fixed geoip tag

2026-01-20 18:01:32 +01:00
parent 7595cbe4ad
commit 99548a235e
33 changed files with 2864 additions and 2863 deletions
@@ -29,46 +29,46 @@ spec:
        app.kubernetes.io/version: 26.1.0
    spec:
      containers:
-      - name: actualbudget
+        - name: actualbudget
-        image: actualbudget/actual-server:26.1.0
+          image: actualbudget/actual-server:26.1.0
-        imagePullPolicy: IfNotPresent
+          imagePullPolicy: IfNotPresent
-        env:
+          env:
-        - name: TZ
+            - name: TZ
-          value: Europe/Budapest
+              value: Europe/Budapest
-        ports:
+          ports:
-        - containerPort: 5006
+            - containerPort: 5006
-          name: http
+              name: http
-          protocol: TCP
+              protocol: TCP
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /
+              path: /
-            port: http
+              port: http
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 30
+            periodSeconds: 30
-          timeoutSeconds: 10
+            timeoutSeconds: 10
-          failureThreshold: 3
+            failureThreshold: 3
-        readinessProbe:
+          readinessProbe:
-          httpGet:
+            httpGet:
-            path: /
+              path: /
-            port: http
+              port: http
-          initialDelaySeconds: 10
+            initialDelaySeconds: 10
-          periodSeconds: 10
+            periodSeconds: 10
-          timeoutSeconds: 5
+            timeoutSeconds: 5
-          failureThreshold: 3
+            failureThreshold: 3
-        resources:
+          resources:
-          limits:
+            limits:
-            cpu: 500m
+              cpu: 500m
-            memory: 512Mi
+              memory: 512Mi
-          requests:
+            requests:
-            cpu: 50m
+              cpu: 50m
-            memory: 128Mi
+              memory: 128Mi
-        volumeMounts:
+          volumeMounts:
-        - name: data
+            - name: data
-          mountPath: /data
+              mountPath: /data
      volumes:
-      - name: data
+        - name: data
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: actualbudget-data
+            claimName: actualbudget-data
 ---
 apiVersion: v1
 kind: Service
@@ -82,10 +82,10 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: http
+    - name: http
-    port: 5006
+      port: 5006
-    protocol: TCP
+      protocol: TCP
-    targetPort: http
+      targetPort: http
  selector:
    app.kubernetes.io/instance: actualbudget
    app.kubernetes.io/name: actualbudget
@@ -99,7 +99,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-body-size: 50m
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
  labels:
@@ -110,30 +110,30 @@ metadata:
 spec:
  ingressClassName: nginx-internal
  rules:
-  - host: actualbudget.dooplex.hu
+    - host: actualbudget.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: actualbudget
+                name: actualbudget
-            port:
+                port:
-              number: 5006
+                  number: 5006
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
-  - host: actualbudget.home
+    - host: actualbudget.home
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: actualbudget
+                name: actualbudget
-            port:
+                port:
-              number: 5006
+                  number: 5006
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
  tls:
-  - hosts:
+    - hosts:
-    - actualbudget.dooplex.hu
+        - actualbudget.dooplex.hu
-    secretName: actualbudget-tls
+      secretName: actualbudget-tls
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -145,7 +145,7 @@ metadata:
  namespace: actualbudget-system
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
@@ -374,7 +374,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
@@ -55,18 +55,18 @@ spec:
        app.kubernetes.io/name: romm-redis
    spec:
      containers:
-      - name: redis
+        - name: redis
-        image: redis:7.2-alpine
+          image: redis:7.2-alpine
-        ports:
+          ports:
-        - containerPort: 6379
+            - containerPort: 6379
-          name: redis
+              name: redis
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 50m
+              cpu: 50m
-            memory: 64Mi
+              memory: 64Mi
-          limits:
+            limits:
-            cpu: 200m
+              cpu: 200m
-            memory: 128Mi
+              memory: 128Mi
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -95,151 +95,151 @@ spec:
      securityContext:
        fsGroup: 1000
      initContainers:
-      - name: init-config
+        - name: init-config
-        image: busybox:1.36
+          image: busybox:1.36
-        command:
+          command:
-        - sh
+            - sh
-        - -c
+            - -c
-        - |
+            - |
-          # Copy the template to the PVC only if it doesn't exist
+              # Copy the template to the PVC only if it doesn't exist
-          if [ ! -f /romm/config/config.yml ]; then
+              if [ ! -f /romm/config/config.yml ]; then
-            echo "Creating initial config.yml from template..."
+                echo "Creating initial config.yml from template..."
-            cp /tmp/template/config.yml /romm/config/config.yml
+                cp /tmp/template/config.yml /romm/config/config.yml
-            # Ensure the ROMM user (1000) owns the file
+                # Ensure the ROMM user (1000) owns the file
-            chown 1000:1000 /romm/config/config.yml
+                chown 1000:1000 /romm/config/config.yml
-          else
+              else
-            echo "config.yml already exists, skipping copy."
+                echo "config.yml already exists, skipping copy."
-          fi
+              fi
-        volumeMounts:
+          volumeMounts:
-        - name: config-template
+            - name: config-template
-          mountPath: /tmp/template
+              mountPath: /tmp/template
-        - name: config-storage
+            - name: config-storage
-          mountPath: /romm/config
+              mountPath: /romm/config
      containers:
-      - name: romm
+        - name: romm
-        image: rommapp/romm:4.5.0
+          image: rommapp/romm:4.5.0
-        env:
+          env:
-        # Database
+            # Database
-        - name: DB_HOST
+            - name: DB_HOST
-          value: "romm-db"          # was postgresql-rw.database-system...
+              value: "romm-db" # was postgresql-rw.database-system...
-        - name: DB_PORT
+            - name: DB_PORT
-          value: "3306"             # was 5432
+              value: "3306" # was 5432
-        - name: DB_NAME
+            - name: DB_NAME
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-db
+                  name: romm-db
-              key: database
+                  key: database
-        - name: DB_USER
+            - name: DB_USER
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-db
+                  name: romm-db
-              key: username
+                  key: username
-        - name: DB_PASSWD
+            - name: DB_PASSWD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-db
+                  name: romm-db
-              key: password
+                  key: password
-        # Redis
+            # Redis
-        - name: REDIS_HOST
+            - name: REDIS_HOST
-          value: "romm-redis"
+              value: "romm-redis"
-        - name: REDIS_PORT
+            - name: REDIS_PORT
-          value: "6379"
+              value: "6379"
-        # Auth
+            # Auth
-        - name: ROMM_AUTH_SECRET_KEY
+            - name: ROMM_AUTH_SECRET_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-app
+                  name: romm-app
-              key: auth-secret-key
+                  key: auth-secret-key
-        # OIDC with Authentik
+            # OIDC with Authentik
-        - name: OIDC_ENABLED
+            - name: OIDC_ENABLED
-          value: "true"
+              value: "true"
-        - name: OIDC_PROVIDER
+            - name: OIDC_PROVIDER
-          value: "authentik"
+              value: "authentik"
-        - name: OIDC_CLIENT_ID
+            - name: OIDC_CLIENT_ID
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-oidc
+                  name: romm-oidc
-              key: client-id
+                  key: client-id
-        - name: OIDC_CLIENT_SECRET
+            - name: OIDC_CLIENT_SECRET
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-oidc
+                  name: romm-oidc
-              key: client-secret
+                  key: client-secret
-        - name: OIDC_REDIRECT_URI
+            - name: OIDC_REDIRECT_URI
-          value: "https://arcade.dooplex.hu/api/oauth/openid"
+              value: "https://arcade.dooplex.hu/api/oauth/openid"
-        - name: OIDC_SERVER_APPLICATION_URL
+            - name: OIDC_SERVER_APPLICATION_URL
-          value: "https://authentik.dooplex.hu/application/o/arcade"
+              value: "https://authentik.dooplex.hu/application/o/arcade"
-        - name: ROMM_PORT
+            - name: ROMM_PORT
-          value: "8080"
+              value: "8080"
-        # API Keys (optional)
+            # API Keys (optional)
-        - name: IGDB_CLIENT_ID
+            - name: IGDB_CLIENT_ID
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-app
+                  name: romm-app
-              key: igdb-client-id
+                  key: igdb-client-id
-        - name: IGDB_CLIENT_SECRET
+            - name: IGDB_CLIENT_SECRET
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-app
+                  name: romm-app
-              key: igdb-client-secret
+                  key: igdb-client-secret
-        - name: STEAMGRIDDB_API_KEY
+            - name: STEAMGRIDDB_API_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-app
+                  name: romm-app
-              key: steamgriddb-api-key
+                  key: steamgriddb-api-key
-        - name: SCREENSCRAPER_USER
+            - name: SCREENSCRAPER_USER
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-app
+                  name: romm-app
-              key: screenscraper-user
+                  key: screenscraper-user
-        - name: SCREENSCRAPER_PASSWORD
+            - name: SCREENSCRAPER_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-app
+                  name: romm-app
-              key: screenscraper-password
+                  key: screenscraper-password
-        ports:
+          ports:
-        - containerPort: 8080
+            - containerPort: 8080
-          name: http
+              name: http
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 100m
+              cpu: 100m
-            memory: 256Mi
+              memory: 256Mi
-          limits:
+            limits:
-            cpu: 1000m
+              cpu: 1000m
-            memory: 1Gi
+              memory: 1Gi
-        volumeMounts:
+          volumeMounts:
-        - name: library
+            - name: library
-          mountPath: /romm/library
+              mountPath: /romm/library
-        - name: resources
+            - name: resources
-          mountPath: /romm/resources
+              mountPath: /romm/resources
-        - name: config-storage
+            - name: config-storage
-          mountPath: /romm/config
+              mountPath: /romm/config
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /api/heartbeat
+              path: /api/heartbeat
-            port: http
+              port: http
-          initialDelaySeconds: 60
+            initialDelaySeconds: 60
-          periodSeconds: 30
+            periodSeconds: 30
-        readinessProbe:
+          readinessProbe:
-          httpGet:
+            httpGet:
-            path: /api/heartbeat
+              path: /api/heartbeat
-            port: http
+              port: http
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 10
+            periodSeconds: 10
      volumes:
-      - name: library
+        - name: library
-        hostPath:
+          hostPath:
-          path: /mnt/4_hdd/data/roms
+            path: /mnt/4_hdd/data/roms
-          type: DirectoryOrCreate
+            type: DirectoryOrCreate
-      - name: resources
+        - name: resources
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: romm-resources
+            claimName: romm-resources
-      - name: config-storage
+        - name: config-storage
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: romm-config
+            claimName: romm-config
-      - name: config-template
+        - name: config-template
-        configMap:
+          configMap:
-          name: romm-config-template
+            name: romm-config-template
 ---
 apiVersion: v1
 kind: Service
@@ -252,9 +252,9 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: redis
+    - name: redis
-    port: 6379
+      port: 6379
-    targetPort: redis
+      targetPort: redis
  selector:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm-redis
@@ -270,9 +270,9 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: http
+    - name: http
-    port: 8080
+      port: 8080
-    targetPort: http
+      targetPort: http
  selector:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm
@@ -293,36 +293,36 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
  ingressClassName: nginx-internal
  rules:
-  - host: arcade.dooplex.hu
+    - host: arcade.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: romm
+                name: romm
-            port:
+                port:
-              number: 8080
+                  number: 8080
-  - host: arcade.home
+    - host: arcade.home
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: romm
+                name: romm
-            port:
+                port:
-              number: 8080
+                  number: 8080
  tls:
-  - hosts:
+    - hosts:
-    - arcade.dooplex.hu
+        - arcade.dooplex.hu
-    secretName: romm-tls
+      secretName: romm-tls
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -336,7 +336,7 @@ metadata:
    recurring-job.longhorn.io/source: enabled
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
@@ -354,7 +354,7 @@ metadata:
    recurring-job.longhorn.io/source: enabled
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
@@ -383,46 +383,46 @@ spec:
        app.kubernetes.io/name: romm-db
    spec:
      containers:
-      - name: mariadb
+        - name: mariadb
-        image: mariadb:11
+          image: mariadb:11
-        env:
+          env:
-        - name: MARIADB_ROOT_PASSWORD
+            - name: MARIADB_ROOT_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-db
+                  name: romm-db
-              key: root-password
+                  key: root-password
-        - name: MARIADB_DATABASE
+            - name: MARIADB_DATABASE
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-db
+                  name: romm-db
-              key: database
+                  key: database
-        - name: MARIADB_USER
+            - name: MARIADB_USER
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-db
+                  name: romm-db
-              key: username
+                  key: username
-        - name: MARIADB_PASSWORD
+            - name: MARIADB_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: romm-db
+                  name: romm-db
-              key: password
+                  key: password
-        ports:
+          ports:
-        - containerPort: 3306
+            - containerPort: 3306
-          name: mariadb
+              name: mariadb
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 100m
+              cpu: 100m
-            memory: 256Mi
+              memory: 256Mi
-          limits:
+            limits:
-            cpu: 500m
+              cpu: 500m
-            memory: 512Mi
+              memory: 512Mi
-        volumeMounts:
+          volumeMounts:
-        - name: data
+            - name: data
-          mountPath: /var/lib/mysql
+              mountPath: /var/lib/mysql
      volumes:
-      - name: data
+        - name: data
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: romm-db
+            claimName: romm-db
 ---
 apiVersion: v1
 kind: Service
@@ -435,9 +435,9 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: mariadb
+    - name: mariadb
-    port: 3306
+      port: 3306
-    targetPort: mariadb
+      targetPort: mariadb
  selector:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm-db
@@ -454,7 +454,7 @@ metadata:
    recurring-job.longhorn.io/source: enabled
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
@@ -11,36 +11,36 @@ metadata:
    external-dns.alpha.kubernetes.io/hostname: argocd.dooplex.hu,argocd.home
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
  ingressClassName: nginx-internal
  tls:
-  - hosts:
+    - hosts:
-    - argocd.dooplex.hu
+        - argocd.dooplex.hu
-    secretName: argocd-server-tls
+      secretName: argocd-server-tls
  rules:
-  - host: argocd.dooplex.hu
+    - host: argocd.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: argocd-server
+                name: argocd-server
-            port:
+                port:
-              number: 80
+                  number: 80
-  - host: argocd.home
+    - host: argocd.home
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: argocd-server
+                name: argocd-server
-            port:
+                port:
-              number: 80
+                  number: 80
 ---
 # ArgoCD ConfigMap patches for your environment
 apiVersion: v1
@@ -137,7 +137,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
  labels:
@@ -247,7 +247,6 @@ spec:
            - name: DATABASE_DIRECT_URL
              value: "postgresql://$(DB_USER):$(DB_PASS)@postgresql-rw.database-system.svc.cluster.local:5432/calcom"
            # Redis
            - name: REDIS_URL
              value: "redis://calcom-redis:6379"
@@ -408,7 +407,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
    nginx.ingress.kubernetes.io/proxy-set-headers: "booking-system/calcom-proxy-headers"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
@@ -340,7 +340,7 @@ metadata:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
  labels:
@@ -254,7 +254,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
@@ -302,7 +302,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
@@ -49,74 +49,74 @@ spec:
      securityContext:
        fsGroup: 1000
      containers:
-      - name: code-server
+        - name: code-server
-        image: codercom/code-server:4.108.0
+          image: codercom/code-server:4.108.0
-        args:
+          args:
-        - --bind-addr=0.0.0.0:8080
+            - --bind-addr=0.0.0.0:8080
-        - --auth=none
+            - --auth=none
-        - --disable-telemetry
+            - --disable-telemetry
-        - --disable-update-check
+            - --disable-update-check
-        env:
+          env:
-        - name: TZ
+            - name: TZ
-          value: "Europe/Budapest"
+              value: "Europe/Budapest"
-        - name: HOME
+            - name: HOME
-          value: "/home/coder"
+              value: "/home/coder"
-        - name: USER
+            - name: USER
-          value: "coder"
+              value: "coder"
-        # Proxy trust for headers
+            # Proxy trust for headers
-        - name: CS_DISABLE_PROXY_TRUST
+            - name: CS_DISABLE_PROXY_TRUST
-          value: "false"
+              value: "false"
-        - name: GIT_CONFIG_GLOBAL
+            - name: GIT_CONFIG_GLOBAL
-          value: "/home/coder/.config/git/config"
+              value: "/home/coder/.config/git/config"
-        lifecycle:
+          lifecycle:
-          postStart:
+            postStart:
-            exec:
+              exec:
-              command: ["/bin/sh", "-c", "mkdir -p /home/coder/.config/git"]
+                command: ["/bin/sh", "-c", "mkdir -p /home/coder/.config/git"]
-        ports:
+          ports:
-        - containerPort: 8080
+            - containerPort: 8080
-          name: http
+              name: http
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 200m
+              cpu: 200m
-            memory: 512Mi
+              memory: 512Mi
-          limits:
+            limits:
-            cpu: 2000m
+              cpu: 2000m
-            memory: 4Gi
+              memory: 4Gi
-        volumeMounts:
+          volumeMounts:
-        - name: config
+            - name: config
-          mountPath: /home/coder/.config
+              mountPath: /home/coder/.config
-        - name: workspace
+            - name: workspace
-          mountPath: /home/coder/workspace
+              mountPath: /home/coder/workspace
-        - name: local
+            - name: local
-          mountPath: /home/coder/.local
+              mountPath: /home/coder/.local
-        - name: config
+            - name: config
-          mountPath: /home/coder/.ssh
+              mountPath: /home/coder/.ssh
-          subPath: ssh
+              subPath: ssh
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /healthz
+              path: /healthz
-            port: http
+              port: http
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 30
+            periodSeconds: 30
-        readinessProbe:
+          readinessProbe:
-          httpGet:
+            httpGet:
-            path: /healthz
+              path: /healthz
-            port: http
+              port: http
-          initialDelaySeconds: 10
+            initialDelaySeconds: 10
-          periodSeconds: 10
+            periodSeconds: 10
-        securityContext:
+          securityContext:
-          runAsUser: 1000
+            runAsUser: 1000
-          runAsGroup: 1000
+            runAsGroup: 1000
      volumes:
-      - name: config
+        - name: config
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: code-server-config
+            claimName: code-server-config
-      - name: workspace
+        - name: workspace
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: code-server-workspace
+            claimName: code-server-workspace
-      - name: local
+        - name: local
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: code-server-local
+            claimName: code-server-local
 ---
 apiVersion: v1
 kind: Service
@@ -129,9 +129,9 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: http
+    - name: http
-    port: 8080
+      port: 8080
-    targetPort: http
+      targetPort: http
  selector:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server
@@ -161,36 +161,36 @@ metadata:
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
  ingressClassName: nginx-internal
  rules:
-  - host: code.dooplex.hu
+    - host: code.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: code-server
+                name: code-server
-            port:
+                port:
-              number: 8080
+                  number: 8080
-  - host: code.home
+    - host: code.home
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: code-server
+                name: code-server
-            port:
+                port:
-              number: 8080
+                  number: 8080
  tls:
-  - hosts:
+    - hosts:
-    - code.dooplex.hu
+        - code.dooplex.hu
-    secretName: code-server-tls
+      secretName: code-server-tls
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -204,7 +204,7 @@ metadata:
    recurring-job.longhorn.io/source: enabled
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
@@ -222,7 +222,7 @@ metadata:
    recurring-job.longhorn.io/source: enabled
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
@@ -238,7 +238,7 @@ metadata:
    app.kubernetes.io/name: code-server-local
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
@@ -11,7 +11,7 @@ metadata:
  labels:
    app.kubernetes.io/name: craftycontroller
 data:
-  README.txt: 'Crafty Controller hostNetwork deployment.
