+    enabled: true
+    accessMode: ReadWriteOnce
+    size: 1Gi
+    storageClassName: ceph-block      

cert-manager-issuers/templates/clusterissuers.yaml

@@ -6,83 +6,25 @@ metadata:
 type: Opaque
 stringData:
   api-key: {{ .Values.hetzner.apiToken }}
+  
 ---
+
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
-  name: letsencrypt-incngrnt
+  name: letsencrypt
 spec:
   acme:
     server: https://acme-v02.api.letsencrypt.org/directory
     email: {{ .Values.acme.email }}
     privateKeySecretRef:
-      name: letsencrypt-incngrnt-private-key
+      name: letsencrypt-private-key
     solvers:
       - dns01:
           webhook:
             groupName: acme.hetzner.com
             solverName: hetzner
             config:
-              secretName: hetzner-dns-credentials
+              tokenSecretKeyRef:
-              zoneName: incngrnt.ca
+                name: hetzner-dns-credentials
-              apiUrl: https://dns.hetzner.com/api/v1
+                key: api-key
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-goatchat
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: {{ .Values.acme.email }}
-    privateKeySecretRef:
-      name: letsencrypt-goatchat-private-key
-    solvers:
-      - dns01:
-          webhook:
-            groupName: acme.hetzner.com
-            solverName: hetzner
-            config:
-              secretName: hetzner-dns-credentials
-              zoneName: goatchat.ca
-              apiUrl: https://dns.hetzner.com/api/v1
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-53ll
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: {{ .Values.acme.email }}
-    privateKeySecretRef:
-      name: letsencrypt-53ll-private-key
-    solvers:
-      - dns01:
-          webhook:
-            groupName: acme.hetzner.com
-            solverName: hetzner
-            config:
-              secretName: hetzner-dns-credentials
-              zoneName: 53ll.ca
-              apiUrl: https://dns.hetzner.com/api/v1
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-kgnot
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: {{ .Values.acme.email }}
-    privateKeySecretRef:
-      name: letsencrypt-kgnot-private-key
-    solvers:
-      - dns01:
-          webhook:
-            groupName: acme.hetzner.com
-            solverName: hetzner
-            config:
-              secretName: hetzner-dns-credentials
-              zoneName: kgnot.ca
-              apiUrl: https://dns.hetzner.com/api/v1

gitea/values.yaml.gotmpl

@@ -78,7 +78,7 @@ extraDeploy:
   spec:
     secretName: git-incngrnt-ca-tls
     issuerRef:
-      name: letsencrypt-incngrnt
+      name: letsencrypt
       kind: ClusterIssuer
     dnsNames:
       - git.incngrnt.ca

helmfile.d/01-infrastructure.lock

@@ -2,21 +2,21 @@ version: 1.2.3
 dependencies:
   - name: cert-manager
     repository: https://charts.jetstack.io
-    version: v1.19.3
+    version: v1.20.0
   - name: cert-manager-webhook-hetzner
-    repository: https://vadimkim.github.io/cert-manager-webhook-hetzner
+    repository: https://charts.hetzner.cloud
-    version: 1.4.2
+    version: 0.6.7
   - name: rook-ceph
     repository: https://charts.rook.io/release
-    version: v1.19.1
+    version: v1.19.2
   - name: rook-ceph-cluster
     repository: https://charts.rook.io/release
-    version: v1.19.1
+    version: v1.19.2
   - name: tailscale-operator
     repository: https://pkgs.tailscale.com/helmcharts
-    version: 1.94.1
+    version: 1.94.2
   - name: traefik
     repository: https://traefik.github.io/charts
-    version: 39.0.0
+    version: 39.0.6
-digest: sha256:4f5c8a239ffdf62b0ee3c5cad93fe0a155fc9d311f2754a27f28b45d08abedfc
+digest: sha256:ab4571859e9f203e981e51fddd6eb64e39e327d1f469aae0aebd5f53cf0ec025
-generated: "2026-02-08T14:48:11.557963845-07:00"
+generated: "2026-03-21T15:54:30.181487309-06:00"

helmfile.d/01-infrastructure.yaml

@@ -7,8 +7,8 @@ repositories:
     url: https://pkgs.tailscale.com/helmcharts
   - name: jetstack
     url: https://charts.jetstack.io
-  - name: cert-manager-webhook-hetzner
+  - name: hcloud 
-    url: https://vadimkim.github.io/cert-manager-webhook-hetzner
+    url: https://charts.hetzner.cloud
 
 lockFilePath: ./helmfile.d/01-infrastructure.lock
 releases:
@@ -28,9 +28,7 @@ releases:
   - name: cert-manager-webhook-hetzner
     namespace: cert-manager
     createNamespace: true
-    chart: cert-manager-webhook-hetzner/cert-manager-webhook-hetzner
+    chart: hcloud/cert-manager-webhook-hetzner
-    values:
-      - ../cert-manager-hetzner-webhook/values.yaml.gotmpl
   - name: cert-manager-issuers
     namespace: cert-manager
     createNamespace: true

helmfile.d/02-datastore.lock

@@ -2,15 +2,15 @@ version: 1.2.3
 dependencies:
   - name: k8up
     repository: https://k8up-io.github.io/k8up
-    version: 4.8.6
+    version: 4.8.7
   - name: mariadb
     repository: https://charts.bitnami.com/bitnami
-    version: 24.0.4
+    version: 25.0.5
   - name: pgo
     repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
     version: 5.8.1
   - name: postgrescluster
     repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
     version: 5.7.4
-digest: sha256:fc54869ca74c71a7cff3a47249fc1c1abad85af8b5fd46f50cc5f94e34ea196f
+digest: sha256:15aa54bcbc82cc0a0f2fde31f8a9999598a4ac8d8ae8ef4ea5d2cbc361443075
-generated: "2026-02-08T14:48:12.433127048-07:00"
+generated: "2026-03-21T14:15:00.978030866-06:00"