+  README.txt: "Crafty Controller hostNetwork deployment.
    Reserved Minecraft TCP port range on the node: 25565-25575.
@@ -23,7 +23,7 @@ data:
    Port 25565 is commonly used for the primary server.
-    '
+    "
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -44,7 +44,7 @@ metadata:
    app.kubernetes.io/instance: crafty
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
@@ -60,7 +60,7 @@ metadata:
    app.kubernetes.io/instance: crafty
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  resources:
    requests:
      storage: 50Gi
@@ -76,7 +76,7 @@ metadata:
    app.kubernetes.io/instance: crafty
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  resources:
    requests:
      storage: 50Gi
@@ -92,7 +92,7 @@ metadata:
    app.kubernetes.io/instance: crafty
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
@@ -112,10 +112,10 @@ spec:
    app.kubernetes.io/name: craftycontroller
    app.kubernetes.io/instance: crafty
  ports:
-  - name: https
+    - name: https
-    port: 8443
+      port: 8443
-    targetPort: 8443
+      targetPort: 8443
-    protocol: TCP
+      protocol: TCP
 ---
 apiVersion: v1
 kind: Service
@@ -131,10 +131,10 @@ spec:
    app.kubernetes.io/name: craftycontroller
    app.kubernetes.io/instance: crafty
  ports:
-  - name: https
+    - name: https
-    port: 8443
+      port: 8443
-    targetPort: 8443
+      targetPort: 8443
-    protocol: TCP
+      protocol: TCP
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -149,44 +149,45 @@ metadata:
    external-dns.alpha.kubernetes.io/hostname: crafty.dooplex.hu,crafty.home
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
-    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 200m
    nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-crafty-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
    nginx.ingress.kubernetes.io/auth-signin: https://crafty.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
-    nginx.ingress.kubernetes.io/auth-snippet: 'proxy_set_header X-Forwarded-Host $http_host;
+    nginx.ingress.kubernetes.io/auth-snippet:
      "proxy_set_header X-Forwarded-Host $http_host;
-      '
+      "
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
  ingressClassName: nginx-internal
  tls:
-  - secretName: crafty-tls
+    - secretName: crafty-tls
-    hosts:
+      hosts:
-    - crafty.dooplex.hu
+        - crafty.dooplex.hu
  rules:
-  - host: crafty.dooplex.hu
+    - host: crafty.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: craftycontroller-https
+                name: craftycontroller-https
-            port:
+                port:
-              number: 8443
+                  number: 8443
-  - host: crafty.home
+    - host: crafty.home
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: craftycontroller-https
+                name: craftycontroller-https
-            port:
+                port:
-              number: 8443
+                  number: 8443
 ---
 apiVersion: apps/v1
 kind: StatefulSet
@@ -217,84 +218,84 @@ spec:
      securityContext:
        fsGroup: 0
      containers:
-      - name: craftycontroller
+        - name: craftycontroller
-        image: arcadiatechnology/crafty-4:4.7.0
+          image: arcadiatechnology/crafty-4:4.7.0
-        imagePullPolicy: IfNotPresent
+          imagePullPolicy: IfNotPresent
-        securityContext:
+          securityContext:
-          runAsNonRoot: true
+            runAsNonRoot: true
-          runAsUser: 1000
+            runAsUser: 1000
-          runAsGroup: 0
+            runAsGroup: 0
-        ports:
+          ports:
-        - name: https
+            - name: https
-          containerPort: 8443
+              containerPort: 8443
-          protocol: TCP
+              protocol: TCP
-        - name: minecraft
+            - name: minecraft
-          containerPort: 25565
+              containerPort: 25565
-          protocol: TCP
+              protocol: TCP
-        - name: mc25566
+            - name: mc25566
-          containerPort: 25566
+              containerPort: 25566
-          protocol: TCP
+              protocol: TCP
-        - name: mc25567
+            - name: mc25567
-          containerPort: 25567
+              containerPort: 25567
-          protocol: TCP
+              protocol: TCP
-        - name: mc25568
+            - name: mc25568
-          containerPort: 25568
+              containerPort: 25568
-          protocol: TCP
+              protocol: TCP
-        - name: mc25569
+            - name: mc25569
-          containerPort: 25569
+              containerPort: 25569
-          protocol: TCP
+              protocol: TCP
-        - name: mc25570
+            - name: mc25570
-          containerPort: 25570
+              containerPort: 25570
-          protocol: TCP
+              protocol: TCP
-        - name: mc25571
+            - name: mc25571
-          containerPort: 25571
+              containerPort: 25571
-          protocol: TCP
+              protocol: TCP
-        - name: mc25572
+            - name: mc25572
-          containerPort: 25572
+              containerPort: 25572
-          protocol: TCP
+              protocol: TCP
-        - name: mc25573
+            - name: mc25573
-          containerPort: 25573
+              containerPort: 25573
-          protocol: TCP
+              protocol: TCP
-        - name: mc25574
+            - name: mc25574
-          containerPort: 25574
+              containerPort: 25574
-          protocol: TCP
+              protocol: TCP
-        - name: mc25575
+            - name: mc25575
-          containerPort: 25575
+              containerPort: 25575
-          protocol: TCP
+              protocol: TCP
-        livenessProbe:
+          livenessProbe:
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          httpGet:
+            httpGet:
-            path: /
+              path: /
-            port: 8443
+              port: 8443
-            scheme: HTTPS
+              scheme: HTTPS
-        readinessProbe:
+          readinessProbe:
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 10
+            periodSeconds: 10
-          failureThreshold: 18
+            failureThreshold: 18
-          httpGet:
+            httpGet:
-            path: /
+              path: /
-            port: 8443
+              port: 8443
-            scheme: HTTPS
+              scheme: HTTPS
-        resources: {}
+          resources: {}
-        volumeMounts:
+          volumeMounts:
-        - name: crafty-app-config
+            - name: crafty-app-config
-          mountPath: /crafty/app/config
+              mountPath: /crafty/app/config
-        - name: crafty-servers
+            - name: crafty-servers
-          mountPath: /crafty/servers
+              mountPath: /crafty/servers
-        - name: crafty-backups
+            - name: crafty-backups
-          mountPath: /crafty/backups
+              mountPath: /crafty/backups
-        - name: crafty-import
+            - name: crafty-import
-          mountPath: /crafty/import
+              mountPath: /crafty/import
      volumes:
-      - name: crafty-app-config
+        - name: crafty-app-config
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: crafty-app-config
+            claimName: crafty-app-config
-      - name: crafty-servers
+        - name: crafty-servers
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: crafty-servers
+            claimName: crafty-servers
-      - name: crafty-backups
+        - name: crafty-backups
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: crafty-backups
+            claimName: crafty-backups
-      - name: crafty-import
+        - name: crafty-import
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: crafty-import
+            claimName: crafty-import
@@ -55,75 +55,75 @@ spec:
      securityContext:
        fsGroup: 1000
      containers:
-      - name: gokapi
+        - name: gokapi
-        image: f0rc3/gokapi:v2.1.0
+          image: f0rc3/gokapi:v2.1.0
-        env:
+          env:
-        - name: TZ
+            - name: TZ
-          value: "Europe/Budapest"
+              value: "Europe/Budapest"
-        - name: GOKAPI_PORT
+            - name: GOKAPI_PORT
-          value: "53842"
+              value: "53842"
-        - name: GOKAPI_EXTERNAL_URL
+            - name: GOKAPI_EXTERNAL_URL
-          value: "https://fileshare.dooplex.hu/"
+              value: "https://fileshare.dooplex.hu/"
-        - name: GOKAPI_LOCALHOST
+            - name: GOKAPI_LOCALHOST
-          value: "false"
+              value: "false"
-        - name: GOKAPI_USE_SSL
+            - name: GOKAPI_USE_SSL
-          value: "false"
+              value: "false"
-        - name: GOKAPI_DATA_DIR
+            - name: GOKAPI_DATA_DIR
-          value: "/app/data"
+              value: "/app/data"
-        - name: GOKAPI_CONFIG_DIR
+            - name: GOKAPI_CONFIG_DIR
-          value: "/app/config"
+              value: "/app/config"
-        - name: GOKAPI_MAX_MEMORY_UPLOAD
+            - name: GOKAPI_MAX_MEMORY_UPLOAD
-          value: "100"
+              value: "100"
-        - name: GOKAPI_LOG_STDOUT
+            - name: GOKAPI_LOG_STDOUT
-          value: "true"
+              value: "true"
-        # Initial admin user (only used for first setup)
+            # Initial admin user (only used for first setup)
-        - name: GOKAPI_USERNAME
+            - name: GOKAPI_USERNAME
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: gokapi-app
+                  name: gokapi-app
-              key: admin-username
+                  key: admin-username
-        - name: GOKAPI_PASSWORD
+            - name: GOKAPI_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: gokapi-app
+                  name: gokapi-app
-              key: admin-password
+                  key: admin-password
-        ports:
+          ports:
-        - containerPort: 53842
+            - containerPort: 53842
-          name: http
+              name: http
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 50m
+              cpu: 50m
-            memory: 64Mi
+              memory: 64Mi
-          limits:
+            limits:
-            cpu: 500m
+              cpu: 500m
-            memory: 256Mi
+              memory: 256Mi
-        volumeMounts:
+          volumeMounts:
-        - name: config
+            - name: config
-          mountPath: /app/config
+              mountPath: /app/config
-        - name: data
+            - name: data
-          mountPath: /app/data
+              mountPath: /app/data
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /
+              path: /
-            port: http
+              port: http
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 30
+            periodSeconds: 30
-        readinessProbe:
+          readinessProbe:
-          httpGet:
+            httpGet:
-            path: /
+              path: /
-            port: http
+              port: http
-          initialDelaySeconds: 10
+            initialDelaySeconds: 10
-          periodSeconds: 10
+            periodSeconds: 10
-        securityContext:
+          securityContext:
-          runAsUser: 1000
+            runAsUser: 1000
-          runAsGroup: 1000
+            runAsGroup: 1000
      volumes:
-      - name: config
+        - name: config
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: gokapi-config
+            claimName: gokapi-config
-      - name: data
+        - name: data
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: gokapi-data
+            claimName: gokapi-data
 ---
 apiVersion: v1
 kind: Service
@@ -136,9 +136,9 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: http
+    - name: http
-    port: 53842
+      port: 53842
-    targetPort: http
+      targetPort: http
  selector:
    app.kubernetes.io/instance: gokapi
    app.kubernetes.io/name: gokapi
@@ -159,36 +159,36 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
  ingressClassName: nginx-internal
  rules:
-  - host: fileshare.dooplex.hu
+    - host: fileshare.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: gokapi
+                name: gokapi
-            port:
+                port:
-              number: 53842
+                  number: 53842
-  - host: fileshare.home
+    - host: fileshare.home
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: gokapi
+                name: gokapi
-            port:
+                port:
-              number: 53842
+                  number: 53842
  tls:
-  - hosts:
+    - hosts:
-    - fileshare.dooplex.hu
+        - fileshare.dooplex.hu
-    secretName: gokapi-tls
+      secretName: gokapi-tls
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -202,7 +202,7 @@ metadata:
    recurring-job.longhorn.io/source: enabled
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
@@ -220,7 +220,7 @@ metadata:
    recurring-job.longhorn.io/source: enabled
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
@@ -31,152 +31,152 @@ spec:
        app.kubernetes.io/name: gitea
    spec:
      initContainers:
-      - name: init-directories
+        - name: init-directories
-        image: busybox:1.36
+          image: busybox:1.36
-        command:
+          command:
-        - sh
+            - sh
-        - -c
+            - -c
-        - |
+            - |
-          mkdir -p /data/gitea/conf
+              mkdir -p /data/gitea/conf
-          chown -R 1000:1000 /data
+              chown -R 1000:1000 /data
-        volumeMounts:
+          volumeMounts:
-        - name: data
+            - name: data
-          mountPath: /data
+              mountPath: /data
      containers:
-      - name: gitea
+        - name: gitea
-        image: gitea/gitea:1.25.3
+          image: gitea/gitea:1.25.3
-        imagePullPolicy: IfNotPresent
+          imagePullPolicy: IfNotPresent
-        env:
+          env:
-        - name: USER_UID
+            - name: USER_UID
-          value: "1000"
+              value: "1000"
-        - name: USER_GID
+            - name: USER_GID
-          value: "1000"
+              value: "1000"
-        - name: GITEA__database__DB_TYPE
+            - name: GITEA__database__DB_TYPE
-          value: postgres
+              value: postgres
-        # Database - using shared PostgreSQL in database-system namespace
+            # Database - using shared PostgreSQL in database-system namespace
-        - name: GITEA__database__HOST
+            - name: GITEA__database__HOST
-          value: postgresql-rw.database-system.svc.cluster.local:5432
+              value: postgresql-rw.database-system.svc.cluster.local:5432
-        - name: GITEA__database__NAME
+            - name: GITEA__database__NAME
-          value: gitea
+              value: gitea
-        - name: GITEA__database__USER
+            - name: GITEA__database__USER
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: gitea-db
+                  name: gitea-db
-              key: username
+                  key: username
-        - name: GITEA__database__PASSWD
+            - name: GITEA__database__PASSWD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: gitea-db
+                  name: gitea-db
-              key: password
+                  key: password
-        - name: GITEA__server__DOMAIN
+            - name: GITEA__server__DOMAIN
-          value: gitea.dooplex.hu
+              value: gitea.dooplex.hu
-        - name: GITEA__server__ROOT_URL
+            - name: GITEA__server__ROOT_URL
-          value: https://gitea.dooplex.hu/
+              value: https://gitea.dooplex.hu/
-        - name: GITEA__server__HTTP_PORT
+            - name: GITEA__server__HTTP_PORT
-          value: "3000"
+              value: "3000"
-        - name: GITEA__server__SSH_DOMAIN
+            - name: GITEA__server__SSH_DOMAIN
-          value: gitea.dooplex.hu
+              value: gitea.dooplex.hu
-        - name: GITEA__server__SSH_PORT
+            - name: GITEA__server__SSH_PORT
-          value: "22"
+              value: "22"
-        - name: GITEA__server__SSH_LISTEN_PORT
+            - name: GITEA__server__SSH_LISTEN_PORT
-          value: "2222"
+              value: "2222"
-        - name: GITEA__server__LFS_START_SERVER
+            - name: GITEA__server__LFS_START_SERVER
-          value: "true"
+              value: "true"
-        - name: GITEA__security__INSTALL_LOCK
+            - name: GITEA__security__INSTALL_LOCK
-          value: "true"
+              value: "true"
-        - name: GITEA__security__SECRET_KEY
+            - name: GITEA__security__SECRET_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: gitea-app
+                  name: gitea-app
-              key: secret-key
+                  key: secret-key
-        - name: GITEA__security__INTERNAL_TOKEN
+            - name: GITEA__security__INTERNAL_TOKEN
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: gitea-app
+                  name: gitea-app
-              key: internal-token
+                  key: internal-token
-        - name: GITEA__server__LFS_JWT_SECRET
+            - name: GITEA__server__LFS_JWT_SECRET
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: gitea-app
+                  name: gitea-app
-              key: lfs-jwt-secret
+                  key: lfs-jwt-secret
-        - name: GITEA__service__DISABLE_REGISTRATION
+            - name: GITEA__service__DISABLE_REGISTRATION
-          value: "true"
+              value: "true"
-        - name: GITEA__mailer__ENABLED
+            - name: GITEA__mailer__ENABLED
-          value: "true"
+              value: "true"
-        - name: GITEA__mailer__PROTOCOL
+            - name: GITEA__mailer__PROTOCOL
-          value: smtp+starttls
+              value: smtp+starttls
-        - name: GITEA__mailer__SMTP_ADDR
+            - name: GITEA__mailer__SMTP_ADDR
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: host
+                  key: host
-        - name: GITEA__mailer__SMTP_PORT
+            - name: GITEA__mailer__SMTP_PORT
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: port
+                  key: port
-        - name: GITEA__mailer__USER
+            - name: GITEA__mailer__USER
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: username
+                  key: username
-        - name: GITEA__mailer__PASSWD
+            - name: GITEA__mailer__PASSWD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: password
+                  key: password
-        - name: GITEA__mailer__FROM
+            - name: GITEA__mailer__FROM
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: from-address
+                  key: from-address
-        - name: GITEA__time__DEFAULT_UI_LOCATION
+            - name: GITEA__time__DEFAULT_UI_LOCATION
-          value: Europe/Budapest
+              value: Europe/Budapest
-        ports:
+          ports:
-        - containerPort: 3000
+            - containerPort: 3000
-          name: http
+              name: http
-          protocol: TCP
+              protocol: TCP
-        - containerPort: 2222
+            - containerPort: 2222
-          name: ssh
+              name: ssh
-          protocol: TCP
+              protocol: TCP
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /api/healthz
+              path: /api/healthz
-            port: http
+              port: http
-          initialDelaySeconds: 60
+            initialDelaySeconds: 60
-          periodSeconds: 30
+            periodSeconds: 30
-          timeoutSeconds: 10
+            timeoutSeconds: 10
-          failureThreshold: 5
+            failureThreshold: 5
-        readinessProbe:
+          readinessProbe:
-          httpGet:
+            httpGet:
-            path: /api/healthz
+              path: /api/healthz
-            port: http
+              port: http
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 10
+            periodSeconds: 10
-          timeoutSeconds: 5
+            timeoutSeconds: 5
-          failureThreshold: 3
+            failureThreshold: 3
-        resources:
+          resources:
-          limits:
+            limits:
-            cpu: "1"
+              cpu: "1"
-            memory: 1Gi
+              memory: 1Gi
-          requests:
+            requests:
-            cpu: 100m
+              cpu: 100m
-            memory: 256Mi
+              memory: 256Mi
-        volumeMounts:
+          volumeMounts:
-        - name: data
+            - name: data
-          mountPath: /data
+              mountPath: /data
-        - name: repos
+            - name: repos
-          mountPath: /data/git/repositories
+              mountPath: /data/git/repositories
      securityContext:
        fsGroup: 1000
      volumes:
-      - name: data
+        - name: data
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: gitea-data
+            claimName: gitea-data
-      - name: repos
+        - name: repos
-        hostPath:
+          hostPath:
-          path: /mnt/4_hdd/data/gitea/repositories
+            path: /mnt/4_hdd/data/gitea/repositories
-          type: DirectoryOrCreate
+            type: DirectoryOrCreate
 ---
 apiVersion: v1
 kind: Service
@@ -190,14 +190,14 @@ spec:
  type: LoadBalancer
  loadBalancerIP: 192.168.0.203
  ports:
-  - name: http
+    - name: http
-    port: 3000
+      port: 3000
-    protocol: TCP
+      protocol: TCP
-    targetPort: http
+      targetPort: http
-  - name: ssh
+    - name: ssh
-    port: 2222
+      port: 2222
-    protocol: TCP
+      protocol: TCP
-    targetPort: 22
+      targetPort: 22
  selector:
    app.kubernetes.io/instance: gitea
    app.kubernetes.io/name: gitea
@@ -211,7 +211,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
  labels:
@@ -222,30 +222,30 @@ metadata:
 spec:
  ingressClassName: nginx-internal
  rules:
-  - host: gitea.dooplex.hu
+    - host: gitea.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: gitea
+                name: gitea
-            port:
+                port:
-              number: 3000
+                  number: 3000
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
-  - host: gitea.home
+    - host: gitea.home
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: gitea
+                name: gitea
-            port:
+                port:
-              number: 3000
+                  number: 3000
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
  tls:
-  - hosts:
+    - hosts:
-    - gitea.dooplex.hu
+        - gitea.dooplex.hu
-    secretName: gitea-tls
+      secretName: gitea-tls
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -257,7 +257,7 @@ metadata:
  namespace: gitea-system
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
@@ -2201,7 +2201,7 @@ metadata:
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
@@ -752,7 +752,7 @@ metadata:
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
@@ -347,7 +347,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
    # Homepage integration annotations
@@ -716,7 +716,7 @@ metadata:
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
    # Homepage auto-discovery annotation
@@ -231,16 +231,16 @@ spec:
      dnsPolicy: ClusterFirst
      containers:
        - env:
-          - name: HF_XET_CACHE
+            - name: HF_XET_CACHE
-            value: /cache/huggingface-xet
+              value: /cache/huggingface-xet
-          - name: IMMICH_MACHINE_LEARNING_URL
+            - name: IMMICH_MACHINE_LEARNING_URL
-            value: http://immich-machine-learning:3003
+              value: http://immich-machine-learning:3003
-          - name: MPLCONFIGDIR
+            - name: MPLCONFIGDIR
-            value: /cache/matplotlib-config
+              value: /cache/matplotlib-config
-          - name: REDIS_HOSTNAME
+            - name: REDIS_HOSTNAME
-            value: immich-valkey
+              value: immich-valkey
-          - name: TRANSFORMERS_CACHE
+            - name: TRANSFORMERS_CACHE
-            value: /cache
+              value: /cache
          image: ghcr.io/immich-app/immich-machine-learning:v2.4.1
          imagePullPolicy: IfNotPresent
          livenessProbe:
@@ -253,9 +253,9 @@ spec:
            timeoutSeconds: 1
          name: main
          ports:
-          - containerPort: 3003
+            - containerPort: 3003
-            name: http
+              name: http
-            protocol: TCP
+              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
@@ -273,8 +273,8 @@ spec:
            periodSeconds: 10
            timeoutSeconds: 1
          volumeMounts:
-          - mountPath: /cache
+            - mountPath: /cache
-            name: cache
+              name: cache
      volumes:
        - name: cache
          persistentVolumeClaim:
@@ -316,26 +316,26 @@ spec:
      dnsPolicy: ClusterFirst
      containers:
        - env:
-          - name: DB_HOSTNAME
+            - name: DB_HOSTNAME
-            value: immich-postgres
+              value: immich-postgres
-          - name: DB_PORT
+            - name: DB_PORT
-            value: "5432"
+              value: "5432"
-          - name: DB_DATABASE_NAME
+            - name: DB_DATABASE_NAME
-            value: immich
+              value: immich
-          - name: DB_USERNAME
+            - name: DB_USERNAME
-            valueFrom:
+              valueFrom:
-              secretKeyRef:
+                secretKeyRef:
-                name: immich-db
+                  name: immich-db
-                key: username
+                  key: username
-          - name: DB_PASSWORD
+            - name: DB_PASSWORD
-            valueFrom:
+              valueFrom:
-              secretKeyRef:
+                secretKeyRef:
-                name: immich-db
+                  name: immich-db
-                key: password
+                  key: password
-          - name: IMMICH_MACHINE_LEARNING_URL
+            - name: IMMICH_MACHINE_LEARNING_URL
-            value: http://immich-machine-learning:3003
+              value: http://immich-machine-learning:3003
-          - name: REDIS_HOSTNAME
+            - name: REDIS_HOSTNAME
-            value: immich-valkey
+              value: immich-valkey
          image: ghcr.io/immich-app/immich-server:v2.4.1
          imagePullPolicy: IfNotPresent
          livenessProbe:
@@ -348,9 +348,9 @@ spec:
            timeoutSeconds: 1
          name: main
          ports:
-          - containerPort: 2283
+            - containerPort: 2283
-            name: http
+              name: http
-            protocol: TCP
+              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
@@ -368,8 +368,8 @@ spec:
            periodSeconds: 10
            timeoutSeconds: 1
          volumeMounts:
-          - mountPath: /data
+            - mountPath: /data
-            name: data
+              name: data
      volumes:
        - name: data
          hostPath:
@@ -412,33 +412,33 @@ spec:
      dnsPolicy: ClusterFirst
      containers:
        - env:
-          - name: IMMICH_MACHINE_LEARNING_URL
+            - name: IMMICH_MACHINE_LEARNING_URL
-            value: http://immich-machine-learning:3003
+              value: http://immich-machine-learning:3003
-          - name: REDIS_HOSTNAME
+            - name: REDIS_HOSTNAME
-            value: immich-valkey
+              value: immich-valkey
          image: docker.io/valkey/valkey:9.0-alpine@sha256:b4ee67d73e00393e712accc72cfd7003b87d0fcd63f0eba798b23251bfc9c394
          imagePullPolicy: IfNotPresent
          livenessProbe:
            exec:
              command:
-              - sh
+                - sh
-              - -c
+                - -c
-              - valkey-cli ping | grep PONG
+                - valkey-cli ping | grep PONG
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
          name: main
          ports:
-          - containerPort: 6379
+            - containerPort: 6379
-            name: redis
+              name: redis
-            protocol: TCP
+              protocol: TCP
          readinessProbe:
            exec:
              command:
-              - sh
+                - sh
-              - -c
+                - -c
-              - valkey-cli ping | grep PONG
+                - valkey-cli ping | grep PONG
            failureThreshold: 3
            initialDelaySeconds: 5
            periodSeconds: 10
@@ -446,16 +446,16 @@ spec:
          startupProbe:
            exec:
              command:
-              - sh
+                - sh
-              - -c
+                - -c
-              - valkey-cli ping | grep PONG
+                - valkey-cli ping | grep PONG
            failureThreshold: 30
            initialDelaySeconds: 0
            periodSeconds: 10
            timeoutSeconds: 5
          volumeMounts:
-          - mountPath: /data
+            - mountPath: /data
-            name: data
+              name: data
      volumes:
        - name: data
          persistentVolumeClaim:
@@ -482,7 +482,7 @@ metadata:
      set $geo_allowed 0;
      # Allow all Hungarian traffic
-      if ($geoip2_city_country_code = "HU") {
+      if ($geoip2_country_code = "HU") {
        set $geo_allowed 1;
      }
@@ -11,6 +11,7 @@ metadata:
  labels:
    name: mon-system
 # =============================================================================
 # PROMETHEUS CONFIGURATION
 # =============================================================================
@@ -295,7 +296,7 @@ spec:
              cpu: 100m
              memory: 256Mi
            limits:
-              cpu: '2'
+              cpu: "2"
              memory: 6Gi
          livenessProbe:
            httpGet:
@@ -373,6 +374,7 @@ spec:
            path: /
            pathType: Prefix
 # =============================================================================
 # GRAFANA CONFIGURATION
 # =============================================================================
@@ -571,7 +573,7 @@ metadata:
    external-dns.alpha.kubernetes.io/hostname: grafana.dooplex.hu,grafana.home
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
@@ -602,6 +604,7 @@ spec:
        - grafana.dooplex.hu
      secretName: grafana-tls
 # =============================================================================
 # NODE EXPORTER - Host metrics (CPU, RAM, Disk, Network)
 # Runs on the host network to collect host metrics
@@ -702,6 +705,7 @@ spec:
  selector:
    app: node-exporter
 # =============================================================================
 # EXPORTARR - Metrics for Sonarr, Radarr, Prowlarr
 # =============================================================================
@@ -450,8 +450,7 @@ spec:
              value: "https://nextcloud.dooplex.hu"
            - name: NEXTCLOUD_DATA_DIR
              value: "/data"
-          resources:
+          resources: {}
            {}
          volumeMounts:
            - name: nextcloud-main
              mountPath: /var/www/
@@ -515,8 +514,8 @@ spec:
              path: /status.php
              port: 80
              httpHeaders:
-              - name: Host
+                - name: Host
-                value: localhost
+                  value: localhost
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
@@ -524,10 +523,10 @@ spec:
          livenessProbe:
            httpGet:
              path: /status.php
-              port:  80
+              port: 80
              httpHeaders:
-              - name: Host
+                - name: Host
-                value: localhost
+                  value: localhost
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
@@ -536,10 +535,10 @@ spec:
          readinessProbe:
            httpGet:
              path: /status.php
-              port:  80
+              port: 80
              httpHeaders:
-              - name: Host
+                - name: Host
-                value: localhost
+                  value: localhost
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
@@ -548,10 +547,8 @@ spec:
      initContainers:
        - name: postgresql-isready
          image: docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r3
-          resources:
+          resources: {}
-            {}
+          securityContext: {}
          securityContext:
            {}
          env:
            - name: POSTGRES_USER
              valueFrom:
@@ -640,7 +637,7 @@ spec:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
-              - ALL
+                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 1001
@@ -750,7 +747,7 @@ spec:
            medium: Memory
        - name: data
          persistentVolumeClaim:
-             claimName: nextcloud-postgresql-data # NOW PERSISTENT
+            claimName: nextcloud-postgresql-data # NOW PERSISTENT
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -763,7 +760,7 @@ metadata:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_hide_header Content-Security-Policy;
      add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' https:; media-src 'self'; frame-ancestors 'self' https://home.dooplex.hu https://orsi.dooplex.hu https://kisfenyo.dooplex.hu;" always;
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
  name: nextcloud
@@ -771,32 +768,32 @@ metadata:
 spec:
  ingressClassName: nginx-internal
  rules:
-  - host: nextcloud.dooplex.hu
+    - host: nextcloud.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: nextcloud
+                name: nextcloud
-            port:
+                port:
-              number: 80
+                  number: 80
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
-  - host: nextcloud.home
+    - host: nextcloud.home
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: nextcloud
+                name: nextcloud
-            port:
+                port:
-              number: 80
+                  number: 80
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
  tls:
-  - hosts:
+    - hosts:
-    - nextcloud.dooplex.hu
+        - nextcloud.dooplex.hu
-    secretName: nextcloud-tls
+      secretName: nextcloud-tls
 status:
  loadBalancer:
    ingress:
-    - ip: 192.168.0.192
+      - ip: 192.168.0.192
 ---
@@ -72,60 +72,60 @@ spec:
        app.kubernetes.io/instance: opengist
    spec:
      containers:
-      - name: opengist
+        - name: opengist
-        image: ghcr.io/thomiceli/opengist:1.11.1
+          image: ghcr.io/thomiceli/opengist:1.11.1
-        args: ["--config", "/config/config.yaml"]
+          args: ["--config", "/config/config.yaml"]
-        env:
+          env:
-        # --- OIDC CONFIGURATION ---
+            # --- OIDC CONFIGURATION ---
-        - name: OG_OIDC_CLIENT_KEY
+            - name: OG_OIDC_CLIENT_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: opengist-oidc
+                  name: opengist-oidc
-              key: client-id
+                  key: client-id
-        - name: OG_OIDC_SECRET
+            - name: OG_OIDC_SECRET
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: opengist-oidc
+                  name: opengist-oidc
-              key: client-secret
+                  key: client-secret
-        - name: OG_OIDC_DISCOVERY_URL
+            - name: OG_OIDC_DISCOVERY_URL
-          value: "https://authentik.dooplex.hu/application/o/opengist/.well-known/openid-configuration"
+              value: "https://authentik.dooplex.hu/application/o/opengist/.well-known/openid-configuration"
-        ports:
+          ports:
-        - containerPort: 6157
+            - containerPort: 6157
-          name: http
+              name: http
-        - containerPort: 2222
+            - containerPort: 2222
-          name: ssh
+              name: ssh
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 50m
+              cpu: 50m
-            memory: 64Mi
+              memory: 64Mi
-          limits:
+            limits:
-            cpu: 500m
+              cpu: 500m
-            memory: 256Mi
+              memory: 256Mi
-        volumeMounts:
+          volumeMounts:
-        - name: data
+            - name: data
-          mountPath: /opengist
+              mountPath: /opengist
-        - name: config
+            - name: config
-          mountPath: /config
+              mountPath: /config
-          readOnly: true
+              readOnly: true
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /healthcheck
+              path: /healthcheck
-            port: http
+              port: http
-          initialDelaySeconds: 10
+            initialDelaySeconds: 10
-          periodSeconds: 30
+            periodSeconds: 30
-        readinessProbe:
+          readinessProbe:
-          httpGet:
+            httpGet:
-            path: /healthcheck
+              path: /healthcheck
-            port: http
+              port: http
-          initialDelaySeconds: 5
+            initialDelaySeconds: 5
-          periodSeconds: 10
+            periodSeconds: 10
      volumes:
-      - name: data
+        - name: data
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: opengist-data
+            claimName: opengist-data
-      - name: config
+        - name: config
-        configMap:
+          configMap:
-          name: opengist-config
+            name: opengist-config
 ---
 # 5. SERVICE
@@ -140,12 +140,12 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: http
+    - name: http
-    port: 80
+      port: 80
-    targetPort: http
+      targetPort: http
-  - name: ssh
+    - name: ssh
-    port: 2222
+      port: 2222
-    targetPort: ssh
+      targetPort: ssh
  selector:
    app.kubernetes.io/name: opengist
    app.kubernetes.io/instance: opengist
@@ -173,7 +173,7 @@ metadata:
      set $geo_allowed 0;
      # Allow all Hungarian traffic
-      if ($geoip2_city_country_code = "HU") {
+      if ($geoip2_country_code = "HU") {
        set $geo_allowed 1;
      }
@@ -220,27 +220,27 @@ metadata:
 spec:
  ingressClassName: nginx-internal
  rules:
-  - host: paste.dooplex.hu
+    - host: paste.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: opengist
+                name: opengist
-            port:
+                port:
-              number: 80
+                  number: 80
-  - host: paste.home
+    - host: paste.home
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: opengist
+                name: opengist
-            port:
+                port:
-              number: 80
+                  number: 80
  tls:
-  - hosts:
+    - hosts:
-    - paste.dooplex.hu
+        - paste.dooplex.hu
-    secretName: opengist-tls
+      secretName: opengist-tls
@@ -30,148 +30,148 @@ spec:
        match-regex.version-checker.io/outline: '^\d+\.\d+\.\d+$'
    spec:
      containers:
-      - name: outline
+        - name: outline
-        image: outlinewiki/outline:1.2.0
+          image: outlinewiki/outline:1.2.0
-        imagePullPolicy: IfNotPresent
+          imagePullPolicy: IfNotPresent
-        env:
+          env:
-        - name: NODE_ENV
+            - name: NODE_ENV
-          value: production
+              value: production
-        - name: SECRET_KEY
+            - name: SECRET_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: outline-app
+                  name: outline-app
-              key: secret-key
+                  key: secret-key
-        - name: UTILS_SECRET
+            - name: UTILS_SECRET
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: outline-app
+                  name: outline-app
-              key: utils-secret
+                  key: utils-secret
-        - name: DB_USER
+            - name: DB_USER
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: outline-db
+                  name: outline-db
-              key: username
+                  key: username
-        - name: DB_PASS
+            - name: DB_PASS
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: outline-db
+                  name: outline-db
-              key: password
+                  key: password
-        # Database - using shared PostgreSQL in database-system namespace
+            # Database - using shared PostgreSQL in database-system namespace
-        - name: DATABASE_URL
+            - name: DATABASE_URL
-          value: postgres://$(DB_USER):$(DB_PASS)@postgresql-rw.database-system.svc.cluster.local:5432/outline
+              value: postgres://$(DB_USER):$(DB_PASS)@postgresql-rw.database-system.svc.cluster.local:5432/outline
-        - name: PGSSLMODE
+            - name: PGSSLMODE
-          value: disable
+              value: disable
-        - name: REDIS_URL
+            - name: REDIS_URL
-          value: redis://outline-redis:6379
+              value: redis://outline-redis:6379
-        - name: URL
+            - name: URL
-          value: https://outline.dooplex.hu
+              value: https://outline.dooplex.hu
-        - name: PORT
+            - name: PORT
-          value: "3000"
+              value: "3000"
-        - name: FILE_STORAGE
+            - name: FILE_STORAGE
-          value: s3
+              value: s3
-        - name: AWS_ACCESS_KEY_ID
+            - name: AWS_ACCESS_KEY_ID
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: outline-minio
+                  name: outline-minio
-              key: root-user
+                  key: root-user
-        - name: AWS_SECRET_ACCESS_KEY
+            - name: AWS_SECRET_ACCESS_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: outline-minio
+                  name: outline-minio
-              key: root-password
+                  key: root-password
-        - name: AWS_REGION
+            - name: AWS_REGION
-          value: us-east-1
+              value: us-east-1
-        - name: AWS_S3_UPLOAD_BUCKET_URL
+            - name: AWS_S3_UPLOAD_BUCKET_URL
-          value: https://outline-minio.dooplex.hu/outline  # Changed from http://outline-minio:9000
+              value: https://outline-minio.dooplex.hu/outline # Changed from http://outline-minio:9000
-        - name: AWS_S3_UPLOAD_BUCKET_NAME
+            - name: AWS_S3_UPLOAD_BUCKET_NAME
-          value: outline
+              value: outline
-        - name: AWS_S3_FORCE_PATH_STYLE
+            - name: AWS_S3_FORCE_PATH_STYLE
-          value: "true"
+              value: "true"
-        - name: AWS_S3_ACL
+            - name: AWS_S3_ACL
-          value: private
+              value: private
-        - name: OIDC_CLIENT_ID
+            - name: OIDC_CLIENT_ID
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: outline-oidc
+                  name: outline-oidc
-              key: client-id
+                  key: client-id
-        - name: OIDC_CLIENT_SECRET
+            - name: OIDC_CLIENT_SECRET
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: outline-oidc
+                  name: outline-oidc
-              key: client-secret
+                  key: client-secret
-        - name: OIDC_AUTH_URI
+            - name: OIDC_AUTH_URI
-          value: "https://authentik.dooplex.hu/application/o/authorize/"
+              value: "https://authentik.dooplex.hu/application/o/authorize/"
-        - name: OIDC_TOKEN_URI
+            - name: OIDC_TOKEN_URI
-          value: "https://authentik.dooplex.hu/application/o/token/"
+              value: "https://authentik.dooplex.hu/application/o/token/"
-        - name: OIDC_USERINFO_URI
+            - name: OIDC_USERINFO_URI
-          value: "https://authentik.dooplex.hu/application/o/userinfo/"
+              value: "https://authentik.dooplex.hu/application/o/userinfo/"
-        - name: OIDC_LOGOUT_URI
+            - name: OIDC_LOGOUT_URI
-          value: "https://authentik.dooplex.hu/application/o/outline/end-session/"
+              value: "https://authentik.dooplex.hu/application/o/outline/end-session/"
-        - name: OIDC_USERNAME_CLAIM
+            - name: OIDC_USERNAME_CLAIM
-          value: "preferred_username"
+              value: "preferred_username"
-        - name: OIDC_DISPLAY_NAME
+            - name: OIDC_DISPLAY_NAME
-          value: "authentik"
+              value: "authentik"
-        - name: OIDC_SCOPES
+            - name: OIDC_SCOPES
-          value: "openid profile email offline_access"
+              value: "openid profile email offline_access"
-        # SMTP Configuration
+            # SMTP Configuration
-        - name: SMTP_HOST
+            - name: SMTP_HOST
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: host
+                  key: host
-        - name: SMTP_PORT
+            - name: SMTP_PORT
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: port
+                  key: port
-        - name: SMTP_USERNAME
+            - name: SMTP_USERNAME
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: username
+                  key: username
-        - name: SMTP_PASSWORD
+            - name: SMTP_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: password
+                  key: password
-        - name: SMTP_FROM_EMAIL
+            - name: SMTP_FROM_EMAIL
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: from-address
+                  key: from-address
-        - name: SMTP_SECURE
+            - name: SMTP_SECURE
-          value: "false"
+              value: "false"
-        - name: FORCE_HTTPS
+            - name: FORCE_HTTPS
-          value: "true"
+              value: "true"
-        - name: DEFAULT_LANGUAGE
+            - name: DEFAULT_LANGUAGE
-          value: en_US
+              value: en_US
-        ports:
+          ports:
-        - containerPort: 3000
+            - containerPort: 3000
-          name: http
+              name: http
-          protocol: TCP
+              protocol: TCP
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /_health
+              path: /_health
-            port: http
+              port: http
-          initialDelaySeconds: 60
+            initialDelaySeconds: 60
-          periodSeconds: 30
+            periodSeconds: 30
-          timeoutSeconds: 10
+            timeoutSeconds: 10
-          failureThreshold: 5
+            failureThreshold: 5
-        readinessProbe:
+          readinessProbe:
-          httpGet:
+            httpGet:
-            path: /_health
+              path: /_health
-            port: http
+              port: http
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 10
+            periodSeconds: 10
-          timeoutSeconds: 5
+            timeoutSeconds: 5
-          failureThreshold: 3
+            failureThreshold: 3
-        resources:
+          resources:
-          limits:
+            limits:
-            cpu: "1"
+              cpu: "1"
-            memory: 1Gi
+              memory: 1Gi
-          requests:
+            requests:
-            cpu: 100m
+              cpu: 100m
-            memory: 256Mi
+              memory: 256Mi
      volumes: []
 ---
 apiVersion: apps/v1
@@ -197,51 +197,51 @@ spec:
        app.kubernetes.io/name: redis
    spec:
      containers:
-      - name: redis
+        - name: redis
-        image: redis:7-alpine
+          image: redis:7-alpine
-        imagePullPolicy: IfNotPresent
+          imagePullPolicy: IfNotPresent
-        command:
+          command:
-        - redis-server
+            - redis-server
-        - --appendonly
+            - --appendonly
-        - "yes"
+            - "yes"
-        ports:
+          ports:
-        - containerPort: 6379
+            - containerPort: 6379
-          name: redis
+              name: redis
-          protocol: TCP
+              protocol: TCP
-        livenessProbe:
+          livenessProbe:
-          exec:
+            exec:
-            command:
+              command:
-            - sh
+                - sh
-            - -c
+                - -c
-            - redis-cli ping | grep PONG
+                - redis-cli ping | grep PONG
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 10
+            periodSeconds: 10
-          failureThreshold: 3
+            failureThreshold: 3
-          timeoutSeconds: 5
+            timeoutSeconds: 5
-        readinessProbe:
+          readinessProbe:
-          exec:
+            exec:
-            command:
+              command:
-            - sh
+                - sh
-            - -c
+                - -c
-            - redis-cli ping | grep PONG
+                - redis-cli ping | grep PONG
-          initialDelaySeconds: 5
+            initialDelaySeconds: 5
-          periodSeconds: 10
+            periodSeconds: 10
-          failureThreshold: 3
+            failureThreshold: 3
-          timeoutSeconds: 5
+            timeoutSeconds: 5
-        resources:
+          resources:
-          limits:
+            limits:
-            cpu: 250m
+              cpu: 250m
-            memory: 256Mi
+              memory: 256Mi
-          requests:
+            requests:
-            cpu: 50m
+              cpu: 50m
-            memory: 64Mi
+              memory: 64Mi
-        volumeMounts:
+          volumeMounts:
-        - name: data
+            - name: data
-          mountPath: /data
+              mountPath: /data
      volumes:
-      - name: data
+        - name: data
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: outline-redis
+            claimName: outline-redis
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -266,64 +266,64 @@ spec:
        app.kubernetes.io/name: minio
    spec:
      containers:
-      - name: minio
+        - name: minio
-        image: minio/minio:latest
+          image: minio/minio:latest
-        imagePullPolicy: IfNotPresent
+          imagePullPolicy: IfNotPresent
-        command:
+          command:
-        - minio
+            - minio
-        - server
+            - server
-        - /data
+            - /data
-        - --console-address
+            - --console-address
-        - ":9001"
+            - ":9001"
-        env:
+          env:
-        - name: MINIO_ROOT_USER
+            - name: MINIO_ROOT_USER
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: outline-minio
+                  name: outline-minio
-              key: root-user
+                  key: root-user
-        - name: MINIO_ROOT_PASSWORD
+            - name: MINIO_ROOT_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: outline-minio
+                  name: outline-minio
-              key: root-password
+                  key: root-password
-        ports:
+          ports:
-        - containerPort: 9000
+            - containerPort: 9000
-          name: api
+              name: api
-          protocol: TCP
+              protocol: TCP
-        - containerPort: 9001
+            - containerPort: 9001
-          name: console
+              name: console
-          protocol: TCP
+              protocol: TCP
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /minio/health/live
+              path: /minio/health/live
-            port: api
+              port: api