helmfile.d/03-apps.lock

@@ -1,5 +1,11 @@
 version: 1.2.3
 dependencies:
+  - name: audiobookshelf
+    repository: https://k8s-home-lab.github.io/helm-charts/
+    version: 2.0.1
+  - name: calibre-web
+    repository: https://k8s-home-lab.github.io/helm-charts/
+    version: 9.1.0
   - name: ghost
     repository: https://charts.bitnami.com/bitnami
     version: 25.0.4
@@ -29,9 +35,9 @@ dependencies:
     version: 0.1.0
   - name: matrix-synapse
     repository: https://ananace.gitlab.io/charts
-    version: 3.12.19
+    version: 3.12.23
   - name: static-site
     repository: git+https://github.com/cfpb/static-site@charts?ref=main
     version: 0.1.1
-digest: sha256:c3533d8c4b01672a46feeb0bf7610dddceb4387d76ab5bf5f3edc27086747ba1
+digest: sha256:5fa6810fb7db97d0ff56fc5dcf272fd59202bad89b36c5b30ce212db7956edb9
-generated: "2026-02-08T14:48:18.507177487-07:00"
+generated: "2026-03-21T15:54:36.111194061-06:00"

helmfile.d/03-apps.yaml

@@ -11,7 +11,9 @@ repositories:
     url: git+https://github.com/cfpb/static-site@charts?ref=main
   - name: incngrnt
     url: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
-
+  - name: k8s-home-lab
+    url:  https://k8s-home-lab.github.io/helm-charts/
+    
 lockFilePath: ./helmfile.d/03-apps.lock
 releases:
   # goatchat matrix
@@ -64,6 +66,20 @@ releases:
     values:
       - ../gitea/values.yaml.gotmpl
 
+  # books
+  - name: calibre-web
+    namespace: calibre
+    createNamespace: true
+    chart: k8s-home-lab/calibre-web
+    values:
+      - ../calibre-web/values.yaml.gotmpl
+  - name: audiobookshelf
+    namespace: audiobookshelf
+    createNamespace: true
+    chart: k8s-home-lab/audiobookshelf
+    values:
+      - ../audiobookshelf/values.yaml.gotmpl
+
   # backups
   - name: ghost-backup
     namespace: ghost

immich/pvc.yaml

@@ -7,5 +7,5 @@ spec:
   - ReadWriteOnce
   resources:
     requests:
-      storage: 200Gi
+      storage: 300Gi
 

immich/values.yaml.gotmpl

@@ -3,7 +3,7 @@ controllers:
     containers:
       main:
         image:
-          tag: v2.5.5
+          tag: v2.5.6
 
         env:
           DB_HOSTNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.host | base64decode }}'") }}

kgnot/values.yaml.gotmpl

@@ -64,7 +64,7 @@ extraDeploy:
     spec:
       secretName: kgnot-ca-tls
       issuerRef:
-        name: letsencrypt-kgnot
+        name: letsencrypt
         kind: ClusterIssuer
       dnsNames:
         - kgnot.ca

tailscale/connector.yaml

@@ -9,3 +9,4 @@ spec:
   subnetRouter:
     advertiseRoutes:
       - "192.168.1.0/24"
+  exitNode: true

traefik/values.yaml.gotmpl

@@ -116,7 +116,7 @@ extraObjects:
     spec:
       secretName: fog-incngrnt-ca-tls
       issuerRef:
-        name: letsencrypt-incngrnt
+        name: letsencrypt
         kind: ClusterIssuer
       dnsNames:
         - fog.incngrnt.ca
@@ -130,7 +130,7 @@ extraObjects:
     spec:
       secretName: goatchat-ca-tls
       issuerRef:
-        name: letsencrypt-goatchat
+        name: letsencrypt
         kind: ClusterIssuer
       dnsNames:
         - goatchat.ca
@@ -142,7 +142,7 @@ extraObjects:
     spec:
       secretName: incngrnt-ca-tls
       issuerRef:
-        name: letsencrypt-incngrnt
+        name: letsencrypt
         kind: ClusterIssuer
       dnsNames:
         - incngrnt.ca
@@ -154,7 +154,31 @@ extraObjects:
     spec:
       secretName: photos-incngrnt-ca-tls
       issuerRef:
-        name: letsencrypt-incngrnt
+        name: letsencrypt
         kind: ClusterIssuer
       dnsNames:
         - photos.incngrnt.ca
+  - apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+      name: calibre-incngrnt-ca
+      namespace: calibre
+    spec:
+      secretName: calibre-incngrnt-ca-tls
+      issuerRef:
+        name: letsencrypt
+        kind: ClusterIssuer
+      dnsNames:
+        - calibre.incngrnt.ca
+  - apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+      name: audiobookshelf-incngrnt-ca
+      namespace: audiobookshelf
+    spec:
+      secretName: audiobookshelf-incngrnt-ca-tls
+      issuerRef:
+        name: letsencrypt
+        kind: ClusterIssuer
+      dnsNames:
+        - audiobookshelf.incngrnt.ca