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 30
+            periodSeconds: 30
-          timeoutSeconds: 10
+            timeoutSeconds: 10
-          failureThreshold: 3
+            failureThreshold: 3
-        readinessProbe:
+          readinessProbe:
-          httpGet:
+            httpGet:
-            path: /minio/health/ready
+              path: /minio/health/ready
-            port: api
+              port: api
-          initialDelaySeconds: 10
+            initialDelaySeconds: 10
-          periodSeconds: 10
+            periodSeconds: 10
-          timeoutSeconds: 5
+            timeoutSeconds: 5
-          failureThreshold: 3
+            failureThreshold: 3
-        resources:
+          resources:
-          limits:
+            limits:
-            cpu: 500m
+              cpu: 500m
-            memory: 512Mi
+              memory: 512Mi
-          requests:
+            requests:
-            cpu: 100m
+              cpu: 100m
-            memory: 128Mi
+              memory: 128Mi
-        volumeMounts:
+          volumeMounts:
-        - name: data
+            - name: data
-          mountPath: /data
+              mountPath: /data
      volumes:
-      - name: data
+        - name: data
-        hostPath:
+          hostPath:
-          path: /mnt/4_hdd/data/outline/minio
+            path: /mnt/4_hdd/data/outline/minio
-          type: DirectoryOrCreate
+            type: DirectoryOrCreate
 ---
 apiVersion: v1
 kind: Service
@@ -337,10 +337,10 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: http
+    - name: http
-    port: 3000
+      port: 3000
-    protocol: TCP
+      protocol: TCP
-    targetPort: http
+      targetPort: http
  selector:
    app.kubernetes.io/instance: outline
    app.kubernetes.io/name: outline
@@ -356,10 +356,10 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: redis
+    - name: redis
-    port: 6379
+      port: 6379
-    protocol: TCP
+      protocol: TCP
-    targetPort: redis
+      targetPort: redis
  selector:
    app.kubernetes.io/instance: outline
    app.kubernetes.io/name: redis
@@ -375,14 +375,14 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: api
+    - name: api
-    port: 9000
+      port: 9000
-    protocol: TCP
+      protocol: TCP
-    targetPort: api
+      targetPort: api
-  - name: console
+    - name: console
-    port: 9001
+      port: 9001
-    protocol: TCP
+      protocol: TCP
-    targetPort: console
+      targetPort: console
  selector:
    app.kubernetes.io/instance: outline
    app.kubernetes.io/name: minio
@@ -399,7 +399,7 @@ metadata:
      proxy_hide_header X-Frame-Options;
      proxy_hide_header Content-Security-Policy;
      add_header X-Frame-Options "ALLOW-FROM https://orsi.dooplex.hu" always;
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
  labels:
@@ -410,30 +410,30 @@ metadata:
 spec:
  ingressClassName: nginx-internal
  rules:
-  - host: outline.dooplex.hu
+    - host: outline.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: outline
+                name: outline
-            port:
+                port:
-              number: 3000
+                  number: 3000
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
-  - host: outline.home
+    - host: outline.home
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: outline
+                name: outline
-            port:
+                port:
-              number: 3000
+                  number: 3000
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
  tls:
-  - hosts:
+    - hosts:
-    - outline.dooplex.hu
+        - outline.dooplex.hu
-    secretName: outline-tls
+      secretName: outline-tls
 ---
 # Add MinIO Ingress
 apiVersion: networking.k8s.io/v1
@@ -450,20 +450,20 @@ metadata:
 spec:
  ingressClassName: nginx-internal
  rules:
-  - host: outline-minio.dooplex.hu
+    - host: outline-minio.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: outline-minio
+                name: outline-minio
-            port:
+                port:
-              number: 9000
+                  number: 9000
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
  tls:
-  - hosts:
+    - hosts:
-    - outline-minio.dooplex.hu
+        - outline-minio.dooplex.hu
-    secretName: outline-minio-tls
+      secretName: outline-minio-tls
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -475,7 +475,7 @@ metadata:
  namespace: outline-system
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
@@ -344,7 +344,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
  labels:
@@ -42,62 +42,62 @@ spec:
        app.kubernetes.io/name: plantit-db
    spec:
      containers:
-      - name: mysql
+        - name: mysql
-        image: mysql:8.0
+          image: mysql:8.0
-        env:
+          env:
-        - name: MYSQL_ROOT_PASSWORD
+            - name: MYSQL_ROOT_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: plantit-db
+                  name: plantit-db
-              key: root-password
+                  key: root-password
-        - name: MYSQL_DATABASE
+            - name: MYSQL_DATABASE
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: plantit-db
+                  name: plantit-db
-              key: database
+                  key: database
-        - name: MYSQL_USER
+            - name: MYSQL_USER
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: plantit-db
+                  name: plantit-db
-              key: username
+                  key: username
-        - name: MYSQL_PASSWORD
+            - name: MYSQL_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: plantit-db
+                  name: plantit-db
-              key: password
+                  key: password
-        ports:
+          ports:
-        - containerPort: 3306
+            - containerPort: 3306
-          name: mysql
+              name: mysql
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 100m
+              cpu: 100m
-            memory: 256Mi
+              memory: 256Mi
-          limits:
+            limits:
-            cpu: 500m
+              cpu: 500m
-            memory: 512Mi
+              memory: 512Mi
-        volumeMounts:
+          volumeMounts:
-        - name: data
+            - name: data
-          mountPath: /var/lib/mysql
+              mountPath: /var/lib/mysql
-        livenessProbe:
+          livenessProbe:
-          exec:
+            exec:
-            command:
+              command:
-            - sh
+                - sh
-            - -c
+                - -c
-            - mysqladmin ping -u root -p$MYSQL_ROOT_PASSWORD
+                - mysqladmin ping -u root -p$MYSQL_ROOT_PASSWORD
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 10
+            periodSeconds: 10
-        readinessProbe:
+          readinessProbe:
-          exec:
+            exec:
-            command:
+              command:
-            - sh
+                - sh
-            - -c
+                - -c
-            - mysqladmin ping -u root -p$MYSQL_ROOT_PASSWORD
+                - mysqladmin ping -u root -p$MYSQL_ROOT_PASSWORD
-          initialDelaySeconds: 10
+            initialDelaySeconds: 10
-          periodSeconds: 5
+            periodSeconds: 5
      volumes:
-      - name: data
+        - name: data
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: plantit-db
+            claimName: plantit-db
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -120,18 +120,18 @@ spec:
        app.kubernetes.io/name: plantit-cache
    spec:
      containers:
-      - name: redis
+        - name: redis
-        image: redis:7.2.1
+          image: redis:7.2.1
-        ports:
+          ports:
-        - containerPort: 6379
+            - containerPort: 6379
-          name: redis
+              name: redis
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 50m
+              cpu: 50m
-            memory: 64Mi
+              memory: 64Mi
-          limits:
+            limits:
-            cpu: 200m
+              cpu: 200m
-            memory: 128Mi
+              memory: 128Mi
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -158,91 +158,91 @@ spec:
        app.kubernetes.io/version: "1.0.0"
    spec:
      containers:
-      - name: plantit
+        - name: plantit
-        image: msdeluise/plant-it-server:0.10.0
+          image: msdeluise/plant-it-server:0.10.0
-        env:
+          env:
-        # Database
+            # Database
-        - name: MYSQL_HOST
+            - name: MYSQL_HOST
-          value: "plantit-db"
+              value: "plantit-db"
-        - name: MYSQL_PORT
+            - name: MYSQL_PORT
-          value: "3306"
+              value: "3306"
-        - name: MYSQL_DATABASE
+            - name: MYSQL_DATABASE
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: plantit-db
+                  name: plantit-db
-              key: database
+                  key: database
-        - name: MYSQL_USERNAME
+            - name: MYSQL_USERNAME
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: plantit-db
+                  name: plantit-db
-              key: username
+                  key: username
-        - name: MYSQL_PSW
+            - name: MYSQL_PSW
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: plantit-db
+                  name: plantit-db
-              key: password
+                  key: password
-        # JWT
+            # JWT
-        - name: JWT_SECRET
+            - name: JWT_SECRET
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: plantit-app
+                  name: plantit-app
-              key: jwt-secret
+                  key: jwt-secret
-        - name: JWT_EXP
+            - name: JWT_EXP
-          value: "1"
+              value: "1"
-        # Server config
+            # Server config
-        - name: API_PORT
+            - name: API_PORT
-          value: "8080"
+              value: "8080"
-        - name: USERS_LIMIT
+            - name: USERS_LIMIT
-          value: "-1"
+              value: "-1"
-        - name: UPLOAD_DIR
+            - name: UPLOAD_DIR
-          value: "/upload-dir"
+              value: "/upload-dir"
-        - name: LOG_LEVEL
+            - name: LOG_LEVEL
-          value: "INFO"
+              value: "INFO"
-        - name: ALLOWED_ORIGINS
+            - name: ALLOWED_ORIGINS
-          value: "*"
+              value: "*"
-        # Cache
+            # Cache
-        - name: CACHE_TYPE
+            - name: CACHE_TYPE
-          value: "redis"
+              value: "redis"
-        - name: CACHE_TTL
+            - name: CACHE_TTL
-          value: "86400"
+              value: "86400"
-        - name: CACHE_HOST
+            - name: CACHE_HOST
-          value: "plantit-cache"
+              value: "plantit-cache"
-        - name: CACHE_PORT
+            - name: CACHE_PORT
-          value: "6379"
+              value: "6379"
-        # FloraCodex API key (optional)
+            # FloraCodex API key (optional)
-        - name: FLORACODEX_KEY
+            - name: FLORACODEX_KEY
-          value: ""
+              value: ""
-        ports:
+          ports:
-        - containerPort: 8080
+            - containerPort: 8080
-          name: api
+              name: api
-        - containerPort: 3000
+            - containerPort: 3000
-          name: frontend
+              name: frontend
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 100m
+              cpu: 100m
-            memory: 256Mi
+              memory: 256Mi
-          limits:
+            limits:
-            cpu: 500m
+              cpu: 500m
-            memory: 512Mi
+              memory: 512Mi
-        volumeMounts:
+          volumeMounts:
-        - name: uploads
+            - name: uploads
-          mountPath: /upload-dir
+              mountPath: /upload-dir
-        readinessProbe:
+          readinessProbe:
-          tcpSocket:
+            tcpSocket:
-            port: 8080
+              port: 8080
-          initialDelaySeconds: 90
+            initialDelaySeconds: 90
-          periodSeconds: 10
+            periodSeconds: 10
-          failureThreshold: 6
+            failureThreshold: 6
-        livenessProbe:
+          livenessProbe:
-          tcpSocket:
+            tcpSocket:
-            port: 8080
+              port: 8080
-          initialDelaySeconds: 120
+            initialDelaySeconds: 120
-          periodSeconds: 30
+            periodSeconds: 30
-          failureThreshold: 5
+            failureThreshold: 5
      volumes:
-      - name: uploads
+        - name: uploads
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: plantit-uploads
+            claimName: plantit-uploads
 ---
 apiVersion: v1
 kind: Service
@@ -255,9 +255,9 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: mysql
+    - name: mysql
-    port: 3306
+      port: 3306
-    targetPort: mysql
+      targetPort: mysql
  selector:
    app.kubernetes.io/instance: plantit
    app.kubernetes.io/name: plantit-db
@@ -273,9 +273,9 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: redis
+    - name: redis
-    port: 6379
+      port: 6379
-    targetPort: redis
+      targetPort: redis
  selector:
    app.kubernetes.io/instance: plantit
    app.kubernetes.io/name: plantit-cache
@@ -291,12 +291,12 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: frontend
+    - name: frontend
-    port: 3000
+      port: 3000
-    targetPort: frontend
+      targetPort: frontend
-  - name: api
+    - name: api
-    port: 8080
+      port: 8080
-    targetPort: api
+      targetPort: api
  selector:
    app.kubernetes.io/instance: plantit
    app.kubernetes.io/name: plantit
@@ -321,50 +321,50 @@ metadata:
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
  ingressClassName: nginx-internal
  rules:
-  - host: plantit.dooplex.hu
+    - host: plantit.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: plantit
+                name: plantit
-            port:
+                port:
-              number: 3000
+                  number: 3000
-      - path: /api
+          - path: /api
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: plantit
+                name: plantit
-            port:
+                port:
-              number: 8080
+                  number: 8080
-  - host: plantit.home
+    - host: plantit.home
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: plantit
+                name: plantit
-            port:
+                port:
-              number: 3000
+                  number: 3000
-      - path: /api
+          - path: /api
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: plantit
+                name: plantit
-            port:
+                port:
-              number: 8080
+                  number: 8080
  tls:
-  - hosts:
+    - hosts:
-    - plantit.dooplex.hu
+        - plantit.dooplex.hu
-    secretName: plantit-tls
+      secretName: plantit-tls
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -378,7 +378,7 @@ metadata:
    recurring-job.longhorn.io/source: enabled
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
@@ -396,7 +396,7 @@ metadata:
    recurring-job.longhorn.io/source: enabled
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
@@ -372,7 +372,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
    nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "32k"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
@@ -29,172 +29,172 @@ spec:
        app.kubernetes.io/version: 2.3.6
    spec:
      initContainers:
-      - name: create-superuser
+        - name: create-superuser
-        image: vabene1111/recipes:2.3.6
+          image: vabene1111/recipes:2.3.6
-        workingDir: /opt/recipes
+          workingDir: /opt/recipes
-        command:
+          command:
-        - /bin/sh
+            - /bin/sh
-        - -c
+            - -c
-        - |
+            - |
-          . /opt/recipes/venv/bin/activate
+              . /opt/recipes/venv/bin/activate
-          echo "Waiting for database..."
+              echo "Waiting for database..."
-          while ! python -c "import socket; socket.create_connection(('postgresql-rw.database-system.svc.cluster.local', 5432), timeout=5)" 2>/dev/null; do
+              while ! python -c "import socket; socket.create_connection(('postgresql-rw.database-system.svc.cluster.local', 5432), timeout=5)" 2>/dev/null; do
-            sleep 2
+                sleep 2
-          done
+              done
-          echo "Database is ready. Running migrations..."
+              echo "Database is ready. Running migrations..."
-          python manage.py migrate --noinput
+              python manage.py migrate --noinput
-          echo "Collecting static files..."
+              echo "Collecting static files..."
-          python manage.py collectstatic --noinput
+              python manage.py collectstatic --noinput
-          echo "Creating superuser if not exists..."
+              echo "Creating superuser if not exists..."
-          python manage.py shell -c "
+              python manage.py shell -c "
-          from django.contrib.auth import get_user_model
+              from django.contrib.auth import get_user_model
-          User = get_user_model()
+              User = get_user_model()
-          import os
+              import os
-          username = os.environ.get('DJANGO_SUPERUSER_USERNAME', 'admin')
+              username = os.environ.get('DJANGO_SUPERUSER_USERNAME', 'admin')
-          if not User.objects.filter(username=username).exists():
+              if not User.objects.filter(username=username).exists():
-              User.objects.create_superuser(
+                  User.objects.create_superuser(
-                  username=username,
+                      username=username,
-                  email=os.environ.get('DJANGO_SUPERUSER_EMAIL', ''),
+                      email=os.environ.get('DJANGO_SUPERUSER_EMAIL', ''),
-                  password=os.environ.get('DJANGO_SUPERUSER_PASSWORD', 'admin')
+                      password=os.environ.get('DJANGO_SUPERUSER_PASSWORD', 'admin')
-              )
+                  )
-              print(f'Superuser {username} created successfully')
+                  print(f'Superuser {username} created successfully')
-          else:
+              else:
-              print(f'Superuser {username} already exists')
+                  print(f'Superuser {username} already exists')
-          "
+              "
-        volumeMounts:
+          volumeMounts:
-        - name: staticfiles
+            - name: staticfiles
-          mountPath: /opt/recipes/staticfiles
+              mountPath: /opt/recipes/staticfiles
-        env:
+          env:
-        - name: DB_ENGINE
+            - name: DB_ENGINE
-          value: django.db.backends.postgresql
+              value: django.db.backends.postgresql
-        # Database - using shared PostgreSQL in database-system namespace
+            # Database - using shared PostgreSQL in database-system namespace
-        - name: POSTGRES_HOST
+            - name: POSTGRES_HOST
-          value: postgresql-rw.database-system.svc.cluster.local
+              value: postgresql-rw.database-system.svc.cluster.local
-        - name: POSTGRES_PORT
+            - name: POSTGRES_PORT
-          value: "5432"
+              value: "5432"
-        - name: POSTGRES_DB
+            - name: POSTGRES_DB
-          value: tandoor
+              value: tandoor
-        - name: POSTGRES_USER
+            - name: POSTGRES_USER
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: tandoor-db
+                  name: tandoor-db
-              key: username
+                  key: username
-        - name: POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: tandoor-db
+                  name: tandoor-db
-              key: password
+                  key: password
-        - name: SECRET_KEY
+            - name: SECRET_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: tandoor-app
+                  name: tandoor-app
-              key: secret-key
+                  key: secret-key
-        - name: DJANGO_SUPERUSER_USERNAME
+            - name: DJANGO_SUPERUSER_USERNAME
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: tandoor-admin
+                  name: tandoor-admin
-              key: username
+                  key: username
-        - name: DJANGO_SUPERUSER_PASSWORD
+            - name: DJANGO_SUPERUSER_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: tandoor-admin
+                  name: tandoor-admin
-              key: password
+                  key: password
-        - name: DJANGO_SUPERUSER_EMAIL
+            - name: DJANGO_SUPERUSER_EMAIL
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: tandoor-admin
+                  name: tandoor-admin
-              key: email
+                  key: email
      containers:
-      - name: tandoor
+        - name: tandoor
-        image: vabene1111/recipes:2.3.6
+          image: vabene1111/recipes:2.3.6
-        imagePullPolicy: IfNotPresent
+          imagePullPolicy: IfNotPresent
-        env:
+          env:
-        - name: TZ
+            - name: TZ
-          value: Europe/Budapest
+              value: Europe/Budapest
-        - name: DEBUG
+            - name: DEBUG
-          value: "0"
+              value: "0"
-        - name: ALLOWED_HOSTS
+            - name: ALLOWED_HOSTS
-          value: "*"
+              value: "*"
-        - name: CSRF_TRUSTED_ORIGINS
+            - name: CSRF_TRUSTED_ORIGINS
-          value: "https://tandoor.dooplex.hu,https://tandoor.home"
+              value: "https://tandoor.dooplex.hu,https://tandoor.home"
-        - name: SECURE_PROXY_SSL_HEADER
+            - name: SECURE_PROXY_SSL_HEADER
-          value: "HTTP_X_FORWARDED_PROTO,https"
+              value: "HTTP_X_FORWARDED_PROTO,https"
-        - name: DB_ENGINE
+            - name: DB_ENGINE
-          value: django.db.backends.postgresql
+              value: django.db.backends.postgresql
-        # Database - using shared PostgreSQL in database-system namespace
+            # Database - using shared PostgreSQL in database-system namespace
-        - name: POSTGRES_HOST
+            - name: POSTGRES_HOST
-          value: postgresql-rw.database-system.svc.cluster.local
+              value: postgresql-rw.database-system.svc.cluster.local
-        - name: POSTGRES_PORT
+            - name: POSTGRES_PORT
-          value: "5432"
+              value: "5432"
-        - name: POSTGRES_DB
+            - name: POSTGRES_DB
-          value: tandoor
+              value: tandoor
-        - name: POSTGRES_USER
+            - name: POSTGRES_USER
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: tandoor-db
+                  name: tandoor-db
-              key: username
+                  key: username
-        - name: POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: tandoor-db
+                  name: tandoor-db
-              key: password
+                  key: password
-        - name: SECRET_KEY
+            - name: SECRET_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: tandoor-app
+                  name: tandoor-app
-              key: secret-key
+                  key: secret-key
-        - name: GUNICORN_MEDIA
+            - name: GUNICORN_MEDIA
-          value: "1"
+              value: "1"
-        - name: ENABLE_SIGNUP
+            - name: ENABLE_SIGNUP
-          value: "0"
+              value: "0"
-        - name: ENABLE_METRICS
+            - name: ENABLE_METRICS
-          value: "1"
+              value: "1"
-        - name: TANDOOR_PORT
+            - name: TANDOOR_PORT
-          value: "8080"
+              value: "8080"
-        - name: SOCIAL_PROVIDERS
+            - name: SOCIAL_PROVIDERS
-          value: "allauth.socialaccount.providers.openid_connect"
+              value: "allauth.socialaccount.providers.openid_connect"
-        - name: SOCIALACCOUNT_PROVIDERS
+            - name: SOCIALACCOUNT_PROVIDERS
-          value: '{"openid_connect":{"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"y7Mv9stcPZYAGz5QQyzFO9KBFjXHG6OWhLNWPMHL","secret":"tSbRKbfnUigzibKaJpAAwJoF8JLXazssydS6WLoAGCD3hGqZ3ceK5SUvSAEcncQCImZaMmsepO3zwfgIO3huA4GRCHS5NzLGm0L2Ifz60PGKW0htr54u12pWOUBJc6dG","settings":{"server_url":"https://authentik.dooplex.hu/application/o/tandoor/.well-known/openid-configuration"}}]}}'
+              value: '{"openid_connect":{"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"y7Mv9stcPZYAGz5QQyzFO9KBFjXHG6OWhLNWPMHL","secret":"tSbRKbfnUigzibKaJpAAwJoF8JLXazssydS6WLoAGCD3hGqZ3ceK5SUvSAEcncQCImZaMmsepO3zwfgIO3huA4GRCHS5NzLGm0L2Ifz60PGKW0htr54u12pWOUBJc6dG","settings":{"server_url":"https://authentik.dooplex.hu/application/o/tandoor/.well-known/openid-configuration"}}]}}'
-        ports:
+          ports:
-        - containerPort: 8080
+            - containerPort: 8080
-          name: http
+              name: http
-          protocol: TCP
+              protocol: TCP
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /
+              path: /
-            port: http
+              port: http
-          initialDelaySeconds: 60
+            initialDelaySeconds: 60
-          periodSeconds: 30
+            periodSeconds: 30
-          timeoutSeconds: 10
+            timeoutSeconds: 10
-          failureThreshold: 5
+            failureThreshold: 5
-        readinessProbe:
+          readinessProbe:
-          httpGet:
+            httpGet:
-            path: /
+              path: /
-            port: http
+              port: http
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 10
+            periodSeconds: 10
-          timeoutSeconds: 5
+            timeoutSeconds: 5
-          failureThreshold: 3
+            failureThreshold: 3
-        resources:
+          resources:
-          limits:
+            limits:
-            cpu: "1"
+              cpu: "1"
-            memory: 1Gi
+              memory: 1Gi
-          requests:
+            requests:
-            cpu: 100m
+              cpu: 100m
-            memory: 256Mi
+              memory: 256Mi
-        volumeMounts:
+          volumeMounts:
-        - name: staticfiles
+            - name: staticfiles
-          mountPath: /opt/recipes/staticfiles
+              mountPath: /opt/recipes/staticfiles
-        - name: mediafiles
+            - name: mediafiles
-          mountPath: /opt/recipes/mediafiles
+              mountPath: /opt/recipes/mediafiles
      volumes:
-      - name: staticfiles
+        - name: staticfiles
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: tandoor-staticfiles
+            claimName: tandoor-staticfiles
-      - name: mediafiles
+        - name: mediafiles
-        hostPath:
+          hostPath:
-          path: /mnt/4_hdd/data/tandoor/mediafiles
+            path: /mnt/4_hdd/data/tandoor/mediafiles
-          type: DirectoryOrCreate
+            type: DirectoryOrCreate
 ---
 apiVersion: v1
 kind: Service
@@ -208,10 +208,10 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: http
+    - name: http
-    port: 8080
+      port: 8080
-    protocol: TCP
+      protocol: TCP
-    targetPort: http
+      targetPort: http
  selector:
    app.kubernetes.io/instance: tandoor
    app.kubernetes.io/name: tandoor
@@ -225,7 +225,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-body-size: 128m
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
  labels:
@@ -236,30 +236,30 @@ metadata:
 spec:
  ingressClassName: nginx-internal
  rules:
-  - host: tandoor.dooplex.hu
+    - host: tandoor.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: tandoor
+                name: tandoor
-            port:
+                port:
-              number: 8080
+                  number: 8080
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
-  - host: tandoor.home
+    - host: tandoor.home
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: tandoor
+                name: tandoor
-            port:
+                port:
-              number: 8080
+                  number: 8080
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
  tls:
-  - hosts:
+    - hosts:
-    - tandoor.dooplex.hu
+        - tandoor.dooplex.hu
-    secretName: tandoor-tls
+      secretName: tandoor-tls
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -271,7 +271,7 @@ metadata:
  namespace: tandoor-system
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
@@ -120,7 +120,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
@@ -29,48 +29,48 @@ spec:
        app.kubernetes.io/version: 2.0.2
    spec:
      containers:
-      - name: uptimekuma
+        - name: uptimekuma
-        image: louislam/uptime-kuma:2.0.2
+          image: louislam/uptime-kuma:2.0.2
-        imagePullPolicy: IfNotPresent
+          imagePullPolicy: IfNotPresent
-        env:
+          env:
-        - name: TZ
+            - name: TZ
-          value: Europe/Budapest
+              value: Europe/Budapest
-        - name: UPTIME_KUMA_PORT
+            - name: UPTIME_KUMA_PORT
-          value: "3001"
+              value: "3001"
-        ports:
+          ports:
-        - containerPort: 3001
+            - containerPort: 3001
-          name: http
+              name: http
-          protocol: TCP
+              protocol: TCP
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /
+              path: /
-            port: http
+              port: http
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 30
+            periodSeconds: 30
-          timeoutSeconds: 10
+            timeoutSeconds: 10
-          failureThreshold: 3
+            failureThreshold: 3
-        readinessProbe:
+          readinessProbe:
-          httpGet:
+            httpGet:
-            path: /
+              path: /
-            port: http
+              port: http
-          initialDelaySeconds: 10
+            initialDelaySeconds: 10
-          periodSeconds: 10
+            periodSeconds: 10
-          timeoutSeconds: 5
+            timeoutSeconds: 5
-          failureThreshold: 3
+            failureThreshold: 3
-        resources:
+          resources:
-          limits:
+            limits:
-            cpu: 500m
+              cpu: 500m
-            memory: 512Mi
+              memory: 512Mi
-          requests:
+            requests:
-            cpu: 50m
+              cpu: 50m
-            memory: 128Mi
+              memory: 128Mi
-        volumeMounts:
+          volumeMounts:
-        - name: data
+            - name: data
-          mountPath: /app/data
+              mountPath: /app/data
      volumes:
-      - name: data
+        - name: data
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: uptimekuma-data
+            claimName: uptimekuma-data
 ---
 apiVersion: v1
 kind: Service
@@ -84,10 +84,10 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: http
+    - name: http
-    port: 3001
+      port: 3001
-    protocol: TCP
+      protocol: TCP
-    targetPort: http
+      targetPort: http
  selector:
    app.kubernetes.io/instance: uptimekuma
    app.kubernetes.io/name: uptimekuma
@@ -110,7 +110,7 @@ metadata:
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
  labels:
@@ -121,30 +121,30 @@ metadata:
 spec:
  ingressClassName: nginx-internal
  rules:
-  - host: uptimekuma.dooplex.hu
+    - host: uptimekuma.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: uptimekuma
+                name: uptimekuma
-            port:
+                port:
-              number: 3001
+                  number: 3001
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
-  - host: uptimekuma.home
+    - host: uptimekuma.home
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: uptimekuma
+                name: uptimekuma
-            port:
+                port:
-              number: 3001
+                  number: 3001
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
  tls:
-  - hosts:
+    - hosts:
-    - uptimekuma.dooplex.hu
+        - uptimekuma.dooplex.hu
-    secretName: uptimekuma-tls
+      secretName: uptimekuma-tls
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -156,7 +156,7 @@ metadata:
  namespace: uptimekuma-system
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
@@ -27,112 +27,112 @@ spec:
        app.kubernetes.io/name: vaultwarden
    spec:
      containers:
-      - name: vaultwarden
+        - name: vaultwarden
-        image: vaultwarden/server:1.35.2
+          image: vaultwarden/server:1.35.2
-        imagePullPolicy: IfNotPresent
+          imagePullPolicy: IfNotPresent
-        env:
+          env:
-        - name: TZ
+            - name: TZ
-          value: Europe/Budapest
+              value: Europe/Budapest
-        - name: DOMAIN
+            - name: DOMAIN
-          value: https://vaultwarden.dooplex.hu
+              value: https://vaultwarden.dooplex.hu
-        - name: SIGNUPS_ALLOWED
+            - name: SIGNUPS_ALLOWED
-          value: "false"
+              value: "false"
-        - name: INVITATIONS_ALLOWED
+            - name: INVITATIONS_ALLOWED
-          value: "true"
+              value: "true"
-        - name: ADMIN_TOKEN
+            - name: ADMIN_TOKEN
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: vaultwarden-admin
+                  name: vaultwarden-admin
-              key: admin-token
+                  key: admin-token
-        - name: WEBSOCKET_ENABLED
+            - name: WEBSOCKET_ENABLED
-          value: "true"
+              value: "true"
-        - name: SMTP_HOST
+            - name: SMTP_HOST
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: host
+                  key: host
-        - name: SMTP_PORT
+            - name: SMTP_PORT
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: port
+                  key: port
-        - name: SMTP_SECURITY
+            - name: SMTP_SECURITY
-          value: starttls
+              value: starttls
-        - name: SMTP_USERNAME
+            - name: SMTP_USERNAME
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: username
+                  key: username
-        - name: SMTP_PASSWORD
+            - name: SMTP_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: password
+                  key: password
-        - name: SMTP_FROM
+            - name: SMTP_FROM
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: smtp-credentials
+                  name: smtp-credentials
-              key: from-address
+                  key: from-address
-        - name: SMTP_FROM_NAME
+            - name: SMTP_FROM_NAME
-          value: Vaultwarden
+              value: Vaultwarden
-        - name: SSO_ENABLED
+            - name: SSO_ENABLED
-          value: "true"
+              value: "true"
-        - name: SSO_AUTHORITY
+            - name: SSO_AUTHORITY
-          value: "https://authentik.dooplex.hu/application/o/vaultwarden/"
+              value: "https://authentik.dooplex.hu/application/o/vaultwarden/"
-        - name: SSO_CLIENT_ID
+            - name: SSO_CLIENT_ID
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: vaultwarden-oauth
+                  name: vaultwarden-oauth
-              key: client-id
+                  key: client-id
-        - name: SSO_CLIENT_SECRET
+            - name: SSO_CLIENT_SECRET
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: vaultwarden-oauth
+                  name: vaultwarden-oauth
-              key: client-secret
+                  key: client-secret
-        - name: SSO_SCOPES
+            - name: SSO_SCOPES
-          value: "openid email profile offline_access"
+              value: "openid email profile offline_access"
-        - name: SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION
+            - name: SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION
-          value: "false"
+              value: "false"
-        - name: SSO_CLIENT_CACHE_EXPIRATION
+            - name: SSO_CLIENT_CACHE_EXPIRATION
-          value: "0"
+              value: "0"
-        - name: SSO_ONLY
+            - name: SSO_ONLY
-          value: "false"  # Set to true to disable email+password login
+              value: "false" # Set to true to disable email+password login
-        - name: SSO_SIGNUPS_MATCH_EMAIL
+            - name: SSO_SIGNUPS_MATCH_EMAIL
-          value: "true"
+              value: "true"
-        ports:
+          ports:
-        - containerPort: 80
+            - containerPort: 80
-          name: http
+              name: http
-          protocol: TCP
+              protocol: TCP
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /alive
+              path: /alive
-            port: http
+              port: http
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 30
+            periodSeconds: 30
-          timeoutSeconds: 10
+            timeoutSeconds: 10
-          failureThreshold: 3
+            failureThreshold: 3
-        readinessProbe:
+          readinessProbe:
-          httpGet:
+            httpGet:
-            path: /alive
+              path: /alive
-            port: http
+              port: http
-          initialDelaySeconds: 10
+            initialDelaySeconds: 10
-          periodSeconds: 10
+            periodSeconds: 10
-          timeoutSeconds: 5
+            timeoutSeconds: 5
-          failureThreshold: 3
+            failureThreshold: 3
-        resources:
+          resources:
-          limits:
+            limits:
-            cpu: 500m
+              cpu: 500m
-            memory: 512Mi
+              memory: 512Mi
-          requests:
+            requests:
-            cpu: 50m
+              cpu: 50m
-            memory: 128Mi
+              memory: 128Mi
-        volumeMounts:
+          volumeMounts:
-        - name: data
+            - name: data
-          mountPath: /data
+              mountPath: /data
      volumes:
-      - name: data
+        - name: data
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: vaultwarden-data
+            claimName: vaultwarden-data
 ---
 apiVersion: v1
 kind: Service
@@ -145,10 +145,10 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: http
+    - name: http
-    port: 80
+      port: 80
-    protocol: TCP
+      protocol: TCP
-    targetPort: http
+      targetPort: http
  selector:
    app.kubernetes.io/instance: vaultwarden
    app.kubernetes.io/name: vaultwarden
@@ -162,7 +162,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-body-size: 100m
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
  labels:
@@ -173,30 +173,30 @@ metadata:
 spec:
  ingressClassName: nginx-internal
  rules:
-  - host: vaultwarden.dooplex.hu
+    - host: vaultwarden.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: vaultwarden
+                name: vaultwarden
-            port:
+                port:
-              number: 80
+                  number: 80
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
-  - host: vaultwarden.home
+    - host: vaultwarden.home
-    http:
+      http:
-      paths:
+        paths:
-      - backend:
+          - backend:
-          service:
+              service:
-            name: vaultwarden
+                name: vaultwarden
-            port:
+                port:
-              number: 80
+                  number: 80
-        path: /
+            path: /
-        pathType: Prefix
+            pathType: Prefix
  tls:
-  - hosts:
+    - hosts:
-    - vaultwarden.dooplex.hu
+        - vaultwarden.dooplex.hu
-    secretName: vaultwarden-tls
+      secretName: vaultwarden-tls
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -208,7 +208,7 @@ metadata:
  namespace: vaultwarden-system
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
@@ -56,47 +56,47 @@ spec:
        app.kubernetes.io/name: wanderer-meilisearch
    spec:
      containers:
-      - name: meilisearch
+        - name: meilisearch
-        image: getmeili/meilisearch:v1.11.3
+          image: getmeili/meilisearch:v1.11.3
-        env:
+          env:
-        - name: MEILI_MASTER_KEY
+            - name: MEILI_MASTER_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wanderer-app
+                  name: wanderer-app
-              key: meili-master-key
+                  key: meili-master-key
-        - name: MEILI_ENV
+            - name: MEILI_ENV
-          value: "production"
+              value: "production"
-        - name: MEILI_NO_ANALYTICS
+            - name: MEILI_NO_ANALYTICS
-          value: "true"
+              value: "true"
-        ports:
+          ports:
-        - containerPort: 7700
+            - containerPort: 7700
-          name: http
+              name: http
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 100m
+              cpu: 100m
-            memory: 256Mi
+              memory: 256Mi
-          limits:
+            limits:
-            cpu: 500m
+              cpu: 500m
-            memory: 512Mi
+              memory: 512Mi
-        volumeMounts:
+          volumeMounts:
-        - name: meili-data
+            - name: meili-data
-          mountPath: /meili_data
+              mountPath: /meili_data
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /health
+              path: /health
-            port: http
+              port: http
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 30
+            periodSeconds: 30
-        readinessProbe:
+          readinessProbe:
-          httpGet:
+            httpGet:
-            path: /health
+              path: /health
-            port: http
+              port: http
-          initialDelaySeconds: 10
+            initialDelaySeconds: 10
-          periodSeconds: 10
+            periodSeconds: 10
      volumes:
-      - name: meili-data
+        - name: meili-data
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: wanderer-meilisearch
+            claimName: wanderer-meilisearch
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -121,52 +121,52 @@ spec:
        app.kubernetes.io/name: wanderer-db
    spec:
      containers:
-      - name: pocketbase
+        - name: pocketbase
-        image: flomp/wanderer-db:v0.18.3
+          image: flomp/wanderer-db:v0.18.3
-        env:
+          env:
-        - name: ORIGIN
+            - name: ORIGIN
-          value: "https://wanderer.dooplex.hu"
+              value: "https://wanderer.dooplex.hu"
-        - name: MEILI_URL
+            - name: MEILI_URL
-          value: "http://wanderer-meilisearch:7700"
+              value: "http://wanderer-meilisearch:7700"
-        - name: MEILI_MASTER_KEY
+            - name: MEILI_MASTER_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wanderer-app
+                  name: wanderer-app
-              key: meili-master-key
+                  key: meili-master-key
-        - name: POCKETBASE_ENCRYPTION_KEY
+            - name: POCKETBASE_ENCRYPTION_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wanderer-app
+                  name: wanderer-app
-              key: pocketbase-encryption-key
+                  key: pocketbase-encryption-key
-        ports:
+          ports:
-        - containerPort: 8090
+            - containerPort: 8090
-          name: http
+              name: http
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 100m
+              cpu: 100m
-            memory: 128Mi
+              memory: 128Mi
-          limits:
+            limits:
-            cpu: 500m
+              cpu: 500m
-            memory: 512Mi
+              memory: 512Mi
-        volumeMounts:
+          volumeMounts:
-        - name: pb-data
+            - name: pb-data
-          mountPath: /pb_data
+              mountPath: /pb_data
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /api/health
+              path: /api/health
-            port: http
+              port: http
-          initialDelaySeconds: 30
+            initialDelaySeconds: 30
-          periodSeconds: 30
+            periodSeconds: 30
-        readinessProbe:
+          readinessProbe:
-          httpGet:
+            httpGet:
-            path: /api/health
+              path: /api/health
-            port: http
+              port: http
-          initialDelaySeconds: 10
+            initialDelaySeconds: 10
-          periodSeconds: 10
+            periodSeconds: 10
      volumes:
-      - name: pb-data
+        - name: pb-data
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: wanderer-db
+            claimName: wanderer-db
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -191,46 +191,46 @@ spec:
        app.kubernetes.io/name: wanderer-web
    spec:
      containers:
-      - name: wanderer-web
+        - name: wanderer-web
-        image: flomp/wanderer-web:v0.18.3
+          image: flomp/wanderer-web:v0.18.3
-        env:
+          env:
-        - name: NODE_TLS_REJECT_UNAUTHORIZED
+            - name: NODE_TLS_REJECT_UNAUTHORIZED
-          value: "0"
+              value: "0"
-        - name: NODE_OPTIONS
+            - name: NODE_OPTIONS
-          value: "--max-old-space-size=7168"
+              value: "--max-old-space-size=7168"
-        - name: ORIGIN
+            - name: ORIGIN
-          value: "https://wanderer.dooplex.hu"
+              value: "https://wanderer.dooplex.hu"
-        - name: POCKETBASE_URL
+            - name: POCKETBASE_URL
-          value: "http://wanderer-db:8090" 
+              value: "http://wanderer-db:8090"
-        - name: PUBLIC_POCKETBASE_URL
+            - name: PUBLIC_POCKETBASE_URL
-          value: "https://pb.wanderer.dooplex.hu"
+              value: "https://pb.wanderer.dooplex.hu"
-        - name: MEILI_URL
+            - name: MEILI_URL
-          value: "http://wanderer-meilisearch:7700"
+              value: "http://wanderer-meilisearch:7700"
-        - name: MEILI_MASTER_KEY
+            - name: MEILI_MASTER_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wanderer-app
+                  name: wanderer-app
-              key: meili-master-key
+                  key: meili-master-key
-        - name: PUBLIC_DISABLE_SIGNUP
+            - name: PUBLIC_DISABLE_SIGNUP
-          value: "true"
+              value: "true"
-        - name: BODY_SIZE_LIMIT
+            - name: BODY_SIZE_LIMIT
-          value: "Infinity"
+              value: "Infinity"
-        ports:
+          ports:
-        - containerPort: 3000
+            - containerPort: 3000
-          name: http
+              name: http
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 50m
+              cpu: 50m
-            memory: 64Mi
+              memory: 64Mi
-          limits:
+            limits:
-            memory: 8Gi
+              memory: 8Gi
-        readinessProbe:
+          readinessProbe:
-          tcpSocket:
+            tcpSocket:
-            port: 3000
+              port: 3000
-          initialDelaySeconds: 5
+            initialDelaySeconds: 5
-          periodSeconds: 10
+            periodSeconds: 10
-          timeoutSeconds: 1
+            timeoutSeconds: 1
-          failureThreshold: 3
+            failureThreshold: 3
 ---
 apiVersion: v1
 kind: Service
@@ -243,9 +243,9 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: http
+    - name: http
-    port: 7700
+      port: 7700
-    targetPort: http
+      targetPort: http
  selector:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-meilisearch
@@ -261,9 +261,9 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: http
+    - name: http
-    port: 8090
+      port: 8090
-    targetPort: http
+      targetPort: http
  selector:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-db
@@ -279,9 +279,9 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: http
+    - name: http
-    port: 3000
+      port: 3000
-    targetPort: http
+      targetPort: http
  selector:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-web
@@ -298,7 +298,7 @@ metadata:
    # optional, only if you actually use external-dns:
    external-dns.alpha.kubernetes.io/hostname: wanderer.dooplex.hu
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
@@ -360,7 +360,7 @@ metadata:
    recurring-job.longhorn.io/source: enabled
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
@@ -378,7 +378,7 @@ metadata:
    recurring-job.longhorn.io/source: enabled
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
@@ -245,7 +245,7 @@ metadata:
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
@@ -312,7 +312,7 @@ spec:
        # Create public directory if it doesn't exist
        - name: init-public-dir
          image: busybox:1.36
-          command: ['sh', '-c', 'mkdir -p /srv/public && chmod 755 /srv/public']
+          command: ["sh", "-c", "mkdir -p /srv/public && chmod 755 /srv/public"]
          volumeMounts:
            - name: data
              mountPath: /srv
@@ -474,7 +474,7 @@ metadata:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: web.dooplex.hu
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
@@ -44,18 +44,18 @@ spec:
        app.kubernetes.io/name: wger-redis
    spec:
      containers:
-      - name: redis
+        - name: redis
-        image: redis:7.2-alpine
+          image: redis:7.2-alpine
-        ports:
+          ports:
-        - containerPort: 6379
+            - containerPort: 6379
-          name: redis
+              name: redis
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 50m
+              cpu: 50m
-            memory: 64Mi
+              memory: 64Mi
-          limits:
+            limits:
-            cpu: 200m
+              cpu: 200m
-            memory: 128Mi
+              memory: 128Mi
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -82,158 +82,158 @@ spec:
      securityContext:
        fsGroup: 1000
      containers:
-      - name: nginx
+        - name: nginx
-        image: nginx:alpine
+          image: nginx:alpine
-        ports:
+          ports:
-        - containerPort: 80
+            - containerPort: 80
-          name: http
+              name: http
-        volumeMounts:
+          volumeMounts:
-        - name: static
+            - name: static
-          mountPath: /home/wger/static
+              mountPath: /home/wger/static
-          readOnly: true
+              readOnly: true
-        - name: media
+            - name: media
-          mountPath: /home/wger/media
+              mountPath: /home/wger/media
-          readOnly: true
+              readOnly: true
-        - name: nginx-config
+            - name: nginx-config
-          mountPath: /etc/nginx/conf.d/default.conf
+              mountPath: /etc/nginx/conf.d/default.conf
-          subPath: nginx.conf
+              subPath: nginx.conf
-      - name: wger
+        - name: wger
-        image: ghcr.io/kisfenyo/wger-oidc:latest
+          image: ghcr.io/kisfenyo/wger-oidc:latest
-        imagePullPolicy: Always
+          imagePullPolicy: Always
-        env:
+          env:
-        # Django settings
+            # Django settings
-        - name: SECRET_KEY
+            - name: SECRET_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wger-app
+                  name: wger-app
-              key: secret-key
+                  key: secret-key
-        - name: SIGNING_KEY
+            - name: SIGNING_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wger-app
+                  name: wger-app
-              key: signing-key
+                  key: signing-key
-        - name: DJANGO_DEBUG
+            - name: DJANGO_DEBUG
-          value: "False"
+              value: "False"
-        - name: WGER_INSTANCE
+            - name: WGER_INSTANCE
-          value: "https://workout.dooplex.hu"
+              value: "https://workout.dooplex.hu"
-        - name: TIME_ZONE
+            - name: TIME_ZONE
-          value: "Europe/Budapest"
+              value: "Europe/Budapest"
-        - name: DJANGO_SETTINGS_MODULE
+            - name: DJANGO_SETTINGS_MODULE
-          value: "config.settings.production"
+              value: "config.settings.production"
-        - name: DJANGO_CACHE_TIMEOUT
+            - name: DJANGO_CACHE_TIMEOUT
-          value: "120"
+              value: "120"
-        # Database
+            # Database
-        - name: DJANGO_DB_ENGINE
+            - name: DJANGO_DB_ENGINE
-          value: "django.db.backends.postgresql"
+              value: "django.db.backends.postgresql"
-        - name: DJANGO_DB_HOST
+            - name: DJANGO_DB_HOST
-          value: "postgresql-rw.database-system.svc.cluster.local"
+              value: "postgresql-rw.database-system.svc.cluster.local"
-        - name: DJANGO_DB_PORT
+            - name: DJANGO_DB_PORT
-          value: "5432"
+              value: "5432"
-        - name: DJANGO_DB_DATABASE
+            - name: DJANGO_DB_DATABASE
-          value: "wger"
+              value: "wger"
-        - name: DJANGO_DB_USER
+            - name: DJANGO_DB_USER
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wger-db
+                  name: wger-db
-              key: username
+                  key: username
-        - name: DJANGO_DB_PASSWORD
+            - name: DJANGO_DB_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wger-db
+                  name: wger-db
-              key: password
+                  key: password
-        # Cache
+            # Cache
-        - name: DJANGO_CACHE_BACKEND
+            - name: DJANGO_CACHE_BACKEND
-          value: "django_redis.cache.RedisCache"
+              value: "django_redis.cache.RedisCache"
-        - name: DJANGO_CACHE_LOCATION
+            - name: DJANGO_CACHE_LOCATION
-          value: "redis://wger-redis:6379/1"
+              value: "redis://wger-redis:6379/1"
-        - name: DJANGO_CACHE_CLIENT_CLASS
+            - name: DJANGO_CACHE_CLIENT_CLASS
-          value: "django_redis.client.DefaultClient"
+              value: "django_redis.client.DefaultClient"
-        # Celery
+            # Celery
-        - name: CELERY_BROKER
+            - name: CELERY_BROKER
-          value: "redis://wger-redis:6379/2"
+              value: "redis://wger-redis:6379/2"
-        - name: CELERY_BACKEND
+            - name: CELERY_BACKEND
-          value: "redis://wger-redis:6379/2"
+              value: "redis://wger-redis:6379/2"
-        - name: ENABLE_OIDC
+            - name: ENABLE_OIDC
-          value: "True"
+              value: "True"
-        - name: OIDC_RP_CLIENT_ID
+            - name: OIDC_RP_CLIENT_ID
-          value: "AXr6k4P1JcgKKMcvGeXOLwd69MJ1UVjz3fW80mEg"
+              value: "AXr6k4P1JcgKKMcvGeXOLwd69MJ1UVjz3fW80mEg"
-        - name: OIDC_RP_CLIENT_SECRET
+            - name: OIDC_RP_CLIENT_SECRET
-          value: "oaj4yWum0skWoAJVf4VvXSSnc4pdaWQbKtyPaMaG6prBN0av1b1w7bna6nUALoIXwSQWu9seFZl66XsYxaFWXVXcWyI6B63rl5saIFCifVg9hqkl6RlhxHL4X4u42pqd"
+              value: "oaj4yWum0skWoAJVf4VvXSSnc4pdaWQbKtyPaMaG6prBN0av1b1w7bna6nUALoIXwSQWu9seFZl66XsYxaFWXVXcWyI6B63rl5saIFCifVg9hqkl6RlhxHL4X4u42pqd"
-        - name: OIDC_RP_SIGN_ALGO
+            - name: OIDC_RP_SIGN_ALGO
-          value: "RS256"
+              value: "RS256"
-        - name: CSRF_TRUSTED_ORIGINS
+            - name: CSRF_TRUSTED_ORIGINS
-          value: "https://workout.dooplex.hu"
+              value: "https://workout.dooplex.hu"
-        # Authentik Endpoints (Replace 'authentik.dooplex.hu' with your actual Authentik domain)
+            # Authentik Endpoints (Replace 'authentik.dooplex.hu' with your actual Authentik domain)
-        - name: OIDC_OP_LOGOUT_ENDPOINT
+            - name: OIDC_OP_LOGOUT_ENDPOINT
-          value: "https://authentik.dooplex.hu/application/o/workout/end-session/"
+              value: "https://authentik.dooplex.hu/application/o/workout/end-session/"
-        - name: OIDC_LOGIN_BUTTON_TEXT
+            - name: OIDC_LOGIN_BUTTON_TEXT
-          value: "Login with Authentik"
+              value: "Login with Authentik"
-        - name: OIDC_ALLOW_CREATE_USER
+            - name: OIDC_ALLOW_CREATE_USER
-          value: "true"
+              value: "true"
-        - name: OIDC_OP_AUTHORIZATION_ENDPOINT
+            - name: OIDC_OP_AUTHORIZATION_ENDPOINT
-          value: "https://authentik.dooplex.hu/application/o/authorize/"
+              value: "https://authentik.dooplex.hu/application/o/authorize/"
-        - name: OIDC_OP_TOKEN_ENDPOINT
+            - name: OIDC_OP_TOKEN_ENDPOINT
-          value: "https://authentik.dooplex.hu/application/o/token/"
+              value: "https://authentik.dooplex.hu/application/o/token/"
-        - name: OIDC_OP_USER_ENDPOINT
+            - name: OIDC_OP_USER_ENDPOINT
-          value: "https://authentik.dooplex.hu/application/o/userinfo/"
+              value: "https://authentik.dooplex.hu/application/o/userinfo/"
-        - name: OIDC_OP_JWKS_ENDPOINT
+            - name: OIDC_OP_JWKS_ENDPOINT
-          value: "https://authentik.dooplex.hu/application/o/workout/jwks/"
+              value: "https://authentik.dooplex.hu/application/o/workout/jwks/"
-        # Email (disabled - no email sending)
+            # Email (disabled - no email sending)
-        - name: ENABLE_EMAIL
+            - name: ENABLE_EMAIL
-          value: "False"
+              value: "False"
-        # Media settings
+            # Media settings
-        - name: DJANGO_MEDIA_ROOT
+            - name: DJANGO_MEDIA_ROOT
-          value: "/home/wger/media"
+              value: "/home/wger/media"
-        - name: DJANGO_STATIC_ROOT
+            - name: DJANGO_STATIC_ROOT
-          value: "/home/wger/static"
+              value: "/home/wger/static"
-        # Features
+            # Features
-        - name: ALLOW_REGISTRATION
+            - name: ALLOW_REGISTRATION
-          value: "False"
+              value: "False"
-        - name: ALLOW_GUEST_USERS
+            - name: ALLOW_GUEST_USERS
-          value: "False"
+              value: "False"
-        - name: ALLOW_UPLOAD_VIDEOS
+            - name: ALLOW_UPLOAD_VIDEOS
-          value: "True"
+              value: "True"
-        - name: USE_RECAPTCHA
+            - name: USE_RECAPTCHA
-          value: "False"
+              value: "False"
-        - name: DOWNLOAD_EXERCISE_IMAGES_ON_STARTUP
+            - name: DOWNLOAD_EXERCISE_IMAGES_ON_STARTUP
-          value: "True"
+              value: "True"
-        ports:
+          ports:
-        - containerPort: 8000
+            - containerPort: 8000
-          name: http
+              name: http
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 100m
+              cpu: 100m
-            memory: 256Mi
+              memory: 256Mi
-          limits:
+            limits:
-            cpu: 1000m
+              cpu: 1000m
-            memory: 1Gi
+              memory: 1Gi
-        volumeMounts:
+          volumeMounts:
-        - name: media
+            - name: media
-          mountPath: /home/wger/media
+              mountPath: /home/wger/media
-        - name: static
+            - name: static
-          mountPath: /home/wger/static
+              mountPath: /home/wger/static
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /
+              path: /
-            port: http
+              port: http
-          initialDelaySeconds: 120
+            initialDelaySeconds: 120
-          periodSeconds: 30
+            periodSeconds: 30
-        readinessProbe:
+          readinessProbe:
-          httpGet:
+            httpGet:
-            path: /
+              path: /
-            port: http
+              port: http
-          initialDelaySeconds: 60
+            initialDelaySeconds: 60
-          periodSeconds: 10
+            periodSeconds: 10
      volumes:
-      - name: nginx-config
+        - name: nginx-config
-        configMap:
+          configMap:
-          name: wger-nginx-config
+            name: wger-nginx-config
-      - name: media
+        - name: media
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: wger-media
+            claimName: wger-media
-      - name: static
+        - name: static
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: wger-static
+            claimName: wger-static
 ---
 # Celery worker for background tasks
 apiVersion: apps/v1
@@ -259,58 +259,58 @@ spec:
      securityContext:
        fsGroup: 1000
      containers:
-      - name: celery-worker
+        - name: celery-worker
-        image: ghcr.io/kisfenyo/wger-oidc:latest
+          image: ghcr.io/kisfenyo/wger-oidc:latest
-        imagePullPolicy: Always
+          imagePullPolicy: Always
-        command: ["/start-worker"]
+          command: ["/start-worker"]
-        env:
+          env:
-        - name: SECRET_KEY
+            - name: SECRET_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wger-app
+                  name: wger-app
-              key: secret-key
+                  key: secret-key
-        - name: SIGNING_KEY
+            - name: SIGNING_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wger-app
+                  name: wger-app
-              key: signing-key
+                  key: signing-key
-        - name: DJANGO_DB_ENGINE
+            - name: DJANGO_DB_ENGINE
-          value: "django.db.backends.postgresql"
+              value: "django.db.backends.postgresql"
-        - name: DJANGO_DB_HOST
+            - name: DJANGO_DB_HOST
-          value: "postgresql-rw.database-system.svc.cluster.local"
+              value: "postgresql-rw.database-system.svc.cluster.local"
-        - name: DJANGO_DB_PORT
+            - name: DJANGO_DB_PORT
-          value: "5432"
+              value: "5432"
-        - name: DJANGO_DB_DATABASE
+            - name: DJANGO_DB_DATABASE
-          value: "wger"
+              value: "wger"
-        - name: DJANGO_DB_USER
+            - name: DJANGO_DB_USER
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wger-db
+                  name: wger-db
-              key: username
+                  key: username
-        - name: DJANGO_DB_PASSWORD
+            - name: DJANGO_DB_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wger-db
+                  name: wger-db
-              key: password
+                  key: password
-        - name: DJANGO_CACHE_TIMEOUT
+            - name: DJANGO_CACHE_TIMEOUT
-          value: "120"
+              value: "120"
-        - name: DJANGO_CACHE_CLIENT_CLASS
+            - name: DJANGO_CACHE_CLIENT_CLASS
-          value: "django_redis.client.DefaultClient"
+              value: "django_redis.client.DefaultClient"
-        - name: CELERY_BROKER
+            - name: CELERY_BROKER
-          value: "redis://wger-redis:6379/2"
+              value: "redis://wger-redis:6379/2"
-        - name: CELERY_BACKEND
+            - name: CELERY_BACKEND
-          value: "redis://wger-redis:6379/2"
+              value: "redis://wger-redis:6379/2"
-        - name: DJANGO_CACHE_BACKEND
+            - name: DJANGO_CACHE_BACKEND
-          value: "django_redis.cache.RedisCache"
+              value: "django_redis.cache.RedisCache"
-        - name: DJANGO_CACHE_LOCATION
+            - name: DJANGO_CACHE_LOCATION
-          value: "redis://wger-redis:6379/1"
+              value: "redis://wger-redis:6379/1"
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 50m
+              cpu: 50m
-            memory: 128Mi
+              memory: 128Mi
-          limits:
+            limits:
-            cpu: 500m
+              cpu: 500m
-            memory: 512Mi
+              memory: 512Mi
 ---
 # Celery beat for scheduled tasks
 apiVersion: apps/v1
@@ -336,54 +336,54 @@ spec:
      securityContext:
        fsGroup: 1000
      containers:
-      - name: celery-beat
+        - name: celery-beat
-        image: ghcr.io/kisfenyo/wger-oidc:latest
+          image: ghcr.io/kisfenyo/wger-oidc:latest
-        imagePullPolicy: Always
+          imagePullPolicy: Always
-        command: ["/start-beat"]
+          command: ["/start-beat"]
-        env:
+          env:
-        - name: SECRET_KEY
+            - name: SECRET_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wger-app
+                  name: wger-app
-              key: secret-key
+                  key: secret-key
-        - name: SIGNING_KEY
+            - name: SIGNING_KEY
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wger-app
+                  name: wger-app
-              key: signing-key
+                  key: signing-key
-        - name: DJANGO_CACHE_TIMEOUT
+            - name: DJANGO_CACHE_TIMEOUT
-          value: "120"
+              value: "120"
-        - name: DJANGO_CACHE_CLIENT_CLASS
+            - name: DJANGO_CACHE_CLIENT_CLASS
-          value: "django_redis.client.DefaultClient"
+              value: "django_redis.client.DefaultClient"
-        - name: DJANGO_DB_ENGINE
+            - name: DJANGO_DB_ENGINE
-          value: "django.db.backends.postgresql"
+              value: "django.db.backends.postgresql"
-        - name: DJANGO_DB_HOST
+            - name: DJANGO_DB_HOST
-          value: "postgresql-rw.database-system.svc.cluster.local"
+              value: "postgresql-rw.database-system.svc.cluster.local"
-        - name: DJANGO_DB_PORT
+            - name: DJANGO_DB_PORT
-          value: "5432"
+              value: "5432"
-        - name: DJANGO_DB_DATABASE
+            - name: DJANGO_DB_DATABASE
-          value: "wger"
+              value: "wger"
-        - name: DJANGO_DB_USER
+            - name: DJANGO_DB_USER
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wger-db
+                  name: wger-db
-              key: username
+                  key: username
-        - name: DJANGO_DB_PASSWORD
+            - name: DJANGO_DB_PASSWORD
-          valueFrom:
+              valueFrom:
-            secretKeyRef:
+                secretKeyRef:
-              name: wger-db
+                  name: wger-db
-              key: password
+                  key: password
-        - name: CELERY_BROKER
+            - name: CELERY_BROKER
-          value: "redis://wger-redis:6379/2"
+              value: "redis://wger-redis:6379/2"
-        - name: CELERY_BACKEND
+            - name: CELERY_BACKEND
-          value: "redis://wger-redis:6379/2"
+              value: "redis://wger-redis:6379/2"
-        resources:
+          resources:
-          requests:
+            requests:
-            cpu: 50m
+              cpu: 50m
-            memory: 64Mi
+              memory: 64Mi
-          limits:
+            limits:
-            cpu: 200m
+              cpu: 200m
-            memory: 256Mi
+              memory: 256Mi
 ---
 apiVersion: v1
 kind: Service
@@ -396,9 +396,9 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: redis
+    - name: redis
-    port: 6379
+      port: 6379
-    targetPort: redis
+      targetPort: redis
  selector:
    app.kubernetes.io/instance: wger
    app.kubernetes.io/name: wger-redis
@@ -414,9 +414,9 @@ metadata:
 spec:
  type: ClusterIP
  ports:
-  - name: http
+    - name: http
-    port: 80
+      port: 80
-    targetPort: 80
+      targetPort: 80
  selector:
    app.kubernetes.io/instance: wger
    app.kubernetes.io/name: wger
@@ -436,36 +436,36 @@ metadata:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec:
  ingressClassName: nginx-internal
  rules:
-  - host: workout.dooplex.hu
+    - host: workout.dooplex.hu
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: wger
+                name: wger
-            port:
+                port:
-              number: 80
+                  number: 80
-  - host: workout.home
+    - host: workout.home
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: wger
+                name: wger
-            port:
+                port:
-              number: 80
+                  number: 80
  tls:
-  - hosts:
+    - hosts:
-    - workout.dooplex.hu
+        - workout.dooplex.hu
-    secretName: wger-tls
+      secretName: wger-tls
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -479,7 +479,7 @@ metadata:
    recurring-job.longhorn.io/source: enabled
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
@@ -495,7 +495,7 @@ metadata:
    app.kubernetes.io/name: wger-static
 spec:
  accessModes:
-  - ReadWriteOnce
+    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
@@ -131,7 +131,7 @@ metadata:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      if ($geoip2_city_country_code != "HU") {
+      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
 spec: